From nobody Sun Mar 1 21:47:42 2015
From: "Jim Schaad"
Date: Sun, 1 Mar 2015 21:46:35 -0800
Cc: jose@ietf.org
Subject: [jose] draft-ietf-jose-jwk-thumbprint-03 Comments

Couple more comments:

1. Think about expanding the abstract. Remember this is text that is expected to be read in isolation from the rest of the document.

2. You missed a couple of uses of "REQUIRED members" in the last edit pass.

3. This statement from section 4
   "Use of escaped characters in the input JWK representation SHOULD be avoided."
   does not agree with the statement from section 3.3
   "Characters in member names and member values MUST be represented without being escaped."
   While I assume that the statement in section 4 is to apply to values, it does not say so.

4. Section 7 needs to be moved. It must come before the IANA considerations section. Given the content you might consider putting the text into the introduction.

Jim

From nobody Sun Mar 1 21:50:56 2015
From: "Jim Schaad"
Date: Sun, 1 Mar 2015 21:49:57 -0800
Subject: [jose] Last Call on draft-ietf-jose-jwk-thumbprint - Round 2

The chairs are issuing a one week working group last call on the document draft-ietf-jose-jwk-thumbprint to see where we stand. The chairs believe that the document has addressed all of the issues raised during the previous last call except for the question of changing the serialization format of the string to be hashed to compute the thumbprint value.

The previous discussion on the serialization did not reach a consensus either to keep or change serialization string method. Given this the decision to keep the previous one is a conservative decision. If people want to re-litigate this issue and try to come to a consensus this is the time to do it.

Starting the shepherd report raised the question of the correct track for this document. It is currently standards track. Given that it is only defining an algorithm, it might be reasonable to change it to informational. We would like to get people's opinion on this question.

If there is no big mail storm, then I would expect that we will progress the document to the IESG after the last call finishes.

Last call will finish on March 9th.

Jim

From nobody Sun Mar 1 22:50:22 2015
From: Stephen Farrell
To: Jim Schaad, jose@ietf.org
Date: Mon, 02 Mar 2015 06:50:04 +0000
Subject: Re: [jose] Last Call on draft-ietf-jose-jwk-thumbprint - Round 2

On 02/03/15 05:49, Jim Schaad wrote:
> The previous discussion on the serialization did not reach a consensus
> either to keep or change serialization string method. Given this the
> decision to keep the previous one is a conservative decision. If people
> want to re-litigate this issue and try to come to a consensus this is the
> time to do it.

Other hashed-public-key things all use SPKI as the input. Doing something different is IMO a bad plan for zero benefit. The benefit of doing the same as others is that one can use the same value to refer to the same key in different contexts. With the current approach, one cannot.

S.

From nobody Mon Mar 2 00:41:18 2015
From: "Jim Schaad"
To: "'Stephen Farrell'"
Date: Mon, 2 Mar 2015 00:40:21 -0800
Subject: Re: [jose] Last Call on draft-ietf-jose-jwk-thumbprint - Round 2

Going forward, the argument that SPKI is not easily obtainable is not going to be a valid argument in browsers. The new WebCrypto API supplies that need. So this is just an argument about current browsers (well current IE) and non-browser platforms.

Jim

> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> Sent: Sunday, March 01, 2015 10:50 PM
> To: Jim Schaad; jose@ietf.org
> Subject: Re: [jose] Last Call on draft-ietf-jose-jwk-thumbprint - Round 2
>
> On 02/03/15 05:49, Jim Schaad wrote:
> > The previous discussion on the serialization did not reach a consensus
> > either to keep or change serialization string method. Given this the
> > decision to keep the previous one is a conservative decision. If people
> > want to re-litigate this issue and try to come to a consensus this is
> > the time to do it.
>
> Other hashed-public-key things all use SPKI as the input. Doing something
> different is IMO a bad plan for zero benefit. The benefit of doing the same as
> others is that one can use the same value to refer to the same key in
> different contexts. With the current approach, one cannot.
>
> S.

From nobody Tue Mar 3 02:43:23 2015
From: Mike Jones
To: "jose@ietf.org"
Date: Tue, 3 Mar 2015 10:42:23 +0000
Subject: [jose] Key Managed JSON Web Signature (KMJWS) specification

I took a little time today and wrote a short draft specifying a JWS-like object that uses key management for the MAC key used to integrity protect the payload. We had considered doing this in JOSE issue #2 but didn't do so at the time because of lack of demand. However, I wanted to get this down now to demonstrate that it is easy to do and specify a way to do it, should demand develop in the future - possibly after the JOSE working group has been closed. See http://tools.ietf.org/html/draft-jones-jose-key-managed-json-web-signature-00 or http://self-issued.info/docs/draft-jones-jose-key-managed-json-web-signature-00.html.

This spec reuses key management functionality already present in the JWE spec and MAC functionality already present in the JWS spec. The result is essentially a JWS with an Encrypted Key value added, and a new "mac" Header Parameter value representing the MAC algorithm used. (Like JWE, the key management algorithm is carried in the "alg" Header Parameter value.)

I also wrote this now as possible input into our thinking on options for creating a CBOR JOSE mapping. If there are CBOR use cases needing managed MAC keys, this could help us reason about ways to structure the solution.

Yes, the spec name and abbreviation are far from catchy. Better naming ideas would be great.

Feedback welcomed.

-- Mike

P.S. This note was also posted at http://self-issued.info/?p=1344 and as @selfissued.

From nobody Tue Mar 3 03:03:39 2015
From: Anders Rundgren
To: Mike Jones, "jose@ietf.org"
Date: Tue, 03 Mar 2015 12:03:23 +0100
Subject: Re: [jose] Key Managed JSON Web Signature (KMJWS) specification

On 2015-03-03 11:42, Mike Jones wrote:
>
> I took a little time today and wrote a short draft specifying a JWS-like object that uses key management for the MAC key used to integrity protect the payload. We had considered doing this in JOSE issue #2 but didn’t do so at the time because of lack of demand. However, I wanted to get this down now to demonstrate that it is easy to do and specify a way to do it, should demand develop in the future – possibly after the JOSE working group has been closed. See http://tools.ietf.org/html/draft-jones-jose-key-managed-json-web-signature-00 or http://self-issued.info/docs/draft-jones-jose-key-managed-json-web-signature-00.html.
>
> This spec reuses key management functionality already present in the JWE spec and MAC functionality already present in the JWS spec. The result is essentially a JWS with an Encrypted Key value added, and a new “mac” Header Parameter value representing the MAC algorithm used. (Like JWE, the key management algorithm is carried in the “alg” Header Parameter value.)
>

I guess I'm stupid but I don't understand what this scheme brings to the table over what for example RSA signatures already provide. A short rationale for us imbeciles would be nice to have :-)

Anders

> I also wrote this now as possible input into our thinking on options for creating a CBOR JOSE mapping. If there are CBOR use cases needing managed MAC keys, this could help us reason about ways to structure the solution.
>
> Yes, the spec name and abbreviation are far from catchy. Better naming ideas would be great.
>
> Feedback welcomed.
>
> -- Mike
>
> P.S. This note was also posted at http://self-issued.info/?p=1344 and as @selfissued.
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

From nobody Tue Mar 3 15:51:50 2015
From: Nat Sakimura
To: Stephen Farrell
Cc: Jim Schaad, "jose@ietf.org"
Date: Wed, 4 Mar 2015 08:51:45 +0900
Subject: Re: [jose] Last Call on draft-ietf-jose-jwk-thumbprint - Round 2

Stephen asks why JWK Thumbprint should do something other than hash a SPKI key representation. Here are a few reasons:

1. The whole premise of JOSE was to create easy to use crypto data formats and algorithms that are based on JSON. Saying “SPKI exists – everyone should use it” is like saying “CMS exists – everyone should use it, or perhaps XMLDSIG exists – everyone should use it”. It does not seem consistent or helpful to developers for JOSE to effectively say “You can use JSON-based structures for everything except key hashes and for those, you have to use a binary structure (based on ASN.1).”

2. The point of the draft is to create thumbprints of keys that are already represented in JWK format. Requiring a format conversion to ASN.1, which most developers consider to be unapproachable, will result both in more code and less adoption. (If the keys are already in X.509 certs, by all means, hash the SPKI value because it’s easy. JWK Thumbprint is similarly easy for JWK keys.)

Stephen also states “The benefit of doing the same as others is that one can use the same value to refer to the same key in different contexts”. That sounds great on the face of it, but it is not clear that there’s much/any benefit to this in practice. A key is typically deployed for a particular application context or among applications running over a TLS connection. Key reuse across different application contexts is arguably a security concern and not something likely to occur much in practice. Each application defines what key format it uses (X.509/SPKI, XML, JWK, etc.) and how to create key identifiers for those keys. Letting the application choose a JSON-based way to create key identifiers is both logical and good for adoption of usable crypto.

I also took a look at some adoption data as background information.

- Browser support for WebCrypto is still iffy. See http://caniuse.com/#feat=cryptography.
- Notably, all the Android Browsers before Android L (5.0) do not support WebCrypto, and there are tons of them out there. They will be there for years.
- There are many enterprise deployments of IE below 10, which are not going to be upgraded anytime soon.
- PHP started supporting SPKI in ver. 5.6, which was released Aug. 28, 2014. Its deployment is very small as you can expect - 0.7%. Server platforms do not do major version upgrades frequently. See http://w3techs.com/technologies/details/pl-php/5/all.
- Python seems to have been supporting SPKI for some time as a NetscapeSPKI object.
- So does Ruby.
- I am not sure if the same is true for Perl. A cursory search didn’t turn up any useful data.

In closing, the point of JOSE (and the point of the JWK Thumbprint spec) is to enable widespread adoption of usable crypto with the development tools people actually have NOW. That seems to be reason enough to have this draft progress now towards RFC status.

Best,

Nat

2015-03-02 15:50 GMT+09:00 Stephen Farrell :

>
> On 02/03/15 05:49, Jim Schaad wrote:
> > The previous discussion on the serialization did not reach a consensus
> > either to keep or change serialization string method. Given this the
> > decision to keep the previous one is a conservative decision. If people
> > want to re-litigate this issue and try to come to a consensus this is the
> > time to do it.
>
> Other hashed-public-key things all use SPKI as the input. Doing
> something different is IMO a bad plan for zero benefit. The benefit
> of doing the same as others is that one can use the same value to
> refer to the same key in different contexts. With the current
> approach, one cannot.
>
> S.
>

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

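An added example, not part of any message in this thread and not code from the draft's authors: it computes both values under discussion for one RSA key, the JWK Thumbprint (a hash over a JSON object holding only the required members, in lexicographic order, without whitespace or escapes) and a hash over the key's SPKI encoding. SHA-256, the function names and the sample key (constructed bytes, not a real modulus) are assumptions made for the illustration.

```python
import base64
import hashlib
import json

# Members that enter the thumbprint for each key type; kid, use, alg and any
# other member are left out of the hash input.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}

# DER AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1, NULL).
RSA_ALGORITHM_ID = bytes.fromhex("300d06092a864886f70d0101010500")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_input(jwk_text: str) -> bytes:
    """Build the canonical JSON that gets hashed for the thumbprint."""
    jwk = json.loads(jwk_text)  # parsing resolves \uXXXX escapes in the input
    if not isinstance(jwk, dict) or jwk.get("kty") not in REQUIRED_MEMBERS:
        raise ValueError("not a JWK with a supported kty")
    subset = {}
    for name in REQUIRED_MEMBERS[jwk["kty"]]:
        value = jwk.get(name)
        if not isinstance(value, str):
            raise ValueError(f"required member {name!r} missing or not a string")
        subset[name] = value
    # sort_keys gives lexicographic member order; separators drops whitespace.
    text = json.dumps(subset, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)
    if "\\" in text:
        raise ValueError("a member value would need escaping in the hash input")
    return text.encode("utf-8")


def jwk_thumbprint(jwk_text: str) -> str:
    return b64url(hashlib.sha256(hash_input(jwk_text)).digest())


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    length = len(content)
    if length < 0x80:
        header = bytes([length])
    else:
        raw = length.to_bytes((length.bit_length() + 7) // 8, "big")
        header = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + header + content


def der_uint(value: int) -> bytes:
    # bit_length() // 8 + 1 is the shortest length that leaves the sign bit clear.
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def rsa_spki(jwk_text: str) -> bytes:
    """DER SubjectPublicKeyInfo for an RSA JWK."""
    jwk = json.loads(jwk_text)
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    rsa_public_key = der(0x30, der_uint(n) + der_uint(e))
    # BIT STRING content starts with the count of unused bits (zero).
    return der(0x30, RSA_ALGORITHM_ID + der(0x03, b"\x00" + rsa_public_key))


def spki_sha256(jwk_text: str) -> str:
    return b64url(hashlib.sha256(rsa_spki(jwk_text)).digest())


# Constructed sample values: 256 arbitrary bytes standing in for a modulus.
SAMPLE_N = b64url(b"\xd1" + bytes(range(1, 256)))
JWK_PLAIN = '{"kty":"RSA","n":"%s","e":"AQAB"}' % SAMPLE_N
# Same key: other member order, whitespace, extra members, an escaped letter.
JWK_MESSY = ('{ "e": "AQAB", "kid": "example", "use": "sig", '
             '"kty": "R\\u0053A", "n": "%s" }' % SAMPLE_N)

if __name__ == "__main__":
    print("hash input starts :", hash_input(JWK_MESSY)[:32])
    print("JWK thumbprint    :", jwk_thumbprint(JWK_PLAIN))
    print("same for messy JWK:", jwk_thumbprint(JWK_MESSY))
    print("SPKI SHA-256      :", spki_sha256(JWK_PLAIN))
```

Both identifiers are stable across the two JWK serializations of the key, and they are different values from each other.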
From nobody Tue Mar 3 18:14:46 2015
From: internet-drafts@ietf.org
Date: Tue, 03 Mar 2015 18:14:40 -0800
Message-ID: <20150304021440.20625.89150.idtracker@ietfa.amsl.com>
Cc: jose@ietf.org
Subject: [jose] I-D Action: draft-ietf-jose-jwk-thumbprint-04.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Javascript Object Signing and Encryption Working Group of the IETF.

    Title    : JSON Web Key (JWK) Thumbprint
    Authors  : Michael B. Jones
               Nat Sakimura
    Filename : draft-ietf-jose-jwk-thumbprint-04.txt
    Pages    : 12
    Date     : 2015-03-03

Abstract:
    This specification defines a means of computing a thumbprint value (a.k.a. digest) of a key represented as a JSON Web Key (JWK). This value can be used for identifying or selecting the key that is the subject of the thumbprint.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-jose-jwk-thumbprint/

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-jose-jwk-thumbprint-04

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-jose-jwk-thumbprint-04

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

From nobody Tue Mar 3 18:19:34 2015
From: Mike Jones
To: "jose@ietf.org"
Date: Wed, 4 Mar 2015 02:19:14 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943A2E76B43@TK5EX14MBXC292.redmond.corp.microsoft.com>
Subject: [jose] JWK Thumbprint -04 draft incorporating feedback during second WGLC

The latest JWK Thumbprint draft addresses review comments on the -03 draft by Jim Schaad, which resulted in several clarifications and some corrections to the case of RFC 2119 keywords.

The specification is available at:

* http://tools.ietf.org/html/draft-ietf-jose-jwk-thumbprint-04

An HTML formatted version is also available at:

* http://self-issued.info/docs/draft-ietf-jose-jwk-thumbprint-04.html

-- Nat and Mike

P.S. This notice was also posted at http://self-issued.info/?p=1348 and as @selfissued.

From nobody Tue Mar 3 18:27:04 2015
From: Mike Jones
To: Jim Schaad, "draft-ietf-jose-jwk-thumbprint@tools.ietf.org"
Cc: "jose@ietf.org"
Date: Wed, 4 Mar 2015 02:26:23 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943A2E76BC2@TK5EX14MBXC292.redmond.corp.microsoft.com>
References: <04ed01d054ac$4419bd30$cc4d3790$@augustcellars.com>
In-Reply-To: <04ed01d054ac$4419bd30$cc4d3790$@augustcellars.com>
Subject: Re: [jose] draft-ietf-jose-jwk-thumbprint-03 Comments

These comments were addressed in the -04 draft. Replies are inline below.

Thanks again for your consistent attention to detail!

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Jim Schaad
Sent: Sunday, March 01, 2015 9:47 PM
To: draft-ietf-jose-jwk-thumbprint@tools.ietf.org
Cc: jose@ietf.org
Subject: [jose] draft-ietf-jose-jwk-thumbprint-03 Comments

Couple more comments:

1. Think about expanding the abstract. Remember this is text that is expected to be read in isolation from the rest of the document.

Done. It now also says that the value can be used for identifying or selecting the key.

2. You missed a couple of uses of "REQUIRED members" in the last edit pass.

Thanks. You prompted us to do a full RFC 2119 review. I think we got it all, but let us know if we missed anything.

3. This statement from section 4
    "Use of escaped characters in the input JWK representation SHOULD be avoided."
Does not agree with the statement from section 3.3
    "Characters in member names and member values MUST be represented without being escaped."
While I assume that the statement in section 4 is to apply to values, it does not say so.

This is now (hopefully) clarified through the following language:

    Use of escaped characters in JWKs for which JWK Thumbprints will be computed should be avoided.
    (Use of escaped characters in the hash input JWKs derived from these original JWKs is prohibited.)

4. Section 7 needs to be moved. It must come before the IANA considerations section. Given the content you might consider putting the text into the introduction.

It's now before the IANA considerations section. We thought about putting it in the introduction, but it would triple the size of the introduction and delay getting to the meat of the specification.

Jim

Thanks again,
-- Nat & Mike

From nobody Wed Mar 4 00:08:15 2015
Message-ID: <22b90ca0ffd3bd18b95852838b380c98.squirrel@webmail.scss.tcd.ie>
References: <04f201d054ac$b80c5b30$28251190$@augustcellars.com> <54F4081C.8000202@cs.tcd.ie>
Date: Wed, 4 Mar 2015 08:08:07 -0000
From: stephen.farrell@cs.tcd.ie
To: "Nat Sakimura"
Cc: Jim Schaad, "jose@ietf.org", Stephen Farrell
Subject: Re: [jose] Last Call on draft-ietf-jose-jwk-thumbprint - Round 2

Hi Nat,

Nat Sakimura wrote:
> Stephen asks why JWK Thumbprint should do something other than hash a SPKI
> key representation. Here are a few reasons:
>
> 1. The whole premise of JOSE was to create easy to use crypto data formats
> and algorithms that are based on JSON.

Sorry, but that's bogus. SPKI is easy to use and simple on pretty much all web development platforms. Claiming that this is ASN.1 and therefore bad is just not a valid argument since there is no requirement for any decoding and there is no complex encoding at all.

> Saying “SPKI exists – everyone should use it” is like saying “CMS exists –
> everyone should use it, or perhaps XMLDSIG exists – everyone should use it”.
> It does not seem consistent or helpful to developers for JOSE to effectively
> say “You can use JSON-based structures for everything except key hashes and
> for those, you have to use a binary structure (based on ASN.1).”
>
> 2. The point of the draft is to create thumbprints of keys that are
> already represented in JWK format. Requiring a format conversion to ASN.1,
> which most developers consider to be unapproachable,

Same bogus argument, sorry. Using ASN.1 as a scare tactic is just not credible here, once one looks at the facts.

> will result both in more code and less adoption. (If the keys are already
> in X.509 certs, by all means, hash the SPKI value because it’s easy. JWK
> Thumbprint is similarly easy for JWK keys.)

Nonsense. SPKI is trivial to generate from any form of public key.

> Stephen also states “The benefit of doing the same as others is that one
> can use the same value to refer to the same key in different contexts”.
> That sounds great on the face of it, but it is not clear that there’s
> much/any benefit to this in practice. A key is typically deployed for a
> particular application context or among applications running over a TLS
> connection. Key reuse across different applications contexts is arguably
> a security concern and not something likely to occur much in practice.

Please demonstrate such a concern. Vague arm-waving isn't useful. Using the same input bits for the same key would help e.g. to ensure weak keys like the old Debian ones would be more easily spotted in signature applications, so there are security benefits to consistency here. (That's a modest benefit for sure though.)

> Each application defines what key format it uses (X.509/SPKI, XML, JWK,
> etc.) and how to create key identifiers for those keys. Letting the
> application choose a JSON-based way to create key identifiers is both
> logical and good for adoption of usable crypto.
>
> I also took a look at some adoption data as background information.
>
> - Browser support for WebCrypto is still iffy. See
>   http://caniuse.com/#feat=cryptography.

WebCrypto makes SPKI access the obvious thing to do. Other platforms require a line of code or so to create the SPKI bits as a hash input, and that's true in JS or any other dev environment I've used.

> - Notably, all the Android Browsers before Android L (5.0) do not support
>   WebCrypto, and there are tons of them out there. They will be there for
>   years.
> - There are many enterprise deployments of IE below 10, which are not
>   going to be upgraded anytime soon.
> - PHP started supporting SPKI in ver. 5.6, which was released Aug. 28,
>   2014. Its deployment is very small as you can expect - 0.7%. Server
>   platforms do not do major version upgrades frequently. See
>   http://w3techs.com/technologies/details/pl-php/5/all.
> - Python seems to have been supporting SPKI for sometime as a NetscapeSPKI
>   object.
> - So does Ruby.
> - I am not sure if the same is true for Perl. A cursory search didn’t turn
>   up any useful data.

And precisely zero of all of the above support the current draft's approach.

> In closing, the point of JOSE (and the point of the JWK Thumbprint spec) is
> to enable widespread adoption of usable crypto with the development tools
> people actually have NOW. That seems to be reason enough to have this
> draft progress now towards RFC status.

You have IMO only used bogus ASN.1-is-bad arguments to back up your usability claim. I don't really feel that strongly about the WG doing the wrong thing here (i.e. wrong-thing==current I-D) but we should decide based on valid arguments.

S.

PS: In case it's not clear - this is all me arguing as an individual and nothing to do with IESG evaluation of the draft when it gets there.

> Best,
>
> Nat
>
> 2015-03-02 15:50 GMT+09:00 Stephen Farrell:
>
>> On 02/03/15 05:49, Jim Schaad wrote:
>> > The previous discussion on the serialization did not reach a consensus
>> > either to keep or change serialization string method. Given this the
>> > decision to keep the previous one is a conservative decision. If people
>> > want to re-litigate this issue and try to come to a consensus this is the
>> > time to do it.
>>
>> Other hashed-public-key things all use SPKI as the input. Doing
>> something different is IMO a bad plan for zero benefit. The benefit
>> of doing the same as others is that one can use the same value to
>> refer to the same key in different contexts. With the current
>> approach, one cannot.
>>
>> S.
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en

From nobody Thu Mar 5 03:58:53 2015
Message-ID: <54F8466B.8060007@fh-koeln.de>
Date: Thu, 05 Mar 2015 13:04:59 +0100
From: "Prof. Dr.-Ing. Luigi Lo Iacono"
Reply-To: luigi.lo_iacono@fh-koeln.de
To: "jose@ietf.org"
Subject: [jose] Java-based JOSE implementation

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

Dear all,

we developed an own JOSE implementation in Java, mainly because we missed the JSON serialisation in almost all of the available libs.

You can grasp it here:
http://jw-asterisk.realsoasecurity.de/

We are still doing some polishing, that is why the sources are still lacking. Stay tuned, though, updates will follow soon...

The documentation and especially the unit tests should help in taking the first steps.

Let us know what you think about it...

BR, Luigi.

From nobody Fri Mar 6 11:19:32 2015
From: "Joe Hildebrand (jhildebr)"
To: "jose@ietf.org"
Date: Fri, 6 Mar 2015 19:19:25 +0000
Message-ID: <66855374-D565-4E65-8978-36AE2F539FBD@cisco.com>
Subject: [jose] COSE: what would change?

In talking with several folks about COSE, it appears that there are differing views on how much to change in the JOSE/COSE translation. I would like to explore the points of agreement and disagreement a little.

It seems like most people agree that maintaining signature compatibility is a non-goal; I agree that is the only way for us to have a chance at success.

I think we're also likely to get agreement that we should do our best to use CBOR idioms in COSE (such as mixed-type keys for maps) once they are explained to the group in enough detail for everyone to understand the proposals.

Finally, I think one of the reasons people are interested in COSE is a chance to optimize for a different set of use cases than we had for JOSE.

The main source of disagreement seems to be what we would change in COSE of the things some might have wanted done differently in JOSE. I'm sympathetic to both the group that wants to crank something out quickly without re-litigating the past, as well as to the group that wants to re-optimize as many things as possible given the removal of the pressure of existing codebases that we had with JOSE.

An approach that might work for this would be to set a bar for changes along the lines of "significant improvement in security, performance (wire size, code size, CPU, power, etc.), or deployability" would be required to justify a change. To see if that approach would work, it would be nice to see a list of things that folks would want to change, and to get early agreement on a couple of those changes as being above the bar that we set, so that we have some precedent to reason from.

To that end, I propose that those that want changes produce a list, perhaps annotated with whether the change is seen as imperative or merely nice-to-have. The folks that want a quick outcome would then select several changes they see as being definitely above the line. My hope is that this exercise would build trust that we all want something similar: a high quality protocol standardized in as short a time as possible.

--
Joe Hildebrand

From nobody Fri Mar 6 11:46:10 2015
From: Mike Jones
To: "Joe Hildebrand (jhildebr)", "jose@ietf.org"
Date: Fri, 6 Mar 2015 19:43:29 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943A2E82259@TK5EX14MBXC292.redmond.corp.microsoft.com>
References: <66855374-D565-4E65-8978-36AE2F539FBD@cisco.com>
In-Reply-To: <66855374-D565-4E65-8978-36AE2F539FBD@cisco.com>
Subject: Re: [jose] COSE: what would change?

Thanks for writing this, Joe. I know that people from the IoT and other communities are already itching for a CBOR JOSE encoding and we'll do everyone a service by providing one in a timely fashion.

I think your proposal to set a high, well-understood and agreed upon bar for any changes to the decisions made in JOSE is the key to having this complete in a reasonable period of time. In my view, if we open most decisions to be re-debated, our timeline is far more likely to look like the JOSE timeline (in which we had the WOES BoF in July 2011 and are only nearing having RFCs now over 3.5 years later) than the quick turnaround achievable by building on past work that I think we would all like.

Getting down to specifics, looking at the two COSE submissions to date, https://tools.ietf.org/html/draft-bormann-jose-cose-00 and http://tools.ietf.org/html/draft-schaad-cose-00, I think Carsten's submission is more effective at leveraging our existing decisions than Jim's, so I'd personally want to use that as a starting point, but there are some things I find valuable in Jim's draft as well. For instance, I think that we should consider using arrays rather than maps at the top level, as Jim suggests, as it may keep the code simpler and the representations more compact. I'll note that this is actually parallel to the JOSE Compact Serializations, which used data structures with fixed numbers of elements in fixed positions at the top level, rather than JSON objects, as was done in the JSON Serializations.

I'll also add that I personally think we should only define one serialization for the CBOR encoding. I would justify this departure from JOSE as being in the name of "keeping simple things simple" - something I think should also be part of our criteria when making our decisions. (If people do need a URL-safe representation of a COSE object, it would be fine for them to base64url encode the whole thing, for transmission purposes - a suggestion that Joe made to me in person in Honolulu.)

Anyway, I'm glad to see this discussion and look forward to us hopefully completing a COSE standard within a year from now!

-- Mike

-----Original Message-----
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Joe Hildebrand (jhildebr)
Sent: Friday, March 06, 2015 11:19 AM
To: jose@ietf.org
Subject: [jose] COSE: what would change?

In talking with several folks about COSE, it appears that there are differing views on how much to change in the JOSE/COSE translation. I would like to explore the points of agreement and disagreement a little.

It seems like most people agree that maintaining signature compatibility is a non-goal; I agree that is the only way for us to have a chance at success.

I think we're also likely to get agreement that we should do our best to use CBOR idioms in COSE (such as mixed-type keys for maps) once they are explained to the group in enough detail for everyone to understand the proposals.

Finally, I think one of the reasons people are interested in COSE is a chance to optimize for a different set of use cases than we had for JOSE.

The main source of disagreement seems to be what we would change in COSE of the things some might have wanted done differently in JOSE. I'm sympathetic to both the group that wants to crank something out quickly without re-litigating the past, as well as to the group that wants to re-optimize as many things as possible given the removal of the pressure of existing codebases that we had with JOSE.

An approach that might work for this would be to set a bar for changes along the lines of "significant improvement in security, performance (wire size, code size, CPU, power, etc.), or deployability" would be required to justify a change. To see if that approach would work, it would be nice to see a list of things that folks would want to change, and to get early agreement on a couple of those changes as being above the bar that we set, so that we have some precedent to reason from.

To that end, I propose that those that want changes produce a list, perhaps annotated with whether the change is seen as imperative or merely nice-to-have. The folks that want a quick outcome would then select several changes they see as being definitely above the line. My hope is that this exercise would build trust that we all want something similar: a high quality protocol standardized in as short a time as possible.

--
Joe Hildebrand

From nobody Tue Mar 10 02:15:06 2015
Message-ID: <54FEB612.7030707@connect2id.com>
Date: Tue, 10 Mar 2015 11:14:58 +0200
From: Vladimir Dzhuvinov
Organization: Connect2id Ltd.
To: jose@ietf.org
References: <66855374-D565-4E65-8978-36AE2F539FBD@cisco.com> <4E1F6AAD24975D4BA5B1680429673943A2E82259@TK5EX14MBXC292.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943A2E82259@TK5EX14MBXC292.redmond.corp.microsoft.com>
Subject: Re: [jose] COSE: what would change?

Arrays would be good. Perhaps even bit fields? We recently had a use case where we had to constrain the size of JWTs and we successfully compressed an array of various constant claims into a base64 encoded bit field, giving us significant space saving.

Vladimir

On 6.03.2015 21:43, Mike Jones wrote:
> Thanks for writing this, Joe. I know that people from the IoT and other communities are already itching for a CBOR JOSE encoding and we'll do everyone a service by providing one in a timely fashion.
>
> I think your proposal to set a high, well-understood and agreed upon bar for any changes to the decisions made in JOSE is the key to having this complete in a reasonable period of time. In my view, if we open most decisions to be re-debated, our timeline is far more likely to look like the JOSE timeline (in which we had the WOES BoF in July 2011 and are only nearing having RFCs now over 3.5 years later) than the quick turnaround achievable by building on past work that I think we would all like.
>
> Getting down to specifics, looking at the two COSE submissions to date, https://tools.ietf.org/html/draft-bormann-jose-cose-00 and http://tools.ietf.org/html/draft-schaad-cose-00, I think Carsten's submission is more effective at leveraging our existing decisions than Jim's, so I'd personally want to use that as a starting point, but there are some things I find valuable in Jim's draft as well. For instance, I think that we should consider using arrays rather than maps at the top level, as Jim suggests, as it may keep the code simpler and the representations more compact. I'll note that this is actually parallel to the JOSE Compact Serializations, which used data structures with fixed numbers of elements in fixed positions at the top level, rather than JSON objects, as was done in the JSON Serializations.
>
> I'll also add that I personally think we should only define one serialization for the CBOR encoding. I would justify this departure from JOSE as being in the name of "keeping simple things simple" - something I think should also be part of our criteria when making our decisions. (If people do need a URL-safe representation of a COSE object, it would be fine for them to base64url encode the whole thing, for transmission purposes - a suggestion that Joe made to me in person in Honolulu.)
>
> Anyway, I'm glad to see this discussion and look forward to us hopefully completing a COSE standard within a year from now!
>
> -- Mike
>
> -----Original Message-----
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Joe Hildebrand (jhildebr)
> Sent: Friday, March 06, 2015 11:19 AM
> To: jose@ietf.org
> Subject: [jose] COSE: what would change?
>
> In talking with several folks about COSE, it appears that there are differing views on how much to change in the JOSE/COSE translation. I would like to explore the points of agreement and disagreement a little.
>
> It seems like most people agree that maintaining signature compatibility is a non-goal; I agree that is the only way for us to have a chance at success.
>
> I think we're also likely to get agreement that we should do our best to use CBOR idioms in COSE (such as mixed-type keys for maps) once they are explained to the group in enough detail for everyone to understand the proposals.
>
> Finally, I think one of the reasons people are interested in COSE is a chance to optimize for a different set of use cases than we had for JOSE.
>
> The main source of disagreement seems to be what we would change in COSE of the things some might have wanted done differently in JOSE. I'm sympathetic to both the group that wants to crank something out quickly without re-litigating the past, as well as to the group that wants to re-optimize as many things as possible given the removal of the pressure of existing codebases that we had with JOSE.
>
> An approach that might work for this would be to set a bar for changes along the lines of "significant improvement in security, performance (wire size, code size, CPU, power, etc.), or deployability" would be required to justify a change. To see if that approach would work, it would be nice to see a list of things that folks would want to change, and to get early agreement on a couple of those changes as being above the bar that we set, so that we have some precedent to reason from.
>
> To that end, I propose that those that want changes produce a list, perhaps annotated with whether the change is seen as imperative or merely nice-to-have. The folks that want a quick outcome would then select several changes they see as being definitely above the line. My hope is that this exercise would build trust that we all want something similar: a high quality protocol standardized in as short a time as possible.
>
>

--
Vladimir Dzhuvinov :: vladimir@connect2id.com

From nobody Tue Mar 10 22:17:34 2015
From: Mike Jones
To: Stephen Farrell
Cc: "jose@ietf.org", Nat Sakimura
Date: Wed, 11 Mar 2015 05:16:57 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943A2F496F5@TK5EX14MBXC292.redmond.corp.microsoft.com>
Subject: [jose] My quest to learn how to create SubjectPublicKeyInfo values from scratch

I've always loved learning new things, so I decided yesterday to try to learn first-hand how to write code that emitted X.509 SubjectPublicKeyInfo (SPKI) values from scratch. By "from scratch", I mean using development tools without built-in X.509 or ASN.1 support.

I took this on because of Stephen's suggestion http://www.ietf.org/mail-archive/web/jose/current/msg04954.html that people could just hash the SPKI values to create a key thumbprint. Given I'd helped create the JSON-based hash input described in http://tools.ietf.org/html/draft-ietf-jose-jwk-thumbprint-03, I wanted to give his alternative suggestion a fair shake (and learn some new things along the way). This admittedly stream-of-consciousness and overly long message describes my expedition to date...

Thus far, I've spent 5 hours trying to learn to do this. I spent about the first two hours searching for examples of creating the bytes of X.509 certificates or SubjectPublicKeyInfo values without using ASN.1 and/or X.509 libraries. I failed.

Next, I tried to read the authoritative reference for what's in the SPKI field - the X.509 spec. Unfortunately, http://www.itu.int/rec/T-REC-X.509/en told me "This text was produced through a joint activity with ISO and IEC. According to the agreement with our partners, this document is only available through payment." Since most developers would stop at that point, I did too.

After that, I changed tacks and tried to find examples of sample certificates with commentary on what all the values mean - the kind of info developers would want when coding this. I had better luck with that. After about another hour of Web searching, I found this really useful example: http://tools.ietf.org/html/rfc7250#appendix-A. I also found this one: http://www.jensign.com/JavaScience/dotnet/JKeyNet/index.html. Going through them byte-by-byte enabled me to reverse engineer some of the ASN.1 and X.509 constructs used.

Things I learned by looking at these 1024-bit RSA public key representations included:

* ASN.1 uses byte-aligned Tag-Length-Value encodings.
* The tags for SEQUENCE, OID, NULL, BIT STRING, and INTEGER are respectively 0x30, 0x06, 0x05, 0x03, and 0x02.
* These Length values are encoded as follows:
  o 159 - 0x81 0x9f
  o 9 - 0x09
  o 0 - 0x00
* The OID 1.2.840.113549.1.1.1 is encoded in 9 bytes as 0x2a 0x86 0x48 0x86 0xf7 0x0d 0x01 0x01 0x01.
* The OID is followed by an ASN.1 NULL - 0x05 0x00.
* The RSA Key is represented as an encapsulated bit field.
* There is an apparently unused zero byte (the 22nd byte of the SPKI field in the RFC 7250 example) as the first byte of this bit field.
* The rest of the bit field contains concatenated representations of the modulus and the exponent as ASN.1 INTEGERs.
* The 1024 bit modulus is represented in 129 bytes, with the first byte being zero.

This brought me up to hour four. Next, I went looking for a 2048 bit cert to learn from (especially since JWA requires 2048+ bit RSA keys). I found http://fm4dd.com/openssl/certexamples.htm and chose 2048b-rsa-example-cert.der, from which I also learned:

* These length values are encoded as follows:
  o 290 - 0x82 0x01 0x22
  o 257 - 0x82 0x01 0x01
* From this, I deduced (possibly incorrectly :)) that if the high bit of the first length byte is 0, the remaining 7 bits represent the length, but if the high bit of the first length byte is 1, the remaining 7 bits represent the number of bytes used to represent the actual length. (Hence the use of 0x81 for representing values in the range 128-255 and the use of 0x82 for representing values in the range 256-32767.)
* Length values are represented in big-endian byte order.
* The 2048 bit key representation also starts with an apparently unused zero byte.
* The 2048 bit modulus is represented by 257 bytes, with the first byte being zero.

Things I haven't yet learned that I'd need to know to really write this code:

* How are the OIDs in the table at http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendix-A represented as ASN.1 OID values?
* Are multiple OIDs sometimes present before the ASN.1 NULL, and if so, which algorithms require which sets of OIDs in what order?
* Is there always the apparently unused zero byte in the key representation or if not, when is it present and absent?
* Is there always a leading zero byte in the RSA modulus or if not, when is it present and absent?
* How are elliptic curve keys represented?

This brought me up to about the fifth hour of my investigation, and I decided to stop and write up my findings to date. Highlighted versions of the example certificate from RFC 7250 and the SPKI value from fm4dd.com are attached, should any of you want to follow along with my reverse engineering. Tags are yellow. Lengths are green. OIDs are purple. The apparently unused byte is red. Key values are blue.

I readily admit that I could have easily missed something while searching. If someone can point me to self-contained descriptions of this information, I'd love to see them!

==== CONCLUSIONS ====

1. I think it would be a fine thing to do to write an RFC describing the mapping between key values and their SPKI representations. This could take the form of a cookbook with entries like "For a 2048 bit RSA key using RSASSA with SHA-256, emit these bytes, filling in slots A and B in the template with the 256 bytes of the mantissa and the 3 bytes of the exponent". Based on my searching, I don't think this information exists anywhere in a self-contained form accessible to developers (but I could be wrong, of course). I'm not going to personally do it, but if any of you want to go for it, have at it!

2. If my experience is representative, telling developers to just hash the SPKI representation of a JWK won't be very effective unless they already have X.509 support. Most will probably give up well before the 5 hours that I've invested to get this partial understanding of what I'd need to know. If my experience is representative, draft-ietf-jose-jwk-thumbprint will be much easier to implement for these developers.

Trying to live in the shoes of developers,
-- Mike

--_000_4E1F6AAD24975D4BA5B1680429673943A2F496F5TK5EX14MBXC292r_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

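The layout reverse-engineered in the message above, as an added example (not part of the original message and not code from any JOSE draft): a Python sketch that builds an RSA SubjectPublicKeyInfo without an ASN.1 library, hashes it, and parses it back. It applies the general DER rules rather than only the sampled lengths, so the BIT STRING's first content byte is written as its unused-bits count and an INTEGER gets a leading 0x00 only when its top bit is set. All function names and the sample moduli are constructed for illustration; the moduli are not real keys.

```python
import hashlib

# ASN.1 universal tags listed in the message.
SEQUENCE, OID, NULL, BIT_STRING, INTEGER = 0x30, 0x06, 0x05, 0x03, 0x02
RSA_ENCRYPTION = (1, 2, 840, 113549, 1, 1, 1)

# Constructed sample values, NOT real keys: numbers with the top bit set,
# so the INTEGER needs a leading 0x00 as in the certificates examined.
SAMPLE_N_2048 = (1 << 2047) | 0x1234567
SAMPLE_N_1024 = (1 << 1023) | 0x1234567
SAMPLE_E = 65537


def der_length(n):
    """Short form below 128; otherwise 0x80|count, then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value):
    """Minimal two's-complement encoding of a non-negative integer."""
    if value < 0:
        raise ValueError("only non-negative integers are handled here")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # top bit set would otherwise read as negative
        body = b"\x00" + body
    return tlv(INTEGER, body)


def der_oid(arcs):
    """First two arcs share one subidentifier (40*a + b); all are base-128."""
    out = bytearray()
    for arc in (40 * arcs[0] + arcs[1], *arcs[2:]):
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


def rsa_spki(n, e):
    algorithm = tlv(SEQUENCE, der_oid(RSA_ENCRYPTION) + tlv(NULL, b""))
    rsa_public_key = tlv(SEQUENCE, der_integer(n) + der_integer(e))
    # BIT STRING content starts with the count of unused bits (0 here).
    return tlv(SEQUENCE, algorithm + tlv(BIT_STRING, b"\x00" + rsa_public_key))


def spki_sha256(n, e):
    return hashlib.sha256(rsa_spki(n, e)).hexdigest()


def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:  # short form: the byte is the length itself
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(spki):
    """Recover (n, e) from an RSA SPKI built by rsa_spki()."""
    tag, outer, end = read_tlv(spki, 0)
    if tag != SEQUENCE or end != len(spki):
        raise ValueError("not a single outer SEQUENCE")
    _, algorithm, pos = read_tlv(outer, 0)
    if algorithm != der_oid(RSA_ENCRYPTION) + tlv(NULL, b""):
        raise ValueError("not rsaEncryption with NULL parameters")
    tag, bits, _ = read_tlv(outer, pos)
    if tag != BIT_STRING or not bits or bits[0] != 0:
        raise ValueError("expected BIT STRING with zero unused bits")
    _, key, _ = read_tlv(bits, 1)
    _, n_bytes, pos = read_tlv(key, 0)
    _, e_bytes, _ = read_tlv(key, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
```

With these sample values the outer lengths come out as 0x81 0x9f for the 1024-bit case and 0x82 0x01 0x22 for the 2048-bit case, matching the lengths listed in the message.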
--_000_4E1F6AAD24975D4BA5B1680429673943A2F496F5TK5EX14MBXC292r_--

--_005_4E1F6AAD24975D4BA5B1680429673943A2F496F5TK5EX14MBXC292r_
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="RFC 7520 Appendix A.docx"
Content-Description: RFC 7520 Appendix A.docx
Content-Disposition: attachment; filename="RFC 7520 Appendix A.docx"; size=16226; creation-date="Tue, 10 Mar 2015 23:32:47 GMT"; modification-date="Tue, 10 Mar 2015 23:50:37 GMT"
Content-Transfer-Encoding: base64

--_005_4E1F6AAD24975D4BA5B1680429673943A2F496F5TK5EX14MBXC292r_
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="2048b-rsa-example-cert.spki.docx"
Content-Description: 2048b-rsa-example-cert.spki.docx
Content-Disposition: attachment; filename="2048b-rsa-example-cert.spki.docx"; size=14625; creation-date="Wed, 11 Mar 2015 00:57:25 GMT"; modification-date="Wed, 11 Mar 2015 02:29:03 GMT"
Content-Transfer-Encoding: base64
MU08lOAYyN4aj6lP0FCT9DZy4j0Gr4mSesBnYqBJE2eFwQYHdY2QU9llAh1i1vaAT8CPhuS+8hDD UsFE26uZn7e0cXUJr2eLmFqwtrSub37ZumxBcLBseIpwVDCt9xutK1sFfQNgah7X6/W6vXpBzwCw 74OmVpYyzUZ/rd7JaZZA9nGedrfWrDVcfIn+ypzMrU6n02xlsliiBmQfG3P4tdpqY3PZwRuQxTfn 8I3OZre76uANyOJX5/D9K63Vhos3oIjR5GAOrR3a72fUC8iYs+1K+BrA12oZfIaCaCiiS7MY80Qt irUY3+OiDwANZFjRBKlpSsbYhyju4ngkKNYM8DrBpRk75Mu5Ic0LSV/QVLW9D1MMGTGj9+r596+e P0XHD54dP/jp+OHD4wc/WkLOqm2chOVVL7/97M/HH6M/nn7z8tEX1XhZxv/6wye//Px5NRDSZybO iy+f/PbsyYuvPv39u0cV8E2BR2X4kMZEopvkCO3zGBQzVnElJyNxvhXDCNPyis0klDjBmksF/Z6K HPTNKWaZdxw5OsS14B0B5aMKeH1yzxF4EImJohWcd6LYAe5yzjpcVFphR/MqmXk4ScJq5mJSxu1j fFjFu4sTx7+9SQp1Mw9LR/FuRBwx9xhOFA5JQhTSc/yAkArt7lLq2HWX+oJLPlboLkUdTCtNMqQj J5pmi7ZpDH6ZVukM/nZss3sHdTir0nqLHLpIyArMKoQfEuaY8TqeKBxXkRzimJUNfgOrqErIwVT4 ZVxPKvB0SBhHvYBIWbXmlgB9S07fwVCxKt2+y6axixSKHlTRvIE5LyO3+EE3wnFahR3QJCpjP5AH EKIY7XFVBd/lbobod/ADTha6+w4ljrtPrwa3aeiINAsQPTMRFb68TrgTv4MpG2NiSg0UdadWxzT5 u8LNKFRuy+HiCjeUyhdfP66Q+20t2Zuwe1XlzPaJQr0Id7I8d7kI6NtfnbfwJNkjkBDzW9S74vyu OHv/+eK8KJ8vviTPqjAUaN2L2EbbtN3xwq57TBkbqCkjN6RpvCXsPUEfBvU6c+IkxSksjeBRZzIw cHChwGYNElx9RFU0iHAKTXvd00RCmZEOJUq5hMOiGa6krfHQ+Ct71GzqQ4itHBKrXR7Y4RU9nJ81 CjJGqtAcaHNGK5rAWZmtXMmIgm6vw6yuhTozt7oRzRRFh1uhsjaxOZSDyQvVYLCwJjQ1CFohsPIq nPk1azjsYEYCbXfro9wtxgsX6SIZ4YBkPtJ6z/uobpyUx8qcIloPGwz64HiK1UrcWprsG3A7i5PK 7BoL2OXeexMv5RE88xJQO5mOLCknJ0vQUdtrNZebHvJx2vbGcE6GxzgFr0vdR2IWwmWTr4QN+1OT 2WT5zJutXDE3Cepw9WHtPqewUwdSIdUWlpENDTOVhQBLNCcr/3ITzHpRClRUo7NJsbIGwfCvSQF2 dF1LxmPiq7KzSyPadvY1K6V8oogYRMERGrGJ2Mfgfh2qoE9AJVx3mIqgX+BuTlvbTLnFOUu68o2Y wdlxzNIIZ+VWp2ieyRZuClIhg3kriQe6VcpulDu/KiblL0iVchj/z1TR+wncPqwE2gM+XA0LjHSm tD0uVMShCqUR9fsCGgdTOyBa4H4XpiGo4ILa/BfkUP+3OWdpmLSGQ6TapyESFPYjFQlC9qAsmeg7 hVg927ssSZYRMhFVElemVuwROSRsqGvgqt7bPRRBqJtqkpUBgzsZf+57lkGjUDc55XxzKlmx99oc +Kc7H5vMoJRbh01Dk9u/ELFoD2a7ql1vlud7b1kRPTFrsxp5VgCz0lbQytL+NUU451ZrK9acxsvN XDjw4rzGMFg0RCncISH9B/Y/Knxmv3boDXXI96G2Ivh4oYlB2EBUX7KNB9IF0g6OoHGygzaYNClr 
2qx10lbLN+sL7nQLvieMrSU7i7/PaeyiOXPZObl4kcbOLOzY2o4tNDV49mSKwtA4P8gYx5jPZOUv WXx0Dxy9Bd8MJkxJE0zwnUpg6KEHJg8g+S1Hs3TjLwAAAP//AwBQSwMEFAAGAAgAAAAhACW3LQeX AwAAGQkAABEAAAB3b3JkL3NldHRpbmdzLnhtbLRW227jNhB9L9B/MPRcR5JvyQpxFqljt7uIu0WV /QBKGstEeANJWfF+fYekGG8aNwi66JPJOTOHc5evPz5xNjqANlSKZZJfZMkIRC0bKtpl8vVhM75K RsYS0RAmBSyTI5jk483PP133hQFrUc2MkEKYgtfLZG+tKtLU1HvgxFxIBQLBndScWLzqNuVEP3Zq XEuuiKUVZdQe00mWLZKBRi6TTotioBhzWmtp5M46k0LudrSG4Sda6Pe8GyzvZN1xENa/mGpg6IMU Zk+ViWz8v7JhiPtIcngriANnUa/Ps7c0h3B7qZtni/e45wyUljUYgwXiLITLCRXPNPnsFdFzqi8w 1Wl4O3VUaJ5n/nTy3LBX9meqHap4TytNdCgzNoDzgtfFp1ZITSqGTdXns+QGO+qblHzUFwp0jUXC dsyyJHUABiN3pSUWEDYKGPP9WTMgSNYXrSYcO2uZBIm3aWBHOmYfSFVaqVDpQNDny8lAWe+JJrUF XSpSI9tKCqsli3qN/EPaFXapxiQGJ0LPOnfCqQz9jxaCcIwiSIee3soGnGedpq8S9a+JdgbeS8yH j+H8QxLnVdMGMDQGpT0y2KDzJf0Gt6L53BlLcUp8Z/+AB285AMK9/AWn++GoYAPEdpim/+kxX4kN o2pLtZb6k2iwN370sTQW0ZUTl19j4uEvKW0sQ5Zlk+nqwybkwqm9B8lX+ezq6pzNdIF063PIYj27 W+TnkMt8lt1enkM+zKeL2/k5ZD3P1+tbh2CcQ3S8cAvqT31zHU6uZUY8tNuK8EpTMtq6FYZWvKj0 469URLwCXOHwPVJ2VQTH4wAYThjb4ExFwA8aLxpq1B3sPC3bEt2eeAcNfVaK8/v5mcvtA9C/admp 8FqviQqtEJ/LZ7OBjwp7T3mUm64qo5XANfQd1Inmy0E7wvSUnr6w+PXyI3VPRBsrDmL8tXSq2DlM l+4LB1uiFK4OVKnafJkw2u5t7sbA4q3BL52/VO1kwCYew5vD/IXULjLUHg5OIRxRazicZNMom55k uMeD3uwkm0fZ/CRbRBl+aftij3OrcYk+4nKKRyffScZkD83vUbhMXolCEsyeKMC6uh2LwyMLLxiW rhkdCnjCDQ4NtfgHQtGGkye30CcLZz5oM3KUnX2h6zCnrF5IRw2xBM19qV4Y+xb/hy990UBNsR3L I69OK/0iOM6osSUo3P5WagzZL9xfPPPpP83N3wAAAP//AwBQSwMEFAAGAAgAAAAhABegFk4CAQAA rAEAABQAAAB3b3JkL3dlYlNldHRpbmdzLnhtbIzQwUoDMRAG4LvgOyy5t9mVIrJ0tyBS8SKC+gBp dnYbzGTCTGqsT2/aqiBeesskmY+Zf7n6QF+9A4uj0KlmXqsKgqXBhalTry/r2Y2qJJkwGE8BOrUH Uav+8mKZ2wybZ0ip/JSqKEFatJ3aphRbrcVuAY3MKUIojyMxmlRKnjQaftvFmSWMJrmN8y7t9VVd X6tvhs9RaBydhTuyO4SQjv2awReRgmxdlB8tn6Nl4iEyWRAp+6A/eWhc+GWaxT8InWUSGtO8LKNP E+kDVdqb+nhCryq07cMUiM3GlwRzs1B9iY9icug+YU18y5QFWB+ujfeUnx7vS6H/ZNx/AQAA//8D AFBLAwQUAAYACAAAACEAh5Ac0qQIAABRQQAAGgAAAHdvcmQvc3R5bGVzV2l0aEVmZmVjdHMueG1s 
zFzfc9s4Dn6/mfsfNHpPbSdpvM2su5NNN9vMdHe7dTL3TMt0zIkk6vQjbvavPxCUaFmyLCBSZ+7J EUXiAwjgA+MQ+fmX71Hovcg0Uzpe+LN3U9+TcaDXKn5a+I8Pd2c/+V6Wi3gtQh3Lhf8qM/+Xj//+ 18+76yx/DWXmgYA4u94lwcLf5nlyPZlkwVZGInsXqSDVmd7k7wIdTfRmowI52el0PTmfzqb4U5Lq QGYZoN2K+EVkfikuakvTiYwBa6PTSOTZO50+TSKRPhfJGUhPRK5WKlT5K8ieXlVi9MIv0vi6VOjM KWSWXFuFyo9qRdqy4giuXflJB0Uk4xwRJ6kMQQcdZ1uV7M14qzQwcVup9HLKiJcorObtktllC8+Z TPHBp1TswBV7gS1xRzZjbRdFod0H49+9V5sSZ9NTxpQeMSKcDhQVDjErTSKhYifmbVtT31zIhyHx /Xuqi8Spk6hh0u7jZyfLpCVDs+kVZl7dtIwloJW6y61IpO9FwfX9U6xTsQpBo93s0jMR6X8Eqljr 4JPciCLMM/OYfk3Lx/IJP+50nGfe7lpkgVIPQCEgJVIg8PNNnCkf3kiR5TeZEkdfbs2so2+CLK9J +1WtlT8xiNk/IPNFhAv//LwauTUaHIyFIn6qxmR89risa7Lw3dAK5C58kZ4tb4ywCZpZfdbMTQ6M hydUJREBZB7giE0ugYSAxQxOqIx3z+fAaPbhW2E2VxS5LkFQAIDVxcJjY8eBm4Cplpax4a3cfNHB s1wvc3ix8BELBh/vv6ZKp0CjC//DB4MJg0sZqc9qvZamQJRjj/FWreV/tjJ+zOR6P/73HdJzKTHQ RZyD+ldzjIIwW//2PZCJoUkQHQvj4T/NAuAwcEcNBxUq1F4bO9BAxcH/VpAz68OjKFspTEnzUP+T QGh1MRjo3FhUNwDlsnS9GC7icriI98NFYPAO24v5cC3gIDPUIzY2alFJd2quAxt89X24+HAiZM2K VhT1rmgFTe+KVoz0rmiFRO+KVgT0rmg5vHdFy7+9K1ruPLkiEEhczSi6wN0gJfaDykOokz1MNxtI dWWp8b6KVDylItl6prA21T5FlstildNURTp9O1ku81Sb42bPjkB1Nqn7Zk7+LUq2IlNwKu8DGrj1 D+bo4/2eKji+9kC9t8HXsgkPJkdL2NdQBHKrw7VMvQf53XqUsf5P7S3tKaNXuYFu/aKetrkHp0JT cnvBrjo2vXsnrPwvKsM9OFnNrzpM6RNO8uFVR1x2C/9DrlURVVtDOI1cWT5nuLkBgSqe3qJL46J2 dvVaYRxAMcGWC74JKJ+gvy0ufPnGxxT9bSl6o3yC/rZwvVE+xsdp/7KZ5hN8reKR0mvOzt1bHep0 U4RVDvTSw5ydwQ6CZgI7iZ18EknM2Rl8QJ/eTRDAb26UOGX7Ys+jDBS2OywKJhvdFrZTGrQ3Y1jE dlAD65yBNYxrGUBs0v0mX5T5EphbDJCl3VmzN50vOnYAShDpDP13ofP+M/R5B+dRUe5j+Lokkx4N 7aIj86hoZTzZesfw8bDCxwAaVgEZQMNKIQOoIz66zzyuJtJBhhdHBhabll0Vw7AjM/OczcwOiFcC RqqbhPNXR/Z2x0K7bhJQ2A5q100CCts7jVrm6iYBa7S6ScDqqBrdPqpzKscodt2sA7mTAMGiccib ADQOeROAxiFvAtBw8u4HGY+8CVhsbnCcWidvAhBO4fyq74Dq5E0AYnODZbvyO6Oq7qGU07/cjkDe BBS2g9rkTUBhe6eLvAlYOIUTCQ0sR3UErHHImwA0DnkTgMYhbwLQOORNABqHvAlAw8m7H2Q88iZg sbnBcWqdvAlAbHpwQHXyJgDhFA43HCVvzPofTt4EFLaD2uRNQGF7p0Go7pBKwGI7qIHlyJuAhVM4 
wVBiYXBzjBqHvAkWjUPeBKBxyJsANA55E4CGk3c/yHjkTcBic4Pj1Dp5E4DY9OCA6uRNAGJzw1Hy xmT84eRNQGE7qE3eBBS2dxqE6niOgMV2UAPLkTcBC+NlMHkTgHDKW4E4Fo1D3gSLxiFvAtA45E0A Gk7e/SDjkTcBi80NjlPr5E0AYtODA6qTNwGIzQ1HyRtz5IeTNwGF7aA2eRNQ2N5pEKojbwIW20EN LEd1BKxxyJsAhIE5mLwJQDjlDUCYRRw3jUPeBIvGIW8C0HDy7gcZj7wJWGxucJxaJ28CEJseHFCd vAlAbG4w92zhvij5euqsIwio9wyqWw1kwPMOJ1EBSwO/yY1MoatQ9t8OGQhYWchA7AgPqom/av3s 0S52X3QECBlKrUKl8Ur3K97SqTUiXMxPdBI8/HXrfbYNMK11GFKHN2+ge6jeLoTtSaZxCPTMXxNo 2Umqm+VGGjQImb6usgUIe0LvoSGobOsxi02fD0zEpqpyGP9uW6LCz4CIC9tQwRawAuiIOgFVXnh3 d5DwunsTuONWPCqyb8mo1Cxvx+/PUHbewR3Nk3rn5ib4CZ3xpvjJPfJwivVqW0FozkKV+jQEl61C 22IGP9zHa7BwV3ZnWWeuvwsrCt7fyjD8Q2BDWq6T7qmh3OT27WyKFbAhaqXzXEfd61O8II6aHBMA 4VBXxj4aI7rjJC6ilUzL6+adIWkqB3aiHYakvevaEQrUne7W7SBdXILAdX4V4z3+ZqjiG3vFH3Va CWix+8t0zLVSCNoDn6txJ/AWcqYvbg4PYQgDLeAmOhBjOp3PLqc3Jal09Sji317LDsVL93C8Q7Hs hoSPgzbPhX8LLdM6NJ3fu2ts4awN2RDfd2lWaflPrUsTx2Dzoaf0VIAcEElQZBCf2A3Z5K3DXex2 jbff5YZ/jtIRWnLUW32e6nYLWvz/saEuqj9DgUiNna002785FtTdm9bNfb0x/OH9xdXNe7vB5WYF 5vr5Psqn07s7E3jYH4znPuiEdiagokU12/yTAuB0GGxHW5X82cf/AQAA//8DAFBLAwQUAAYACAAA ACEAKiQEt08BAACBAgAAEQAIAWRvY1Byb3BzL2NvcmUueG1sIKIEASigAAEAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAjJJfS8MwFMXfBb9DyXuXtGX+CW0HKnsQB4ITxbeQ3G1hTRqSuLpvb9pu tUUffEzOub+cc9t88aWq6ADWyVoXKJkRFIHmtZB6W6DX9TK+QZHzTAtW1RoKdASHFuXlRc4N5bWF Z1sbsF6CiwJJO8pNgXbeG4qx4ztQzM2CQwdxU1vFfDjaLTaM79kWcErIFVbgmWCe4RYYm4GITkjB B6T5tFUHEBxDBQq0dziZJfjH68Eq9+dAp4ycSvqjCZ1OccdswXtxcH85ORibppk1WRcj5E/w++rp pasaS93uigMqc8Ept8B8bcuV3EP0GNbncjy6bldYMedXYdsbCeLuOHH+VtsBCwfZfqsyy/H4GN7r 6vWPgohCYNrXOytv2f3DeonKlCTzmGRxkqwJofNrSshHG2wy3xboL9Qp3j+JKU1vp8QzoOwST3+a 
8hsAAP//AwBQSwMEFAAGAAgAAAAhACyk3FEdCAAAYD4AAA8AAAB3b3JkL3N0eWxlcy54bWzMW9tu 2zgQfV9g/0HQe+pbEm+CukWaNpsAvaR1gn2WJTomIoleSW6Sfv0OhxItS5Y1E6nAPsW6cM4M5/AM 7XDevn+OQuenSFKp4pk7ejN0HRH7KpDxw8y9v7s6+st10syLAy9UsZi5LyJ137/784+3T+dp9hKK 1AEDcXoe+TN3lWXr88Eg9Vci8tI3ai1ieLhUSeRlcJk8DCIvedysj3wVrb1MLmQos5fBeDg8dXMz CcWKWi6lLz4qfxOJOMPxg0SEYFHF6Uqu08LaE8Xak0qCdaJ8kaYQdBQae5EnY2tmdFwzFEk/Uala Zm8gmIHxaKBNwfDRED9FoetE/vnNQ6wSbxHC5D2Njt13MHOB8j+KpbcJs1RfJrdJfplf4Z8rFWep 83Tupb6UdzClYCCSYOv6Ik6lC0+El2YXqfT2Plzpt/Y+8dOsZO2DDKQ70IjpL7D50wtn7nhc3LnU HuzcC734obgn4qP7edmTmWtvLcDuzPWSo/mFNjbAMIu/pXDXO8HDFbqy9nxIBuB4y0wAKYAjGieU moPjKfDFXPzY6Hn1NpnKQdAAgJXNwmVlxoErwJy5ITA8FcvPyn8UwTyDBzMXseDm/c1tIlUCJJ25 Z2caE27ORSSvZRAIvV7ye/fxSgbin5WI71MRbO9/v0Ly5xZ9tYkzcP90iiwI0+DTsy/WmrZgOvZ0 hr/qAUAcSEcJBx3ayK035kYFFW/+W0COTA73oqyEp1e4g/4fBMKoN52BxjqicgBol+XrpLuJ4+4m TrqbQPJ2m4tpdy9A17tmxHCjxEp6UjPlG/KV52FydoCyekSNRa0jaqRpHVHjSOuIGiVaR9QY0Dqi lvDWEbX8to6opfPgCN9D4aqyaIKzQVrYdzILhR5/UIBGHaUuLzXOrZd4D4m3Xjm6sFbdPiSW880i o7mKcvp6sZxniYofWmcEqrNeuq/W5E/ReuWlEnZJLVM/7jj1d3rX4/ydyKAV6sSQrxYTbkz2lrDb 0PPFSoWBSJw78Wwyyhj/VTlzs8toda5jWj/Lh1XmzFdYclvBThsmvXkmjP3PMsU5OLiYThtCaTNO yuFpAy+bjX8RgdxExdQQdiOnRs8Zaa5AoIuHp+hYp6i+ulqj0AmghGDKBT8EtE/w3xQXvn2dY4r/ phS90j7Bf1O4Xmkf+XE4v2yl+QhfWh3S8pqy1+6lClWy3ITFGmiVhyl7BVsIWgjsRWztk0Riyl7B O/LpXPg+fHOj8JSdi62OMlDY6TAouNjosbCTUpG9ESMidoIqWGMGVjetZQCxRfeH+Cn1b2LcYoAq bfearct50jADUIJIe+jvG5W176HHDZpHRbmJ4eeSVDg0tEnDyqOi5Xwy9Y6R426FjwHUrQIygLqV QgZQAz+a9zy2JtJBuhdHBhZblm0VQ9qRlXnKVmYLxCsBPdVNwv6rYfU2c6FeNwko7ATV6yYBhZ2d Si2zdZOA1VvdJGA1VI3mHJU1lRMUu26WgexOgBBRP+JNAOpHvAlA/Yg3Aai7eLeD9CfeBCy2NlhN LYs3AQhf4XzVt0Bl8SYAsbXBqF3+m1FR99DK4S+3PYg3AYWdoLp4E1DY2WkSbwIWvsJhQgXLSh0B qx/xJgD1I94EoH7EmwDUj3gTgPoRbwJQd/FuB+lPvAlYbG2wmloWbwIQWx4sUFm8CUD4Ckcb9oo3 rvrfLt4EFHaC6uJNQGFnpyKodpNKwGInqIJlxZuAha9wyJBjIbk5QfUj3oSI+hFvAlA/4k0A6ke8 CUDdxbsdpD/xJmCxtcFqalm8CUBsebBAZfEmALG1Ya9442L87eJNQGEnqC7eBBR2diqCanWOgMVO 
UAXLijcBC/nSWbwJQPjKa4E4EfUj3oSI+hFvAlA/4k0A6i7e7SD9iTcBi60NVlPL4k0AYsuDBSqL NwGIrQ17xRvXyG8XbwIKO0F18SagsLNTEVQr3gQsdoIqWFbqCFj9iDcBCInZWbwJQPjKK4BwFXHS 1I94EyLqR7wJQN3Fux2kP/EmYLG1wWpqWbwJQGx5sEBl8SYAsbVBn7OF86Lk46mjBhJQzxkUpxrI gOOGJFEB8wB/iKVIoMlKtJ8O6QhYRMhAbKAHNcQPSj06tIPdkwaCkKHkIpQKj3S/4CmdUiPCZHqg k+Du26VzbRpgauOQUrsnb6B7qNwuhO1JunEI/Mxe1tCysy5Olmtr0CCk+7ryFiBskbuBhqC8rUcP 1n0+8CI2VeW38f+2OSp8BkQcWIfyV4DlQ0fUAaj8wLs9g4TH3avADafi0ZFtS0bhZn46fruHMu/t nNE86HemT4If8BlPih+cIwdfMVmtOwjNWehSm4eQskVoWszgw00cQITQJIj/NTPJDJ49YwqeX4ow /OJhQ1qm1s2vhmKZmaejIVbAiqmFyjIVNY9P8IA4erLPANCh7Iy51EE08yTeRAuRQIfXgTn/qnTl wE60XUqas64NVKDOdLNvO8vFLhA4zi9jPMdfpSo+MUf80aeFBy1233THXG0JQXvgY3HfGryENdPG m91NGMJAR6xmB2IMh9PR8fAiF5WmHkVkUd6heGwv9nco5t2Q8GenzXPmXkILqwq9VCcOWzhLtwzF t12axbL8VerSxHsw+dBTeoggO0Lib1LgJ3ZDVnVrdxabU+NsZ7mSn71yhJHszVZbpprTghH/PybU svoaCkSi46wts+2TfaRunrRm7Wvl8NnJ5PTixExwPlm+Pn6+ZflweHWliYf9wbjvg75nGwI6uine 1s3SoOlws862YvGn7/4DAAD//wMAUEsDBBQABgAIAAAAIQC6QBm8EQIAALcGAAASAAAAd29yZC9m b250VGFibGUueG1stJTbjtowEIbvK+07RL5f4oTsgWjDakuL1JteVNsHMMYBa32IPIYsb99xHLIX gEq2apCiMGP/mvn0zzw9v2uV7IUDaU1FsgkliTDcrqXZVOT36/L2kSTgmVkzZY2oyEEAeZ7ffHlq y9oaDwneN1BqXpGt902ZpsC3QjOY2EYYTNbWaebxr9ukmrm3XXPLrW6YlyuppD+kOaX3pJdx16jY upZcfLN8p4Xx3f3UCYWK1sBWNnBUa69Ra61bN85yAYA9axX1NJNmkMmKEyEtubNgaz/BZtJYURqk 8HpGuy+tSKJ5+WNjrGMrhezarCDzHlzSloZpDC6Ykisnu0TDjAWRYW7PVEVoTpf0Dt/hV9BpeJM0 KPAtcyD8cJDGcM20VIdjFFoJEBON9Hx7jO+Zk6GgmAK5wcQOVrQi3yk++XJJYiSrSIGBl8UQybGo +GT9mekQQedgYZ1OdySbdToYQZ3+VldnGq1zQuJVagHJT9Emv6xm5gKRnN4jiTvkEchMRxFxnW5H cASR/GXoHztZYCsPj8Wx/w8is78TiTrXE1mgoa1icAHFV0Qx+6Q5tF0LZ864o5bvYn3GGhn2fWKN 5TlrXAFirDUWduekcMEcF1g8oBUii2CLYpQtRrMIKM6ZYtpb4P+agmncF+wChzAWcTzCmIxbGJ8b j1NX0GIYmA8S3XrANfMvC6PfHDD/AwAA//8DAFBLAwQUAAYACAAAACEAPf4KlOwBAADzAwAAEAAI AWRvY1Byb3BzL2FwcC54bWwgogQBKKAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACcU8Fu 2zAMvQ/YPxi+N3LSri0CWcWQYuhhWwPEbc+aTCfCZEmQ2KDZ14+yG0fZdppPfCRFPT0+87u33hR7 CFE7W5fzWVUWYJVrtd3W5VPz5eK2LCJK20rjLNTlAWJ5Jz5+4OvgPATUEAsaYWNd7hD9krGodtDL OKOypUrnQi+RYNgy13Vawb1Trz1YZIuqumbwhmBbaC/8NLAcJy73+L9DW6cSv/jcHDwRFryB3huJ IL4nOmbWOuw5m7K8cShNo3sQl9eUnxBfyy1EMedsDPiLCy3hT5ecjSFf7WSQCklCcXtDhzPMP3tv tJJI4opvWgUXXYfF4yBDkc5zlrdwkmYD6jVoPIiKsxzyr9oSkxvOxoCYBbkN0u+iWCR6E+IbJQ2s 6P2ikyYCZ6cEfwCZdruWmvjyPS73oNCFIupftN1FWfyQEZJqdbmXQUuLpF5qG8EQGx8xiEajodlU G/EQ5m15rK+ShtRLwXljSo4cqHDObrghPnb0NvwH2XlOduAwUs3oZOF0xx9TV6730h6y9axc8C4M S6NtvpeT/D/jk2/cfbLRu7DnycwKLxp3Gy9V8k61oKWdXJGV+Ia8Ay2t+TjwlOAPtIRg0q101m6h Pfb8XUg+ex7/YTG/mlX0DcY65sge088lfgMAAP//AwBQSwECLQAUAAYACAAAACEACSSHgoEBAACO BQAAEwAAAAAAAAAAAAAAAAAAAAAAW0NvbnRlbnRfVHlwZXNdLnhtbFBLAQItABQABgAIAAAAIQAe kRq38wAAAE4CAAALAAAAAAAAAAAAAAAAALoDAABfcmVscy8ucmVsc1BLAQItABQABgAIAAAAIQBY NKCHWAEAAHAEAAAcAAAAAAAAAAAAAAAAAN4GAAB3b3JkL19yZWxzL2RvY3VtZW50LnhtbC5yZWxz UEsBAi0AFAAGAAgAAAAhAM/DNqF3BwAADlIAABEAAAAAAAAAAAAAAAAAeAkAAHdvcmQvZG9jdW1l bnQueG1sUEsBAi0AFAAGAAgAAAAhADDdQymoBgAApBsAABUAAAAAAAAAAAAAAAAAHhEAAHdvcmQv dGhlbWUvdGhlbWUxLnhtbFBLAQItABQABgAIAAAAIQAlty0HlwMAABkJAAARAAAAAAAAAAAAAAAA APkXAAB3b3JkL3NldHRpbmdzLnhtbFBLAQItABQABgAIAAAAIQAXoBZOAgEAAKwBAAAUAAAAAAAA AAAAAAAAAL8bAAB3b3JkL3dlYlNldHRpbmdzLnhtbFBLAQItABQABgAIAAAAIQCHkBzSpAgAAFFB AAAaAAAAAAAAAAAAAAAAAPMcAAB3b3JkL3N0eWxlc1dpdGhFZmZlY3RzLnhtbFBLAQItABQABgAI AAAAIQAqJAS3TwEAAIECAAARAAAAAAAAAAAAAAAAAM8lAABkb2NQcm9wcy9jb3JlLnhtbFBLAQIt ABQABgAIAAAAIQAspNxRHQgAAGA+AAAPAAAAAAAAAAAAAAAAAFUoAAB3b3JkL3N0eWxlcy54bWxQ SwECLQAUAAYACAAAACEAukAZvBECAAC3BgAAEgAAAAAAAAAAAAAAAACfMAAAd29yZC9mb250VGFi bGUueG1sUEsBAi0AFAAGAAgAAAAhAD3+CpTsAQAA8wMAABAAAAAAAAAAAAAAAAAA4DIAAGRvY1By b3BzL2FwcC54bWxQSwUGAAAAAAwADAAJAwAAAjYAAAAA 
--_005_4E1F6AAD24975D4BA5B1680429673943A2F496F5TK5EX14MBXC292r_-- From nobody Wed Mar 11 02:03:09 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB4DE1AC427 for ; Wed, 11 Mar 2015 02:03:08 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8-TZ6RbPRjNN for ; Wed, 11 Mar 2015 02:03:03 -0700 (PDT) Received: from mail-wg0-x234.google.com (mail-wg0-x234.google.com [IPv6:2a00:1450:400c:c00::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C35651A1AB1 for ; Wed, 11 Mar 2015 02:03:02 -0700 (PDT) Received: by wggx12 with SMTP id x12so7538917wgg.13 for ; Wed, 11 Mar 2015 02:03:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=7rO29oQrLVcHVIgXupRAt/2OO+DtOsGOTY0KozuEMWc=; b=hvyyeFymMZs3gSX3Ja6cYIvgEKQu5yVY6dFbN2MwfigbQxJBqQn/kB+RDyHPEZe/00 jGCEfxJ1c2YqVkhyY6TDLxDAuVs7odIBXBkklhji/0IoYHRc6KLKCt3Q9gZfKztpfLKo 9xmdDINIVh82R2I6zDrrxRx/4ceFdaTdzkz7JqQ/2HRCPZEyBy45mSc66lKgMkhIJ/6B V5l60zHaP7bQwznmuwre8W0AgFVuOixbvqN12JsnKqm/eccBw+D7dGy6g9i3IzkjSsO6 8O2KRprMNAt3jsqIQwryXjG0T2HQIO4XqdWdC1iwTHMLP2wRiDPJtFyh1S48jpFVr2vq tMYQ== X-Received: by 10.180.75.108 with SMTP id b12mr75718081wiw.44.1426064581551; Wed, 11 Mar 2015 02:03:01 -0700 (PDT) Received: from [192.168.1.79] (4.197.130.77.rev.sfr.net. 
[77.130.197.4]) by mx.google.com with ESMTPSA id w4sm5151374wib.19.2015.03.11.02.03.00 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 11 Mar 2015 02:03:00 -0700 (PDT) Message-ID: <550004B3.70402@gmail.com> Date: Wed, 11 Mar 2015 10:02:43 +0100 From: Anders Rundgren User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: Mike Jones References: <4E1F6AAD24975D4BA5B1680429673943A2F496F5@TK5EX14MBXC292.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943A2F496F5@TK5EX14MBXC292.redmond.corp.microsoft.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit Archived-At: Cc: "jose@ietf.org" Subject: Re: [jose] My quest to learn how to create SubjectPublicKeyInfo values from scratch X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Mar 2015 09:03:08 -0000

On 2015-03-11 06:16, Mike Jones wrote:

Hi Mike,

I did approximately the same journey as you did when I created JCS for JavaScript. It wasn't easy. A bare-bones ASN.1 encoder is needed + tables holding OIDs for EC keys.

The encodeRSAPublicKey and encodeECPublicKey methods in https://code.google.com/p/openkeystore/source/browse/javascript/trunk/src/crypto/KeySerialization.js use decoded JWK values to generate SPKIs.

Since this list is crowded by die-hard ASN.1 experts, you may end up with lots of feedback :-)

BTW, I noted (unfortunately very late) that Java and .NET use different formats for EC signatures. None of the documents give any hint about what they produce. A signature is a signature...well not really.

Cheers,
Anders

> I’ve always loved learning new things, so I decided yesterday to try to learn first-hand how to write code that emitted X.509 SubjectPublicKeyInfo (SPKI) values from scratch.
> By “from scratch”, I mean using development tools without built-in X.509 or ASN.1 support.
>
> I took this on because of Stephen’s suggestion http://www.ietf.org/mail-archive/web/jose/current/msg04954.html that people could just hash the SPKI values to create a key thumbprint. Given I’d helped create the JSON-based hash input described in http://tools.ietf.org/html/draft-ietf-jose-jwk-thumbprint-03, I wanted to give his alternative suggestion a fair shake (and learn some new things along the way). This admittedly stream-of-consciousness and overly long message describes my expedition to date…
>
> Thus far, I’ve spent 5 hours trying to learn to do this. I spent about the first two hours searching for examples of creating the bytes of X.509 certificates or SubjectPublicKeyInfo values without using ASN.1 and/or X.509 libraries. I failed.
>
> Next, I tried to read the authoritative reference for what’s in the SPKI field – the X.509 spec. Unfortunately, http://www.itu.int/rec/T-REC-X.509/en told me “This text was produced through a joint activity with ISO and IEC. According to the agreement with our partners, this document is only available through payment.” Since most developers would stop at that point, I did too.
>
> After that, I changed tacks and tried to find examples of sample certificates with commentary on what all the values mean – the kind of info developers would want when coding this. I had better luck with that. After about another hour of Web searching, I found this really useful example: http://tools.ietf.org/html/rfc7250#appendix-A. I also found this one: http://www.jensign.com/JavaScience/dotnet/JKeyNet/index.html. Going through them byte-by-byte enabled me to reverse engineer some of the ASN.1 and X.509 constructs used.
>
> Things I learned by looking at these 1024-bit RSA public key representations included:
>
> · ASN.1 uses byte-aligned Tag-Length-Value encodings.
> · The tags for SEQUENCE, OID, NULL, BIT STRING, and INTEGER are respectively 0x30, 0x06, 0x05, 0x03, and 0x02.
> · These Length values are encoded as follows:
>   o 159 – 0x81 0x9f
>   o 9 – 0x09
>   o 0 – 0x00
> · The OID 1.2.840.113549.1.1.1 is encoded in 9 bytes as 0x2a 0x86 0x48 0x86 0xf7 0x0d 0x01 0x01 0x01.
> · The OID is followed by an ASN.1 NULL - 0x05 0x00.
> · The RSA Key is represented as an encapsulated bit field.
> · There is an apparently unused zero byte (the 22nd byte of the SPKI field in the RFC 7250 example) as the first byte of this bit field.
> · The rest of the bit field contains concatenated representations of the modulus and the exponent as ASN.1 INTEGERs.
> · The 1024 bit modulus is represented in 129 bytes, with the first byte being zero.
>
> This brought me up to hour four. Next, I went looking for a 2048 bit cert to learn from (especially since JWA requires 2048+ bit RSA keys). I found http://fm4dd.com/openssl/certexamples.htm and chose 2048b-rsa-example-cert.der, from which I also learned:
>
> · These length values are encoded as follows:
>   o 290 – 0x82 0x01 0x22
>   o 257 – 0x82 0x01 0x01
> · From this, I deduced (possibly incorrectly ☺) that if the high bit of the first length byte is 0, the remaining 7 bits represent the length, but if the high bit of the first length byte is 1, the remaining 7 bits represent the number of bytes used to represent the actual length. (Hence the use of 0x81 for representing values in the range 128-255 and the use of 0x82 for representing values in the range 256-32767.)
> · Length values are represented in big-endian byte order.
> · The 2048 bit key representation also starts with an apparently unused zero byte.
> · The 2048 bit modulus is represented by 257 bytes, with the first byte being zero.
>
> Things I haven’t yet learned that I’d need to know to really write this code:
>
> · How are the OIDs in the table at http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendix-A represented as ASN.1 OID values?
> · Are multiple OIDs sometimes present before the ASN.1 NULL, and if so, which algorithms require which sets of OIDs in what order?
> · Is there always the apparently unused zero byte in the key representation or if not, when is it present and absent?
> · Is there always a leading zero byte in the RSA modulus or if not, when is it present and absent?
> · How are elliptic curve keys represented?
>
> This brought me up to about the fifth hour of my investigation, and I decided to stop and write up my findings to date. Highlighted versions of the example certificate from RFC 7250 and the SPKI value from fm4dd.com are attached, should any of you want to follow along with my reverse engineering. Tags are yellow. Lengths are green. OIDs are purple. The apparently unused byte is red. Key values are blue.
>
> I readily admit that I could have easily missed something while searching. If someone can point me to self-contained descriptions of this information, I’d love to see them!
>
> ==== CONCLUSIONS ====
>
> 1. I think it would be a fine thing to do to write an RFC describing the mapping between key values and their SPKI representations. This could take the form of a cookbook with entries like “For a 2048 bit RSA key using RSASSA with SHA-256, emit these bytes, filling in slots A and B in the template with the 256 bytes of the mantissa and the 3 bytes of the exponent”. Based on my searching, I don’t think this information exists anywhere in a self-contained form accessible to developers (but I could be wrong, of course). I’m not going to personally do it, but if any of you want to go for it, have at it!
>
> 2. If my experience is representative, telling developers to just hash the SPKI representation of a JWK won’t be very effective unless they already have X.509 support. Most will probably give up well before the 5 hours that I’ve invested to get this partial understanding of what I’d need to know. If my experience is representative, draft-ietf-jose-jwk-thumbprint will be much easier to implement for these developers.
>
> Trying to live in the shoes of developers,
>
> -- Mike
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>

From nobody Wed Mar 11 05:23:05 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44CC91A878B for ; Wed, 11 Mar 2015 05:23:04 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.377 X-Spam-Level: X-Spam-Status: No, score=-1.377 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K7EAE1pKfVSF for ; Wed, 11 Mar 2015 05:22:57 -0700 (PDT) Received: from mail-lb0-f175.google.com (mail-lb0-f175.google.com [209.85.217.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27D1C1A8725 for ; Wed, 11 Mar 2015 05:22:57 -0700 (PDT) Received: by lbvp9 with SMTP id p9so8383274lbv.8 for ; Wed, 11 Mar 2015 05:22:55 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=/H8ptOdXl7U/0+gnaTBlKCh5WaBclbHg3x+kXb+yA08=;
b=eucOD0KxxV1X3ZBMNgC8urnz2IkesSrYfE506QMwwVXLs8DBxL4tNcum/nduEbTwP3 Ktbx/oxCKIBpDzIJTgDbo0uDASyHTn6FX5m/+c+nZmAqP8uwj3Xctc6AVrPiFclPSHIF dTT8WaOqvKBarEdyS9qgol+8OjCnue3O3T/mNbsMwGXwL/Bz9VrNuykT5Nq57gM0nAwb Ung/s1YALo3ZYqygVa3+CDiNE8qn8xoPc4Hh1PXM2Eh16GIY4/SB1t2udFiWOY16TBB4 K068FBwGjgGt3Gob9aT5uHtbXjT6qYMpnEFlSFcgFoDIftQ4ytVykWkhxHkfxl9FhFc3 +ykw== X-Gm-Message-State: ALoCoQnPH0n14F1n31pt8O7FNBGbg6QhR22d2/dAx4gOnVe4DaRRAob0wiJchfDUZTKxU7CS5IkW MIME-Version: 1.0 X-Received: by 10.152.1.1 with SMTP id 1mr33920136lai.63.1426076575382; Wed, 11 Mar 2015 05:22:55 -0700 (PDT) Received: by 10.25.135.4 with HTTP; Wed, 11 Mar 2015 05:22:55 -0700 (PDT) In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943A2F496F5@TK5EX14MBXC292.redmond.corp.microsoft.com> References: <4E1F6AAD24975D4BA5B1680429673943A2F496F5@TK5EX14MBXC292.redmond.corp.microsoft.com> Date: Wed, 11 Mar 2015 05:22:55 -0700 Message-ID: From: Richard Barnes To: Mike Jones Content-Type: multipart/alternative; boundary=089e013c6af0b2dc260511025315 Archived-At: Cc: Nat Sakimura , "jose@ietf.org" , Stephen Farrell Subject: [jose] My quest to learn how to create SubjectPublicKeyInfo values from scratch X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Mar 2015 12:23:04 -0000 --089e013c6af0b2dc260511025315 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hey Mike, Thanks for the narrative. 
I think you might not be thinking quite as lazily as some hackers :) The lazy hacker can cover 99+% of cases with the following few lines of JS, which could easily be encoded in an appendix:

-----BEGIN-----
// Each prefix ends with the tag and length of the modulus INTEGER
// (0x81 = 129 bytes for a 1024-bit key, 0x0101 = 257 bytes for a 2048-bit key).
var RSA_1024_PREFIX = "30819F300D06092A864886F70D010101050003818D00308189028181";
var RSA_2048_PREFIX = "30820122300D06092A864886F70D01010105000382010F003082010A02820101";
var RSA_SUFFIX = "0203010001"; // INTEGER 65537, i.e. the exponent "AQAB"

// b64_to_hex is not defined in this message; it is assumed to turn a
// base64url string into the hex of the decoded bytes.
function SPKI_hex(jwk) {
  if (jwk.kty != "RSA" || jwk.e != "AQAB") {
    throw "Can't encode this";
  }
  // The "00" is the leading byte of the modulus INTEGER: the lengths in the
  // prefixes count one byte more than the 128 or 256 bytes decoded from jwk.n.
  if (jwk.n.length == 171) {
    return RSA_1024_PREFIX + "00" + b64_to_hex(jwk.n) + RSA_SUFFIX;
  } else if (jwk.n.length == 342) {
    return RSA_2048_PREFIX + "00" + b64_to_hex(jwk.n) + RSA_SUFFIX;
  }
  throw "Can't encode this";
}
-----END-----

This is pretty much the encoding design philosophy embraced by PKCS#1 itself:
https://tools.ietf.org/html/rfc3447#section-9.2

Also, if you want to analyze ASN.1 structs very quickly:
http://lapo.it/asn1js/

I have no love for ASN.1, but it's not really any more rocket science than other binary encodings.

--Richard

On Tue, Mar 10, 2015 at 10:16 PM, Mike Jones wrote:

> I’ve always loved learning new things, so I decided yesterday to try to
> learn first-hand how to write code that emitted X.509 SubjectPublicKeyInfo
> (SPKI) values from scratch. By “from scratch”, I mean using development
> tools without built-in X.509 or ASN.1 support.
>
> I took this on because of Stephen’s suggestion
> http://www.ietf.org/mail-archive/web/jose/current/msg04954.html that
> people could just hash the SPKI values to create a key thumbprint. Given
> I’d helped create the JSON-based hash input described in
> http://tools.ietf.org/html/draft-ietf-jose-jwk-thumbprint-03, I wanted to
> give his alternative suggestion a fair shake (and learn some new things
> along the way).
This admittedly stream-of-consciousness and overly long > message describes my expedition to date=E2=80=A6 > > > > Thus far, I=E2=80=99ve spent 5 hours trying to learn to do this. I spent= about > the first two hours searching for examples of creating the bytes of X.509 > certificates or SubjectPublicKeyInfo values without using ASN.1 and/or > X.509 libraries. I failed. > > > > Next, I tried to read the authoritative reference for what=E2=80=99s in t= he SPKI > field =E2=80=93 the X.509 spec. Unfortunately, > http://www.itu.int/rec/T-REC-X.509/en told me =E2=80=9CThis text was prod= uced > through a joint activity with ISO and IEC. According to the agreement wit= h > our partners, this document is only available through payment.=E2=80=9D = Since > most developers would stop at that point, I did too. > > > > After that, I changed tacks and tried to find examples of sample > certificates with commentary on what all the values mean =E2=80=93 the ki= nd of info > developers would want when coding this. I had better luck with that. > After about another hour of Web searching, I found this really useful > example: http://tools.ietf.org/html/rfc7250#appendix-A. I also found > this one: http://www.jensign.com/JavaScience/dotnet/JKeyNet/index.html. > Going through them byte-by-byte enabled me to reverse engineer some of th= e > ASN.1 and X.509 constructs used. > > > > Things I learned by looking at these 1024-bit RSA public key > representations included: > > =C2=B7 ASN.1 uses byte-aligned Tag-Length-Value encodings. > > =C2=B7 The tags for SEQUENCE, OID, NULL, BIT STRING, and INTEGER a= re > respectively 0x30, 0x06, 0x05, 0x03, and 0x02. > > =C2=B7 These Length values are encoded as follows: > > o 159 =E2=80=93 0x81 0x9f > > o 9 =E2=80=93 0x09 > > o 0 =E2=80=93 0x00 > > =C2=B7 The OID 1.2.840.113549.1.1.1 is encoded in 9 bytes as 0x2a = 0x86 > 0x48 0x86 0xf7 0x0d 0x01 0x01 0x01. > > =C2=B7 The OID is followed by an ASN.1 NULL - 0x05 0x00. 
> > =C2=B7 The RSA Key is represented as an encapsulated bit field. > > =C2=B7 There is an apparently unused zero byte (the 22nd byte of t= he > SPKI field in the RFC 7250 example) as the first byte of this bit field. > > =C2=B7 The rest of the bit field contains concatenated representat= ions > of the modulus and the exponent as ASN.1 INTEGERs. > > =C2=B7 The 1024 bit modulus is represented in 129 bytes, with the = first > byte being zero. > > > > This brought me up to hour four. Next, I went looking for a 2048 bit cer= t > to learn from (especially since JWA requires 2048+ bit RSA keys). I foun= d > http://fm4dd.com/openssl/certexamples.htm and chose > 2048b-rsa-example-cert.der, from which I also learned: > > =C2=B7 These length values are encoded as follows: > > o 290 =E2=80=93 0x82 0x01 0x22 > > o 257 =E2=80=93 0x82 0x01 0x01 > > =C2=B7 From this, I deduced (possibly incorrectly J) that if the h= igh > bit of the first length byte is 0, the remaining 7 bits represent the > length, but if the high bit of the first length byte is 1, the remaining = 7 > bits represent the number of bytes used to represent the actual length. > (Hence the use of 0x81 for representing values in the range 128-255 and t= he > use of 0x82 for representing values in the range 256-32767.) > > =C2=B7 Length values are represented in big-endian byte order. > > =C2=B7 The 2048 bit key representation also starts with an apparen= tly > unused zero byte. > > =C2=B7 The 2048 bit modulus is represented by 257 bytes, with the = first > byte being zero. > > > > Things I haven=E2=80=99t yet learned that I=E2=80=99d need to know to rea= lly write this > code: > > =C2=B7 How are the OIDs in the table at > http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendi= x-A > represented as ASN.1 OID values? > > =C2=B7 Are multiple OIDs sometimes present before the ASN.1 NULL, = and > if so, which algorithms require which sets of OIDs in what order? 
> > =C2=B7 Is there always the apparently unused zero byte in the key > representation or if not, when is it present and absent? > > =C2=B7 Is there always a leading zero byte in the RSA modulus or i= f > not, when is it present and absent? > > =C2=B7 How are elliptic curve keys represented? > > > > This brought me up to about the fifth hour of my investigation, and I > decided to stop and write up my findings to date. Highlighted versions o= f > the example certificate from RFC 7250 and the SPKI value from fm4dd.com > are attached, should any of you want to follow along with my reverse > engineering. Tags are yellow. Lengths are green. OIDs are purple. The > apparently unused byte is red. Key values are blue. > > > > I readily admit that I could have easily missed something while > searching. If someone can point me to self-contained descriptions of thi= s > information, I=E2=80=99d love to see them! > > > > =3D=3D=3D=3D CONCLUSIONS =3D=3D=3D=3D > > > > 1. I think it would be a fine thing to do to write an RFC describing the > mapping between key values and their SPKI representations. This could ta= ke > the form of a cookbook with entries like =E2=80=9CFor a 2048 bit RSA key = using > RSASSA with SHA-256, emit these bytes, filling in slots A and B in the > template with the 256 bites of the mantissa and the 3 bytes of the > exponent=E2=80=9D. Based on my searching, I don=E2=80=99t think this inf= ormation exists > anywhere in a self-contained form accessible to developers (but I could b= e > wrong, of course). I=E2=80=99m not going to personally do it, but if any= of you > want go for it, have at it! > > > > 2. If my experience is representative, telling developers to just hash > the SPKI representation of a JWK won=E2=80=99t be very effective unless t= hey > already have X.509 support. Most will probably give up well before the 5 > hours that I=E2=80=99ve invested to get this this partial understanding o= f what I=E2=80=99d > need to know. 
If my experience is representative, > draft-ietf-jose-jwk-thumbprint will be much easier to implement for these > developers. > > > > Trying to live in the shoes of developers, > > -- Mike > > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > > --089e013c6af0b2dc260511025315 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
From nobody Wed Mar 11 05:42:29 2015
From: Stephen Farrell
To: Mike Jones
Cc: Nat Sakimura, "jose@ietf.org"
Date: Wed, 11 Mar 2015 12:42:24 +0000
Subject: Re: [jose] My quest to learn how to create SubjectPublicKeyInfo values from scratch

Hi Mike,

Simplest is [0] as used in public key pinning for web servers. (That should pop out as an RFC any time now btw.) I really doubt any claim that there's some magic needed to make this work as those two lines of script show.

But given you wanted to learn, and not just get stuff done, it's a pity you didn't start from RFC5280, [1] and RFCs 3279 [2] and 5480. [3] Lots of pages there it's true, but actually only very few need to be read if one only cares about SPKI.

Or, maybe just search for the thing you're after [4] and you'll see a bunch of fine information, including howto in the search is even better. [5]

Or, if you want code examples those are there too. [6]

I have to admit to being more than surprised that 5 hours of effort didn't throw up any of that.

But if, after that, you're still desperate, then you could look at code I wrote, (you would need to be desperate to try learn from my crappy code:-) [7] being an example of doing this for RSA in about a dozen JS LOC without any ASN.1 support using the Stanford JS library, and [8] being openssl 'C' code. Or the netinf code [9] implements RFC6920 [10] with implementations of what you need in other languages like php, python and ruby as well, even clojure if you want to be fancy:-)

Anyway, it took me ~20 minutes to find all those again, and I guess it might take a while to read everything and find the bits you want, but from my POV if someone is developing a generic library for this kind of thing, they really should understand all this already, (or I don't want them writing crypto code on which I depend) or else if all that's needed is a quick bit of code for say a client that emits a key id, then the stackoverflow approach of copying from examples should be fine.

Either way, there is IMO not even a scintilla of credibility to any claim that this is super complex or anything like it.

I think I'd summarise the real argument against SPKI here as being: "I want to do what I thought of first." And of course since that's not a very good argument, further discussion seems to dive into even worse argument, such as this being too difficult, taking hours or being nasty-old-ASN.1 etc.

Cheers,
S.

[0] https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21#appendix-A
[1] https://tools.ietf.org/html/rfc5280
[2] https://tools.ietf.org/html/rfc3279
[3] https://tools.ietf.org/html/rfc5480
[4] https://www.google.ie/search?q=subjectpublickeyinfo&sa=G&gbv=1&sei=aC4AVdP1OcHP7gaO9oHoBw
[5] https://www.google.ie/search?q=subjectpublickeyinfo+howto&btnG=Search&gbv=1
[6] https://www.google.ie/search?q=sha256+spki+code&btnG=Search&gbv=1
[7] http://sourceforge.net/p/hoba/code/ci/master/tree/js/hoba-gen-key.js#l60
[8] http://sourceforge.net/p/hoba/code/ci/master/tree/lib/hoba-crypt.cc#l74
[9] http://sourceforge.net/p/netinf/code/ci/default/tree/
[10] http://tools.ietf.org/html/rfc6920

On 11/03/15 05:16, Mike Jones wrote:
> I've always loved learning new things, so I decided yesterday to try
> to learn first-hand how to write code that emitted X.509
> SubjectPublicKeyInfo (SPKI) values from scratch. By "from scratch",
> I mean using development tools without built-in X.509 or ASN.1
> support.
>
> I took this on because of Stephen's suggestion
> http://www.ietf.org/mail-archive/web/jose/current/msg04954.html that
> people could just hash the SPKI values to create a key thumbprint.
> Given I'd helped create the JSON-based hash input described in
> http://tools.ietf.org/html/draft-ietf-jose-jwk-thumbprint-03, I
> wanted to give his alternative suggestion a fair shake (and learn
> some new things along the way). This admittedly
> stream-of-consciousness and overly long message describes my
> expedition to date...
>
> Thus far, I've spent 5 hours trying to learn to do this. I spent
> about the first two hours searching for examples of creating the
> bytes of X.509 certificates or SubjectPublicKeyInfo values without
> using ASN.1 and/or X.509 libraries. I failed.
>
> Next, I tried to read the authoritative reference for what's in the
> SPKI field - the X.509 spec.
> Unfortunately,
> http://www.itu.int/rec/T-REC-X.509/en told me "This text was produced
> through a joint activity with ISO and IEC. According to the agreement
> with our partners, this document is only available through payment."
> Since most developers would stop at that point, I did too.
>
> After that, I changed tacks and tried to find examples of sample
> certificates with commentary on what all the values mean - the kind
> of info developers would want when coding this. I had better luck
> with that. After about another hour of Web searching, I found this
> really useful example: http://tools.ietf.org/html/rfc7250#appendix-A.
> I also found this one:
> http://www.jensign.com/JavaScience/dotnet/JKeyNet/index.html. Going
> through them byte-by-byte enabled me to reverse engineer some of the
> ASN.1 and X.509 constructs used.
>
> Things I learned by looking at these 1024-bit RSA public key
> representations included:
>
> * ASN.1 uses byte-aligned Tag-Length-Value encodings.
>
> * The tags for SEQUENCE, OID, NULL, BIT STRING, and INTEGER
> are respectively 0x30, 0x06, 0x05, 0x03, and 0x02.
>
> * These Length values are encoded as follows:
>
>   o 159 - 0x81 0x9f
>
>   o 9 - 0x09
>
>   o 0 - 0x00
>
> * The OID 1.2.840.113549.1.1.1 is encoded in 9 bytes as 0x2a
> 0x86 0x48 0x86 0xf7 0x0d 0x01 0x01 0x01.
>
> * The OID is followed by an ASN.1 NULL - 0x05 0x00.
>
> * The RSA Key is represented as an encapsulated bit field.
>
> * There is an apparently unused zero byte (the 22nd byte of
> the SPKI field in the RFC 7250 example) as the first byte of this bit
> field.
>
> * The rest of the bit field contains concatenated
> representations of the modulus and the exponent as ASN.1 INTEGERs.
>
> * The 1024 bit modulus is represented in 129 bytes, with the
> first byte being zero.
>
> This brought me up to hour four. Next, I went looking for a 2048 bit
> cert to learn from (especially since JWA requires 2048+ bit RSA
> keys). I found http://fm4dd.com/openssl/certexamples.htm and chose
> 2048b-rsa-example-cert.der, from which I also learned:
>
> * These length values are encoded as follows:
>
>   o 290 - 0x82 0x01 0x22
>
>   o 257 - 0x82 0x01 0x01
>
> * From this, I deduced (possibly incorrectly :)) that if the
> high bit of the first length byte is 0, the remaining 7 bits
> represent the length, but if the high bit of the first length byte is
> 1, the remaining 7 bits represent the number of bytes used to
> represent the actual length. (Hence the use of 0x81 for representing
> values in the range 128-255 and the use of 0x82 for representing
> values in the range 256-32767.)
>
> * Length values are represented in big-endian byte order.
>
> * The 2048 bit key representation also starts with an
> apparently unused zero byte.
>
> * The 2048 bit modulus is represented by 257 bytes, with the
> first byte being zero.
>
> Things I haven't yet learned that I'd need to know to really write
> this code:
>
> * How are the OIDs in the table at
> http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendix-A
> represented as ASN.1 OID values?
>
> * Are multiple OIDs sometimes present before the ASN.1 NULL,
> and if so, which algorithms require which sets of OIDs in what
> order?
>
> * Is there always the apparently unused zero byte in the key
> representation or if not, when is it present and absent?
>
> * Is there always a leading zero byte in the RSA modulus or if
> not, when is it present and absent?
>
> * How are elliptic curve keys represented?
>
> This brought me up to about the fifth hour of my investigation, and I
> decided to stop and write up my findings to date. Highlighted
> versions of the example certificate from RFC 7250 and the SPKI value
> from fm4dd.com are attached, should any of you want to follow along
> with my reverse engineering. Tags are yellow. Lengths are green.
> OIDs are purple. The apparently unused byte is red. Key values are
> blue.
>
> I readily admit that I could have easily missed something while
> searching. If someone can point me to self-contained descriptions of
> this information, I'd love to see them!
>
> ==== CONCLUSIONS ====
>
> 1. I think it would be a fine thing to do to write an RFC describing
> the mapping between key values and their SPKI representations. This
> could take the form of a cookbook with entries like "For a 2048 bit
> RSA key using RSASSA with SHA-256, emit these bytes, filling in slots
> A and B in the template with the 256 bytes of the mantissa and the 3
> bytes of the exponent". Based on my searching, I don't think this
> information exists anywhere in a self-contained form accessible to
> developers (but I could be wrong, of course). I'm not going to
> personally do it, but if any of you want to go for it, have at it!
>
> 2. If my experience is representative, telling developers to just
> hash the SPKI representation of a JWK won't be very effective unless
> they already have X.509 support. Most will probably give up well
> before the 5 hours that I've invested to get this partial
> understanding of what I'd need to know. If my experience is
> representative, draft-ietf-jose-jwk-thumbprint will be much easier to
> implement for these developers.
>
> Trying to live in the shoes of developers,
> -- Mike

From nobody Wed Mar 11 05:54:52 2015
From: Carl Wallace
To: Mike Jones, Stephen Farrell
Cc: Nat Sakimura, "jose@ietf.org"
Date: Wed, 11 Mar 2015 08:54:38 -0400
Subject: Re: [jose] My quest to learn how to create SubjectPublicKeyInfo values from scratch

Inline…

From: Mike Jones
Date: Wednesday, March 11, 2015 at 1:16 AM

<snip>

Things I haven’t yet learned that I’d need to know to really write this code:

> ·  How are the OIDs in the table at
> http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendix-A
> represented as ASN.1 OID values?

OID encoding is a pain (but there are some free tools/source to help in this regard). Fortunately for you, as Richard implicitly noted, you don’t need the OIDs you reference when encoding a subject public key info. If you want to encode them for some other purpose, this site from your employer has a decent description of the OID encoding process: https://msdn.microsoft.com/en-us/library/bb540809(v=vs.85).aspx

> ·  Are multiple OIDs sometimes present before the ASN.1 NULL, and if so,
> which algorithms require which sets of OIDs in what order?

Multiple OIDs are never present before the ASN.1 NULL here (nor are the parameters represented as ASN.1 NULL for other algorithms). The structure is AlgorithmIdentifier as defined below. If multiple OIDs were permitted the algorithm field would be SEQUENCE or SET but it’s not.

   AlgorithmIdentifier  ::=  SEQUENCE  {
        algorithm               OBJECT IDENTIFIER,
        parameters              ANY DEFINED BY algorithm OPTIONAL  }

> ·  Is there always the apparently unused zero byte in the key
> representation or if not, when is it present and absent?

The leading zero is present for any integer value with the high bit set, which is the case for RSA keys being encoded here.

> ·  Is there always a leading zero byte in the RSA modulus or if not, when
> is it present and absent?

See above, except in this case the high bit is not set so no leading zero.

> ·  How are elliptic curve keys represented?

RFC 5912 is a fairly comprehensive resource for the structures you’ll need, including public key and parameter structures for different algorithms.
From nobody Wed Mar 11 06:08:03 2015
Message-ID: <55003E2A.6000502@cs.tcd.ie>
Date: Wed, 11 Mar 2015 13:07:54 +0000
From: Stephen Farrell
To: Richard Barnes, Mike Jones
References: <4E1F6AAD24975D4BA5B1680429673943A2F496F5@TK5EX14MBXC292.redmond.corp.microsoft.com>
Cc: "jose@ietf.org", Nat Sakimura
Subject: Re: [jose] My quest to learn how to create SubjectPublicKeyInfo values from scratch

On 11/03/15 12:22, Richard Barnes wrote:
> I have no love for ASN.1, but it's not really any more rocket science than
> other binary encodings.

That, and of course in this case if SPKI is used, there is no decoding requirement at all. It's decoding complex structures (like certs) that's the real PITA with ASN.1 defined things in my experience, esp when you get errors in hard-to-handle bits of code generated by compilers. None of that is at all relevant here.

S.

PS: Interesting that both of our hacky bits of JS code are almost identical even though mine has nothing to do with JOSE:-)

From nobody Wed Mar 11 06:49:11 2015
In-Reply-To: <54FEB612.7030707@connect2id.com>
References: <66855374-D565-4E65-8978-36AE2F539FBD@cisco.com> <4E1F6AAD24975D4BA5B1680429673943A2E82259@TK5EX14MBXC292.redmond.corp.microsoft.com> <54FEB612.7030707@connect2id.com>
Date: Wed, 11 Mar 2015 22:49:06 +0900
From: Nat Sakimura
To: Vladimir Dzhuvinov
Cc: "jose@ietf.org"
Subject: Re: [jose] COSE: what would change?

We have something similar as well...

2015-03-10 18:14 GMT+09:00 Vladimir Dzhuvinov <vladimir@connect2id.com>:

> Arrays would be good. Perhaps even bit fields?
>
> We recently had a use case where we had to constrain the size of JWTs
> and we successfully compressed an array of various constant claims into
> a base64 encoded bit field, giving us significant space saving.
>
> Vladimir
>
> On 6.03.2015 21:43, Mike Jones wrote:
> > Thanks for writing this, Joe. I know that people from the IoT and other communities are already itching for a CBOR JOSE encoding and we'll do everyone a service by providing one in a timely fashion.
> >
> > I think your proposal to set a high, well-understood and agreed upon bar for any changes to the decisions made in JOSE is the key to having this complete in a reasonable period of time. In my view, if we open most decisions to be re-debated, our timeline is far more likely to look like the JOSE timeline (in which we had the WOES BoF in July 2011 and are only nearing having RFCs now over 3.5 years later) than the quick turnaround achievable by building on past work that I think we would all like.
> >
> > Getting down to specifics, looking at the two COSE submissions to date, https://tools.ietf.org/html/draft-bormann-jose-cose-00 and http://tools.ietf.org/html/draft-schaad-cose-00, I think Carsten's submission is more effective at leveraging our existing decisions than Jim's does so I'd personally want to use that as a starting point, but there are some things I find valuable in Jim's draft as well. For instance, I think that we should consider using arrays rather than maps at the top level, as Jim suggests, as it may keep the code simpler and the representations more compact. I'll note that this is actually parallel to the JOSE Compact Serializations, which used data structures with fixed numbers of elements in fixed positions at the top level, rather than JSON objects, as was done in the JSON Serializations.
> >
> > I'll also add that I personally think we should only define one serialization for the CBOR encoding. I would justify this departure from JOSE as being in the name of "keeping simple things simple" - something I think should also be part of our criteria when making our decisions. (If people do need a URL-safe representation of a COSE object, it would be fine for them to base64url encode the whole thing, for transmission purposes - a suggestion that Joe made to me in person in Honolulu.)
> >
> > Anyway, I'm glad to see this discussion and look forward to us hopefully completing a COSE standard within a year from now!
> >
> > -- Mike
> >
> > -----Original Message-----
> > From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Joe Hildebrand (jhildebr)
> > Sent: Friday, March 06, 2015 11:19 AM
> > To: jose@ietf.org
> > Subject: [jose] COSE: what would change?
> >
> > In talking with several folks about COSE, it appears that there are differing views on how much to change in the JOSE/COSE translation. I would like to explore the points of agreement and disagreement a little.
> >
> > It seems like most people agree that maintaining signature compatibility is a non-goal; I agree that is the only way for us to have a chance at success.
> >
> > I think we're also likely to get agreement that we should do our best to use CBOR idioms in COSE (such as mixed-type keys for maps) once they are explained to the group in enough detail for everyone to understand the proposals.
> >
> > Finally, I think one of the reasons people are interested in COSE is a chance to optimize for a different set of use cases than we had for JOSE.
> >
> > The main source of disagreement seems to be what we would change in COSE of the things some might have wanted to done differently in JOSE. I'm sympathetic to both the group that wants to crank something out quickly without re-litigating the past, as well as to the group that wants to re-optimize as many things as possible given the removal of the pressure of existing codebases that we had with JOSE.
> >
> > An approach that might work for this would be to set a bar for changes along the lines of "significant improvement in security, performance (wire size, code size, CPU, power, etc.), or deployability" would be required to justify a change. To see if that approach would work, it would be nice to see a list of things that folks would want to change, and to get early agreement on a couple of those changes as being above the bar that we set, so that we have some precedent to reason from.
> >
> > To that end, I propose that those that want changes produce a list, perhaps annotated with whether the change is seen as imperative or merely nice-to-have. The folks that want a quick outcome would then select several changes they see as being definitely above the line. My hope is that this exercise would build trust that we all want something similar: a high quality protocol standardized in as short a time as possible.
>
> --
> Vladimir Dzhuvinov :: vladimir@connect2id.com
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
From nobody Wed Mar 11 07:13:11 2015
Message-ID: <55004D6B.2080903@tzi.org>
Date: Wed, 11 Mar 2015 15:12:59 +0100
From: Carsten Bormann
To: Nat Sakimura
References: <66855374-D565-4E65-8978-36AE2F539FBD@cisco.com> <4E1F6AAD24975D4BA5B1680429673943A2E82259@TK5EX14MBXC292.redmond.corp.microsoft.com> <54FEB612.7030707@connect2id.com>
Cc: "jose@ietf.org", Vladimir Dzhuvinov
Subject: Re: [jose] COSE: what would change?

Nat Sakimura wrote:
> We have something similar as well...
>
> 2015-03-10 18:14 GMT+09:00 Vladimir Dzhuvinov:
>
> Arrays would be good. Perhaps even bit fields?

Do you guys have some examples that we could look at?

(CDDL just got support for bit fields, by the way; the current draft only has it for byte strings, the tool already also supports specifying them for uints.)

Grüße, Carsten

From nobody Wed Mar 11 09:23:47 2015
Message-ID: <55006C02.5060404@connect2id.com>
Date: Wed, 11 Mar 2015 18:23:30 +0200
From: Vladimir Dzhuvinov
Organization: Connect2id Ltd.
To: Carsten Bormann, Nat Sakimura
References: <66855374-D565-4E65-8978-36AE2F539FBD@cisco.com> <4E1F6AAD24975D4BA5B1680429673943A2E82259@TK5EX14MBXC292.redmond.corp.microsoft.com> <54FEB612.7030707@connect2id.com> <55004D6B.2080903@tzi.org>
In-Reply-To: <55004D6B.2080903@tzi.org>
Cc: "jose@ietf.org"
Subject: Re: [jose] COSE: what would change?

This is the class that we use to compress JSON string arrays:

https://gist.github.com/anonymous/ee61ff43d3fe76d8d7e0

For example the array

["apple","pear","orange","mango","fig"]

to

["!Jg"]

For that you would need a compression table like this:

0 : apple
1 : pear
2 : orange
3 : mango
4 : fig
5 : ...

where the most frequent words should be at the top, and rarely used words at the bottom.

Cheers,

Vladimir

On 11.03.2015 16:12, Carsten Bormann wrote:
> Nat Sakimura wrote:
>> We have something similar as well...
>>
>> 2015-03-10 18:14 GMT+09:00 Vladimir Dzhuvinov:
>>
>> Arrays would be good. Perhaps even bit fields?
> Do you guys have some examples that we could look at?
>
> (CDDL just got support for bit fields, by the way; the current draft
> only has it for byte strings, the tool already also supports specifying
> them for uints.)
>
> Grüße, Carsten

--
Vladimir Dzhuvinov :: vladimir@connect2id.com

From nobody Wed Mar 11 09:38:51 2015
Message-ID: <55006F95.5090807@connect2id.com>
Date: Wed, 11 Mar 2015 18:38:45 +0200
From: Vladimir Dzhuvinov
Organization: Connect2id Ltd.
To: jose@ietf.org
References: <54F8466B.8060007@fh-koeln.de>
In-Reply-To: <54F8466B.8060007@fh-koeln.de>
Subject: Re: [jose] Java-based JOSE implementation

Thanks for sharing this.

I see that you support JSON and compact serialisation, but what is flattened serialisation?

Thanks,

Vladimir

On 5.03.2015 14:04, Prof. Dr.-Ing. Luigi Lo Iacono wrote:
> Dear all,
>
> we developed an own JOSE implementation in Java, mainly because we
> missed the JSON serialisation in almost all of the available libs. You
> can grasp it here:
>
> http://jw-asterisk.realsoasecurity.de/
>
> We are still doing some polishing, that is why the sources are still
> lacking. Stay tuned, though, updates will follow soon...
>
> The documentation and especially the unit tests should help in taking
> the first steps.
>
> Let us know what you think about it...
>
> BR, Luigi.

--
Vladimir Dzhuvinov :: vladimir@connect2id.com

From nobody Wed Mar 11 09:47:46 2015
From: Mike Jones
To: Carl Wallace, Stephen Farrell
Cc: Nat Sakimura, "jose@ietf.org"
Date: Wed, 11 Mar 2015 16:46:48 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943A2F4A754@TK5EX14MBXC292.redmond.corp.microsoft.com>
X-MS-Has-Attach: yes
Subject: Re: [jose] My quest to learn how to create SubjectPublicKeyInfo values from scratch
ZXIgdmFsdWUgd2l0aCB0aGUgaGlnaCBiaXQgc2V0LCB3aGljaCBpcyB0aGUgY2FzZSBmb3IgUlNB IGtleXMgYmVpbmcgZW5jb2RlZCBoZXJlLg0KDQpUaGlzIGlzbuKAmXQgYSBsZWFkaW5nIHplcm8g b2YgYW4gaW50ZWdlciDigJMgaXTigJlzIGEgemVybyBpbiB0aGUgZmlyc3QgYnl0ZSBvZiB0aGUg Yml0IGZpZWxkIHRoYXQgaG9sZHMgdGhlIGtleSB2YWx1ZSwgd2hpY2ggaXMgZm9sbG93ZWQgYnkg dHdvIEFTTi4xLWVuY29kZWQgaW50ZWdlcnMgZm9yIHRoZSBtb2R1bHVzIGFuZCBleHBvbmVudC4g IERvZXMgYW55b25lIGtub3cgd2h5IHRoaXMgemVybyBpcyBoZXJlPyAgQW5kIHdoZXRoZXIgaXQg aXMgYWx3YXlzIHRoZXJlPw0KDQoNCj4gwrcgICAgICAgIElzIHRoZXJlIGFsd2F5cyBhIGxlYWRp bmcgemVybyBieXRlIGluIHRoZSBSU0EgbW9kdWx1cyBvciBpZiBub3QsIHdoZW4gaXMgaXQgcHJl c2VudCBhbmQgYWJzZW50Pw0KDQo+IFNlZSBhYm92ZSwgZXhjZXB0IGluIHRoaXMgY2FzZSB0aGUg aGlnaCBiaXQgaXMgbm90IHNldCBzbyBubyBsZWFkaW5nIHplcm8uDQoNCkFzIEkgc3VybWlzZWQg 4oCTIHRoYW5rcy4NCg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgLS0gTWlrZQ0KDQo= --_000_4E1F6AAD24975D4BA5B1680429673943A2F4A754TK5EX14MBXC292r_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTQgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 Q2FsaWJyaTsNCglwYW5vc2UtMToyIDE1IDUgMiAyIDIgNCAzIDIgNDt9DQpAZm9udC1mYWNlDQoJ e2ZvbnQtZmFtaWx5OlRhaG9tYTsNCglwYW5vc2UtMToyIDExIDYgNCAzIDUgNCA0IDIgNDt9DQpA Zm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OkNvbnNvbGFzOw0KCXBhbm9zZS0xOjIgMTEgNiA5IDIg MiA0IDMgMiA0O30NCi8qIFN0eWxlIERlZmluaXRpb25zICovDQpwLk1zb05vcm1hbCwgbGkuTXNv 
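The two zero bytes the message distinguishes, shown on a constructed key (an added example, not part of the original post; the function names and the sample moduli are illustrative and the moduli are not usable keys). In DER, the first content octet of a BIT STRING is the count of unused trailing bits, and an INTEGER gets a 0x00 pad only when its top bit is set.

```python
"""DER layout of an RSA SubjectPublicKeyInfo, built and re-parsed by hand."""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
N_HIGH_BIT_SET = (1 << 1023) | 1    # constructed 1024-bit value, top bit set
N_HIGH_BIT_CLEAR = (1 << 1022) | 1  # constructed 1023-bit value, top bit clear
E = 65537


def der_len(n):
    """DER definite length: short form below 128, otherwise 0x80|count + bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value):
    """Non-negative INTEGER. The encoding is two's complement, so a value whose
    top bit is set needs a 0x00 pad to stay positive; otherwise no pad."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(0x02, body)


def build_spki(n, e):
    rsa_public_key = tlv(0x30, der_integer(n) + der_integer(e))
    alg_id = tlv(0x30, tlv(0x06, RSA_ENCRYPTION_OID) + tlv(0x05, b""))
    # BIT STRING content = one "unused bits" octet + payload. The payload is a
    # DER SEQUENCE (whole bytes), so the count is always 0 for an RSA key.
    bit_string = tlv(0x03, b"\x00" + rsa_public_key)
    return tlv(0x30, alg_id + bit_string)


def read_tlv(buf, off, want_tag):
    """Return (content_start, content_end) of the TLV at off; strict DER only."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    if buf[off] != want_tag:
        raise ValueError(f"expected tag {want_tag:#04x}, got {buf[off]:#04x}")
    first, pos = buf[off + 1], off + 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length encoding")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return pos, pos + length


def describe_spki(spki):
    """Locate the BIT STRING unused-bits octet and the INTEGER pads."""
    start, end = read_tlv(spki, 0, 0x30)               # SubjectPublicKeyInfo
    if end != len(spki):
        raise ValueError("trailing data after SubjectPublicKeyInfo")
    _, alg_end = read_tlv(spki, start, 0x30)           # AlgorithmIdentifier
    bs_start, bs_end = read_tlv(spki, alg_end, 0x03)   # subjectPublicKey
    if bs_end != end or bs_start == bs_end:
        raise ValueError("malformed BIT STRING")
    if spki[bs_start] != 0:
        raise ValueError("RSA key payload must be a whole number of bytes")
    k_start, k_end = read_tlv(spki, bs_start + 1, 0x30)  # RSAPublicKey
    n_start, n_end = read_tlv(spki, k_start, 0x02)       # modulus
    e_start, e_end = read_tlv(spki, n_end, 0x02)         # publicExponent
    if n_start == n_end or e_start == e_end or e_end != k_end or k_end != bs_end:
        raise ValueError("malformed RSAPublicKey")
    return {
        "unused_bits_offset": bs_start,       # 0-based offset in the SPKI
        "unused_bits": spki[bs_start],
        "modulus_pad": spki[n_start] == 0,
        "exponent_pad": spki[e_start] == 0,
        "n": int.from_bytes(spki[n_start:n_end], "big"),
        "e": int.from_bytes(spki[e_start:e_end], "big"),
    }


if __name__ == "__main__":
    for label, n in (("top bit set", N_HIGH_BIT_SET), ("top bit clear", N_HIGH_BIT_CLEAR)):
        info = describe_spki(build_spki(n, E))
        print(label, {k: v for k, v in info.items() if k not in ("n", "e")})
```

For both sample moduli the unused-bits octet sits at offset 21, that is, the 22nd byte of the structure, and it stays 0x00 whether or not the modulus itself carries a pad byte.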
Content-Disposition: attachment; filename="RFC 7520 Appendix A.docx"; size=16226; creation-date="Tue, 10 Mar 2015 23:32:47 GMT"; modification-date="Tue, 10 Mar 2015 23:50:37 GMT"
Content-Disposition: attachment; filename="RFC 7250 Appendix A.docx"; size=16226; creation-date="Tue, 10 Mar 2015 23:32:47 GMT"; modification-date="Tue, 10 Mar 2015 23:50:37 GMT"
U+EzQc7ZQl539j6MN8860EarGbHA+HN+pZqpLhF/HsiS8er5uYCG0/wcC2W+w+xe4D3K7gkyYMOs tcKrvOlFLzn6G08T0Bp7hCWEBgdk7TVGhSHcmEwEda7WvlMffrmgU0as1q+yJRLVHphG2Id5W2z2 +uVa8+T5qgISm/MrqfKggUUClfddaCEJ2ZDOQeL+eco/QHsrIOZ5h6Fb5FTI020sqWGbIM6WEROB H14Rge0rRm4TWcGPEy6WYCQhoYkce2uA/L/Iq8MDLi+HnCJZ8+Qk55r8bM4097FPmmeSRlbA1E+3 U5KUx8uTAWnXmuZd6SzaBuv5fC3wVJqFOkmzsheDMgA5iQSLmbhmxtEqNX2S7UMu6YJcpHbgO+Qj W8bED8nkbHx4DMlt5p/SkBEwYRt3G0iL1nbRkrpOs/tW5smbJ+ftVY5Hc0hxPI3AC3L9m/33SpB3 zKCy0ayyB/HbNa++bRUWPS9wBzMqFUB2NAEN1TdsNgXvJrMln5mPv3UV/TBOxITdbGPpP/39Ynh5 Njr/SHI/J+E8iA98lngYB5gl4PMJz5FKyyD/CIixIidEsnRxidzYBHP7+RTYt26wLZiIWUQFTVDH Q53RIXqxWm6YLWbhIuUWyTc2W95n3Ejer+nlXexp0AGrsp8rjVtj35Jfv+maJ0fgVg5v6DwCf36Y BSXXOjZXmTumA59q7cpmkUEF3TyZz3S/q6eb58HmeVbueCrkH3LwTsB5ZopG9kgyY2TGbkjM/p3C QAcj8YwvQunlnfjTVDDSJS6LHeHbLCZUs02uobfHC3K22Rm8jFP7X8xJVBAAYgCj0OMwBiZSJ5EA AUPSdxkCyWEi8WFMCywuEtFlwKl7oCFTHjKagavBwFngzMR3C9MapnVMG5g2MW1h2sa0g2lXS1R5 idoZEoauf7ePL/X22FSDJgfNzJ/OAviX40U4gjCHobcwoco/rJBeB+L5gqGgYrzxFUrLRm8tWRDw xdc6Sw7amDf19QGbV1i97XDbasHvvb0+mwqmXM5F78EKQ5d1rD1i3nS9Nb7SHfc88zK0sN0dD91t YTNdLWYyJvzM05+eJGZmS/fZa+izR+g0c91l09rshbRZSUNf2Y41Kg2RTkumjc7emtBVOk6zwV6l JOEVR0U3KlQeJ1snUUE450sBH68tQWS6mKJ9a2bpGqo0L7wQL5R2Ke/vbuja5o7bidqPxrkDb8pO rGtyeWN2IsQ+1vpMmxmrYVpnSXF630MxpLdkZZQym7ZGAWE8AAaL0MbQTvyrIGfBcAbaQ/BUnoWp temr6LDSZp8eSXipBwU3XLOypFmMJHR07OXNCZtZWzODtF/8Qn7x44XN0h33GnyOMqZybovIoJTj asfD2Do/pExrviXHo0x9HvI7YHqa9Ds8jGd2uhJAECCH1GYyrWPI3MbzXQiMmTdtPOM25LFV11DT UMsf1VFLPWx7yo0QmAP5RULKlNAxEV62J4/tmkwZQrClwus4XuNgTgsBV/c01DTUykINJtpKqDXV yIxiL4RXDY9rK7Br4XmAF+SvIyhbjoaahlpZqMFsbgk1BakuMlYHU4rga2PqKsAplYrq1UFl6tga ahpqZaEGjwxIqFHFZ6giG0pFojWmwGfieQ/z2EqZqlRDra+hVhZqXQU1ptgLIcUUjBSwkM/UJIgm nm9gTjXDpmVqVtNQKws1y1SshgByMK0hpLp43LSlZaZYrYuqs9GSZyw877U01DTUSkPNUlBDf7OD StNDSLWUNYawc9BKq6Fb0FVQw/OUaqhpqJWGWg2hpjgsAxnymYmwa6Ld1saUIZPZeL5Rl9wGdtta 7F3PHdnluSNPDeFadYSa60jodKlMHTyuK8BhaiG8VNgWRgiKPE5NQ02zWmlWayDU6qgQVeSshQ5B 
B1Wqi+rSUSkCTo0iePhtvaGhpqFWGmpNZaspywxBRpU1hsdNVJR1BFYbOU/5nmpcAdSuVqB6DDRb P/JrA1NWC6GmOMz0pHJUwdsGwquJTAbmP5w39aQIPQPpGZfQ3zp0v+PPqOjnHV6FmJV0TWCCJjwE pzVurnG3r4tRpalFVhvVqolBjjuKs9IRja/DQzdPZdaOy1fm7BWrAd+7ROO4WKLxwxIWZBxnK3xq zi3PuVqoqiFUE1gF12WwzR9ziS2F5YHlcL+D/fZu189NcZOUCwabP2nBKi9Yu/FMBzyEeZomcxqG f4zJ+/H5gZWhSJBf1tAAe6ht7qIEezLCjmuhM+Owz5tg3j6WsH+czmFXPPhFhfZXuq35WrMB/Rbt hs4NNMsb2hPu1++JHwQpLJUMCyLHuEJysWzyHqHx3brq3YC2b5a0M4Rxd311y9RLZBdDHNrNKZri vp3rvt48OyMmP3teDFtpkjMWTpMZKNpj3IUgkhsKa96soKGlFr9+UqpxU0HcAHWY8A/Lpbyzmt0e HIyHf/k0PB8MyX80IKoJCLXNAqm9s+oSEBoSFTc2AAFqtw0CmECOgDM/f/hpOJiQ0fHwfDI6GQ0v yV9pkDLynUVqpNMwiWXVm40useTf95pKqkklkj2yl6KS/NPFx8GY/AEmUoqYwmZ9YqlNV9xto5Iw gelC6lV7Z2YwOf90dqZJo5JoyClCvmdo+K+GQiWhYKk9vcA3aVgIhQ+jCRlPLkfnp3sE9mOkUZwG GD3WzkoRGqtQGAwM0mxnOPBV2hlZaAd2EOebd1WSNWrKWwHWqOXeCiGj88nwdMVLMWsNYvuJ9kwq yRtWU+0ZKT3aLMgB1sYdjLSazXpbA6SSAFk1QnMrlBBth2owaJek0sbFKjEgFDQnPIIT9IzRaswY lVKSzcO2IKR3LCeP+uGUcK/kpOx7Az4xc5ILkc9y6xsmvNqdQV3OB7x/4ls0HX+GLxd9w6rVGiZO HITjJgxQyMdmF71o+mcqS0x4BOcbKouQiyPcfrR5kvD57eeAeSvfzhh1GUxRbIOvBQV5nMNk1+Lj NE3wY3Y5hwfSN4vVRpryJ3gXLndOhe/CN4Efsgs/cWZ9o97Cb0FkVL2PZJvY3F3iAfwkncPGzEf/ AwAA//8DAFBLAwQUAAYACAAAACEAMN1DKagGAACkGwAAFQAAAHdvcmQvdGhlbWUvdGhlbWUxLnht bOxZT2/bNhS/D9h3IHRvYyd2Ggd1itixmy1NG8Ruhx5piZbYUKJA0kl9G9rjgAHDumGHFdhth2Fb gRbYpfs02TpsHdCvsEdSksVYXpI22IqtPiQS+eP7/x4fqavX7scMHRIhKU/aXv1yzUMk8XlAk7Dt 3R72L615SCqcBJjxhLS9KZHetY3337uK11VEYoJgfSLXcduLlErXl5akD8NYXuYpSWBuzEWMFbyK cCkQ+AjoxmxpuVZbXYoxTTyU4BjI3hqPqU/QUJP0NnLiPQaviZJ6wGdioEkTZ4XBBgd1jZBT2WUC HWLW9oBPwI+G5L7yEMNSwUTbq5mft7RxdQmvZ4uYWrC2tK5vftm6bEFwsGx4inBUMK33G60rWwV9 A2BqHtfr9bq9ekHPALDvg6ZWljLNRn+t3slplkD2cZ52t9asNVx8if7KnMytTqfTbGWyWKIGZB8b c/i12mpjc9nBG5DFN+fwjc5mt7vq4A3I4lfn8P0rrdWGizegiNHkYA6tHdrvZ9QLyJiz7Ur4GsDX ahl8hoJoKKJLsxjzRC2KtRjf46IPAA1kWNEEqWlKxtiHKO7ieCQo1gzwOsGlGTvky7khzQtJX9BU tb0PUwwZMaP36vn3r54/RccPnh0/+On44cPjBz9aQs6qbZyE5VUvv/3sz8cfoz+efvPy0RfVeFnG 
//rDJ7/8/Hk1ENJnJs6LL5/89uzJi68+/f27RxXwTYFHZfiQxkSim+QI7fMYFDNWcSUnI3G+FcMI 0/KKzSSUOMGaSwX9nooc9M0pZpl3HDk6xLXgHQHlowp4fXLPEXgQiYmiFZx3otgB7nLOOlxUWmFH 8yqZeThJwmrmYlLG7WN8WMW7ixPHv71JCnUzD0tH8W5EHDH3GE4UDklCFNJz/ICQCu3uUurYdZf6 gks+VuguRR1MK00ypCMnmmaLtmkMfplW6Qz+dmyzewd1OKvSeoscukjICswqhB8S5pjxOp4oHFeR HOKYlQ1+A6uoSsjBVPhlXE8q8HRIGEe9gEhZteaWAH1LTt/BULEq3b7LprGLFIoeVNG8gTkvI7f4 QTfCcVqFHdAkKmM/kAcQohjtcVUF3+Vuhuh38ANOFrr7DiWOu0+vBrdp6Ig0CxA9MxEVvrxOuBO/ gykbY2JKDRR1p1bHNPm7ws0oVG7L4eIKN5TKF18/rpD7bS3Zm7B7VeXM9olCvQh3sjx3uQjo21+d t/Ak2SOQEPNb1Lvi/K44e//54rwony++JM+qMBRo3YvYRtu03fHCrntMGRuoKSM3pGm8Jew9QR8G 9Tpz4iTFKSyN4FFnMjBwcKHAZg0SXH1EVTSIcApNe93TREKZkQ4lSrmEw6IZrqSt8dD4K3vUbOpD iK0cEqtdHtjhFT2cnzUKMkaq0Bxoc0YrmsBZma1cyYiCbq/DrK6FOjO3uhHNFEWHW6GyNrE5lIPJ C9VgsLAmNDUIWiGw8iqc+TVrOOxgRgJtd+uj3C3GCxfpIhnhgGQ+0nrP+6hunJTHypwiWg8bDPrg eIrVStxamuwbcDuLk8rsGgvY5d57Ey/lETzzElA7mY4sKScnS9BR22s1l5se8nHa9sZwTobHOAWv S91HYhbCZZOvhA37U5PZZPnMm61cMTcJ6nD1Ye0+p7BTB1Ih1RaWkQ0NM5WFAEs0Jyv/chPMelEK VFSjs0mxsgbB8K9JAXZ0XUvGY+KrsrNLI9p29jUrpXyiiBhEwREasYnYx+B+HaqgT0AlXHeYiqBf 4G5OW9tMucU5S7ryjZjB2XHM0ghn5VanaJ7JFm4KUiGDeSuJB7pVym6UO78qJuUvSJVyGP/PVNH7 Cdw+rATaAz5cDQuMdKa0PS5UxKEKpRH1+wIaB1M7IFrgfhemIajggtr8F+RQ/7c5Z2mYtIZDpNqn IRIU9iMVCUL2oCyZ6DuFWD3buyxJlhEyEVUSV6ZW7BE5JGyoa+Cq3ts9FEGom2qSlQGDOxl/7nuW QaNQNznlfHMqWbH32hz4pzsfm8yglFuHTUOT278QsWgPZruqXW+W53tvWRE9MWuzGnlWALPSVtDK 0v41RTjnVmsr1pzGy81cOPDivMYwWDREKdwhIf0H9j8qfGa/dugNdcj3obYi+HihiUHYQFRfso0H 0gXSDo6gcbKDNpg0KWvarHXSVss36wvudAu+J4ytJTuLv89p7KI5c9k5uXiRxs4s7Njaji00NXj2 ZIrC0Dg/yBjHmM9k5S9ZfHQPHL0F3wwmTEkTTPCdSmDooQcmDyD5LUezdOMvAAAA//8DAFBLAwQU AAYACAAAACEAX5ARw3EDAADLCAAAEQAAAHdvcmQvc2V0dGluZ3MueG1stFbbbts4EH1fYP9B0PM6 kmwnaYU4xdZZ76aI26JKP4CSaJsIbxhSVtyv75AUoxpxg6DF+sXknLnfqKt3j4InewqGKblIi7M8 TahsVMvkdpF+vV9N3qSJsUS2hCtJF+mBmvTd9Z9/XPWlodYim0lQhTSlaBbpzlpdZplpdlQQc6Y0 lQhuFAhi8QrbTBB46PSkUUITy2rGmT1k0zy/SAc1apF2IMtBxUSwBpRRG+tESrXZsIYOf1ECXmM3 
SN6ophNUWm8xA8rRByXNjmkTtYlf1YYh7qKS/UtB7AWPfH2Rv8Q5hNsraJ8kXuOeE9CgGmoMFkjw EK4gTD6pKebPFD2l+gxTnQXbmVOF4kXuT6Pnhj+TP1HtUMU7VgOBUGZsAOeFaMrbrVRAao5N1Rfz 9Bo76ptSIulLTaHBImE7TvM0c0BLN6Tj9p7UlVUaWfYE7V9GuNkRII2lUGnSYMRLJS0oHvla9VHZ JXYcYEKCwtB/TnU4VaGXUUISgR4F6tCfa9XSFKEO2LOgf5o0J+C9xNh8DKcNKZw9YC3F0Dit7IHT FTpfsW/0b9l+6Ixl2PG+S3/Dg5ccoNJZ/oSTen/QdEWJ7TBN/5MxX4kVZ3rNABTcyhbr/LvGslhE V05cZK2Jhy9K2ViGHH+Xb5azkAvH9ipkOl1eFidlprPl29UpZHaB0D+nkMt5cXM+tMOxB29X8/y9 t4PRDDGI0q2Uz3B9FU6uMRIRmmpJRA2MJGu3dLC9RFnDw3smI15TXLr0R6Tq6ghOJgEwgnC+wsmJ gJ82UbbM6Bu68Wr5msB21DtwwEkqTumHJ11ugin8C6rTwVoPRIeCR3PFfD7oY9LeMRHppqurKCVx cfwAdbL9tAenMBvT05cW3xs/OHdEbmNdqZx8rRwr9geHyr1JdE20xgWBLPW2WKScbXe2cM1u8dbi 2+Qv9XY6YFOP4c1h/kIaFxlyDwfHEI7INRxG2izSZiMNN2/gm4+080g7H2kXkYZvY1/ucDqBM/mA KygeHX2jOFc9bf+LxEX6jBSSYHZEU6yr26Q4Iqr0hGG1mmRf0kfcubRlFp98zVpBHnEF59MLJz5w c3JQnT3idZhj1kfUpCWWoLgv1ZEwlg6/HY59cRu+YdiO1UHU4+I+C45zZmxFNe54qwBD9mv1L695 /Aq5/g4AAP//AwBQSwMEFAAGAAgAAAAhAHMObQeCAQAAUAMAABQAAAB3b3JkL3dlYlNldHRpbmdz LnhtbJRTy27CMBC8V+o/RL6DE4pQiQhICFFVqqqqjw9wHIdYtb2WbZLC13dJePVxgJPXuzPj3Z1k MvvSKqqF8xJMRpJ+TCJhOBTSrDLy8b7s3ZPIB2YKpsCIjGyEJ7Pp7c2kSRuRv4kQEOkjVDE+1Twj VQg2pdTzSmjm+2CFwWIJTrOAV7eimrnPte1x0JYFmUslw4YO4nhE9jLuEhUoS8nFAvhaCxNaPnVC oSIYX0nrD2rNJWoNuMI64MJ7nEerTk8zaY4yyfCPkJbcgYcy9HEY2nVEd1JIT+I20opEmqePKwOO 5Qo32CRDMsX1FbL2+zNqUllkZDyOk7vhOBm19RyKzULWWKuZQmsI3aFxeU+iDMfsID7mX+Wq+rfw DvaAP6HnEALoX3nsaV643TvhxDFoPEGg32YEPw8MLOM4SBtzUIB+sXWArhF11t11zPxHR9dx3fns 11Bpa0Q7dBdOJ93ZegM2SC23Yglu7qDxwrUmMKWgeXl+wAuCz/6D6TcAAAD//wMAUEsDBBQABgAI AAAAIQA98saZ9gkAAFlJAAAaAAAAd29yZC9zdHlsZXNXaXRoRWZmZWN0cy54bWzcXFtT47gSfj9V 5z+4/M6QGwmhNrPFMMsOVcwsO0Dts+MoxIVt+dgOGebXb6slK45txS1s5uHMwySRpf76pq8VUPPb 7z+i0HlhaRbweOEOPwxch8U+XwXx08J9fLg+OXedLPfilRfymC3cV5a5v3/8739+211k+WvIMgcE xNnFLvEX7ibPk4vT08zfsMjLPkSBn/KMr/MPPo9O+Xod+Ox0x9PV6WgwHOC7JOU+yzJAu/LiFy9z lbioLo0nLAasNU8jL88+8PTpNPLS521yAtITLw+WQRjkryB7MC3E8IW7TeMLpdCJVkgsuZAKqZdi 
RVqzogFXrvzM/W3E4hwRT1MWgg48zjZBsjfjrdLAxE2h0ssxI16isJi3S4aTGp42mRKDz6m3g1Ds BdbENThjJRdFofSDiO8+qlWJw8ExY1REhAitA0WFQ8xCk8gLYi3mba4pOxf2Q5f8/jPl20SrkwTd pN3Ez1qW2JYWmg2muPPKpmVWAmpb937jJcx1Iv/i5inmqbcMQaPdcOKIjHQ/AlWsuP+Zrb1tmGfi Y3qXqo/qE75c8zjPnN2Fl/lB8AAUAlKiAAR+uYyzwIUnzMvyyyzwGh9uxKzGJ36Wl6R9ClaBeyoQ s58g88ULF+5oVIxcCQ0OxkIvfirGWHzyeF/WZOHqoSXIXbheenJ/KYSdopnFa8nc5MB4+ISqJJ4P Ow9wvHXOgISAxQROGIjojmbAaPLD961wrrfNuQJBAQBWFgsfKx4HbgKmupeMDU/Z+pb7z2x1n8OD hYtYMPh4c5cGPAUaXbjzucCEwXsWBV+C1YqJAqHGHuNNsGL/bFj8mLHVfvzva6RnJdHn2zgH9acz zIIwW/3xw2eJoEkQHXsiwt/EAuAwCEcJBxXaBntt5EAFFQf/V0AOZQwbUTbMEyXNQf2PAqHV285A I2FR2QCUa6XruLuISXcRZ91FYPJ288WsuxZwkOkaEZkbpaykBzXnvky+sh/G8yMpK1bUsqh1RS1p WlfUcqR1RS0lWlfUMqB1RS3grStq8W1dUQvn0RW+h8RVzaIxeoO0sR+CPIQ62cJ0w45Up0qNc+el 3lPqJRtHFNaq2sfI8n67zGmqIp2+nSzv85SL42aLR6A6i637Zk7+I0o2XhbAqbwNqKPrH8TRx/kz DeD42gJ1JpOvZhMeTBpL2F3o+WzDwxVLnQf2Q0bUYv037tzLU0arch3Dehs8bXIHToWi5LaCTQ1O N3tCyr8NMvTB0Wo+NZjSJpwUw6khL83Cv7JVsI0K1xBOI1PJ5xZhrkCgisddNBEhqu+uVitEACgm yHJhbwLKJ+gvi4u9fBFjiv6yFL1RPkF/WbjeKB/z43h8rZnmM/xYxSFtr5n13r3iIU/X27DYA630 MLPewRqCZoL1JtbySSQxs97BB/TpXPo+fHOj5Kl1LPY8aoFiHQ6JgpuNbot1UCq0N7SwyDpAFayR BVY3rrUAsibd7+wlED8Eti0GyNL6rNm6nccGD0AJIp2h/97yvP0MPTJwHhXlJoYfl2TMoaGNDTuP iqbySdY7ixh3K3wWQN0qoAVQt1JoAWTID/OZR9dEOkj34miBZU3Luoph2pGZeWbNzBrIrgT0VDcJ 5y/D7jXnQr1uElCsA1SvmwQU6+hUapmumwSs3uomActQNcwxKnOqjVHWdbMMpE8CBIv6IW8CUD/k TQDqh7wJQN3Jux2kP/ImYFlzg+bUMnkTgHCKzVd9DVQmbwKQNTdItlM/MyrqHko5/uW2B/ImoFgH qE7eBBTr6JjIm4CFU2wyoYKlqY6A1Q95E4D6IW8CUD/kTQDqh7wJQP2QNwGoO3m3g/RH3gQsa27Q nFombwKQNT1ooDJ5E4Bwig03NJI37vp3J28CinWA6uRNQLGOToVQ9SGVgGUdoAqWJm8CFk6xSQaF hcltY1Q/5E2wqB/yJgD1Q94EoH7ImwDUnbzbQfojbwKWNTdoTi2TNwHImh40UJm8CUDW3NBI3rgZ 3528CSjWAaqTNwHFOjoVQtU8R8CyDlAFS5M3AQvzpTN5E4BwyluBbCzqh7wJFvVD3gSgfsibANSd vNtB+iNvApY1N2hOLZM3AciaHjRQmbwJQNbc0EjeuEfenbwJKNYBqpM3AcU6OhVC1eRNwLIOUAVL Ux0Bqx/yJgBhYnYmbwIQTnkDEO4imzD1Q94Ei/ohbwJQd/JuB+mPvAlY1tygObVM3gQga3rQQGXy 
JgBZc4O4Zwv3RcnXU4eGJKDeMyhuNZABR4YgUQGVgd/ZmqXQVcjab4d0BCwstEA0pAfVxE+cPzu0 i91jQ4KQoYJlGHC80v2Kt3RKjQjj2ZFOgoe/rpwvsgGmtg5T6vDmDXQPlduFsD1JNA6BnvlrAi07 SXGzXEiDBiHR16VagLAn9AYaglRbj1gs+nxgIjZVqWH8va1ChfeAiAtboLRwZcwIu4rK4os2H9XO tfSgOekv0WtUA4fGqudivBB3tfFS6cZ9k0YxR3Vq7HWG9q4M7o8q0QP4Nzu/GsvltaauJYO2VfDc UHZ1yY+X0MSVyRvZynuq90vNwk/1SbIlDH/vJd6qhrD8VjTHSXi+zcWT25ewUA9v+8smMeFj6L/D l4OOu4V7xbdpALfLv7GdiGzRbbdwH4IIGn1h2PnOIw+viGG3XW2JD52EZSkY56X8/yrD11LT3USq m/0sNd3hGGiKKprzwodQeT50yh1JQdUIoe+mYRtENSEN3RKoaj0LVNfE/mwt5x3c3YUhs9656BA4 ojN2EBzdOw5OkZ6rKwhNe9LLupeuWUPYystQZgG8uYlFIu9U157c5KsfnhQFz69YGH71MGdynpin hmydy6fDAZ6MKqKWPM95ZF6fYuMAatIkANxaVkZ+FEaY/R1voyVLVRuCkarEiaLGJdAvgePSgZpr QXskE6qnzbod5LC/zcA12KBZpdIDeqrmr3rojJw9e1Vor3EfoFVNJGjMLPnATHr/Z6SyLzZQ81Lh qVqGfNFP0Jtkt3fZtq3+98UF+yJJRVm6vlYhLQbFX1sAEgKdITdbePag1O9d8vD19i4VNQ3+TkHO VnXPwATnYEaTh8qHgYNUrIjfZ/b7eE6Va+Bm7E6H18JVgtAEWyccCtt8OJWeNE0Yno/VwcM0YzSb nB+XMZ5OVVk0yZicnQ+OyzibzFs0nU6GLZrOxqMWTc9HkxZNwWEtmsJJB1rbMTdM5g4H83mLrsPh HMrNcSkjULdlyng2aVN3Mj1DdUXpUdmiTnCQJOr0pk9m0PgOAuGBOIw19+3/6qPYOxy+jhWupn1c K2BVquhcyCqoMupk5mgl2PTXnJp/baieUvZaY3EcbCJu84nC5D3zKai5wnzjRa9qNV9KbayoWj2w 6pBu/qo2v54MPqlZta9qb9jFe+OKd9nHfwEAAP//AwBQSwMEFAAGAAgAAAAhAEQVyeBNAQAAgQIA ABEACAFkb2NQcm9wcy9jb3JlLnhtbCCiBAEooAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AIySUUvDMBSF3wX/Q8l7m7RlIqHtQGUP4kBwovgWkrstrElDEtft35u2s7bog4/JOffLObctlidV R0ewTja6RGlCUASaN0LqXYleN6v4FkXOMy1Y3Wgo0RkcWlbXVwU3lDcWnm1jwHoJLgok7Sg3Jdp7 byjGju9BMZcEhw7itrGK+XC0O2wYP7Ad4IyQG6zAM8E8wx0wNiMRXZCCj0jzaeseIDiGGhRo73Ca pPjH68Eq9+dAr0ycSvqzCZ0ucadswQdxdJ+cHI1t2yZt3scI+VP8vn566avGUne74oCqQnDKLTDf 
2GotDxA9hvW5Ak+uuxXWzPl12PZWgrg7z5y/1W7AwlF236rKCzw9hvf6esOjIKIQmA71vpW3/P5h s0JVRtJFTPI4JZssp3lGCfnogs3muwLDhbrE+zdxQebEb0DVJ57/NNUXAAAA//8DAFBLAwQUAAYA CAAAACEAE9yLl28JAABoRgAADwAAAHdvcmQvc3R5bGVzLnhtbNxbS3PbNhC+d6b/gcN7oqclyxMl 4zh14xnHcSJ7eqYoyOKEJFSSiu38+i4WIEWRArEw6RzaQyWCwH77wreQg3334SkKnZ8sSQMez93B 277rsNjnqyB+mLv3d5dvTl0nzbx45YU8ZnP3maXuh/d//vHu8SzNnkOWOiAgTs8if+5usmx71uul /oZFXvqWb1kML9c8ibwMHpOHXuQlP3bbNz6Ptl4WLIMwyJ57w35/4ioxCUUKX68Dn33i/i5icYbr ewkLQSKP002wTXNpjxRpjzxZbRPuszQFo6NQyou8IC7EDMY1QVHgJzzl6+wtGNOTGvWEKFg+6OO3 KHSdyD+7eoh54i1DcN7jYOy+B8+tuP+Jrb1dmKXiMblN1KN6wo9LHmep83jmpX4Q3IFLQUAUgKzP 53EauPCGeWl2ngbe0ZcbMevoGz/NStI+BqvA7QnE9BfI/OmFc3c4zEcuhAYHY6EXP+RjLH5zvyhr MneLoSXInbte8mZxLoT10Mz8s2Tu9sB4eEJVtp4PwQAcb50xSArIEYETBiIHh1PIF/nwfSf86u0y rkBQAICVxcJjxeOQK5A5C5nA8Jatr7n/g60WGbyYu4gFg/dXt0nAE0jSuTubCUwYXLAo+BysVkzs FzV2H2+CFftnw+L7lK32498uMfmVRJ/v4gzUn0wxC8J09deTz7YibUF07IkI34gFkDgQjhIOKrQL 9trIgQoqDv6bQw5kDI+ibJgndriD+jcCodW71kBDYVHZAJRrpeuovYhxexEn7UVg8rbzxbS9FsDr bSMic6OUlfSgZtyXyVf2w2jWkLJiRS2LjCtqSWNcUcsR44paShhX1DLAuKIWcOOKWnyNK2rhbFzh e0hc1SwaoTdIG/suyEIm1jcS0KAl1alS49x6ifeQeNuNIwprVe0mslzslhlNVaTTl5PlIkt4/GD0 CFRnsXVfzMl/RduNlwZwSjK4ftjS9Xfi1OP8nQQrI9SJTL6aTXgwOVrCbkPPZxserlji3LEnGVGL 9TfcWchThlG5lmG9Dh42mbPYYMk1gk00Ttd7Qsq/DlL0QeNmmmhMMQknxXCiyUu98C9sFeyi3DWE 08hE8rlFmCsQqGKzi8YiRPXdZbRCBIBigiwX9iagfIL+srjYyxcxpugvS9EL5RP0l4XrhfIxP5rj a800n+BHq0PaXlPrvXvBQ56sd2G+B4z0MLXewQUEzQTrTVzIJ5HE1HoHH9Cnc+778MuNkqfWsdjz qAWKdTgkCm42ui3WQanQ3sDCIusAVbCGFljtuNYCyJp0v7OfgfibmG0xQJYuzprG7TzSeABKEOkM /W3HM/MZeqjhPCrKVQx/LkmZQ0MbaXYeFU3lk6x3FjFuV/gsgNpVQAugdqXQAkiTH/ozT1ET6SDt i6MFljUtF1UM047MzFNrZi6A7EpAR3WTcP7S7F59LtTrJgHFOkD1uklAsY5OpZYVdZOA1VndJGBp qoY+RmVOtTHKum6WgYqTAMGibsibANQNeROAuiFvAlB78jaDdEfeBCxrbig4tUzeBCCcYvNTvwAq kzcByJobJNupvxnldQ+lNP+47YC8CSjWAaqTNwHFOjo68iZg4RSbTKhgFVRHwOqGvAlA3ZA3Aagb 8iYAdUPeBKBuyJsA1J68zSDdkTcBy5obCk4tkzcByJoeCqAyeROAcIoNNxwlb9z1r07eBBTrANXJ 
m4BiHZ0KoRaHVAKWdYAqWAV5E7Bwik0yKCxMbhujuiFvgkXdkDcBqBvyJgB1Q94EoPbkbQbpjrwJ WNbcUHBqmbwJQNb0UACVyZsAZM0NR8kbN+OrkzcBxTpAdfImoFhHp0KoBc8RsKwDVMEqyJuAhfnS mrwJQDjlpUA2FnVD3gSLuiFvAlA35E0Aak/eZpDuyJuAZc0NBaeWyZsAZE0PBVCZvAlA1txwlLxx j7w6eRNQrANUJ28CinV0KoRakDcByzpAFayC6ghY3ZA3AQgTszV5E4BwyguAcBfZhKkb8iZY1A15 E4Dak7cZpDvyJmBZc0PBqWXyJgBZ00MBVCZvApA1N4h7tnBflHw9daBJAuo9g/xWAxlwqAkSFVAZ +J2tWQJNVsx8O6QlYG6hBaImPagmfuT8h0O72D3SJAgZKliGAccr3c94S6fUiDCaNnQS3H29cD7L BpjaOkypw5s30D1UbhfC9iTROAR6Zs9baNnZ5jfLhTRoEBJ9XaoFCFvkrqAhSLX1iMWizwcmYlOV GsZ/t1Wo8B0QcaEBqhCujBliV1FZfN7mo9q5lh40J30VvUY1cGis+pGP5+IuNl4i3bhv0sjnqE6N vc7Q3pXC/VElug//TU8vRnJ5ralryaApEDw3kF1d8vEcmrhSeSNbeU/1fqlZ+FSfJFvC8N+9xFfV EJZdi+Y4Cc93mXhz/TPM1cPb/rJJTPgY+u/w46Djbu5e8F0SwO3yG/YoIpt3283duyCCvkcYdr7z yMMrYthtV1vip4dDGOel/P9Fip+lpruxVDf9VWq6wzHQFFXU54UPofJ86JRrSEHVCFHcTcM2iGpC arolUNV6Fqiuif3ZWs47uLsLQ3q9M9Eh0KAzdhA07h0Hp0jP1RWEpj3p5aKX7riGsJWXocwC+HIV i0SG5lHMKrnJV0+eFAXvL1gYfvEwZzK+1U8N2TqTbwd9PBlVRC15lvFIvz7BxgHU5JgAcGtZGfko jND7O95FS5ZA51+Dz2+4OFHUuAT6JXBcOrDgWtAeyYTqab1uBzns71JwDTZoVqn0gJ6q+ateOkNn z14V2ju6D9CqYySozSz5Qk96/zNS2RcbqHmJ8FQtQz4Xb9CbZLe32bZG//vign2epKIsXV6qkOaD ousbSAh0htw08OxBqd+75O7L9W0iaho0umdsVfcMTHAOZhzzUPkwcJCKFfH7zH4dz6lyDdyM3enw mbtKEJpgji2HwjYbTKQndRMGpyN18NDNGE7Hp80yRpOJKos6GeOT036zjJPxzKDpZDwwaDodDQ2a ng7HBk3BYQZN4aQDre2YGzpzB/3ZzKDrYDCDctMsZQjqGqaMpmOTuuPJCaorSo/KFnWCgyRRp7fi ZAaN7yAQXojD2PG+/d99FHuFw1dT4Tq2j2sFrEoVrQtZBVVGncwcRoJNfs+p+feG6iFhzzUWx8Fj xK0/Uei8pz8FHa8wNzzvVa3mS6mNFVWrB1Yd0vU/1WaX4/5HNav2U+0Fu3hvXP4tff8fAAAA//8D AFBLAwQUAAYACAAAACEAyuVY+e8BAACuBQAAEgAAAHdvcmQvZm9udFRhYmxlLnhtbLST3Y7aMBCF 7yv1HSLfL3FC9odow2pFi9SbXlTbBzCOQ6z6J/IYsrx9J3bIXgAqtGqQonDGPpr5dOb55V2rZC8c SGsqks0oSYThtpZmW5Gfb+u7J5KAZ6ZmyhpRkYMA8rL8/Om5LxtrPCR430CpeUVa77syTYG3QjOY 2U4YLDbWaebxr9ummrlfu+6OW90xLzdSSX9Ic0ofyGjjrnGxTSO5+GL5Tgvjw/3UCYWO1kArOzi6 9de49dbVnbNcAODMWkU/zaSZbLLixEhL7izYxs9wmDR2lA5WeD2j4Usrkmheftsa69hGIbs+K8hy 
BJf0pWEaxRVTcuNkKHTMWBAZ1vZMVYTmdE3v8T38Cjof3iQdHHjLHAg/HaRRbpiW6nBUoZcAsdBJ z9ujvmdODg3FEsgtFnawoRX5SvHJ12sSlawiBQqvq0nJsan4ZOOZ+aRgcrCx4BOOZIvggwr6jLdC n2mMzgmJN6kFJN9Fn/ywmpkLRHL6gCTukcdAZn4TERd8A8EbiOSv0/w4yQpHeXwqjvN/EFn8mUj0 uZ7Iyu6cFG5gcoHGIxJYhHwMNIqbaGhbC2fOBKSR76I+n46zLObj5P+XBdO4JuwChyENMRVDOm7b k79Lxeme0GLKyQeJsBW4Xf+yJ+PCwPI3AAAA//8DAFBLAwQUAAYACAAAACEAIMSRJe4BAAD1AwAA EAAIAWRvY1Byb3BzL2FwcC54bWwgogQBKKAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACc U8tu2zAQvBfoPwi6x7SdxE2MNYPCQZFD2xiwkpxZamUTpUiCZIS4X9+lFMt021N12peGw5kl3L21 uujQB2XNqpxNpmWBRtpamd2qfKq+XNyURYjC1EJbg6vygKG84x8/wMZbhz4qDAVBmLAq9zG6JWNB 7rEVYUJtQ53G+lZESv2O2aZREu+tfG3RRDafThcM3yKaGusLNwKWA+Kyi/8LWluZ+IXn6uCIMIcK W6dFRP490dGT2sYW2FiFykahK9Uin91QfcxgI3YY+AzYEMCL9XXgl7efgA0hrPfCCxlJQj6fLy6B ZQX47JxWUkRSl39T0ttgm1g89joUCQBYPgKkzRblq1fxwKfA8hS+KpOoEL8hIm5e7Lxw+8CvE8Ex g60UGtekAG+EDgjsVIAHFMndjVDEGLq47FBG64ugfpG/87L4IQIm3VZlJ7wSJpJ+aWxI+li7ED2v VNSETb0h78N8LI/VVVKRZik4H0zFgQM1ztn1J4THhu4W/0F2lpPtOQxUMzpZOJ7xB+ratk6YQ+bP 2npnfe8a2fneTvr/DE+usvdpkd6FPS9my/Ci4n7rhCTL5otr8ue0FlkLtrQ9WJPPR8BTAR7IBK/T qfSv2WF9nPm7kRbteXjFfHY1mdLXb9axRusxPi/+GwAA//8DAFBLAQItABQABgAIAAAAIQAJJIeC gQEAAI4FAAATAAAAAAAAAAAAAAAAAAAAAABbQ29udGVudF9UeXBlc10ueG1sUEsBAi0AFAAGAAgA AAAhAB6RGrfzAAAATgIAAAsAAAAAAAAAAAAAAAAAugMAAF9yZWxzLy5yZWxzUEsBAi0AFAAGAAgA AAAhAGi4lTNYAQAAGQUAABwAAAAAAAAAAAAAAAAA3gYAAHdvcmQvX3JlbHMvZG9jdW1lbnQueG1s LnJlbHNQSwECLQAUAAYACAAAACEAmaMkbdwKAACUmwAAEQAAAAAAAAAAAAAAAAB4CQAAd29yZC9k b2N1bWVudC54bWxQSwECLQAUAAYACAAAACEAMN1DKagGAACkGwAAFQAAAAAAAAAAAAAAAACDFAAA d29yZC90aGVtZS90aGVtZTEueG1sUEsBAi0AFAAGAAgAAAAhAF+QEcNxAwAAywgAABEAAAAAAAAA 
--_005_4E1F6AAD24975D4BA5B1680429673943A2F4A754TK5EX14MBXC292r_--

From nobody Wed Mar 11 10:24:11 2015
Message-ID: <55007A17.9000808@gmx.net>
Date: Wed, 11 Mar 2015 18:23:35 +0100
From: Hannes Tschofenig
To: Mike Jones, Stephen Farrell
Cc: Nat Sakimura, "jose@ietf.org"
References: <4E1F6AAD24975D4BA5B1680429673943A2F496F5@TK5EX14MBXC292.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943A2F496F5@TK5EX14MBXC292.redmond.corp.microsoft.com>
Subject: Re: [jose] My quest to learn how to create SubjectPublicKeyInfo values from scratch
List-Id: Javascript Object Signing and Encryption
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="oFEiMM2Snn8ih00aG0MSVIlENXrhN8Pd9"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--oFEiMM2Snn8ih00aG0MSVIlENXrhN8Pd9
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Mike,

I did this in the context of the work on the raw public key document for
TLS.

Using an ASN.1 parser makes sense since the SubjectPublicKeyInfo is not
just a blob but an ASN.1 structure that looks different depending on
the type of key encoding (ECC vs. RSA).

My code was done as part of the TLS stack itself; it is not as usable as
a command line tool.

You referenced https://tools.ietf.org/html/rfc7250#appendix-A and this
was created by extracting the SubjectPublicKeyInfo field from a
self-signed certificate that was created with the OpenSSL tools.

Ciao
Hannes

On 03/11/2015 06:16 AM, Mike Jones wrote:
> I’ve always loved learning new things, so I decided yesterday to try to
> learn first-hand how to write code that emitted X.509
> SubjectPublicKeyInfo (SPKI) values from scratch. By “from scratch”, I
> mean using development tools without built-in X.509 or ASN.1 support.
>
> I took this on because of Stephen’s suggestion
> http://www.ietf.org/mail-archive/web/jose/current/msg04954.html that
> people could just hash the SPKI values to create a key thumbprint.
> Given I’d helped create the JSON-based hash input described in
> http://tools.ietf.org/html/draft-ietf-jose-jwk-thumbprint-03, I wanted
> to give his alternative suggestion a fair shake (and learn some new
> things along the way). This admittedly stream-of-consciousness and
> overly long message describes my expedition to date…
>
> Thus far, I’ve spent 5 hours trying to learn to do this. I spent about
> the first two hours searching for examples of creating the bytes of
> X.509 certificates or SubjectPublicKeyInfo values without using ASN.1
> and/or X.509 libraries. I failed.
>
> Next, I tried to read the authoritative reference for what’s in the SPKI
> field – the X.509 spec. Unfortunately,
> http://www.itu.int/rec/T-REC-X.509/en told me “This text was produced
> through a joint activity with ISO and IEC. According to the agreement
> with our partners, this document is only available through payment.”
> Since most developers would stop at that point, I did too.
>
> After that, I changed tacks and tried to find examples of sample
> certificates with commentary on what all the values mean – the kind of
> info developers would want when coding this. I had better luck with
> that. After about another hour of Web searching, I found this really
> useful example: http://tools.ietf.org/html/rfc7250#appendix-A. I also
> found this one:
> http://www.jensign.com/JavaScience/dotnet/JKeyNet/index.html. Going
> through them byte-by-byte enabled me to reverse engineer some of the
> ASN.1 and X.509 constructs used.
>
> Things I learned by looking at these 1024-bit RSA public key
> representations included:
>
> · ASN.1 uses byte-aligned Tag-Length-Value encodings.
>
> · The tags for SEQUENCE, OID, NULL, BIT STRING, and INTEGER are
> respectively 0x30, 0x06, 0x05, 0x03, and 0x02.
>
> · These Length values are encoded as follows:
>
>     o 159 – 0x81 0x9f
>
>     o 9 – 0x09
>
>     o 0 – 0x00
>
> · The OID 1.2.840.113549.1.1.1 is encoded in 9 bytes as 0x2a 0x86
> 0x48 0x86 0xf7 0x0d 0x01 0x01 0x01.
>
> · The OID is followed by an ASN.1 NULL - 0x05 0x00.
>
> · The RSA Key is represented as an encapsulated bit field.
>
> · There is an apparently unused zero byte (the 22nd byte of the
> SPKI field in the RFC 7250 example) as the first byte of this bit field.
>
> · The rest of the bit field contains concatenated representations
> of the modulus and the exponent as ASN.1 INTEGERs.
>
> · The 1024 bit modulus is represented in 129 bytes, with the
> first byte being zero.
>
> This brought me up to hour four. Next, I went looking for a 2048 bit
> cert to learn from (especially since JWA requires 2048+ bit RSA keys).
> I found http://fm4dd.com/openssl/certexamples.htm and chose
> 2048b-rsa-example-cert.der, from which I also learned:
>
> · These length values are encoded as follows:
>
>     o 290 – 0x82 0x01 0x22
>
>     o 257 – 0x82 0x01 0x01
>
> · From this, I deduced (possibly incorrectly :-) ) that if the high
> bit of the first length byte is 0, the remaining 7 bits represent the
> length, but if the high bit of the first length byte is 1, the remaining
> 7 bits represent the number of bytes used to represent the actual
> length. (Hence the use of 0x81 for representing values in the range
> 128-255 and the use of 0x82 for representing values in the range 256-32767.)
>
> · Length values are represented in big-endian byte order.
>
> · The 2048 bit key representation also starts with an apparently
> unused zero byte.
>
> · The 2048 bit modulus is represented by 257 bytes, with the
> first byte being zero.
>
> Things I haven’t yet learned that I’d need to know to really write this
> code:
>
> · How are the OIDs in the table at
> http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendix-A
> represented as ASN.1 OID values?
>
> · Are multiple OIDs sometimes present before the ASN.1 NULL, and
> if so, which algorithms require which sets of OIDs in what order?
>
> · Is there always the apparently unused zero byte in the key
> representation or if not, when is it present and absent?
>
> · Is there always a leading zero byte in the RSA modulus or if
> not, when is it present and absent?
>
> · How are elliptic curve keys represented?
>
> This brought me up to about the fifth hour of my investigation, and I
> decided to stop and write up my findings to date. Highlighted versions
> of the example certificate from RFC 7250 and the SPKI value from
> fm4dd.com are attached, should any of you want to follow along with my
> reverse engineering. Tags are yellow. Lengths are green. OIDs are
> purple. The apparently unused byte is red. Key values are blue.
>
> I readily admit that I could have easily missed something while
> searching. If someone can point me to self-contained descriptions of
> this information, I’d love to see them!
>
> ==== CONCLUSIONS ====
>
> 1. I think it would be a fine thing to do to write an RFC describing
> the mapping between key values and their SPKI representations. This
> could take the form of a cookbook with entries like “For a 2048 bit RSA
> key using RSASSA with SHA-256, emit these bytes, filling in slots A and
> B in the template with the 256 bytes of the mantissa and the 3 bytes of
> the exponent”. Based on my searching, I don’t think this information
> exists anywhere in a self-contained form accessible to developers (but I
> could be wrong, of course). I’m not going to personally do it, but if
> any of you want go for it, have at it!
>
> 2. If my experience is representative, telling developers to just hash
> the SPKI representation of a JWK won’t be very effective unless they
> already have X.509 support. Most will probably give up well before the
> 5 hours that I’ve invested to get this partial understanding of
> what I’d need to know. If my experience is representative,
> draft-ietf-jose-jwk-thumbprint will be much easier to implement for
> these developers.
>
> Trying to live in the shoes of developers,
>
> -- Mike

--oFEiMM2Snn8ih00aG0MSVIlENXrhN8Pd9
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

--oFEiMM2Snn8ih00aG0MSVIlENXrhN8Pd9--

From nobody Wed Mar 11 11:06:36 2015
Message-ID: <55008407.1080804@gmx.net>
Date: Wed, 11 Mar 2015 19:05:59 +0100
From: Hannes Tschofenig
To: Mike Jones, Stephen Farrell
Cc: Manuel.Pegourie-Gonnard@arm.com, "jose@ietf.org", Nat Sakimura
References: <4E1F6AAD24975D4BA5B1680429673943A2F496F5@TK5EX14MBXC292.redmond.corp.microsoft.com> <55007A17.9000808@gmx.net>
In-Reply-To: <55007A17.9000808@gmx.net>
Subject: Re: [jose] My quest to learn how to create SubjectPublicKeyInfo values from scratch

Just adding a bit more info after a chat with my co-worker Manuel (on CC).

If you use the OpenSSL tools then you can generate the
SubjectPublicKeyInfo structure with the following commands:

> openssl ecparam -genkey -name prime256v1 -out ec.key && openssl ec -in ec.key -pubout -outform der -out ec.pub

> dumpasn1 ec.pub

  0  89: SEQUENCE {
  2  19:   SEQUENCE {
  4   7:     OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
 13   8:     OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7)
       :     }
 23  66:   BIT STRING
       :     04 58 74 31 8E DB 77 7C D3 AA 13 E0 81 D2 2C 0F
       :     F1 CA 15 89 5B 50 F5 E2 5F AF 45 DC 3D 29 17 64
       :     B2 0F 1A BE DE A3 77 70 CB D2 0F B5 6B 5F 11 92
       :     C6 38 BE 6A F6 0B 2F 80 B7 AE 7E 4A 0A 33 C4 14
       :     AC
       :   }

Ciao
Hannes

On 03/11/2015 06:23 PM, Hannes Tschofenig wrote:
> Mike,
>
> I did this in the context of the work on the raw public key document for
> TLS.
>
> Using an ASN.1 parser makes sense since the SubjectPublicKeyInfo is not
> just a blob but an ASN.1 structure that looks different depending on
> the type of keys encoding (ECC vs. RSA).
>
> My code was done as part of the TLS stack itself; it is not as usable as
> a command line tool.
>
> You referenced https://tools.ietf.org/html/rfc7250#appendix-A and this
> was created by extracting the SubjectPublicKeyInfo field from a
> self-signed certificate that was created with the OpenSSL tools.
>
> Ciao
> Hannes
>
> On 03/11/2015 06:16 AM, Mike Jones wrote:
>> I’ve always loved learning new things, so I decided yesterday to try to
>> learn first-hand how to write code that emitted X.509
>> SubjectPublicKeyInfo (SPKI) values from scratch. By “from scratch”, I
>> mean using development tools without built-in X.509 or ASN.1 support.
>>
>> I took this on because of Stephen’s suggestion
>> http://www.ietf.org/mail-archive/web/jose/current/msg04954.html that
>> people could just hash the SPKI values to create a key thumbprint.
>> Given I’d helped create the JSON-based hash input described in
>> http://tools.ietf.org/html/draft-ietf-jose-jwk-thumbprint-03, I wanted
>> to give his alternative suggestion a fair shake (and learn some new
>> things along the way). This admittedly stream-of-consciousness and
>> overly long message describes my expedition to date…
>>
>> Thus far, I’ve spent 5 hours trying to learn to do this. I spent about
>> the first two hours searching for examples of creating the bytes of
>> X.509 certificates or SubjectPublicKeyInfo values without using ASN.1
>> and/or X.509 libraries. I failed.
>>
>> Next, I tried to read the authoritative reference for what’s in the SPKI
>> field – the X.509 spec. Unfortunately,
>> http://www.itu.int/rec/T-REC-X.509/en told me “This text was produced
>> through a joint activity with ISO and IEC. According to the agreement
>> with our partners, this document is only available through payment.”
>> Since most developers would stop at that point, I did too.
>>
>> After that, I changed tacks and tried to find examples of sample
>> certificates with commentary on what all the values mean – the kind of
>> info developers would want when coding this. I had better luck with
>> that. After about another hour of Web searching, I found this really
>> useful example: http://tools.ietf.org/html/rfc7250#appendix-A. I also
>> found this one:
>> http://www.jensign.com/JavaScience/dotnet/JKeyNet/index.html. Going
>> through them byte-by-byte enabled me to reverse engineer some of the
>> ASN.1 and X.509 constructs used.
>>
>> Things I learned by looking at these 1024-bit RSA public key
>> representations included:
>>
>> · ASN.1 uses byte-aligned Tag-Length-Value encodings.
>>
>> · The tags for SEQUENCE, OID, NULL, BIT STRING, and INTEGER are
>> respectively 0x30, 0x06, 0x05, 0x03, and 0x02.
>>
>> · These Length values are encoded as follows:
>>
>> o 159 – 0x81 0x9f
>>
>> o 9 – 0x09
>>
>> o 0 – 0x00
>>
>> · The OID 1.2.840.113549.1.1.1 is encoded in 9 bytes as 0x2a 0x86
>> 0x48 0x86 0xf7 0x0d 0x01 0x01 0x01.
>>
>> · The OID is followed by an ASN.1 NULL - 0x05 0x00.
>>
>> · The RSA Key is represented as an encapsulated bit field.
>>
>> · There is an apparently unused zero byte (the 22nd byte of the
>> SPKI field in the RFC 7250 example) as the first byte of this bit field.
>>
>> · The rest of the bit field contains concatenated representations
>> of the modulus and the exponent as ASN.1 INTEGERs.
>>
>> · The 1024 bit modulus is represented in 129 bytes, with the
>> first byte being zero.
>>
>> This brought me up to hour four. Next, I went looking for a 2048 bit
>> cert to learn from (especially since JWA requires 2048+ bit RSA keys).
>> I found http://fm4dd.com/openssl/certexamples.htm and chose
>> 2048b-rsa-example-cert.der, from which I also learned:
>>
>> · These length values are encoded as follows:
>>
>> o 290 – 0x82 0x01 0x22
>>
>> o 257 – 0x82 0x01 0x01
>>
>> · From this, I deduced (possibly incorrectly ☺) that if the high
>> bit of the first length byte is 0, the remaining 7 bits represent the
>> length, but if the high bit of the first length byte is 1, the remaining
>> 7 bits represent the number of bytes used to represent the actual
>> length. (Hence the use of 0x81 for representing values in the range
>> 128-255 and the use of 0x82 for representing values in the range 256-32767.)
>>
>> · Length values are represented in big-endian byte order.
>>
>> · The 2048 bit key representation also starts with an apparently
>> unused zero byte.
>>
>> · The 2048 bit modulus is represented by 257 bytes, with the
>> first byte being zero.
>>
>> Things I haven’t yet learned that I’d need to know to really write this
>> code:
>>
>> · How are the OIDs in the table at
>> http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendix-A
>> represented as ASN.1 OID values?
>>
>> · Are multiple OIDs sometimes present before the ASN.1 NULL, and
>> if so, which algorithms require which sets of OIDs in what order?
>>
>> · Is there always the apparently unused zero byte in the key
>> representation or if not, when is it present and absent?
>>
>> · Is there always a leading zero byte in the RSA modulus or if
>> not, when is it present and absent?
>>
>> · How are elliptic curve keys represented?
>>
>> This brought me up to about the fifth hour of my investigation, and I
>> decided to stop and write up my findings to date. Highlighted versions
>> of the example certificate from RFC 7250 and the SPKI value from
>> fm4dd.com are attached, should any of you want to follow along with my
>> reverse engineering. Tags are yellow. Lengths are green. OIDs are
>> purple. The apparently unused byte is red. Key values are blue.
>>
>> I readily admit that I could have easily missed something while
>> searching. If someone can point me to self-contained descriptions of
>> this information, I’d love to see them!
>>
>> ==== CONCLUSIONS ====
>>
>> 1. I think it would be a fine thing to do to write an RFC describing
>> the mapping between key values and their SPKI representations.
>> This could take the form of a cookbook with entries like “For a 2048 bit RSA
>> key using RSASSA with SHA-256, emit these bytes, filling in slots A and
>> B in the template with the 256 bytes of the mantissa and the 3 bytes of
>> the exponent”. Based on my searching, I don’t think this information
>> exists anywhere in a self-contained form accessible to developers (but I
>> could be wrong, of course). I’m not going to personally do it, but if
>> any of you want to go for it, have at it!
>>
>> 2. If my experience is representative, telling developers to just hash
>> the SPKI representation of a JWK won’t be very effective unless they
>> already have X.509 support. Most will probably give up well before the
>> 5 hours that I’ve invested to get this partial understanding of
>> what I’d need to know. If my experience is representative,
>> draft-ietf-jose-jwk-thumbprint will be much easier to implement for
>> these developers.
>>
>> Trying to live in the shoes of developers,
>>
>> -- Mike

From nobody Wed Mar 11 11:17:01 2015
From: John Bradley
In-Reply-To: <55008407.1080804@gmx.net>
Date: Wed, 11 Mar 2015 15:16:40 -0300
References: <4E1F6AAD24975D4BA5B1680429673943A2F496F5@TK5EX14MBXC292.redmond.corp.microsoft.com> <55007A17.9000808@gmx.net> <55008407.1080804@gmx.net>
To: Hannes Tschofenig
Cc: Nat Sakimura, Michael Jones, Manuel.Pegourie-Gonnard@arm.com, "jose@ietf.org", Stephen Farrell
Subject: Re: [jose] My quest to learn how to create SubjectPublicKeyInfo values from scratch

How do you generate it from a raw key in JWK based on "crv", "kty", "x" and "y"?

> On Mar 11, 2015, at 3:05 PM, Hannes Tschofenig wrote:
>
> Just adding a bit more info after a chat with my co-worker Manuel (on CC).
>
> If you use the OpenSSL tools then you can generate the
> SubjectPublicKeyInfo structure with the following commands:
>
>> openssl ecparam -genkey -name prime256v1 -out ec.key && openssl ec -in ec.key -pubout -outform der -out ec.pub
>
>> dumpasn1 ec.pub
>
>   0  89: SEQUENCE {
>   2  19:   SEQUENCE {
>   4   7:     OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
>  13   8:     OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7)
>        :     }
>  23  66:   BIT STRING
>        :     04 58 74 31 8E DB 77 7C D3 AA 13 E0 81 D2 2C 0F
>        :     F1 CA 15 89 5B 50 F5 E2 5F AF 45 DC 3D 29 17 64
>        :     B2 0F 1A BE DE A3 77 70 CB D2 0F B5 6B 5F 11 92
>        :     C6 38 BE 6A F6 0B 2F 80 B7 AE 7E 4A 0A 33 C4 14
>        :     AC
>        :   }
>
> Ciao
> Hannes
>
> On 03/11/2015 06:23 PM, Hannes Tschofenig wrote:
>> Mike,
>>
>> I did this in the context of the work on the raw public key document for
>> TLS.
>>
>> Using an ASN.1 parser makes sense since the SubjectPublicKeyInfo is not
>> just a blob but an ASN.1 structure that looks different depending on
>> the type of keys encoding (ECC vs. RSA).
>>
>> My code was done as part of the TLS stack itself; it is not as usable as
>> a command line tool.
>>
>> You referenced https://tools.ietf.org/html/rfc7250#appendix-A and this
>> was created by extracting the SubjectPublicKeyInfo field from a
>> self-signed certificate that was created with the OpenSSL tools.
>>
>> Ciao
>> Hannes
>>
>> On 03/11/2015 06:16 AM, Mike Jones wrote:
>>> I’ve always loved learning new things, so I decided yesterday to try to
>>> learn first-hand how to write code that emitted X.509
>>> SubjectPublicKeyInfo (SPKI) values from scratch. By “from scratch”, I
>>> mean using development tools without built-in X.509 or ASN.1 support.
>>>
>>> I took this on because of Stephen’s suggestion
>>> http://www.ietf.org/mail-archive/web/jose/current/msg04954.html that
>>> people could just hash the SPKI values to create a key thumbprint.
>>> Given I’d helped create the JSON-based hash input described in
>>> http://tools.ietf.org/html/draft-ietf-jose-jwk-thumbprint-03, I wanted
>>> to give his alternative suggestion a fair shake (and learn some new
>>> things along the way). This admittedly stream-of-consciousness and
>>> overly long message describes my expedition to date…
>>>
>>> Thus far, I’ve spent 5 hours trying to learn to do this. I spent about
>>> the first two hours searching for examples of creating the bytes of
>>> X.509 certificates or SubjectPublicKeyInfo values without using ASN.1
>>> and/or X.509 libraries. I failed.
>>>
>>> Next, I tried to read the authoritative reference for what’s in the SPKI
>>> field – the X.509 spec. Unfortunately,
>>> http://www.itu.int/rec/T-REC-X.509/en told me “This text was produced
>>> through a joint activity with ISO and IEC. According to the agreement
>>> with our partners, this document is only available through payment.”
>>> Since most developers would stop at that point, I did too.
>>>
>>> After that, I changed tacks and tried to find examples of sample
>>> certificates with commentary on what all the values mean – the kind of
>>> info developers would want when coding this. I had better luck with
>>> that. After about another hour of Web searching, I found this really
>>> useful example: http://tools.ietf.org/html/rfc7250#appendix-A. I also
>>> found this one:
>>> http://www.jensign.com/JavaScience/dotnet/JKeyNet/index.html. Going
>>> through them byte-by-byte enabled me to reverse engineer some of the
>>> ASN.1 and X.509 constructs used.
>>>
>>> Things I learned by looking at these 1024-bit RSA public key
>>> representations included:
>>>
>>> · ASN.1 uses byte-aligned Tag-Length-Value encodings.
>>>
>>> · The tags for SEQUENCE, OID, NULL, BIT STRING, and INTEGER are
>>> respectively 0x30, 0x06, 0x05, 0x03, and 0x02.
>>>
>>> · These Length values are encoded as follows:
>>>
>>> o 159 – 0x81 0x9f
>>>
>>> o 9 – 0x09
>>>
>>> o 0 – 0x00
>>>
>>> · The OID 1.2.840.113549.1.1.1 is encoded in 9 bytes as 0x2a 0x86
>>> 0x48 0x86 0xf7 0x0d 0x01 0x01 0x01.
>>>
>>> · The OID is followed by an ASN.1 NULL - 0x05 0x00.
>>>
>>> · The RSA Key is represented as an encapsulated bit field.
>>>
>>> · There is an apparently unused zero byte (the 22nd byte of the
>>> SPKI field in the RFC 7250 example) as the first byte of this bit field.
>>>
>>> · The rest of the bit field contains concatenated representations
>>> of the modulus and the exponent as ASN.1 INTEGERs.
>>>
>>> · The 1024 bit modulus is represented in 129 bytes, with the
>>> first byte being zero.
>>>
>>> This brought me up to hour four. Next, I went looking for a 2048 bit
>>> cert to learn from (especially since JWA requires 2048+ bit RSA keys).
>>> I found http://fm4dd.com/openssl/certexamples.htm and chose
>>> 2048b-rsa-example-cert.der, from which I also learned:
>>>
>>> · These length values are encoded as follows:
>>>
>>> o 290 – 0x82 0x01 0x22
>>>
>>> o 257 – 0x82 0x01 0x01
>>>
>>> · From this, I deduced (possibly incorrectly ☺) that if the high
>>> bit of the first length byte is 0, the remaining 7 bits represent the
>>> length, but if the high bit of the first length byte is 1, the remaining
>>> 7 bits represent the number of bytes used to represent the actual
>>> length. (Hence the use of 0x81 for representing values in the range
>>> 128-255 and the use of 0x82 for representing values in the range 256-32767.)
>>>
>>> · Length values are represented in big-endian byte order.
>>>
>>> · The 2048 bit key representation also starts with an apparently
>>> unused zero byte.
>>>
>>> · The 2048 bit modulus is represented by 257 bytes, with the
>>> first byte being zero.
>>>
>>> Things I haven’t yet learned that I’d need to know to really write this
>>> code:
>>>
>>> · How are the OIDs in the table at
>>> http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendix-A
>>> represented as ASN.1 OID values?
>>>
>>> · Are multiple OIDs sometimes present before the ASN.1 NULL, and
>>> if so, which algorithms require which sets of OIDs in what order?
>>>
>>> · Is there always the apparently unused zero byte in the key
>>> representation or if not, when is it present and absent?
>>>
>>> · Is there always a leading zero byte in the RSA modulus or if
>>> not, when is it present and absent?
>>>
>>> · How are elliptic curve keys represented?
>>>
>>> This brought me up to about the fifth hour of my investigation, and I
>>> decided to stop and write up my findings to date. Highlighted versions
>>> of the example certificate from RFC 7250 and the SPKI value from
>>> fm4dd.com are attached, should any of you want to follow along with my
>>> reverse engineering. Tags are yellow. Lengths are green. OIDs are
>>> purple. The apparently unused byte is red. Key values are blue.
>>>
>>> I readily admit that I could have easily missed something while
>>> searching. If someone can point me to self-contained descriptions of
>>> this information, I’d love to see them!
>>>
>>> ==== CONCLUSIONS ====
>>>
>>> 1. I think it would be a fine thing to do to write an RFC describing
>>> the mapping between key values and their SPKI representations. This
>>> could take the form of a cookbook with entries like “For a 2048 bit RSA
>>> key using RSASSA with SHA-256, emit these bytes, filling in slots A and
>>> B in the template with the 256 bytes of the mantissa and the 3 bytes of
>>> the exponent”. Based on my searching, I don’t think this information
>>> exists anywhere in a self-contained form accessible to developers (but I
>>> could be wrong, of course). I’m not going to personally do it, but if
>>> any of you want to go for it, have at it!
>>>
>>> 2. If my experience is representative, telling developers to just hash
>>> the SPKI representation of a JWK won’t be very effective unless they
>>> already have X.509 support. Most will probably give up well before the
>>> 5 hours that I’ve invested to get this partial understanding of
>>> what I’d need to know. If my experience is representative,
>>> draft-ietf-jose-jwk-thumbprint will be much easier to implement for
>>> these developers.
>>>
>>> Trying to live in the shoes of developers,
>>>
>>> -- Mike

From nobody Wed Mar 11 11:26:26 2015
Date: Wed, 11 Mar 2015 11:26:18 -0700
From: Richard Barnes
To: John Bradley
Cc: Nat Sakimura, Manuel.Pegourie-Gonnard@arm.com, Michael Jones, "jose@ietf.org", Hannes Tschofenig, Stephen Farrell
References: <4E1F6AAD24975D4BA5B1680429673943A2F496F5@TK5EX14MBXC292.redmond.corp.microsoft.com> <55007A17.9000808@gmx.net> <55008407.1080804@gmx.net>
Subject: Re: [jose] My quest to learn how to create SubjectPublicKeyInfo values from scratch

You could do a similar template thing to what I posted above, but with
different values.

On Wed, Mar 11, 2015 at 11:16 AM, John Bradley wrote:

> How do you generate it from a raw key in JWK based on "crv", "kty", "x"
> and "y"?
>
> > On Mar 11, 2015, at 3:05 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> >
> > Just adding a bit more info after a chat with my co-worker Manuel (on CC).
> >
> > If you use the OpenSSL tools then you can generate the
> > SubjectPublicKeyInfo structure with the following commands:
> >
> >> openssl ecparam -genkey -name prime256v1 -out ec.key && openssl ec -in ec.key -pubout -outform der -out ec.pub
> >
> >> dumpasn1 ec.pub
> >
> >   0  89: SEQUENCE {
> >   2  19:   SEQUENCE {
> >   4   7:     OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
> >  13   8:     OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7)
> >        :     }
> >  23  66:   BIT STRING
> >        :     04 58 74 31 8E DB 77 7C D3 AA 13 E0 81 D2 2C 0F
> >        :     F1 CA 15 89 5B 50 F5 E2 5F AF 45 DC 3D 29 17 64
> >        :     B2 0F 1A BE DE A3 77 70 CB D2 0F B5 6B 5F 11 92
> >        :     C6 38 BE 6A F6 0B 2F 80 B7 AE 7E 4A 0A 33 C4 14
> >        :     AC
> >        :   }
> >
> > Ciao
> > Hannes
> >
> > On 03/11/2015 06:23 PM, Hannes Tschofenig wrote:
> >> Mike,
> >>
> >> I did this in the context of the work on the raw public key document for
> >> TLS.
> >>
> >> Using an ASN.1 parser makes sense since the SubjectPublicKeyInfo is not
> >> just a blob but an ASN.1 structure that looks different depending on
> >> the type of keys encoding (ECC vs. RSA).
> >>
> >> My code was done as part of the TLS stack itself; it is not as usable as
> >> a command line tool.
> >>
> >> You referenced https://tools.ietf.org/html/rfc7250#appendix-A and this
> >> was created by extracting the SubjectPublicKeyInfo field from a
> >> self-signed certificate that was created with the OpenSSL tools.
> >>
> >> Ciao
> >> Hannes
> >>
> >> On 03/11/2015 06:16 AM, Mike Jones wrote:
> >>> I’ve always loved learning new things, so I decided yesterday to try to
> >>> learn first-hand how to write code that emitted X.509
> >>> SubjectPublicKeyInfo (SPKI) values from scratch.
> > > > > On Mar 11, 2015, at 3:05 PM, Hannes Tschofenig < > hannes.tschofenig@gmx.net> wrote: > > > > Just adding a bit more info after a chat with my co-worker Manuel (on > CC). > > > > If you use the OpenSSL tools then you can generate the > > SubjectPublicKeyInfo structure with the following commands: > > > >> openssl ecparam -genkey -name prime256v1 -out ec.key && openssl ec -in > > ec.key -pubout -outform der -out ec.pub > > > >> dumpasn1 ec.pub > > > > 0 89: SEQUENCE { > > 2 19: SEQUENCE { > > 4 7: OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1) > > 13 8: OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7) > > : } > > 23 66: BIT STRING > > : 04 58 74 31 8E DB 77 7C D3 AA 13 E0 81 D2 2C 0F > > : F1 CA 15 89 5B 50 F5 E2 5F AF 45 DC 3D 29 17 64 > > : B2 0F 1A BE DE A3 77 70 CB D2 0F B5 6B 5F 11 92 > > : C6 38 BE 6A F6 0B 2F 80 B7 AE 7E 4A 0A 33 C4 14 > > : AC > > : } > > > > Ciao > > Hannes > > > > On 03/11/2015 06:23 PM, Hannes Tschofenig wrote: > >> Mike, > >> > >> I did this in the context of the work on the raw public key document f= or > >> TLS. > >> > >> Using an ASN.1 parser makes sense since the SubjectPublicKeyInfo is no= t > >> just a blog but an ASN.1 structure that looks differently depending on > >> the type of keys encoding (ECC vs. RSA). > >> > >> My code was done as part of the TLS stack itself it is not as usable a= s > >> a command line tool. > >> > >> You referenced https://tools.ietf.org/html/rfc7250#appendix-A and this > >> was created by extracing the SubjectPublicKeyInfo field from a > >> self-signed certificate that was created with the OpenSSL tools. > >> > >> Ciao > >> Hannes > >> > >> > >> On 03/11/2015 06:16 AM, Mike Jones wrote: > >>> I=E2=80=99ve always loved learning new things, so I decided yesterday= to try to > >>> learn first-hand how to write code that emitted X.509 > >>> SubjectPublicKeyInfo (SPKI) values from scratch. 
By =E2=80=9Cfrom sc= ratch=E2=80=9D, I > >>> mean using development tools without built-in X.509 or ASN.1 support. > >>> > >>> > >>> > >>> I took this on because of Stephen=E2=80=99s suggestion > >>> http://www.ietf.org/mail-archive/web/jose/current/msg04954.html that > >>> people could just hash the SPKI values to create a key thumbprint. > >>> Given I=E2=80=99d helped create the JSON-based hash input described i= n > >>> http://tools.ietf.org/html/draft-ietf-jose-jwk-thumbprint-03, I wante= d > >>> to give his alternative suggestion a fair shake (and learn some new > >>> things along the way). This admittedly stream-of-consciousness and > >>> overly long message describes my expedition to date=E2=80=A6 > >>> > >>> > >>> > >>> Thus far, I=E2=80=99ve spent 5 hours trying to learn to do this. I s= pent about > >>> the first two hours searching for examples of creating the bytes of > >>> X.509 certificates or SubjectPublicKeyInfo values without using ASN.1 > >>> and/or X.509 libraries. I failed. > >>> > >>> > >>> > >>> Next, I tried to read the authoritative reference for what=E2=80=99s = in the > SPKI > >>> field =E2=80=93 the X.509 spec. Unfortunately, > >>> http://www.itu.int/rec/T-REC-X.509/en told me =E2=80=9CThis text was = produced > >>> through a joint activity with ISO and IEC. According to the agreement > >>> with our partners, this document is only available through payment.= =E2=80=9D > >>> Since most developers would stop at that point, I did too. > >>> > >>> > >>> > >>> After that, I changed tacks and tried to find examples of sample > >>> certificates with commentary on what all the values mean =E2=80=93 th= e kind of > >>> info developers would want when coding this. I had better luck with > >>> that. After about another hour of Web searching, I found this really > >>> useful example: http://tools.ietf.org/html/rfc7250#appendix-A. I als= o > >>> found this one: > >>> http://www.jensign.com/JavaScience/dotnet/JKeyNet/index.html. 
Going > >>> through them byte-by-byte enabled me to reverse engineer some of the > >>> ASN.1 and X.509 constructs used. > >>> > >>> > >>> > >>> Things I learned by looking at these 1024-bit RSA public key > >>> representations included: > >>> > >>> =C2=B7 ASN.1 uses byte-aligned Tag-Length-Value encodings. > >>> > >>> =C2=B7 The tags for SEQUENCE, OID, NULL, BIT STRING, and INTEG= ER are > >>> respectively 0x30, 0x06, 0x05, 0x03, and 0x02. > >>> > >>> =C2=B7 These Length values are encoded as follows: > >>> > >>> o 159 =E2=80=93 0x81 0x9f > >>> > >>> o 9 =E2=80=93 0x09 > >>> > >>> o 0 =E2=80=93 0x00 > >>> > >>> =C2=B7 The OID 1.2.840.113549.1.1.1 is encoded in 9 bytes as 0= x2a > 0x86 > >>> 0x48 0x86 0xf7 0x0d 0x01 0x01 0x01. > >>> > >>> =C2=B7 The OID is followed by an ASN.1 NULL - 0x05 0x00. > >>> > >>> =C2=B7 The RSA Key is represented as an encapsulated bit field= . > >>> > >>> =C2=B7 There is an apparently unused zero byte (the 22^nd byte= of the > >>> SPKI field in the RFC 7250 example) as the first byte of this bit > field. > >>> > >>> =C2=B7 The rest of the bit field contains concatenated > representations > >>> of the modulus and the exponent as ASN.1 INTEGERs. > >>> > >>> =C2=B7 The 1024 bit modulus is represented in 129 bytes, with = the > >>> first byte being zero. > >>> > >>> > >>> > >>> This brought me up to hour four. Next, I went looking for a 2048 bit > >>> cert to learn from (especially since JWA requires 2048+ bit RSA keys)= . 
> >>> I found http://fm4dd.com/openssl/certexamples.htm and chose > >>> 2048b-rsa-example-cert.der, from which I also learned: > >>> > >>> =C2=B7 These length values are encoded as follows: > >>> > >>> o 290 =E2=80=93 0x82 0x01 0x22 > >>> > >>> o 257 =E2=80=93 0x82 0x01 0x01 > >>> > >>> =C2=B7 From this, I deduced (possibly incorrectly J) that if t= he high > >>> bit of the first length byte is 0, the remaining 7 bits represent the > >>> length, but if the high bit of the first length byte is 1, the > remaining > >>> 7 bits represent the number of bytes used to represent the actual > >>> length. (Hence the use of 0x81 for representing values in the range > >>> 128-255 and the use of 0x82 for representing values in the range > 256-32767.) > >>> > >>> =C2=B7 Length values are represented in big-endian byte order. > >>> > >>> =C2=B7 The 2048 bit key representation also starts with an app= arently > >>> unused zero byte. > >>> > >>> =C2=B7 The 2048 bit modulus is represented by 257 bytes, with = the > >>> first byte being zero. > >>> > >>> > >>> > >>> Things I haven=E2=80=99t yet learned that I=E2=80=99d need to know to= really write this > >>> code: > >>> > >>> =C2=B7 How are the OIDs in the table at > >>> > http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendi= x-A > >>> represented as ASN.1 OID values? > >>> > >>> =C2=B7 Are multiple OIDs sometimes present before the ASN.1 NU= LL, and > >>> if so, which algorithms require which sets of OIDs in what order? > >>> > >>> =C2=B7 Is there always the apparently unused zero byte in the = key > >>> representation or if not, when is it present and absent? > >>> > >>> =C2=B7 Is there always a leading zero byte in the RSA modulus = or if > >>> not, when is it present and absent? > >>> > >>> =C2=B7 How are elliptic curve keys represented? > >>> > >>> > >>> > >>> This brought me up to about the fifth hour of my investigation, and I > >>> decided to stop and write up my findings to date. 
Highlighted versio= ns > >>> of the example certificate from RFC 7250 and the SPKI value from > >>> fm4dd.com are attached, should any of you want to follow along with m= y > >>> reverse engineering. Tags are yellow. Lengths are green. OIDs are > >>> purple. The apparently unused byte is red. Key values are blue. > >>> > >>> > >>> > >>> I readily admit that I could have easily missed something while > >>> searching. If someone can point me to self-contained descriptions of > >>> this information, I=E2=80=99d love to see them! > >>> > >>> > >>> > >>> =3D=3D=3D=3D CONCLUSIONS =3D=3D=3D=3D > >>> > >>> > >>> > >>> 1. I think it would be a fine thing to do to write an RFC describing > >>> the mapping between key values and their SPKI representations. This > >>> could take the form of a cookbook with entries like =E2=80=9CFor a 20= 48 bit RSA > >>> key using RSASSA with SHA-256, emit these bytes, filling in slots A a= nd > >>> B in the template with the 256 bites of the mantissa and the 3 bytes = of > >>> the exponent=E2=80=9D. Based on my searching, I don=E2=80=99t think = this information > >>> exists anywhere in a self-contained form accessible to developers (bu= t > I > >>> could be wrong, of course). I=E2=80=99m not going to personally do i= t, but if > >>> any of you want go for it, have at it! > >>> > >>> > >>> > >>> 2. If my experience is representative, telling developers to just ha= sh > >>> the SPKI representation of a JWK won=E2=80=99t be very effective unle= ss they > >>> already have X.509 support. Most will probably give up well before t= he > >>> 5 hours that I=E2=80=99ve invested to get this this partial understan= ding of > >>> what I=E2=80=99d need to know. If my experience is representative, > >>> draft-ietf-jose-jwk-thumbprint will be much easier to implement for > >>> these developers. 
> >>> > >>> > >>> > >>> Trying to live in the shoes of developer= s, > >>> > >>> -- Mike > >>> > >>> > >>> > >>> > >>> > >>> _______________________________________________ > >>> jose mailing list > >>> jose@ietf.org > >>> https://www.ietf.org/mailman/listinfo/jose > >>> > >> > >> > >> > >> _______________________________________________ > >> jose mailing list > >> jose@ietf.org > >> https://www.ietf.org/mailman/listinfo/jose > >> > > > > _______________________________________________ > > jose mailing list > > jose@ietf.org > > https://www.ietf.org/mailman/listinfo/jose > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > > --089e013c6af0465ce605110767ec Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
--089e013c6af0465ce605110767ec--

From nobody Wed Mar 11 17:29:55 2015
From: "Manger, James"
To: Mike Jones, "jose@ietf.org"
Date: Thu, 12 Mar 2015 11:29:45 +1100
Thread-Topic: My quest to learn how to create SubjectPublicKeyInfo values from scratch
Message-ID: <255B9BB34FB7D647A506DC292726F6E12855654940@WSMSG3153V.srv.dir.telstra.com>
References: <4E1F6AAD24975D4BA5B1680429673943A2F496F5@TK5EX14MBXC292.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943A2F496F5@TK5EX14MBXC292.redmond.corp.microsoft.com>
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E12855654940WSMSG3153Vsrv_"
MIME-Version: 1.0
Subject: Re: [jose] My quest to learn how to create SubjectPublicKeyInfo values from scratch
List-Id: Javascript Object Signing and Encryption

--_000_255B9BB34FB7D647A506DC292726F6E12855654940WSMSG3153Vsrv_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

>> Things I learned by looking at these 1024-bit RSA public key representations included:

* ASN.1 uses byte-aligned Tag-Length-Value encodings.
* The tags for SEQUENCE, OID, NULL, BIT STRING, and INTEGER are respectively 0x30, 0x06, 0x05, 0x03, and 0x02.
* These Length values are encoded as follows:
  o 159 - 0x81 0x9f
  o 9 - 0x09
  o 0 - 0x00
* The OID 1.2.840.113549.1.1.1 is encoded in 9 bytes as 0x2a 0x86 0x48 0x86 0xf7 0x0d 0x01 0x01 0x01.
* The OID is followed by an ASN.1 NULL - 0x05 0x00.
* The RSA Key is represented as an encapsulated bit field.
* There is an apparently unused zero byte (the 22nd byte of the SPKI field in the RFC 7250 example) as the first byte of this bit field.

The ASN.1 BIT STRING is DER-encoded as:

|Tag|Len  |Value                                     |
|   |     |Unused-bit-count  Bits-padded-with-0-bits |
| 03| 818D| 00                30818902...            |

For a BIT STRING, the value part of the tag-length-value starts with 1 byte that holds the number of unused bits in the last byte of the value.

As an example, the 7 bits 1110001 are DER-encoded as 03(tag) 02(length) 01(unused bit count) E2(bits plus 1 unused bit)

* The rest of the bit field contains concatenated representations of the modulus and the exponent as ASN.1 INTEGERs.

The modulus and exponent are encapsulated in a SEQUENCE (tag byte 0x30), not just concatenated.

* The 1024 bit modulus is represented in 129 bytes, with the first byte being zero.

Integers are represented in 2's-complement to handle positive and negative integers. If the top bit of the first byte is 1 you have a negative integer. Hence, you need an extra leading 0x00 byte for some positive integers.

> RSA_2048_PREFIX = "30820122300D06092A864886F70D01010105000382010F003082010A02820101";

There are plenty of "2048-bit RSA keys" where the modulus is actually 2047 bits long (multiply two 1024-bit primes and you get a 2048-bit or 2047-bit modulus). There is no extra leading 0x00 byte when DER-encoding a 2047-bit modulus. Consequently, concatenating a fixed prefix to build a DER-encoding is likely to cause interop bugs.

* How are the OIDs in the table at http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendix-A represented as ASN.1 OID values?

Example: HS256 1.2.840.113549.2.9

Believe it or not, the first step to DER-encode an OID is to convert the first two numbers (1.2.) to a single number. Multiply the first by 40 and add the second: 1*40 + 2 = 42 = 0x2A (aren't standards great ;). Now 42 and the following four numbers are each represented with a variable-length encoding: 7 bits per byte; 8th bit (most significant bit) indicates if there are more bytes to follow.

Example: 113549 = 6*2^14 + 119 * 2^7 + 13 => encoded in 3 bytes 86 F7 0D, which you can see in the middle of RSA_2048_PREFIX above.

P.S. The draft splits the number 113549 (and JCA labels) over two lines. Yuck. Might be better to put the XML DSIG uris in a separate table to avoid wrapping.

* Is there always the apparently unused zero byte in the key representation or if not, when is it present and absent?

Whenever you put a whole number of bytes into a BIT STRING you get the 0x00 byte as there are no unused bits.

--
James Manger

 

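The DER rules James Manger spells out above (length octets, OID sub-identifiers, the BIT STRING unused-bit count, the INTEGER sign byte), together with John Bradley's question about building an SPKI from a JWK's "crv", "x" and "y", as an added Python example that is not code from any message in this thread. It assumes the quoted RSA_2048_PREFIX is applied as prefix + fixed 257-byte modulus slot + exponent INTEGER; the two RSA moduli are constructed integers of the right bit length rather than real keys, and the EC point is the one in the dumpasn1 output quoted earlier.

```python
import base64
import hashlib

def der_len(n: int) -> bytes:
    """Short form below 128; otherwise 0x80|count followed by big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value

def der_oid(dotted: str) -> bytes:
    """Fold the first two arcs into 40*a+b, then base-128 with a 'more' bit."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for sub in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def der_uint(n: int) -> bytes:
    """Non-negative INTEGER: minimal bytes, 0x00 prepended only if the top bit is set."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)

def der_bitstring(data: bytes, unused_bits: int = 0) -> bytes:
    """Value = one unused-bit-count octet, then the zero-padded bits."""
    return tlv(0x03, bytes([unused_bits]) + data)

def rsa_spki(n: int, e: int) -> bytes:
    alg = tlv(0x30, der_oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))
    key = tlv(0x30, der_uint(n) + der_uint(e))  # modulus and exponent in a SEQUENCE
    return tlv(0x30, alg + der_bitstring(key))

def ec_p256_spki(x: bytes, y: bytes) -> bytes:
    if len(x) != 32 or len(y) != 32:
        raise ValueError("P-256 coordinates must be exactly 32 bytes each")
    alg = tlv(0x30, der_oid("1.2.840.10045.2.1") + der_oid("1.2.840.10045.3.1.7"))
    return tlv(0x30, alg + der_bitstring(b"\x04" + x + y))  # 0x04: uncompressed point

def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def jwk_to_spki(jwk: dict) -> bytes:
    if jwk.get("kty") == "RSA":
        return rsa_spki(int.from_bytes(b64u_decode(jwk["n"]), "big"),
                        int.from_bytes(b64u_decode(jwk["e"]), "big"))
    if jwk.get("kty") == "EC" and jwk.get("crv") == "P-256":
        return ec_p256_spki(b64u_decode(jwk["x"]), b64u_decode(jwk["y"]))
    raise ValueError("unsupported kty/crv")

def spki_thumbprint(spki: bytes) -> str:
    return hashlib.sha256(spki).hexdigest()

# Prefix quoted in the thread; how it is applied below is an assumption.
RSA_2048_PREFIX = bytes.fromhex(
    "30820122300D06092A864886F70D01010105000382010F003082010A02820101")

def template_rsa_spki(n: int, e: int) -> bytes:
    """Assumed template: prefix + fixed 257-byte modulus slot + exponent INTEGER."""
    return RSA_2048_PREFIX + n.to_bytes(257, "big") + der_uint(e)

# Constructed integers with the stated bit lengths (not real RSA moduli).
N_2048 = (1 << 2047) | 1
N_2047 = (1 << 2046) | 1

# Uncompressed point copied from the dumpasn1 output quoted in the thread.
EC_POINT = bytes.fromhex(
    "04 58 74 31 8E DB 77 7C D3 AA 13 E0 81 D2 2C 0F"
    "F1 CA 15 89 5B 50 F5 E2 5F AF 45 DC 3D 29 17 64"
    "B2 0F 1A BE DE A3 77 70 CB D2 0F B5 6B 5F 11 92"
    "C6 38 BE 6A F6 0B 2F 80 B7 AE 7E 4A 0A 33 C4 14"
    "AC")

def sample_ec_jwk() -> dict:
    return {"kty": "EC", "crv": "P-256",
            "x": b64u_encode(EC_POINT[1:33]), "y": b64u_encode(EC_POINT[33:])}

if __name__ == "__main__":
    for label, n in (("2048-bit", N_2048), ("2047-bit", N_2047)):
        good, tmpl = rsa_spki(n, 65537), template_rsa_spki(n, 65537)
        print(label, "header", good[:4].hex(), "template matches DER:", good == tmpl)
        print("  thumbprints equal:", spki_thumbprint(good) == spki_thumbprint(tmpl))
    ec = jwk_to_spki(sample_ec_jwk())
    print("EC SPKI", len(ec), "bytes:", ec[:26].hex(), "...")
```

For the 2047-bit modulus the computed lengths drop by one byte at four nesting levels, so the template output is non-minimal DER and hashes to a different thumbprint than the encoder's output.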

From nobody Wed Mar 11 17:50:24 2015
From: Mike Jones
To: "Manger, James"
Cc: "jose@ietf.org"
Date: Thu, 12 Mar 2015 00:49:47 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943A2F4C5B4@TK5EX14MBXC292.redmond.corp.microsoft.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E12855654940@WSMSG3153V.srv.dir.telstra.com>
Subject: Re: [jose] My quest to learn how to create SubjectPublicKeyInfo values from scratch

Thanks for explaining about the unused bit count, James. Another mystery solved!

Your point about 2048 bit keys sometimes being 2047 bits in length seems quite pertinent, as it changes the encoded key length (and therefore several other encoded lengths) by a byte.

About the draft splitting the number 113549 (and JCA labels) over two lines, I'll plan to work with the RFC editor to see what we can do about that.

Thanks again,
-- Mike

From: Manger, James [mailto:James.H.Manger@team.telstra.com]
Sent: Wednesday, March 11, 2015 5:30 PM
To: Mike Jones; jose@ietf.org
Subject: RE: My quest to learn how to create SubjectPublicKeyInfo values from scratch

>> Things I learned by looking at these 1024-bit RSA public key representations included:

* ASN.1 uses byte-aligned Tag-Length-Value encodings.
* The tags for SEQUENCE, OID, NULL, BIT STRING, and INTEGER are respectively 0x30, 0x06, 0x05, 0x03, and 0x02.
* These Length values are encoded as follows:
  o 159 - 0x81 0x9f
  o 9 - 0x09
  o 0 - 0x00
* The OID 1.2.840.113549.1.1.1 is encoded in 9 bytes as 0x2a 0x86 0x48 0x86 0xf7 0x0d 0x01 0x01 0x01.
* The OID is followed by an ASN.1 NULL - 0x05 0x00.
* The RSA Key is represented as an encapsulated bit field.
* There is an apparently unused zero byte (the 22nd byte of the SPKI field in the RFC 7250 example) as the first byte of this bit field.

The ASN.1 BIT STRING is DER-encoded as:

|Tag|Len  |Value                                      |
|   |     |Unused-bit-count  Bits-padded-with-0-bits  |
| 03| 818D| 00               30818902...              |

For a BIT STRING, the value part of the tag-length-value starts with 1 byte that holds the number of unused bits in the last byte of the value.

As an example, the 7 bits 1110001 are DER-encoded as 03(tag) 02(length) 01(unused bit count) E2(bits plus 1 unused bit)

* The rest of the bit field contains concatenated representations of the modulus and the exponent as ASN.1 INTEGERs.

The modulus and exponent are encapsulated in a SEQUENCE (tag byte 0x30), not just concatenated.

* The 1024 bit modulus is represented in 129 bytes, with the first byte being zero.

Integers are represented in 2's-complement to handle positive and negative integers. If the top bit of the first byte is 1 you have a negative integer. Hence, you need an extra leading 0x00 byte for some positive integers.

> RSA_2048_PREFIX = "30820122300D06092A864886F70D01010105000382010F003082010A02820101";

There are plenty of "2048-bit RSA keys" where the modulus is actually 2047-bits long (multiply two 1024-bit primes and you get a 2048-bit or 2047-bit modulus). There is no extra leading 0x00 byte when DER-encoding a 2047-bit modulus. Consequently, concatenating a fixed prefix to build a DER-encoding is likely to cause interop bugs.

* How are the OIDs in the table at http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendix-A represented as ASN.1 OID values?

Example: HS256 1.2.840.113549.2.9

Believe it or not, the first step to DER-encode an OID is to convert the first two numbers (1.2.) to a single number. Multiply the first by 40 and add the second: 1*40 + 2 = 42 = 0x2A (aren't standards great ;). Now 42 and the following four numbers are each represented with a variable-length encoding: 7 bits per byte; 8th bit (most significant bit) indicates if there are more bytes to follow.

Example: 113549 = 6*2^14 + 119 * 2^7 + 13 => encoded in 3 bytes 86 F7 0D, which you can see in the middle of RSA_2048_PREFIX above.

P.S. The draft splits the number 113549 (and JCA labels) over two lines. Yuck. Might be better to put the XML DSIG uris in a separate table to avoid wrapping.

* Is there always the apparently unused zero byte in the key representation or if not, when is it present and absent?

Whenever you put a whole number of bytes into a BIT STRING you get the 0x00 byte as there are no unused bits.

--
James Manger
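The encoding rules discussed in this message, as an added example (not code from the thread or from any JOSE draft): a minimal DER encoder that builds an RSA SubjectPublicKeyInfo from a modulus and exponent and compares the result with the fixed RSA_2048_PREFIX quoted above. The function names and the two constructed moduli (bit patterns of a chosen length, not real keys) are assumptions made for illustration.

```python
# Added example: minimal DER encoder for an RSA SubjectPublicKeyInfo (SPKI).
# Function names are illustrative; the moduli are constructed, not real keys.

RSA_2048_PREFIX = bytes.fromhex(
    "30820122300D06092A864886F70D01010105000382010F003082010A02820101")


def der_length(n: int) -> bytes:
    """Short form below 128, else 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Byte-aligned Tag-Length-Value."""
    return bytes([tag]) + der_length(len(value)) + value


def der_integer(n: int) -> bytes:
    """Non-negative INTEGER in minimal two's complement."""
    if n < 0:
        raise ValueError("only non-negative integers are needed for RSA keys")
    # bit_length // 8 + 1 bytes always leaves the top bit clear, which adds
    # the leading 0x00 exactly when the bit length is a multiple of 8.
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def base128(n: int) -> bytes:
    """7 bits per byte, high group first; top bit set on all but the last byte."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    # The first two arcs are merged into one number: first * 40 + second.
    merged = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    return tlv(0x06, b"".join(base128(a) for a in merged))


def der_bit_string(bits: bytes, unused: int = 0) -> bytes:
    """Value starts with one byte counting the unused bits in the last byte."""
    if not 0 <= unused <= 7 or (unused and not bits):
        raise ValueError("unused bit count must be 0..7 and needs data")
    return tlv(0x03, bytes([unused]) + bits)


def rsa_spki(n: int, e: int) -> bytes:
    algorithm = tlv(0x30, der_oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))
    rsa_public_key = tlv(0x30, der_integer(n) + der_integer(e))
    return tlv(0x30, algorithm + der_bit_string(rsa_public_key))


def matches_fixed_prefix(n: int, e: int = 65537) -> bool:
    """True if the correctly encoded SPKI begins with RSA_2048_PREFIX."""
    return rsa_spki(n, e).startswith(RSA_2048_PREFIX)


N_2048 = (1 << 2047) | 1  # constructed: bit length 2048, needs the leading 0x00
N_2047 = (1 << 2046) | 1  # constructed: bit length 2047, no leading 0x00

if __name__ == "__main__":
    for label, n in (("2048-bit", N_2048), ("2047-bit", N_2047)):
        spki = rsa_spki(n, 65537)
        print(label, len(spki), spki[:32].hex().upper(), matches_fixed_prefix(n))
```

For the 2047-bit modulus every enclosing length drops by one (outer SEQUENCE 0x0121, BIT STRING 0x010E, inner SEQUENCE 0x0109, INTEGER 0x0100), so a builder that prepends the fixed prefix produces a structure whose lengths do not match its content.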

From nobody Wed Mar 11 20:58:04 2015
From: "Jim Schaad"
To: "'Mike Jones'" ,
Date: Wed, 11 Mar 2015 20:56:47 -0700
Message-ID: <0f1e01d05c78$94573b00$bd05b100$@augustcellars.com>
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943A2E74771@TK5EX14MBXC292.redmond.corp.microsoft.com>
Subject: Re: [jose] Key Managed JSON Web Signature (KMJWS) specification

I cannot respond for Richard, but personally I feel rather insulted by the current draft. My first half a dozen responses were rather vulgar and pejorative to this draft and thus deleted.

This draft seems to be, more or less, what Richard and I were proposing in Denver and were told was not possible due to backwards compatibility. What has changed that this is no longer true?

Why is there need to have a compact formation for this draft? We were told in no uncertain terms that this was completely unnecessary in Denver and thus was out of scope for the documents.

This document does not seem to have read the security considerations section of the JWS draft specifically dealing with the existence of multiple sharers of the secret key.

This document has messed up the current documentation in JWE about how to determine what type of document is being presented. This is completely unacceptable.

There are now multiple representations of direct keying for mac. This is a significant problem as one does not know which of the versions one is supposed to be using.

(The fact that I am half, if not all the way drunk has made this message much easier to write).

Jim

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Tuesday, March 03, 2015 2:42 AM
To: jose@ietf.org
Subject: [jose] Key Managed JSON Web Signature (KMJWS) specification

I took a little time today and wrote a short draft specifying a JWS-like object that uses key management for the MAC key used to integrity protect the payload. We had considered doing this in JOSE issue #2 but didn't do so at the time because of lack of demand. However, I wanted to get this down now to demonstrate that it is easy to do and specify a way to do it, should demand develop in the future - possibly after the JOSE working group has been closed. See http://tools.ietf.org/html/draft-jones-jose-key-managed-json-web-signature-00 or http://self-issued.info/docs/draft-jones-jose-key-managed-json-web-signature-00.html.

This spec reuses key management functionality already present in the JWE spec and MAC functionality already present in the JWS spec. The result is essentially a JWS with an Encrypted Key value added, and a new "mac" Header Parameter value representing the MAC algorithm used. (Like JWE, the key management algorithm is carried in the "alg" Header Parameter value.)

I also wrote this now as possible input into our thinking on options for creating a CBOR JOSE mapping. If there are CBOR use cases needing managed MAC keys, this could help us reason about ways to structure the solution.

Yes, the spec name and abbreviation are far from catchy. Better naming ideas would be great.

Feedback welcomed.

-- Mike

P.S. This note was also posted at http://self-issued.info/?p=1344 and as @selfissued.

From nobody Wed Mar 11 22:39:49 2015
From: Richard Barnes
To: Jim Schaad
Cc: Mike Jones , "jose@ietf.org"
Date: Wed, 11 Mar 2015 22:39:43 -0700
In-Reply-To: <0f1e01d05c78$94573b00$bd05b100$@augustcellars.com>
Subject: Re: [jose] Key Managed JSON Web Signature (KMJWS) specification

I was simply going to note with bemusement that exactly this eventuality was foreseen by those of us that favored a more general approach to key wrapping [0][1]. Those that dismissed that idea have made their bed full of complexity, and now they are lying in it.

At this point, the least harmful approach would be to simply define an "ek" header field that contains an encrypted key, in the form of a JWE containing a JWK [0].

[0] http://tools.ietf.org/agenda/85/slides/slides-85-jose-7.pdf
[1] http://tools.ietf.org/agenda/86/slides/slides-86-jose-0.pdf

On Wed, Mar 11, 2015 at 8:56 PM, Jim Schaad wrote:

> I cannot respond for Richard, but personally I feel rather insulted by the current draft. My first half a dozen responses were rather vulgar and pejorative to this draft and thus deleted.
>
> This draft seems to be, more or less, what Richard and I were proposing in Denver and were told was not possible due to backwards compatibility. What has changed that this is no longer true?
>
> Why is there need to have a compact formation for this draft? We were told in no uncertain terms that this was completely unnecessary in Denver and thus was out of scope for the documents.
>
> This document does not seem to have read the security considerations section of the JWS draft specifically dealing with the existence of multiple sharers of the secret key.
>
> This document has messed up the current documentation in JWE about how to determine what type of document is being presented. This is completely unacceptable.
>
> There are now multiple representations of direct keying for mac. This is a significant problem as one does not know which of the versions one is supposed to be using.
>
> (The fact that I am half, if not all the way drunk has made this message much easier to write).
>
> Jim
>
> *From:* jose [mailto:jose-bounces@ietf.org] *On Behalf Of *Mike Jones
> *Sent:* Tuesday, March 03, 2015 2:42 AM
> *To:* jose@ietf.org
> *Subject:* [jose] Key Managed JSON Web Signature (KMJWS) specification
>
> I took a little time today and wrote a short draft specifying a JWS-like object that uses key management for the MAC key used to integrity protect the payload. We had considered doing this in JOSE issue #2 but didn’t do so at the time because of lack of demand. However, I wanted to get this down now to demonstrate that it is easy to do and specify a way to do it, should demand develop in the future – possibly after the JOSE working group has been closed. See http://tools.ietf.org/html/draft-jones-jose-key-managed-json-web-signature-00 or http://self-issued.info/docs/draft-jones-jose-key-managed-json-web-signature-00.html.
>
> This spec reuses key management functionality already present in the JWE spec and MAC functionality already present in the JWS spec. The result is essentially a JWS with an Encrypted Key value added, and a new “mac” Header Parameter value representing the MAC algorithm used. (Like JWE, the key management algorithm is carried in the “alg” Header Parameter value.)
>
> I also wrote this now as possible input into our thinking on options for creating a CBOR JOSE mapping. If there are CBOR use cases needing managed MAC keys, this could help us reason about ways to structure the solution.
>
> Yes, the spec name and abbreviation are far from catchy. Better naming ideas would be great.
>
> Feedback welcomed.
>
> -- Mike
>
> P.S. This note was also posted at http://self-issued.info/?p=1344 and as @selfissued.
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
--001a1134919291c3ec051110cfc6--

From nobody Wed Mar 11 22:45:08 2015
From: Richard Barnes
To: "Manger, James"
Cc: Mike Jones, "jose@ietf.org"
Date: Wed, 11 Mar 2015 22:45:02 -0700
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E12855654940@WSMSG3153V.srv.dir.telstra.com>
Subject: Re: [jose] My quest to learn how to create SubjectPublicKeyInfo values from scratch
Content-Type: multipart/alternative; boundary=001a1134daf6a2ecf5051110e23b

--001a1134daf6a2ecf5051110e23b
Content-Type: text/plain; charset=UTF-8

On Wed, Mar 11, 2015 at 5:29 PM, Manger, James <James.H.Manger@team.telstra.com> wrote:

> >> Things I learned by looking at these 1024-bit RSA public key
> representations included:
>
> · ASN.1 uses byte-aligned Tag-Length-Value encodings.
>
> · The tags for SEQUENCE, OID, NULL, BIT STRING, and INTEGER are
> respectively 0x30, 0x06, 0x05, 0x03, and 0x02.
>
> · These Length values are encoded as follows:
>
> o 159 – 0x81 0x9f
>
> o 9 – 0x09
>
> o 0 – 0x00
>
> · The OID 1.2.840.113549.1.1.1 is encoded in 9 bytes as 0x2a 0x86
> 0x48 0x86 0xf7 0x0d 0x01 0x01 0x01.
>
> · The OID is followed by an ASN.1 NULL - 0x05 0x00.
>
> · The RSA Key is represented as an encapsulated bit field.
>
> · There is an apparently unused zero byte (the 22nd byte of the
> SPKI field in the RFC 7250 example) as the first byte of this bit field.
>
> The ASN.1 BIT STRING is DER-encoded as:
>
> |Tag|Len  |Value                                      |
> |   |     |Unused-bit-count  Bits-padded-with-0-bits  |
> | 03| 818D| 00                30818902…               |
>
> For a BIT STRING, the value part of the tag-length-value starts with 1 byte
> that holds the number of unused bits in the last byte of the value.
>
> As an example, the 7 bits 1110001 are DER-encoded as 03(tag) 02(length)
> 01(unused bit count) E2(bits plus 1 unused bit)
>
> · The rest of the bit field contains concatenated representations
> of the modulus and the exponent as ASN.1 INTEGERs.
>
> The modulus and exponent are encapsulated in a SEQUENCE (tag byte 0x30),
> not just concatenated.
>
> · The 1024 bit modulus is represented in 129 bytes, with the
> first byte being zero.
>
> Integers are represented in 2’s-complement to handle positive and negative
> integers. If the top bit of the first byte is 1 you have a negative
> integer. Hence, you need an extra leading 0x00 byte for some positive
> integers.
>
> > RSA_2048_PREFIX =
> "30820122300D06092A864886F70D01010105000382010F003082010A02820101";
>
> There are plenty of “2048-bit RSA keys” where the modulus is actually
> 2047-bits long (multiply two 1024-bit primes and you get a 2048-bit or
> 2047-bit modulus). There is no extra leading 0x00 byte when DER-encoding a
> 2047-bit modulus. Consequently, concatenating a fixed prefix to build a
> DER-encoding is likely to cause interop bugs.
>

I'm sorry, what?  Could you please provide an example of two 1024-bit
primes that multiply to a 2047-bit value?  Last I checked,
(1<<N + x)*(1<<N + y) > 1<<(2*N).

--Richard

> · How are the OIDs in the table at
> http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendix-A
> represented as ASN.1 OID values?
>
> Example: HS256   1.2.840.113549.2.9
>
> Believe it or not, the first step to DER-encode an OID is to convert the
> first two numbers (1.2.) to a single number. Multiply the first by 40 and
> add the second: 1*40 + 2 = 42 = 0x2A (aren’t standards great ;). Now 42 and
> the following four numbers are each represented with a variable-length
> encoding: 7 bits per byte; 8th bit (most significant bit) indicates if
> there are more bytes to follow.
>
> Example: 113549 = 6*2^14 + 119 * 2^7 + 13 => encoded in 3 bytes 86 F7 0D,
> which you can see in the middle of RSA_2048_PREFIX above.
>
> P.S. The draft splits the number 113549 (and JCA labels) over two lines.
> Yuck. Might be better to put the XML DSIG uris in a separate table to avoid
> wrapping.
>
> · Is there always the apparently unused zero byte in the key
> representation or if not, when is it present and absent?
>
> Whenever you put a whole number of bytes into a BIT STRING you get the
> 0x00 byte as there are no unused bits.
>
> --
>
> James Manger
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>


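The DER rules discussed in the message above (length octets, OID arcs, the BIT STRING unused-bit count, the INTEGER sign byte) can be checked with a small encoder that builds the RSA SubjectPublicKeyInfo from n and e and compares it with the fixed-prefix construction. This is an added example, not code from the thread or from any JOSE draft. The function names and the two constructed moduli (products of non-prime 1024-bit numbers, chosen only for their bit lengths) are assumptions for illustration; RSA_2048_PREFIX and the OID are the values quoted in the message.

```python
"""DER-encode an RSA SubjectPublicKeyInfo (SPKI) from (n, e), standard library only."""

RSA_OID = "1.2.840.113549.1.1.1"   # OID quoted in the thread
# Fixed header quoted in the thread for 2048-bit keys.
RSA_2048_PREFIX = "30820122300D06092A864886F70D01010105000382010F003082010A02820101"

# Constructed sample moduli: the factors are NOT prime, only the bit lengths matter.
N_2048 = (2**1024 - 1) * (2**1024 - 3)   # 1024-bit x 1024-bit -> 2048 bits
N_2047 = (2**1023 + 1) * (2**1023 + 3)   # 1024-bit x 1024-bit -> 2047 bits


def der_length(length: int) -> bytes:
    """Short form below 128, otherwise 0x80|count followed by the big-endian length."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_length(len(value)) + value


def der_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER for a non-negative value."""
    if value < 0:
        raise ValueError("only non-negative integers are handled here")
    # bit_length // 8 + 1 bytes always leaves the sign bit clear, so a leading
    # 0x00 byte appears exactly when the bit length is a multiple of 8.
    return der_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def der_oid(dotted: str) -> bytes:
    """First two arcs fold into 40*a + b; each sub-identifier is base-128, top bit = more."""
    arcs = [int(part) for part in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    body = bytearray()
    for sub in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def der_bit_string(data: bytes, unused_bits: int = 0) -> bytes:
    """BIT STRING value = one unused-bit-count byte, then the zero-padded bits."""
    if not 0 <= unused_bits <= 7 or (unused_bits and not data):
        raise ValueError("unused bit count out of range")
    if data and data[-1] & ((1 << unused_bits) - 1):
        raise ValueError("DER requires the unused bits to be zero")
    return der_tlv(0x03, bytes([unused_bits]) + data)


def rsa_spki(n: int, e: int = 65537) -> bytes:
    """SEQUENCE { SEQUENCE { OID, NULL }, BIT STRING { SEQUENCE { n, e } } }"""
    algorithm = der_tlv(0x30, der_oid(RSA_OID) + der_tlv(0x05, b""))
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    return der_tlv(0x30, algorithm + der_bit_string(rsa_public_key))


def spki_from_fixed_prefix(n: int) -> bytes:
    """Fixed-prefix construction: the header only fits a 257-byte INTEGER n and e = 65537."""
    return bytes.fromhex(RSA_2048_PREFIX) + n.to_bytes(257, "big") + bytes.fromhex("0203010001")


def header_hex(spki: bytes) -> str:
    """Bytes up to and including the modulus INTEGER's tag and length (32 bytes here)."""
    return spki[:32].hex().upper()


if __name__ == "__main__":
    for name, n in (("2048-bit", N_2048), ("2047-bit", N_2047)):
        good, fixed = rsa_spki(n), spki_from_fixed_prefix(n)
        print(name, "bits:", n.bit_length(), "SPKI length:", len(good))
        print("  encoder header:", header_hex(good))
        print("  fixed prefix matches encoder:", good == fixed)
```

For the 2047-bit modulus the fixed-prefix output pads the INTEGER with a redundant 0x00, so it differs from the DER encoding of the same key and any hash or byte comparison over the SPKI will not match.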


--001a1134daf6a2ecf5051110e23b--

From nobody Thu Mar 12 00:04:15 2015
From: "Manger, James"
To: Richard Barnes
Cc: "jose@ietf.org"
Date: Thu, 12 Mar 2015 18:04:08 +1100
Message-ID: <255B9BB34FB7D647A506DC292726F6E12855655143@WSMSG3153V.srv.dir.telstra.com>
Subject: Re: [jose] My quest to learn how to create SubjectPublicKeyInfo values from scratch
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E12855655143WSMSG3153Vsrv_"

--_000_255B9BB34FB7D647A506DC292726F6E12855655143WSMSG3153Vsrv_
Content-Type: text/plain; charset="utf-8"

>>> RSA_2048_PREFIX = "30820122300D06092A864886F70D01010105000382010F003082010A02820101";
>> There are plenty of “2048-bit RSA keys” where the modulus is actually
>> 2047-bits long (multiply two 1024-bit primes and you get a 2048-bit or
>> 2047-bit modulus). There is no extra leading 0x00 byte when DER-encoding a
>> 2047-bit modulus. Consequently, concatenating a fixed prefix to build a
>> DER-encoding is likely to cause interop bugs.

> I'm sorry, what?  Could you please provide an example of two 1024-bit
> primes that multiply to a 2047-bit value?  Last I checked,
> (1<<N + x)*(1<<N + y) > 1<<(2*N).

p1 = 2^1023 + 1
p2 = 2^1023 + 3
n = p1 * p2 = 2^2046 + 2^1025 + 3

p1 & p2 are 1024-bit numbers (probably not actually prime).
Their product n is a 2047-bit number.

The calculation is (1<<N - x)*(1<<N - y) = (1<<2N - z)

--
James Manger

--_000_255B9BB34FB7D647A506DC292726F6E12855655143WSMSG3153Vsrv_--

From nobody Thu Mar 12 00:37:57 2015
From: Mike Jones
To: Jim Schaad, "jose@ietf.org"
Date: Thu, 12 Mar 2015 07:37:24 +0000
In-Reply-To: <0f1e01d05c78$94573b00$bd05b100$@augustcellars.com>
Subject: Re: [jose] Key Managed JSON Web Signature (KMJWS) specification
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4427BF68CEE0CE400972401F5060BY2PR03MB442namprd_"

--_000_BY2PR03MB4427BF68CEE0CE400972401F5060BY2PR03MB442namprd_
Content-Type: text/plain; charset="us-ascii"

Hi Jim. Thanks for responding and for your honest feedback. While you may
feel insulted (I'm genuinely sorry about that!), I'm to try to take the
negatives you've expressed as positives, in the sense that they can
constructively inform future work by the working group.

One reason I wrote this draft was to get down a straightforward way of
using key managed HMACs, should people want to do that in the future,
especially since there's talk of closing the working group soon. The other
reason I wrote it was to further illuminate the upsides and downsides of
some of the choices we made in JWS and JWE, given we have a chance to reuse
and/or revisit those choices should the COSE work go forward.

Replies to your specific points follow inline...

From: Jim Schaad [mailto:ietf@augustcellars.com]
Sent: Wednesday, March 11, 2015 8:57 PM
To: Mike Jones; jose@ietf.org
Subject: RE: [jose] Key Managed JSON Web Signature (KMJWS) specification

> I cannot respond for Richard, but personally I feel rather insulted by
> the current draft.
> My first half a dozen responses were rather vulgar and pejorative to this
> draft and thus deleted.
>
> This draft seems to be, more or less, what Richard and I were proposing
> in Denver and were told was not possible due to backwards compatibility.
> What has changed that this is no longer true?

For what it's worth, I've occasionally been thinking about key management
for MACs ever since you and Richard raised the possibility in Denver.
Somewhere along the way I realized that there was a simple way to combine
the JWE key management methods and the JWS MAC methods. So I decided to
write it down, while there was still a working group to consider it, should
the working group decide to do so.

If the reason you're insulted is that you feel that you should receive more
credit for some of the ideas, I'd be glad to point out in the
Acknowledgements that you and Richard suggested the possibility of
key-managed MACs and/or make you co-editors if you agree with the approach
and would like to work more actively on it. If the reason that you're
insulted is that you feel that we should have done this earlier, I think
the verdict is still out on whether we need to do this at all. Looking at
http://trac.tools.ietf.org/wg/jose/trac/ticket/2, Karen made a consensus
call that "we should not add the ability to have a randomly generated MAC
key protected by a different key" based on working group input.

I think the key question for the working group relative to this draft is
whether people now want to see a standard way to do this or not.

As for the backwards compatibility issues discussed in Denver, I know that
several participants were opposed to seeing the JWS format for
non-key-managed MACs change. I suspect that's what you're referring to. The
good news about the current draft is that it adds the ability to have
key-managed MACs without such a change.

Should we have thought of this approach then? Probably. Did we? At least
I didn't. I thought of it recently, so I decided to write it down.

> Why is there need to have a compact formation for this draft? We were
> told in no uncertain terms that this was completely unnecessary in Denver
> and thus was out of scope for the documents.

I can't remember the part of the discussion that you're referring to in
Denver and I can't find it in the published notes. The only uses of
"compact" in the notes aren't about this.

That said, there's a compact serialization for key managed MACs for the
same reason that there's a compact serialization for the other JOSE
objects - to provide a compact, URL-safe representation for use cases that
need it. It also makes this draft more parallel to both JWS and JWE than it
would otherwise be.

> This document does not seem to have read the security considerations
> section of the JWS draft specifically dealing with the existence of
> multiple sharers of the secret key.

I'm not sure I'm following you here, because different recipients use
different ephemeral keys in this representation. What's the security
consideration that you think wasn't taken into account?

> This document has messed up the current documentation in JWE about how to
> determine what type of document is being presented. This is completely
> unacceptable.

It's backwards-compatible in the sense that if an implementation supports
JWSs and JWEs but not KMJWSs (I'm still looking for a better name than
KMJWS, BTW), the current rules all continue to do the right thing. If an
implementation supports all three, yes, a little bit of additional logic
would be needed, just like a little bit of additional code would be needed,
but no breaking changes result. A KMJWS is neither a legal JWS nor a legal
JWE, so even if the existing discrimination rules were applied to a KMJWS
and it was mis-categorized as one or the other, upon parsing, it would
still be rejected, since it would be missing required properties.

> There are now multiple representations of direct keying for mac. This is
> a significant problem as one does not know which of the versions one is
> supposed to be using.

Thanks for pointing this out. We should probably just prohibit the use of
"alg":"dir" in KMJWS so that there's exactly one way of representing
non-key-managed MACS - the existing way.

> (The fact that I am half, if not all the way drunk has made this message
> much easier to write).

I'm glad you enjoyed your evening. :)

> Jim

Thanks again,
-- Mike

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Tuesday, March 03, 2015 2:42 AM
To: jose@ietf.org
Subject: [jose] Key Managed JSON Web Signature (KMJWS) specification

I took a little time today and wrote a short draft specifying a JWS-like
object that uses key management for the MAC key used to integrity protect
the payload. We had considered doing this in JOSE issue #2 but didn't do so
at the time because of lack of demand. However, I wanted to get this down
now to demonstrate that it is easy to do and specify a way to do it, should
demand develop in the future - possibly after the JOSE working group has
been closed. See
http://tools.ietf.org/html/draft-jones-jose-key-managed-json-web-signature-00
or
http://self-issued.info/docs/draft-jones-jose-key-managed-json-web-signature-00.html.

This spec reuses key management functionality already present in the JWE
spec and MAC functionality already present in the JWS spec. The result is
essentially a JWS with an Encrypted Key value added, and a new "mac" Header
Parameter value representing the MAC algorithm used. (Like JWE, the key
management algorithm is carried in the "alg" Header Parameter value.)

I also wrote this now as possible input into our thinking on options for
creating a CBOR JOSE mapping. If there are CBOR use cases needing managed
MAC keys, this could help us reason about ways to structure the solution.

Yes, the spec name and abbreviation are far from catchy. Better naming
ideas would be great.

Feedback welcomed.

-- Mike

P.S. This note was also posted at http://self-issued.info/?p=1344 and as
@selfissued.

--_000_BY2PR03MB4427BF68CEE0CE400972401F5060BY2PR03MB442namprd_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

From nobody Thu Mar 12 00:56:25 2015
From: Mike Jones
To: Richard Barnes, Jim Schaad
Cc: "jose@ietf.org"
Date: Thu, 12 Mar 2015 07:56:15 +0000
Subject: Re: [jose] Key Managed JSON Web Signature (KMJWS) specification
IHBvc3NpYmx5IGFmdGVyIHRoZQ0KPGEgaHJlZj0iaHR0cDovL2RhdGF0cmFja2VyLmlldGYub3Jn L3dnL2pvc2UvY2hhcnRlci8iIHRhcmdldD0iX2JsYW5rIj5KT1NFIHdvcmtpbmcgZ3JvdXA8L2E+ IGhhcyBiZWVuIGNsb3NlZC4mbmJzcDsgU2VlDQo8YSBocmVmPSJodHRwOi8vdG9vbHMuaWV0Zi5v cmcvaHRtbC9kcmFmdC1qb25lcy1qb3NlLWtleS1tYW5hZ2VkLWpzb24td2ViLXNpZ25hdHVyZS0w MCIgdGFyZ2V0PSJfYmxhbmsiPg0KaHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQtam9u ZXMtam9zZS1rZXktbWFuYWdlZC1qc29uLXdlYi1zaWduYXR1cmUtMDA8L2E+IG9yDQo8YSBocmVm PSJodHRwOi8vc2VsZi1pc3N1ZWQuaW5mby9kb2NzL2RyYWZ0LWpvbmVzLWpvc2Uta2V5LW1hbmFn ZWQtanNvbi13ZWItc2lnbmF0dXJlLTAwLmh0bWwiIHRhcmdldD0iX2JsYW5rIj4NCmh0dHA6Ly9z ZWxmLWlzc3VlZC5pbmZvL2RvY3MvZHJhZnQtam9uZXMtam9zZS1rZXktbWFuYWdlZC1qc29uLXdl Yi1zaWduYXR1cmUtMDAuaHRtbDwvYT4uPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0 OmF1dG8iPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9 Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvIj5UaGlz IHNwZWMgcmV1c2VzIGtleSBtYW5hZ2VtZW50IGZ1bmN0aW9uYWxpdHkgYWxyZWFkeSBwcmVzZW50 IGluIHRoZQ0KPGEgaHJlZj0iaHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQtaWV0Zi1q b3NlLWpzb24td2ViLWVuY3J5cHRpb24iIHRhcmdldD0iX2JsYW5rIj4NCkpXRSBzcGVjPC9hPiBh bmQgTUFDIGZ1bmN0aW9uYWxpdHkgYWxyZWFkeSBwcmVzZW50IGluIHRoZSA8YSBocmVmPSJodHRw Oi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1pZXRmLWpvc2UtanNvbi13ZWItc2lnbmF0dXJl IiB0YXJnZXQ9Il9ibGFuayI+DQpKV1Mgc3BlYzwvYT4uJm5ic3A7IFRoZSByZXN1bHQgaXMgZXNz ZW50aWFsbHkgYSBKV1Mgd2l0aCBhbiBFbmNyeXB0ZWQgS2V5IHZhbHVlIGFkZGVkLCBhbmQgYSBu ZXcg4oCcPHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij5t YWM8L3NwYW4+4oCdIEhlYWRlciBQYXJhbWV0ZXIgdmFsdWUgcmVwcmVzZW50aW5nIHRoZSBNQUMg YWxnb3JpdGhtIHVzZWQuJm5ic3A7IChMaWtlIEpXRSwgdGhlIGtleSBtYW5hZ2VtZW50IGFsZ29y aXRobSBpcyBjYXJyaWVkDQogaW4gdGhlIOKAnDxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVv dDtDb3VyaWVyIE5ldyZxdW90OyI+YWxnPC9zcGFuPuKAnSBIZWFkZXIgUGFyYW1ldGVyIHZhbHVl 
Lik8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2lu LXRvcC1hbHQ6YXV0bzttc28tbWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+Jm5ic3A7PG86cD48L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1 dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPkkgYWxzbyB3cm90ZSB0aGlzIG5vdyBhcyBw b3NzaWJsZSBpbnB1dCBpbnRvIG91ciB0aGlua2luZyBvbiBvcHRpb25zIGZvciBjcmVhdGluZyBh DQo8YSBocmVmPSJodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9yZmM3MDQ5IiB0YXJnZXQ9Il9i bGFuayI+Q0JPUjwvYT4gSk9TRSBtYXBwaW5nLiZuYnNwOyBJZiB0aGVyZSBhcmUgQ0JPUiB1c2Ug Y2FzZXMgbmVlZGluZyBtYW5hZ2VkIE1BQyBrZXlzLCB0aGlzIGNvdWxkIGhlbHAgdXMgcmVhc29u IGFib3V0IHdheXMgdG8gc3RydWN0dXJlIHRoZSBzb2x1dGlvbi48bzpwPjwvbzpwPjwvcD4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28tbWFy Z2luLWJvdHRvbS1hbHQ6YXV0byI+Jm5ic3A7PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20t YWx0OmF1dG8iPlllcywgdGhlIHNwZWMgbmFtZSBhbmQgYWJicmV2aWF0aW9uIGFyZSBmYXIgZnJv bSBjYXRjaHkuJm5ic3A7IEJldHRlciBuYW1pbmcgaWRlYXMgd291bGQgYmUgZ3JlYXQuPG86cD48 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0 OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8iPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1zby1tYXJnaW4tdG9wLWFsdDphdXRvO21zby1t YXJnaW4tYm90dG9tLWFsdDphdXRvIj5GZWVkYmFjayB3ZWxjb21lZC48bzpwPjwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzttc28t bWFyZ2luLWJvdHRvbS1hbHQ6YXV0byI+Jm5ic3A7PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0 b20tYWx0OmF1dG8iPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw 
From nobody Thu Mar 12 06:11:31 2015
Message-ID: <55019208.2030806@fh-koeln.de>
Date: Thu, 12 Mar 2015 14:18:00 +0100
From: "Prof. Dr.-Ing. Luigi Lo Iacono"
To: jose@ietf.org
References: <54F8466B.8060007@fh-koeln.de> <55006F95.5090807@connect2id.com>
In-Reply-To: <55006F95.5090807@connect2id.com>
Subject: Re: [jose] Java-based JOSE implementation
Reply-To: luigi.lo_iacono@fh-koeln.de

Dear Vladimir,

yes, we do support the flattened serialisation, but you are right, we
did not mention it in the "feature list". This is mainly because we do
not see any benefit in having this serialisation. We followed the
discussions on it and had our own discussions internally. I do not see the
point to define a distinct serialisation which is very close to an
already existing one. This increases complexity only and that's it. The
marginal amount of data reduction coming with the flattened
serialisation is ridiculous in comparison to the JSON serialisation with
only one signature. I personally like the second approach more, since it
still gives you the flexibility to add further signatures along the way.
Basically, this is the way our architecture supports multiple
signatures. They are added by the signing parties one after the other.
From our perspective, this is the only realistic use case here. Having a
signing process in possession of multiple distinct private keys breaks
with a lot of security principles. At least in my understanding or do I
miss something here!?

In our architectural approach a JwsDocument is constructed by a JwsMaker
(either from scratch or by parsing an existing one):

JwsDocument jws = JwsMaker.generate...

Having such an object, getting a particular serialisation is just a
matter of calling the respective method:

- Compact: jws.getCompactSerialisation();
- Compact DETACHED: jws.getCompactDetachedSerialisation();
- JSON: jws.getJsonSerialisation();
- JSON PRETTYPRINTED: jws.getJsonSerialisation(true);
- JSON DETACHED: jws.getJsonDetachedSerialisation();
- JSON PRETTYPRINTED & DETACHED: jws.getJsonDetachedSerialisation(true);
- JSON Flattened: jws.getJsonFlattenedSerialisation();
- JSON Flattened PRETTYPRINTED: jws.getJsonFlattenedSerialisation(true);
- JSON Flattened DETACHED: jws.getJsonFlattenedDetachedSerialisation();
- JSON Flattened PRETTYPRINTED & DETACHED:
  jws.getJsonFlattenedDetachedSerialisation(true)

Hope that helps!?

Do not hesitate to ask further questions. We are happy to help and
further feedback is welcome!

BR, Luigi.

On 11.03.15 at 17:38, Vladimir Dzhuvinov wrote:
> Thanks for sharing this.
>
> I see that you support JSON and compact serialisation, but what is
> flattened serialisation?
>
> Thanks,
>
> Vladimir
>
> On 5.03.2015 14:04, Prof. Dr.-Ing. Luigi Lo Iacono wrote:
>> Dear all,
>>
>> we developed our own JOSE implementation in Java, mainly because we
>> missed the JSON serialisation in almost all of the available libs. You
>> can grasp it here:
>>
>> http://jw-asterisk.realsoasecurity.de/
>>
>> We are still doing some polishing, that is why the sources are still
>> lacking. Stay tuned, though, updates will follow soon...
>>
>> The documentation and especially the unit tests should help in taking
>> the first steps.
>>
>> Let us know what you think about it...
>>
>> BR, Luigi.
>
> --
> Vladimir Dzhuvinov :: vladimir@connect2id.com

From nobody Thu Mar 12 07:08:15 2015
From: Justin Richer
In-Reply-To: <55019208.2030806@fh-koeln.de>
Date: Thu, 12 Mar 2015 10:08:09 -0400
Message-Id: <6CBC4A66-2B2D-42A7-B028-AFE962E44101@mit.edu>
References: <54F8466B.8060007@fh-koeln.de> <55006F95.5090807@connect2id.com> <55019208.2030806@fh-koeln.de>
To: luigi.lo_iacono@fh-koeln.de
Cc: jose@ietf.org
Subject: Re: [jose] Java-based JOSE implementation

Just to add some perspective, if by “flattened” serialization, you
mean the compact serializations of JWS (header.payload.signature) and
JWE (header.stuff.stuff.stuff.stuff I forgot the order), then there are
huge advantages to these, and they’re the only ones that I personally
use.

The simplicity gained in processing the compact forms, both in terms of
generating and consuming. With the compact forms, you get something that
can be dropped on the wire into an HTTP header, form parameter, query
parameter, a string in just about any language, all without any quoting
or further processing. Plus, to get back to the crypto calculations, you
use the literal strings sent across the wire, which is a really nice
feature.

I’ve personally yet to have a use case that required the multiple
signatures or other features of the JSON serialized flavor, nor have I
seen much uptake of it in the wild compared to the compact forms.

 — Justin

From nobody Thu Mar 12 07:50:18 2015
In-Reply-To: <6CBC4A66-2B2D-42A7-B028-AFE962E44101@mit.edu>
References: <54F8466B.8060007@fh-koeln.de> <55006F95.5090807@connect2id.com> <55019208.2030806@fh-koeln.de> <6CBC4A66-2B2D-42A7-B028-AFE962E44101@mit.edu>
From: Brian Campbell
Date: Thu, 12 Mar 2015 08:49:39 -0600
To: Justin Richer
Cc: luigi.lo_iacono@fh-koeln.de, "jose@ietf.org"
Subject: Re: [jose] Java-based JOSE implementation

flattened is not the same as compact FWIW

compact ->
https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-7.1

flattened ->
https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-7.2.2

From nobody Thu Mar 12 08:38:46 2015
From: John Bradley
Date: Thu, 12 Mar 2015 12:38:30 -0300
Message-Id: <94F8AC9B-4B93-4B0E-BEEA-94CF6E42D79E@ve7jtb.com>
References: <54F8466B.8060007@fh-koeln.de> <55006F95.5090807@connect2id.com> <55019208.2030806@fh-koeln.de> <6CBC4A66-2B2D-42A7-B028-AFE962E44101@mit.edu>
To: Brian Campbell
Cc: luigi.lo_iacono@fh-koeln.de, "jose@ietf.org", Justin Richer
Subject: Re: [jose] Java-based JOSE implementation

Yes, flattened is a special case of the JSON serialization that has only one signature.

I don't know that there is a huge benefit to it over the regular JSON serialization that supports multiple signatures.

Some people really wanted it at the time.

Supporting the general JSON serialization would be a higher priority for me. In most cases I have seen, as Justin points out, people wanting a single signature go with compact.

John B.

> On Mar 12, 2015, at 11:49 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>
> flattened is not the same as compact FWIW
>
> compact -> https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-7.1
>
> flattened -> https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-7.2.2
>
> On Thu, Mar 12, 2015 at 8:08 AM, Justin Richer <jricher@mit.edu> wrote:
> Just to add some perspective, if by “flattened” serialization, you mean the compact serializations of JWS (header.payload.signature) and JWE (header.stuff.stuff.stuff.stuff I forgot the order), then there are huge advantages to these, and they’re the only ones that I personally use.
>
> The simplicity gained in processing the compact forms, both in terms of generating and consuming. With the compact forms, you get something that can be dropped on the wire into an HTTP header, form parameter, query parameter, a string in just about any language, all without any quoting or further processing. Plus, to get back to the crypto calculations, you use the literal strings sent across the wire, which is a really nice feature.
>
> I’ve personally yet to have a use case that required the multiple signatures or other features of the JSON serialized flavor, nor have I seen much uptake of it in the wild compared to the compact forms.
>
>  — Justin
>
> > On Mar 12, 2015, at 9:18 AM, Prof. Dr.-Ing. Luigi Lo Iacono <luigi.lo_iacono@fh-koeln.de> wrote:
> >
> > Dear Vladimir,
> >
> > yes, we do support the flattened serialisation, but you are right, we
> > did not mention it in the "feature list". This is mainly because we do
> > not see any benefit in having this serialisation. We followed the
> > discussions on it and had own discussions internally. I do not see the
> > point to define a distinct serialisation which is very close to an
> > already existing one. This increases complexity only and that's it. The
> > marginal amount of data reduction coming with the flattened
> > serialisation is ridiculous in comparison to the JSON serialisation with
> > only one signature. I personally like the second approach more, since it
> > still give you the flexibility to add further signatures along the way.
> > Basically, this is the way our architecture supports multiple
> > signatures. They are added by the signing parties one after the other.
> > From our perspective, this is the only realistic use case here. Having a
> > signing process in possession of multiple distinct private key breaks
> > with a lot of security principles. At least in my understanding or do I
> > miss something here!?
> >
> > In our architectural approach a JwsDocument is constructed by a JwsMaker
> > (either from scratch or by parsing an existing one):
> >
> > JwsDocument jws = JwsMaker.generate...
> >
> > Having such an object, getting a particular serialisation is just a
> > matter of calling the respective method:
> >
> > - Compact: jws.getCompactSerialisation();
> > - Compact DETACHED: jws.getCompactDetachedSerialisation();
> > - JSON: jws.getJsonSerialisation();
> > - JSON PRETTYPRINTED: jws.getJsonSerialisation(true);
> > - JSON DETACHED: jws.getJsonDetachedSerialisation();
> > - JSON PRETTYPRINTED & DETACHED: jws.getJsonDetachedSerialisation(true);
> > - JSON Flattened: jws.getJsonFlattenedSerialisation();
> > - JSON Flattened PRETTYPRINTED: jws.getJsonFlattenedSerialisation(true);
> > - JSON Flattened DETACHED: jws.getJsonFlattenedDetachedSerialisation();
> > - JSON Flattened PRETTYPRINTED & DETACHED:
> >   jws.getJsonFlattenedDetachedSerialisation(true)
> >
> > Hope that helps!?
> >
> > Do not hesitate to ask further questions. We are happy to help and
> > further feedback is welcome!
> >
> > BR, Luigi.
> >
> >
> > On 11.03.15 at 17:38, Vladimir Dzhuvinov wrote:
> >> Thanks for sharing this.
> >>
> >> I see that you support JSON and compact serialisation, but what is
> >> flattened serialisation?
> >>
> >> Thanks,
> >>
> >> Vladimir
> >>
> >> On 5.03.2015 14:04, Prof. Dr.-Ing. Luigi Lo Iacono wrote:
> >>> Dear all,
> >>>
> >>> we developed an own JOSE implementation in Java, mainly because we
> >>> missed the JSON serialisation in almost all of the available libs. You
> >>> can grasp it here:
> >>>
> >>> http://jw-asterisk.realsoasecurity.de/
> >>>
> >>> We are still doing some polishing, that is why the sources are still
> >>> lacking. Stay tuned, though, updates will follow soon...
> >>>
> >>> The documentation and especially the unit tests should help in taking
> >>> the first steps.
> >>>
> >>> Let us know what you think about it...
> >>>
> >>> BR, Luigi.
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> jose mailing list
> >>> jose@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/jose
> >>
> >> --
> >> Vladimir Dzhuvinov :: vladimir@connect2id.com
> >>
> >>
> >>
> >> _______________________________________________
> >> jose mailing list
> >> jose@ietf.org
> >> https://www.ietf.org/mailman/listinfo/jose
> >>
> >
> > _______________________________________________
> > jose mailing list
> > jose@ietf.org
> > https://www.ietf.org/mailman/listinfo/jose
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

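The relationship discussed in the messages above (compact, flattened JSON and general JSON as three renderings of the same JWS, with flattened being the single-signature case and further signatures appended one party at a time), as an added example that is not part of any message in this thread and is not the API of the Java library announced in it. It assumes HS256 so that it needs only the Python standard library; the function names, key ids and keys are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample keys, one per signing party (not taken from the thread).
KEYS = {"alice": b"A" * 32, "bob": b"B" * 32}


def b64u(data: bytes) -> str:
    """base64url without padding, as JWS uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, protected_b64: str, payload_b64: str) -> str:
    # The signing input is the two base64url strings exactly as they appear
    # on the wire, joined by '.', whichever serialization carries them.
    signing_input = f"{protected_b64}.{payload_b64}".encode("utf-8")
    return b64u(hmac.new(key, signing_input, hashlib.sha256).digest())


def add_signature(jws: dict, kid: str, key: bytes) -> dict:
    """Return a copy of a general-form JWS with one more signature appended."""
    header = json.dumps({"alg": "HS256", "kid": kid}, separators=(",", ":"))
    protected_b64 = b64u(header.encode("utf-8"))
    entry = {"protected": protected_b64,
             "signature": _mac(key, protected_b64, jws["payload"])}
    return {"payload": jws["payload"], "signatures": jws["signatures"] + [entry]}


def sign_general(payload: bytes, kid: str, key: bytes) -> dict:
    return add_signature({"payload": b64u(payload), "signatures": []}, kid, key)


def to_flattened(general: dict) -> dict:
    if len(general["signatures"]) != 1:
        raise ValueError("flattened form carries exactly one signature")
    return {"payload": general["payload"], **general["signatures"][0]}


def to_compact(general: dict) -> str:
    flat = to_flattened(general)
    if "header" in flat:
        raise ValueError("compact form has no place for an unprotected header")
    return ".".join((flat["protected"], flat["payload"], flat["signature"]))


def to_general(jws) -> dict:
    """Normalise a compact string, a flattened object or a general object."""
    if isinstance(jws, str):
        parts = jws.split(".")
        if len(parts) != 3:
            raise ValueError("compact JWS must have exactly three parts")
        return {"payload": parts[1],
                "signatures": [{"protected": parts[0], "signature": parts[2]}]}
    if "signatures" in jws:
        return jws
    entry = {k: v for k, v in jws.items() if k != "payload"}
    return {"payload": jws["payload"], "signatures": [entry]}


def verify(jws, keys: dict) -> list:
    """Return the kids whose HS256 signature checks out; [] means reject."""
    general = to_general(jws)
    good = []
    for entry in general["signatures"]:
        protected, sig = entry.get("protected"), entry.get("signature")
        if not isinstance(protected, str) or not isinstance(sig, str):
            continue
        try:
            header = json.loads(b64u_decode(protected))
        except ValueError:
            continue
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            continue  # the verifier, not the token, decides the algorithm
        kid = header.get("kid")
        key = keys.get(kid) if isinstance(kid, str) else None
        if key is None:
            continue
        expected = _mac(key, protected, general["payload"])
        if hmac.compare_digest(expected.encode(), sig.encode()):
            good.append(kid)
    return good


if __name__ == "__main__":
    one = sign_general(b'{"iss":"joe"}', "alice", KEYS["alice"])
    print(to_compact(one))
    print(json.dumps(to_flattened(one)))
    two = add_signature(one, "bob", KEYS["bob"])
    print(json.dumps(two), verify(two, KEYS))
```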

A74FGF2bU4qsBImwS7zRuwKE7ngHIN7jNaoKsfFSSKN/I6zGUyJPIvNbmYUgdoeyqWJuLVwmpEMC vdHb5F/3ArLRH0uG07lSr9cKOx5RyRUpNgKgLayjCEvmy6NbdRZmdKnjaeSg0kYfBZgYwlpf7NMh KKpiA2gu9knDzNF45Y730OjqH5Cj+izrLF6q6xD0ICSQG/AknFgsmGILfZ2+AoQcE4JY9bJwWlLo 2XYNGP9vMYPPlYSulB9dMdiHzAfuUCHVOqys6vyIJCwr5ANIGGC+W6JirI8KAAAAAAAA --Apple-Mail=_B21A29EE-379A-4F93-BB63-9B293F1B9536-- From nobody Thu Mar 12 08:56:16 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BE4F1A8779 for ; Thu, 12 Mar 2015 08:56:14 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 52lZ7WpMok8l for ; Thu, 12 Mar 2015 08:56:07 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0751.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:751]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 257261A8775 for ; Thu, 12 Mar 2015 08:56:07 -0700 (PDT) Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB444.namprd03.prod.outlook.com (10.141.141.154) with Microsoft SMTP Server (TLS) id 15.1.106.11; Thu, 12 Mar 2015 15:55:45 +0000 Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0106.007; Thu, 12 Mar 2015 15:55:45 +0000 From: Mike Jones To: Jim Schaad , "jose@ietf.org" Thread-Topic: [jose] Key Managed JSON Web Signature (KMJWS) specification Thread-Index: AdBVnrlYeSkbpnXYQGWf+2U9DVU+8wG2dZWAAARd7NAAFJ1+sA== 
Date: Thu, 12 Mar 2015 15:55:45 +0000 Message-ID: References: <4E1F6AAD24975D4BA5B1680429673943A2E74771@TK5EX14MBXC292.redmond.corp.microsoft.com> <0f1e01d05c78$94573b00$bd05b100$@augustcellars.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [50.47.90.173] authentication-results: augustcellars.com; dkim=none (message not signed) header.d=none; x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB444; x-forefront-antispam-report: BMV:1; SFV:NSPM; SFS:(10019020)(209900001)(377454003)(52604005)(51704005)(87936001)(2656002)(62966003)(74316001)(19617315012)(107886001)(77096005)(77156002)(99286002)(40100003)(76576001)(122556002)(16236675004)(19609705001)(86362001)(66066001)(86612001)(2900100001)(19300405004)(50986999)(76176999)(2950100001)(54356999)(102836002)(15975445007)(2501003)(92566002)(46102003)(19580395003)(19580405001)(33656002)(19625215002)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB444; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:; x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5002009)(5005006); SRVR:BY2PR03MB444; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB444; x-forefront-prvs: 05134F8B4F Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4420B9763C5DB021DEE13DBF5060BY2PR03MB442namprd_" MIME-Version: 1.0 X-OriginatorOrg: microsoft.onmicrosoft.com X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Mar 2015 15:55:45.6825 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47 X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB444 Archived-At: Subject: Re: [jose] Key Managed JSON Web Signature (KMJWS) specification X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: 
X-List-Received-Date: Thu, 12 Mar 2015 15:56:14 -0000

I'll add one other thing, Jim. I'm sorry that you left the Denver meeting feeling like your idea for key management was dismissed. We should have pushed harder then to try to come up with an approach for that that would work for all. I'll try to personally take this as an object lesson for future standards work.

See you in Dallas!

-- Mike

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Thursday, March 12, 2015 12:37 AM
To: Jim Schaad; jose@ietf.org
Subject: Re: [jose] Key Managed JSON Web Signature (KMJWS) specification

Hi Jim. Thanks for responding and for your honest feedback. While you may feel insulted (I'm genuinely sorry about that!), I'm to try to take the negatives you've expressed as positives, in the sense that they can constructively inform future work by the working group.

One reason I wrote this draft was to get down a straightforward way of using key managed HMACs, should people want to do that in the future, especially since there's talk of closing the working group soon. The other reason I wrote it was to further illuminate the upsides and downsides of some of the choices we made in JWS and JWE, given we have a chance to reuse and/or revisit those choices should the COSE work go forward.

Replies to your specific points follow inline...

From: Jim Schaad [mailto:ietf@augustcellars.com]
Sent: Wednesday, March 11, 2015 8:57 PM
To: Mike Jones; jose@ietf.org
Subject: RE: [jose] Key Managed JSON Web Signature (KMJWS) specification

> I cannot respond for Richard, but personally I feel rather insulted by the current draft. My first half a dozen responses were rather vulgar and pejorative to this draft and thus deleted.
>
> This draft seems to be, more or less, what Richard and I were proposing in Denver and were told was not possible due to backwards compatibility. What has changed that this is no longer true?

For what it's worth, I've occasionally been thinking about key management for MACs ever since you and Richard raised the possibility in Denver. Somewhere along the way I realized that there was a simple way to combine the JWE key management methods and the JWS MAC methods. So I decided to write it down, while there was still a working group to consider it, should the working group decide to do so.

If the reason you're insulted is that you feel that you should receive more credit for some of the ideas, I'd be glad to point out in the Acknowledgements that you and Richard suggested the possibility of key-managed MACs and/or make you co-editors if you agree with the approach and would like to work more actively on it. If the reason that you're insulted is that you feel that we should have done this earlier, I think the verdict is still out on whether we need to do this at all. Looking at http://trac.tools.ietf.org/wg/jose/trac/ticket/2, Karen made a consensus call that "we should not add the ability to have a randomly generated MAC key protected by a different key" based on working group input.

I think the key question for the working group relative to this draft is whether people now want to see a standard way to do this or not.

As for the backwards compatibility issues discussed in Denver, I know that several participants were opposed to seeing the JWS format for non-key-managed MACs change. I suspect that's what you're referring to. The good news about the current draft is that it adds the ability to have key-managed MACs without such a change.

Should we have thought of this approach then? Probably. Did we? At least I didn't. I thought of it recently, so I decided to write it down.

> Why is there need to have a compact formation for this draft? We were told in no uncertain terms that this was completely unnecessary in Denver and thus was out of scope for the documents.

I can't remember the part of the discussion that you're referring to in Denver and I can't find it in the published notes. The only uses of "compact" in the notes aren't about this.

That said, there's a compact serialization for key managed MACs for the same reason that there's a compact serialization for the other JOSE objects - to provide a compact, URL-safe representation for use cases that need it. It also makes this draft more parallel to both JWS and JWE than it would otherwise be.

> This document does not seem to have read the security considerations section of the JWS draft specifically dealing with the existence of multiple sharers of the secret key.

I'm not sure I'm following you here, because different recipients use different ephemeral keys in this representation. What's the security consideration that you think wasn't taken into account?

> This document has messed up the current documentation in JWE about how to determine what type of document is being presented. This is completely unacceptable.

It's backwards-compatible in the sense that if an implementation supports JWSs and JWEs but not KMJWSs (I'm still looking for a better name than KMJWS, BTW), the current rules all continue to do the right thing. If an implementation supports all three, yes, a little bit of additional logic would be needed, just like a little bit of additional code would be needed, but no breaking changes result. A KMJWS is neither a legal JWS nor a legal JWE, so even if the existing discrimination rules were applied to a KMJWS and it was mis-categorized as one or the other, upon parsing, it would still be rejected, since it would be missing required properties.

> There are now multiple representations of direct keying for mac. This is a significant problem as one does not know which of the version one is supposed to be using.

Thanks for pointing this out. We should probably just prohibit the use of "alg":"dir" in KMJWS so that there's exactly one way of representing non-key-managed MACS - the existing way.

> (The fact that I am half, if not all the way drunk has made this message much easier to write).

I'm glad you enjoyed your evening. :)

> Jim

Thanks again,
-- Mike

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Tuesday, March 03, 2015 2:42 AM
To: jose@ietf.org
Subject: [jose] Key Managed JSON Web Signature (KMJWS) specification

I took a little time today and wrote a short draft specifying a JWS-like object that uses key management for the MAC key used to integrity protect the payload. We had considered doing this in JOSE issue #2 but didn't do so at the time because of lack of demand. However, I wanted to get this down now to demonstrate that it is easy to do and specify a way to do it, should demand develop in the future - possibly after the JOSE working group has been closed. See http://tools.ietf.org/html/draft-jones-jose-key-managed-json-web-signature-00 or http://self-issued.info/docs/draft-jones-jose-key-managed-json-web-signature-00.html.

This spec reuses key management functionality already present in the JWE spec and MAC functionality already present in the JWS spec. The result is essentially a JWS with an Encrypted Key value added, and a new "mac" Header Parameter value representing the MAC algorithm used. (Like JWE, the key management algorithm is carried in the "alg" Header Parameter value.)

I also wrote this now as possible input into our thinking on options for creating a CBOR JOSE mapping. If there are CBOR use cases needing managed MAC keys, this could help us reason about ways to structure the solution.

Yes, the spec name and abbreviation are far from catchy. Better naming ideas would be great. Feedback welcomed.

-- Mike

P.S. This note was also posted at http://self-issued.info/?p=1344 and as @selfissued.

From nobody Thu Mar 12 10:20:19 2015
Message-ID: <5501CAC2.9000401@mit.edu>
Date: Thu, 12 Mar 2015 13:20:02 -0400
From: Justin Richer
To: John Bradley, Brian Campbell
Cc: luigi.lo_iacono@fh-koeln.de, "jose@ietf.org"
Subject: Re: [jose] Java-based JOSE implementation

My bad, I totally missed that.

 -- Justin

On 3/12/2015 11:38 AM, John Bradley wrote:
> Yes flattened is a special case of the JSON serialization that has
> only one signature.
>
> I don't know that there is a huge benefit to it over the regular JSON
> serialization that supports multiple signatures.
>
> Some people really wanted it at the time.
>
> Supporting the general JSON serialization would be a higher priority
> for me. In most cases I have seen, as Justin points out people
> wanting a single signature go with compact.
>
> John B.
>
>
>> On Mar 12, 2015, at 11:49 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>>
>> flattened is not the same as compact FWIW
>>
>> compact ->
>> https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-7.1
>>
>> flattened ->
>> https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-7.2.2
>>
>> On Thu, Mar 12, 2015 at 8:08 AM, Justin Richer <jricher@mit.edu> wrote:
>>
>>     Just to add some perspective, if by “flattened” serialization,
>>     you mean the compact serializations of JWS
>>     (header.payload.signature) and JWE
>>     (header.stuff.stuff.stuff.stuff I forgot the order), then there
>>     are huge advantages to these, and they’re the only ones that I
>>     personally use.
>>
>>     The simplicity gained in processing the compact forms, both in
>>     terms of generating and consuming. With the compact forms, you
>>     get something that can be dropped on the wire into an HTTP
>>     header, form parameter, query parameter, a string in just about
>>     any language, all without any quoting or further processing.
>>     Plus, to get back to the crypto calculations, you use the literal
>>     strings sent across the wire, which is a really nice feature.
>>
>>     I’ve personally yet to have a use case that required the multiple
>>     signatures or other features of the JSON serialized flavor, nor
>>     have I seen much uptake of it in the wild compared to the compact
>>     forms.
>>
>>      — Justin
>>
>> > On Mar 12, 2015, at 9:18 AM, Prof. Dr.-Ing. Luigi Lo Iacono <luigi.lo_iacono@fh-koeln.de> wrote:
>> >
>> > Dear Vladimir,
>> >
>> > yes, we do support the flattened serialisation, but you are right, we
>> > did not mention it in the "feature list". This is mainly because we do
>> > not see any benefit in having this serialisation. We followed the
>> > discussions on it and had our own discussions internally. I do not see the
>> > point to define a distinct serialisation which is very close to an
>> > already existing one. This increases complexity only and that's it. The
>> > marginal amount of data reduction coming with the flattened
>> > serialisation is ridiculous in comparison to the JSON serialisation with
>> > only one signature. I personally like the second approach more, since it
>> > still gives you the flexibility to add further signatures along the way.
>> > Basically, this is the way our architecture supports multiple
>> > signatures. They are added by the signing parties one after the other.
>> > From our perspective, this is the only realistic use case here. Having a
>> > signing process in possession of multiple distinct private keys breaks
>> > with a lot of security principles. At least in my understanding or do I
>> > miss something here!?
>> >
>> > In our architectural approach a JwsDocument is constructed by a JwsMaker
>> > (either from scratch or by parsing an existing one):
>> >
>> > JwsDocument jws = JwsMaker.generate...
>> >
>> > Having such an object, getting a particular serialisation is just a
>> > matter of calling the respective method:
>> >
>> > - Compact: jws.getCompactSerialisation();
>> > - Compact DETACHED: jws.getCompactDetachedSerialisation();
>> > - JSON: jws.getJsonSerialisation();
>> > - JSON PRETTYPRINTED: jws.getJsonSerialisation(true);
>> > - JSON DETACHED: jws.getJsonDetachedSerialisation();
>> > - JSON PRETTYPRINTED & DETACHED: jws.getJsonDetachedSerialisation(true);
>> > - JSON Flattened: jws.getJsonFlattenedSerialisation();
>> > - JSON Flattened PRETTYPRINTED: jws.getJsonFlattenedSerialisation(true);
>> > - JSON Flattened DETACHED: jws.getJsonFlattenedDetachedSerialisation();
>> > - JSON Flattened PRETTYPRINTED & DETACHED:
>> >   jws.getJsonFlattenedDetachedSerialisation(true)
>> >
>> > Hope that helps!?
>> >
>> > Do not hesitate to ask further questions. We are happy to help and
>> > further feedback is welcome!
>> >
>> > BR, Luigi.
>> >
>> >
>> > On 11.03.15 at 17:38, Vladimir Dzhuvinov wrote:
>> >> Thanks for sharing this.
>> >>
>> >> I see that you support JSON and compact serialisation, but what is
>> >> flattened serialisation?
>> >>
>> >> Thanks,
>> >>
>> >> Vladimir
>> >>
>> >> On 5.03.2015 14:04, Prof. Dr.-Ing. Luigi Lo Iacono wrote:
>> >>> Dear all,
>> >>>
>> >>> we developed our own JOSE implementation in Java, mainly because we
>> >>> missed the JSON serialisation in almost all of the available libs. You
>> >>> can grasp it here:
>> >>>
>> >>> http://jw-asterisk.realsoasecurity.de/
>> >>>
>> >>> We are still doing some polishing, that is why the sources are still
>> >>> lacking. Stay tuned, though, updates will follow soon...
>> >>>
>> >>> The documentation and especially the unit tests should help in taking
>> >>> the first steps.
>> >>>
>> >>> Let us know what you think about it...
>> >>>
>> >>> BR, Luigi.
>> >>>
>> >>> _______________________________________________
>> >>> jose mailing list
>> >>> jose@ietf.org
>> >>> https://www.ietf.org/mailman/listinfo/jose
>> >>
>> >> --
>> >> Vladimir Dzhuvinov :: vladimir@connect2id.com

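
The relationship between the compact, flattened and general JWS serializations discussed in this thread, as an added example that is not part of any message and is not the code of the Java library mentioned. The function names and the two HS256 keys are constructed for illustration, and only a protected-header `alg` of HS256 is handled.

```python
import base64
import hashlib
import hmac
import json

# Constructed 256-bit keys for two independent signing parties (illustration only).
KEY_A = bytes(range(32))
KEY_B = bytes(range(32, 64))


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mac_hs256(key: bytes, protected: str, payload: str) -> str:
    # The signing input is the literal ASCII string
    # BASE64URL(protected header) "." BASE64URL(payload) in every serialization.
    signing_input = f"{protected}.{payload}".encode("ascii")
    return b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def make_compact(key: bytes, payload: bytes) -> str:
    protected = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    body = b64url(payload)
    return f"{protected}.{body}.{mac_hs256(key, protected, body)}"


def compact_to_flattened(compact: str) -> dict:
    # Same three values, carried as JSON members instead of dot-separated parts.
    protected, payload, signature = compact.split(".")
    return {"payload": payload, "protected": protected, "signature": signature}


def flattened_to_general(flat: dict) -> dict:
    # Flattened is the one-signature special case of the general JSON syntax.
    entry = {k: flat[k] for k in ("protected", "header", "signature") if k in flat}
    return {"payload": flat["payload"], "signatures": [entry]}


def general_to_flattened(general: dict) -> dict:
    if len(general["signatures"]) != 1:
        raise ValueError("flattened syntax carries exactly one signature")
    return {"payload": general["payload"], **general["signatures"][0]}


def add_signature(general: dict, key: bytes) -> dict:
    # A later party appends its own signature over the unchanged payload.
    protected = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    entry = {"protected": protected,
             "signature": mac_hs256(key, protected, general["payload"])}
    return {"payload": general["payload"],
            "signatures": general["signatures"] + [entry]}


def to_general(jws) -> dict:
    if isinstance(jws, str):
        jws = compact_to_flattened(jws)
    if "signatures" not in jws:
        jws = flattened_to_general(jws)
    return jws


def verify(jws, key: bytes) -> bool:
    """True if at least one HS256 signature in any of the three forms checks out."""
    general = to_general(jws)
    for entry in general["signatures"]:
        try:
            header = json.loads(b64url_decode(entry["protected"]))
        except (KeyError, ValueError):
            continue
        # Pin the algorithm: anything other than HS256 (including "none") is skipped.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            continue
        expected = mac_hs256(key, entry["protected"], general["payload"])
        if hmac.compare_digest(expected, entry.get("signature", "")):
            return True
    return False
```

Which signatures must validate in a multi-signature object is an application policy decision; `verify` here only answers whether the given key produced one of them.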


From nobody Thu Mar 12 22:52:45 2015
Date: Fri, 13 Mar 2015 06:52:20 +0100
From: Anders Rundgren
To: Mike Jones, Jim Schaad, "jose@ietf.org"
Subject: Re: [jose] Key Managed JSON Web Signature (KMJWS) specification

Hi Guys,

Mainly for satisfying my curiosity: Would it be possible to get a minimal rationale/use-case for using encrypted MAC keys compared to traditional asymmetric signature schemes?

Is this scheme already featured in another standard or widely deployed system?

Cheers,
Anders

On 2015-03-12 16:55, Mike Jones wrote:
> I’ll add one other thing, Jim. I’m sorry that you left the Denver meeting feeling like your idea for key management was dismissed. We should have pushed harder then to try to come up with an approach for that that would work for all. I’ll try to personally take this as an object lesson for future standards work.
>
> See you in Dallas!
>
> -- Mike
>
> *From:* jose [mailto:jose-bounces@ietf.org] *On Behalf Of* Mike Jones
> *Sent:* Thursday, March 12, 2015 12:37 AM
> *To:* Jim Schaad; jose@ietf.org
> *Subject:* Re: [jose] Key Managed JSON Web Signature (KMJWS) specification
>
> Hi Jim. Thanks for responding and for your honest feedback. While you may feel insulted (I’m genuinely sorry about that!), I’m going to try to take the negatives you’ve expressed as positives, in the sense that they can constructively inform future work by the working group.
>
> One reason I wrote this draft was to get down a straightforward way of using key managed HMACs, should people want to do that in the future, especially since there’s talk of closing the working group soon. The other reason I wrote it was to further illuminate the upsides and downsides of some of the choices we made in JWS and JWE, given we have a chance to reuse and/or revisit those choices should the COSE work go forward.
>
> Replies to your specific points follow inline…
>
> *From:* Jim Schaad [mailto:ietf@augustcellars.com]
> *Sent:* Wednesday, March 11, 2015 8:57 PM
> *To:* Mike Jones; jose@ietf.org
> *Subject:* RE: [jose] Key Managed JSON Web Signature (KMJWS) specification
>
>> I cannot respond for Richard, but personally I feel rather insulted by the current draft. My first half a dozen responses were rather vulgar and pejorative to this draft and thus deleted.
>>
>> This draft seems to be, more or less, what Richard and I were proposing in Denver and were told was not possible due to backwards compatibility. What has changed that this is no longer true?
>
> For what it’s worth, I’ve occasionally been thinking about key management for MACs ever since you and Richard raised the possibility in Denver. Somewhere along the way I realized that there was a simple way to combine the JWE key management methods and the JWS MAC methods. So I decided to write it down, while there was still a working group to consider it, should the working group decide to do so.
>
> If the reason you’re insulted is that you feel that you should receive more credit for some of the ideas, I’d be glad to point out in the Acknowledgements that you and Richard suggested the possibility of key-managed MACs and/or make you co-editors if you agree with the approach and would like to work more actively on it. If the reason that you’re insulted is that you feel that we should have done this earlier, I think the verdict is still out on whether we need to do this at all. Looking at http://trac.tools.ietf.org/wg/jose/trac/ticket/2, Karen made a consensus call that “we should not add the ability to have a randomly generated MAC key protected by a different key” based on working group input.
>
> I think the key question for the working group relative to this draft is whether people now want to see a standard way to do this or not.
>
> As for the backwards compatibility issues discussed in Denver, I know that several participants were opposed to seeing the JWS format for non-key-managed MACs change. I suspect that’s what you’re referring to. The good news about the current draft is that it adds the ability to have key-managed MACs without such a change.
>
> Should we have thought of this approach then? Probably. Did we? At least I didn’t. I thought of it recently, so I decided to write it down.
>
>> Why is there need to have a compact formation for this draft? We were told in no uncertain terms that this was completely unnecessary in Denver and thus was out of scope for the documents.
>
> I can’t remember the part of the discussion that you’re referring to in Denver and I can’t find it in the published notes. The only uses of “compact” in the notes aren’t about this.
>
> That said, there’s a compact serialization for key managed MACs for the same reason that there’s a compact serialization for the other JOSE objects – to provide a compact, URL-safe representation for use cases that need it. It also makes this draft more parallel to both JWS and JWE than it would otherwise be.
>
>> This document does not seem to have read the security considerations section of the JWS draft specifically dealing with the existence of multiple sharers of the secret key.
>
> I’m not sure I’m following you here, because different recipients use different ephemeral keys in this representation. What’s the security consideration that you think wasn’t taken into account?
>
>> This document has messed up the current documentation in JWE about how to determine what type of document is being presented. This is completely unacceptable.
>
> It’s backwards-compatible in the sense that if an implementation supports JWSs and JWEs but not KMJWSs (I’m still looking for a better name than KMJWS, BTW), the current rules all continue to do the right thing. If an implementation supports all three, yes, a little bit of additional logic would be needed, just like a little bit of additional code would be needed, but no breaking changes result. A KMJWS is neither a legal JWS nor a legal JWE, so even if the existing discrimination rules were applied to a KMJWS and it was mis-categorized as one or the other, upon parsing, it would still be rejected, since it would be missing required properties.
>
>> There are now multiple representations of direct keying for mac. This is a significant problem as one does not know which of the versions one is supposed to be using.
>
> Thanks for pointing this out. We should probably just prohibit the use of “alg”:”dir” in KMJWS so that there’s exactly one way of representing non-key-managed MACs – the existing way.
>
>> (The fact that I am half, if not all the way drunk has made this message much easier to write).
>
> I’m glad you enjoyed your evening. :-)
>
>> Jim
>
> Thanks again,
>
> -- Mike
>
> *From:* jose [mailto:jose-bounces@ietf.org] *On Behalf Of* Mike Jones
> *Sent:* Tuesday, March 03, 2015 2:42 AM
> *To:* jose@ietf.org
> *Subject:* [jose] Key Managed JSON Web Signature (KMJWS) specification
>
> I took a little time today and wrote a short draft specifying a JWS-like object that uses key management for the MAC key used to integrity protect the payload. We had considered doing this in JOSE issue #2 but didn’t do so at the time because of lack of demand. However, I wanted to get this down now to demonstrate that it is easy to do and specify a way to do it, should demand develop in the future – possibly after the JOSE working group has been closed. See http://tools.ietf.org/html/draft-jones-jose-key-managed-json-web-signature-00 or http://self-issued.info/docs/draft-jones-jose-key-managed-json-web-signature-00.html.
>
> This spec reuses key management functionality already present in the JWE spec and MAC functionality already present in the JWS spec. The result is essentially a JWS with an Encrypted Key value added, and a new “mac” Header Parameter value representing the MAC algorithm used. (Like JWE, the key management algorithm is carried in the “alg” Header Parameter value.)
>
> I also wrote this now as possible input into our thinking on options for creating a CBOR JOSE mapping. If there are CBOR use cases needing managed MAC keys, this could help us reason about ways to structure the solution.
>
> Yes, the spec name and abbreviation are far from catchy. Better naming ideas would be great.
>
> Feedback welcomed.
>
> -- Mike
>
> P.S. This note was also posted at http://self-issued.info/?p=1344 and as @selfissued.

Date: Fri, 13 Mar 2015 09:10:38 +0100
From: "Prof. Dr.-Ing.
 Luigi Lo Iacono"
To: Justin Richer, John Bradley, Brian Campbell
Cc: "jose@ietf.org"
Subject: Re: [jose] Java-based JOSE implementation

Seems that there is some uncertainty about this "special" serialisation. I would actually vote for replacing the flattened JSON serialisation with one that provides a real benefit. Taken up on a discussion I read earlier on the list, wouldn't it be more sensible to have a "readable" JSON serialisation (i.e., leaving the signed payload "human readable")!? This would of course require some form of normalisation/canonicalisation as used e.g. in XML Security. Still, this would be something valuable to have and a real distinguishing point in comparison to the other serialisations.

If people think that this is worth a discussion, then maybe we should kick-off an explicit thread on it.

Another point I would like to raise is to have an additional mandatory header entry specifying the JWS/JWE version used. As the standards will evolve over time, it would be good to know with what version of the JWS/JWE standards a given object has been protected.

BR, Luigi.

On 12.03.15 at 18:20, Justin Richer wrote:
> My bad, I totally missed that.
>
> -- Justin
>
> On 3/12/2015 11:38 AM, John Bradley wrote:
>> Yes flattened is a special case of the JSON serialization that has only one signature.
>>
>> I don't know that there is a huge benefit to it over the regular JSON serialization that supports multiple signatures.
>>
>> Some people really wanted it at the time.
>>
>> Supporting the general JSON serialization would be a higher priority for me. In most cases I have seen, as Justin points out people wanting a single signature go with compact.
>>
>> John B.
>>
>>> On Mar 12, 2015, at 11:49 AM, Brian Campbell wrote:
>>>
>>> flattened is not the same as compact FWIW
>>>
>>> compact -> https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-7.1
>>>
>>> flattened -> https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-7.2.2
>>>
>>> On Thu, Mar 12, 2015 at 8:08 AM, Justin Richer wrote:
>>>
>>> Just to add some perspective, if by “flattened” serialization, you mean the compact serializations of JWS (header.payload.signature) and JWE (header.stuff.stuff.stuff.stuff I forgot the order), then there are huge advantages to these, and they’re the only ones that I personally use.
>>>
>>> The simplicity gained in processing the compact forms, both in terms of generating and consuming. With the compact forms, you get something that can be dropped on the wire into an HTTP header, form parameter, query parameter, a string in just about any language, all without any quoting or further processing. Plus, to get back to the crypto calculations, you use the literal strings sent across the wire, which is a really nice feature.
>>>
>>> I’ve personally yet to have a use case that required the multiple signatures or other features of the JSON serialized flavor, nor have I seen much uptake of it in the wild compared to the compact forms.
>>>
>>> — Justin
>>>
>>> > On Mar 12, 2015, at 9:18 AM, Prof. Dr.-Ing. Luigi Lo Iacono wrote:
>>> >
>>> > Dear Vladimir,
>>> >
>>> > yes, we do support the flattened serialisation, but you are right, we did not mention it in the "feature list". This is mainly because we do not see any benefit in having this serialisation. We followed the discussions on it and had own discussions internally. I do not see the point to define a distinct serialisation which is very close to an already existing one. This increases complexity only and that's it. The marginal amount of data reduction coming with the flattened serialisation is ridiculous in comparison to the JSON serialisation with only one signature. I personally like the second approach more, since it still gives you the flexibility to add further signatures along the way. Basically, this is the way our architecture supports multiple signatures. They are added by the signing parties one after the other. From our perspective, this is the only realistic use case here. Having a signing process in possession of multiple distinct private keys breaks with a lot of security principles. At least in my understanding or do I miss something here!?
>>> >
>>> > In our architectural approach a JwsDocument is constructed by a JwsMaker (either from scratch or by parsing an existing one):
>>> >
>>> > JwsDocument jws = JwsMaker.generate...
>>> >
>>> > Having such an object, getting a particular serialisation is just a matter of calling the respective method:
>>> >
>>> > - Compact: jws.getCompactSerialisation();
>>> > - Compact DETACHED: jws.getCompactDetachedSerialisation();
>>> > - JSON: jws.getJsonSerialisation();
>>> > - JSON PRETTYPRINTED: jws.getJsonSerialisation(true);
>>> > - JSON DETACHED: jws.getJsonDetachedSerialisation();
>>> > - JSON PRETTYPRINTED & DETACHED: jws.getJsonDetachedSerialisation(true);
>>> > - JSON Flattened: jws.getJsonFlattenedSerialisation();
>>> > - JSON Flattened PRETTYPRINTED: jws.getJsonFlattenedSerialisation(true);
>>> > - JSON Flattened DETACHED: jws.getJsonFlattenedDetachedSerialisation();
>>> > - JSON Flattened PRETTYPRINTED & DETACHED: jws.getJsonFlattenedDetachedSerialisation(true)
>>> >
>>> > Hope that helps!?
>>> >
>>> > Do not hesitate to ask further questions. We are happy to help and further feedback is welcome!
>>> >
>>> > BR, Luigi.
>>> >
>>> > On 11.03.15 at 17:38, Vladimir Dzhuvinov wrote:
>>> >> Thanks for sharing this.
>>> >>
>>> >> I see that you support JSON and compact serialisation, but what is flattened serialisation?
>>> >>
>>> >> Thanks,
>>> >>
>>> >> Vladimir
>>> >>
>>> >> On 5.03.2015 14:04, Prof. Dr.-Ing. Luigi Lo Iacono wrote:
>>> >>> Dear all,
>>> >>>
>>> >>> we developed an own JOSE implementation in Java, mainly because we missed the JSON serialisation in almost all of the available libs. You can grasp it here:
>>> >>>
>>> >>> http://jw-asterisk.realsoasecurity.de/
>>> >>>
>>> >>> We are still doing some polishing, that is why the sources are still lacking. Stay tuned, though, updates will follow soon...
>>> >>>
>>> >>> The documentation and especially the unit tests should help in taking the first steps.
>>> >>>
>>> >>> Let us know what you think about it...
>>> >>>
>>> >>> BR, Luigi.
>>> >>
>>> >> --
>>> >> Vladimir Dzhuvinov :: vladimir@connect2id.com
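The three JWS serialisations debated in this thread (compact, flattened JSON, general JSON), as an added example that is not code from any participant or from the Java library announced above. It uses HS256 so that it runs on the Python standard library alone; the keys, `kid` values and payload are constructed, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo keys and payload (assumptions, not values from the thread).
KEYS = {"alice": b"constructed-demo-key-alice", "bob": b"constructed-demo-key-bob"}
PAYLOAD = b'{"msg":"hello jose"}'


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding JWS uses for every part."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, protected: str, payload: str) -> str:
    # The signing input is the literal base64url strings joined by ".",
    # so it is byte-for-byte identical in all three serialisations.
    signing_input = f"{protected}.{payload}".encode("ascii")
    return b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def new_general(payload: bytes) -> dict:
    """Start a general JSON serialisation with no signatures yet."""
    return {"payload": b64url(payload), "signatures": []}


def add_signature(jws: dict, kid: str, key: bytes) -> dict:
    """Each signing party appends its own entry; earlier entries are untouched."""
    header = json.dumps({"alg": "HS256", "kid": kid}, separators=(",", ":"))
    protected = b64url(header.encode("utf-8"))
    jws["signatures"].append(
        {"protected": protected, "signature": _mac(key, protected, jws["payload"])})
    return jws


def to_flattened(jws: dict) -> dict:
    """Flattened JSON: the single signature entry is lifted to the top level."""
    if len(jws["signatures"]) != 1:
        raise ValueError("flattened form carries exactly one signature")
    return {"payload": jws["payload"], **jws["signatures"][0]}


def to_compact(jws: dict) -> str:
    """Compact: one signature, no unprotected header, three dot-separated parts."""
    flat = to_flattened(jws)
    if "header" in flat:
        raise ValueError("compact form cannot carry an unprotected header")
    return ".".join((flat["protected"], flat["payload"], flat["signature"]))


def parse(serialized) -> dict:
    """Normalise a compact string, flattened dict or general dict to general form."""
    if isinstance(serialized, str):
        parts = serialized.split(".")
        if len(parts) != 3:
            raise ValueError("compact JWS needs exactly three parts")
        protected, payload, signature = parts
        return {"payload": payload,
                "signatures": [{"protected": protected, "signature": signature}]}
    if "signatures" in serialized:
        if "signature" in serialized or "protected" in serialized:
            raise ValueError("general and flattened members must not be mixed")
        return serialized
    entry = {k: serialized[k] for k in ("protected", "header", "signature")
             if k in serialized}
    return {"payload": serialized["payload"], "signatures": [entry]}


def verify(serialized, keys: dict) -> list:
    """Return the kids whose MAC verifies; anything malformed or unknown is skipped."""
    jws = parse(serialized)
    verified = []
    for entry in jws["signatures"]:
        try:
            header = json.loads(b64url_decode(entry["protected"]))
            key = keys[header["kid"]]
            if header["alg"] != "HS256":  # pin the algorithm, never trust the header
                continue
            expected = _mac(key, entry["protected"], jws["payload"])
            if hmac.compare_digest(expected.encode(), entry["signature"].encode()):
                verified.append(header["kid"])
        except (KeyError, ValueError, TypeError, AttributeError):
            continue
    return verified


if __name__ == "__main__":
    one = add_signature(new_general(PAYLOAD), "alice", KEYS["alice"])
    print(to_compact(one))
    print(json.dumps(to_flattened(one)))
    print(json.dumps(add_signature(one, "bob", KEYS["bob"]), indent=2))
```

The signature value is the same string in all three forms; only the general form can take a second signer's entry without rewriting the first.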
Date: Fri, 13 Mar 2015 10:01:44 +0100
From: Anders Rundgren
To: luigi.lo_iacono@fh-koeln.de, Justin Richer, John Bradley, Brian Campbell
Cc: "jose@ietf.org"
Subject: Re: [jose] Java-based JOSE implementation

On 2015-03-13 09:10, Prof. Dr.-Ing. Luigi Lo Iacono wrote:
> Seems that there is some uncertainty about this "special" serialisation.
> I would actually vote for replacing the flattened JSON serialisation with
> one that provides a real benefit. Taken up on a discussion I read
> earlier on the list, wouldn't it be more sensible to have a "readable"
> JSON serialisation (i.e., leaving the signed payload "human readable")!?
> This would of course require some form of normalisation/canonicalisation
> as used e.g. in XML Security. Still, this would be something valuable to
> have and a real distinguishing point in comparison to the other
> serialisations.
>
> If people think that this is worth a discussion, then maybe we should
> kick-off an explicit thread on it.

Human-readable JSON signatures are a reality although not as an IETF standard.

Since nobody is interested in bringing in the complexity of XML DSig normalization, there seem to be some possible routes ahead.

Phillip Hallam-Baker has proposed a scheme based on separating the payload and the signature where the payload is used "verbatim" reducing normalization and canonicalization to exactly ZERO:
http://www.ietf.org/mail-archive/web/acme/current/msg00224.html

I have FWIW designed and also implemented a scheme which is based on JSON's intrinsic normalization (white-space removal + character escapes) but adds the constraint that a verifier honors the property order of the serialized object:
https://openkeystore.googlecode.com/svn/resources/trunk/docs/jcs.html

Since a JSON parser-core typically is less than 500 lines of fairly simple code I don't see that upgrading existing parsers with an ordered dictionary would be a show-stopper. It surely didn't stop me at least :-)

Runnable Java+JavaScript implementation: https://mobilepki.org/jcs

Partial Python implementation:
https://code.google.com/p/openkeystore/source/browse/python/trunk/src/org/webpki/json/JCSValidator.py

Minimal .NET implementation:
https://code.google.com/p/openkeystore/source/browse/resources/trunk/docs/JCSDemo.cs

Cheers,
Anders
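A sketch of the two routes named in the message above, added here and not taken from either proposal or from the linked implementations: a MAC over the payload text used verbatim, and a MAC over the text re-serialised with white space removed, escapes resolved and property order kept. Python's `json` module stands in for the normalisation step; the key, the sample documents and all function names are constructed for this example.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed for this example

# Constructed sample documents: same data, different text.
ORIGINAL = '{"now":"2015-03-13","amount":100,"to":"Anders"}'
PRETTY = '{\n  "now": "2015-03-13",\n  "amount": 100,\n  "to": "\\u0041nders"\n}'
REORDERED = '{"amount":100,"now":"2015-03-13","to":"Anders"}'
DUPLICATE = '{"to":"Anders","amount":100,"to":"someone else"}'


def _tag(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).hexdigest().encode("ascii")


# Route 1: the payload bytes are protected exactly as transmitted.
def sign_verbatim(text: str) -> bytes:
    return _tag(text.encode("utf-8"))


def verify_verbatim(text: str, tag: bytes) -> bool:
    return hmac.compare_digest(_tag(text.encode("utf-8")), tag)


# Route 2: parse, keep the property order of the text, re-serialise compactly.
def _reject_duplicates(pairs):
    names = [name for name, _ in pairs]
    if len(names) != len(set(names)):
        # Parsers disagree on which duplicate wins, so refuse to sign or verify.
        raise ValueError("duplicate property name")
    return dict(pairs)  # a dict keeps insertion order, i.e. the order in the text


def normalise(text: str) -> bytes:
    obj = json.loads(text, object_pairs_hook=_reject_duplicates)
    # No white space, escapes such as \u0041 resolved, properties in textual order.
    # Caveat: numbers are re-emitted in Python's own form (1.0e2 becomes 100.0),
    # so a real scheme has to pin the number and escape formats down as well.
    return json.dumps(obj, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def sign_normalised(text: str) -> bytes:
    return _tag(normalise(text))


def verify_normalised(text: str, tag: bytes) -> bool:
    return hmac.compare_digest(_tag(normalise(text)), tag)


if __name__ == "__main__":
    t1, t2 = sign_verbatim(ORIGINAL), sign_normalised(ORIGINAL)
    for name, doc in (("original", ORIGINAL), ("pretty", PRETTY),
                      ("reordered", REORDERED)):
        print(name, verify_verbatim(doc, t1), verify_normalised(doc, t2))
```

The verbatim route needs no canonicalisation but breaks on any re-formatting in transit; the order-preserving route survives pretty-printing and escape changes, and fails once an intermediary reorders properties.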
Date: Fri, 13 Mar 2015 22:09:25 +0200
From: Vladimir Dzhuvinov
Organization: Connect2id Ltd.
To: jose@ietf.org
Subject: Re: [jose] Java-based JOSE implementation

> Phillip Hallam-Baker has proposed a scheme based on separating the
> payload and
> the signature where the payload is used "verbatim" reducing
> normalization and
> canonicalization to exactly ZERO:
> http://www.ietf.org/mail-archive/web/acme/current/msg00224.html

Sounds appealing :)

--
Vladimir Dzhuvinov :: vladimir@connect2id.com

Date: Fri, 13 Mar 2015 21:38:05 +0100
From: "Prof. Dr.-Ing.
 Luigi Lo Iacono"
To: Anders Rundgren, Justin Richer, John Bradley, Brian Campbell
Cc: "jose@ietf.org"
Subject: Re: [jose] Java-based JOSE implementation

Thanks a lot for the pointer, Anders. Will check them soon!

Cheers, Luigi.

On 13.03.15 at 10:01, Anders Rundgren wrote:
> On 2015-03-13 09:10, Prof. Dr.-Ing. Luigi Lo Iacono wrote:
>> Seems that there is some uncertainty about this "special" serialisation.
>> I would actually vote for replacing the flattened JSON serialisation with
>> one that provides a real benefit. Taken up on a discussion I read
>> earlier on the list, wouldn't it be more sensible to have a "readable"
>> JSON serialisation (i.e., leaving the signed payload "human readable")!?
>> This would of course require some form of normalisation/canonicalisation
>> as used e.g. in XML Security. Still, this would be something valuable to
>> have and a real distinguishing point in comparison to the other
>> serialisations.
>>
>> If people think that this is worth a discussion, then maybe we should
>> kick-off an explicit thread on it.
>
> Human-readable JSON signatures are a reality although not as an IETF
> standard.
>
> Since nobody is interested in bringing in the complexity of XML DSig
> normalization,
> there seem to be some possible routes ahead.
>
> Phillip Hallam-Baker has proposed a scheme based on separating the
> payload and
> the signature where the payload is used "verbatim" reducing
> normalization and
> canonicalization to exactly ZERO:
> http://www.ietf.org/mail-archive/web/acme/current/msg00224.html
>
> I have FWIW designed and also implemented a scheme which is based on JSON's
> intrinsic normalization (white-space removal + character escapes) but
> adds the
> constraint that a verifier honors the property order of the serialized
> object:
> https://openkeystore.googlecode.com/svn/resources/trunk/docs/jcs.html
> Since a JSON parser-core typically is less than 500 lines of fairly
> simple code
> I don't see that upgrading existing parsers with an ordered dictionary
> would be
> a show-stopper. It surely didn't stop me at least :-)
> Runnable Java+JavaScript implementation: https://mobilepki.org/jcs
> Partial Python implementation:
> https://code.google.com/p/openkeystore/source/browse/python/trunk/src/org/webpki/json/JCSValidator.py
>
> Minimal .NET implementation:
> https://code.google.com/p/openkeystore/source/browse/resources/trunk/docs/JCSDemo.cs
>
> Cheers,
> Anders
SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZkLtuPm0ujMb for ; Wed, 18 Mar 2015 01:57:17 -0700 (PDT) Received: from lvs-smtpgate4.nz.fh-koeln.de (lvs-smtpgate4.nz.FH-Koeln.DE [139.6.1.50]) by ietfa.amsl.com (Postfix) with ESMTP id EF5331A011D for ; Wed, 18 Mar 2015 01:57:15 -0700 (PDT) X-IronPort-AV: E=Sophos;i="5.11,421,1422918000"; d="asc'?scan'208";a="19142685" Received: from nat079004.nat.fh-koeln.de (HELO mac-01.local) ([139.6.79.4]) by smtp.intranet.fh-koeln.de with ESMTP/TLS/DHE-RSA-AES128-SHA; 18 Mar 2015 09:57:15 +0100 Message-ID: <55093F90.406@fh-koeln.de> Date: Wed, 18 Mar 2015 10:04:16 +0100 From: "Prof. Dr.-Ing. Luigi Lo Iacono" User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: Anders Rundgren , Justin Richer , John Bradley , Brian Campbell References: <54F8466B.8060007@fh-koeln.de> <55006F95.5090807@connect2id.com> <55019208.2030806@fh-koeln.de> <6CBC4A66-2B2D-42A7-B028-AFE962E44101@mit.edu> <94F8AC9B-4B93-4B0E-BEEA-94CF6E42D79E@ve7jtb.com> <5501CAC2.9000401@mit.edu> <55029B7E.1070903@fh-koeln.de> <5502A778.8090709@gmail.com> In-Reply-To: <5502A778.8090709@gmail.com> Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="VsGumkueipmxMqen084woR1FLKOM66p2l" Archived-At: Cc: "jose@ietf.org" Subject: Re: [jose] Java-based JOSE implementation X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: luigi.lo_iacono@fh-koeln.de List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Mar 2015 08:57:19 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --VsGumkueipmxMqen084woR1FLKOM66p2l Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable 
Anders,

thanks again for the pointers. Interesting reading. I like your approach a lot.

While crawling through the web I stumbled upon this fall asleep draft:

https://tools.ietf.org/html/draft-staykov-hu-json-canonical-form-00

Have you been aware of this one!?

Anyway, I still think that JOSE requires a readable JSON serialisation. I am not really familiar with the IETF procedures and seeing that no one else reacted on the suggestion so far, I guess that raising such thoughts in the mailing list is not enough. What needs to be done in order to have a discussion on replacing the flattened JSON serialisation by a readable JSON serialisation?

Thanks and BR, Luigi.

--VsGumkueipmxMqen084woR1FLKOM66p2l Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc"
--VsGumkueipmxMqen084woR1FLKOM66p2l--

From nobody Wed Mar 18 12:14:16 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75AFC1A887E for ; Wed, 18 Mar 2015 12:14:14 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pqZ6DOdyvtlc for ; Wed, 18 Mar 2015 12:14:12 -0700 (PDT) Received: from mail-wi0-x22e.google.com (mail-wi0-x22e.google.com [IPv6:2a00:1450:400c:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3ABC71A887D for ; Wed, 18 Mar 2015 12:14:12 -0700 (PDT) Received: by wixw10 with SMTP id w10so48594506wix.0 for ; Wed, 18 Mar 2015 12:14:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=sR+rQwOSzrq5HmOsMbuAY/U8jRj1Ysq6tLZq6u+Z/SI=; b=B8DHmDJzCu+rgB1QCR5nbcffIpfXzYnMjMckEgqdjBwwxCf0Tq5ZNrDz4g6Rzs5jfk uCCASxs53XN+Bumqg73vNg3ssbI+Cl2sLW9wCw7y1iK4ytB1F8/xjZyLpyD2x5t8KHE1 QHTHG8s0+awt78SxRUVrRl7ZOmP0mor72O8uuBlnp76kUCDpOIIpX/czH/XITGggsoYz LYreBbqixZ06AuAMqzuXevcYmFxOHJICyj/W1pvMXJ4RpCt2SOHdE4pA5BBtkfL24WLi
eTiCKf1+fFbI1BzvmUM1Dui+Hk9K/D09vvBlMc4wJvKXCU1r3+uaPOocGo49+tBpgh6P Q5bw== X-Received: by 10.180.89.34 with SMTP id bl2mr9698507wib.23.1426706050998; Wed, 18 Mar 2015 12:14:10 -0700 (PDT) Received: from [192.168.1.79] (4.197.130.77.rev.sfr.net. [77.130.197.4]) by mx.google.com with ESMTPSA id j7sm4427006wix.4.2015.03.18.12.14.09 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 18 Mar 2015 12:14:10 -0700 (PDT) Message-ID: <5509CE69.5080204@gmail.com> Date: Wed, 18 Mar 2015 20:13:45 +0100 From: Anders Rundgren User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: luigi.lo_iacono@fh-koeln.de, Justin Richer , John Bradley , Brian Campbell References: <54F8466B.8060007@fh-koeln.de> <55006F95.5090807@connect2id.com> <55019208.2030806@fh-koeln.de> <6CBC4A66-2B2D-42A7-B028-AFE962E44101@mit.edu> <94F8AC9B-4B93-4B0E-BEEA-94CF6E42D79E@ve7jtb.com> <5501CAC2.9000401@mit.edu> <55029B7E.1070903@fh-koeln.de> <5502A778.8090709@gmail.com> <55093F90.406@fh-koeln.de> In-Reply-To: <55093F90.406@fh-koeln.de> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit Archived-At: Cc: "jose@ietf.org" Subject: Re: [jose] Java-based JOSE implementation X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Mar 2015 19:14:14 -0000

On 2015-03-18 10:04, Prof. Dr.-Ing. Luigi Lo Iacono wrote:
> Anders,

Hi Luigi,

> thanks again for the pointers. Interesting reading. I like your approach
> a lot.

Thanx!

> While crawling through the web I stumbled upon this fall asleep draft:
>
> https://tools.ietf.org/html/draft-staykov-hu-json-canonical-form-00
>
> Have you been aware of this one!?

Yes, I think so. As you can see "there are many roads to Rome" :-)

One school says: "You must canonicalize data in a similar way as for XML", while another school claims that "Canonicalization is lunacy!".

Full canonicalization like in the I-D above forces you to use a stand-alone canonicalizer which is like building a parallel single-purpose JSON parser.

Using text "as is" makes canonicalization a zero issue but I felt that it would be cooler using a standard (or moderately updated) JSON parser for creating and validating signatures. This design also enables security properties like keys to be handled exactly as any other properties.

When I found (on stackoverflow) that many developers also feel that parsers that read properties A, B, C but output them as A, C, B are inferior, the decision to maintain strict property input/creation order became obvious.

I'm currently not considering an IETF process, it seems like a better idea establishing this scheme through open source and actual usage :-)

JCS was designed for supporting complex signature systems like:
https://openkeystore.googlecode.com/svn/wcpp-payment-demo/trunk/docs/messages.html#UserSignedAuthorization

Regards,
Anders

From nobody Wed Mar 18 12:52:39 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8464C1A8891 for ; Wed, 18 Mar 2015 12:52:37 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S8jalSWzzDz6 for ; Wed, 18 Mar 2015 12:52:35 -0700 (PDT) Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42D091A8884 for ; Wed, 18 Mar 2015 12:52:35 -0700 (PDT) Received: from Philemon (75-150-47-141-Oregon.hfc.comcastbusiness.net [75.150.47.141]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id 641B52C9BB; Wed, 18 Mar 2015 12:52:34 -0700 (PDT) From: "Jim Schaad" To: "'Anders Rundgren'" , References: <54F8466B.8060007@fh-koeln.de> <55006F95.5090807@connect2id.com> <55019208.2030806@fh-koeln.de> <6CBC4A66-2B2D-42A7-B028-AFE962E44101@mit.edu> <94F8AC9B-4B93-4B0E-BEEA-94CF6E42D79E@ve7jtb.com> <5501CAC2.9000401@mit.edu> <55029B7E.1070903@fh-koeln.de> <5502A778.8090709@gmail.com>
<55093F90.406@fh-koeln.de> <5509CE69.5080204@gmail.com> In-Reply-To: <5509CE69.5080204@gmail.com> Date: Wed, 18 Mar 2015 12:51:32 -0700 Message-ID: <05d101d061b4$ef63b140$ce2b13c0$@augustcellars.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 14.0 Thread-Index: AQI8ZXUu+YdcphCBR36uGFS1We8LRgIevucCA0QNsN4Cyc5/cgF6V6AFAvYIXqUBZTFrVAIVuVyMAgfVsm4AogZgEwHJvb32m6ZCPCA= Content-Language: en-us Archived-At: Cc: jose@ietf.org Subject: Re: [jose] Java-based JOSE implementation X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Mar 2015 19:52:37 -0000

What do you consider to be clear text signatures?

Would you consider carrying a payload that is a JSON string which is not base64-ed to be plain text?

I.e.
{"signature":"abc...def", "payload":"{'tag1':'value1','tag2':'value2'}", "headers":"...."}

The item to be signed is not at the top level, but it is readable by humans.

Jim

From nobody Wed Mar 18 14:56:25 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9E0E1A90E6 for ; Wed, 18 Mar 2015 14:56:23 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b3hfWEXjNWv4 for ; Wed, 18 Mar 2015 14:56:21 -0700 (PDT) Received: from mail-wg0-x229.google.com (mail-wg0-x229.google.com [IPv6:2a00:1450:400c:c00::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 212CA1A90EE for ; Wed, 18 Mar 2015 14:56:21 -0700 (PDT) Received: by wggv3 with SMTP id v3so46736432wgg.1 for ; Wed, 18 Mar 2015 14:56:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=SevnG9wNW5YKoUVcWOvC8b/A1z65dIVAWY/GOxIGjjU=;
b=v11RWyoXJQP1UvgUcmza105R/8szmNWDWZ6JZhrhRPoZCwgBI+qD1nj4+1yA2YpNfc NWUzgPV9J6ZjIpb62d9QUVdkMADxRlKcnqTwE7oL1AUXX0Jd4SzFTyFfzm8H4PMvxiAu YbePLq4q4OTzpChj9b5j6WezV/CMI8+7aWJUy4NiDnm7Ec/+9MEygwea5u3ZyVeGvppr thxyul9lm0Ms/X6Y3BOXCccn7dosn+OL+KnFVfgOBd0jyDH/w15Iy5kwYfi0Ai0wLjPX 1sNIgbG7Xi/A/p7a/BbaGojfgZFqHX8rTLMJ6BC+tCuzJfOoUZ71UsmGvgPnFaNXLyVV EzEQ== X-Received: by 10.180.74.135 with SMTP id t7mr10758482wiv.72.1426715779874; Wed, 18 Mar 2015 14:56:19 -0700 (PDT) Received: from [192.168.1.79] (4.197.130.77.rev.sfr.net. [77.130.197.4]) by mx.google.com with ESMTPSA id hl15sm4896180wib.3.2015.03.18.14.56.18 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 18 Mar 2015 14:56:18 -0700 (PDT) Message-ID: <5509F46A.5090604@gmail.com> Date: Wed, 18 Mar 2015 22:55:54 +0100 From: Anders Rundgren User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: Jim Schaad , luigi.lo_iacono@fh-koeln.de References: <54F8466B.8060007@fh-koeln.de> <55006F95.5090807@connect2id.com> <55019208.2030806@fh-koeln.de> <6CBC4A66-2B2D-42A7-B028-AFE962E44101@mit.edu> <94F8AC9B-4B93-4B0E-BEEA-94CF6E42D79E@ve7jtb.com> <5501CAC2.9000401@mit.edu> <55029B7E.1070903@fh-koeln.de> <5502A778.8090709@gmail.com> <55093F90.406@fh-koeln.de> <5509CE69.5080204@gmail.com> <05d101d061b4$ef63b140$ce2b13c0$@augustcellars.com> In-Reply-To: <05d101d061b4$ef63b140$ce2b13c0$@augustcellars.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit Archived-At: Cc: jose@ietf.org Subject: Re: [jose] Java-based JOSE implementation X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Mar 2015 21:56:23 -0000

On 2015-03-18 20:51, Jim Schaad wrote:
> What do you consider to be clear text signatures?
>
> Would you consider carrying a payload that is a JSON string which is not
> base64-ed to be plain text?
>
> I.e.
> {"signature":"abc...def", "payload":"{'tag1':'value1','tag2':'value2'}",
> "headers":"...."}
>
> The item to be signed is not at the top level, but it is readable by humans.

That would of course qualify as a clear text signature.

JCS was inspired by enveloped XML signatures which I found "pretty" since they just introduce an extra element in an existing XML object (i.e. context is unchanged), although JCS is much, much more primitive.

Anders

From nobody Wed Mar 18 22:41:06 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A34B1A8934 for ; Wed, 18 Mar 2015 22:41:04 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S8y77dlx3wHa for ; Wed, 18 Mar 2015 22:41:02 -0700 (PDT) Received: from mail-wg0-x22c.google.com (mail-wg0-x22c.google.com [IPv6:2a00:1450:400c:c00::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91B011A891D for ; Wed, 18 Mar 2015 22:41:02 -0700 (PDT) Received: by wgbcc7 with SMTP id cc7so52853152wgb.0 for ; Wed, 18 Mar 2015 22:41:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type; bh=bxews5fn+BmDAr7tLmirlj6ALfMWVYPWOhcJR7z0M9s=;
b=Q1Jwh4mYbfe+N5so5VKiARHUbUBMbhvXpbeGKzMc4bdUgjgl4Ke8rZrF1OF6MKPkY7 U4o/Mvx6U2NKamsovqZaaYxnLOyfVpOsOiexEo/yxPB2uusupRrRqQqgzAFBjf8tORRS JrADuDZCNC7P372Q06cu8iPbKuEQH9HJgW+3wSF06kjB83ROFJGmofr59rqoig2qWUqs X4nh8jinvxM196rQtBv7J2xiPPn8aIwzsjhitasaXhbkRbA9SygbPgAKOZllQXMsB6wz vacf6DbtLeqWK8+3T8EfkQL+M2B4Tb1oVgSWtasAQdzc7TCUENAVl/BmPRso41fP3/EC Xitw== X-Received: by 10.194.86.194 with SMTP id r2mr151985414wjz.41.1426743661383; Wed, 18 Mar 2015 22:41:01 -0700 (PDT) Received: from [192.168.1.79] (4.197.130.77.rev.sfr.net. [77.130.197.4]) by mx.google.com with ESMTPSA id ps4sm415271wjc.31.2015.03.18.22.41.00 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 18 Mar 2015 22:41:00 -0700 (PDT) Message-ID: <550A6154.9040907@gmail.com> Date: Thu, 19 Mar 2015 06:40:36 +0100 From: Anders Rundgren User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: "jose@ietf.org" References: <550909EF.4040505@gmail.com> In-Reply-To: <550909EF.4040505@gmail.com> Content-Type: multipart/alternative; boundary="------------030007020407030103010101" Archived-At: Subject: [jose] Charter Proposal: "Trusted Code" for the Web X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Mar 2015 05:41:04 -0000 This is a multi-part message in MIME format. --------------030007020407030103010101 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Trusted Code for the Web Existing security-related applications like authentication, payments, etc. are all based on that a core-part is executed by statically installed software that is supposed to be TRUSTED. Since web-based applications are transiently downloaded, unsigned and come from any number of more or less unknown sources, such applications are by definition UNTRUSTED. 
To compensate for this, web-based security applications currently rely on a hodge-podge of non-standard methods [1] where trusted code resides (and executes) somewhere outside of the actual web application. However, because each browser-vendor have their own idea on what is secure and useful [2], interoperability has proven to be a major hassle. In addition, the ongoing quest for locking down browsers (in order to make them more secure), tends to break applications after browser updates. Although security applications are interesting, they haven't proved to be a driver. Fortunately it has turned out that the desired capability ("Trusted Code"), is also used by massively popular music streaming services, cloud-based storage systems, on-line gaming sites and open source collaboration networks. The goal for the proposed effort would be to define a vendor- and device-neutral solution for dealing with trusted code on the Web. *References** * 1] An non-exhaustive list include: - Custom protocol handlers. Primarily used on Android and iOS. GitHub also uses it on Windows - Local web services on 127.0.0.1. Used by lots of services, from Spotify to digital signatures - Browser plugins like NPAPI/ActiveX. Used (for example) by millions of people in Korea for PKI support but is now being deprecated - Chrome native messaging. Fairly recent solution which enables Native <=> Web communication 2] https://code.google.com/p/chromium/issues/detail?id=378566 --------------030007020407030103010101 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit Trusted Code for the Web

From nobody Thu Mar 19 09:32:26 2015
From: Anders Rundgren
To: Jim Schaad, luigi.lo_iacono@fh-koeln.de
Cc: jose@ietf.org
Date: Thu, 19 Mar 2015 17:31:53 +0100
Message-ID: <550AF9F9.2070507@gmail.com>
In-Reply-To: <05d101d061b4$ef63b140$ce2b13c0$@augustcellars.com>
Subject: Re: [jose] Java-based JOSE implementation

On 2015-03-18 20:51, Jim Schaad wrote:
Slight rehash of the clear text signature topic....
> What do you consider to be clear text signatures?
>
> Would you consider carrying a payload that is a JSON string which is not
> base64-ed to be plain text?
>
> I.e.
> {"signature":"abc...def", "payload":"{'tag1':'value1','tag2':'value2'}",
> "headers":"...."}
>
> The item to be signed is not at the top level, but it is readable by humans.

Yes, this is indeed a human readable signature.

Below are three examples which show the primary motive why JCS embeds signatures in JSON
objects rather than as in your example/proposal embedding JSON objects in signature objects.

Unsigned JSON Object

{
  "@context": "https://json.example.com/protocol"
  "@qualifier": "Init",
  "property-1": ...
  "property-2": ...
     ...
  "property-n": ...
}

Optionally signed JSON Object

{
  "@context": "https://json.example.com/protocol"
  "@qualifier": "Request",
  "property-1": ...
  "property-2": ...
     ...
  "property-n": ...
  "signature":
    {
      ...
    }
}

Signed JSON Object

{
  "@context": "https://json.example.com/protocol"
  "@qualifier": "Response",
  "property-1": ...
  "property-2": ...
     ...
  "property-n": ...
  "signature":
    {
      ...
    }
}

That is, JCS maintains the message structure which makes message validation and documentation nicer.

https://openkeystore.googlecode.com/svn/resources/trunk/docs/keygen2.html#KeyCreationRequest

Anders

> Jim
>
>
>> -----Original Message-----
>> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Anders Rundgren
>> Sent: Wednesday, March 18, 2015 12:14 PM
>> To: luigi.lo_iacono@fh-koeln.de; Justin Richer; John Bradley; Brian Campbell
>> Cc: jose@ietf.org
>> Subject: Re: [jose] Java-based JOSE implementation
>>
>> On 2015-03-18 10:04, Prof. Dr.-Ing. Luigi Lo Iacono wrote:
>>> Anders,
>> Hi Luigi,
>>
>>> thanks again for the pointers. Interesting reading. I like your
>>> approach a lot.
>> Thanx!
>>
>>> While crawling through the web I stumbled upon this fall asleep draft:
>>>
>>> https://tools.ietf.org/html/draft-staykov-hu-json-canonical-form-00
>>>
>>> Have you been aware of this one!?
>> Yes, I think so. As you can see "there are many roads to Rome" :-)
>>
>> One school says: "You must canonicalize data in a similar way as for XML",
>> while another school claims that "Canonicalization is lunacy!".
>>
>> Full canonicalization like in the I-D above forces you to use a stand-alone
>> canonicalizer which is like building a parallel single-purpose JSON parser.
>> Using text "as is" makes canonicalization a zero issue but I felt that it would be
>> cooler using a standard (or moderately updated) JSON parser for creating and
>> validating signatures. This design also enables security properties like keys to
>> be handled exactly as any other properties.
>>
>> When I found (on stackoverflow) that many developers also feel that parsers
>> that read properties A, B, C but outputs them as A, C, B as inferior, the decision
>> to maintain strict property input/creation order became obvious.
>>
>> I'm currently not considering an IETF process, it seems like a better idea
>> establishing this scheme through open source and actual usage :-)
>>
>> JCS was designed for supporting complex signature systems like:
>> https://openkeystore.googlecode.com/svn/wcpp-payment-demo/trunk/docs/messages.html#UserSignedAuthorization
>>
>> Regards,
>> Anders
>>
>>> Anyway, I still think that JOSE requires a readable JSON serialisation.
>>> I am not really familiar with the IETF procedures and seeing that no
>>> one else reacted on the suggestion so far, I guess that raising such
>>> thoughts in the mailing list is not enough. What needs to be done in
>>> order to have a discussion on replacing the flattened JSON
>>> serialisation by a readable JSON serialisation?
>>>
>>> Thanks and BR, Luigi.
>>>
>>>
>>> On 13.03.15 at 10:01, Anders Rundgren wrote:
>>>> On 2015-03-13 09:10, Prof. Dr.-Ing. Luigi Lo Iacono wrote:
>>>>> Seems that there is some uncertainty about this "special" serialisation.
>>>>> I would actually vote for replacing the flattened JSON serialisation
>>>>> with one, that provides a real benefit. Taken up on a discussion I
>>>>> read earlier on the list, wouldn't it be more sensible to have a "readable"
>>>>> JSON serialisation (i.e., leaving the signed payload "human readable")!?
>>>>> This would of course require some form of
>>>>> normalisation/canonicalisation as used e.g. in XML Security. Still,
>>>>> this would be something valuable to have and a real distinguishing
>>>>> point in comparison to the other serialisations.
>>>>>
>>>>> If people think that this is worth a discussion, then maybe we
>>>>> should kick-off an explicit thread on it.
>>>> Human-readable JSON signatures are a reality although not as an IETF
>>>> standard.
>>>>
>>>> Since nobody is interested in bringing in the complexity of XML DSig
>>>> normalization, there seem to be some possible routes ahead.
>>>>
>>>> Phillip Hallam-Baker has proposed a scheme based on separating the
>>>> payload and the signature where the payload is used "verbatim"
>>>> reducing normalization and canonicalization to exactly ZERO:
>>>> http://www.ietf.org/mail-archive/web/acme/current/msg00224.html
>>>>
>>>> I have FWIW designed and also implemented a scheme which is based on
>>>> JSON's intrinsic normalization (white-space removal + character
>>>> escapes) but adds the constraint that a verifier honors the property
>>>> order of the serialized object:
>>>> https://openkeystore.googlecode.com/svn/resources/trunk/docs/jcs.html
>>>> Since a JSON parser-core typically is less than 500 lines of fairly
>>>> simple code I don't see that upgrading existing parsers with an
>>>> ordered dictionary would be a show-stopper. It surely didn't stop me at least :-)
>>>> Runnable Java+JavaScript implementation: https://mobilepki.org/jcs
>>>> Partial Python implementation:
>>>> https://code.google.com/p/openkeystore/source/browse/python/trunk/src/org/webpki/json/JCSValidator.py
>>>>
>>>> Minimal .NET implementation:
>>>> https://code.google.com/p/openkeystore/source/browse/resources/trunk/docs/JCSDemo.cs
>>>>
>>>>
>>>> Cheers,
>>>> Anders
>>>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
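
The property-order rule described in the message above, as an added sketch that is not part of the original thread and is not the JCS project's code. It uses HMAC-SHA256 from the Python standard library in place of a public-key signature; the `algorithm` and `value` member names inside `signature`, the key and the sample property values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 stands in for a public-key signature.
DEMO_KEY = b"constructed-demo-key"


def _serialize(obj):
    """JSON text with no whitespace, properties in the order the dict holds them."""
    return json.dumps(obj, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def _mac(obj, key):
    return hmac.new(key, _serialize(obj), hashlib.sha256).digest()


def sign(message, key=DEMO_KEY):
    """Return a copy of message with a "signature" property appended last.

    The MAC covers every property in creation order, including the signature
    object itself minus its "value" member (member names are assumptions).
    """
    if "signature" in message:
        raise ValueError("message already carries a signature")
    signed = dict(message)                      # dict keeps insertion order
    signed["signature"] = {"algorithm": "HS256"}
    value = base64.urlsafe_b64encode(_mac(signed, key)).decode("ascii")
    signed["signature"]["value"] = value
    return signed


def verify(text, key=DEMO_KEY):
    """Verify signed JSON text as received; True only if the MAC matches."""
    try:
        obj = json.loads(text)                  # json.loads keeps property order
    except ValueError:
        return False
    if not isinstance(obj, dict):
        return False
    sig = obj.get("signature")
    if not isinstance(sig, dict) or sig.get("algorithm") != "HS256":
        return False
    value = sig.get("value")
    if not isinstance(value, str):
        return False
    try:
        claimed = base64.urlsafe_b64decode(value.encode("ascii"))
    except ValueError:                          # bad base64 or non-ASCII text
        return False
    # Re-create what the signer hashed: same object, same order, no "value".
    obj["signature"] = {k: v for k, v in sig.items() if k != "value"}
    return hmac.compare_digest(_mac(obj, key), claimed)


def demo():
    """Run the scheme over constructed sample messages and return the outcomes."""
    signed = sign({
        "@context": "https://json.example.com/protocol",
        "@qualifier": "Response",
        "property-1": "value-1",
        "property-2": 2,
    })
    compact = json.dumps(signed, separators=(",", ":"))
    # A sender or intermediary that re-emits the properties in another order.
    moved = dict(signed)
    moved["property-1"] = moved.pop("property-1")
    return {
        "compact": verify(compact),
        "pretty_printed": verify(json.dumps(signed, indent=4)),
        "escaped_character": verify(compact.replace('"value-1"', '"\\u0076alue-1"')),
        "reordered": verify(json.dumps(moved)),
        "tampered": verify(compact.replace("value-1", "value-X")),
        "unsigned": verify('{"@qualifier":"Init"}'),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} {'valid' if ok else 'INVALID'}")
```

Whitespace and character escapes are absorbed by parsing, while a changed property order or value breaks the check. The sample uses only strings and integers because a parser that re-serializes a number such as 1e2 differently from the sender would fail verification in the same way as reordering.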

From nobody Thu Mar 19 11:07:09 2015
From: "Jim Schaad"
To: "'Anders Rundgren'"
Date: Thu, 19 Mar 2015 11:05:50 -0700
Message-ID: <069401d0626f$55cb1990$01614cb0$@augustcellars.com>
In-Reply-To: <550A6154.9040907@gmail.com>
Subject: Re: [jose] Charter Proposal: "Trusted Code" for the Web

To me this sounds more like a W3C activity than an IETF activity.

Jim

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Anders Rundgren
Sent: Wednesday, March 18, 2015 10:41 PM
To: jose@ietf.org
Subject: [jose] Charter Proposal: "Trusted Code" for the Web

Trusted Code for the Web

Existing security-related applications like authentication, payments, etc. are all based on that a core-part is executed by statically installed software that is supposed to be TRUSTED.

Since web-based applications are transiently downloaded, unsigned and come from any number of more or less unknown sources, such applications are by definition UNTRUSTED.

To compensate for this, web-based security applications currently rely on a hodge-podge of non-standard methods [1] where trusted code resides (and executes) somewhere outside of the actual web application.

However, because each browser-vendor has its own idea on what is secure and useful [2], interoperability has proven to be a major hassle. In addition, the ongoing quest for locking down browsers (in order to make them more secure), tends to break applications after browser updates.

Although security applications are interesting, they haven't proved to be a driver. Fortunately it has turned out that the desired capability ("Trusted Code"), is also used by massively popular music streaming services, cloud-based storage systems, on-line gaming sites and open source collaboration networks.

The goal for the proposed effort would be to define a vendor- and device-neutral solution for dealing with trusted code on the Web.

References

1] A non-exhaustive list includes:
- Custom protocol handlers. Primarily used on Android and iOS. GitHub also uses it on Windows
- Local web services on 127.0.0.1. Used by lots of services, from Spotify to digital signatures
- Browser plugins like NPAPI/ActiveX. Used (for example) by millions of people in Korea for PKI support but is now being deprecated
- Chrome native messaging. Fairly recent solution which enables Native <=> Web communication

2] https://code.google.com/p/chromium/issues/detail?id=378566

From nobody Thu Mar 19 11:15:30 2015
From: John Bradley
To: Jim Schaad
Cc: jose@ietf.org, Anders Rundgren
Date: Thu, 19 Mar 2015 15:15:19 -0300
In-Reply-To: <069401d0626f$55cb1990$01614cb0$@augustcellars.com>
Subject: Re: [jose] Charter Proposal: "Trusted Code" for the Web

It sounds like WebCrypto or something more related to it. http://www.w3.org/2012/webcrypto/

> On Mar 19, 2015, at 3:05 PM, Jim Schaad <ietf@augustcellars.com> wrote:
>
> To me this sounds more like a W3C activity than an IETF activity.
>
> Jim
>
>
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Anders Rundgren
> Sent: Wednesday, March 18, 2015 10:41 PM
> To: jose@ietf.org
> Subject: [jose] Charter Proposal: "Trusted Code" for the Web
>
> Trusted Code for the Web
>
> Existing security-related applications like authentication, payments, etc. are all based on that a core-part is executed by statically installed software that is supposed to be TRUSTED.
>
> Since web-based applications are transiently downloaded, unsigned and come from any number of more or less unknown sources, such applications are by definition UNTRUSTED.
>
> To compensate for this, web-based security applications currently rely on a hodge-podge of non-standard methods [1] where trusted code resides (and executes) somewhere outside of the actual web application.
>
> However, because each browser-vendor has its own idea on what is secure and useful [2], interoperability has proven to be a major hassle. In addition, the ongoing quest for locking down browsers (in order to make them more secure), tends to break applications after browser updates.
>
> Although security applications are interesting, they haven't proved to be a driver. Fortunately it has turned out that the desired capability ("Trusted Code"), is also used by massively popular music streaming services, cloud-based storage systems, on-line gaming sites and open source collaboration networks.
>
> The goal for the proposed effort would be to define a vendor- and device-neutral solution for dealing with trusted code on the Web.
>
>
> References
>
> 1] A non-exhaustive list includes:
> - Custom protocol handlers. Primarily used on Android and iOS. GitHub also uses it on Windows
> - Local web services on 127.0.0.1. Used by lots of services, from Spotify to digital signatures
> - Browser plugins like NPAPI/ActiveX. Used (for example) by millions of people in Korea for PKI support but is now being deprecated
> - Chrome native messaging. Fairly recent solution which enables Native <=> Web communication
>
> 2] https://code.google.com/p/chromium/issues/detail?id=378566
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose


From nobody Thu Mar 19 22:50:23 2015
From: Anders Rundgren
To: John Bradley, Jim Schaad
Cc: jose@ietf.org
Date: Fri, 20 Mar 2015 06:49:52 +0100
Message-ID: <550BB500.4070505@gmail.com>
Subject: Re: [jose] Charter Proposal: "Trusted Code" for the Web

On 2015-03-19 19:15, John Bradley wrote:
> It sounds like WebCrypto or something more related to it. http://www.w3.org/2012/webcrypto/

I would rather characterize this as the opposite to WebCrypto since the referred schemes all are based on the idea that "The Web is not enough".

That is, the Web needs (as proven any number of times), to be extended with its more powerful native/platform companion for a lot of reasons including access to platform-resident keys as well as breaking away from the crippling SOP notion.

The W3C does not appear to be a suitable home for such an effort, they rather prefer continuing the so far pretty unsuccessful efforts DUPLICATING the native level into the Web [1], instead of recognizing the power of COMBINING these worlds.

Cheers,
Anders

1] https://lists.w3.org/Archives/Public/public-sysapps/2014Dec/0000.html

>
>> On Mar 19, 2015, at 3:05 PM, Jim Schaad wrote:
>>
>> To me this sounds more like a W3C activity than an IETF activity.
>> Jim
>> *From:* jose [mailto:jose-bounces@ietf.org] *On Behalf Of* Anders Rundgren
>> *Sent:* Wednesday, March 18, 2015 10:41 PM
>> *To:* jose@ietf.org
>> *Subject:* [jose] Charter Proposal: "Trusted Code" for the Web
>>
>> Trusted Code for the Web
>>
>> Existing security-related applications like authentication, payments, etc. are all based on that a core-part is executed by statically installed software that is supposed to be TRUSTED.
>>
>> Since web-based applications are transiently downloaded, unsigned and come from any number of more or less unknown sources, such applications are by definition UNTRUSTED.
>>
>> To compensate for this, web-based security applications currently rely on a hodge-podge of non-standard methods [1] where trusted code resides (and executes) somewhere outside of the actual web application.
>>
>> However, because each browser-vendor have their own idea on what is secure and useful [2], interoperability has proven to be a major hassle. In addition, the ongoing quest for locking down browsers (in order to make them more secure), tends to break applications after browser updates.
>>
>> Although security applications are interesting, they haven't proved to be a driver. Fortunately it has turned out that the desired capability ("Trusted Code"), is also used by massively popular music streaming services, cloud-based storage systems, on-line gaming sites and open source collaboration networks.
>>
>> The goal for the proposed effort would be to define a vendor- and device-neutral solution for dealing with trusted code on the Web.
>>
>> *References*
>>
>> 1] An non-exhaustive list include:
>> - Custom protocol handlers. Primarily used on Android and iOS. GitHub also uses it on Windows
>> - Local web services on 127.0.0.1. Used by lots of services, from Spotify to digital signatures
>> - Browser plugins like NPAPI/ActiveX. Used (for example) by millions of people in Korea for PKI support but is now being deprecated
>> - Chrome native messaging. Fairly recent solution which enables Native <=> Web communication
>>
>> 2] https://code.google.com/p/chromium/issues/detail?id=378566
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>

From nobody Fri Mar 20 00:31:03 2015
From: Hannes Tschofenig
To: Anders Rundgren, John Bradley, Jim Schaad
Cc: jose@ietf.org
Date: Fri, 20 Mar 2015 08:30:42 +0100
Message-ID: <550BCCA2.709@gmx.net>
In-Reply-To: <550BB500.4070505@gmail.com>
Subject: Re: [jose] Charter Proposal: "Trusted Code" for the Web

I like the proposal Anders put forward. Doing some work in the IETF in that area might not be a bad idea to stimulate discussions.

Ciao
Hannes

On 03/20/2015 06:49 AM, Anders Rundgren wrote:
> On 2015-03-19 19:15, John Bradley wrote:
>> It sounds like WebCrypto or something more related to it.
>> http://www.w3.org/2012/webcrypto/
>
> I would rather characterize this as the opposite to WebCrypto since the referred schemes all are based on the idea that "The Web is not enough".
>
> That is, the Web needs (as proven any number of times), to be extended with its more powerful native/platform companion for a lot of reasons including access to platform-resident keys as well as breaking away from the crippling SOP notion.
>
> The W3C does not appear to be a suitable home for such an effort, they rather prefer continuing the so far pretty unsuccessful efforts DUPLICATING the native level into the Web [1], instead of recognizing the power of COMBINING these worlds.
>
> Cheers,
> Anders
>
> 1] https://lists.w3.org/Archives/Public/public-sysapps/2014Dec/0000.html
>
>>
>>> On Mar 19, 2015, at 3:05 PM, Jim Schaad wrote:
>>>
>>> To me this sounds more like a W3C activity than an IETF activity.
>>> Jim
>>> *From:* jose [mailto:jose-bounces@ietf.org] *On Behalf Of* Anders Rundgren
>>> *Sent:* Wednesday, March 18, 2015 10:41 PM
>>> *To:* jose@ietf.org
>>> *Subject:* [jose] Charter Proposal: "Trusted Code" for the Web
>>>
>>> Trusted Code for the Web
>>>
>>> Existing security-related applications like authentication, payments, etc. are all based on that a core-part is executed by statically installed software that is supposed to be TRUSTED.
>>>
>>> Since web-based applications are transiently downloaded, unsigned and come from any number of more or less unknown sources, such applications are by definition UNTRUSTED.
>>>
>>> To compensate for this, web-based security applications currently rely on a hodge-podge of non-standard methods [1] where trusted code resides (and executes) somewhere outside of the actual web application.
>>>
>>> However, because each browser-vendor have their own idea on what is secure and useful [2], interoperability has proven to be a major hassle. In addition, the ongoing quest for locking down browsers (in order to make them more secure), tends to break applications after browser updates.
>>>
>>> Although security applications are interesting, they haven't proved to be a driver. Fortunately it has turned out that the desired capability ("Trusted Code"), is also used by massively popular music streaming services, cloud-based storage systems, on-line gaming sites and open source collaboration networks.
>>>
>>> The goal for the proposed effort would be to define a vendor- and device-neutral solution for dealing with trusted code on the Web.
>>>
>>> *References*
>>>
>>> 1] An non-exhaustive list include:
>>> - Custom protocol handlers. Primarily used on Android and iOS. GitHub also uses it on Windows
>>> - Local web services on 127.0.0.1. Used by lots of services, from Spotify to digital signatures
>>> - Browser plugins like NPAPI/ActiveX. Used (for example) by millions of people in Korea for PKI support but is now being deprecated
>>> - Chrome native messaging. Fairly recent solution which enables Native <=> Web communication
>>>
>>> 2] https://code.google.com/p/chromium/issues/detail?id=378566
>>>
>>> _______________________________________________
>>> jose mailing list
>>> jose@ietf.org
>>> https://www.ietf.org/mailman/listinfo/jose
>>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

From nobody Fri Mar 20 01:23:21 2015
From: John Mattsson
To: "Joe Hildebrand (jhildebr)"
Cc: "jose@ietf.org"
Date: Fri, 20 Mar 2015 08:23:13 +0000
In-Reply-To: <66855374-D565-4E65-8978-36AE2F539FBD@cisco.com>
Subject: Re: [jose] COSE: what would change?

Thanks for starting the discussion Joe,

I strongly support the work on COSE. My view is that to be relevant for the IoT use cases, and in particular devices using IEEE 802.15.4, COSE must be highly optimized compared to JOSE:

In our draft on end-to-end security for IoT (draft-selander-ace-object-security-01) where we plan to use COSE, our measurements show that usage of JWS can easily add 135 bytes, filling up more than an entire IEEE 802.15.4 frame. COSE (according to draft-bormann-jose-cose-00) would be far better but still use 70 bytes. My view is that this is still too large for IEEE 802.15.4 and that the following three optimizations are needed (imperative):

- Carsten has already suggested replacing certain member names ("alg"...) with predefined numbers. I strongly support this.

- Even without base64 encoding, the JWS MACs take 32 bytes. IoT devices using DTLS use 8 byte MACs. I strongly think IoT specific algorithms with truncated MACs (maybe 16 and 8 bytes) are necessary.

- The JWE Initialization Vector takes up 12 bytes, IoT devices would likely want to save a nonce together with the key to save bandwidth (and therefore battery).

With these changes, the overhead of COSE (both CWS and CWE) could be below 30 bytes. I think this is not only desirable, but also necessary. The algorithm and IV optimizations could be done in parallel to the COSE encoding work.

Cheers,
John

John Mattsson
Ericsson IETF Security Coordinator
Senior Researcher, Security

> On 06 Mar 2015, at 20:19, Joe Hildebrand (jhildebr) <jhildebr@cisco.com> wrote:
>
> In talking with several folks about COSE, it appears that there are differing views on how much to change in the JOSE/COSE translation. I would like to explore the points of agreement and disagreement a little.
>
> It seems like most people agree that maintaining signature compatibility is a non-goal; I agree that is the only way for us to have a chance at success.
>
> I think we're also likely to get agreement that we should do our best to use CBOR idioms in COSE (such as mixed-type keys for maps) once they are explained to the group in enough detail for everyone to understand the proposals.
>
> Finally, I think one of the reasons people are interested in COSE is a chance to optimize for a different set of use cases than we had for JOSE.
>
> The main source of disagreement seems to be what we would change in COSE of the things some might have wanted to done differently in JOSE. I'm sympathetic to both the group that wants to crank something out quickly without re-litigating the past, as well as to the group that wants to re-optimize as many things as possible given the removal of the pressure of existing codebases that we had with JOSE.
>
> An approach that might work for this would be to set a bar for changes along the lines of "significant improvement in security, performance (wire size, code size, CPU, power, etc.), or deployability" would be required to justify a change. To see if that approach would work, it would be nice to see a list of things that folks would want to change, and to get early agreement on a couple of those changes as being above the bar that we set, so that we have some precedent to reason from.
>
> To that end, I propose that those that want changes produce a list, perhaps annotated with whether the change is seen as imperative or merely nice-to-have. The folks that want a quick outcome would then select several changes they see as being definitely above the line. My hope is that this exercise would build trust that we all want something similar: a high quality protocol standardized in as short a time as possible.
>
> --
> Joe Hildebrand
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
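
The size argument in John Mattsson's message (JSON member names, base64url expansion and a full 32-byte MAC versus numeric labels and truncated MACs), worked through as an added example that is not part of the original post and is not COSE. The key, the payload, the one-byte labels in `TAG_LEN` and the `compact_*` frame layout are assumptions constructed for illustration, so the byte counts apply to this payload only and are not the 135 and 70 bytes measured in the message.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

KEY = bytes(range(32))           # constructed 256-bit demo key
PAYLOAD = b'{"t":21.5,"h":40}'   # constructed 17-byte sensor reading

# Hypothetical one-byte algorithm labels -> HMAC-SHA256 tag length in bytes.
# They stand in for "predefined numbers"; they are not registry values.
TAG_LEN = {1: 32, 2: 16, 3: 8}


def b64url(data: bytes) -> bytes:
    """base64url without padding, as JWS uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def b64url_decode(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def jws_hs256(payload: bytes, key: bytes) -> bytes:
    """JWS compact serialization: b64(header).b64(payload).b64(HMAC-SHA256)."""
    header = json.dumps({"alg": "HS256"}, separators=(",", ":")).encode()
    signing_input = b64url(header) + b"." + b64url(payload)
    tag = hmac.new(key, signing_input, hashlib.sha256).digest()
    return signing_input + b"." + b64url(tag)


def jws_verify(token: bytes, key: bytes) -> Optional[bytes]:
    """Return the payload if the token verifies, else None."""
    try:
        head, body, sig = token.split(b".")
        if json.loads(b64url_decode(head)) != {"alg": "HS256"}:
            return None          # the algorithm is pinned, not taken on trust
        expected = hmac.new(key, head + b"." + body, hashlib.sha256).digest()
        if not hmac.compare_digest(b64url_decode(sig), expected):
            return None
        return b64url_decode(body)
    except ValueError:           # wrong part count, bad base64 or bad JSON
        return None


def compact_protect(payload: bytes, key: bytes, alg_id: int) -> bytes:
    """Constructed binary frame: [alg_id][payload][truncated tag].

    The label byte is part of the MAC input, so the tag length is
    authenticated along with the payload.
    """
    header = bytes([alg_id])
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag[:TAG_LEN[alg_id]]


def compact_verify(frame: bytes, key: bytes) -> Optional[bytes]:
    """Return the payload if the frame verifies, else None."""
    if not frame:
        return None
    tag_len = TAG_LEN.get(frame[0])
    if tag_len is None or len(frame) < 1 + tag_len:
        return None
    header, payload, tag = frame[:1], frame[1:-tag_len], frame[-tag_len:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected[:tag_len]) else None


def size_report(payload: bytes, key: bytes) -> dict:
    """Bytes added on top of the payload by each encoding."""
    report = {"jws_hs256": len(jws_hs256(payload, key)) - len(payload)}
    for alg_id, tag_len in TAG_LEN.items():
        frame = compact_protect(payload, key, alg_id)
        report[f"compact_mac{tag_len * 8}"] = len(frame) - len(payload)
    return report


if __name__ == "__main__":
    for name, extra in size_report(PAYLOAD, KEY).items():
        print(f"{name:15s} +{extra} bytes")
```

Shortening the tag is a security trade as well as a size saving: each forgery attempt against an 8-byte tag succeeds with probability 2^-64, so a receiver accepting such tags should limit failed verifications per key.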
PSIiPg0KPGJyIGNsYXNzPSIiPg0KRmluYWxseSwgSSB0aGluayBvbmUgb2YgdGhlIHJlYXNvbnMg cGVvcGxlIGFyZSBpbnRlcmVzdGVkIGluIENPU0UgaXMgYSBjaGFuY2UgdG8gb3B0aW1pemUgZm9y IGEgZGlmZmVyZW50IHNldCBvZiB1c2UgY2FzZXMgdGhhbiB3ZSBoYWQgZm9yIEpPU0UuPGJyIGNs YXNzPSIiPg0KPGJyIGNsYXNzPSIiPg0KPGJyIGNsYXNzPSIiPg0KVGhlIG1haW4gc291cmNlIG9m IGRpc2FncmVlbWVudCBzZWVtcyB0byBiZSB3aGF0IHdlIHdvdWxkIGNoYW5nZSBpbiBDT1NFIG9m IHRoZSB0aGluZ3Mgc29tZSBtaWdodCBoYXZlIHdhbnRlZCB0byBkb25lIGRpZmZlcmVudGx5IGlu IEpPU0UuICZuYnNwO0knbSBzeW1wYXRoZXRpYyB0byBib3RoIHRoZSBncm91cCB0aGF0IHdhbnRz IHRvIGNyYW5rIHNvbWV0aGluZyBvdXQgcXVpY2tseSB3aXRob3V0IHJlLWxpdGlnYXRpbmcgdGhl IHBhc3QsIGFzIHdlbGwgYXMNCiB0byB0aGUgZ3JvdXAgdGhhdCB3YW50cyB0byByZS1vcHRpbWl6 ZSBhcyBtYW55IHRoaW5ncyBhcyBwb3NzaWJsZSBnaXZlbiB0aGUgcmVtb3ZhbCBvZiB0aGUgcHJl c3N1cmUgb2YgZXhpc3RpbmcgY29kZWJhc2VzIHRoYXQgd2UgaGFkIHdpdGggSk9TRS48YnIgY2xh c3M9IiI+DQo8YnIgY2xhc3M9IiI+DQo8YnIgY2xhc3M9IiI+DQpBbiBhcHByb2FjaCB0aGF0IG1p Z2h0IHdvcmsgZm9yIHRoaXMgd291bGQgYmUgdG8gc2V0IGEgYmFyIGZvciBjaGFuZ2VzIGFsb25n IHRoZSBsaW5lcyBvZiAmcXVvdDtzaWduaWZpY2FudCBpbXByb3ZlbWVudCBpbiBzZWN1cml0eSwg cGVyZm9ybWFuY2UgKHdpcmUgc2l6ZSwgY29kZSBzaXplLCBDUFUsIHBvd2VyLCBldGMuKSwgb3Ig ZGVwbG95YWJpbGl0eSZxdW90OyB3b3VsZCBiZSByZXF1aXJlZCB0byBqdXN0aWZ5IGEgY2hhbmdl LiAmbmJzcDtUbyBzZWUgaWYgdGhhdCBhcHByb2FjaA0KIHdvdWxkIHdvcmssIGl0IHdvdWxkIGJl IG5pY2UgdG8gc2VlIGEgbGlzdCBvZiB0aGluZ3MgdGhhdCBmb2xrcyB3b3VsZCB3YW50IHRvIGNo YW5nZSwgYW5kIHRvIGdldCBlYXJseSBhZ3JlZW1lbnQgb24gYSBjb3VwbGUgb2YgdGhvc2UgY2hh bmdlcyBhcyBiZWluZyBhYm92ZSB0aGUgYmFyIHRoYXQgd2Ugc2V0LCBzbyB0aGF0IHdlIGhhdmUg c29tZSBwcmVjZWRlbnQgdG8gcmVhc29uIGZyb20uDQo8YnIgY2xhc3M9IiI+DQo8YnIgY2xhc3M9 IiI+DQo8YnIgY2xhc3M9IiI+DQpUbyB0aGF0IGVuZCwgSSBwcm9wb3NlIHRoYXQgdGhvc2UgdGhh dCB3YW50IGNoYW5nZXMgcHJvZHVjZSBhIGxpc3QsIHBlcmhhcHMgYW5ub3RhdGVkIHdpdGggd2hl dGhlciB0aGUgY2hhbmdlIGlzIHNlZW4gYXMgaW1wZXJhdGl2ZSBvciBtZXJlbHkgbmljZS10by1o YXZlLiAmbmJzcDtUaGUgZm9sa3MgdGhhdCB3YW50IGEgcXVpY2sgb3V0Y29tZSB3b3VsZCB0aGVu 
From nobody Mon Mar 23 00:36:36 2015
From: Mike Jones
To: Stephen Farrell
Date: Mon, 23 Mar 2015 07:36:11 +0000
Cc: Nat Sakimura, "jose@ietf.org"
Subject: Re: [jose] My quest to learn how to create SubjectPublicKeyInfo values from scratch
List-Id: Javascript Object Signing and Encryption
From nobody Tue Mar 24 12:34:36 2015
From: Mike Jones
To: Jim Schaad, Karen O'Donoghue
Thread-Topic: Presentation for Key Managed JWS new business (time permitting)
Date: Tue, 24 Mar 2015 19:34:26 +0000
(UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47 X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB444 Archived-At: Cc: "jose@ietf.org" Subject: [jose] Presentation for Key Managed JWS new business (time permitting) X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Mar 2015 19:34:33 -0000 --_004_BY2PR03MB442AE4BC9D853A29D0C7643F50A0BY2PR03MB442namprd_ Content-Type: multipart/alternative; boundary="_000_BY2PR03MB442AE4BC9D853A29D0C7643F50A0BY2PR03MB442namprd_" --_000_BY2PR03MB442AE4BC9D853A29D0C7643F50A0BY2PR03MB442namprd_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Jim or Karen, could you please add this to meeting information for the new business agenda item at http://www.ietf.org/proceedings/92/agenda/agenda-92-jose? Thanks, -- Mike --_000_BY2PR03MB442AE4BC9D853A29D0C7643F50A0BY2PR03MB442namprd_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

--_000_BY2PR03MB442AE4BC9D853A29D0C7643F50A0BY2PR03MB442namprd_-- --_004_BY2PR03MB442AE4BC9D853A29D0C7643F50A0BY2PR03MB442namprd_ Content-Type: application/pdf; name="Key Managed JSON Web Signature - IETF 92.pdf" Content-Description: Key Managed JSON Web Signature - IETF 92.pdf Content-Disposition: attachment; filename="Key Managed JSON Web Signature - IETF 92.pdf"; size=305297; creation-date="Tue, 24 Mar 2015 19:22:08 GMT"; modification-date="Tue, 24 Mar 2015 19:34:25 GMT" Content-Transfer-Encoding: base64
NT362k2PvnbTo85N34MA2syS8ZK1V/rbeK528HQPEuuOO326PsxqMWK3iFn35YSrPt5y5TubSiZs +XjL5W9vLt2VPfO6pUuvm9M7UHtt87LrZ+co19x0pHXOjLu/v3Xr4R1zpt/1zX1nPL5pStWlexY0 7900ueryx0Q8jNPneey/VNabrW7tZYhOxBCdiCG65QzRLWeITsQglkCiM024J024J81htfFJ/8He l4fHUV171q3qfa3qfV/Uu1qtfd+6ZMvaZVneJC+SN4GBAN5twOxbQgwT1ryP5XuQTAaSkASMNxmS if2Ng4ck5pEFmyRAyOTxACcOD14eS0Ddc86t6pYsyy/Jm/nmn5GPfep2dVf1vb977rlnK7cfPS4/ lvcyQgwsiwMqlQGGqT9gHzbMMKwkAeHPt60isw0qxQyzmDsp7vnuNQ9orWE3qp9SD7GXDl5+1UDq UMvIWNnjjy7e3BXlHtjw2NWtufLiuoCpVjuza68dGbqi1jT1abJ7EyONWKGHEdczncx9YoAvFxo0 0OsGHEUDHUUDjqoBZ7kBZvlICv3MVFZAKKAlyNAIMjSCDI0gQyNg2a+vnAdb+vBWkYiisw0QOBQe dspKhlrQ6Dhe4Dc2yauEut3l3AWQOJwBTnYfnVaHg9TGE/F4wXHQq2zRgCds0yv22DPty1t2FMAC R8Ja1eHp37E4EVmwtilUm0nadpo0uanOJe5szX3f7Ny0IAhKBjYkLSzxqtqRbGTqV0UQwSxVcsbG lVsWdmwearaZ0q2Lq3K/j/q5OwYud6pVuYFwyxLQNt35c9wmWDe9zDtHmY78uwfNPBnokCHqkKHr kHVNhwxVxyRbJqarRauNDFSLsCtHq6PVBq8Lr/WiAvfyPDK4xIvT4X2erUItfsBLN/VjB9zy0SYd D5vRADOUv0ASTAOYsnFRL4QaSIOoN5ABAWtOdNhqEBoERyvY/Yc6vMrUMsckScnrEKbgnIBeTTo9 xp/jUVSnLTKL9MasBao4zzyoLZoLs91cFbdp4Z6vjXVsGWlx6mHr15hqlmzraxxbGK1eevnVly2t abn8vuXpkcFWq0rBciq9Wl/ROdZcv6TWU73siquvWFZDvrDmv2yqdoRKXLGgw29RlyQjgYYlNQ2L W6pq2pdvGxq+aWXG7A5a9YLLagHv1xfx+ysXxOoXt1bXtC3bBnNkhrV+BiS/hLnkiEtET0JA1A6i qfQ3L3zcSIX8sUMo+SoLOk1+eW1Xg2n3AQXnR2n+RLroMk0brwV1Rr2lM9TVe7BgWUBLdgW526kj SD2lz/6xKIgbNYLPapWCaWgBfhs09bVgN6WZh0X/+gwJ4aoN4SoOoeiEcO8PodTgc52iMNNOB0lj HPKAHfKAHfKAHfKAHfKAHc+zPNqwaM1j8ZeohVvo4kv5pd5puaHGu6zB09MiMkYuNLJssw1JxbWL bp7c9YVnb+yUnEWrpmzZrt7+XcNpCk0Y7Mg3dx+9eUH7tYf3cJECHJ9/uPrOVZmy0VtHOOdMu7gN 7Km3AJVWZvOBeCupnsx/Ii5EoY/B9GiwkawgMZ6eiZESFzZSJcQVwkamimQqSSZKMhHSsLR0aaRS z810VGB3z8Ko4A+GCmWKFe0frtCKx+vrZ9g/M1oOh0qtvE3B+1KBYNpnUuQ+YP/CmTypULjMZ+Zy 31YRIR4KRq1qlkQIsXFaWyzgC9u0HEmxxM+prBF/IMITZdwk4J4tmLiffV5RaCuednpMCk5j0n92 QtGsN6OJbdZ/9qKiRQdtpcnjRP2/FjRVlvsx2Nsi86wYMi8ILqhYwOm1zloDTHstyk4tik0tj2qo dpJ8LJqYRMLMEAOD0sU0y1qsWbagmmVJwSNVe82TrEa0Cc4fMbV8LdtyrJYw4GnXlneUThKvaH6l 
hJSUKPxny/vaXjcMKpiKQlSFOtpj28bHCubAifT4WJMcYamGzWEc7E6MyoKFVKeajqnV1Mm2gXxG QeVKLSkeBzrkXJb3eT1BU8t9w907hjPtO795+fWOqsVNbRt6qwwaMH/U3gUrL63d8KXl8W/c0zmx ILhqSceWNpfBAPu3YXW2K9Z1acfA1r5YV+2SOq8/4tfwbrPb74n4rWUrblx+wpnJprqWLegEdB8G dF9VbmNK0e48BAtDF66XV1S9vMLqZbzwNcWrfpJ8InrtaTSu0iGMOyL+aVzPaZ6GI1mdqGXsuvq6 sEJZOUmUh+N93i5+oAma+5WDdAUChM6mou05jVlxDSbsFy5GSTgLppVacDiosfFqzaZ7x9K9XV0J jcVrB2NSpbaGXG6wLJP9PT3JjftGkt+z164UQ+3iokTn9QvbRxvc5J1dL9zeJcSbU1fDelQoYD0q GzWSm6eZejvVGOEX3/bsrkW3TrRZShdU5x5eNtK6aS+s2NWAWIh7ialj7trvo7uZ5Mq+Jbuw7x5E l2WOgN6fzg/k5c9KAT5WLxorTMTkfico6ow9wegkYQ9a+7g/VKGu1xp7qsomiWq/dhA93vQ5yorB nRPFUN6skK1K2spUMwO2XIhVqt2t/aMVG756SV3HtodXpYc761xaFWsxmhOtK5r33BQWx1qbVmbT BnRcvi64BaM75reIew/suuOH17XwnhKXyeqyJILhZPjI90ZuG01H0xGN1Y/rdD3g8pjyKibONDH7 xGC2hei9Tbg6m1CzN6Fl0ITS0YTC0vQC+ZRhmAoJtQoZrAoZrAp5xVbIYFWgQOms4S59U8KrMJVi UbmrD5a64oBpUDmAmxkVp+ys2C2Vp6LrN3MJgmlWlCouHp9pqDdwj6kFnw3TQd0Pr9l090iyeuN9 64ZuE9W2IMqU9smFN3RmQYJAojrCbWJXwl0QoD2DKwdv279x5wu3dy9ayOoLPszUIpCdjdeLnbde ArK0sArRGgO0HgatlmZqme+JpRX12fot9ZwVV5M1hIFQa7gM7agyREtKkVD9BrLw6aHO9DfSLAb/ D+Fqq1XIwqeQZYy+1tOjpOAUiF84XHbyZsW9CvaYgryiIAqFr+L1eJ/r7HrTVhNr0p71UQEbmxkx lhblG2lJ2GiehC5QVSQ8Q6zs5wsfa0/UU0DV3MMJ99Rzga6tw+JEb4VBrVdxLKfW16/cJm55antz 67YnNl3x0PrMk9y1e9rWtpeAq5gI91+zstzusatNbovRajbo3S5r+3WT1+08esuizh2PjlpvfbB8 4JIG3Dlj+b+wdyqvgZ1z4jkHjwuQLjyvrLW8BW3lldWZVxYmLz4+V1kam8y/IlowAhjTnavv9sTP VfaEBvgeavFXo4eXPlHzgbTGak7Mipva5bjLTIs/IsdQawpxU/ZOhVKjUtsDKW+sNmR6SaPXKi3m lzSgmlwhq+YmnkdVc1Ok56q+yIKoQcMpzVanSanVa101w80b1YLHGg19/geNHnWSXsPZQ1GrR1CP jX9xZcpoNli9mIWryz3A3cX9T6adWcysY14R7ZZMN66ybg0MuTvEW8lAd00WrAqEICuvLzi+dRjf yqqHoCkazRYyMORVmCu5GrUapYeneB0TjdDI1Ki9XnVNRoEYi7UI8ih+xWiIh8tGS2OiHo4xc6Wa a+z7tWHZu3b7+kbuvdae0tCCXzX2rflVaEhORGSl0PRpSfWna04huE6w0tFOF+AkfyoNf9MFhqgD xg6HtBXEEyrQZw6n7FUVZK4BttfaesqllQ2OF6mNF7dTTNjFEwkTJ7/i7rKab4n4qsduXtywyWtx dtT/YeHWpeW1X3hy21UPbyzjw1WhqorqWDBau/aWgVR3kPCCkMtdMlbZXeG8ZE1VT4Vz2brh90Ip 
l/b23f2XtHu5nZFgdKRi8TXLyvwOS3kgUs7q2HDbqpb2rSuqYuKq2nB7Y43bPVDWtj4eG1sweN3y jFYTzn2wdnOosTe56tJgQ8/UeHOW1bgzqaS9Y6G/sh3l+2Gw/p+AnbmaufZgtpaUTqdCZMGekSOR cyawLTsDUsCbhr5p1JuqDT2+p5Ni3YFSNzi7qiOZvmiXe4CqT+rkFmOp0mbcdH7Al+4m6jmikJLp aOee0FikPddV3lvZfn0nvKRhssJW3H1v7+q9A2F3QZ5Z8+B4Z3R0xdS+wpmZ+29/b9uld21ATXlH /i9kWFnB2Jkwc/eRbGQosiXCOWRb7jzr30qPb83yEiSv4AV2G+Nj7BJSdvkqu/yuvQCpHWA6rAti jhofJDvo5nspPqfPpWVtKO8sc0fDrbjtojCCFJL22QBYy1qa0/ivCAF3eyGuTCqbS1NN8A9GnH81 9wCZgBFHmUrmzgND1Vg1QI0FOH6I/Y4VFDuWE+AAYvhMfdrAyJ+bEUiXxlWMqIPuE3VuN1NdjmMs hzEeSAZ7bbCT7lfSVQojFWpqCvasNFoYq/I859lxvkd03rCHA+JEdyjj0ioIp9aqVRFnuCJgKig9 xKA03dJSap7Yuzyt0RkFixGzg0pbpqeXe/pCOKR1cD2sg1rmIdGQrSepKlIlWsggmEev0MFVydtf FY7eQI90+6t6gU2A72yQMbh43giWhseRyTAIibREHCV6ZbLX1yUUloelCZYHGFtg3dM9ofqtghQU xeBvCtFfr7GWeLwRl1mVu322fJDlGou7xOUusWuN5tzz5GqjnoZ5OLVRSz7MGS9cJp//nOzWGbUc bKpag4vPPZ+LCXZZd5B2wMzOiDQHtIXmgOZOskzLCPnkoI7voiOWBWDunM8Fku2+sGtyL5SvgI2z hDkrei2YH6F5+jj1ZhPUld26lHRdmOuVok8zcsJni/otEHBgnDZQLeUKaNaAJgyomtOBfB9ZgvGC Je0Xps6l216QYn+BfAJKlieq5/r7wPhWicaOvvauTGNvZsA9Y/5nhn2b5Big0FRIP6G2pA8U/Ucq 82I61C6737KwKF+RVKlVYyvrLG/asQhXjzNsVTvKFpY37SxqVpXF53T4efXAV3obV3VW8pnh/u7o yO7e4LSOjTTN0rEXnuFuB8OE47R6zZ4VQ56KjmRVZ6kVlO9AYQ+CGaxmHhTN0gwik7ej2bN0kcw9 OosBPc8XdiWamp2RlSWfHJE3JtyWRF2mr9Qd7S1Aj1bDdJaPPw/tv2F7sv+17akI4j8M/pXt6Tyg AKD1uDuhN/gmIIT5h2+KvmyKJC0kJZC4kcQNJK4hcTUppdGQOXIOb82Zc0BjPVChI7oZyYzQ+cmM 51kdxlWPmJnBrTBNbnyS1twXAc9Rdq/RQ5QhqyimKMYKf/5aroJ7s3nHd7dv+W9X1zft+M4OODZ8 z9t+xVDv5Z1hb/aKoZ4rOkPk7auP3tm/4MaD2+HYB8fre2/d2FS77tbBvls3NNWO34qxhdyD3KuA DcYWbsbYQrh+jnyopH2mE6NoxNilsAINMNDoshRhmDOu0MsPXTSuMFdYYQ4ZuXhY4f7xZGeHGJ0h LDa716JODQwOZzZ+GcMKNTSs0JXovG5h+6oGD3lv9/dv6+ZLaiO59oIuVLwHMsNxID3Xlran7AO3 P7Nr0S0TrdbUwqrcI8tGWyeup/4zoPWYjNadohfgCurTuGDSOkMhxEKVXBp951KmRhKbGZVxZ+XK uELFXKEyDnxne6xX35YOKvhy9J09fY3oO/ODuOfP7Tufh1mdIEUKC/LirLu476zFZRa0qVN9Pb0J hKh6033rkl2LukuxuNLmE9QX+M+5gwWkyKlUU8Rc8KGFWEvqqgJ0uX+XnGgpIANONNVO7FM0Mrjp 
4NY6EjfLQjVdNCMLl1mWOjMKl2VGUBmljPGAzMVEbbovbraHeu2odai6pxt+umgLz3QA51I0VIhU 7FOsSqvROP1Ru7uyrjkyW83EOpqb/MZw1G9QcITb6AgIWq1WYysfaJh69kJFc1t9Z8LMaXQ6rYnW Tg3nz7Evw4h7mZdFQ0V/tn+o/6b+Z/qVMxI3H8kJGyoUHRiess5K6NBEDnldDErZG5q3QRGTkzfo IqPO8T5PPqIpeB2aRQaRmkrwMg73yxqeMbCG8jcadH8Qlgjrha0CJyVpfoMZmj7Hu9JiLKZn5OTM GIbbZyRnpm3pvzc5w75cM37r4sqRRZUOnQKTL+nsysbSzmpvQlyyYlhMpJbuXRrtaU7Z1RxYRzqV tqS+t6JUTNmT4tIVy8QEMS26Eubb6bZFg1awP70hryVSH4vXJoMl6faVrXUbessMFjtvMDt4wc2r HW6HNVLpS9QlQyWlrctxLsL599mrFN9lmpm1B1OMEMnImGfkucjIc5GRF2RGlsoMCqHBacyci/T4 jeecPVVofasltX0Kxa5Gjl6dOiGF9hRzBxjOD0M4CuEY9ioNH0qVO7smRP+NZgtmaG4oGGrvYOzY Yn6nodsZ9dk0Sq1SscZfwpu0qlj/jsWsSYownC4k2E9LMYicbmydVqdVmlw47gcxzsd9H2yC+8Ug WAL6BEpQAiUogYnZBFVSCZ6aXOTTw9JKC8qoBGVU4PgJXZvYOECLhOXFGpRlNIi+itaa6U3ole5e MMyU08G+mYUyRZGaM9g3K5FT3zAd9ntMbfHbnX5BNfhVuvWrbZKP4qzoqWzfu0htC8LKtWiLFsGe FYtbN9+1kS0prM6pPw+tWxgbXcHuKpxBfErAZtoL+JQxvz/KRPKwm6GhG6S5nFiQBKRGgDjkcdrl o23a/KVHSzE/nf9XsQGT22BVCCTBk6SSlCThRFsJiZaQMDazYRINkxA9GyLREEmYye4wCWOQSyvY e8IhWLXw6l1RC6IYxggjvsKZCOP9DVi8lOwN6z29ekkB0hRZGmvLx6jlkJb+ErQfJNwxm5Sm1f7F kpoZW4TV2WCVy/z3EpZjc6cURk8yEEi6TYrcywolFn84/RGrVpFTcJ+xOmvY6wwIau5xhVZnUH/+ Law2V2hMOm7EYNFy4BOywLRTHoOB/RetQcOxGj2iXQc+xu2A9iLmzaNMN6inNhhaIwa/Uo2kAY+x chIPk3iIxIMkHiBxP0n4SFJBUhxpbiEtzaQlQ1rxdyvsZJCXwwd4FHUgrnwI7sCb5dN4FA24keBp c0cv/RyCmeWH+C38TbyCFy2OHr6mN9bbfG8ZKcP3ylBr8lZHz+ayPWXsIjjrHNAiyK8ikmMnstlT gKSEd4WkDxlqpRXtNQloVRFnLqGekbubA/IZTeXtCmXuY87oTAaCpW4D9wOWfYYzelKBYAJe5T5V KsC7cPpKLBruVyx7ktVaQOyDFg17hiWnWa017HH5cVrUNvP0pLD3aLVTO6anyGxTa/UwQ+CpTnm0 WpghIyheLCNzFV6xGh3OVwpWRz/MVwVz51GmCoARML6PeqMcNUZLOXGBPB7GfJ6LOGXd4CicchAt Smsp+q14TStDGiOkXk/0IXQvcFb0+qrKVG9EL/h7haIL0ZQVLEQKXzMILAqvJL/pmMNWeHBi+rmJ 6Yyo1VpIgxJuocaaCAYidr3itTMKvb3E548JREtcuY81xJoI+SM2neLUKwqdEPT6YxZWm/u0zGQ1 KME7V5NLco/CgVMarCZyhDxlshoVnEqnzu0nQyqsEdPbzLlx1B5gBV4P+ESZpUcZL4y1Dle+l6S8 xEWdZxeJm+pNbEJLPLglN3uIuxGBc5Ngr1tn7dX1K4aYftlpxexvWlq0uHjDnDTUBitWFMZri1lf 
K43qOGxqtuYaVVW1JySwquu1PJf7oYaPBgIlNq2SEO4TlVAS8kUFVe4QLygNNhNpUlh03Fq7y6Tk NGbjVDl72qpXwj5hgZGsAqP2DHeESTMtRxkeRuLAWp04rdipgPdrtZ1aVhsTwGk54O4xJ6jzAh3H 4Hs12AqnxrACslikTiO95LxCZVpaQ7DJnlFpTJqp03YvyiO5J3cTb1VojVpWoRcMajyX20We1Bi1 qi6rV1D7wiUmh8PNs1eEYxZ4rTI5hJDJ5fTwU19V82BpsUSX/4i8rhxn7EyKMR1SxryDfBeA+sbL Myq9uHgxADbrQaYfqPFBIp9FLRCNPeLzRuwak9adDAZTsB5cqWAw6daSXQWrl3veYDEoVQbB8FlT OO3V673pcDjj1uvdGcCpNPcm2cG8xXgZ3XN6p4/hf3lKKjtSqyUd0GAtfu8Olckp3KU0Wt1Wwakj ijv0rqjHHXXqvxKsLc+4X1brNHRZEuvN3hCvUvEh9DxeyH9M7uEeoj6sdz9jm2T3HtEFIuCBm3uY 7KnsKTRJqi8scRNmD/seHGMoiWNMhnCMs19zoVAZjq8sVJLBY2YqGZZOwIBBtXsyqCP+AfpzNYxY zzj3Y6HLscNY0KLlYDFDV9LHcfgzIo5XV7S3luO/q7oryhfBP7xHKbeL7FBeA6hpAbVuuFLq/98D mjIerKnIuF5WG6gy0xLrTZ6QRaWyUNS+xO3hyuk3NDDGg6oSRzV8S80pxOm87IT8sJt6jrN0xT2p d0ZcrhKHXmV08l9UGixuC+/QEWXOOccboHsU3TfKvfAEamBST2l0anxaS5M7d5E3sLdpbg/7s2Jv 9QlnTbG3RVTi8dppWJRzgsX+DDvzJYXR4sLOcLfrnBG3M+LQ5x6Z8QZ0X0Hfwd4rE0HojeuURg+9 gS2cCICioFIJIc/F3oD5W0QOsuVsG2NmTAcZtf6cgsFCRDkjFJbmnq78couQG7fAH/J1WN9K8mki EIzHAyrBwxBYw+cULHsj3EV4Du5ylPiYi91IwVqtn2etFouVO641a5VsfTwSicciWumplTtyT5F/ U+5jIkyJaOdwq+LQSeKoOuPsQf0dTLYC1olUaqYCq9ziLD6SV87ROZcEgby/bmzdGiUx+d0Wj9XA 1S9t9AWbltYQLe9zOH08q9z4Um7V6TO51T8xCHolq9IoL/3Za29s2/b6r36+WaFSwbbBY4+ugx69 Az0KMzVHGYtkQ1pkHwSPh7BnFlpmp6dertTDdHWxGk5d2O/qLXW1bELWZk6Hhbzjaxyu5wxWj8Xj NxLl2vHxcQXL+5x2n6BhN+9i3dveeO1nlyo1KlYJCvbH5Kkzp8lTL2l5HfROpTiVGwKJ28ddyj6i 3FXQoN54Nw8ilz01U5FwhQDUrDMOO3ubindaLC6zyqmzhZ2usE1Lcl8871xlnLuzGDj4p0IrV3X+ OZ6HKWfyf1IGlX3McuYy+hx1hajr3VEbuMa9Wm2+epJwhxYPplLmpkmiOtQ5OPFHc1fhySkaGqmq tOL0SbNYM/1IoLOdq5v2xaRz4GLQdKVkndGDgthobLdQ9cMVgiXlHHyAXBkQN/cmm2J86dj9l43e siIdX37bWMmSkTVl4I8Y1HzQ7QjawA6rCmQWVgR1OoseUDeEPLZKcUVT6djlOxZmt60fqAOz1hzM BHs3tXrt5V1Vdb0Vjp2RzksXphZ3i97azetXxaoXpiy535EVDZvGRsrqRwcWRdq3jdTEuza1tWxc u6Y6tWr1SNK7aHBJKqozahWs2mx0N165eTwZrQwYWI3L7Q6YdRpTpLW8pDnldKTahzZyrLexrSud WiSKUX9dyuXNtE4la1dmI4I/5cxs2LihPJTNitwdIA1RWstoA6tgjGkS/UuWrmzr/e3qOtXqWvWa 
3wZKhcBqoOjCpdEVzulHXoUafNS1Wj5kC4XHqDntUqugn8LFVtFLtso7RI1sCNu5sNxS4w2U8BJ6 BKbpbcmdZqtKY1TfUUpUIOTOAK8ipbmzpazS7HO68FWKfsKguTN1rdlqNX8pRdRCwOnymRWlxJEg Gj7gcvpNSpLcYbZO7U8Seym3W3CZ1bmDgRJ6/DYaf9QQXDmz7cd3NWQgEIoESAecUijUelXuv89s B9fnDpIB1OE94HmfpLXuaeas6J4VaI4VAs0Z9DdiZnZwfYbMCCFj3sSGXroNi75t+MCt7QUWNlwm JAUoQrLyCMmRxJDsqsPxXdyBwavE3x0RtTosoxcZjj7rrMV6Hd2QjmWor0kf5YDvZmj1LjZ0jC5T 5sX/KtK8DGvMCyX0aJHTAl00xPnfjc2M76ep3XrxaLViRtBRwZ2suOrZW6576tJ05ZXP3rwXjs+a vOnWwcoVV7Q5Ah2X9DSuaAMbhP3yQx/t3zDyrY+fePBjevzOhkd2r2hwL7n7+1fe95Obm6MLx7ff AXr1ewzDPa50MuXM22I0GiBRP4n6SMRLoh4SdRM0wJ0kRbG3oNdRSeskEO5KwiC0TEqO+KRkQFNy 7CMlA5qS3ZoUFuWbAi68yKVHrhfQ05SK1X95AO4pyPVlM84fk4vXAXq44gmBCFbLJMkeiCxN8ZNE LT32WZ2dOkXjbfjnFJawFCp9EVkmPe1bjskWdqHUF6xhleRTNsTkhSNQL/5xlc6onlqrNuhVKq1R Q0x/wWoVTqXXklKFAbZ9FxgfZ8HOVXZiRE3Ne6wWj6DlXntIpzAGnIKLN6h+yCkUBMX6s69oYYMG tLcD2o+BTLczD4rGVD1JB0jKj366iLA6EVaROFCKHXSrdYSoP8hmDtfEgJgmGeum59mbGL0Ejh69 cj1mmYTGplCoCYSv/HCNQ1W+jAcVnywgJEUnK2hqF+O8p4qPx1KMqP99HjjoUs8q3VQVtwM1LZJ+ TAm2w1SdyW5Wczqz4bORy5ssvroltbRwE9c0q9S4WlZ9oWX8nrFyR/edW06xNRqzXtmHFeBqPuCw BZxOI9Gtvf+ajen0YHNJSbJEYwnYzQ7eZI9GXHVrr1vUvvcrz2w/rbWgn8JUgl79BejVUpDXz8Rm DHZkSKKMRBMkGicxH4l7SYQKbsxFYk4Sd5C4ncRtJM6TuJlElSSqIGkvoVJskaQ443BBwxHi5XoK qY7irSNYZ+ErL+cn85+LfvgEj9PCo3LhMQTIo3Lh0TTi8dnqBKOQZFgBiqFQlibqsC5NUVmR8JZP Er2oU6TDPK8LL9WtoFEnmI0a1PiSt56WI6H4aNKptFTqWJiZWX/I+cVYxSkj0zLsIBES5n5hs9xf eIJr6qyBN4KFpVOTnyutgbIAbLL8/YI99zU2t4Y8RbaG47l/LYT/CK8CNW8NuJ1GzoJemxLszc9f jLDvTTWjJF8C2vmrShNI8nHRmGggiXqa/uOoJB+WBLlBltYG+t9F4KMrWJ6fBOiTcDaJBQhJ01D1 luqbqrnquR/WeZ6toc9Pyjr2EK1ZsE5iMhBrgqyuenxu1VDW/OcQ1i0ry4Zd+F8gFJ6XqBg7x6PU pwl/Wk5unBj75S9pUwIX0Z3zUUopxxo574FxMKHlAiDuq10377+y9crl9WYVfb5SrSvtvrxn4dbh 8sTw9SvbRuM+V9DPtmnMOqXNkvNHeiu3PLmliTxx2de3NAtul8kgeCyCV9C4/Z5Q5+a+9nXZoMET Y83hkBYWRzSZe0jJ1m34Msj8UkD6SdAZlcwC5geiNVVOSpUkRSN6pXES15FOFOYQQt5JqjRYGiIB eF0Vaarqrbq8iktXkSp8mEXLmEwhZivD0gJeCdO3DiKmLaik4dIW1LQWvHxXC6lv6Wq5tIWLtpCW 
STYtmipiJCZ+GAqp6/9cugxw1uxXryz+VxNYpEuDpSdgi8OycHhRPRNlirNidtqjYWaZqvxQ1fSz 2tyTtsrhvd/amh7uKLNpQftq9Mm2pTUb9o2WsXUPrr/ygVWJ6iu+sX34hrViQnimZMH6bMfaFp+7 cfWC/rvZ55d/5/F9l7XoeYsl6HF4TEqzxdx/45Nrg5Utl969bOWju7tSg1d9+WtdNz9zZWXF0ERd y8bOWEb6H6W+JhGpuCi9zW6cQf8kEdc/Bx1UrCnSZ0jKrjnpaeXTqtJZdEa9fQadnZs0m5C0Jpne miZdt0w/n5v0m+bpYmSwXJSeNjbMQS9LZNoyB334f5fMv72Q+E2UXp+bhE2UppAs4jRZw9bnZpJN vAidsZ2xb7W/J5HjmQvJmf5P0QtzkWu7u69Iv/Zki/SP8zRP/5/S7+cirw1orfdGSs8g+VS+8b+J bgF6cg5635/9O+mOQNf/Eb37/4qCj4aWhj4MfRg+UnKlRJHYPM3TPM3TPM3TPM3TPM3TPM3TPM3T PM3TPM3TPM3TPM3Tf4ZoPpkwjLGLIWytgWG0pJFRMJb8B8ATlDczTuD9+feAT+TXA78s/xbwnfln GQV5JP9T4MfyvwZ+Mn+GUXArGDPwUcYAfE3+OeDj+X7g62h7O9xTYBT5PwKfyL8CfGf+XUYgSTwD d0N+jPIX8ZNwT2hzK/L/DHwcuAV69SfgzXB/C/QK2xOMjrHAZz4GvoZZBXwc3+XWQdsF3/W/gDfn zwKfgFG44Bs/ZFzw+ZeAj0IfXHAVB3w8/z7wddD2wVVngVugbz74RuT9MGofMw798RE2/yZwHvrj Ix64v48E8r8BnswfA34Dbe+j5x/Ba2FErwA/Tq86iW3A4W0mDt9yD3ALjCJOxxWHfj4AvJ+2x/O/ Z+LwXS8Bx++Kw3f9EXgA7hyHb8Ez++iZe/NvMHEYUS3w0XwWOI4oTseSgFF/BHwn4JOAnvwe+HEY XQIQ/hD4SbhbGR17M/TnDaYZ7vM28FHoQyv07TngCZjrVujV48DH6fnL4D6tcM83mVaKRiv08DXg nvxvgSMarYDGO8B3AW6tZDflN9Dzd9H2PvrJu2n7XrwnYPVr4IfomWP5R4Efz38N+Mn800wrIPYm A3IEM9gPKL0NfAKQ6Yc+nGX6YSx/Bv5TGGk/9P8V4KMwrn7AwQAc+9wPaBiYEbjD5cCb8zuBTwAm I9D/XwLn868C98C3jED/zwBP4uehz9jeR8/fC30bIY/Q8yeRw3exwEdznwFfw1QCH2eMwNfR9vb8 /2BW0/ldDRieA94P87UaMHwb+ARt78R34RtfB35D/jTwY/l/AX4c8FkNYwcOq0nHjEPPPwDeDH0e h2s/BL4Tz8Dn3wN+HGZwHD7/DjMO6w7e5VBWx2HdYXs7XDUBd1gP3ALfMgH9+RHw5vwPgffnXwQ+ DuhNAPmYCcAEf8GQz+PvEHry+AuIgTz+BuGSPP764a48/sbibspvoOfvou199JN30/a9efx9xEO0 fSyPvxB5PI+/H/liHn818mQefy/yp/ntzARgWA58JH8d8NF8HXBEcgKQdABfR9vboT+XQf9/AbwZ JO0yqhMug8+/zuyE8/8VuAUkYSeMC3lz/pvA+2kbx7UTRnQUOA/yvBNGNAk8kD8EfEn+x8B35U8A 3035DdDPnTAibO+jn7ybtu/NHwF+iLaPgTzshFH8hNkJPUkCH81XA1/DmICvo3x7/puEhVXwZ+CP 5M8Bh6uAH89/CPxFeuZk/teEhZn6DTHDJ98Hfm/+I+CP5D8Gfoy2j1P+Yv4M8JO0/dP8PxMzXHWW 8DCu94HfADwAd/gT8Efy/w4crw3QawNw7e+An8z/G/Cf5v9IArgiSBKufQ04n/8FcE/+J8AD+VPA 
QRsDX5I/AfyG/KvA99F3782/DfwYYwR+nFEBP8nogOM9k4DDrcBH89cAX8NcBXyccQNfR9v/m7jv gY+quvK/d978/xOGiBgohQkgBKQhIlU+EDFgUAwIIwqlYSWZJJNkJH+GySQkkMAjBgyQxdGlSlnb RpaytnXV1RWtWjsxbEI1tYhBKYMaUFBpwEghZt2Ut9973pvJBNDS3V8/v3c859377r3n3vu955x7 X4IvAeV3kBvYaO5Gv0chnUDGjX7PQI7G+N3cza6BrAM+bvQonu/CyN3YU66DXMHuhYR/QeYgnU3Y ZhO22YRtNmGbTdhmE7bZhO39aDscMgfSR2kfpUswkg8gncpByJHKAcjRyuuQdcqrkNvoSQjaStBL L+SLyilegrm8wCup90rqvZJ6r6TeK6n3Suq9knqvoppVVLOKalZRzSqqWUU1q6hmHUq/gmxR+iDb sDp1KL0A2QHk64BwhG8hO9lCdrKF7GQLrfUWWustZCdbyE62kJ1sITvZBmytvAnzfQ/SqZyAHInS Jsz3JKSb0nXKR5DbKI09BTKMFWnCWtsgxVo3YQxuSFg75Aq2AnIldrUm4CnSAdhMCCM8A7lL+Rwy jBUM0dhCGNtpyHbMIoSxneUhjO0k34VRfQrpJDkSrXZhVKch62BXuzAe8WSX8jHfhR7vhFyJ8exC jyIdUFp4GBpOQAoNYbFLQo4mmYKaYZpdGNrOQG6j5yHgFkYkt0KGmR2yhWQ7yQ6schgz9UAuV5ZD rhB7EvqFT6JfkQ4o7/AW9Ps5pBM6W9DvWcjRJFPgHS3oV6RFvy3oV6RDJHfhtNRC/bagXzNkO6U7 sLIthHAL+oUdUL8t1G8L9duCfg/zNvQbgXQqhyBHKp2Qo5U3IevgZW3oSzwJwera0JcR8kWMsA3a boLMIRlQ3uDt0HMc0on5tkPPZ5CjgWE7xm+FdNPzOnq+jaTwhXbCrZ3G307jbyfbaKfxt2P8ZZDL lRrIFWw2pBh/O/oV6QCiTYc4M0A6KT0Ss+hAv0KmwE460O8XkHVUuo2eh2APHZiFKA0Dww5xhoFs F2n0MgoyB+eqpTiZ4ryIs8xwyAJlHWRQeUBaCvs5LC3Fzoh4LU6kkDmUDipvYn/VMztkonIUciLJ mewaSOwgkAVKEWSxchYyqPil5RjnEUg3elkOzZ2QYeUFyBblNch2Sncwq7QcPT4AuVK5FTKH0gHl YYxYf7EPMhH1V6DHFyBnKushF1C6gA2RVgClVZBOpQRypFIOOZqkW6mAvJ+ZIX1KL2Sl8i5kFck6 qr+F0tuofhOlQ8qDkC9SOqychGwh2aa8A9kOfFZgBT+VVmAFZ0Iux5jFqeM+yInKMUmcPfZCCkxw AmErIIOY40qM821Ip/Ik5EjlXyBHK7+AdCvPQNYpr0Buo+ch9LUS+udCLlfmYM0EDjmEQw7hkEM4 5BAOOYRDDuGQQzjkEA45hEMO4ZBDOOQQDjmEQw7hkEM45BAOOYRDDuGQQzjkEA45hEMO4ZBDOOQQ DjmEQw7hkEM4BMTeChkm2QYLCYh3E2m9iKuQPnYbvUt9TzeWiW+BiquApERvWAmUE2kdS5D0Wlpi 46VELa2Pq2PAe8jNWtoY99zEqqRFWtrMJqNETVuYS9qvpa265lh9G1smfaKl7WyyfqaWduh26qN1 EliJsV+8A9I1zVSspTkzmXZpaR0zmU9raYklmr/U0vq4OgZmt0ha2hj33MRmWYZoaTO71lSupS3M acnS0lbujtW3sRss2Vrazq61bNLSDr7QEq2TwG62nsJIuN6i4aymVZzVtIqzmlZxVtP6uDoqzmra GPdcxVlNqziraRVnNa3irKZVnNW0irOaVnFW0yrOv2AuNg0n2hshXexu+mu1AVbOKsCF8CYXu53+ 
yq/6t349eOJDqoylomQOKwG52BI8K8I5OIhWIufF3YvaVZAFqHk72pWgTh6e+VDDR/U84FLoKqC6 ZchV4FkZlantfRiBC+xBPR801CC3Bqkg+nLR3xbOQ7oEdV005kq0LqC/XVxEWso1rUHUKNX6FDVc mGM59emlv1Es5nIXzbUQTzz0t3MDNAsX3T00S9GvOo98lEwhzaX0pIQ0eoCR+jzaSyn0lBBifm2U ZXhSSr2qOsU8g3EjED36aS7Rv62soq2OXfRUDgRc9FeFiwgFH/0dYfH3mYOUEzMOxtZDxUztxUVj L9PmVU7Y5lHNgRHHz0igVk3t1FmvQj6V7CF+NSeStlLSUEM4VGorH4+3WDF1/l4av5i/ui4BsgZx V3sUa+2CDn9sNuoYi7Q6Fcit1bQHMQt1hapiq+QhG/HgaemgeUWtOR8j8VD/+Vr/qWSxRbRWouRy H5h52ayXaZbj02zs+9ByCzzomy09SH0WkCWKXlbF1iCKzZV8r0iza3+strBcdcXLUN9LtrMQNfJZ CmE6CXUKSN+d1Lac9AdBfsxjKmgNUSr51OD+UjXtU5GuIQssolH7oaEGTwVihTRjYamDtUafF9Jf FA+QvUT1/ZDmoFpJDa1uBY0wSHZcQX6ntnbRHIQPeGkFfdSHl9Ywj9pG0ZrHlmLec7S2gbgS1X8K CJMBn1ij/SXu4m/oV82LuvlYwUrCsCBmYwVU7icLqYmzKz/NtEyzLFWXl6TwlEvnLcpVj0xBK7FS whryYj1daVRll2m+eowGtEejokuLa0Ead/6g+HL53KPR5NJxzYpDQMxEnYsaZaP7RCAWsQsoZpVR 7PJ840xVnD2DMFU9vlyT6qzUdCVZXiW1LCD/F7PxxvSImiXkNd+2Qv+v/GLAJ6bSaIQPqJE/ldbK z6p/4ZqWduM0192+/EB5RXlh0HV7ecBfHvAEfeVlqa45JSWuJb6i4mCFa4m3whuo8hak3u4p8eUF fC5fhcvjKi0v8AbKXBWesgoXyn2FrkJPqa+kxrXGFyx2VVTmBUu8rkB5ZVmBr6yowlWOqkFvKVqW FbjyywNl3kBFquuuoKvQ6wlWBrwVroDXU+LyBdFHfsUUV0WpByPI9/iRFk1KK0uCPj9UllWWegOo WeENkoIKlz9QjnGLYUN7SUn5GlcxBu7ylfo9+UGXr8wVFPPAyNDEVeIrQ1/lha48XxEpVjsKequD aOxb5U11adOcWOEq9ZTVuPIrMXl13MFi9O9d4wp4MJeAD9NGQ0+pq9IvuoHGIjyp8K1F9WA5JlQl puRxrfEEStW+BMz5xZ4ABuYNpC7xFlWWeAKxFZgZ7XoZwMF0XN9PvWXaINCDAU+Bt9QTWCVmIEYz sHpFwNovHueXY+JlPm9F6sLK/BRPxSRXgdd1Z6C8PFgcDPpnTp26Zs2a1NJou1RUnxqs8ZcXBTz+ 4pqp+cHC8rJghVZVpAs96H6VqPfD8kpAUuOqrPCicwxIFLs8WAFvoNQXDHoLXHk1NKx5SxfOQWmA Mlifgkp1JdYU+/KL49ri7ivLL6ksQFMgVuCr8JegA4GVP+BDhXzU8pYFU13RvsvLsJApvkkub2me aDSgqixa+YojourCFLEsFcGAL1+1l1jvwkyiumbRAFJ86AUmK3wiIAy7oHxNWUm5J75TjNmjjhQL j+kCY5GoDPorg4C9ypfvFXWKvSX+SyZ0NWtBKzG1wFvogfGneir81bH3JqYksc3sShdHDZy82TXM pChsCM746tsG4ylgl/q7rG+59NIFu52jjm7+1dZ3OER9qfhq6w8ZIurrG6+2vtMp6hueutr6Q4eK +sYDV1v/mmtQH3cm3r70VF+8fc4lOZQ5WCIbyZJwrhzFprMJ2OEnskU4Va9AbC1GpK5k6ayeZbKH 
cQJ4gi3A+8sP2D6WzVrZSnYQ0fcD1BI/Y/+K67idD+HXcScfz0fyqXw0T+cp/E7u5vfxbO7h9/My 7uPreAnfysv547yS7+FV/Flex1/hW/h/8m38EG/iH/EQFz/5u8Bf1HEe1tl5i+463qZL4e26m3iH LkPK0i2QluqWSz/Q5UrLdaukFbrV0kpdjZSj2ygFdFukoO5hab3uR9IG3R7pcd0L0k7dq9JLugNS t+6wdEZ3Qjqr+0Lq0fVLX0oW6YI0HGs7bjA+0sT/JT57gM+/A5/Xgc9bwOcI8DmJWueAjwJ8hgGf McDne8BnBvC5A/jcA3xygE8J8FkLfB5C6jHgswf4PA98fgN8DgCfd4FPF/ARP1ft47t0EvBxAp/v AJ8JwOcW4DMX+CwGPtnApxj4+IHPOuCzEfhsAT6PAJ8fA5+fAZ+fA58Xgc9/Ap/fA58I8PkM+FyQ zko6qUcaAnxGAZ9JwOPmwfgY74/D5zrgcz3wuQn4zAE+i4HP/cBnFfCpAT4PAZ8fAZ9/AT6vAJ8D wOc94PMJ8DnHCqCumCewIB8FfG4CPrcBn0XAJxv4+IBPJfBpQO6fgM9uPHkO+LQAn4Mo+Qj4nAM+ F/kWnZVv043gTbCTkG468MkAPouATzbwKQQ+NcBnE/DZAXyagc+zwOdl4LMf+LwFfDqBzwfA5xTw 6QY+56QNkl56XBou7ZTGSC9JqVK3lC6dkbKAz3LgUwh8gsCnHviEBuNjOROHzwjgkwJ8bgE+dwCf peL3scBHnF3qgc8jwKcZ+DwLfA4An/eBTw/wUdhK4FLAvwt8pgCfWcDnPuCTC3z8wKcW+DQBn53A 5yng8xLwaQc+h4HPKeDTyyt1Rl4FTOp01wOfG4FPBvBZDHxWAJ8i4FMJfDYCn38EPs3A52ng8yrw aQc+7wOfLuDTDXz+DHz6pRzJIAWkBMx6mLReGgl8vgd8MoDPXcCnAPhUAJ964PMI8GkGPs8Cn9eB z+8H4+N4JQ6f7wCfG4DPLPEbduCzAvisAj6bgc+TwOffgU8L8HkH+HSzBdzEfsDHsmw+DfjMBT5L gE+e+J0d8NkJfH4OfPYBn1bg0wl8jgOfczxbp+P3667hPt1YXgL7KNfNAz7LgM8q4FMNfDYBnx8B n58Dn+eBz2+Bz9vAJwJ8PgM+f+HtkpV3YN5Z0kRpqTRD+oE0B5awSPy0VFoJypGKgI8f+FQBn1rg EwI+e4DPvwGfN4HPUeBzGvh8LfXordKX+pHSBf1khOOZg/EZej4On+8Cn1TgswD4FAOfGuCzFfj8 K/DZD3wOA59TwOcrNo8PAz43Ap9FwCcH+NQCn38EPj8FPq8CnyPA5xTw6eMjYRujdUk8BbHDrZsB fO4CPiuATynwqQc+O4DPXuCD+KN7C/j8EficBj7/zUOShe+SruMvShN5WPo+b5EW8jYpH/isBj7b gc8TQOQZ4AP/ktqAz++BzvvA5zjw+RPw+RL49Ekb9A7pcf1Yaad+ivSSfoHUrS+WzuhrpLP6rcDn n4HPy8Dnd8DnqNjnzSb853SmpGTW1tebDdxs6gqFehobG3tExuhvlHE1+s1Gbjb3NDbgQokeJT2y jP/kQRmZqs3IlOUnGjJnUAYN+kUrM+dmvaxdZomZ9S71ClM/jaHmcHMo1Gg2c7O1tfXnuH78Y1Kw f/+ePTt2NDVRprqBrmpqQ6MU2sSoKRNqbKTh5IbkDJczlGs2MLOxT+soOhxVgY2ZbQ2uBldWRlbG PSCX7JKNBm409ZirGxupAxMm1SjUGvXcaPCLgfvpuVlUQSWq72/sk+Vqsx4zSsvoyRAXKhmN1aFQ ruxXYYSm5w6IJioKTEXBKilmycViOIiRy7IAojk0CC6jmRut+363BRd1qerSesclRmU0qWMlOIwm 
dYBms1HiRn2XqgWzMPrlcJqzy6RnJr062DRSI2rvLDYamNHQ2Oh2u1xGCzNaGuVGeSlC61iQWoYS d6N5oFpGhujA0IWE3BU3ZiZLOsYlPDVybpRkcWiSOS5JFJhFgYTpGtzNzRKQM7jdzVxien0XNzK9 sd+qgybUoSsjg7IiIS5ZliS0bG5uNpuwoGnz56ctaWoKmI1Y6pSU2hR3n9tN607QEDjI5DYTyH1a idnsdGWombQ0tzvU53SqtiIM2qy18ROEzq5vcRGYlEmYuyxr5v73cxFTzEUs3GxrkVvk3aAdILFM g10FwFhmZNbjQhcx7/g/uIr9W1zFYuAWkxzvK0bVV6jAHHMWUZAb6hEFemaBs1zJW6LKvsFd9APu YtFzC9xF8xcL55YYdv8nhxG+/lz4Eoch9864sscYv8VjjAMeY7yCx8SP+ttdxqK5jEVzGculLmPT QVXUZeAqlI/6jOo0FuE0FhO3WITT5D16udfAOAa8BpkBr6GSqNcgM+A1yAx4jaZAeI3FwiwWMxsG EmjMYRtoHS1GbjEL5PtgW31iNOb0uTTmuek0tr4GYbf1KBOm0CerbjOQ6yMtoqZot72+XmsnGl0U YrApCFszOLWri3pvUD2pscFi5RZ7GNeTGU9mPErUBLKYucXa8uSTj2zZsmnTg5RLn7tRXOhKKKCh xyZDuUb4PQ1RbJh+AYbFxCymi9GeY0Mkn7TYuMUhXGqr5lQ3ysKpTAZuEjBXw7KsRm41o4uX90P9 /pdFkboZN/qpSK/XB5tQ1BQ0GblJbIz9slxr1TOrIeZZGahpMtWK5ZRRoXqQToyXgNK8S7ZLimXA veBgVgO3ClfU0LJybh2AVTZZuMn+Auug6KMSDUTTHR1Ug9qt9nz/y8KPRVYbO2Zh0nOT5nCySIvg kSuWSixcdCZppI/UYcICJuFNcCeTlZlsmRmZGZNlQUNxtFOLUeh2N1rjqsLjSH+PU/hej5XrrIaY 78l6HdPphaeYODdhnsL7ZLwq6/SiDFMXZXpAYpwfCoX0BobE/PkhLnG9oQvHZ4PpokPiVoMrzgdd 9EQk1Eto0EMDFISsZm61zsjMxO61tWFzDVnL+PHrx4+f3z9/vmZJmitSTnNFV59WBl8Uzigs0JSU kjJ/fmO/2Rx1EnijsECjpgVhzdlltTAr/HHAIzfAJymumrjVQkYsPK9fDMwye446hzmzaZz99WT+ G1EqTKg/6ob9ZCMxr5SpMrV9eONGra1op1DrSyyIbNUZc03S3BDd5BqsNm51hHPDuYhZzY+4HoGr bHUJlyGlwjtV97RauNU2W5tK9JrDZjPSJ6alumpslvDVhoZ6Grjwp1yngMpqYlZzzFmdsYGrTi/G ktDgiu6BcQ6rWrm+FlZpM3KbcK54jzVpHktl+iu7rE3PbMJlYz5rQtl64Tcyjhu1g9X+Vae1GbhN OG3Ua22c2+Iw/zu5rZhqNcW9nr+329q4zhZ126vwW1vUb20m1W9FYsBvzcxgVhIkbovzW+Gv9GjA cTXPtZHn2izcZpuBd8NMNp+lsXvYFraJ1YOrYf8wo7FjxypjM5XMzEwyQe2VRQBq0FnNrpgja6V6 PW2rqmclxVyZsrUYfDXA1kJ3tQa+ucdmZTar+Jf6gpJBGfIGGRPIkDNsJm7TDJ382WZGfrRHnV2G Z7TIW/s2qx5dv7mPDEx4tObSA3kSMk13DMuVMxjwZg+reuRceQyjogHbUuLs7FK7Iyt3Dng7jbI+ thPX2xzcNiScFE5qTmlOCc0PzReRb5N5k7neTL2E5WZQCNQoN4DqQRvVsY1i+YPcfw7yo5gGA50k aADRvOr/9TTN6gZMJc0sALaZmC0uAjgvmVt8ZKGx1mNk85wqpYhBNzsznBnaSyoCAhbKbuJ2i+q6 
Ytvf//Kg1wUq1eGaeYcovWOm9mIgggJKDcxumDEQFcSymgfCQn3tJcrr69XoGsPBISnW+MjgCtuN 3G6OCw0Nds7t8Wskm23cnPDrcJurIY7oZSLayaA3C9tACUUIykdng4nR+4UWImTtbCjiLcKt2Ecz MvrUqc0grWoHgAFvW2aoz0xJwfEy/t0jGinUtyERGxAqbPHVnXh1oQMpPMqVIffZuc5ujE0vPlqY uc5skNVDdly4sEfDhT0aLuzRcGGIhoshEreLcBGNF0i56BmlovGCAobdJAKG3crtdjVgZLIUhAw3 jFiEjNtZethmht1RyFBjBtmpinAUZJslzR3SzPIi5asbAK9ehI2L5N72YcPGZ2Y2KAgVVK7GDdQR dh3VJ9ZE32e3MbstgSWw7xDdKN8o54Y3YKMVe63dzO3W/ra2tv39ba2trW39dgsejGF+OZeF4ygX T8YwmtdF1opX0XDc1SK3yhcZ2edFke+npxcHHlxU61HzMbI/Q9XdrjXPDfvDY2QqHNCpxHcQtuuw rIMewFuMSbFrp58m0trW0XGk58iRjra2VnsCtzu7RnWN6kk/OOVIyZGSAws7OvY3tTe12lvt1FlX uCd8MHwE1AFqA70Rbg23hO02bneMYas1iKKUG14dBgQqYISVOhIBWD9rY61EbUyk1VyLTBCkF4bD XdWjEozGjmq7mdktysDAky6Z9sDlkW9j9iHcPrTF2GJs3ZzflN9U2FHYcfOR6cvTq5PSktLoBaO2 zWhc39b2dpXDzB1W0e7YqVZxnTqmvmkVkrLCdCqXcM0qovKiWeI1B2Nra8Pq5KU7jNxhTM/Nze3L 1S67KN8A02irDa9Hi/WXdtHa6tBxhz4cZiw2aqdecRjS0hhLG7i6HCbusIjSNqxOz5GOjjatYdxl sXPLkGNdn6a1DSJ6F4v1p76ZFVK6MN0eV3bqmFgK8SA2P8yVTsdHuqJdiHe36v1iLexN1eLcZByY 7gzSrfUDcMS7rPiRSz4TdDNoFMiSgP+EAeUnFe0s2Dn9ufSepNykXJyyLebWwsL0pPTCwlb7ldsm gdIYDaLfnpSUBoPqd+h0jji7Bo4GiesMGE9YxlZhMQhwmcBX7BsGKnaoxQaAah5b2NHRYTAxh7mw sLCjkeu5wdjDxc8lFNmpx4qmibpRP8vNTaOHlNIuUW7A2ps7xOWwcYdjNlMHXsjS2YxwCfxCOHx+ OD0XM7Nbkun4ochCzgUp8ly6k2doixNdH7t1RvWRqKkr9KC2DQtjNNoBgEK+k8BGs+HAaAI6vAOe o8hGJohqrxdrU2tEk7bagQ7ybxMa+rTf2lrZbt1yJuXXBErYsKKAdxWbWeIJlrGFKOH3LpnrAvBM Uej3AEbmwMuQmuPMhKh4LT1Xn+jwsjQEgxnOpLvc7vls/JLFd7tY2n1LFrhwClDriN+bO9l1lJPQ w9CYdhx4cDYboeUQoNg1bCT7Tr6/ws/2kPwlyedI7iP5Gsk3VnkDZewAybdJdpI8SrKL5CmS3eKf dbBzQnIjyZEkU0nOJbmM5AOlq0pX8fUkN5PcTvIxkj8luZfkM7Hffv81ya9SmoGkBAyMQBiuAVz+ /z3TYR0cf/NdGKX495XiXwTWs0fZbvY8e4MdYifYOa5jFpqpWZttNxP/tllCu2Fwcy5+x8JnqvfG zer9J31xbWBvZ3cPynN7/+B8woTB+aGJg/PX7Bqcv/7i4HzKJeWTRw7OT0cg0sXnz8eVGxm/M31w fuFW3K2w6RTmFv8eHG3qAVWazs026Pbo3mfN0k+kn7BOfVD/JDtseNfYyCXrvVYP/7X1IbwYHLA7 7fN0t9tX2H+qq3EUOB7Q/caxwdGk25+gSzDrDiV8lfCV7o+My70CG+N7jn1XpIOgo45P4ui0Rgev 
QOcTxsYoBTQTlAl6gGjnpeQ4mLA74T+cj2nUHEe/FCSOoVcg61B3jLYO3RGjXpUSR12BUkHTh+2K oz0qUcklNOz5YQdi9Pa1XaBTgobrr0SJqcMTh6dctzWOdhC9cUU6eN3XUUoaljQyRpkaZV2R3ETL tPtgkjUp6rURdcZIbf1hUs+IySMKRvx0xFOCLtU+4pkrkap9xMsjTmh0foBELyO+pr5kwd9dOG5m jBaOWxKjAo0eAMnjHhB/KHh8xvWp12eOewAy9fo3JhyY+B7R+ZRskH/SBNCUSScm9YFPTLo4+cAN PxU06cQNr91w+obTU/RTEqYMm/IKqDN1Nsidmj31CY1ev1G+acJNn01/9ObpoNm3JN2SfUv1jOc1 em1G24zOmZNBM2ZunnXsViNR6NY3iPpn3zz7aY323dqP/NOzeyjXc5vuNt3sp2+bkrE947U5qfOW gz68s/jWkFob9x611l2zRb27FmaNzUrLmp311IIJRO4FDxBVL9i84AnI6gVvgroWrl0oL/zwbj/o sUW5qOVe9Paitxe8CXlMpEAnFnUv+nqxTLR3cQfRh4u7wR8u7nXrF/eivNud7T7mPnFPEPToEhfq 7V3cq5YsWbu4d8knS84udS9rW778/sT7R90/oUhflF10pOjr6L14Cuj5MmfZWH+1v94f9p/wd/t7 V+tXT1udubpwtX/12tWNqx9b/fTqfav3rz4U8AceDTwVOFfBKhIr5lfkVbxW8V5wejAv+ETlssrG ytcrz1cZq6ZU3VH1dNWpNZlrvq4eVX1HdW51oPqJ6meqj9SMrfmHmn01R2q+XmtfO3ztjLVz1xas 3bv2yLrJ6zLXrVy3c90v1x1b11ubUbu29rU6Y11GXaDuubq2uv71I9cXr9+7vnvDzA3VG56R3d8Q q/ZdGo8GRxu5aoBEHKGfdWikRpBv8L2sSz1usJ+oln7FqBONPHE0OHbIbQMkooPcOUBqXBAx1PnL pLbrdiAOH53dg6hJMZjuiLdD3YivOxN2Ox9zHIzFTNQd2juuQLR17EvYORA7VZQQnTMp/qq1xibs jqInnopYTHWPinKqryEIvfscnyCS70aLo6TtIEb3GO5HiQZ2h9OX7AqZcfvAwE6wW4z7suj/y8ui v1WL+Vsp3lOUJz1onZCJ9M5oJMR6PKWtF2KTGn/U+KatI2IiIqBYtYJYdIyuKGJcUpZ8QrQYWONx S+QT8gloE7XOo8w94sS4JZfbBOJgZ1xEvUKcjY+rl8dULXK3kTWpUXRhNH6KuI4n6FXuHvEUnixJ ct88fdHbw/XqPkZ37FnXfX1tF6wqMbr7RHeVxFHD9QM7kGqVYm+j2npRA23fGJ4oSsQTUUs8Txzl OBi11KSRiaOwAyaK9iKtPh3YR+N3UjEW2jW1fTNu50yEhkv3yR2DdseD2s44LDp6lH+t9i76X+C+ tispE+MZhL5ATWCMlYrz2CjGqicKNFVLGVcAvLPEagokktzDdtF6PyXWJs6rZ454BnON7rCdqla5 O0mWu1USPYj7uCViVURKtTRxl7uvTx0/TWV1hxs/jXalOBI7nLq70f74vyTaU+Po8hq008aRtuPG 6PIWYqf924j24qum2I79DXQpUoJi+/g3EO3sV0102rhKuhQdOqPE0eX40dkljoTdqyv9t9Hlmv/6 6K6OVJzF2SVh963GrLG39juOilMPUYieGMVJh3KhrLHiDKSVgXCCmiFOTepTEftFShCdjpbTyUqc oXpm99D5CKcjpN64NUSnEzl2ihG0d7G86NhiWZxgKLdXO+eo6b04BZ0QT8SJRrRbpBGdeIJ0NkJd Kt0r5IhnUHuvOE0hWkxYdIzOXdUauenJBHHqopx70TERl7QyEE5uaTiriROaaLeZUiA6p/npPIe6 
gTEUtviN17RAX4WZwSTbdETqzOuosDtSr8B4uc30wGcs7IN0HdJNgfLgqzp8EyfFMxdpAfI7QmWB tAdpfzC/HulQMH8skEZQMBlIAikKKQ4pOVB3RDOuT4VFSLcHvqfC0tB3HqjbmutR4VAkL9JwpFHB zzA2sL0RGcHPOgFpEtKU4PqZwfXZwZSLMvyOhfLzLEJaGvosgc+8AGkR0lKkFUirkNYhbUTahrQr +Lqvxmt1/YNIR4OvG4PtjtZYf4KoyIHkQopEikVK+uVV/n5FKUipZ/yqjuj2y28lP1tRevC3rmtK qJ14/x4T2A7vVwmBerzdmikLKeeX11AfgX7VET1R3gWpR3D/w7qiK355LeqLdIOj3oBtJb0qVxc8 WEaMBqMAjimLAo4viwNOLEsGTi5rBpxe1rpytWzlv6ngpbIMf9GAXSV9KtcP2FdyXeWmgjll2Yy5 ofz8sm6Vm+Ra/+0DDpbcVLmjYGFZz8odgXwQj5YUVe4pWFJ2JWM/4HLOL+f8yrL+wDVlBcANZQOB W8oGV+6RrfylwNuRP1FSWrm/YGfZEODesvuAB8p8lftluX9ovqNkaOWhgsNlDwKPl43xe/NdJd7K Y4Vq2XjGiYyTgVZhd2B42XRgTNlLwISyOcDGZfMrj8lW/uGFLcoW+ibnR5YM9+GbLVvio/zYklE+ Q6J/VH5SyVifKMwsWw7sWLbSJ2SJf2ygPIgpJRN8UfmpJZN8cYWdy9aEsHvZBl+cLPdPCGJ6yRRf cmGvsi2MO4F9OH9d2V7gTWUHgEVlh4G3lx0PYalH9U8qHOqx/FPys0pm+poVej3hvmbcW+tgyXBP TDXKEv/M/JySWb6MwlGeBMbG1XlZ7p+V36Vkri+7cKynhS9b5v1z87t40pDvUbLAl1s4wZPJ2DGU n+TpDJzi6Q6c6ekFnOXpA5zruY7zN/lyZVv/gvwrShb5uuX3LVnq61m4wFMUwkWeIv+iwqWe2309 828oWeG7Mn9AySoeQynj0FB+hceLkdxass7Xr3CVZ3gI13lG+frlF5ds9PW/Y0nFcMZRjGOByysm AFdWTAKuqZgC3FAxE7ilYpavv2xV5b1jZ8XcquH5npJtvoL8e0p2+QbesbdiAfBAxSJGmT9csdQ3 UK6tGpU/rGSfz7jjeMUKn1GsluyrGhvA/JElB32Di62KVYzrgOGcD+d8TMVGYELFNmDjil3AFhX7 fINlq6oJwKPIjy454RtSnFZxEJhZcRTYsQIlsrxqUv64UofvvuLOXondva6qKflPlrp8vuJe3kiJ xaM4Hwvs400CXudNAd7kTQUWedOBt3uzfD7Zqmpmcak3p2pW/rP5O3wPFg/1dvE9mD+1NNI3RuKI Zvkvlsb6xhd7vT2Aw71X+MbLkqq5gfIgvlKa5JuYP680xTe5eJS3bwjHem/AsYPyqgVBfLM01Te9 eIJ3AOOtofwkbzFwitcDnOm9BzjLOww41zsSuMA7umpR8SLvOH9R/uLSdN9LxUu9T1Yt5d7mBEtW eJ8FrpIoS6pW5C8rzfLNL17nncr4YnVelletyv+gNMe3sHij9xXfQpmvWle8zTuvamP+6tIuviXF u/DNA71vhvL7vIuBB73LgEe9HwBPeFf7ltzp8K4HurybfEtk26pt+etLe/iW528qvcK38s5I745f Yax3j29l/o7Svr41+XtKb/BtuDPJu5/xUCif4j3m25C/v3SAb8udqfdTCNPvN3xb8g+V3urbWbjR M5ZxAnAb53d5JgH3eaYAD3pmAo96ZgFPeOb6dspW/qVFDs8C/4r8Y6XFvr0FVOrxHShyeRYBIxlj GZM8S30H5Fr/qgKj9B7f4QLDs0KizBeleFb5wwtE6TDf8aJUzzrGjb/Kp3u2AbM8u4A5nn3ALp6D 
vuOylX9dQVTpSL9aEFc62m8V9fAcBV7hOQHsW+4A3lDu8lsFyaXj/OFFAxhvLY/0byxoVvqkP6ao uDyWMYkxxR9T0Kw8FXlPeTrwnvIs4LDyHFmO+tuKRpZ3Qcno8h7+XQWtS5/1JxSNK78C+GR5X39C QUbpVN8aif59Rc+W3+A/WJBd+iLqTy0fgB6yy2+ViJJtgfIg5pa+4m9c0K10Hsb2Ynkx8BXGeeUe fDOy/GjRm+X3YPbkfEHP0jf9LYoWlw9jHBnCZeWjgR+UjwOuLn8SuL78WeCm8qnAHeUv+k8U7Sl/ ZbgD/Sz2pxUkl88Ddvt/7H1/UBvZnedrIQuNh9EwDMOwDEMYhjCEEIcQh3AsIQ5hCEMYwhLCegnB Gvqnup+E1Gq1ZCOEELLsEB/FeL3E6yOOj/X5KMehHBfnOJzjEJ+P9bIUoYjXx7p8FPFSDuEowjmE 9Tku577vSWL8Kxlv1f63W9/6fLvd/fT6/fi874/nbttxBXS9Ywrauea6AHqDaHpl0drkmO0ubr/n uvSoJteDkLa6rnTnsSbXVDDZ2uK43l3KJrlmu0vJeTDN2uKCK1ar4ybtV1Tfip+zKa5l0OmuNdBZ rg3Qua57oAtUBLpINUHfyW/vWgXHre4KK3Ysd1exJWrSY7pcTemusqqOte5aq8+x0d3AVjoPE62m b+kaNau7wRpw3OtuZuvVXNBNVLeoBaCtalEwk8QkwRxWUEsgPoHYIJjPYrW8a5lV1UrQPrUm6sGD O4gfDO5kA2p9IIsNq02BLOKJgmVsn9pCvJJqBQ2+JriLHVCFQAk7qGLwL7BegtXskKoGlghvg3Xs sOoL3GdH1ADoUTUc5ViwkcxvcDc7pvZ151lr1AHQMA7BNnZcHSRjog6BjvZ0Qh0GPamOdDdQj3Nb 2dmZBN6HWP5VpawzJYCVXZ3poKs7s2L2+Q6xcvvvKnWduYHhPRc6C0ATO/NAaewsIjanswQ0WJKI UdndWQ7Wo62zMjBPmb/ITqujQY6dU8eCMjuvjged7II6EdTZJXWy6ya7ok533WLX1bmgH8rMQ5lN dSEYYu+rS8GDnEFdCfZzZnU9eISzqJtda3vq1PuBSi7VbQge4zLc5uCJPbvdlkA9l+1ODZ7ak+/O CJ7Zs8OdHcji8tx53Ve5Qndh8BxX7C4OXojGG1ypuzR4iatwV3TNkogieIWrclcFp7hady2ZBXdD 3LNzDe5mqltBN0PbZrlWd3vwOtfuloI3OcntCN7iHG4tuMxp7n3BNW6fOxjciMa07xncEYjionEU jVK4oPsQxK40buQi7sOgD7mPQhRHuHHvvXY3aO6w+2QP4o66T/eYuOPusz1J3ElSco/Rfb5rgzvt vtiTEo3crEPuy12z3Fn3VVjjNEblzrtnupbfy3Bf67rHXXTfgKdL7kUYh8vu26CvulcDudyM+w7E YKfdd6E919wPQN/QjMF+66a2Hepf1JJ70rnbWlpwloxATxa3qmVGud2Ty93RcqCeu1p+oIR7oO3o KeCN2s6eomiEyW/XynpK+GRtV085WRc9lXyaVg1ROsTqPTVRzWdqddEIvKf+Id1EdQt9ipVqgc/R GruW+Xxtd9cav0Nr69ogEXUP5ndqXOxcpdpH1ldPIDaSEA/3hKnuI63qGeDLNLlnIHpO9SC/S3MG UvhqTYd4GKLiniG+TvNHY+Ce4Yf0CESqWiCXb9RCoHcTTaLWntGo5tu0g9FItWeM57T+QBEva0dA w3W44tSORaPW4K4PdM84WfU9E1RPRjWvaycgFoWItGea92unIPKEuLRnjg9pZwL1/EHtHGindgFi zhntEsSWZF7mo5rv1670LLTnaFOwuolltvBHtFnwnjnadTg/pt3sWbJmabeIR9CWe1b4E9pa9x3+ 
lLbRs86f0e71bPLnPKjnPn/BYwoZYradWm9riycpZOYveVLAGvs86SFL1BLyVzxZoVR+ypMbyuBn XdWhbP66pyCUF40B2mVPEfgC6mX4m8RuR300f8tTEirklz3loWJ+jXhbfsNTCV4PrFaotH3WUxMq 5e85r4Uq2o946rszBORpCmXE/PIpT0u3RTB5rCSW8AiBJSHJg4lP96iB+0KKx9edKqR7AvDcm54w 8V8esIFClmcArud6BrtT2SLPUNxTCAWe4VCVUOQZgbZBLNGTIpR4RoOzpHehWqHcMxa1tN3XhErP ONRT45kALwA+N9Qg1DvOhZqJnwq1Ck2eyVC70OKZDkmC1TMXcpBxC2m0nn2C4JkPBQXsWYAcB2x4 KBKNdogOtkV1PKpx6KFDREevhA5TfZS0IXSc6pOC6lnqNgg+z0q3WQiQaIREJsE2IexZj56DvwMN vwJfEDpNrG7otNDn2YzGFaGzMQ29CDYKA5774C/oOe3XaWFQN3RnC0O6GSIKiCtC54Vh3RKNIqBV Wzp0tP2UntpdKIzoGaBH9eyox4d6QIcuCmN6XtTLhy4L43phd7EwoReDhutwZVIvjXr50NWH9Azx U6FrVB+l+oYwrVeA7wYPHloU5vQq8NTgx0O3hXm9trtWWNAbQC/pzeDF6vXW7mY65qtU34mNzIre 3l0qrOtSd5WwqTu6G4T7uhZYEg36vtBdheusiWxX5M76cL3i7GwCrXe2BAYUf6c1ICihTiFgUg52 4kgylFHhbn+nL5KmHOkMwN1jneFIpnKisy+So5zqHIBs6ETnYKBPOdM5FMnfc6RzOBBQznWORHYo FzpHIzuVS51jkTLwmOOBYeVK50TvQWWqczKyS5ntnI5UR7ODPVOdc4Fx5XrnfKROubnvXKRRudW5 ENmtLHcuQR633LmyFYevda5H2pSNzk04v9d5v/ccRn5DhMMmvzki4yS/JeLEKf7UiI7T/RkRP87y Z0dC0QxUrvXnQc4VzXRoToFz/YWRg9EsDxfAFRUX+Ysh5wJfH+mXT/pLI/1Kvr8icgSX+Ksix3C5 vzYiy4Wk5J5+f0PAhyv9zZET0TzLNuFvjeez0RwT19C8sla+TTI+f/vW00/7JdA0V8L1fgdkTNEc 5wHkmBO4qXO9p1yu8GtQf4t/X+QUtvqDkGfBCETOYMEficUqhzH2HwoMY9V/ODCPff6jkXM44D8e uRDNB3HYfzJyCff5T0eukDgnMoUH/Gchp4bMOjJL9XU86D8PXgMyaPAXoCM3ie6mOXXkFnlKZDmq 8ZD/IvRoGHIuFY/4Lwd8JP+NrOFR/9XY+QbV90i8dADFRhKy1wOmmIZWHUjCY/6ZA0nRc6pT8Lj/ WmAQT/hvQPYKOeyBdDzpX4xmrAeyHtK58lX/bRixaf8q6DmiSY4Z3B3VeN5/J5pXHijAC/67gTG8 5H8AGq7DlZUuYzTHPFD0kC4hUdyBcqoroxqvd22HzBHyxwM1eLMrGfJEyCIP1OP7XWmBObuhKxO0 uSsnMG+3dOVH2si8HGiiumVPf9eOyJo9tWtnYNye0VUWmLZnd+2Cknld1YEW0awHQw9o7kD9EbVd kLOIFj3SaxRT9UO9260m/XBPipihHyW+Qz/emyxmEw3nJ3vTxDz9dG8m6LNbulA/35sjFusXe/PF UviVOZrTiRX65d4dYpV+tXenWKvP9JaJDfq13l1iBrGfVN8Vm/UbPevEWvZWU13XHtIXu1PFVv12 b6PYrq/27raW6He6F0VJv9vbJjr0B70c1TKxk73OWG4FulcXNa+x1x/Ns8R93u29ITHoTe49KEa8 ab394iFvZu8R8bA3B/RRb37vMWIze09QfUo87t3Rewb0zm6DeNJb1ntOPO3d1Xsu6lPEs97q3gvi 
eW9d7yXxorex94p42bu7d0q86m3rKadW1CzOeLmAIF7zyr2z4g2vs/e6uOjVe29asdffXSXe9oa6 K8RV78HAWNRDEd17yxoAbwjn3v7Qvmjkxid7j/Qui3e8x3rXrMh7ondDvOs91XtPfOA9E3ogFnrP 9eZIRu+F3h3Sdu+lMJKSvVfCJinNOxVOkjK9s4EBKUc/Gk55uDYp33s9nC7t8N4MZ0k7vbfCuVKZ dzlcIO3yroWLpGrvRrhEqvPeC5dLjT4UrpR2+0zhGqnNlxSulzhfCmjZlx5OiWmnLyuwJOm+3HCT 5PcV9IakkK8o3CId9JWErVK/rzwsSEd8lWEsHfPVhFXphK8+7CPzGw5Ip6y+cFg642sK90mZPrD5 0jmfNTwQnTvpgk8ID0qXfDjYL13xqeEhacrnAz3rC4SHpevw0xHppq8vlGqt8UGGJd3yDYJe9g2F R6U133B4TNrwjYC+5y0Lj9uQb7RnwWbyjQVMtiTfeHjCluKbCE/a0n2TAWzL8k2Hp225vrnwnK3A Nx+etxU5ZnvKbSW+hd4yW7lvKbwAJVegZKVvPbwUfYqtxrcZXrHV++4HZ21New3hdatJyg9s2lr2 msOb1vK9lu5sm3Vvavi+Tdibsd9gw3uz95ttquTfb7Y27QXvbPPtLdwPsdze4u5mW2Bv6f5UW3hv xf4MW9/eqv3ZtoG9tfvzxOK9DT3rRO8vjGb9tsG9zfuLbUN7W/eXkuhlfwWJUvZXkV2U/bXRFUd3 MA7FdioeXR2XYnsFdGdgf4NteG97bz7x7/ubSQ6+v5WwcX97dHeI2oe7thH9KNRPIzHb6F6p+5qY t9fRfS22e0P3VWxjDud+SbyzV9vviGb9tvG9+/ZrZK6DjciAXmXWmf+LEPNbZhMZmHvM75CR+b2B QSbDNoMJPWd43pCEnjckG15CLxheMaShFw0ZhtfQS4Ycw5voZUO+4WPoFcN3DN9BrybUJLyD0rdV b/sSytimbnOjzG0/3fZTlGUBQR+xZFveRdmWBksrqrfssexHX7e8b/kJClmuWlbRDyxrlk10HVrz Z8hI//cDC3oRPYdeQk3oedSM2tFXEIe+hVrRf0T9KIwG0M9RBP0D+gWaQv/EbEf/i0liXkC/Z15k XmEYhnzjZCbvTTKvMi2MyGQyNibCFDAHmSNMDXOU+Q7zNea/MT9jvp7w/YTvM7pRM3oYrzFoDDF7 jQeN32L8xveN7zNB47eNf830GL9r/BsmbBw1nmW+aTxv/BFzyPgT40+YAeP/NP4t8z79HvOIcc74 c+bbxgXjIvPXxtvGXzFDxl8bf82cMP7W+M/MfyZv0TEnt7287WXmv277+bYHzIhpmymXuWZ6y/QW s2H6mGkH81vTZ01lzO/IFx7M701fNFUZjKZq07sGk+krplaDxfSeiTNkmgSTasg2eUwBwydM3zT1 Gz5rGjANGT5n+q7plKGWfDlhaDSNmv7e8FXTjGnG4DLNmuYNqumm6aah07RoWjT4Tb80rRi6yPtY hh7Tb0wbhohp0/TAcDARJb5geD8xJfEVw3cTX0180/A3iXmJnzGcTfxCIjZMJLoTDxtWE/8q8a8S khK/nTiU8ELi9xJHE14m/69qwquJP0y8kJCZOJ7404Qs8j5QQl7iPyTOJ+xMvJF4O6E08VeJ/5zw tjnPfC6hyfyb595I+IXld5bfGcn3chgdBJ2EssjXxpVnYzADClEebq+5i6WqmneuVxVhB9bwvppF HMSRKtwwgM/ji/hy1Ti+imfwNXwDL+LbddvrcvChOh0ffrv2bQkfxcfxSXwan63LebsKWGUEjq9T jv8WMczvmd8jAzA6GSXAvdfpm6jI8D3D9xBj+L7h+3DvrOEHKMHwY8OP0Tb6JqrJ8DPDz5CZfgn2 
nOHnhmtoO30HNYm+ffqC4ReGXyALfe/0RcOvDb+G1UHeLE1JYBKYrf81eFuCCaXRL8fSE9IS0tCf JKQnpKMM+qboawn5CfnodfpVWFZCeUI5yqbfgL2RsCvhCyiHfhWTS9/Z+Ci0P4lJoSNHNFKuIL9y RZlSZpXryk3llrKsrCkbyj2MlA1swkk4BadTZOFcXKCs4SJcgstxJa7B9bgJt2ArFjDGKvbhAA7j PjyAB/EQHqYYwaN4DI/jCTyJp/Ecnn9Y7M14AS/hFby+JZv4vt1gNz8kFnuqPcOeDVfzHpFWex6U LbQX20vx/bjYK+xV9lrQRBrs7XjdLkFZh73drtn32YP2iP0Q1JlnP2w/aj9uPwn9Z57DMatBvll/ iY5JOkgCygQxojz0FtqGCkES0SdBzKgM5DlUDrIdVYA8j6rQ2/Tt8i+D1SHfXb6I/gK1oGTUBpIC dodDLyMJJBW5kUa/uNxHv7Xspm+U96IMsEfvo9fQt0FeR/8JJAv9F3QKfQR9D+QNNAqSg34E8ib6 7yC56McgH0X/A12B9k2B5NP/DftjaB79IypA/xukEP0TyCfQL0F2oDvoN9D2u+j/oU+hByCfZgxM ItrJbAfbV0bfH/9TsH3JqJy+P17BZDFvoM8zbzJvoi/S7z2rwBo20C86W1A18w3Gir7EtDPt6Mv0 XfI6+nXnuwxmMKpnOpgO9BXGw+iogeliQqgRbGcE7Qbr+U30F8y3mEPo68wAM4C+Qb/ubANLegHt YcaZccQyE8xPEcdMMn+LBObvmL9DEvP3zDSyUf4qYAXyETYXmAtQB307z2n+lLkYuegbeW5zmbkM aeYKcwXy0C+JdPr+nddsNb+H9ppZM4s6YW5vo03K/RLyL0vIY4BxwARgEjAdw1wM84AF9OfyuDwh T8rT8pw8Ly/IS/KKvC5vgr6vGBQziEVJVTKUbCVPKVSKlVKlQqlSapUGpVlpVdoVSXEomrJPCSoR 5ZByWDmqHFdOgpxWzirnlYvKZeWqMqNcU24oi8ptZVW5o9xVHuCD2Ii342SchjNxDs7HO/BOXIZ3 gVTjOtyId4O0YQ7L2Il17MchkH58BB8j/4PotvZtNnCC37C00X9f4e1/NX6/C/IiZXkyZflLlOUv U5anUpa/QlmeRlmeTlmeQVn+GmV5JmV5FmX5RyjLsynLcyjL36Qsz6Us/yhleR5l+VuU5R9D0yAF lOsfp1wvpFzfQbn+Scr1Isr1T1Guf5py/TPAdQMqofz+LOX3f2BeZ7KA94TZ5ZTZn6PMrqDfR3ye snkXZfMXKJsrKZu/CGzugjXQzXTDGiBfSXyJsrmGsrmW+UvmL2E9EE7X0e8j3qVsrqdsbmCmgceN zAwzg75q/pr5a6jJ3GJuQV8z28w28r12cjC5D+YpCcb+ecS42oB3xYBSQAWgKnatFtAAaAa0kmvG l+SdrhJl7o+DlplXr8llrnJ5l6tSWXgU5Jpc7apRlgAr6g0Cuc5Vr6z/cZAycqOrSd7talE2PwD5 s9zmsir3XVZsUBdlziVg8x8HLWNRb8uyC+NUF5adLpVCd/lwBiBbddDzPHUVF6p3ZL8rIIdcYVz8 AeifS9W78kFXH674EFSpD3Ct2yj3uwYojrgG5WOuIdwQBTknfcPNH4D29YRrGLe6hsmR4pRrBLd/ OEg5+YxrVD7nGsPSo5AvuMbj9T4M+ZJrAjs+gHzFNfkscLbpx+Qp17Q865p7Kq675gmcnH6CQL7p Wngm3HItycuulSew5loncMrufnnDtfkscDr1U/I9130CBakGCpNqJnDq+hly7HB4TitWtV1JUi1K ipr6OJx+/ZySrmZ8GJwh/QKtI0vNpshV85QCtfARFKnFT6BELX0E5WrFM6NSrVJq1NonUK82KE1q 
8xNoUVsfAen3MwBr7u2KoEoKVh1PBdzD+9zJOOhOo+VUVXsm+NR9SkANPgFSXwRwyJ2phNXIswAf ducofeqhLQyoh7dA7h8FHHfn0/OT7h34tHunMqgepe19DPisu4yeD6nHPwz4vHsXvuiufqSOYfXk IxhRTz8B8tvL7jplVD2Lr7ob6XHGvftp7fmDGFPPK+PqxScwoV5WJtWrT2BanXkY+Jq7LW7bH7bF cVu5ZeNuuLktG7Tolh+2I1s8eXhe4/MSH6PbbufW2K669YfbRG3JQbApsPad/VEb4DwSXb90XR1T M6jfAL47TwBO6ZfifHaegSM8h9zHd9x+fNcdwg/cB+1Gdz/xL/bt7iPkOumbPdl9zJ7mPkHsqz3T fYrYSXuO+4w9332O+AD7DvcFYttpn4Hv9p3uS3H7bC9zX7Hvck+Rftur3bNkLOx17uvEdpI6KRrd N+273bfsbe5lO+des8vuDbvTfc+ua4iML/VBZCxhDO1+8JMxf2YPgf+JjbP9INTTr5lIHfTeES3J fkxLIX5ny9c+NEdbdRLEfErcF5A2Ed9oP6Gl07ad0rLi80zLE9sPc0/9Mvg82rczWi65Zj8HPrws CuKvyfg+grqoXyb+ivpjeE7cF5MjBfCH9u0xH0ufBbBfcAUIiI+N+9U47JdcAwRbPpL4zJhvfNhX PuIjY34yDvsV8IMwx9T3gT+0T7nGCShviZ+7FMWWzQLYZ7UCeryuFdlvaiX0OtgP+y2t3L6sVdrX tBr7hlZPr5M1THwJWbewjsh6st/TmhxIayG2yGHSrHRdxNdBzC5SbkE9xM45ksA2xdYInS+wW+T3 cRv4xNp6bF1t2Zd4+6EOYjcdKZpA5tyRruGt35PysN4cWZrqyNV8pN2OAi3gKNLC1IaT/kAfHCVa n6NcG6C/+zD7E2uXozJmx+NrPPJQmVibaV8fs8db/SF2OI4/9Kw/YE8dNbFjvXqW9GkLj9vJh20l sY9xG/mwTYSytB5ShtyDMXA0ueuc5/Qrzgv6FAGJbch807jmkj5Lr4HNcsx5LM4r+vV4/OKc0m86 wtoEtWMQdzhn9Vs0pgCb5hjVVhwBbTweEziv68vUphH/T+IGYutu6mvERztv6RvOZf2eY0K771zz IueG1+S8501yIW+Ky+RNdyV5s2hMFrOX9LckNovFTTTmiccopK5YHeSeK8WbS+wladdWbBePwzY+ sMEU8RgmFnuQukg85kr3FpB4x5XlLYr/npaH/tA/w3jRdQJ9c+V6S+g1EjfGEYsTH8HjsWAs9nsE sXF9PK7bAonF4ng8rovHaE+JzVwFUXxobEZir4fjLxJzxeOuh2Is0lb6W1ImNiZPrC1Yf44WbfCJ dWXVhuIxlkPQhh1YGyG2KF7OoWqjhNcOnzZG+RS3A6QMWXPAP3rs0yYdA9o0PR/U5hxD2jzBw+vN MawtEBvhGNGWKD/HtPUn4hiAY1zbpAA+EtB1SOzWpMdAj9Mec3wNkjXhmPekOhY8GVvrj9igJU82 tTUrnjzHuqfQsekpJr4nDtJfkmPR9Qd9dtz3lHYYPBW0brAfHWZPFe1nrHyHxVPbkepp6MjwNHdk e1qJLerI87R3FHqkjmKPo6PUoxH/R30gsU8QE3RUePZ1VHmCxB531HoiNGcBX9jR4DnU0ew53NHq OUrGq6Pdc7xD8pwkeUKH5jlLxqljn+c8Kd8R9FzsiHgudxzyXCUxILH/cdvccdgz03HUc40C6iN+ hnC747jnBhn3jpOexY7TntuEZx1nPavUhsE8dpz33KH3Lnru0jouex4QW95xVTd2zOjbO67pyR03 9LSORT2z47ae07Gq53fc0XeQ8e24q++kdoz0/4FeRo5Oo76L8MG5Xa92Jut1zjS90Zmp797iD8Tg 
JP5w5uhtznydc+7QZXo9ZnOdO3Wns0zX6fzBOnHu0v3Oaj3krNMPbnE1ngfEfRScOxv1flLGuVs/ Qq4hA2IsEcsAQv/+Nyj/hv4GZRXd+eDvAbhNhPkMPpvP4wv5Yr6Ur2gy8lV8Ld8Auplv5TajwmcT 8O28xN2PCu/gNX4fH+Qj/CH+MH+UP86f5E/zZ5v6+fP8xaZL/GX+Kj/DW2JymOIaf4NPjckif5tf 5e/wd/kHglHYLiQLaUKmkCPkCzuEnUKZsEuo5g1xgRJ1QqOwW2jjzVEROEEWnFBOpy0kLSIlyT3y PHgC2ed/4TRw+51/lX3Qd2FtfAXkJboPmkL3QV+m+6Cv0H3QNCQhGb2KMEgG3Q19je6Gvk53Qz9C d0Oz6W7oG3Q39E26G5pLd0M/SndD36K7ofl0N/RjdDe0gO6GfpzuhhbCmptGO9AMyKfobmgx3Q39 NN0N/QzdDS1Bv0S/Qp9F/wekjO6J/indE/0c3RP9PN0T3UX3RL9A90S/yGQxWaiK7om+TfdEq+me 6JfonmgN3RN9h+6J1tI90S/TPdE6povpRvVMD9OD/ozuiTbSPdGv0j3Rr9Hd0GZY6T9Ef878iPkR aqF7ol+ne6LfoHuie4x9xm8hK/2XBtuNF4w/Qhys60kkGJeNv0ISrN9NGEsG+VDgA66y0GP2OnuT vcUus2sgG+w9GHgTl8SlcOlcFhWBw5zK+bgASJjr4wa4QW6IG+ZGuFEquVwBV8SVcOVUKqmu4epB N3EtnJUI4Y3h48CbT8R4k0KfTxhjgDl6C9hDuGKE8S8G9hCumChXEoEpbwOHyJ75c8COFuAQ4cfz lB9JdJ/8BeiXAkwibEgGLrwPfCI8SAEWnAI+EQakoh+AvEIZkEYZ8CrM/xXgLdkP/xOY838EhpFZ f43OeibdA38dZn4FZdE5zmaSYY7foLObQ+f1TTqjucwexoo+Smf0LZhRJ8pndJjRArrL/XHmEMxi IZ3FT9BZ3EH3tD/J/JC5gIoQYy4xlz80HwXGl9iCx4XbxwXZIrYkLlweWx6TyseFi7A1bH1UuENs E9vEHYYrjwl3lDvOtoBYQQQi3El6xKwaF+4063tSuLO0Bh8biEk4Ktx5to/t4y6CHnhSuMvsIDu0 JcOkbExGYjL6uNhGbWPsGDseF2GdnYjJ5ONiG2en48+yTbBzIMNw5THhd7Kb7DwIed4CESmfs8Bx if6CCr/2ZO3spFRNa5iMjyy7EhXbJLvOrttGQG8+KbZp6N/9LannDFtijspTRuoqN8NZuNQtucZl ULnxwUjEhVvksrm8uNAZv80VPiargDtcMZVSkLux6w94I+iKrR7VswF+O1f1pPDJXC2fxjVwzUT4 TK41KnwO54Ar7Vw7n8+1P1TPlvA72BVO2hIHp8UlOvrsAswI8Jsvo9yt4Xfx1YRjfB0ZCb6R8IPf DWdttLeFPMfLtEUy7Wu0JsKUOTpL07Z52wJlwxId/RU60qu8E9ZOEYxfCVvO6+wI74dRtvAhaN9B vh+4bOWPAN99/DHOwJ8ALg+0H+RPcaXw3H7gSRjKnuHP8RfY+/wl/go/BS0m/B/gZ2kvrTBjV9kw fx1K1PM3+VtQF1m1tEe0ZHStkNkNs038MrR/Dfq8Adf7oFwJrLo+/h6cFfFtAmLLBZOQJKQI6UKW kEvXclNUhAKhiKxXoUQoB6kUamC14uiKFeqFJvo0eJLQwoYFK1mTAtQMJbGgCj4hIITZQaEvtv7I ChwRBgQMXLNQvmXA3UGulisVhrgMYVgYEUa5VmEM5hdmi+8XxoUJYRJGrpCrgjYNcjPCtDAHpedB FrhiYZwykPSSzhUpBwKMIaMkLAFWuCpYwwPCJlzXhPuiQVgQzSI8W0wVM8RsMU8shLGWxWLCd7FU 
rBCrxFqxgXAcRpbOudjM5wPbSsVWAYvtIJLo4CqIwD1NLBb3QQ9quWa4E+RaxQjhKeh28ZB4WDwq HhdyxZPsiniak8SzwEcH6Zt4XrwIz2wHhmqkf7Z1dsy2KXFgGSZs92F+FqA/VcCXAdkgm8EKjMgW sBSTwqC4Kqey6ex4+5TYIGfI2WRdA2dgtOQ8uVAuFkbkUrkCGEosxyZYMzI6I7Zx23i0BDsgzcpV UBexd5TBtGTUygCDoa45uZYdlBvYUbmZneQMUG4c2rMut8LZmNgqt7MTfJlYLJXJkuyQNWoFY5ZM 3mejllUstc3Z5uSgHAE7txS1dfIh+TB9GjxJPsquyMeJNQO9Lh+XT8qn5bNSmgwWXWyNWi5qu8y2 FfmifIhrlS+TloiXYZ4Id1rFq+IM4U9U+H5o96R4jdgk8QbM8SLXALNzG3hVCPagUFyFsT4p3uEq xLviA7ZeMkpgd9glKVlKa59qn5IyYQZPAm/WWZ+UI+VLO6SdUpm0i2sXFsi4s2NcqVQt1bHrUqO0 W1iS2mD19IGBkTkHPH8B/ONtaResYAvYrHa445R0yc9lSCHpoNQvHWEDnFk6Jp2QTrFz0hnpnHSB s0iXoFaLdEWaYueh5gVpFtpkgbZcl25Kt6RlaU3agDZOQ91mdh1K3rMhm4ntsyWBtUmBtVQPvEmH 3xQCV0ptWcDfVVsuOyrli6viKt8vLrILwpytwFZky4VxMNhKbOW2SmHaVmOrtzXZWmxWm2Cr4Wrh iIVNm2rzQemA1C/O2MK2Pk6zDdgGbUO2YanfNsJzNJr6xL9nmP+GMkwJOelbDWnkf5OxjiDmPQNK tZ4EOQ1yFuQ8yEXrxRYQ62Xr5T3ze+atV0FmrDP02jWQGyDk2iLIbRD43e613WvWVZA7VpLDGiz1 lq/AM5JpRoNoRmOguUwCjXmNNJfZRrMYE415E2kWY6ZZzHM0c3meZi5JNOa10Jj3RRrzJtOc5SWa rbyMmGQu2UH7RN87tO5EjLUOjmVwbDS+VHPKWv0sqK2F4xnAuT+AC1HUtkZRc+kZcQUw9RTMRlGr wfH6s6E2CMebMdyKYTmKdxaix9qjgONwvgbYeBK1p+F478NRex5wEepFMZgASY+C9u0xvJPyGNL/ BcgC5D4FBU+pl6DoMZQ8G+ph3N8pB1T+AdREUX89infqnxFNgJanwBpFPczbO8KzoR7m9h0cgxqD L4r65ejx3UU4zgECgPCTqAcOvNP34ajfiNUxEMMgYOgxDD8FI49h9F+AMcD4UzABmHwKph/D3LOh 9jYc5610fTwVcK92FXAnVm7pGbECWH8K5mN1PoDj5rPhy8b/z96ZQGdZXXv/eZ8pEeGVYmSIgcZU EZkJSAG5oJQx78BQUIpUEJEiok2RoiIXAREjRSQULKIMpRQxBkQEZAogZZIiUxkVaYoUKWBQiIiU vLl7/84TiFy6uu6661vrW+v7Vtb5v5t99tlnn3322eec5x2Q18tXS5Z9tVyRqRy8VpWSJnXJV/sq XyIZQf/hf18idaQ0/H77rJRrSup1irZtJq/p8toqeL33+vb8q5JVW0r965RMKS2uU9p8v0Q6lsvf 5fNtWb4M8lgk2v9Kfon06P/9/FEWJ+XnNfD3FR/1Lufbh75v05WcUj4HlK3hYG3pnlEW812rXxPT F0x9ZKCUIVKyTY7Q/SUyyvB1TJFxUnJMfu2v8yV5MjJNykyzB0TmBvn9kon3iPikLD9HZE+LLDXj jawM/CA6NV+qTorqlfmMSF6MiO8iYkNE9Z4M/Bv4U9uyT5btYcfK+Vn0RC2jQ+uisl9EKwZ2XTtP 18zRlT2lbJ5yzN4YrWJsi1Yv1/6SGQv/XhrsffLvaK2Al1+urLxOuXZf3n2dcqDc/lpuj71SisqV 
a/bXK/vl/2afrNX/+3th3f5X98By+92VnCUl2i54lX0rGg/WmOSPqOxJUdmDorL/RAcFfFnDun+w bjua9RSVfSY6zOSi6DPBugjWQVle1NhSPZrnyE9layTH5C1tfyUHXru2rllXZfnlytrKCewfH8z5 xKvtkZf1FpW9KfqasTsqe1JU96CjQU7SMcgeFF0ctPt3OejaPH49mTKbr5OPr9QlXy3/Mtf9u3ya /v3y3/Jk+VyZWS5HlsuHyKYHMi2MDzRHd5X46VrXFD3b6HzrmaZr44AnsRJrL7TmseD80lXORtEL QR6TOe2qsTXe5LOY+l79FZwJunYOcpnu/68FeU7jT/borqKvq+iLib1dJW66ir6uEmddVafEWNfR Qf4sy5eLg7NZ2blp2NU8iq5ABzaON/kSu67Nw9fk4CtnmLI8rONUXVonMdV1Srn2E4PxNDf+4swl Y+v6WsBrXa50vk659izY/zol8Ou157orZXS5cu25ruyM9r85my3r//3z14b+V89d5c9Y/YO2q8v5 5Nq1JesvuqP/f1tX0b39r5yxorquj5pcdCVfHTdxHT0VxFMZX2UuBPGnr5JXYsG6i8kai4VNKb/e YikmR8RSTXzGal/nHCMlVj8omaaQB1V/i+C1zdU1qGsiJntdrFu59SdysfvNeovJHh0bIGWw2XvK Cvkoz/hJxxx7UsrwQLeMIzYyGGcgH5M7XWyClElSpvYnF8VmSJE7XGy+lDyz/2khT8qZILZEygqT j2NrTZzqXhjbKGWblJ2Bv/ZJ+cTcE2InjJ9iZ4x8TPaO2EUpCXMG1PxflpvjsgfEK5ii+thnJLbj lY3f43IGjaeZOItnGD/qPMbrBHUNAx3NTC6PyxkxLufDuOYeOY/F5RwWl3NVXM5T8YHGv/EhQR6T 8cezg9cRJh7ichaKyxkoLntEfPLV+NHcreeBuJyF4nIWis8N+EHOjct5IJ5v9Os6iYuP4nIGiK8r F6tl94CyPUro+CYjE99uePppjEobK23+/5/G+H/pWZlb192k76ja2613LSspXUptKfWlZEppIaVN udf2UrKkdJNyv5S+UgZIGSzlSSnDpYyUMkbKBCmTpEyVMkPKbCnzpeQFZYmUFVLWStkoZZuUnVL2 SflESqGUE0GfZ/7F6zkpF4Oi8gnLSnYNP7mClMqBbWeCVxlDclUpaVIyDP/Kax0pDY2tyc2ujjm5 lZR7pXSUEjV6knuY/pJ7S3lIysCAP0RKtpQRRm/yKCnjpORImSxlmpSZUuZKWSAlP3hdWu61TH6l lHXB69yg3bpy9ZukbJeyW8oBKUekHLv6qv5JPiml6H/wWuaLYuPH/2lhDsqXbqaofuarMJA9eU25 ZP7b+bLXsvZlem/wpVQM5lv4N1S5+npDdSm1rHcjnSPxSM9In0j/yCDK0MiwyDOR0ZHxkYmRKZHX Im9G5kUWRhZHlkVWRzZEtkR2RPbK36HI0cjxyKnIV5ELkctRO5ocDUdToqmU9Ght/l1f/jKjLaS0 ibaPZkW7Re+PTIn2jSyMDogOjj5JGR4dGR0TnRCdFJ0anRGdHZ0fzYsukX+viK6Nboxui+6M7ot+ Ei2MnoieiZ6LXowmYm6sQqxyrGosLZYRqxNrGGsWaxW7N9YxFtV64feI9Y49FBsYGxLLjo2IjYqN o+TEJsemXbfMjM2NLYgMjeUHf0vl73r0SvlbF9sU2y707uDvQOwI5Zj8nZS/olhx7FLcivuUivEq sifUuO4vLljBLy4k84sLFfjFhYr84kKYX1yozC8uVOEXF1L4xYWq/OJCNX5roUY4PdzEujXcNNze ahB+JDzYahseGv6V1SE8PPysFQmPDj9vdQ+PD79o/TScG15j9QoXhNdZY8Lbwqetcfz6woL/iy0L 
haqEsvm8ymr93+QzMoMimSWjTVDaByWrHK1FVk3G/QGtcn0DekBQBgdFsm6GZN0MyboZknUzJgSy kwJ55U0t9+8ZwevsoMwv12de8O8lVr2s7fK3O+tA1pGsY/J3EjyWVSR/xVmXIlbEj1Q0f1nbI1Ui 1SO1IrcLt67wa0UaR5pnHYu0jrSTNcmqzCqWdRmP9Je5uolf2rD4jQ2b39hwwpnhTMsNdwh3tLxw l3DMSuL3NiqG+4UHyDw8Fn7cqhkeFn7KSg+PDP+nlREeF37Bqh1eG15r1QmvD6+37gqfCZ+x6v4f 1h5KPOj+RLCPREcocSN0Begm0E2gm7qdBZt5w+EPgP876EmCmd570J2hTdsm0N1o20iwIfxm7pPo 0baZ6O/rNlX0HtTPPnkjhU5x2yl6vxZciswc7bcEuqQAG8bBfxy6KXRT6GbG2gBHgr9CRnSW/M2t J1gYjKgetQ9iFSN1WzKux7B8sNLOIehkai1avQ3nCdpG4NwE3Za2T6PtJixpC3rINEdmkGBj6MbQ mW4r+EOgm6MBPtiU2kxqf+zeo+g9jiWtkFS6qXMOGeOHSWhbizadi0buQvgGW4A9kBmIzhXoFG/Y 3bVHu4HXX/BFT1a3PQK6LXjIGyY4WmVCNjgdeey0LUVnEJLTvUcEF6DzB8oJHVQ6dJ7aXOQ7IP8q dArazoOFyF9y/yx8290s2MPdp70oHToLZ5B7ULC1ylgXFENZ4HdggaLjINkFPb1UPvQ5GhZCL6K2 E/KlyNeFPgFuBJcjf9r9pUhGvT8JfVHj1va99UInlB8a4G0XPOZKJNipKmOd9sYKfqMYOhFwBJ1M 9KSCabR9FMwFq7ml1D4s9C5F+wj0WnA3ON3tq3PknwZXgHlgDlikmFRd+mpmZhDJF339DZUB0G3B SgHmgTmgtq2G5CZql8A5BGc0nLlm3pUWXAHmgTlgEajyXZAcRSvLoPe6RgX0dCxfAL0aXBBw8sAc sAhsL2PZ4OUQRYMV6f0geJ62uQGuAPPAHFA15OKNV1XGmQG+is3nwUL0FKrNodPeDsFi8LQ3C8wG +4FEgndGNFRjvi4iWQieCnAsMbBRYwNOAg0JNCTQkCAqjlF7DM6xgLNa0GEst3mbiJkdYDbYD9yj SCQUmhhTWiJNte2BPi1nerVBOHarAGUs9laNUjsNThqcNFZ3mmoW3AyuJjLzZYwjTXyieQqYG7TV dfEUMV9N/ydu6WsWmA32AzeDZ0DVeYS2R/DGbrTthp4OPSdA9d527OyepNoqGTSRBr3AoLeGmc1m HrX2PPRp/z/UwwbVKguO3GkVU+HvZmZ3w1nKGqkNppOFmpDfXvTrCD4P/wtyUTH0VN1BQn8np1Uy +VAlQxW8XwjeTDYbD1bDG4uRqc9a2A/dHVwY5EDZX0Lot5MU/T06+/5v1BseudTtrz7xVyrt11fa OUlsLyROMoneHbRa6S3Vtu5irNLaISaf+5o56ynK2tzHmtrHOtLVcQd0LrV/D8b4FPYMou07yL+D n8kw3kn1j6LkakUzXw182R/tEchXgt6E/Ogge+SRB3J0d2ANDoI/HfwBeAe9HARLkzrrbCbl06/W dtBZlpWrdEqAqvPuICfPFro6MbkHTjr4iX+rzi/5dg7x/AB5e5lmUW8vMblbJb06xF6ycmTuNIZT NJ+HdphVLHdl2RGYl73qYckDq4mx1axKg5tZL6vBzewgmqtTta34cz2txrKCxhKH2suv1Sqni9Y6 XUxWceWsEqrJGm9Hq5X+t+QHlW+h1kokK+eErnSJ8P26s2B5ZpB/xiKpvcwHc8GN/p1K+6+wcrvq LsPKPULt2gDNClW6p1+P2jNwzmC/eri5v0dzHdbO0t0w9DF7YirWlsB/D5/XhE5nLMf0pGR3c1X/ 
TjcseFJPj3YNRZmvsWQVnbWZjHG2rjWnCfvgXYpOuisc+yM0v4HkeTT/Ffqv0J3Qv0M9L6ias7D5 SUVrCfQp8AGvgqXnCtV/DzNVFw07zf6r5yg5JzxM9tMIn8jp5ZQ7hFFovP2I2plYvoe+CtCWqiN1 /6Le8PCJ+y3zO0L3d6eqanP2K+3eA92R8RYxim/JFd+yElOxk2xvr1ULnWaM/YbAWrUkA7q+K2fX 0FZG/YErp8HQvdi2jbZEu93KHaprnFY99Qxs93S+FJzmdhDNbZjHZe5AjU/7DaH3oe2LAFXbHPTc jc5M1xX8XFGirqalpzLxgJOEH96i1TBwCjFw0lXvLUZDHfB36IlD/5qxz8LP7RjjEFp9AR4BH1OP ySlLRzFOT61C36BRwR70BNoGYGdP9Pjea5oBgmjU0a3Bnkv+7YreeXA/WAA/A8zSnGDOnCppNwZb eQfZR5TuaE6h6NkDbkXPVvRsRc+nyA9CfpBy7Gw4reHEzalVaeuCWiK4HyyAnwGt8pXMyZZeCgxy juqCni7a1u4F3cvQqkewAH4GWBNOGvHDeQOdn6OtGFwILgLzXd0BO6GzEzo7obMTOjuhsxNe6qSa nboq6dTFAxvRsBF6OfRyHYV4dTb2K75vxqu02DYbPbNpdR4NymmBnd8GuJ2VpTb08BqxWnV2xrp6 2twQ3A60l83uAdYstwOVtMxJ/jhn+xrcAjqDH6GtBvovgAfAfNr2BjvSdiX8L8AdrkSpn6Hj8vMU 3SEq4+70VslKpy9/mKf7VF98lY0HvkM+rF7181jXTbB2D3HyOTgluKccZHa2EJMHmbWDeIb41FUm HqitM+VVE3yTO5GNZC0k90CPp/fWJt6Yi7eV4zjMlAO/C/Kfg9+CC8EtnOQX+ifoRTmlOi8yv0qf CJC5hl5pIkc5EglZzGAWMy73aGu88xe5V8a9GxV9ubeW7NKVWLLLk1l23uCktF194rbUfcd9VGnn PfC38BfqecydQ1ZEXs7Gei76IW0jnIseR/JDvW+6WzVLO9wfnV56X3YrU/s+rf6omHQr/KpouAzm I9+fOBmtc+EsV986R6E7gU0V3XSdIzeD2MhBfj0RdVjRm49MU6IiVSWdl5nZL6GHUHsXtdWJlvZo MHfVfLAzfbXlVDCHHbCjesz5nB0kh9y4iV1ji55PnLmcSCezB83jfDgKzoucaorQsw7cB+4HD6Pn OLgTfJq96TD77EpF70Po0eAqsusF9qCX9Pzm1uMUdzigV4B5YA5YpLV68/JO4f8uSFYEW/o/EzQ3 Mm6IzqoA88AcUDW8h+QztFquHEHldFOO9xBR0Zez7tNgBMzmZDiM82dH7qScYN3axM8a+kLSydFc 6sIR1FGcRPMdAa4A88AcULR5d+md1F9PzGz1qkqrG9E2F3wE5H7qpjD2Z6FXBLgCzANzqNVxPau+ cguUTqrpvw72Vv20cgNU/3BHcPLVD05bTn2jApwFZoP9QGJJT25+Beb950h21Nzo3eFtFfqs96Hg 6/APBJgN9gM3g4003qjdAmcLnJf1rOu8qys09J+cpWuB/wE+zdkynXtQS86u9TkVTyainiZiJ+s5 0O6I5vehn+X2ugzbPoP/mepxI9h/VDnurQHOArPBfqCurzvVKveHeof13zIxryvCPo62G8G5nBDG sI5SOD/8ivh/k9rDAc4Cs8F+4GZkxJ/ubdqL96E+VxRUmVW0WgWdggcu4KVPvDzWQi2tNciN9YTe WN2TyvEK1BJ3BfRZaJc4cZEf5Z1mFgzq7XWX3l7FGxoVO90x2KYRa0GvwvJV1Jos2ga80UsRtHS+ vBp+d6HnKd+7jUj+DHw2yKWaedaSS3ORmYj826y4L1lHN5JRW5CBZ0Kv0QwscSWtvA3MyxZ0cnt1 
pqL5CbTVg16h91+54WptNpJrFZMLNMKTLW5bv0Mzz0ySTLb/M7ebHFboKVbQclbH3SC3Y2cRGt5C m+W+KK3WoucDtc3lOZXLjVjmQvfQR7kLP6W0aCgC97Gui8B9rNYicB/Wvi/0K/S4Ei9d1jOA8wbZ aSvoYtsavSO7fwCHKzo8OXG2+xN0v2MV50IvR34ObV9hpecoxx+s2cB/HP6HyBeCvcC5/gXFpD66 0yHzR42cpFuhq4JN0XYZ+WnYXEF3B7eKPqdyG3mpxI/SttrmndHZd6uwdkaZ+ybxkO9t0zhRvvt5 cKfWJ5Z53HFasq476R6R1Jm5289M3aO0X8GrJLUX2bNW6Y1YoldzQnutTerMzjJXV5Pkq9XgZvLS alD30CyeI9WDfxT+Ufhn4R+Hfxh+X7R9Ri/m5jWKnXEfuEr79Qp1RD7PY52l3LjnscfNUHn7T3q/ lizXDw9/i82al1rqXduvxKovYnWvUxRP7iDPNMISxZ3U3si56EY9+Ug+LGEtzCJjaO1oMCfIHtrq IHljvd67RWYm/JnYT77ynxd6BTZ3cG8V/L2im47/lzDST5mdEcg8EEgqpxb3oI90jO4P9I7s8FTZ Mbe2Q9zatpGTn8MPacx7A+5lrxMt1T3JRX4yrb7lhPCu3se9Ia7cLNzJ5NgnafskbSdBL9S+7B/T 4wDmZQ63/oGM6CVuuPtYES6cV/RW7tbDzgeR/4oescobDz1K7+bOL6GNzBNoaA7+XM9Lcm7UVbnK rab7AhZ+QZyb2/R9REInxt7IWSvj6qN6/OHgSEV3rruIzKkr4idKe894z2CV+rMnMub9jgKymae1 zlO6i3kh9FTG/6uw8I9673Y+gT6rt3WnCXQnva077zCWm9QSjxXkPuDWEM5s7B/jnBV83pFIcE/p uzz+HzgTPqy3dRmd2nOr3tmdieh8KkD1YSXwAb2ne6vAn+k9wvmnjt2vigeyuIMfo1V/vac7t0Cv o7YYe/6BhUvhf817GenqGb8OvbcB+zHeoWDz4Gypu2oNWu3Qm7v9F725Oy/hnxo8PyzEwofBLGbn ZeYxorMm0StoL4KThp0zucXkgm0NzQ0ll7WWy00nV29VUis3Ee9OTtQbkHwBXO69SD5UOgxGDKIh goYIGjohWcRdr55y3HpwDsKZ6cqMh2hr3w5O4L78U+7LP+UW1pL73et6V5JIEHl7MJKH6bEq588G aGugbd320GMNwhmr2gQL4GeANdnZxTPeHkY3xJVbofMmOlui34yuDfic3j3FfkaBznrorMdIixhp kfrKfUA1++29veALGkVoWGIQ/wyA7owf2vpRfKXYlfv7J3p/l1FE9dmXu4d+o6ygT9FwHm1R3a3U Ksk8im+4dwg+5I4T/jNkVO7Lcr/W2pfBNDht3PFCZ7tqWwM45Fu3JnPxJfi1orNd0dup6DYAx2pb ryG93ILOLmArcD7acoyv0HAWrIOHnwWf0IyXtFU9kBzHnxe59z3OU/onlE7y2fUe1lrvTjy8Hcn2 0I8qnbRVtSXH9WTiJbgPtmRcJjZaMMvtmZc3oVPQ0BqZd/T5gNNf/e+mMgtLiI3bdBdzTujonEXQ laFHI3MUbECrDDCF2ayqbb15OuPefPhNkXyLWX5ZaftLOC395uA0jTcka+hsSpy8SA5U3I3OfOg7 sDkFHz6nfJG8iLUXWaG8U1/6thWynNKPoBfpe9lgZulb0HeBOfoueVD7NjgP+ZHQBquDufBN28XQ i9GWD34G5zPoQ8gI3+5eqk9EG4AvgiPAtuAhcLRiyFa0iuFkgpaiMwh6OrgA/EFA67sGB2l7Hk4u 2IFWr0KnUFsIXoJDL3YPOGehjf7W9H4BPEztd2AB2hxkuoC94H8e0GrDQjiL4HSCLqVVXegT4EZw 
OXgaySj0RWgfOgFWB48l6urJEHuQt75RjmM8kwamKifEqEMPgLvgH4FeC+5Gxnive+I+0dDMzIXS dltwNjjXzAJ0JmiB08EFCT2dbjD+V07oXfA8tR+jeYYZHXQ143lkEsjcZsYCpxCrTkDvCcZyH+NK lrYjaTtKORb+CT2PZGYizihmYvlMrJ2JbYq5cM6Dp+HcpmgZOg1MBY/TY20wHWwCfkFfJgKnQv8d TE20E+wJfTMzO97EpPLtxdD1E3r73g/dCj5RYScp+kSa/7SiuwoNJeoB/wmlve3M9QLjmdI39N1G 5H9jYgNtU7HhW2S+w1fddVXKmqpO/CtOMbNcck5XHCMdEaANpgtWA9uCo6kdjbbRyhF/Kr8j/EzQ CjBd9wXo6QGqZBxvHww8n84szAaV7qB851Vqi2l1NxaaCC9mRPg/9ImZEUY6x8Qz9EBkluGlvSZ7 qK/cfXjMrN8U6DQ8sxH5jYl79akU9Aj0/Bp6lqLDKna6EIEX8VsutcxmqCb80+rD0GVs9vFeKiNK xksJRYkrQ+sY8VXoN6CJw4cDTKftbPSo/C507qX2bRB/Wl8x6lPgLPDj0psFSxhjBTjvQdeETmfW ukHvxPKT1NZQWjLGQuHcS+1T4ExqZ+MBot1pAm1Weqp6zL4LvlkRH4FvoPlRNDyK5gOBl5Q2mW0H 63oTq/ULZoGsEnLx/D3oMZlwJ/iP0qbqSejtJgciORHJH5kcSC974LP63DGsna3Q35Z2EjvNPjKP bLNffeXeA90RfhF6voUmE9o3gPXADLNmkdkKfhBkp7sF2SlC25BZZlY0SAawp+GlNsjsA03eIG5t 9gXxqtwpHNZ+6C1wGGhyRR3wd+Cv4Q+HbgcOIQKfhf92sBdoPI8LaPWA2Tv6Ik8OsQeYPYXZ9PF/ dTAX3AWuBcnnofeYr1LoNeAl2u428wWNJ0NnoQeBcbx0AboStQXQXcBeiQtqIfzP0TkFXATmB+vX 9KWRv5XIv8CK6AV2gr8RugXyY9HGvhPaTO8JYoOdMUQmd2ogWUC0QIcukI0PQOfD7w1t8iqz7+cR UZXBF8gwnE/8WmgzGakX1i4vfVPfY0JDaeI3jFcwtAW8RB7uQSZZBD6E5CXycEXGYvaplCCvphPb mhlaw2mN91qTVS7Ar4QfCgLU3Osg2SVA1bCQ2kUBprPvDMWH6dipeSmd2h3gctp24xljMc/w03jS mOa/L5IVg0/X6KdTWvCZnBKeLd+ln3IM7VK083j/dzN3T55Qhf7u6idzNnAj490Wu71/o6503sHZ qbT9IfQ59xB3Vd7z0vO51ceurfOiTyScuu5j2rv7Bz1jKG0XuV9rNCo659wFlj5fEknriGJoMK06 K3p5PNPwwYbuKF2baFjoyrnX6YuGy1rr96RVD7AZn0+4CCa7qTrjznPqMWeTyihtj9FvuNhDFZ1s 5yjaRNLaphjKMK3g7FV0zyjKKBTnOa/oKNDTXp8q2FuMHmp7K3rj0HARPApOBJc6+jynrqK91tHb fbre6+2LcKp4fbBTP0VWUTnWXqWtI4oir/Q2lfdaoyedVo0d/fxebWeGzr4zD9vy9Zk2rZaCreDU UXlvHa2OB5ZobW84s52Rmm3gtwlQP0fkBtrmqZewbYXSoULsceyQolesv3oDbdu2ckLrqNVPIDcN HeMTs/qptm72RMEG+tTFXmu/qlnXfkktt/+o61ppe4I9QXC0re9u2yofygV7KDqPIzPd5rOO9hTB Rs7Lgu9B13feQo/QofNI0tbuQNtXoW9G23mN0tBf6f2SfbOuZVujorddHTsra/zbvMtv+8K5z75J 17J9p65llQ/Fwe6K1jeKjoOGzmjrZdfQnGnvQqfSF+zPddeAzkcyioYEbX8IfQL8MKQeXoYNp0I/ 
nFCR0JNwxpxt3mbebz5svpk4LjErcV5iVeK6xOvDZg7rtSy21Fs6LOstmy09ljNqipqj2tR16tEk ShqWlJk0P8mVtCGpK6k36ZWk68nm5KxkLbkzuT/5UPKx5NPDTcMnDZ86fBGyPTX6ND0cPU5zoseF t6NPC+8DH0SfFgUgMXpcHAYMR79AI6NO7A+JyzvpESA72odxTrKj3wEUATtxLdHw6Hi6C2DaEzCm L26Mk48pQttO9JrQe5yG375BdwGp6DFxex4BsnW7sKO5DPSNwAimdzwwget3Uhb6csAXAAuBxdCc j/orqG2oC1E7MK4ISIKWHENLDrT0QUsf15IDLET7YmjLR81Gs5HMThWjnsao4xj1NEYdx6jjGNWH UX0YxUYcx4jjGMG8cBknQmxVIzAPW9l4jJwQDcbNlWNYmkNP4LoAdSFk7IBIX2KepM9wTz7NZ91J i9lJA8m7AHGoXaCfQ1biPrZx/x8nWZwWLRFnAYuBx6MDYkF0APtheHQixkzEE1IX4pyDOOcgzjni 2OhW8X4qJBmtx9F6HK0s8rsR+d0kofWFoSuTkBV9UxwXfU1MjR4UO6Jv0jAhI/qm8CAwHZiB3hHA aMAKTALSgAcgmShMjb4qTIM2OfoqsssJrU5odYqjMB98Cp3sLxJhLhoJ2dWQXQ3tC6B5ATQvgOU9 sMYJG52w0Qk9q8Wk6CYxBfzuaJ84BvVY1PeiHg9YowuwsjJxcnQBidD7MmZ7GSc8y2Jk6v+VPQqT ZpKG1DdiUjQcrc9j/NOw8Rw8cA52noOd5yD5PLxwDl44J94DTASsQBowGXggeu4f9A7NPhSHVz8U B8XIqZvIp5vxXiARMdmEWGyi+4ydwuOMnJuInJuIOY7DyuOwcqKQCUwHZvA8GPiIN4/Dm8dh+UQR 48WR0Vx4IhdereVeHY96As4FK/o+Hc2Dd54WP4O2+2lATIfcZLRPiebifhuzdAT8DmuN7H/6E2L6 USs+HNNR4B8f12YeV5Z/vfB+LzT2QmMv7O+F11+DVC883gupXni8F88EsOt/PK9SoMmH+fugzYdI 9ECjDzb4MPo4rO/B6OOwZxM0HIcGllk90OCDbT5o8ME2H6LXg8zHvqKkf8imj8ukSR/JJjbqFEad wqhTGMWieArSpyB9CtIvI2J/wIhTGHEKUfoDRp3ivjuIUQcx6iBGHcSog5jrIEYexMiDGHkQIw7i FIjte7bnLZ84LjYmTR+HWQ7iuWV4VEFGKvRs1Ec9QG90ECfXzmgJL314atsJj8+lHPHR6AXxCzRN XBgdFL8E/mXU7BRbEu0Wc3GSPQ7+VbQ5aLRYh3oZZOrBfTSNksVstDANC/nICxjZhZEvY+QF8TH0 PY5rnIXQcEG0A5XAMtjyKYwcEOdCYh7XMCB+gWsZgJYBaPFBywCf/zHYoWtZDQ0DYjHkqoA6cGZL A9AI3hy9gKfOj1k3ZvJhJh9mGcQsq8UFsG8h6i9DK9PoAC8CiiHzFFAGXglUAdWAE221qJeh9qD2 An6gGfoVcQl8kctXuksshT+duF4G34h8vqWwapjhoUHdQ+hfAn8XAMynTyGfnNwrF8hseCHmy0F4 4QL35ePg8B/uNPHe1ufexf4WAK6e5DOPpkRjxAVdP8BsWqr3wlcXELvRZOGxi0WAzbsE9WPwiT7X IPwxyOMFD+O5fvjt5ThZluNkGcTJMgjvrh7y7DxI3fFu3Fp5Ngwa2dDFtTp4DEuw7m6su1v0oa0Z d8vhQ/bwjIRUTNNi8CU8E1Yb99ZdPJ/Y6krgRawIbxqxJ6Bno92wrduIPMuxAXEeJHWtg9DYxfNK t6ULke+GLasR9W6xAqhEWxW3rUSsQc0iv5RHfzU80S02AR7AC/iB5uhqSoN3rsA7V4a8o1vRBSsu 
GF7qMjw0wLM8l+8J3c9PAiz//jdkdM/4xBL0l3KrusRy8ArUlWivQl0NsJysQV0LLAVvQO0C3EAT 4AdYfpoNrw7wmRdD45KhCO+CxgFK4HbFdp5u1y4jIweRxQv53mf57IhlNjtB2M7BWxtOlLg8GjC8 vAuxGzSygMVvhpFXJcY50IXs43FB7sei/RhG6Vk3gKiOZrbxfc72tWpEstvI1a64PbLa0M2yqsuI 3gW8WZXyM0I/rxqxkuGI9stc5im0lAClPL+ZPN+nbL1iPc/3AX6iaICPWzBIIzAaOwxg588dDexE e5nbyTy2dGhOXVMjtGvG2TQsdjZB06Bhx6ChYRCjmQ2DXFLEmEG+RxONGQfj7B2IO/kGmZ1Y65Nx e1tDhCxD454asvKOhfwEN05NzITzCfGFjmn8rChlvo87M+oM3cwekbcyb0p8BqaZnTjmOBv19cQ8 32B4n0m8bPTu+mgvX7WJR90Zd0INi+1p7nuWF9zvOGN1jxmrgeQISM6A5AzqwXiHcRbeGTGaj9Cj dA57Rh/JfOAzMixhyGPx1sdsSxyKfsyfd6Id8+UgVvCRXnjpKeNqGfdeHXZAI9+VPDbM27H4G3fX hiF7Yh6NWR7rZTOJQ+tNGLrj3Tl5SnDylPA7fiJ/U/g/vSWI9BD/b09EI/ERKJXYN7+T8ZHoQXxM NAMfGVIP4Zn4YXwS6BHKxvvNHHyG0ZfwsdBX8FHJTg688xXhM5x+jneoEbQPnxThAWEa3S08KDxI o/A+P4NGC28Lb9M9wrvCezRWeF94n8YLHwgf0ASR/dGUiaIsynSfmCAOo0miKiZRmjhcHE7p4mhx NE0W7xHvoSniveI4ekCcKN6HzE0VUylTTBPTaLo4WZxMWeID4gM0Q8wQM2imOFOE7WK2+Cg9LOaI C+hz4kJxIc0XF4l59HnxCdyLF4k2sZAWiw7k/2NihVhFXxWdiIpDrBVd9KTYJDbh6dMr+qlcXCGu oCpxpbiSqsUOsYOcJCgVSg/7lptO0kwi10ZgCwnuE6i3AtvBT6PuA3YBewzsB140cISo0Yn6GHAS OIMx51FfBK4A14FbkBEBM5AMjATGAlYgDZiKMZdRZwGzeZ/gvsb7BfdN1HOBHGARkAfYSGhC2BuL gDIiTzewDeglwdOPejewTyh1bXFnu01NLa497vyqYneF66LbxXHL7W00uzeDb2ssalJ5XdakNl5y h4CVrq3uea7tQJ97XnWme17jS00FLsW9wLXLvWBI5pi7EG3z0DZP11+9trHLXdzY4y527Xfn8/4X UZ9EfWfeUBwvdl1BDTSKGJcM2evALfdmXG9utLq7uV2sPubehjl24/rwUH3dfZTjlvsEx0X3aeB8 Y5r7RONUYLb7NHAe40835jUpHDnumzEeW3tVcdMEhsZA0xSOFU2z4Lf8xg73BraGxh2wcwvs29lE jQNNc5gvYj5ovNTkAErY2g0fQx76GazumzH/xQB/LWY+jPmN63rljj7XEaz/TJzf9rgLedz2w4Zj 1euH2j/aH+dH+MTFgPgWx/m6LT72nyDjbRyJdSe71wDrwNexeIBv4O0xjNXjw+IUDx4zsx432NRr 1P1G/Pph676Pxq8xC3Fi8ZqLGM01YsWwo6mdwwqf56FmQHvTqiaFwZBZyxHfzuK7CJiKfNli5DVi DN16ftv0Gu0n0J4Sy3teO3l9E9djUK9BnRJrb6xHfoSRGwzxXLvDkUOpyJ9Mjg7485i7trETvnsG 4NfV6xs3IafuxGol3y9FLAZN82PgOREDy43XDf4GcDY+92L7EPuO9V1qqsK1F3Ud4G686r7ceKPJ 33jbqPU49ML/h/i67uyTy8A1lvfw50L4LZf1c2x0z+R7kuWBaMT4AGKyF/vAqF17mlp4/vOc5Psg 
lrOFmI/Vk5iNejvq2NkQn7NGDrJ8RIxcLOd4Thl7X7vBdABXsMevuM9rt7HfjwHX9WuPCevIu3Ot 54dnEkdcrsTWxXPBrMedX5vZNfTHrsWmFAbEdJYnHWvnZ0JTS2OHJ4OtxTMT9mGferJRn2TrYueH exKHGHd+wXbcXSz8m1Pi35ma+belifw7zWT+beYI/j3mSP4N5r38u8v7+LeWn+bfGKbx7/syoOU3 4lsi7ifSRGkiidJ90n0kSfdLk8kkPSA9QAnSNGkatD8oPUiJ0nRpOg2TZkgzyCI9JM0iVYpI/0bJ 0telf6e7pdXS0zRG+qb0TbpX+pb0bRonfUf6Dk2Uvit9l6zS96Tv0X3S96Uf0CTph9J/0GekH0k/ pnTpWelZekD6T+k/aar0E+knNE36qfRTypB+Jv2MHpT+S/ovypR+Lv2cpku/kH5BWdIvpV/SDOlX 0q9opvRr6df0kPSc9BzNkp6XnqeHpRekF2i2dFB6mR6RBqVXab70R+k1+oJ0XDpOC6U/SafoS9Kb 0puUK/1F+gs9Jp2TzlGedEH6Gz0uvSW9QzY5XZ5KT8pz5BwqkRfIC6hGXigvolp5sbyYlsm5ci7V y3lyHjXI+XI+ueQCuYAaZZtsI7dcKBdSk+yQHaTJRXIReeRiuZi8colcQj65TC4jv1whV1CzXCU7 KSDXynW0XK6XXRSW3bJGX5O9sp9WyAE5RN+QW+QW6pDDcphWy21yG62R2+V2elpeIa+gtfJKeSV9 U14lr6JOuUPuoG/Ja+Q1tE5eK6+lb8udcietl9fJ6+g78np5PT0j40PflTfIG2iDvFHeSN+TN8mb aKO8Wd5M35e3yFtok9wld9EP5G65mzbLW+Wt9EO5R+6hLfI2eRv9h7xd3k5d8g55B/1I7pV7qVvu k/vox/JO+Ve0Vf61/Bxtl5+Xf0M/k1+Qf0t98kH5d/QL+ffyH2iX/LL8Mv1aHpQHabf8qvwqPSf/ Uf4j7ZFfk1+j5+Xj8nHaK/9J/hP9Rv6z/GfaJ5+ST9EL8pvym7Rf/ov8F/qtfE4+RwfkC/IFOij/ Vf4rHZL/Jv+Nfie/Jb9FL8pvy2/T7+V35HfoJfld+V36g/ye/B4dlt+X36eX5Q/kD+iI/Hc5SoOK oEh0VJGVBHpNSVQsdEJJUpLoz8pwZTi9odyl3EWnlLuVu+m08inlU/SmMloZTWeUe5R76S/KeGUS nVdSlVS6rKQpafSWkq6k0xVlijKF3lamKlPpqpKhZNA7SqaSSdeULGUWvavMVmbTTSVb+Sx9oMxV Pk9/V4qUIkFSipViwaSUKCWCrJQpZYKCp8ZqIUGpUWoEi7JUqRNUxa00CcmWREuiMMLyM0u/cJeK x1/hHtWkmoSxqqIqwr2qWTUL49Rh6jBhvIp/wgQ1WU0WJqoj1BGCVU1RU4T71JHqSGGSOkodJXxa HaOOEVLVsepY4TPqOHWckKZOUK3C/eokNVWYoqapacI0NV1NFzLUKeoU4UF1qjpVyFQz1Axhupqp zhGy1LnqPOFz6nw1T5iv5qv5wuNqgVog5Ks21SY8oRaqhUKB6lAdwlfUIrVIsKnFarHwVbVELREK 1TK1TLCrFWqF4FCrVKfwpFqr1grFap1aJzyl1qv1QgkJ4myx5c7zcyWeRyvLSKjGc3Qlnokr68G3 oNaAABA2sALoMNBJVJWO+hlgE9CFMXj2ruwBdgA7gQFgL3AAeAl4BXgdeAM4C1zCmO2orwI3eJ9Q 3cf7hWo8t1fexhwmYBgwAhiFdjzHV40DJhHVVgF1gJuEWj/qFqCd7qXZtIDy8GbEfnrHT23UQetp M95V+2g3HaAjdILO0hW6KZiEZGGMMEmYKSwQ8khy7HxykmPgyXTH3idxcjtWOU46NjrOgIUdbzg6 
HWfBvI5DjjbHYbA6x4sOv+MIWJljp8PpeAms0NHvKHYcAst1bHEUOLaC5Ti6HIsceFtxZDvWOBY4 1oFlOtY65jjWg6U5NjmmOjrBxjlCjkmONWApjirHGEcdmBl6kx31YKMc+Q6ToxBMdRTYbzocYKJj rv2KI4dE+w3HPPtZxwKwy44p9hOOTLAzjqn2I44ssL3oPeAYB9bvmGPf7ZhAJvtJxyJI5EHCZj8G HSaUi9Cah1ab/aKjCNKr7Cfta+1Yv3OH/Q37CufO/7F7osx/3oj4TxrpP9OTyH+eZjT/aZh7SEBU 2vBmrCJeU4nKkEdlyKMy5FEZ8qgMeVSGPCp7wwByqeySAeRS+UrUsLIM+VOO/ClH/pQjf8pHAcid cuROOXK3PANA/pdnA/OABcBiIB8ojGsvBiqAWsAFeIEQ0EZUjXfKarxPVuN9shrvkdVnaKo93Z4B zASyq5PtC+yL7aPs4+yT7IfsFfZ59lp7vr3Q7rJ77cX2EMo2+0p81tjX2TfYN6Ol274Nn157P/hu +77qRdV51TbG2E+Rwf9YoXhNfJdE8T3EwsRjofBYJPBYqIjFI4jIZ4cichci8jiNUZ5AXMbxuIxX HIqDJiIu28hq2Y7ofMbygeXvdL8lihhN+f84k0DzSOOxziDzP48TzgtzoVYYKAwXrijsKOwsfKaK /XSKWXxHfAfkunidBDlbziZRyVfySULu2cmkPIkMlC0/sfyEFMtty21K+JfGCCmX70Y/qcJuwpnj hK3OZGAkMJbEMHLNaQXSAOSsM8u4ng3MBXKM60UG8gwZG1A0BMGpkRgxkYhzUYwM4zU5y8BHgO+P wy60jQLG6WBtSFExMkkfz5FuIMOQnwlgpZF5wIIh+Ts24ex31gM4950BroPZzMcY85IT9wHnCi4n RhYbbR3/AnD/cD4TB9xDnF3cH2JZmMSnVgyBnD16Wxmbewe3jdvHr3d+IvT+AVaLf7Kt8u1p3awt 9ARau23rm/tbt2m5nuTWXq2geXdrv5bbvA+9DrTs1kpQ7tOqmg+1HtLqNH/rYd7Sr7mbD7ce1fzN R1tPaCXNJyDD5E9j7O7W81oL+GWu7ZpWgFnOawvBb0LyNCQLms+HybbVvymsaO2e5LDKW1K0Vc2X W7u1tc3XwmO09c2HUW70OFFu8QTCE2z7m2+GU7Wt3svhKdrGAIUzte2QmaD1+arCs7RdKOdoe3jL fv+l8HztxYASXqgdCahoOYZyjG1/IAWjNgbGhHO1k4EJ4Vm2M4HUcIF2JjAl7EB7CiQvBjLDJdoV jK0CTwG/GJgVrrMdC8wJu7XrgflhQrkQ9sNvYb92K5Db2u8RAwWt+zzmgKP1NHgJ1rg+sJ2tIq7c HujjHKUnj7ew1W1E+y6s6x9Kjy2wJ+zwFAX2Y71VgRfDW1AeaT1kux44Fp7gKQuchJ5PKLU9gTPh rbxkkii1LbzcjrGpnuRAVbhFcwTqYK0zcDG83VOP9j7NHxpWutszMuAOk2dswI/SHGiBTCBwPfyi Jxy4FT7i0SC5y9YeFFvPLy0JtEPGyj2gj0oL5IbbjZapgVXhVZ4slGs9swNrUc4NrA+v9+RwnfHl osBGeG9RYAsvGV/hv4p82+7bEz6m7dK2hk96OoLmsOrpDCaHSzzPYJY+rGhX+AzPt16+rj2IxdZw im6hlhu4gqxj7fs9m4IjW0/YrgfHhi96soJW+HBV8+7wFdsx+P+6pyuYFr5lOxKcCu/1MO7Zwbjt SPPuiKjdCmYhP1nsjnl2BmdHzJ6BwKxIsmcvLO/1HECed/O90+95KTg3MtIzEMxB7yvBRa39iNSZ iOh5PZiHsW8EbeH5nrPBIqyoz7aKceTqMW2/pxN8Efy5D/K7wmOWrmfccylYBnuuBp3YU9uD9Yjp 
raAI22xBLTLWM5LzG4EXI1Z4PjeSZrsVDITPeG4390emek3BcCTLOwxR6AZfEZntHcF0ekcFO8Kp Otf2BDuRCWzsXO+44DMYq/NJjNvWBze19nrTg12lh70ZwZ7W8ywfImnemWxF3mxo2AarysDnBXcM 8QXBnTgZmK9SsSJw5B64dzHj3nzOC7GiE95i6MnxVkAPj0skR3MEByKLvLXBDrS7uLXe4N7wBG8o OABrtwcPgLc1jwuv8q4MvtR6yDM7+ErrIe/KwIucv845dod3jaezdDfOhPZInndd8I2IzbsheDZS 5N0M/WXadltfxOntxkkygZ1gkWQuWc9miWjakeClSA729XmcWkcCmZEcjxmWnPbO5LHIMfjV8Bjv Nk9ypMzb6/OXTsIuQLbbbgW2RwKam+UDfH4j7PD2G36+Cst365ztQd3/fJ9O8O5j89r2BFKw6kPB 2+Ej3sMhE9Z+FDKbEdOrpSs9Nv/I8HzvoeV1YcV7Yrk7XAXu57yF8zvtR0MhREoLZJau1ByhEcic Y6FRyJyS0Das6FiwJ5zqO+Lb09btO9Z8rW3b0hJ2F/CdXN7e1uu9HOpu62dnbNtujzXU3drvO7N8 FeLIue06O3t9F5evbdvnu7J8fXi+77qvve0QvNfSdpid/G1HcbqqbSc8OeCnMXZjeI/vVvPptvNo n9V22duPk/8a2rcgB7YFB9qu+cXlW8MbvUfh7c1+M9oNDvtnhTcuLWkRkdVHAn2Rs76LLWbMu7El GZmf0zISJ0YZO8e8I1rGYl17GLetD43DLsZc7PwMTUI2nkDm7Paexr2p19MZSm896j0dykBWnw/N hOcvh7LD7d5roXmt27w3QwvgpdxQdiQNfluMnNweysepshCSqeyuEQnbVoUKeUtxZC4kKyIrfBSq RSafDrkiHT4l5I10spMq8oxP9Ze1HvKlhEJh1VscamN3KG86LO/0KZFNvjGhlZAsCQ6Eb/kmBCjS hRnXIFL+0LrW077U0Abc6daHNmNPLQy1ISu2hbojPVo7u6viHpQaLvFNwdml+jI9Z5HJJm1jZAcy +QROoa1aSWQn45EBzL4Y3ljbfD6y1zcr1Bs54CkLbYu8BG/0R16BnlmR13Fy9kfewImBk1Dbw+z0 tbRY28divdRu9Xe0pLWn+TtbprZP9T/TktWe5d/UMrt9tr+rZW77XH+P5m/L9u9oyWnP8e9sWdS+ yD/QkteeZ9sfuhxO9e9tsbXb/AcCF9uLsK834QkB92uspbClCHwL2+/+ZMSu3/9SS9nXHJrDtz2y iOVP5Abi64wsYvEF39tS316m7WnRcD7sbwm0O/2vtIRh1euwqt7/BqzS/GdbRsbOENv2lhXhW+yO 0B7A2LHhdpyouNtirg7kVSf4HuQVOMur8B7IdIbb9fzxHuWc3x99F3G32uJd2ZIcXhXjgT1t+7z9 LPe8xS3PsNOAcW07eCr0bGq95r/U0tUe9lgZ17a2dIVneRe39MTyE2OHuOZu6Wxf4TV5b7Z3aFt8 eyJO/9XlE9o7/WnBHe3P+G+07EAObMcJM9J/G08+fb6tuA+msti1b2Kxa+9iu0NfReSs93Jz/9fW sp3LvafvjpPh1GZTy07kzC2sdKNvQrAnclbbGOqPXPLNQSwuaQvxBJXqm49MuIrzZ1ZE9OFpMHID eyfEcj60m5f7IJMbOhS57ZsfOtRmYvIoC1AO86wIHS4dAflsROdY6CgrsfvG+BwBahthuxI60XqT 5RLa+VysbBul9WkXcXqU+FqGyiptYds4vdR2eTrbJiHzT0e6fHWh823pvMzg5Uy+X5zcfud/k/c1 UFGlV4LfexT1w59lQZBGJEWJNKFpmrBQASTIoV6MvKoixIWqghjaJsQQYghtkL8FpAswrmtcYojp 
GKeXsR1jeoxxGOISxhjadljC8RhC265LjEHbsBxjPMRhGA8xsPfe917xqhrbTmYmZ8+Z8517v1v3 3e9+97vf/e73vUcVT4o06JFBj3va5vfdbGpuW8T8jJHZ1NHOvAVN3Q3FgDuaEl+Ka7jVrvVuJWxB 3GltOujWv+KCyLTiSME/rQ332sO8DrCk1Lu9qbdhZ1Ve01FY0bCm2k0vLTYdb+r1ehruNvW+tAie vN4Z79a3x4A/wRuvtDaVtseDhrn2xM5dTdtgpbc2ngI7W3G+OhcQeysbjv+XN7zVmIe91U29IONq rMSZBTsrwJJJ6L1WOpWBthTZnvqmE+3pMFI4nXobm067jkLvwH/pQFNxu9Xb5lpoa3tFaOp2nX7F tbcKdsnEprPteV7v3oj2Qu+BpsH2bd7DTdr29FeONA23F4P3RtpLvX2AK7zHGirad0KWONq+a988 ZEhv592m0Tavt5/2iEXXlZb5LtYcAaf3RcgSE7Cuo/a2ek81x7ZMdGlhp2vtCsMTeJfpS3hH0N9Y CVf78TzfFYN0VzzRiXurkMYdsyvFtQAytch/JaphBOhqzGxd6Q03Wha7GNLAJ3rvJbwHaTbjaX+v 0NbWZYW1w7zVjUboa37vFNqDa6Qrr+k02FDYnIT85lQffxvxi4kuRdpb23i4ZfwlC94veLfuNYP8 bHMGyFQ0PoA9ax7HAvsU0F07iYYMjBoaBpvveyeas4He1ZzvOti1m/i7kN+1h+hmktnaLLQd6Opo FtvPdp5tFtoHiR4GWmwf6epuLmkfBZwEe/Q87acjsMu0dR1smIQ99ybReURfJLqX6Nq9Ue1XYE+f gdx4Uk03XgcfJjW7MJIb+8Hmo8072rVdx4neRvQJkJ+EHFu1t6brtOtg+2RXYnMN0GeR3zXYXNek 7Tr9HnqY5EeaI9pvwLxnuCa7RiH+b3RdadjlutI1qaJvEH0Laa8FbM7tugtRmu6NJroUaczJCt11 D88ncIa0tIe9MgX7WhucARraw7rmGsfxThDOMLc6d7kGm1/rWoB1dKvrMZwHbqL83k6YI3+azgl7 OzuPQ5xcxDPP3k7a0S5288383s5uPdJdV4iOcC00aeFUk9F+tzuqubX9Xueu5s72OciKt9oXXplp 3t/+uNPa09jT1uNtadtn7Cxsadxn7CmAleWFaISMBDGDd5FzmLE7K5quwGoSJdwS0nGh+40WY8el 7nMt0a17us+3xHWMdV9osXRc7b4k3SO3JLcWd4/hnWb3VbyL7L7WktZxDU4F0h0u3dvKd7WqO1b5 XpXuUlsyO6b871Wlu9GW3I7p7qmWgo6Z7umWrR33u2daHB0Pu++3bO941P2wxdPxCFqRnpbKjqXO mJbqfZruR9hv9xL1m4799mjku2m8d07He+eeELSkx0iWpK9Y0hMtjULKkHin3BOH98g9cdK48M4d NNP9NeYlbAtxPoo7SI8Fd5CeZOT0pOEa7Iluqd1b05MpaztOdtbvC+nJbfHui/a2SU8npCcGLQea Rnq2NpTCOWeo5fC+uB6H/CyC7vpb+vZZera3HNuX3OORnzmQ3+SnCnT/3jKwb2tPrfzUQno+INHS 8wpo1bWtpX9fmvdiy6l9mV0nWmr35fZUtpzZV9BTjf+tgn51yFS/OuTpV4cafaHew4Lpl4Zx9EvD BPqlYaK+Ud/GXtDv0/83ZqVfEdroV4QloR8JTWelofdC77Md9MvHF+l3jp+DPjJYIvs4Y0xgn2Wx rIq9wjLpPU6lrJd9g5WxfvbXzM1OQSlnZ9g5VsF+zIbZi2yUvcNeYtPsN+xl9n/ZfdbEFtgya+d4 LoV9jTvIHWLnuKPcO+zvuV9xd9k/aWo1X2Z/0JzUfI8tay5o3uSCNFc0b3MGzazmt9xazUJwEPeh 
4MTgTdxG7UHtBW6TdkT7JufRvqV9i6vQjml/wX1G+791Wu7zOoNuHfct3QZdPHdSl6Dbx50y7DPs 54MN/9VwhA83fNtwjF9n+CvDGX694YeGcf45w9uGKf6Thl8ZFvhPGf4QEsV/Ef/SxHeFRoSu4btD TaHr+P2hvw6d5Q+F1Ye9xh8N++dwnv/H8PXh6/m3wzeEb+SvhaeEp/C/DH8+/Hl6u3Upq6UnpfH4 ey3bUYDjACcATrNY23HbCdtp21nboG3YNgLUqO2KbdJ2w3bLdtd2zzYH9YLtscALeiFCiBJiBbOQ hL/9o7llepvexni9qBfpN5ImPpVPZYzP5rMZx+fyuYznt/BbWBBfyNuYhr7PpeWdvJPp+DK+jOl5 N1/BDPyL/IssnK/iP8ci6PtcRv7L/JfZWn4vvxd0NvGtLJK+z7UO/J3IYrS/0P4Cn/ezG+wWjcyE v4i0VbMqW7Wt1lZva7S12by2A7bDtj7bMVu/7ZTtjG3ANmS7aLtsG7dN2K7bbtru2GahfmCbty0K TNAKYYJJiBHihUQhRUgXrEKeUChsA55JKBZKhQphp7BL2C3sEZoFOMzbFlcKyWCZExaomHzlsVwO Cr3C0U/wwnEAJpwQTsO1s0ANCsPCiHBPGBWuwKdJ4YZwS7iLv6/T/Q14M9ovzvF/KGSyeojaXNYC MV9IcW6H+D7HnBDhP2bFEN/vsE/Rm9RKyEef1m3UbWLbdc/qnmVluud0zzGX7nldGnPr0nXprFxn 1VlZhS5Xl8s+o8vT5bEduk/qtrHP6j6j28Fe1FXqKmG9cOw4rCT0sgVfkQYxw2xnAQYBhgFGWJ5t 2jZju297aHtkWxI0tkdCiGAUooU4wWJ7KCQLaUKmkCsUCFsFB+DtAB6hUqgWaoV6KI1Cm+AVDgiH hT7Ax4R+4RTwzgBvQBgS2mxTtqvCRdtVKGNAXwN81XbOdt52wXYJf4uof1m/l35tGuLnrRYomezn ULLYu1CssOp/wz7GZqFk60p0JSxHV6YrY7m6al0128y4sPlw+m84LAXfAVcaARDFONcc1LEAZqAX AB4HZZTqXXcJIlz3CJCOcs2VxroW6LPZ9bg0yc0TP9WtL81wRxAfryNPkVPaKXS2O8qnG/nYFgF1 KTTqVuh8dywBXsca+1GuKSC4zXRdaYc09oe1AiL0J8rjwb5LoHaBjVgH6lvNJrVtanhS20DAse5w J5FfatypvrErdqEteB39o/hVXAWqoE81YDsFcCwKKLahz7Ad6qyDPhXfKH2r5xB1yGMsCHFn+Pmx RK7xuiKv1HitwZ3t862iG+tW2QakO935VO93Cz6/K7XSN37G+VRqxUb0F44Jx3DILb6nvTI2pT7i Lil91e0qfc29w89O9VgCbRUD/KDUsSrbcDyK/wJjoUpFq2NWL49B8R/yFB0n3VV+fSh1xBPGr4w3 ImD8ymeMH6SVdtCXSyvxAmufzBvumtJz7rrSR+5zpUvu80/0y2p16we8/jS5P6WfKtm/ip9jA+br /erWlc+uMGncT6p9fgnwtcsk+elptW/exVVq9TjUsY/1eXeDL29ccLeWXnJ3Eq3USk5W1ueYe7/v 2lX3IeoX417J19fcR0qn3K/6fKZfiQ2qp92v+caI8jPuk6X3Qeah+w3fOpfblGncF8pC3JdIjxKT UJcZ3WOooyzafdUXr0ot57qyZPd0WZz7GvkwxTPkSvdcdFk9l115nnHM665CzwTxtnmuu4o9N0mu FHIi5svAOQYfumJAfyAf1n9Zv2c7xX3FSh++Od/puYNj8Pn6abFXFbC2A2MqMF8F5iXZR2iTa5dn Vskhrt2eB649nnlXs2fR5yulz8B8rMTNavtTAL/M4p4iPyOkuWfKMt331ftUWa77YVmB+1HZVveS 
ny5lnwUoc3g0Zds9IUR7PEbacxVQ9FR6oqmu9sSV1XosZfWeZBr/E6Cs0ZOGoMRdWZsnk2qvJ1e9 l5Yd8BSUHfZsVe89ZX0eB9XHQAf4keZXvbcnSXFQdsrjwfHSGM94KssGPNXUbshTq/ZX2UVPfdll T2PZuKetbMLjLbvuOVB203O47I6nr2zWc6zsgae/bN5zqmzRc+Y9uXC1vU/ZU9R5+El1YHwF6lP4 uI9VqeJttbzfuop+JScq5wNlnShrXq+KJZTDWIyX9+f8ldqVKM23UvvgaeN8Qq71i2V1raybiIB1 FLj/qXIpjUdV+/b9gJzkVz/J3pIAfwb059srA/fVwLpOle/UtTInSr5Olfz9lYavtCrrzdVRznAd uLrLta6D5WEu5hkg6C03IfjO4Yo+RTfad7Q8xreGsR/1+VhZf8rZWG5P+Rv2Cdfx8njfukc+rDtc f2p9rhPliauevWW9rtPlKX7rMCBHKbnIdbY83e9MhNcwJw6WW0v15XmlEeWFruHybUSnlheXJpWX luaXV7hGynfSZ7heKpTvoutwzXWlvJn4IEO1rINoc/lukhkt34N38fqv6/87Y6Efpf9c9bvQ3zH8 j6xJf9nnK8FBbJmeo7xIz1Fe0o5o3+L66AnKq/QE5QQ9QZmkJyi36QnKu4Z9IVF8IT0XuUHPRf4P PRf5JT0XuU3PRX6Lz0WCYvG5SFAyPhcJ+gg+FwlKx+ciQR+FO9qT7I2VpwdWnm2z5lsFq2gtsbqs O6yp1iprjbXO2gC4FWje2mndbz1kPWJ91aq3ZlhfgysnrW9YI6icAzhvNQO+AOWSdcx61XrNGpHp tU5Zp60z1vvWKCgPrY+sSx/TWGOpmK1J0AuWDNKIn2IJskE2w4qvCOX05fj9yYB721aYkXa2D+5q z0LJofvcXPYLNgl3stegfJz7GTfO8jUTmrdZAT6vgpYc87BK1XjNzCJbkAH9SSPPkMeujLxVNeZD MGIc7zkY5xtQzoNUlfUC2YhP/tbRLxIZRE8S8JKh8HAvjf9vNxWKhqWxF1gw+yjLgPvrLJbNDGCT wMLZVigRbBuUNUyEYmQOKGtZMfsUWPpptp1FQcx5WDT9l81Y1ghlPeuAEsc6oWxgV6DEw9jfZh/m IrgIlkDfDu1YGWvR1aCMoqt5c0XXiqaKpvMPF80U3c8a3zJSdL/oYdGjoqWia6Km6KEYIhqzPKIx 764YLcbl14oW4CXnO6yJeffyHotpYmZWv5iL2Kq1snyHWCBuzerPr80btTLRUTST3/ZCtbi96GrR VdFTNE1ajaDfV8R60ENlS2ne46xxsRG1KMXKpJI1K1ZCy7Z8hz0GdQF9QDz8QnV+LdDTBNNitVgL 7TUwnmvYC5W+oodgnxHtBiumthzNr4VWh0Vv0YyYBtLHxP6ia/kOhKxZ0PNQPCWeKZqyJhZNiQPi UNF03j3U4IMlKyMAeTEENIeIF0n7ZXE8y5M3Khph1AjQmwwT4nXUq/RCGhUAGxDEm1DfB60AYp/Y iAU9Id4RZ7eMiLmbwUYxE+QeiPNg4aKdKdrEELsW+/frG8AeZjeJ0eB9GC1YCZQCyKGWIEV2/Skw bT/uZ78f2I9njWf120/YT9vP2gd941XBanzk2YdXLPcbBfDtIzjLEqAN2IfP/mt598Rke3x+G+BE iMo20jpVdM2ekjVrT7db8+vteUUz9kL7Nntx1njRfYpTZi8tWrJXgNRO+678PtFr301zuGjfY29G T9o77N0QO5kQuTCH9oP2XogOj/2oWOCsdzY625xe5wHnYWef85izP6vAWSC2Fc04T9FsQg/OM84B BPtB5ykxV2qB15xDL1RS7Pi8KXlO7MubxBlfmVNRA7HVB+tuFmAeY8t50XmZdI87J/Lr8+ay6ilW 
j4n12AJ9k3fPmphVAMXjeMNxTqGpFDjOQ+ykQX0B4BKMn2X1YdlydstZx5jjquOaY8oxbU10zIB/ Chz3HQ8dj7aMbhl1LIle8U5W/8frHHy+w6nZnOwMcRodNc5oZxz1UG9NdFpgdV50JkOsQx/OtI/z +QX2PbSeoGdnpjPX3gu+q/h4Xd4VZ4Fzq9MhLjq3Fy05PThLzkoxE0eSNwczOGq/Yp+03xA9MCpY gfZbAHftN+wwMvHYZq/PX8fsc/YF+2Mcff7hvMeK34vuO3ipFjMdekeEI8oRi6tI4W3uB92LDjOC Iym9w5HqyCh6ZNX6gNa2vduRDX0WruQF37xoILch0Lp35AMIDjG9A2PHUeJwUQzJNEXRDUhgOxxV 9j2OGnuho87R4Gh1dDr2K9ENGdUBsoeklek4Atm1DQFnU8odDt7xquM1x8m80aIZiP6HWX0vTmC2 dV6HebjuvOmsdtY674hbMR+CjQ9h7lPthfnHxGTIzo9hTEwsyOqXsjHOj3NWPOa04MyLBdB7svOB c965KKYVs2JtcVixSSx4odJ+sDimOL44UfQUpxSnF1uL84oLi7dlFRQXF5cWVxSnFD3M74PZMmLO hZwN2al4Z/Eu9AnaXdwsZUqMYJjV0eLdxXtoL/z8f6ATVA2rp2fm+D/lWVoj4wCi0vZAaYbSAWUn lG4oB9OupPVCOQolBcpxKAehnIByGgryzkIZhDIMpRTKCJTRtFH875b6F/U76b94foJ9EvxaBAs7 iDnhdKBl/xm8Fwp+/iyLZFzYbNhDsoj+1pUzyLi8PKiHoS4Mysg5m/OYYFAGpIcBRuTPowBXZP4k wA2ZPyLzRgLaKfQtuVb4kzJcUdGjKvquDFfk+obqmgL35OujKl2Dcq2AejxKrdgYqG81m9S2qeFJ bQMBxzon97mgGrti14h8/VaAvYEQ2P+ICgZVoNh2V253Re5T8c2kiq/M4YhqjI8D/KjUkyp5pYZr ubzKt+prig1Q5+rlOkJlw2BA34PyfCq12vZRqc6NWqX9cI7fGHNjAcwASf52+o0l0NZAPwTWgX0G zoUa1DGrjEHx390VHbmp79PXauMPtCGwvqWaB6V/hRdYyzK5GQDZAJ0A+9/HL/+/1Ip/lfpJ8/WU 2jfup9SBPlb89LTab30F1pOr2K/oz8/xrZ1cAUCUaVElp4rl3BKVjEvST3Ev5+vcHQBVKp+pYwPn vybHbx3m1gE0ALSq/K7EyiGAIzm+tehbk6/KtryW459rhnN8uS73HMBJid58GKAP4BhAfw7l9c2n ZN4ZgAG5b8yJC6vMoTKGQD70tTlZGpu6D+X65iFpDH458GmxFphv3y9frZaXRiWbNl9c4W++DDAO MKHy1ZPykDLW1fanAH7uG7KfEc4DXMjx26dyLwGMAVwN0HV3BXKvAUzJ9LQ0Nz5Q9MzI9X2AhwCP 5PE/AXKXJFDibrNGrkNy/PbSzUaA6By/PL05Tq4tsh+TVWNXAHy1OU0aL45xcyZArtyuwN9fm7cC OAC2A3gAKgGqAWoB6gEaAdoAvB8gPtR7yvvl5Q8ab0qtrK0n7T1PqtW5Ub3WA2tlzp9U33gCPK3/ p+Xe1fwXuH5W2/+fVqty0ar1nzI/ar1P2DNX7X+1elLVv8rvbmWecA1cl9bB5psAdwAOyDArge+8 qrRXdGMsP8hZWcOjOf7nY2X9KWdjuT3mb9wnNs+v2EBrL1paf2p9mxdzVj97y3rzWI7/OgzIUUou ytPm+J+JJqV1nBe2Mr48kyouZLm8mIA4kf2dl7jiS9+8qdcAysTnPMbvPdFbFth/nHtNrhf/Cz8L 4yLwxSYpIwCjAFcAJgFuANwCuAtwT/48B7AA8Fj6/Bwvg16SeS4CIEoFsSoZM0ASQCpAhtw+GyBf 
5gt/BogAJSpwAeyQ7agCqJH6Iqh7H2hgBSnNKR0p3SkHU3qfaU05+kwDlpReVTmuUM8cSTmRcvqZ Q/L1EwBnnylJGUwZfDYRMdYyNSx9AskTJIdtR1JOp4ymjILEFVXBdzCY3vtNX3qziIbeKfIhendI NL075Bl6a0gcvS9kA33H10zf8X2e3hHyUXo7SCa9FySL3gtipTeCZNMbQXLoXSBb/uL9cZyJk741 O8yeY+xZiKVnFwLgsQyFUp0McZMMsZUcoQKIq2SIq2SzDLwMSXKduqKLZGHuk7MlIH7hCuA1y9hT 4blne589GlCOv4fz/vxVCr5NkL7JzejNMdI7Y4Lpm9wh9E3ucHpnTAy9JyaO3hCzgd4NY6Z3wFjo 7S9J9MaXZHrLy0fo/S4p/256OXaWDa78DWhDH3NumtowhGXT9AbPpplN9zc93HSfPj/CmmBpw1CS JilElhpKMiIfS1I08pIsUIxS2TSFRdGYFAcaffoIL0maFD0bPKQhBGROYTvkSz1vGMInhzz6WMv3 8z+BtP4m/48snv9f/AzbqG3SNjEbZk8mhP44dIR9gt5YEwNgkt8Fk+Brr4H2J6H9KX6YBfMXQFcs tYkDiWjCsj/WpzEOAd/6hBjfZsSyWb5KIoaZYiZjJtfHW+osDevj1yeuT1lfDCVmfXrMrfVWgLz1 heu3kY5X8Ru4/Pf470HfP+B/AJwf8j9kPD/AD7Ag/kf8j8CyfwBrgmFMY0xPowkBy37CQkN/CvYZ YcUd4Mbo2d12thYiuZOxD7sksOxfodVgObQ6H4CzPGROi8MyZL5ruWhOt1zG+plqy0CC3jL+4WTL BNLK59gUy3WUsWy33ESexWO5g3zzLcssyURYbloqLQ+wRlkES7VlntqArKXWsmip38gUoLbpGwsR UCeBZ6MWoNQHYJsCYBv0vzFRtnHecnhjikRvtFpyN+ZBf5eprz7SEybbNSTb9EBlz3XSXbuxwnJs Y3psysZ4S//GbZZTG4uV8T/jADsaN4ZZ2jaaaFxeGK9CH9gYQ/OI7wRj9AYtzlBh+CzjDS8adjKt odpQzfSGXYYvMIPhi4YvslDDVwxfYWGGPYavsnBDo6GJrfnAMcxxZ+idZGGsEc4tLAGyYcJ5GS4A XJIBslrCVYBrAFMSbNgF9YxUqyHh/godP7UC8JmzRBPtNGebs+MnYqLj4xIG1gG1rmRdSfw8lIsb ooBaXFdips8JjpjoD++Kj1t3HkpJwpBZMFclHIAr4/HjKANSizHR685Di/MxcTHRMdEJFxMOA3c2 JtosxN8xu9bVxE+Yd/iAdJoPIcQPxC8imIV12WYhYcIH2StFsjH+gWSjuQTatSb0I50wlHDKnJTg gKtxkn1om2xXNvQugmYRLQLtsj2gG+2ZN+8HOy+DFeNod/yENH6Qq0noM1eZa6A3aBs/C5qATjgG nxrM+F6VMP7rPORo/tv8t5mB/w7/HRZiKDeUQwRUGiohAj5n+BxEQK2hjkUYXja8zCLprWdRofOh 82xd6ELoAouh95o98yflOHyjWQlAHWU5C/3GpIK+y5AnZz4LybXSNw44tlUll8F24dt5fHIcZKPv QkTzkI+of+otnnrD9+nqKdIZRbqGIl1Lka6jSDdQpIdQpIdCpDeycNKEY2A0hmAawyay56hs9xnq eyPxvGQ1x0ZUvKuy3Wq5YbKaY/UyD/971r/G9+j1mCeOWkuaGGniSBNPmoJIk5504JuWg99rA/US SvojnugLnt75hd6Q5iGRxtgs+6Lex+PZDnkW1XK7ZF9sk3l/ziw9bd6fZPdRNqSyW+INs5Oq2JN4 dfIsqnlH5FlUeP9Wc/hBZuFfM8ur+YJj59kVOhXE4n8fj9ruA2eUCCU2qiTKFbUDcBV82kG8GsIS 
LcJVMaoOSlVUA31GWpRLJxQxar8MokqjHopIoOhTNKn11FGNV1qp/xrpM47F8JLhJRhzvQGizLDX gBHwgfcmNkAzKP9lM7IS4BRzRp6AUkj4tK8+4SunI8/66EEogE0DpsOmeiwqyRHTAIHyWdJ0luoV DWd9miQ9jZFhEsfkAbhsqjZdjhyOHEZsuoxRbvi8oebPHaHpAcA8c5rmTAumx5F8pD4yIjIKMNax kebIJKJTIzMA85HZkfnAM0cKkSLQJZEuKlUgGRtZAyVbLthG79NYF9lAODayFWRQm17W1CnrqTIt wDXk6Kk1gkBXdtAIqwwNf8L+wcP5/zplV2kdJuH/z+cyuGx2CT6/6sdN5tIoC3v9uPFcIuXy3X7c KC6WdcJnlx83hDPS7ywL/LiM07JS+Jyi4vJsgc7ZUT7eytievsJN/An+dZD4G/4UZLbv89+Hk/UZ /gy0PMefA98M8UNMB755k+n5y+AhA/9zfgLyzyT/Ngvn3+HfYWv4G/wNZuSn+Cm2lp/mp0Hnu/y7 kHOGQ4ch5/wETuUfglP5TyE28Gz/DcJfJ/yd99DfUNFHVHSfiv6WTMPYOTMH4+WU95Q+S7wYLh4+ zfnxjBz2ftOPp+ci4NOYHw89zMFMq3jsEVuCT/1+vDnwOgd7kZo3yx7QbqTmTbMZ+FTtx5N+Z1ri x5ug2Mrz44357QUSb4SNqub6WbpHw3lllJM5ysmYjXfTjufnVUPte7x6RMX/JtFVKrpS5fmvqzz/ jRValvmWqu23VDol+kt+sybROBYLfasT7yOl0SSvSIP90j0o4gHAISwYTnshPq5fvglbYixcw5zh LFwbHgZgCo8JjweMdSJ8TglPhxITbgWcF14I/G1QTMAvDi8FCSy75TqR2qlLPMiZoK02fA/oaIYa ZcLkq3kAHeEVdE1qjVBBJT18J+Cd4btU54YPej8TwZXSCPfAuJkpBMCoArj/MIHfTBYAiBBTmsxH uf4AOCXXZ2R6ACATIBegQPpsPMqcId1rp9eWAJ5Ze3/tw7WPoNxfu2TShHRjMYWsXcLauG3ttMm4 dsZkNEWbjCD9EIspxGQxWUjOKBWplaLRlIwaAZM+UxrqQk0rekyZoFezdjpUBDouNDVkd8hxUxzg 7pDd/2Ynng+6m92hbBFG3yVmoekAVoA8uUYoBNgm18XyNZQrlaEC/NkRmgTjOBiaEZodmh8qQBFD S0IOhnRgAVqkWgCpDChJoa7QHfQZCtQlIIvXd0hFbrWisU6tD3XJmhQ92aFJIJmEukKaQ3pDekOr Qmug7gjp/TPvT/6syF0Da9MI+dkIkWmECDVC5Bohco0QuUaIXCNErjFTlnMAwGnQ6AGAU5IR8qax FqBevtYIAFFrLJABPmd0MKdufE1SxFHAqWuyoeRDyV4zvUbUjWNZU7JGoDp/TdIaF8i41uxY46LP WOrW1Kypoesuqcit/DVmgxTpQ12kaUVPNnwSAfKBrtLv0Q3o7qypAjyuG/iLRy6+j3dRdQLA+x3t Uv0f7yrlKTsGynM0e5iDx5azlZwc1K3tBXpGi3M7oztI2IN83QXGaTqCb0JmfqDFXWwx6Brjgm9q 4S5ZE4t8Q1rQLON0cRoHcO5o90OMVAYzbLuMO9wMYpCA/M+JtAvMLNUjjTioGzlB3X+cQhnEmg7k 8BdIchEx9AFY83niP0Cs2710AvjNy7CbB21HzKUu1+JJQXsPse404QTilBLuJYz239Tidy/ntOWI dRMk2YM7lHYa8FEt3sll6PTE300yiPsJs2C8P2V4FeTLiUPPEYIHiYNtmeYO0RHEv0nyrxEmDXJf 1wmjtxep1SKOiC3iKIC+hleX8glnEqa73yWYt+VI1Lz0K9Jv0PyUejwPnvmBTgD8OuE+Lcw0/ybh 
B4SnkB+0HumgEeJMEP1zwinEeU7zFmCBcJGEkc8tET2BmLtH9JuEGwnnSjKkJ4z0bEH+8u/53wPH HAyj0xzWwHk5OFUDu7rmd0hrfkr8JsTBn9G8AfQS0lwr4qBiuvpd4jiD/wGObSaS5Ah/mTRcIp0e wuHEaSU9f00yIYQjEetE0vYuYUn/iaATOHbC/yMIoj3oneAB9Axy+O3B40Df1WwE/D+Rw6Vq8Bz6 AuIgK9FJKK81yRr+FvBbyOf3aTYA/dkgsIf7Z00W0D+hVt9EHPxVoncRPk747xBrK0nPY8Taaeqx DvkaLfHvkeR2omOoLzPR3SS5WZNMFuJK+T3ioEnEGuLwLxPdGXQD34JOkpUkM074DGK2nnNhFBE2 ENZzsBKXH/A/ov/Mko5rlsP7oJtB69FyvM/hpnn0wxLioPWwLjk+HWn+NaJ7grZhPBD9gPCvkcO/ TngCOdwG4j9CDFkFf8G0iHTQLsIpdHVCE4vjlfQgzZ8m+guEp0hynOjXCXsIP8dBtuSLyZ7nCOeS tRqi8Z1iMCLNOcRE35Y4aAP0jjJbCHuIP0dt54nza8TLc5oM8KojuA7wOVz7QV+iGdlL1u4i+ptE n0AMMnUU8yCpuYqYf51apRAnFq8GzZJMg8wZpEgeRC+RZBhxuhAHf5XobJI/QthFGkaIrsWrunUk c4TwR0jDN0nbEmWqZbItDDG7TTrfIptbpbgiP39B85+A1lGMRQa/CDIfo1Y50hgJb0O8fAdP+Pxr lOejl39P2RvzvxlpbgNdfR2v8h6i3yF6gPBBkt8t81F+njjphAXCpqUdyt0dXMU9ZZLkk0hDErW6 R7iJZJYIf4KwdO/4FmF8WwOsI3yiCDP9RcCHSc+DpfM4dpK5SXtKPdLB1AvIo2Q35me4l4Z5h5VA uxtizYeJ3ku4lSRrNN8Fyc/gLsC5+Byk+e3gpR/xnYR/RPgueeM24LsUV+E8ZCGeo9W0nfCrFHV2 zW9xv9e8C5y/Qs1BZtLvIXoWMTdPnAvE6Sa8HbEmlvhJxDlP+OeEv4Q4OJlkvk10FNHniG4mnZeI 4yD5VwnXI2aLGnyqOUb4a4i5GKL7EYNVSN8mfJE4caStlyzRyxqQQ5r5dKJTCV8hPET8PsK7CXcS v5LaMrl3pMlOdpPwG4TnZBnERwkfIlyHeHkn0dWE81BPUCZppvniTlJfEzTSa+SHrZK2ZdrBIcbx PPNj9MbyORwX4QeIgY+ZZBAxnEOQc56uXiAsEL+X8DRijYNkthM2Ew4jPEvyr5PMHdI5Rq3mCccQ biOZgyRfTzKPNZCruQzNL4D+p+BaopcAm4ONGPkYP1ww0lxUcDzg0OAwpDV4jrytxWcpN4LxTHJP G0beEwE/jzsOW695ATDtd2wL0Qbc3ZZ/QzImTSfJJxFG/r8gBtpBOIpwNp1z0gl/iE5ELxG2EL4M rYYwtoHGd3Ksoz3UExyEHsMzJLtNZ61+wrelkxjazCcFUwYIHkOMpzs+Cc+rXKU2lfA8YuJcQknu EvEvEX+eOPPEmSfOpeBqxHjW5eYRgw2STC/JjxFf0jZGenpJBnv3kEyqpJ9keonuJc29yGGLNJYx wot00l6UrEX/8FtoLFs0/4IYWwFGDanUV6+kn+w5SbhUpvFqKUrCbkI5lux5nWx7HUcEdCrlfBoL 9gVnhnqij6M9kMMgftincfbpLy/3GP4SljErYbTWwP6W8F7MY8s/hLbfp7waCdkUNCzR7kC4lziL iLlUicbzPJxmz+NVpLlUCUsndmqVSvcCvXR678VzL2DMtEnI5z0kM086K0mmEu9ZgukJWXAU6gFc S7m0AluR5Dz1conoY4QvUY/HCM+TzkqycI6uNkmYWjXR1V9SX78k+2+T5G1JJ57AuUrJTvLPosSR 
r+IZfoxajSEfruYTnU8jDcP1/sfTyJF6Jz2pOONsjloxega2lTBb/hngqOVJwPHEiSJO/PIf4Pw/ ghxoj/g8Yp6es/F6soqeesIYkZNOdKq0e9JVel7J9xGekHZqutomjUjaW4n+IWLwOKzlZRti6Avp WMSgDfttJPwy4TrEkK9+hjOClsO8hBBNuz9azleTzBDhXpmWbMaMcYjwDOFJwv2Eb1OPNUTfZHSX gTsm+xpH9626Kso25EPKhEzKKvStnueRs/wAOZAZcDXF6PBbK5PkeYarBrITZSRtDHk+lmaHopoy Qy/OHb8F1yyszV7M1dL9snxXK60U9NVx8p4g+/AonleJDie8hfBd8vY9og9KJxDCHpSH88b/Y+/L o6o4tvXrdJ3qc4QGB1ARUREnVMSDogIqoiAijkE0RolBQBRFQEQkhiigoFHUOMSoQUQc4nWOc+Ks ibM4RJzHOMQRxxiHCL+qr9pzvffm3nffH79311vrJStff2fX7l3Vu/bep6q7ORGtPfTZnEP0e92G JZDgLR5Db6nPbfC+BBqeA78USF6D/wW4Fzr1gcsh8QC3A7YD3oT8Hvh24GRgiUAahtYDwHRgD/Ty GDp+kIQClwAXAkvRWgyMhyQcIw/HjIeLCDF0Be8B3kPEBr9qGfnie60JvFpdj0BxvesRq39g3dUB 1jYAA/Q7zHOQ70LTD/KjwAPAhXKFCc3K+GbvALQFdgL6YJ0wHlwFYgVFagEr6KsX8S0cCs1NAt92 KUPNLJsEzAMOBXoCNwHFqpXp8hSgqLqk9CH4j8CxwhrWuuTtS7RyXnqW8W/ztxfFt3PpI9WW40OB PMJXAI8gbmuCy7sBL4DjMEKpI96JiNM5xkOfgf+A+H8Avg/yu+BFwEVAUakIdn/EiPELD5Q9EPaJ I3p5Ak6MkUBci5FfY+kvJj4jb2+a/MTIxXc3l+AeiBoAfATcAUwGitUdEfp8VFg/sNeQDwemAwOB mfj+LQDu4d8CfczeHA8INN4QqPoKVIBGAhwJ+QqBpqkCDdBXIDFDx1TDjPst0L+P1t7AVQIp5Ow6 OCwYiyE5BMuXwNuBM2BFSALAx0A/BViKvjSgK1qfQvND8HJAabk/9NFKbSF5g1ZPSG5Bchd8Jbgd 9MsD04AK8BGuIh+YAMksYDys9QJi5MZYoLxqR+ARSHKBkUB3YDgwAohrNA7DSOTYWuPqtgDRapbj 34DWRPDd6NcFPBSIkdNfYM0HknECbTBH5TBf5hgg5DQP9qfBTmPIgyEfi3OXwc4ZYA4k8D/DXCiP ca4TWpfCQme0boQFyJk3eAF4X+BtoAVyREhZfxGHHHkcKuOA6YjMgeIekeFbtbyITxH57IBA4w2B qq9ABWjEvUHjSMhXCDRNFWiAvgIJj/C5iPC5iO25ImKlBcFNNaRlwY33pTXBld7QWSWQQp9hFU1h 31gMySH0ewm8HTgDVoQkAHwM9FOApRihBnRF61NofgheDigt94c+WqktJG/Q6gnJLUjugq8Et4N+ eWAaUAGieij5wARIZgHjYa0XECM3xgLlVTsCj0CSC4wEugPDgRFAXKNxGEYix9YaV7cFiFazHP8G tCaC70a/LuChQIycosoZfSAZJ2cTs3YJWIw5IgINcjZXCLQBlsOMm2OAOJfmwcI09NUYciL1wYOh MxZ9LUO/Z4A5kGC+GOZOwX1skxNal8JaZ7RuhAXImTc47nWzvsDbQAvkiKuy/mIvXNa7jMd5WVd8 q64s7cbxBnCEQOoi0ABUCNAX8t7A/QIJ9A2QGKFDp0Eu9UehtRGwDzAD8sfgsKAMBd7EuQngC8EV oBmSAvC24H7AcZDkAL8Efgo0AqXN1UDIDdngb9FaFZKnkDwHLwaHNcUEbAM0AEdDpwewFSSdgS1h 
gfETudiQzWzrRBnbug5lkUt9G8wb2GwR+qUQwzwFng+cKfCAmChdWwrg3rbCXBiPPjWCdJib+g/z nwm+vTb4B5FbB/kAhuINPiMoEH3VTP9h4C/CfPRQ7gBlGNOgEL+woBBTefNv6guflAl2XLoW9TCO /Rt9BKyBGUGNIIcGtQpqC8dOpnF/fY14YcBOKaaCYv1uYY4CPurVeSP/W2y9Vn4TFjCXYkHgALEQ lOCfEZQUNMJfjzkVrpcGa0DZNeGZ79agsb4FQWNLxyVogn/toKl6MabRQUsgz4by/Ffl19cYk+95 3QcZ7/8/vEOTSSX5HsSwBGJPKNEgiEAd6UiIMatAlNeOTFJ1gFgvk/mwxWQ6W8ZWSlZsHTsg2bJD 7JDkxfIUSfKGDjApVlEr1lK8Yqs4Sr0UJ6WK1F9xVpylVMVVqSN9rNRTGkuTIcqLl2YoPZQEaaFl f8v+0hKIy1ylpbwrz5PWQoywQbZ5tV/UOkJ2JpLHfDhqIXsDvwSOfpCDIcN+UhsJGfaAOoglPFYB 38R43hKyrTHD3rG6HRzDIMNeUgt7TS3sP7Wwj9TC/lI70HiE/aQW9pHa8aBrAxxhX6mFuN9jKxyz 4bgL9AyG7ATZFbIH5Bqwp9fDsTbkBpCHQR4NOQNyJuSZEFvpYKTrkVCIoyIhOusDUdQIkkGmQwy1 gmwku8ghcoLIuhdeai/ZC+7fy1JX7GXrpQLOSlfkZad7Bpys+9HLRncf6j3xsoSzjsDd1Z3zsvNy Au66Ll/3QncKuEJdLrS2hBaKbrvulm43tl2n+1H3CM4W65bozuhWAfdMl6U7p7sK3CNdpm6vbiZw D3RjoXUBcNNB9xodxNa6DGi5TrcDuBG6BN1sXRJwA3XR0HrZf9w2KT7nIEo/iP7VGHPbgo3YSUMh UrIiO8Q/kK32ADL0oFoxIRqIWzUw7xqYcw3YiwZsRANz7H4Vjs6Gc9Vg71/tjiFrwL50d+HoDRls RAO2owHb0YBdacBWNBHGI9iYBuxGA3ajATvRgL1owFa8IF7QFUF+BjyEsF4KZLAzmBHi1QUyxBFe EEdA7Ee8UkhNzyWeqzw3eG713OWZ65nnWeB5xrPQ84rnDc87QLd6PtANhBpPPIs9l+hUgkIu9tyg s9TZ6hwhH9UN1aXrxusmwexk6U7A7F3QXdXdEr/PCrMA4yAXyb8SWX4MM6LCGVFwRtQwI3akHM6I Jc5IeZwRW5yRCjAjrYkTzoiz0glmxBXmwo5U4w4wIx44Izqcker/xStJgJcEnOUaxAJGG5CogehO A1GdBqI7DUR2GojsPHXEwuOQR77HKY/zHpc8rntWEZ/Qyg/lh9DHR/IjIlF7sEZZaQNWR8HeOhIV 2hvj9tyeKH+5dkuIzDX/hqjbRp4oz4CrzpLnkHL4XNEKn2tZq/PVXxMb9Un1KWKnPqc+RxzU59Xf korq79TfkUrq79XfEyf1dfUPpLL6lvoWqYpPtJzxOVU1GK91ZDOOmp14pgI+M1yr1Xpr/bTB2nra 6dom2hbaMKAR2ki3Jdpobby2lzZZO1A71K3ArUCb7rZBO95tA6RibZY2UjtJmw01I9yWQNpgyFrD n7nGV/rihS6hyUzPdDgfCdxUkEwtm8TTDhm8DlHkbDkHxmKffJC4yoflG8RdSVPSSDOxQpBQXo3r SHN8Vive2bYzPmlzNLVXQXtYFeRl8g7C5F2gqwq2Ef91uwrR4niIT3CJhxXkHkTSDBNPxPAJLuiA awhra/Jq3DQxxF7TBdIpzXnIl0TyGAGplUdbj04eUR6xHgkeSR6pHmnYh9mgu5y8XF4OfVgrwyom r5fXg/6N8kZC5S3yFujhTugVg3vLI2q8K0vsIQdvNl7KwxUvQvzKMnqnv58l96MkvFo2pGWQ1yBn 
SOb8m8oibXxNvvENdUTa/jvyv5r+qI+v9+/3+vKm/iz7632BGbBEFBJEoYQolBGFCqJQjSgshyjk iEIrRKE1oPA2Kf+nrViSW8hTwZatYA9QhRAX8Dlmmbwh/5789+qa65LdruAx3GXCb9IqSKX8Bki/ rTHBZSqkCS5bXa688awh7XK5AXQ2pLLyXJcCE5/ncsfszAOUPPkDnea9KnApBnoG6T9Pf3zXhvs1 XLGwTE8mvHaP5nf3V+/rHyfhL0zrxyzwPXNgFbFUH1MfA9s8oT4BtnlWfRZs84L6Cqwl19TXiD2u Ew48nIeTSrwNb0OccM2o/Jf8byTktpCT0ANXIuI7SkvIJCg1MHrlSljvAGTxL0YLX9WTbMkzKDmY 6gkP/AVgDXZ5huvj1VzxauK7OmrEIEEMqhCDCmLQAjFYDjFoiRjkuBJa/5s1idEgOBoMR8PzLWsS 4yo+KxD/TeUMjqETysQ31sRnDsWvZJJimCfJ2UzmirMkScFmstqGeZLCzGQdcJYkqZdRJhP+j2xN WJnT786NgpoIapJQk4yaKGpSo45yv9taJf4vLPRsCvRPwp4peD2L321B5UlypvFeKPZT9btz9Ffq /nFP3tTiz925QFgWGY3zaUBOZZx1A+YkQF+pTIa932ycT/N6iwyzSbYbZf8+XP0xfs3P/vbu/9xZ cU9njDZvuKcqKHtALqDNm8kkS1JkNkYGWbDR5s1lYUabN5f1Mtp8qew/a/H/Ppv9Z3j6X7V4iWwl +bgXF7NDnCDWdoJYu+JuEu5w6H81iXtWn1afhru7qr4Kd3dTfRN/CuZP7grJRrLjVZxiD7u2SkNJ uP05SBcErdQBedPReOaCWem19KqmQ1NDNmtnOm+m77e6zCQOO8omgVH1N+rCv3uHdsWYwx2HQRoN aZi9nb2dKNmfRxqDVG84GnlIjhmlZdHCUPNVHVMabZ9fqvGVvtJ6qMdMg+MwuyK7IvthZRPe4Rn1 jb+wP5IlD4y+1xg9SVWQUWmRNFfygfJsc6mslmVJRMDpZaRJcoL0BMp9ykjPyAVyNJQ7mUtpPRos i31WkzLSbJpFa0C5hplUVhGaaebhqprdm528SF4M97ZUXgZed6W8EnC9Rl4DseoGeQPc+XZ5O7GA O99H1PIBuP9y8tfyCfCPp+TTxFo+K58l5eXz8nliKxfKhaSCfEW+AjqvycInargGfKI7dycVuSf3 xJn/I6/x3+2LiNwnIp3yFq89561ce8pbvPbUt3jt6W/x2jPe4rXnoHcKFH5IKv22mjPKaoDPksj9 MjItxg0XysiqSGIXmVdGZidZQWlzGZmlJL7dlF1GJpMXUJpgLoNYsMhsX+ds3NfdMdvXGWQ/kutm +zqD7Cru/xqUkRViTORdRnYK9xEOJpnw5MLjENyHSLgPkXEfQmEfcgl2w1dgN2JRBiEmi1VfKGO9 gk4zkxv4M6+sTOxxTLM+0Yyf8oo3r2NsO8NMp4G/WMZ6xH15Ey1QR/HNQLwzl1f14C5EvY3E8GxU Ipb436UtTeUyq7DNdULKh5BwnvS/mswihT+5z5BWSHfxeWoK3Ddsz4lkY2PKovx6Nshlsxz1WjnW xEs2CZCT8GiQqUm4pf4tpktv9ep/O/3bYqw/u/u8Kjmi3bcgMNtWfpCDCSmX/OZsZWnkI19lK0cS rm7x95MV+Set/1X6m3H938KUxToiWQwzZVF+PZeVx/y2jrrKq7rAl+ZSWbhy4X84XTXm/7H0X8eU +L7zM7NYQnw6py5OfnndPP2FVVfsMCREqVjH8kpCStc1uRuriNQVaDzSAUyPvIRyb6C9UB4p3siV tapwlHsBTWRxQJuougHdqgpDeXnRVtUOaJQqAs+KOn3xbFfVdDwr+DqqrshfFzzqj8CaXY31xdlc 
ugqoXrzlK+uVXOTvIx8tKD0jqCoE6QE8C72lVkJOrVRzBWUTkBKk4nlsLp0tqCoG+WCkL1AiNOxC bZGilVTE8gRvlAwGqhMSkF8QPF5dh610LB7pBKTie/nR4qwULfoA9ABSwxXP4LVCBMWauapHyA9G ij3Eq+eKtnIo6g8VbeVQnItQbHsFa2Yi72Okc1EudGaihiUsG+hQQeXRqlFANUjT2FWgT9hioBvY SxiZZPEfcOQMMc70jOIjqBhn4DOFXEjgrBh5Nd71LqQZ2LcMA499y8ARyJBX4MjE4GhgP4VEyqTJ 2OcDyJ9BfgPyVqL/WMcHtX1UEoBU2FhKSV2gA0vaA00oEfMeUbIS6N2SL8SMC0uWp78sFLyg5Fmx eC77DC08D/m8YrH/mymobCfk0johl+2KtyK9JebUKBG9SnkJVirZiLNSCta3KU5G2khIUO6DbSPx 6pHYNlJcXco19kEjeGwbjVd/hlffhfozUU8uXsUH62QaamKfnxWvEXK8IzsDFfWBF9gpxCvaYR0n QWUd6okuxjEUlDxDSabolZQpeNAJGsgNHI1VqE2NeuJZZRwZUbMIZ6SVccRED6/gTBXhDBahdRWh XdkY7tdg4XjXPqghH2u2wvEpEnZIJuD9Ohn0I4IiBXYkJzybJ+yWXBA64YprsLeFKJ+L8mzxDEfI yWa05AJ2GDSMYluAVhd2C3daiHeKFihslYg/qWQu0g24hw9E/gDyhhgLI5mSXjJoKLFF/rygEMEJ fjzSVEOrksdAFVGzGJ88SUtQgyGOeoZ1wgSFHpDSuAnGTniDSJT8inQPtk1Bfi3Sb1EyFHlDNGiI 65Yj3Yj0a6SnsGYm0isomYkU40rJCfkfkW4SVDY838ox8hCd0OY4wocQ3cElnaDVdkFB3hblDoJX 5Qle0aJkt/AJog45pIKoTHZ+eQj5MNFW8KABYlv5eyUSaRNBxcxSR+EhqUa8bwY0UugR9elsQeV4 pQ3STWh7ecgvEWOFHqa1MlRILCqhhxeeJ1SxEWctIlF+AinySj76w8HIZ6I2tC7UEGqUXMCzqPOl WGXii3sDzXop/OrAl9vEKvPyCJ4V/Huq9rgGFeMatBbXJoHxKQzWT3l4yTygfqpfUXNDbDsN9fcQ Z5WlQoMitA1EukUZKdY+lMcjHyFGWI5gWlzdTqL+QqR5eMVfke4RZ8W3JOSBTPS8q/I+0qZA7ZXv hAalImIWfQKiNRvxqEeEjiyuALQJ0nxcreyF7yLfoAfLFesUUBH73UefMAH17BJ+GFY6QdWCkjxE VrRANHmGuI4WIwy8WKfshUXBVYX9K2jzLQ2YMkbNvgLvaJ/RSHOxjgZtUoc0FOX4fNXw1AT8kagz CWmaoNADQa8j3YWaWwrNhJQ44lV2I4XdQkl08W1BUc9RpPuQ3iWwD4E2gl+PGhojXWXwE0S8UzhW SiLm7xS2xHcKO5neKXTF9wLFf0ZSYFdWnlSAMyqUiT2aBSkHeypbYkc4YaY3DWV8llD2XUNXs7cM JYgQDEcbYh8X1zeZpCJNQzoivk9iTzK+R2JSNzIJ6fTEpMRUkoU0O3FAvz5kGdI1ULEb2Yh0e59+ cX3IbqQHkB7t2z0+kZxAei5F6LyA9Creu2yiMr6zSHB3KCgzoxZmVGVGuRmlxrEkuMMUVDGjaiO1 gRHQET9S+41vPRraJRuPAw3v8ZEJhl2rFAW0HBwHGo+ZhqNyynC09IH6cLQ+ZGhnc8f49uM6g7yC 8W3ECsb3BCsMFTEdkaxao/5U8Z1BorKwsrC2sLEoj58tPRXeXaomafDNwVzQ4kS0xAd634S0Ih2g xwIlKmonvqmJ3LsmrqWJe8/EtTJx7yOnwBUdSBWigTHxQS2/oIYH2PohtizCVr9ii0fil2/Aypxg 
FD0oRBLyE1oJW1XBVo5Yv7KoL6ICYkUroh4HbCs+NfwFrkqoBbUgFvhNTDVGnVQZoQyX0WKp4cd/ LKkl7qGtcBygBr2tONBpoobiqDgCDKooEFGK75+LGlInsoK6Ug31oN7Uh/rRQFqbptPRdCwdTzPo JJpJp9OZNIvOp4voMrqKrqHr6Aa6kW6lO+humksP0aO0gJ6i52ghvUSv0hv0R3qH3qX36QNVO1VH 5sv8WQALYrVYHVaXNWTvsObsPdaOhbOO7AP2IevGurNE1pf1Y/3ZAPYxG8SGsE/Yp2w4G8lGsTFs HPuMfc4msslsGpvFvmAL2GK2nK1nm9g2tpPtYfvYfnaQ5bHj7CQ7y75lF9n37Ad2m/3MfmG/sqfs pSIpTCmnWCsVlIpKNcVNcVc8FS+lulJT8VX8lQClllJHqa80VBorXZRoJVZJ4E68CnfmUTyGx/ME 3ocn81Q+mA/lI/hoPpZn8El8Kp/Js/h8vogv46v4Or6Rb+U7+G6eyw9w8YnnCupCXWA2qtFqMBvu 1J3I1It6wWzUpDXBinypL2E0gAYQhdaitWBOR9KRRE1H0VGkHB1DxxBLOo6OI5x+Rj8Da5hIJxJr OplOJjZ0GsxmeTqDziC2dA6dQyrQeXQesaML6UJiT5fSpcSBrqQrSUW6mq4mjnQtXUsq0fV0PXGi X9IvSWW6hW4hVehX9CtSlebQHOJM99F9xIUepBDV0iP0CKlGj9PjRENP0pPEjZ6lZ4mWfku/Je70 Ir0IFvw9/Z540h/oD0RHb9PbxIv+RH8i3vRn+jOpTu/Re6QG/YX+Qmqq2qraEh9VB1UH4st8mA/x Y5CIv/hfH0TPAlkgCWDBLJgEstqsNgliISyEBLMGrAGpxZqwJqQ2C2WhpA5ryVqSEBbGwkhd1hZ2 PvVYB9aB1GeRLJI0YFEsijRkMSyGNGLxsEo2ZgksgTRhfVgf8g5LghWzKUtmyaQZS2EpJJSlslTS nA1kA0kLNhjWxHdZGksjLdlQWLXfY8PYMNKKjWAjyPssnaWTMDaajSbhbCwbS1qz8Ww8acMyWAZp yybAStqOTWKTSASbyqaS9mwmm0k6sCyWRTqy+Ww+6cQWsUWkM1vGlpFIto6tIx+wjWwj6cK2sq2k K9vBdpAothv2bB+yvWwviWa5LJd8xA6wAyQG7DqPdGP5LJ/EshPsBIljZ9gZEs/Os/OkO7sAe6Qe 7Aq7Qnqy6+w6SWC32C2SyO6wO6QXuw8RX29WxIpIH/aEPSF92Qv2giQpwrH3U1SKiiQrakVN+itW ihVJUWwVWzJAcVAciHgvxZV8rGgUDRmoaGFXOUjxUDzIYEWn6MgQxVvxJmlKDaUG+UTxgb3fUMVP 8SOfKnpFT4YpwUowGa7UVmqTEUo9pR4ZqTRQGpB0pZHSiIxSPlA+IKOVD5UPyRilm9KNjFV6Kj3J OF6JVyLjeWVemXzGXbgLyeBdeVfyOf+If0Qm8DgeRybynrwnmcR7895kMu/H+5FMPoAPIFP4ID6I TOWf8E/IND6cDyfT+Sg+iszgY/gYMpN/xj8js/hEPpHM5lP4FDKHz+AzSBafw+eQL/g8Po/M5Qv5 QjKPL+VLyXy+kq8kC/havpZk8y/5l2Qh38K3kEX8K/4VWcxzeA5ZwvfxfWQp38/3k2X8ID8I+34Z 4oDeVEt1tAbV02BaRCfQqXQ2nUuz6RK6gm6m2+kuupceoHk0n56gZ+h5eoFeodfpLfCXd2iRqr2q M6vPGrNm7F32PmvP2rDOrCv7iMWxnqw3m8JmsDlsHlvIVrIv2Rb2FcsBHTp2mB1jX7PT7Bv2HbvM rrGb7Cd2jz1kj9lzVkJvKZxqFXulshKoRCkxSjx35dE8lvfgvXgST+EDeRofxsfzCTyTT+ez+Vye 
zZfwFXwN38A38+18F9/LxXewe6MnI+jJJPRkMvowij5MhT6Moa9S0EtZoH9So38qh/7JEv0TR/9k hX7IGv2QDfqh8uiHbNEPVUA/ZId+yB79kAP6oYrohxzRD1VCP+SEfqgy+qEq6Ieqoh9yRt/jgr7H FX1PNfQrGvQrbuhXtOhX3NGveKBf8US/okO/4oV+xRv9SnX0KzXQr9REv+KDiPdFxPsh4v0R8XpE fABiPRCxHoRYD0as10Ks10aU10GUhyDK6yLK6yHK6yPKGyDKGyLKGyHKGyPKmyDK30GUN0WUN0OU hyLKmyPKWyDK30WUt0R8v4f4boX4fh/3AGGI1HDEYmvEYhvEYltEXjtEXgQirz0irwMiryMirxMi rzMiLxKR9wEirwuirSuiLQrR9iGiLRrR9hGiLQbR1g3RFotoi0O0xSPauiPaeiDaeiLaEhBtiYiw XmCFd8gA6kY9aXXqT4PoQ/o5nUJn0S/oArqYLqeb6Da6k+6h++lheox+TU/Tb+h39DK9Rm8Kq1BF 0IeqCFUn+jmrxxqxpqwFa8UiWGvWiXVh0SyW9WC9WCabzmazuSwbvPYKtoFtZtvZLmhzmnqyQ+wo K2Cn2DlWyC6xq+wG+5HdZQ/YI/aMFdObrJ5iSd0UO8VJCWRNgeuqfKTEsVO8Kv+Qd+PdeSLvy/vz j/kQ/ikfxz/nk/k0Pot/wRfwxXw5X83X8018G9/J9/DDcK8D/p8hTqz5Log7V8RdNcSdBld1N0Sf FtHnjujzQPR5Ivp0iD4vRJ83oq86oq8Goq8mos8H0eeL6PND9Pkj+vSIvgBEXyCiLwjX22DEYC3E YG3EYB3EYAhisC6ut/UQifURiQ0QiQ0RiY0QiY0RiU0Qie8gEpsiEpshEkMRic0RiS0Qie8iElsi Et9DJLZCJL6PSAzD9TYc8dga8dgG8dgW8dgO8RiBa2Z7XDM7IDY7IjY7ITY74zoZiQj9ABHaBRHa FREahQj9EBEajQj9CBEagwjthgiNRYTGIULjEaHdEaE9EKE9EaEJiNBERGgvRGhvRGgfRGhfRGgS IrQfIjQZEdofEZqC3662gggnhiwia8hWspccJWfIJXKLPCAvIGIxxj+kBtFDJNaAQqwDscZjoKPp U6Dj6XOgk5SRQF2VRCIzX6U3UH+lL9CAN2h4hBqeoIZnqOEFakhHDb1QQx/UkIQaIIJT+okayCWb uP4mLsXEDTBxqSbuYxM3sJSzCjNx4chB/AZe5woh4B3uwVUfsIdEBV4CokbwFM+JGhC+VzyfkOaS yiSENCVhEE3HgIdLhVh6vGnsCsl18QqW5CC5St5SoNRAaiG1xW/Gqbg3xIVzkKtu4mqUcvJx4GYj V2DivjZxJ0zcSeQoRvcO8ilRkvcRmbeWrwE/E+ucNtU+Y+LOlml3DtvlAp0o7wc6A+t8Y1bHUT4g 9MkHIY6dDcfzJk3fmrhCE/edibtg4i6auEsm7rKJu4KcBbEF69AYn1I0kI/A1ebB9Y7gVefJh/G9 tqNQmg/loyidL8PuBuj3Jl1XkRPvPhq+75stL4OaK+Q1xFJeJ68j5eUN8pfEVt4kbyZ28lZ5B3Ew /gKvg/hVH3xXjuAnyOLdu4VwYrW8GnRuhvpUzpFz8HvDsjwdP40U71WJON0CdDB8nuVu/EU1F/wt NVfQsYdUw08XG+Oni0J/K3xLSkeC8VmBLQ+E9QAsjv5YyimOaBFBUHoIMfxFrGdDh8PqAecMR/oj PjUQkSXBGFGClpfxeYkdMXyCqZJvQk/FE3xJzsbrMhjj0uco+JxCPob3km+a9+viWynI/WDibpRy Spqo/YdjU/ocyvirYVXFE0UHlJKqY/XpVdOVcjXGthz72FqykLPTqw4AUT9ZkgK4vpzCatpQuQoj 
+m6KZU1FUknpdWRJld1e307vYyZxXuQ6wpk0wNSGxOKPovbBHzPtThqJpHczU6ZyCBu2Ynjln3pq +2+52nH5xVVH8+u83ys73fFdfbrKTp8uP8umsiTL5ck+8nmDBuMrnGz0KO7O5SZ6a1NPxa8U65MD auqrK7Sjittrm/VLHpIifnJS4x1XXRNQt24djelHHvEHJf0CXPXOhsoVy54x/tRkgJu+mjhP7Z1e nY/o1y9V887HqQn9UhJTh+hdK1nXraMPCNDr6+jhr0sl60B9QGBQgLH4FnqULmnNh0VihKZL5QnI LeV0SSIr5Zx9yTfqP2hd1XvBrMHR+h8XrZzo+dGT4hlhi7cVz1ukaTS03aIvFk2OCex9smn8kLtr Bh7pUPjgp7ljnScvGN1j08HeabHu51waXCovTb0188Ae3x5ZWQm6OSfq+eyx2hKp29fipmWjkJk+ K73rrrjz3qim10aX35nVp2O3NelDF8b4Dgq7PWdzfP2sts4Bag+HBStvTqnpdKPh7DiHmEjWfYFL nYhxj5ffmy4fqnp6T8fmmz4bsafenQ7TW697uTytb2rr9U75M8t5u5HOmTGJdXa+b2fRoFNJ1+dL eliql50a2anzva31ox1HDlIVPtq9bsSM4g3Hh59bXiUlqsHRXffVi7X6TcqYI5s0g+zHXJYpGP7i kSv0I5fqRy6C0XSRVCOz9CNnjbDteiL5XmLKfPd2wxw2hk8qObYw5b8/f+n/wsapmMMZt/jeiQ9n OdX6ebvkcX5QhYdRMYEL5vNjjdiU8ZOP1Lvh9uB+52k+W7LfzYu99+Kb/Pr1u6ys3SGx2KNv4yP5 qy6xoRcDJjZcYJvca2exXRunxL0vTjS7VqGLps2PsZ+sX1U5r2YdT9/d3RfaZXiWj1v8uIPzU7cj 5yo+jFiT1CzQ4mV6pSc/9Oxj3e5Rzi8Rh3NuHtC/0ASUG+8yo3qV8LMu8tJfRlyhm7sWfXkxr/Pd 7u8djuiwdTP1tivJPHdfPXnY9lkHV9fxuZ52fcWgawOzyYlejfedqp1x5R27FbV6Ve31Xa3vzzir rq9orsrrEhSSFO5sHbvNctGE02c7NG5x3LnjsuTv7OqNm/bxguWnssErxOjTaZjBK1j6ra5woW1J 1Lxje0t9isvbcgaA+5BA+AMPEAjOICAQirVKncEQ9KCgRLGXO7YPsNdXEAW1vWXnbgMSEpN6psJl bPU2QmhhbxHRPb5vv6T40o5Z/l7H3PVuho5VMT8f313TPrFnkviJ17bN3vmXXmHbkE/Pfbiped0V wWsCCp961npv0N7n1eYfbt7/3skWt85M2N87LCK2aI68P/z8e338PRp131Pgvo233Db844vNc1ZN tml70LPmg+yb1u7VTr7j8Sx2zteVmy+d1qranOOb/LX7W/kO7fdtRdf6E+ra1r2YU72oR31fKbCk 2Kvlsi19pHFzn+/YGDc8/WlU9sjRYyZteLB9+uKvQ5a1HVPJa1zri/pHpGHRoacNR+4e+3Ofusv9 gh9t9ltv+WnslME95s4eYD12/YMDDzVftbGbGHfM59vA5pXv7mw1s37b9k4FPdoNWbV2XF6nRgvS 245PYl/W2veJR05Ej4ZzWufXHBaUNPpd5eT8E63GykljyZK94y63N3qFZ/qRj/X2wil4qqz0looa FjTGLCj9/+Eqyos+2ktSiYrpKRz0LkJgo3JUOeS7FAwkyV3X/1J4oHVWu1C/xaFx9/VcnC6vUgGM xppBB33MJ6vXDWule1Cwq3Xqokiv1Bofbxr7cnXY9MEk/PbRn5wuJB60WTT0odzs0NFx+U/a5+cu yOnU735c6MpQcndmXtZZ5+18QWXr6d8Uuq6t/um9n5cNWDP5Ut1JDWf32hXS99T49e4vL98+l1hu 
yvic4u/JzuCHj4c+tbXzYz9VnzmtaW/v/ttCJl+xsD7yYcLxnBHv9O6xYue2nZOCjz6gtkPTfj11 penlT4q//35N8aPLZ603JZ+beq3N1pBFQ33PNPwumMfWkReM7OX+2aOouMkbuuys+03MhI6jqwT9 Wn92drrVoo8+3+SzbeHSY6sLNVv36CuP0ThY19gVUfTOlWj9taneieP2JV99uHx1wYimKQNtwMek gY+JNfqYborXSNwhqc1xxMDPvEVUC4cTAp4mMDAgMLhWLeFw9LD9gGKQKOpHjvqP9M0aDQdMVxXe pm1EaXX6O9X/pe/JSdn82U3nBWMOp26PiaK1G859OSctq3oL7Ybl49r/fLdFvcNdGe+8YttRln86 bNC7yWM2/XDscs+bi1+mek3rueCbDBqqP/T4yI4j9VzUnULbVFJbP91cOWGVh/Nz1nnM7YOtLdzq LP+pwMd/a9Pjbmz5uRunvTsfrppWUL22xfH5HfN3/qL9aYX7Euvquc9P7O/SKK7hYZ/3+CdDxtwf f69/TrMu1xZvsn7Y8bnnlaua0zezoqcvDfL1Ht65asdeVoGh93r06Xc/ZO49eW3WwouzLWxtGjgl Xh3SuoXDla8mnPi479w1ZK5v01/bbe9SNLj5qNt+Q2vu/PB45W7ea6c3szzYq2nJlsB1S6prLzne Om30PU/0I399s+95hWL3kwNqhOU8/8HtWX/XORVPVnp6YFkGTp9LeYF6ALLFCPQbLu4qJ73jiDfD PlRUqKZqqK+vr5tdJ7vW2KCE1NTkev7+cSl9/PqWzqFfXL++/sm9E4XU3/iz5QP8m7UHw/MDkb5l aQ9hX9JAX08fUlrWy2N9jAoHDRr0JoXdU8w0pb4GKPQ+zap/HZfT59qAvvvnfNPXanz9Qy0HpHkW +Fyt88m84AU57gW7L5+PGlKht307jRT3Vcpj9bVDn7ar4eh95uTNL2p87WR9yr7/lOp3OuU8PXfQ 2n99d9++4c2rd0oZ3abxqV4u78SuHBI16f7hQRnHZG+/eYfn1vzhqxrlLt6ZdfWHtInRtuPbL7wY 02bQ7P4xK7rWnXJ6tV01dnt/85Wnc9t9tX77hRfKaFKUuvi7knyXbHdmcd2rVu6szMqr0mO8bj0f XdP1pOrYpK/Trb9ZEd6sycenLl0cdC8jqnf5cfGTN+/YtmN1zw5uzVe1SrjZIfpzh6ieg+9kRlHb Kep5HppZty6TCskrn25MSd627mruAkcZvM888D5jDN7H9v+WxT3T/wCD6mrB267yEVXpi9DLoIFp 65gZWBqaGRgamJiYg4oeSyB3ANo6IZm5qcUlibkFxLZ17pjn/V5/wsmrUOLEOQ+74AO/Vovs0jHa LeQfdKL5rZ3xTU/DSRrbJqY8kA9o2XXI+2I964/3pfu6j6+4ui6zIK1CPe3Ftu3vW3eefbfqr9AS 7kglTf3zDjfDWKTLtuam5HqF3L778d7++c3HG+7X+zCZT/l6YB5HmFyG+9mbB8pi9Gu3qbJsCYvO kkn+31Bj8+4qi6qvZXkJe+yhmBtt5jqlJ/leyVly1pT9m5uTV/XgjV3/9HmFfPFa/hJJCUbzLjX7 aSvFZLh239NvEQjY9HOrVG/OO9XZwj9OC1xv5fvSVFZsdmxq1aIzCWxvWDe0GW//MSW6xbElonVK 3gZ5HY8z+XOcH2S9qFfry4aUN02MGsAQUcFW4nAMjdaOABsndLxBlBHUhGFAKijzX/jZT99pstq7 rX/PnFdrrB2dj10wkIRrEGFi4ZHjYghmKGVIYnBmcERtCWE0o7AUUFN8BQ0P1QTsFuxbmMjOyNdT 4Nr7vjhkrz0nq+7/HYHBrTJvLSduXxzGfa9nm7X0xd9rlp/cvjFQUTqfI7Mum3mRktvbnC25NUo7 
3C63fO7l38feZXbwdd3LgljX+ZMunTl3t+/Aw/1aZ2venFxndLV95+nkI2YXJRT3l92znrVZunie YseNLVuEQnq+zDmU6jVLQ21OQhe/9XHh1AqP3efXNlv5b0iKuGfw8qWl7OPOT7csG38KK/akNCSz sUz7NIvJWb/arWPXf6abqT+97t1iLpm8mTWP58zcOxqJNR4fxecIKlowybSvYTs6zWjHU4djwbZ7 V3bee5Fm3vtFadqcMxvKQwKtrhW5bFL+BiygVgELqEnw5tEUXXDziHPgmkcYBQG4eWRgbmQKLJqM DMFllDGEawjiGjRupkfzSN1AFcKVy3POLADdiOES7KrgGuxnZe5oYaRrZmHhqGvpZmlkqGqgDPGT DKqfdINBnlIITi0C3aBBsHib2sil4CQRWHVz6tvZf++0X/zN1y/8apW5hlDZP9+A1WXTtSa7P1gZ lsn0dEqdb+vt+sL3pQy3dzvn/M5fU/hB+2LNpHNTxOcuPLrr5/e6u4kPdQ3k5qjpltk/c5vWt+5G p/mNM+8/n48+/CfjwaeU/tkvDgv9XLyv5c+17nOstnsZywLUmX+0bBdr603YF6upY3N+6d8ZUaay /mIHLG7IJdrbmm0OExEtn2ot8Ithw+RHsear1Xcn63iINIY+znm1Untqbwdf3WKGpeUq7DO0Cph3 aKlMmHXv6CIl7/0+kWzlIUXOG+xS7k5u4YjY9u9luyen2ebNP4xX1vksqqw3itTkm7f16wObefZv 3KyRm1OIAkFjasd+JuvXt6bsqnXj/3X6S93c/xdRWkpYSwxKWkolxQXJiVRpKcFMKsFeWKO0/9gO YCutGN6t+fPoUkfaKc3HUTvPMjTVicccVYkU2r3ie/b19n+9p7eWyUsrffv+8NSWnY6MUuZrPcyn Ffw6Y7xco2cH97YSYY3tm0sfanE+6va/P8N++nYTocZXAndl7+xKOe8XYO3T9Vfyruq6q9PaX3kf efrhp6N4LOPr8I7asqqn+f/aFdZMntMza3+81AJRA5UHi+oSJ8pqah72nGDl3Nz57t7V5rv+OqbW zx0dGVcx8HB/uuYpfc6pt3rDZ93eWM2H+3rrJ4qWbUn4LaK+Kl8o2UkjwqrLutvhyfajZyaFy7iF ZfefnuQbxspw6oeBg6vffcmOvV8FPtyVuq8htyXwU/kDtce7ORuF7shZXXA1bGJZCyyxVjIxMho0 tg9glw2lI4kYAF/QeMNABF47aTAasjOzgqc8QHUWNDI5mQ15kMfcga5B8LgN+QyQZUWBZQlcI4sh MANkFIZ88r8XO4tNRsROYoJGx1yhtVMMkpC08BiGGAQt0GhQw3nLG8q9aQvVGlRwpt2SyoL89KLE goxKBbSyiqWJkcHuE/uJentmo02PA1W/H34V8uvU5OAJIT8td8xl5Pq13yJyvqRmffnnSTfs5ntV 8e18pnnsZWCpettbV+WSrkpOZaWGS027j04R6p+1R8U9Y91xgR/p3yZvMju0o66h9On6QC4xlmeX 3XbM+1/l1ufyYsWBkF9i4VOzd6uW9flO1ZvCMEct7pp6rqex+9IpxVxeN57P+FfqzyNd9V3jZmvq NedvhrUxUZe/fmdRUuH651Cw7IjRq1NsHu0r3givtin4Ubv4em5CofxvVftDucsDRbpz7ddrVatt 2xI41cr1vabH92mPDgUynPw7v6mlwH9z72f1CPcDPTslvjjaOy76e81XLMProct/3ui1nxc2Mckb NDFJI2KIzbCJiQcoxEH3BIpeaaJU5ezQBLog1kACOR1yIyaIGIF2wmVYDfmBVa4laAYEiM1MTKMw kmHEzOD0HYXTe0Pv5KjvKDdf7uP55ghaiQVKImkL2VurZh/f+KXfUN+3pHPe6xT/XZtmy2ZN+pN/ 
6lzmuYv3byX+8whP/62YdOC+kpQQS3xgt1eJpdgxliNhKhZ+9mmWwlMctx64pNM+7Y7q1MseebPm /8xfuuGYR5f2HJWfTEaHeb9LukW99vk6IXX95mjhyRqpvY9r37A77Wo3Kzl8exvDe8vO4s9PVMp/ b9Moc33ay3TzgzFv5ZmCCrHz/7YEvX3MGStVprprZaUk33Xf7UaSlVOZYn3v//WvzmvK7+Gcyy4r X/NY4OBNobL8Rvkog95AvyOnO6pF9/9fyzhx3x+u6KeVjs48zG7nThe/f+YZcbw2aapqhqTywUz3 +gy3r5m5hR9XH1nGwAAAmuV76A0KZW5kc3RyZWFtDQplbmRvYmoNCjE4MiAwIG9iag0KPDwvRmls dGVyL0ZsYXRlRGVjb2RlL0xlbmd0aCAyNzM+Pg0Kc3RyZWFtDQp4nF2Ry2rDMBBF9/oKLdNF8CON HYMxpE4DXvRB3X6ALY1dQS0LWV747zsahRQ6IMHhzhV3RlHdXBqtHI/e7SxacHxQWlpY5tUK4D2M SrMk5lIJdyO6xdQZFqG53RYHU6OHmZUljz5QXJzd+O4s5x4eWPRmJVilR777qlvkdjXmBybQjses qriEAR966cxrNwGPyLZvJOrKbXv0/HV8bgZ4SpyEMGKWsJhOgO30CKyMsSpeXrEqBlr+04vg6gfx 3VnqPmB3HKdxhZSkJ6IsIzpeAhVEeRboOdBNuxIVZ6L8kahOAuWBgi8/eTocn5BSdFC6Ww6f06/z vgSxWovz085pcD+y0nD/FjMb7/LnF29IhUgNCmVuZHN0cmVhbQ0KZW5kb2JqDQoxODMgMCBvYmoN Cjw8L0ZpbHRlci9GbGF0ZURlY29kZS9MZW5ndGggMTE4Njk2L0xlbmd0aDEgMjI4NDQ0Pj4NCnN0 cmVhbQ0KeJzsnAlYnNX18M+7zL7PMDPAwCwMDMuw7xAIb1jDFiAwyUA2CNk3EshiYmJSq0aJe6z7 rnUpLpOJC1Gr1qLWqnWpVf+2Lq3WLkqr/mursYHvvO8ZCODS1H7f1/Z5uHDmd++5y3vvuecu75An wACAFT94aK1ur68rXn9/MXA9vweI3V5TWd1xd9iaCnD9TwBUH9dUNlVVGf+yF+DqrVghWFddU2uK i78JuGUfAnDH61pb2j8f+uPNAHc8Auz67rr2QOXGjTcFgDPHATS+2NKelfv52689BsC8jk/t7t3c s7XXtOY3ACnVWH97787t7ofO+NnTADUvAsii1mxdu/mmP1beBeAfxudb1vYMbIU48OLzu7G+ce2m 3Wv2vHwv9qfhPQDXJ+tW96z6oLL4ELa/FPML16FCd6ce22Yuw3Tius3bT9t8l7IBgC0G8Kk3ru7f 8tSyx64COO8+fH7ipr7enrMb9x8F2ID9c76xuee0rTEvmAaxPj4f3Ft6Nq/+6Ym6zQDnY75u3da+ ge3jRjgH+yOI+Vv7V29d8ePxdwDynwMwsSDaVja8sPtsh2KFoexTiFGCGB7+YO9zIp99Y/jc4/kn nlVHKeOABRUKBawnhzFgRtQ3Hs8/rsF8YK6GKYG7Sixj2ASLQSYpWDBCFqBVVKMmaoXj/czFmKuU XSXLwyadRO5FOIcFJbAGGcuyvJrl3wF2XIC7xum5AM3tbrcYc8dQHxTXsz5U3CA1+kOZSRwptq4/ 2RvmBfhWge+CDj4TBr5d7f+sIH8NFn5dnqwM+v+ZtviEk23xwa9vdzbMhn934OOh7VvUKec6oOnb tM+9DM2nUo/dNl7+z/br/2fAcVWeYrmKiTjz6sn4vxK+qZ2pz/tSngMWfNtnso9Ob5eLx/PuVOrd A9u+7TP/XwbuEtgrG4aLvqTfNf4idxlY/x19mg2zYTbMhtnwnxPYa+Dhf7UNZhz2/9/oy39L4Arg 
b//uPsyG2TAbZsNsmA2zYTbMhtkwG2bDbJgNs2E2zIbZMBtmw2yYDbMBuIjE0b8hg5cxxUh/9efh AUw7wYga8d+M6SABqqAZWmEhrIdN0AfbYTfc6I4ZH5dq6sANlZjfgvk9mL8F+mFnJJ8Z/xRg/IVx 8a8DSgCGo4eP975bGXlu7OSnKCmQBpkTPeQauCugERYzLGNgjEws42RSmFami1nG7GT2MeczFzNX M48zP2KeYp4GOfOhVOvjSLsnAwNs5N/psfDNgZny3H8tmMD8FdpqFBwPfnZ9Yze+NF5J24eC45bi 0tiRE6P/Tw/cVyqXfMvW/is9VKhdsXzZ0iVdncFAR/vCttaWBc1NjQ318+tqa6qrKucJFXPLy+aU lhQXFRZkZWakp/iSEr0Jrugok9Gg06hVSoVcxnMsA+k13tpud8jXHeJ93vnzM8S0twcVPVMU3SE3 qmqnlwm5u6Vi7uklBSy5ZkZJgUoKkyUZo7sMyjLS3TVed+j5aq97mOlqC2L8gmpvpzs0KsWbpTjv kxI6THg8WMNdE72u2h1iut01odqd6wZruquxvSMadZW3arU6Ix2OqDUY1WAslOLdeoRJmctIETal pvQIC0qd+NgQl1TTsyrU2hasqXZ4PJ2SDqqktkLyqpBCasu9XuwzHHIfSX988PxhI6zs9mtXeVf1 LA2GuB6sNMjVDA4eDJn8oVRvdSh1z3vROOTVoXRvdU3I78XGGhdOPoAJyZKMXvfgp4Cd945+OF3T E9HIk4yfghgVhzhpJsyfiAP2DXuI4/N4xL4cGhZgJSZCB9qClHbDSkcYhCx/Z4jtFnMen8ixBsSc AxM5k9W7vR5xqmq6I78710WHDqx0Z6Sj9aXfJPzFfHeI83Wv7F0nsmf1oLe6muzWEQwJ1RgReiJj rTmSnYXle7pxEOtFM7QFQ1neraEobyUVQIVbnIP17UGpSqRaKKoqBN29kVqhrJpqsV/umsHuauqg 2Ja3LXgM8sbfOZLvdhzNg3zoFPsRslXhpPhqBoOr1oRc3Y5V6J9r3EGHJyR0ovk6vcHVneIseY2h 1HfwcR7piVItHNuM0hOFxZErkpTuIOvgOsXZQoW7Fj+8lWWYYcTpkpLijFaWuYOMAyaK4VMiJcTY tHYwwSVVzRezOLFq1XyHp9ND4Ru65Ij0SZYUUk5py4iKyT7Rc762a1Ra7FCqu2Z19ZQOTmtUFulg pLWv7icr2iLyYKyhFKdz/kQWl4QrF3UsNiOpxFmMdoeg1R30rvZ2etGHhNagODbR1tL8NrZ7G9u6 gtJsR7ykY1qK8ospFQIPZk8k2Cr0wVq/Y2JapXSdlJ5Mzp+RXT+R7R5UehvbB8XGvZEGwY0rCAct 99X3HCo25+PSrMXdzVvb43Ub3bWDPcPjB1YOHhGEwa013etKxTa89asGve3BMofU14XBfY494qPM 0Mg0dlRmpOPeU3nEy5zbdkRgzm3vCh4zArjP7QiGWYat6q7sPJKIecFjbgBB0rKiVlSKCbeYEFta iAmlVN5xTAA4IOXykkJK9w4zIOmUEzoGeodZ0hkndCzqeNIJkk4MOEnR69DEuN3WuFeJ07O3c91g d6e4uMCGU4m/TIjxzoUQ6517hGHl2pDau7oypPFWivoKUV9BermoV6BjMDYGjSPuSYPdXtyn0KGC 4GDIFTmxSffw+HhH0PO8Y7TTg662FKUrGFL5ce+XJTVguTpRulFdFzrQ2yP2AwJBsa4iqb63E912 okEsUh9SYQuqSAtYolaqI7ojVurFucEJlOofwEToQGeo0y8+NLi+U3JnYwjme0tx2qlNmU98UFbn oNmbK61NXArqpIMiVNg3aA+SxoFJfFgnGUmhxZ73ejGrt9uN1uahtx1dnfZStYM0q3FL5H2rJVE7 
IpkgDotL0ujUIVUmNoi/YlyTKS5JWZKis5M6L6UORgrgs40hDfbIN8WUkQpoHcyqF/uCvwexq2LR H4nNtA3DQu9puLOInZZaUmB2SJdU34ObP9XXoMZbPFFZKe4RmkgbI6RViCPXot25pI7h8du9uz1T Qka6VzwcRMcExzF0bOgcnKkILfFnpCtnanWSenBQqfvqCmQvpW6SqIQjKm6Y3RN2znUNs7sJp4Wd GsQuws6wsxSxg7CdigyEnXMQ/WFnGWIbYSuhL+wsR2whbKYKmwgbw/HzEBsI68PxlYh14fgqxFrC GsJqwipCL1VYSRV6CN2Ut4KwPBxXg1hGWEpYQugidBKChMWERYQAoYOwkNBGaCW0EBaE46oRzZRq IjQSGgj1hPmEOkItoYZQHXbUI6rCjgZEJWEeQQg7GhEVhLlhRxOinFBGmEMoJbQTSqjNYkIRNVZI KCDkU5t5hFyql0PIJmQRMgkZ1Fg6VfdTvTTKSyWkEJKppI+QRBUSCV6ql0AlPQQ3wUVwEuLDsQsQ cQRHOLYFEUuIIURTnp1gI6WVEEWwUJ6ZYCKlkVIGgp6UOoKWoCGoCapwTCtCGY5pQygIcoKMwFMR jlIsgSGABGacMEY4IVVg/k6pLwjHCZ8TPiP8jfDXcHQ74lPCX8LRHYj/JXxC+JjwERX5M+FPpBwl fEj4gPBHKvIHwu8Jv6O89wm/JbxHeJeK/Ibwa1K+Q3ib8BbhzbB9EeJXhF+G7YsRbxD+h5SvE14j 5auEXxBeIfycirxMqZco9SLhBVL+jPA84TnCs4SfUslnCD8h5dOEpwhPEkbCNtyXmB+HbRWIJwg/ CtuWIB4nPEZ4lPBDwiOEhwkPUb1jhGFSPkh4gHA/4T7CUUKYcITqhagv91LqHsLdVOQuwhDhB4Q7 CXdQvdupwm2k/D7hVsIthJsJNxFuJNxAuD5sXYm4jnBt2NqLuCZsXYW4OmxdjbgqbF2DuJJwBeFy wvcIlxEOEy4NW3sQl1CbF1ObF1GbFxIuoKbPpwqHCINU8jwqcm7YGkAcpMbOocbOJpxFJb9LrZxJ 1b9DOEDYTziDsI+wl3A6YU/Yinsys5uecBo1vYuwk56wg/qynTBAz+un6tsIWwl9hC2EzYRNhI00 lA30vPWEdWFrIWItYU046kzE6nCU6LurwlH7Eb3hKLHeSlL2hKMERDcpV5ByeTjqDMSycNR3EUvD UWcjloQteAgzXWGLE9FJCIYtasRiwqKwBY95JhC24PnOdBDaCQvDFjzmmbawBQ92ppXQEjaLvV4Q NtcimglNpGwkNJCynjCfUBc247nJ1FKRGlJWE6rCpjpEZdgkLsp5YVMQIYRNnYiKsKkLMZdQHjaJ 3lpGmEMoJZSETX5EcdiUjigKm0oQhYSCsEl8UD49KI+QGzaJFswhZIdNoiGzCJnUlwxCOnXJT11K I6RSl1IIydQJHyGJkEjwUoUEKumhLrmpEy56npMQTyXjCA6qHkuIIURTSTvBRh20EqKonxZ6kJlg onpGgoGgJ+ioiJZSmrBxGUIdNi5HqMLGFQglQUGQE2RUkqeSHClZAkMAYRw5juXGkCdQ/o7yBcpx 1H2OFT/D+N9Q/oryKcpfDCtd/4vyiaHX9bFhlesjlD+j/AllFPUfonyAeX/E9B9Qfo/yO5T3Uf9b lPcw/i7yNyi/xnLvYPptlLdQ3kT5FcovUd7Qr3X9j36d63WU11BeRfkF6l5B/hzlZZSXMP0i8gWU n6E8j/IcyrMoP0V5BuUnuo2up3WbXE/p0lxPIkd06a4fo+4JjP9It9kljD+u2+B6TLfe9ahuneuH mPOILsf1MMpDKMe021zD2n7Xg9oB1wPa7a77Ue5DOYrpMPIIlgmh3ItyD8rdKHehDKH8AOVOzRmu 
OzR7XLdrdrtuQ35fs9d1q2af6xbU34xyE8qNKDegXI9yHcq1KNegXK3JcF2FcqX6dtcV6u+7Lkd+ D+UylMMol6rXuS5Rn+m6WH2N6yL1da4L1Te4LkD9+Shnc0mus7hi13eZYteZgQOB7wwdCOwP7Auc MbQvoNnHaPY59jXuO33f0L5f7hPMcvXewJ7A6UN7ArsDuwKnDe0KPMSeB2vYc4WywM6hHQF+R9SO 7Tu4v+xghnYw1TuY7B0MCzuMO9w7OO32QH9gYKg/AP2t/Qf6Q/38nFD/O/0s9DPq4fHHj/Y7nLVI YW+/zli7LdAX2DrUF9iyZnNgA3ZwffHawLqhtYE1xasCq4dWBXqLVwZ6irsDK4qXBZYPLQssLe4K LBnqCnQWBwOLsfyi4o5AYKgj0F7cFlg41BZoKV4QWID65uLGQNNQY6CheH6gfmh+oK64NlCDg4c4 Y5w7jjOKHVgQhz3Bd9/KbIfgeMfxkYMHR8jxuIMzG2JdsWyqIYapaolh+mL2x1wUwxmiX4hmhejU 9FqD/QX72/Y/23mLYE/NrAWb0ea2cVZxbLbmjlqJFdXEnAJprM02r6/WYGUMVpeVrXFZGTC9Y/rI xFkfM75gZA0GxmAYN7CCAYsb9C49K36M6zlBn1NUa9C5dKz4Ma7jbIIONWKLydrWjlqDxqVhAxWa Fg0raCqqagVNRnYtcIybYYAxIjil2AvG6qrFdX3UxsgYPM+PdLT7/Y3DivGFjSFl65IQc24oqV38 FNq6QvJz8a27a0nwCMNc2HmEYas6QlHit0VS+uwLLoDK+MZQfHswdGN8Z2PoAEYEMTKOEYg/YoPK Tv/ygR0Dfv/25fixfGC7X/rFFLNDTPlFpfg7sB3T4s8OKQ3+bwxUDLFiAMP2CeX2b671XxuYf3cH /sND9Irl4p+RFNcDjB2e9heuVtgAA3AAf86BC+AwPAa/hJXwXYxdBTfCbXAnhOBH8Ay89i3/gvaV YWy3bDNouQdBDhaA8ePjo2O3oQzL9FM0hzFl4d0nNePG8T/N0P1p7PC4cWxYbga1VFfHvoza/2VO jB9nK8T0eKGYZg9i3CDV+Fhx/di9Y7dP604DNEEHBGARLIZOaIEFKK3QBs2wDFZAD/TCKlgNa2At rIP1aK+NsAk2wxaUNdAHW2Eb9KMNt8MO2Inx7RENpU+D3bAH9kV4OuzF+G783CPFzoD9aPnvTPLM SZ7UfBfORjkLP8+Bg3AunIcUP6frpqcG4RCcj/N5IVw0Gb/oK7Vi/GL4HsolcCnO+mUYvxLn/mq4 Bq6VtIfhcrhCSt0AN2P+5dPKinkny18H12OpG+EmLHkLes/tM8qKJW+AR+CH6FNPwaPobY9h7Ak4 hvEn4G14B96D38Hv4Q+Mnylk6uAT+Au8gNZfg1YXbb5V+hT/8rp20uK70LYTlj0DLTbdDjsjeWTP MyU7TeTtwpIHcTbOnFJnUJqnibbE0hNtTbWXOCZxRCd1NMLDk5qT455ei8pNtdl0C14taabnzrTs 1PhNX5tzC3wf5Vb8FOdhZmoidgeucFF+AENwF8bo82R6InY33AP34l5wBI7C/fAAPAjDk+n7MHUy PyxpJsp8tf4heFjygsfgcWn+fwwjku4xjB2L5D4WyXlIij8BT+Mu9Cw8B8/Dk+g7T0vyLPwM/eMl eBl3rV/BWxEPelXyIC/jhxfhJd4Hr8v0jIx7HJ5gF8BpmH6NvQpnAmTvgV78P5LGBrg3cPfgQAFz pF2g5f4MW4ZNWTZPzYxCPSiYVcCCmzkflMAwqwQzzyYVybk2h860tY1pq1awHVDx5ltvLnvrzeeR zzNZb46+Omo88eqouaQkKysnmzF5TJJE6VmFQi73JmSyRUWFhXl5uXPZgvxM1pugR/EV5M9li+Zy 
eblOVipKJSUtFha13Bt/X8K1nJCzp7tqtixIZF0OfZRWxrhlLruyvCXTYvAUpKQIWS6FWs7KlHJl aml1QvXy0tix+zmFRqF222yxehmv0CpV7hhLjJ4fq5Xpj38i039RxW/64jIuJ3/twkLZlWoly8vl jzjsSXNqPTF+t8VgMWr1MovNLFdYzBpfecOJQ0p7rF2hViu0RrUqOtqmVKnlWuOJYrRih/i/gaA9 neCHQjj0ELuPPQOCfvFuFAgeg3S26KhabYVhtlgwunKSbFaZb9TmirVmZ5uSxHer2LYcfOE6Kpg6 UvzRFbHNoxVox6wStOVoCZP1VG7eK6OmkqzRHLyFav6JqjnZnZJRnZw1Ss97PQm+Igta1YNmVYhT 4OXE2eDyfZEY7/CULy5Kq8+PjysJ9F+wbOxOj0f1viLXwdh6z+lMf9CW01j+QPuPW9bMcyXvPP3N ro8XbmtK4c3lm5fW2pVpFYvyCzb2tM9N8CTxZya7PMLypZ78JOvYsvy2lSd+075krDireY3474AG xj/id8ucUAzrp1vqaHw8GIfZwAMZfCwfa1WJr+P57VZ8Rz8qpCyaHJ9JdDEma3SkBB3Ncf8/LivZ gTwL3Y63RjlZcbh5uTa0izLicLzobfxuvV2n9wmrmzoG+zqK4lKattQu2NZWaNKoOV6mVFmrenZX r7l1oCJlwY5rnthev78rhR+0zk1M8idVbDz/qmtrW/ctSvf6vUYjuk6s3RKV7I0p33VkYMUzj96x v96TmyyOf+H4cfkIekspHJ0+fqEy3ROly8y0ZIDaGuXOUKuN7osymOwMxpDBaLiMjNIsLb5I5Ldl ZugsoLa5M7TWqPQsT6ne4WtzBIwBWUAcOAazvcSUV8Fk5flHmNzckpisFcuXLVtm8pdEZ5nQNUxM nikPf/FD9Kn4U24RLZmk56TFbPEyokl9yZyXm1DhQhataLfkMZGoQvZzVh3liYl2m2Xsr9kTLcq0 lNQE5jWMk9okY0d5c7RDv8rtjzfyD8vYSoMzKSOu3xBtkvExCq1CJsMPfu0X39PrDFpcs1dO6m6P clpUutiUuL93crc7kh16lSXeKv5LtP7xUZlZ5gE7ZMHi6TZ+DPNLIBoS2XbQQjyTHLa0pw4zqUcF xUmvQed6RVxtx76uAK0sfqrrKPKneRcvM8dVbr7xVxf23zVQ6qzpu+n187cNDZQOu2u3L1x33UBj hsU1f6B97bX9TZkWbmnzoyPHLgqWbLtt86KnnnzggvY5A3fuqd3RkdW897obLy+qG1iY0bjnmhsu F8eG3sOnoPe4cGxnztxpgC0StG5LilKVjD9RlpRhhnswym5RKZX6ZNwn7hfsbXqaUhyHuFHgToHD fT4v17jv4MgIE22MDDzlVCpOmOGkB0g7vM3u5BT5vmRfZGPh+ZSYwvadV60LL2PVdk+M3W1RsH9S 5nrGc5sTCxeXuR8oF6JLPTevuaVuZUOe28C9VbC9r7fJP5YhTrW4d/NDKQkKpTa3vrtpbqdZwZ/4 3J1f29g8YQ8f2iMH5sJt0+3xgN2m1MpScN/tEHS5KSXxzmL8SU2RlQwzjKBPTdemOG0qu1IRH+8t xkE+KKS3eQOmiMvTOO3iOEumW+iEqeQVTKOdjvzzTU1syjab3WITNyBWtFwyl8lNN+OMXZr3Jbfs aimoNBdwMrUtOS7WbVKweUpcuqUDfazalhBj95gV7EfK7HgmZumh5VkPRee1lxwNXtm5ryWJG6/Z u64txrJn1dhvLB6dSqfkebVBx2QXLKrwnnh90sr3JrsSa1YvTShNs401ZbesEu3bNj7K/Zr7Kfjw pnDBQ+x+9sDJ/VoVr3QOM/feh1M9RznM3PMgGHyMhfPlDLNOwW4B1ZzkeJ+c89SnfR7bUPiZoG/m 
IngpgpcieCmClyJ4KYKXIngpgpcieCmClyJ4KYKXIv/USzmZJH8nyd9J8neS/J0kfyfJ30nyd5L8 nSR/J8nfSVrb/SfP2vSV4Nc9DqAu1I0Oysa+Zz+MxmdhWn5i3zMgRuOzML0wEX9l8FcGf2XwVwZ/ ZfBXBn9l8FcGf2XwVwZ/ZfBXBn9F8FcEf0XwVwR/RfBXBH9F8FcEf0XwVwR/RfBXBH9FyOxJMnuS zJ4ksyfJ7Ekye5LMniSzJyGhERIaIaER/0XwXwT/RfBfBP8tKT2/cwbvb0C3yiQ5PQkhjXgvQk5P ktOT5PQkOT1JTk/ixwx+zODHCH5cgh8j+DGCFyN4MYMXM3gxghcj5PYkuT2JHyN4MYMXI3gxghcj eDEChY14MdM3ukYgMvg3RBm8GMGLEbwYwYsRvBjBi5Gv9SL9R2ZPktmTZPYkmT0JxS4Uu195lqgP xT4UN/Y9R7QRTwb/HimDHzP4MaMsVx5Wxiq/QY+gR9Fj6HE0D81HT6An0T8fHWIQHYPoGETHIDoG 0edA9DkQHYPoGETHIDoG0TGIjkF0DKJjEB2D6BhExyA6BtEx6sBc6sBc6sBcKI5BcQyKY1Acg+IY FMegOAbFMSiOQXEMioMnPM+G4nlQPA+K50HxPCieB8HTIXg6BE+H4OkQPJ10MIkEeQ8J4VRmkT8j JUwiSd5DUjiVWeTP9FplrL4dxdEOtBPtQnUogepREjWgRsQ1QnAMgmMQHIPgGATHIDgGwTEIjkFw DIJjEByD4BgExyA4BsExCI5BcAyCYxAcg+AYBE+H4OkQPJ1aNheKY1Acg+IYFMegOAbF86A4BsUx 6txc6txcaI5Bc/AU6OnQHIPmGDTHoDkGzTFojplzlLHmg2gu73+Ffo0eRo8h+tukv6E5Bs0xaI5B cwyaY+aLrH+J15fRK+hV9BrnWcz6N5VzoDkGzdPNlXxexfsNqAE1ohRqQi1cYytqQ+2I9oHkGCTH IDkGycEToWdD8mxIngfJ8yB4OnV4LhTPg+LplqaMtRYhzmstgc1Z1GWfuuxTl33qsk9d9qnLPnXZ py771GWfuuyTW/aQW/b8X/6GUQN9NdBXA1E5iPIgyoMoD6I8iPKoi5uhahNUbYKqTVC1Cao2kUeS 5JEkeSRJHgme3tpOnTSgbCuEtVMjDQjbSg5xySEuddKnTvrUSZ866VMnfeqkT530qZM+ddKnTvrU SZ866UPEJojYBBGbIKKG3vfo9Rp6vYbe3kSGSJIhkmSIoF751CufvJCkPvnUJ5+MkCQfJKlJPr22 iRrkkwf20GObqD/+P/lbQQ29VUNv1dBbNfRMjp7J0TMePeNRYzZTYzbTQ5vIAEkyQJIMkKS3augt j97aRM3xyQFJ6o5P3fGpO75yUumZT3fILczstjCz20JrpXqfKMTrDCXETG4LM7kt/yOe9fQmfFXD VzV8VcNXNXxVw1c1fFXDVzV8VcNXNVXSp0r6VEmfKulTJX0leBLK68xd/ozeQIvQYvSufAcW3/lv PvO+AL8FJfiFkjTKoN2oGWWRi75gvw7ZBb9d8NsFv13w2wW/2+DXh18ffn349eHXh98G+G2A3wb4 bSj9ElPwNKvrS794pJWeanUj72+SF8HvRfBbDb/V8FsNv9XwWw2/1fBbDb/V8FsNv9XwWw2/1VTJ IlWySJUsUiWLVMkiVbJIlSxSJYtUySJVskiVLFIli1TJoh78qyByPsz7MF+gChapgkWqYJEqWKQK tuCDLqpgkSpYxA8F/FDADz5+aMAPDfihgUpYxBPVeKKaqlek6rVQ9YpUvSIeaaDyFfFJNT6ppvIV qXxF/NJA1SvimQY8U03lK1L5ilS+IpWviId8PFSNh96h8hXxkY+Pqql8RSpfkcpXpPIVqXxFKl8R 
fxXwVwF/FfBXAX8V8FcBfxXwVwF/FfBXEX8V8VcX/urCX9vw1zb85eOvBvzVgL+CZ4MX8FcX/vLx VzX+asBf1firGn9VK69BbA5icxCbg9gcxOYgNgexOYjNQWwOYnMQ60KsC7EuxLoQ60KsC7EuxLoQ 60KsC7EupLqQ6kKqC6kupLqQ6kKqC6kupLqQ6kKqC6kupLqQ6kKqC6kupLqQ6kKqC6nNkNoMqc19 T3tvh9R2SG2H1HZIbYfSJihtgtImKG2C0iYozUNpHkrzUJqH0LJShZ3BK9UVKnNQmYPKHFTmoDIH lTmozEFlDipzUJmDyhxU5qDShUoXKl2odKHShUoXKl2odKHShUoXKl2odKEy+KtAE1Q2QWUTVDZD pQuVLlS6UOlCpQuV7VDpQqULlc1Q2QyVTVCZh8o8VOah0oXKHFTmoNKFShcqXagM/ooQ/JdcLlTm oDL4q7ALlcFfFIL/isuFyjxUBn8ZdqHShUoXKoO/MjRBZQ4iXYhsgsgcRLoQ6UKkC5EuRLoQ6UKk C5EuRLoQ6UJk8BeJZohshshmiGz+yhPq2yGyHRKbIDEPiXlIzENiMyS2Q2ITJOYgMQ+JOUjMQWJO GQ2JCUhMQGICEhOQmIDEBCQmIDEBiQlITFAP26mH7dSXJPUlSU8m6MkEPZmgJxP0ZIKeTNCTCXoy QU8m6MkEPZmgJxO0ZIKWTNBiCVosQeskaIkE/gz+gpng6hJcWYIrS3BlCeXkvmfEpbSZ6Kel8Wds 8Ozv8BqZCn+A1qGNaJNM/Y94/ttDtGWBtizQlgXaskBbFmjLAm1ZoC0LtGVBCZ7Q9bTM4uosrs7i 6iyuzuLqLK7O4uosrs7i6iyuzpLWLdK6hbuzuDuLu7O4O4u7s7g7i7uzuDuLu7O4O4u7s7g7i7uz Xzu+dMpOXNuJaztxbSeu7aRlSdrKWbQuCVs5i74t0LcF+rZA3xbo2wJ9W6BvC/Rtgb4t0LcF+rZA 3xZwaRaXZnFpFpdmcWkWl2ZxaRaXZnFpFpdmcWkWl2ZxaRaXduLSTlzaiUOzODSLQ7M4NItDs33j RhaHZnFmJ27MwlABhgq4MYsbs7gxixuzODELVwW4KuDELE7M4sIsjBVwYBYHZnFgFgdmcWAn3BVI xBYuzOLCTvgr4MIsLsziwiwuzOLCLC7M/r3W02Z9Nb0TVguwWoDVAqwWlFGaL1u1z1BBfqx9iQ7K 54Qi3/h31u4FTqq6/v/4mXWZM4B4SSUt07J+hpkW5a/6lbd++7OtLMsuZqWGpVb+sosXFMMb3sBU FDf5pSZK2/68bWuouIAiCuIyozMgJAs7ujty2JVl2A2Xi7Er5/88u4uQ4v/30///cR4vzpkzszOf +X7e389lmPOdXSrj8i6hfSa+Z8Sn8dm4POJz+DfHR+HoeOqIY/AVfMP5b+IkfA8n4wdx04gf4hSc 6jE/ce5Mx2f1r1VYHnG25yjZr3G7034tylgXl4OPsmoDqzawqpVVraxqZ9UMViUrcc5g1QyV3fOq uudZN4N1G1i3gXUzWDeDde2sa2ddO+s2sG4D6zawbgPrknVBW1nXyrpW1rWzLlkXtJV1razbwLoZ rEvWBm1l3QbWbWDdBtZtCD7cv4Lky/2/vzGPdfNYN4t1k1g2iWWTWHYyy04ecXi8jnWTWDVpxJGO j7I/Op7Fslkj/sPtr9jvuLrkic79IJ7Hsnksm8eyWSNOd+7HONPts3C250hWm1zt3Jp4XvAh1qzv t6Ycd7JoBYtW9I/VtnEaFncOWjKjf3wGLJnRb8GX3Hd8vJ4F61mwftCCFSxYwYIVO7z6Cq++YsRP +3+tY8aIX9iv8vgBK1YEB7FiCgvu47kWnmupeF3NXSniDovvU/FlVHoZXmrhpZYRRwdDRhyDL8X3 
jfiK/fHxFBZMYcEU3mrhrRbeauGtFt5qGXGqx4jcXv0+3mnx6vfxTgsLpvBOC++08E7LiORTqETR EQsiY1E2FslKuN3GYzZrImMy25jMNhazWROxJjIms43HbJ7p5pluXulmRcSKiBURKyJWRMalbFzK xqXMM90sioxL2biUWRUZl9msioxHmVURqyJWRayKgn1Z1caqNpZ0s6SNJd0s6WZJN0vaWNLGkm6W JK/e5tXbvHqbV2/z6m1erc2rtHmVbq/S5hXavEKbV2jzCm3BCO93ofe70Pu9wXu5wXu5wXu5gd0L 2b2Q3QvZfQObF7J5ITsXBh/gt+SXBZazbx371rFtHZ8t57M0n6XZto5tiVKW89Nj/PQYPyUrsa9j 4zo2rmPjOjauY+M6PlrOznV8tJyd6/joMbauY+s6tq5j68DKsx/x7B8JDvP6HdS71uv3ev1e72K1 d7HaOK1kS69xWmmcVlLwWmO1kj297Ok1Vispea3xWknJa9nWwbYOtnWwrZdtvdS8ln297OtlX6+R WG0kVhuJ1ZS9lrLXsrnXiKw2IqvZ3Wt8V7K7l90d1L3WKK1mfy/7e9nfy/7eYLfU7sGuqR/gFzgH v8Kv8Ruci/NxXbCr9zlKjvqW9zpKjvpW8Id38ElvSaYtybQlmbYk05Zk2pJMW5JpSzJtSaYtybQl FU5JhVOSaUsybUmmLcm0JZm2JNOWZNqSTFuSaUsybUmmLcm0JZm2FKwKDgkirMar6AkODDZgIzZh M17DP9y3Bb3ow+vY6nwcHJgKkAoOfBef0JZk35LsW5J9S7JvSfYtyb4l2bck+5Zk35LsW5J9S7Jv qdLrVm5FHBwyZGRwiAxckoFLMnBJBi7JwKXw+8GBMnBJBi6FZ3rMWfg5znb+P3EOxvZffbnt09eS rFySlUuycim8yv38ssMnsCWZuRROdf42+9vtBz6BLcnQJRm6JEOXwuleo/8TWNQn/yfg9sAnsCUZ uiRDl2TokgxdkqFL4Vr3l7EOXdiAjTDuoXEPjXv4Dxj3sNe+D6/De88Y80zKPvnkdajjHT99TVRW R2V1VFZHZXVUVkdldVRWR2V1VFZHZXVUVqCyApUVqKxAZQUqK1BZgcoKVFagsgKVFaisQGUFKitQ WYHKClRWoLIClRWorEBlBSorUFmBygpUVqCyApWNprLRVDb6/4PK6qisjsrqqKyOyuqorI7K6qis jsrqqKyOyuqorI7KClRWoLIClRWorEBlBSorUFmBygpUVqCyApUVqKzwJpWNprIClRWorEBlBSor DKqsQGUFKhtNZaN3orICldVRWR2VFaisQGUFKisMqqxAZXVUVkdlBSorDKqsMKiyOiorUFmBygpU VhhUWR2VFaisMKiyOiorUFmBygpUVqCyApUVqGw0lY2mstFUNvodqGz0DiqrG1RZHZXVUVldcBuV 9VBZD5X1UFkPlfVQWQ+V9VBZD5X1UFnPO/sGWdxHZX3vasWkt//0dU0QYTVejV/RXazRXazRXazR XazRXawZ/N/gDh1Ghw6jQ4fRocPo6F9d9ofx1mSF2V1+FG+lvh7q66G+Hurrob4e6uuhvh7q66G+ Hurrob4e6ut5V6vreF0dRocOo2PIyHjNTlZ3Sb4ZtmaH1V3WhGfh584nq7qMj3sormdwBZeOf17B xXk+eWMFl/6VW9x+68otHVTWQ2V9gyu3dFBZz9uu3LLzT3nX6PnX6PnX6PnX6Plf0fO/ojNZozNZ s8P/9Hbo99foUtboUjqorYfSeiith9J6gl9SWi2l1VJaLaXVUlotpdVSWi2l1VJaLaXV/l/W5spS WpbSspSWpbQspb1EaS9RWp7S8pSWp7Q8peUpLU9peUrLU1qe0vKUlqe0PKXlB3/h/YhdTgmG6j+/ 
OfhL70fsMsbt093+cXzrLj+Jb6WWWmqppZZaaqmlllpqqaWWWmqppZZaaqmlllpqqaWWPLXkqSVP LXlqyVNLnlry1JKnljy15KklTy15aslTR5468tSRp448dSRrZOYpI08NeWqopYZaashTQ5Ya8tSQ p4Y8NdRSQy015KkhTw15aqilhjw15KkhTw15SqilhJcoIU8FtVSQp4I8FeSpIE8FeSrI81wtz9Xy XC3P1fZ7rpHnGnmukecaea6R5xp5rpHnGnmukecaee5VnnuV517luVd57lWee5XnOnmuk+c6ea6T 5zp57hWee+XdxIj+Xxv7YVDNc7vz3Jjkl8d4rprnku/ljeG5m3juJp5r5LlGnmvkuUaea+S5Rp5r 5LlGnmvkuUaea+S5xnczz3cyrzvfmNMD87iR5xoH53Hnm+ZxI881vmkeN75lHt/n3APmXDKHZzp+ m/nLc40818hzjTzXGPyG55p4ronnmniuieeaeK6J55p4ronnmniuiec6ea6T5zp5rpPnOnmu8208 t57n1r+r7/e8Fm8a9N7IwXl33qD3Rg7Ou/N47w7eu4P3mnivifeaeK+J95p4r4n3mnivifeaeK+J 95p4r+ndfBdnJ9+/6XzjuzcD37Vp4r2mwe/adL7xXZuB79k08V7TG9+zua3/u1xNb/l+zX3OPRCv 7/9uzUzHb/e9GmMjkm7ixSZebOLFJl5sCr7DO/N5Zz7vzOed+bwzn3fm884c3pnDO3N4Zw7vzAlm BUOC2cjGOd7J8U6Od3K8k+OdHO/keCfHOzneyfFOjndyvJOTe8tyb1nuLcu9Zbm3LPeW+3PnwDen fpbkz8FvTf3MiOeMeM6I54x4zojnjHjOiOeMeM6I54x4zojnjHjOiOeMeM6I54x4zojnjPgcI54z 4jkjnjPSOSM9x0jnjHTOSOeMcM4I54xwzujmjG7O6OaMbi58IBhiZHNGNWdUc0Y1Z1RzRjVnVHNy WllOK8tpZTmtLKeVg2vNi3rzot68qDcv6s2LevOi3ryoNy/qzYt686LeyD9r5J818s8a+WeN/LNG /lkjnzPyOSOfM/I5I58zL3rNi14jXzTyRSNfNPJFI1808kUjXzTyRSNfNPJFI1808kUjXzTyvUa+ 18j3GvleI99r5HuDraqoOO5LBUjFfYPfrzmIN/bjjesGv19zEI/sxyPXmTvXmzvXmzv15k69uVNv 7tSbO/XmTr25U2/u1Js79eZOvblTb+7U82SRJ4s8WeTJIk8WebLIk0WeLPJkkSeLPFnkySJPFnmy yJNFnizyZJEnczxZ5MlieLaK4z9xDsa6PT6uN4/qebfIuzneLfJuMbzK/dfaG29zqZ6nizxdDKc6 f5v97fZ3OH+n42m4C3fjPuceiHt5vmhO1fN+kfeLvF/k/SLvF3m/yPu9vN/L+72838v7vWGv5+zD 63GfuVafGWp/r73nNN/qg19RRxV1VFFHFXVUUUcVdVRRRxV1VFFHFXVUUccT1PEEdTxBHU9QxxPU 8QR1zKWOudQxlzrmUsdc6miijibqaKCOBupooI4G6migjgbqaKCOBupooI4G6migjgbqaHi7/yfj 5SperuLlKl6u4uUqXq7i5SperuLlKl6u4uUqXq7i5QZebuDlBl5u4OUGXm7g5QZebuDlBl5u4OUG Xm7g5QZebuDlBl5u4OUGXp7Lyw28nKzY3cCzVTxbxbMNPDuXZxt4toFXG3i1ilereLWBVxt4tIE3 q3izgTcbeLOBNxt4s4o3m3izgTereLOBNxt4s4E3G3izgTcbdvZ/UjxYxXtVvFfFe1W6ziu39gVX 4Wpcg2sxEZNwHX6H63FTPJMHv8yDX+bBL/Pgl3nwyzz45WCq+/4Lt+MO/BF3Yhruwt2Yjj+hFn9G 
XXwcrx/H68fx+nG8flzwgPN/QQMexF8xAw/hYTyCmXgUjZgVn0ElZwRzHD+GxzEXT2AensJ8PI2F eAZNWIRsXE1Z1ZRVTVnVlFVNWdWUVU1Z1ZRVTVnVlFVNWdXBC/5mOZodr7BfiRYU8WI8geImUNwE iptAcRMoboL8vURMmiYmTROTpolJ0yqf39pXuRTL8De8gOVoxgqsRAuKeBEvxTMrW9GGEl7GKkRY jXZ04JW4mlqrqbWaWquptZpaq6m1mlqrqbWaWquptZpaq6m1mlqrw6/HMym2mmKrKbY6/J7bJ8fH hT+wPwWn4UfOj8HZ8TRxapo4NS38pfO/xrkY677xW/vCS3CZ48v9/QT7K3GVx17tMdc6nmg/CdeB rkK6Cm9wfCNudv8U3OK4BlP9HU2Ff8Btzt/u9h0eT1tmRLUZUW1GVJsR1SE9hffgXtznMffbPxCf YYZUh/QUznSOZkKaCWdhtvM0E9JMSDMhzYQ0E9JM+CToJqSbcAFox+yqDmknpJ2QdsIscngWeRSw GEvwPJZiGf4GugnpJmwG3YR0E9KN2VpttlabrdVma3XIvyH/hvwb8m/IvyH/msUTzOIJZvEEs3iC WTxB7bNE7bNEbJ4mNk8Tm6eFW+OZmYqtfZnQPoOh8bTMrvb3OmdMMvebwxXBqcGVwfVBENwYTA6G BTcHDwS7Bn8JHg1GBXOCucGn+ldV+EwwP3gh+GywIlgdHN+/nsLJqTGpMcF5FSdWfCs4P1m/IBib rFwQXFhxdsU5wbiK5orm4JKKlopVwaUVr1S8Elxb0VmxNpiYrEcQXFexqWJzcH1Fb0VvcGOyHkEw OVmPILg5WY8guGWXA3c5MPivXU6Rn/+wyxhZ+fbKmZUiSOXzlXFw55CRQ0YGz6afSD8RPJd+Jt0U 5NOr0+3B4nBYOCx4Prl2PViaXLseNIc/DE8JXkyuXQ9aw9PDHwdtybXrwcvJtevBK8m160Fncu16 sDa5dj34R3LterA1vDm8NRWEt4V3pNLhneGfUkOTa9dTuyfXrqf2SK5dT+0Z/iVsSO2VXLue2ie5 dj11cFgMX08dFsaZYalvZHbL7JH6YWavzD6p0zL7Zt6XOj3zgcyBqTMyH8p8OPXTzMGZUamzMx/L fDx1TuYTmdGpX2euylydOi9zb+b+1AWZ5zL51EWZJZklqYuTa85Tv02uA0+NT64DT10y/MnhL6Su SK7uTk3d9aRdT0vNSa7HTi1Irq9OPZ1cX51amlxfnVqRXF+dKibXV6dak+urU23J9dWpVcn11ak1 yfXVqb8n11en1ifXV6c2JNdXp3qTa6dTfcm106nXk2unKyp2+8ZuJ1aEu/1wt1Mrhu1+9O7HVowI Un3l5KrpXe6fs//OtnBMOGbP5pHTt2/77TqwJfe8edt/2agTtm2H/N225ZAth+5/6P6fOSjZjjz2 zVs45piJX6ob2OZds317al6yHd+2sy0//YRg2/b9s0//9bbtVzMHtrHLxi4bVzf54O1bcubN25TT xtWNq5ty2tSvJdvtB9hGJdu0W3e2Jc84ru6uMwa3l7dvA38/9WvJM005bcu527YHb3tkj23bo9cN bHvemWzv/+r7v3p0+553Ht1+dPvXRybbir+v+PvNtul3DGzjH7uiLtkuzV/9fLJd+4tku7rm6prL Gy9vnPTwpIcvzbtv2+3Dbzj4hnuS7cYP9m/TV5504/Qbp98ww3bwDQdPzkzObDu+YUZ0dNdHElYu Xrl45x4f8PmO2z/7bPrC7Vvij3vHb98GPPHmsb79gH8ezYFRSbTx1LzBsR/c9mzes/nqmiOPHVBZ sk8UdUJw6P5HHpsoJRyzTRen/3rP5l/NfPS6Q7bcfkDCHI/YrpGBdzHqhOTvjjx24JGjTjhm4rZ3 
l5xNNJc8NnnNX81Mzm97h6f/es7+I6d/5qBjJh4zcc/m5NnCMYds+VLdnP2TxyazYdsc2HEWJJYm Wt+m9u16T57nrSof0PiOKs9PH9D2989OdD2g5uR5kr8+dP9fzTzy2ESFiWqn3Xr7qHF1Y5clyhvQ VzJ6A0od0PCj1yUjnxwlik1ubR/9qV9LnmXywXe9nJy/64xH9hh43h1nypTT/nk+7Fz/29Sf+HNA 9YnuB9Q+9Wtbzn1kj9tHPXpd8vzhmB39vOM2MLe2WTCuLnmu2w8YuL3t9ZLnHHj3tx/w6HXJKyeW j6szDgckNiZH297dlnMH5uvADB/YJ+8xsWTarZMPTh51dHsyBxMGZuD7vzowN9/dlszoHbe3PiKZ 6ztuA6+6fXvrXyQx4Z1t26LH223/L+/wnW1JbDpm4hV1kw6/9hd7Ng9Er2t/cWk+OQPxK7l1aX7S 4Un8Grgv2cY/Nv6xJN4NnE1mWnK0LeZNejiJidsi4bb459/nL82Lbvdsi3v9sU80TOKe4/6IOLBP ImDyqP5IOBgZxcYkciZ/M3h22q03fvDyxsSW5LX2bJ6cGbDhirr+5/P3A3/3P3nw6yMTdVdMDirj zmAI0giRwVAMw3DsihHYDe+J24K9sDf2wUi8Fx+N24NROAQfw6E4Pm4Nvoav4wR8A9/EifgWvo2T 8H2cFpeDH2EMTseP8RNcFm8KLscVmND/Xbi3+x/6t/4OSNbz5vAsnkMeBSzGEjyPpViGv6EZb/9d 7B2/4boi6PGaG7ARm7AZr8XLgn9gC3rRh9fjZamKuCW1CyoxBGmEyGAohmE4RmCPuJTaE+/BXtgb +2Ak3ot9sR/e57H/23WyR8XzU4fgYzgUH8dhOByfwCcxGp/Cp3EE/hWfwWfxOfwbPo8v4EgchaNx DI7FF/HvqMJ/4Dh8CdX4Mr6Cr+J4fA1fxwn4Br7pvZyIb+Hb+A6+i5PwPZyM7+OsuDt1AcbiQlyE cbgY43GJ93opLsPluAITcCWuwtW4BtdiIib5m9953uvtb8CNmIzb4tWp23EH7sQ03IW7MR1/Qi3+ jDr8N+7BvbgP9+MB1OMvaMCD+Ctm4CE8jEe81kw8ikbMwmzMwWN4HHPxBJ6Ml6aewnwswNN4Jl6S asIiZJGLl1SeH3dWXoCxuBAXYRwuxm8xHpfgUlyG6+LWyt/hetyAGzEZN+FmTMEtqMHvcSumxy2V f0It/ow6/Dfuwb24D/fjAdTjf16jfGXlLMzGHDyGxzEXT2AensRTmI8FeDrurlyIZ9CERcgih2fx nLHIo4BX2LwGnViLMtahC934O9bjVfRgA8zbyq2I42VD9olXJ98MH7JvPH/Ifngf3o/98QGU4rYh 7eiIW4essf871qMv3jRka7wpLbamw7gtLYamxdD0Ho73hDiaFkfT+3jM/s5/AAe5/WGMcu4wtz/h +JMYjU/hCOc+674v2B/t9hftj7M/ET/Fz/BznI3fxOX0uTgP5+MCXONvr8VETMat8cr01Lgl/Yd4 fnpa3J2+y+3pcSlN42kaT/Nl+gHn+THNh+kHHf8VM/AQHsYj7puJR9GIWZgNfkzzY3qe4yfxlMfO t1+A7eu9r0xn8Zz78ljivmUYWP99ZXo5mrECK+Ml6aLHvMiulzymFW3OR+ztcLwe4nF6k/1mvIZ/ YAt2tlZ8EM8PxeZwaNwdvgd7YW/sg+SK4/diX+znse/D+7E/PuDcATgQH8SHcBBGxavDQ/AxHIqP O3cYDscn8EmMjpeEn8Kn46XhETjS446yP9q5Y9jy76h2/FWPlT9D+TL8LuTJwd+XKYWnuu9Hbo/B 9qsRloVj3b4MA78f0xpeiWthHofmcXgb7sQ03IW7Md3f1ds32M+2X4giXsRLaMXOr3V585UFK8KN 
kAtDuTCUC0O5MJQLB68qKGVS8bLMiHh+Zjfsjj2wJ96DvbA39sF7Ya5lzLWMuZYx1zLmWsZcyxyA A/HBeHXmQzgIH8ZH8C84GB8FX2T4IsMXGb7IfByH4XB8Ap/EaPwi7s6cE6/M/NI+We//3Lglcx7O dzzW/kJcjPG4BJfisnhJ5nJc4W+ugfyRkT8y8kdG/sjchJsxxWNvgTol83vP90fn/sz2e+wf8PeP xK0ZcyZjzmTE/szj9vPZtABPY6HHFpwzJzLPu38ZXkALis695DlbYQ5kSljt/Bqs89xd8dLMeud6 3N6ITXH30M/h83HLUDl86Jfsq+PVQ+ls6AmO5eGh8vDQb7v9HXwXJ+H78ZKhpzh/Kk7D4O8aDP2x Y/k42K3i83F7RRW+Ev+84vj454Mrujw0uKLLQ8P+ELcPuw134M7458PuwvS4PfWpd1R3nhE/F5yJ s3Be3Bycr+a8AGNxIS7CuLgQXBwvCH6L8bgEl0KeU0N2qiE71ZCdwZXxxuAqXI1rcC0mYhKuw+9w PVapPyOsxqvqu51fV79EzbdczbdczbdczbdczbdczRWpuSI1V6TmitRckZorUnNFaq5IzRWpuSI1 V6TmitRckZorUnNFaq5IzRWpuSI1V6TmitRckZorUnNFaq5IzRWpuSI1V6TmitRckZorUnNFaq5I zRWpuSI1V6TmitRckZorUnNFaq5IjROpcSI1TqTGidQ4kRonUuNEapxIjROpcSI1TqTGidQ4kRon UuNEapxIjROpcSI1TqTGidQ4kRonUuNEapxIjROpcaLUQnXOM/ZNWIQscnFEJS0U0vKO65Vp8YLK u3A3nosjOT6S46PK5+ONlUuxDH/DC1iOZqzASrSgiBfBR/L7cvl9+ZC94+fk+EiOL8vxkRwfyfGR HB/J8ZEcHw3pjBcM2dj/C8TPDdmMLW73xZ3ye2d/ft+W2/fBtlw+CkkO/3S8YDBvd/bn7WPdTvL2 2Pi59IW4CONwWdycvhxXyN0TcGVcSF+Fqz3+Go+/FhMxGX+IIzk6kqMjeTFKJ9egBKA7OSiSgyI5 KJJvIvkmCv9VnvkM6EiuieSYqH/dhDPjsvyR/A7F8nB8vDG8BPQfXt+/mtRG+WF5eJ99g/1M+7Ue W8Y6dEEPJO6XdlinYOD/BcwHcb88uFbB8kxFvFHsj8T+SOyPxP5I7I/E/kjsj8T+SOyPxP5I7I/E /kjsj8T+SOyPxP5I7I/E/kjsj8T+SOyPxP5I7I/E/kjsj8T+SOyPxP5I7I/E/kjsj8T+SOyPxP5I 7I/E/kgcj8TxSEyOMveyz/vM3A+6zswRf+fbL8DTWIh1cSR2RuJmJF5GYmM09Afx6uC2YPdg72AP JGuBj8Ih+BgOxeeDEcEXcLwo8jV8HSfgG/gmTsS38G2chO/jjGBYcCbOSv6HRISZgltQg9/jVuz0 28LBvsFsvJu1GjrijuAVrEEn1qKMdehCN/6O9Xitf4WegXWwBte/0kmUdRJlnURZJ1HWSZR1EmWd RFknUdZJlHUSZZ1EWSdR1kmU3+VaCx2Vm7AZr+Ef2IJe9MUdQ/YOhqnEy0M22W8OhqX5Jn1UMCI9 1vGFuAjjgmE7WYOh8Mb6Cz+NO8Kf9X+vM1lzoSO8CONwMX7bf33nksFvFW9fa2H7Ggsd4a1I1lh4 8/oKDwT79q+r8HbrKRjj0BiHxjh8FT0YXPlDtVAOks9q2uTMNjmzTc5skzPb5Mw2ObNNzmyTM9vk zDY5sy3YPV4X7AEZOvgCzpA3z8RZOM/t86nzAozFhbgI4+KlcmizHNoshzbLoc1yaLMc2i2Hdsuh 3XJo9ztYo6EnmN2/2k9PsDV+LYjj11IBUvFrckC3HNAtB7TJAW1yQJsc0CYHtMkBbXJAmxzQJge0 
yQFtckCbHNAmBzTLAc1yQPM7XXdBrG8Wy5vF8qViebNY3iyWN4vl3WJ5t1ie9GltYnlb2viJ593i eZt4nvRk3eJ5m3jeLJ63iefd4nlb+qi4XUxvFtPbxPRmMb1ZTG8W05vF9HYxvV1M7xLTu8T0pWL6 UjG9WUzvFtO7xfRuMT25xv218D9xTv/17dvWfHhthzUfkuvXX+tf82FgvYee/rUejC2F9IS97uvD 6/3rNSXrNLz2T+s0/Ljik3FXxRH4fNxacYx9lf2JcXfFD+3PwDmYFLdUXBe3qNta1W2t6rZW9Vrr MJ39sAcxAw9DxzdMlzdsrvuewJN4Bjk8F3cNy6OAxViC57EUy/A3vIDlaMYKrEQLingRL6EVbSjh ZaxChNVoRwdewRp0xl3Db4pbht8MlfdwlffwGvwet0KXO/zJuHu4LnT4fCzA01iIZ9CERcgih2eh Kx2uKx1ewGIsAcUNp7jhFDec4oZT3HBqG05tw6ltOLUNp7bh1Db8JbTG3bv+Ju7a7Rtx927fRDLe L5nHNeZxjXlcYx7XmMc15nGNeVxjHteYxzXmcY15XGMe320e3x28x/zcC3tjH4zEe7HTrBNPNeen yjpdsk6XrNMl63TJOl2yTpes0yXrdMk6XbJOl6zTFZwWR8GPMAan48f4CdRj5v9G83+j+b/R/N/4 v/5u+E1xnwy2SAZbJIMtksEWyWCLZLBFwVT3/Rduxx34I+7ENNyFuzEdf0It/ow6f/ffuAf34j48 4Pxf0IAH8VfMwEN4GI9gJh5FI2bF94pJ9wZzHD+GxzEXT2AensJ8PI2FeAZNWNR/hURWZs3KrFmZ NSuzZmXWrMyalVmzMmtWZs3KrFmZNRu84G+SXxhqdrzCfiVaUMSL8drgJbSiDSW8jFVxq76jVd/R KiuXZeWyrFwOkm9CJr/vo/4Kkit21V+ycllWLsvKSY/ysh5llR5llR5llR5llR5lldi7SI/Srkdp 16O061Ha9Sjt4vFi8XixeLxYPF6cqlCb74JKDEEaITIYimEYDnVcao94VWpPvAd7YW/sg5F4L/bF flDDpQ6IS6kD8UF8CAfhw/gI/gUH46P4pseeiG/h2/gOvouT8D2cDDVX6iw9xQUYiwtxEcbhYozH JZ7rUlyGy3EFJuBKXIWrcQ2uxURM8je/87zX29+AGzEZN8XF1M2YgltQg9/jVkzFIx4zE4+iEbMw G2rH1GN4HHPxRLxajquR42rkuBo5rkaOq5HjauS4GjmuRo6rkeNq5LgaOa5GNdWlmupSTXWpprpU U12qqS7VVJdqqks11aWa6lJNdammulRTXZX6tko9QaWeoFJNW6lvq9S3VerbKvVtlfq2Sn1bpfq2 Ut9W+Ze4VNmAB/FXzMBDeBiPoBGzMBtz8Bgex1w8gXl4Ek9hPhbgae9Vz1f5DJqwCFnk8Gz/NyDf 2bUZL8V9la1oQwkvYxUirEY7OvBKnFVJZlWSWZVkViWZVUlmVZJZlWRWJZlVSWZVklmVZFYlmVVJ llWSZZVkWSVZVkmWVZJllWRZJZn8rl+7HrFdj9iuN2wdIgsNkXVUl11D1vT/fnbXkPXYqA/sizeq HzaqH2rSYfIb2fZitxri7vQebu8JsTstdqspNqopatQUNemD3P4wRjl3mNufcCxLp0fjUzjCuc+6 7wv2R8VT00c790XHx9mL4emf4mf4Oc7Gb/SC5+I8nI8LcKV+8Spc43muxURMxq1xKT3V/dPi1em7 HE+PV6VpJP2A2/SRpo30g47/ihl4CA/jEffNxKNoxCzMBn2k6SM9z/GTeMpj9VBpPVT6aecXYhGy eM59eSxx3zL8zbkXsBzNWIFi/+e8UboVbW6X4mI6YmOH2+shxqU32W/Ga/gHtqDXY/vwOrYi1p+K 
beFQ/e97sBf2xj4YifdiX+znce/D+7E/PuDcATgQH8SHcBA+HBfDj+BfcDA+io87fxgOxyfwSRzj Nf8dX3V8fJwNvx736TiyOo6sjiMbfs/tk+NF+vBV4Q8cn4JTPfY0+x+5fwzOjFv15606krKOJOnT 29WJi9WJi9WJi8NfeuyvcW7/97azupWybqWsWynrVsq6lfIO1yJldS2LdC1ZXUtWbbk4vLr/+9zZ cKL9JFyHbdcn3eD4Rtzs/im4xXENdG86nLJ6dHEof4d/6P/ud1Zturj/OiZ5XOeT1flkdT5ZnU/y G5ftofwd3oN7kVzbdL/9A/G9OqJsKH+HDR6TXOckT4fydDgLs90nT4fydChPh/J0KE+H8nT4JOTq UK4OF0C+1lVlQ/k6lK9D+TrMIodnkUcBi7EEz2MpluFvkKtDuTpshlwdytWhXK1Ly+rSsrq0rC4t G4pFoVgUikWhWBSKRaFYFLbHa8MOvII16MRavitjHbogX+vwyjq8sg6vrMNLPkN5OdwI+TqUr9Xz i9Tzi0L5Wk2/WE2/WE2/ONzqNeK4NRPEqzKpuL3/uq8w7stkMDRenNnV/hfx6sw5cSnzS/vf2IsF GbEgc77jsfYX4mKMxyW4FFd47DWQ/zLyX0b+y8h/mZtwM6Z4zC2o8bq/9zx/dG5aXMzcY7/DdWc6 1K6MmJAREzJyYeZx+wLM8czzbi/DC2hB0bmXPFcrzO1MCaudX4P1jnvsN2JTvHro5/D5OBr6xbg4 9Ev25tPQE+zVC0O/7fg7+C5Owvc85hTnT4V6duiP4tLQMVDLDlU3BD9TTW9WTW/WDW/SDW/SDW/S DW/UDW/WDW/WDW/WDW/WDW/WCZd0wiWdcEknXNIJl1RnfaqzPtVZn4pry9usmtOn2upTbfWptvpU W32pJ+O1qacwHwvwNBbGG3b26agOt6TDLelwS//0KafnkZH6ZKQ+newmWalPN1vSyW7SyW7SyZZk nM061JKOtKQb3aQb3aQb3aQb3aQb3agb3agb3awb3awLLSWfHr7xKeGnKfYI/Gu8IfwMjnK8/dPC XtGoTzTqE4X6zOhkxvZReB+F91F4H4X3UfMWat6yw0o4iWr7BlfD6XvjU7eBT9k2JJ+qZbritYOf pm1I1qn4P5zde3xcdZ3/8QlN50wRBBEQRFBBARUExNuCgOIFhdXV3fXaVWR/65Vdfo1LoDA0oKCQ KK4EhBUIoSU10EAShgmXaimdhCZNpiFk5kzmlGnTWgqUxLjd36OtVfT7e/aisAq/n/jH63HOXHKd 8/28X+88zsns/rtA6qNaUk1LqmlJNS2ppiXVtKSallTTkmpaUk1LqmlJNa/rZq/rZm1lWjuZ1k6m tZNp7WRaO5nWTqa1k2ntZFo7mU7t/DvVhaHGymqsrMbKaqysxspqrKzGymqsrMbKaqysxsp2vjP2 NHuZZi/T7GWavUyzl2n2Ms1eptnLNHuZZi/T7GWaGUwzghobqLGBmtdms+SvSf6atK9J95pkr0n0 mpSeltI7p/W0aT1tCk+bwtMm6rRpOW0yTlvx01bctBU3bcVN77VCJ8zphDmdMKcT5nTCnE6Y0wl7 dcJenbBXJ+zVCXt1wXZdsF0XbNcF23XBdl2wXRds1wXbdcF2XbBdF2zXBWd0wRldcEYXnNEFZ3TB mdTXw/rUN/BNnI9/xb/hAvxvzEMDvoULw1oraq0VtdaKWmtFrdUF+3TBPl2wTxfs0wX7dME+vS6n 1+X0upxel9PrcqmHUgenlmLY4yMoYjVG8RjG8DjGUUIZMap46W41avWOWr2julVRtyrqVkXdqqhb FXWrom5V1K2KulVRtyrqVkUrfaWVvtJKX2mlr7TSV1rpK3Wrp632Iat9yGofstqHrPYhXaqkS5V0 
qZIuVdKlSrpUSZcq6VIlXaqkS5V0qZIuNaFLTehSE7rUhC41oUtN6FITutSELjWhS03oUiVdKtal Yl0q1qViXSrWpWJdKtalYl0q1qXiumNNl7fgrXgbjsPxeDtOwIk4Ce+AVV9n1de9C+/Ge/Be/A1O wal4H0yDutNxBt6PD+BMfBAfwofxEZyFj+JjOBvn4G/xcXwCf4dP+lk+hb/HP+Af8Wl8Bp/F5/B5 /P/P+anqelVdr6rrVXW9qq5X1fWqul5V16vqelVdr6rrVfec81P6s3N+9Cpdb0bXm9H1ZnS9GV1v Rteb0fVm6m4Oa+puwa24De24HQuxCHegA4vxU3TiTtyFJejC3bgH3ehBL+5FDvchj5d3TtBCibJQ oiyUKAslykJpskSaLJEmS6TJEmmyRJds1yXbdcl2XbJdl2zXJdt1yXZdsl2XbNcl23XJdl2yXZds r78prK//T/wEN+MW3Io23IZFoaRrlnTNkq5Z0jVLumZJ1yzpmiVds6RrlnTNkq5Z0jVjXTPWNWNd M9Y1Y10z1jVjXTPWNau6ZlXXrOqaVV2zqmtWdc2qrlnVNau6ZlXXrOqaVV2z+hecA7REci6RnEv0 wz79sE8/7NMP+/TDPv2wTz/s0w/79MM+/bBPP+zTD/v0wz79sKgfFvXDon5Y1A+L+mFRPyzqh0Vp PCSNh6Tx0OyDwhppPDr7kDA1+1C8FofhdTgcG0JOd8zpju26Y272zK7zhHL6Y272r+3vCOv1xlw6 YzsHe+MV2Af7u/9VMOf1x5zOmNMZc+mjPXYMTrB/Ik7CO3CK+063/TA+ha/h6/gGvokGPfFb+Hdc iEZc6mOyuAwL0IRvh7UsYa2eWNUTS+mfhKk95whVdcWJtGM+7ZjXGUt7zhEq6YzVlzhHqKQzlnTG ks5Y0hlLOmNJZ6zqjFWdsaQzlvacI1TSGUs6Y6wzxjpjVWesvuAcoZLOWNIZY52xqjNWdcaqzlhl M0v2nCO0Rncs6Y4l3bGqO87ojhO6Y0l3LOmOE7pjSXcs6Y4l3bGkO5Z0x1h3jHXHWHeMdcc4SrEg 8/wvOE+oqj9W9ceq/lh9yfOE9H39cUZ/nNEfZ/THmejYsCZ6C96Kt+HFzx1awtKWsLSFLG1h9D7P O832dPed4fs7E2fZ333uUJ+u2adr9umafXpmjsGt3HPuUJ9u2cfmRtncqG5Z1C2LrG5Ih+zTIYs6 ZFGHLOqQRR2yqDv26Y453bFPd+zTGfv0wj69sE8fLOqDRR2wT+/r0/v69L4+va+PJQ5Fd6cO1vH6 2OLOa+n7dLQ+napPp+rTqfp0qr6X6E6jzHKUWY4yy1Hdqag7FXWnou5U1J2KbHMl21zJNleyzZW6 09O609Osc4h1jrLOlaxzKLNvmMq8Evthf7wKB+DVOBAH4TWwfjPWb8b6zVi/Ges3Y/1mjsDr8Yaw JvNGHImj8Ca8GUfjGHgdM17HjNcx43XMHIfj8XacgBNxEnafd1Tdc95RrKeV9LSSnlbV00p6WklP K+lpJT2tpKeVmPMS5rzkLzjvqKSvlfS1CX2tuuu8o3bdbLHvf/e5R0t0tXZdraSrlface1TK9Pu+ BvAoVnruY+6z1l7k3KOS7lbV3aq6W1V3q77g3KMlbH6hDld9kXOPSnO4hB43o8eV5pwV1uw5/6g0 hxPoc6U/O//os577+bBEpyvpdCWdrqTTxTpdrNOVdp6DVHd1ar/UB1P744CwnA0vZ8PL2fByNryc DS9nw8vY8DI2vIwNL2PDy1KnpA5NnYpz7P8tPo5P4O/wSXwKf49/wGfwefxLOE9nPE9nPI8JdzLh TibcyYQ7mXAnE+5kwp1MuJMJdzLhTibcqV9ewIavYMNXsOEr2PAVbPgK/XKufjlXv5yrX87VL+em 
rkwdlroK38X3cDWuQTNa8H38ANeFYSY9zKSHmfQwkx5m0sNMeohJDzHpISY9xKSHmPTZTPpsJl1g 0gUmXWDSBSZdYNIFJl1g0gUmXWDSBSZdYNIFJl1gzIsY8yLGvIgxlxlzmTGXGXOZMZcZc5kxlxlz mTGXGXOZMZcZ8zWMeTFjXsyYFzPmxYx5MVvOsuUsW86y5SxbzrKrhF0l7CphVwm7SthVwq4SdpWw q4RdJewqYVcJu0rYVcKuEnaVsKuEXSXsKmFXCbtK2FXCrhJ2lbCrhF0ljKmXMfUypl7G1MuYehlT L2PqZUy9jKmXMfVqoKfOmhsu0EJPnXVuuIBBLWNQyxjUMga1jEEtY1DLGNQyBrWMQS1jUMsY1DIG tYxBLWNQnQyqk0F1MqhOBtXJoDoZVCeD6tTx5+r4c3X8uUyll6n0MpXe+vHUYfUllBGjgglUkWAN nkANa/FMKDCbArMpMJsCsykwmwKzKTCbArMpMJsCsykwmwKzKTCbMrMpM5sysykzmzKzKTObMrMp M5sss8kym+zsA8N57CZhN4tYzHIWs5zFLGMxy2c/G+YymU4ms5zJLJ+9zXO349fu24HfhLmsZjmr 6WQ1naymk9V0sprOtDXLbJYzm+XMZjmzWc5sljOb5cymk9l0MpvlzGY5s1nObJanT/b5TnH/aalD Gc7y9Pvd/rDtp/A1fB3fwDdxUTgvfTHm4xJc6uOyuAwL0ITLwwXpK/DtcAXTuSL9XZ/PscZqEibR m975n6iPxVvwVrwNJ4VeKdwrhXulcK8UTqRwrxTulb69krcgeQuStyB5C5J3SPIulroFqVuQuouk 7iKpW5a6ZamblboFqVuWumWpW5a6Zalbji5LHRYtwOUev8Ln+Y7tlbga5kBkDkjhghQuSOGyFC5L 4UJ0q/tvs23H7ViIRb7OEvffnTpbGhekcTa63+2l9leihrVYh0lM+R6n8UvMwNqWvmXpW5a+Zelb lr7XSN9rpO9i6btY6mal7iKpu1jqZjN7pQ6TmInETCRmIjETiZlIzERiJhIzkZiJxEwkZiIxE4mZ SMxEYiYSM5GYicRMpF+v9OvN3OVz+jkyXbjb7b6wTHIlkiuRXIkE6pVAvdIlkRy9qbtS9WFzajbS iJDBHOyNV2Af7ItXYj99fn+cEjalTsW/mKhfwVex+5yZZ03xZ03xZ03xZ03xZ1OXhH6TfMQkHzHJ R0zyEZN8JHV5eCJ1Bb6N7+DKsCV1Fb6L7+FqXINmtOD7+AEeCtOppbve3fLJP31ftLqVYVtdEasx isd2/n+mXe9Nss+e9yXZp/7CsLm+ERfhYszHJbgUWVyGBWjC5WgPIybRiEk0Uj8ettSXUEaMCiZQ RYI1eAI1rA1bTIdhU2Bk9tbQb/UPW/3DVv3I7OfCE7N/H55I+72n/W7Tfrdpv9v0Qe57nf3Dcaz9 421PDiPpd9q+x+1TbU8Lm6zskfQH7F8Uhq3iYat42CoefsH5NM9asc+mrwz96avwXc//no+/Gtfg P3Bn2JZ+GH5H6V+EbdG78G58BC98j7bLwpZoAXa+H5vXIPIa7HoPtt3vv7YlWoK7d/0Fbgu/fJJf Pvk/3iNtr7Bl13ujzQ/bMpfs+l/fWzI+JtOFe9zuRg968TPE+BX+K2yb8wXMDdtSx+51Yti8l9/C XmfgY6G21zmh5lXdzyu63963hdret2N12Lz3KB7DGB7HOEooI0YFE6giwRo8gRrWYh0msR4b8Ats xJPYhKfwNJ7BZjwbNu/TEDbXDVpHTdZRk3XUZB01WUdN1lGTddRkHTVZR03WUZN11GQdzbeO5ltH F1tHF1tHO6yjHdbRDutomzWzzprZas1stWa2WjNbrZmt1sxGa2ajNbPRmtlozbRaM63WTKs102rN 
tFozrdZMqzXTas20WjOt1sxKa2ZlamNqVupJbErNepnX3f2lf4Pbed3dRN3r8Qa8EUfiKLwJb8bR OGbnOeCpfevegrfibTgOx+PtOAEn4iS8AyfjnXgX3o334L34G5yCU/E+nIbTcQbejw/gTHwQH8KH 8RGchY/iYzgb5+Bv8XF8An+Hv/S6uwV+liZcjivwbXwHV+IqfBffw9W4BjuvqbvZ578Ft+I2tON2 LMQi3IEOLMZP0Yk7cReWoAt34x50owe9uBc53Ic8BjGEVRjGSGrfWV9IvdLKOXHWl2zPTZ1oHjaZ h03mYZN52GQeNpmHTeZhk3nYZB42mYdN5mGTedhkHm41D7eah1v/imvdJup70It7kcN9yKMPD+Ih LMXP8HMsw8NYjkewAgX0YwCrU/vWj+IxjIdW87nVfG41n1vN51bzudV8bjWfW83nVvO51XxuNZ9b zecdsw9K7Tv74NSs2YfYHorX4jC8Dofj2bDV/F5nfu8wv3eY31vN743m90bzu8n8bjK/m8zv+eb3 RvO7yfxuMr83mt9N5vdW87vJ/N5ofjeZ3xeb31vN7ybze4f5vcP83mF+7zC/t5nf28ztdeb2OnN7 q7m90dzeaG5vNLc3pm8ME7uvSUvtm77d/q6/Ndl3vOy6Hm33tWgT/4/rzibSfqd/vO7s+WvOJtIr sQrDeP5as4l0BROoIsEaX2stnr/ObGLP34/+cJ3ZxEtcZzaRfg6/w+8RwkSUSu276zoz8yN6LQ7D 62A+ROZDZD5E5kNkFkRmQWSdR9b489eD2f9Kalb0VVwWWmVVq5xqlVOt8qlVPrXKp5XyqTWa8pxp /BIzCKlZ8qk1s29q38wrsR/2x6twAF6NA+EYybwGjpGMYyTjGMk4RjKOkYxjJHMEXo834I04Ekfh TXgzjsYx8DNl/EwZP1PGz5Qx8zJmXsbMy5h5GTMv4+fM/FuYyDTg+eutJl76eivPvwLPX0+18+8a ExmzQ9a2ytpWWduaMS/+eD3Vrmup3B7Ao1iJP1xLtfvaqYnMJLyumQ34pce3hInd10el9t19fZTt rmujbHdeG/V52/95LdTEnC/jn827T7ysszNf3lmZm1Ln4ss4D/+M/7XLTEcl6qhEHZWoo8x0EzPd xEw3MdNNzHSThK1I2IqErUjYioStpK4LE6lWXA+/yZTfZMqKS/0UnbgTd2EJnv/flC//vdyf9r0/ g814FlOYxi8xg1/hv7AFL/2eUdOp3+C3eA6/C9PStyZ9a9K3Jn1r0rcmfWvStyZ9a9K3Jn1rUqsi tSpSqyK1KlKrIrUqUqsitSpSqyK1KlKrIrUqdSvCZF0B/RjAoxjEEFZhGCNh8q86M689VCRKRaJU JERNQtQkRE1C1CRETULUJERNQtQkREVCVCRERUJUJERFQlQkREVCVCRERUJUJERFQlQkRKV+te9r FI/hr3nPer/zer/zer/z+l9jB36D3+I5+L3X/x4hTEuU0T87E+7ZUPnj2XDbPL4dvwmVXWfC/enZ b3844+1Pz3Q72fN3nt32ftuXPrttU/pb+Hc43tOOdwkzKmFGJcyohBmVMKMSZlRD2KQhbJIwFYlS kSQVqVGRDhXpUJEGNWlQkwYVaVCRAjUpUJECFSlQkQKV9JowafJXTPWaqV4z1Wumes1Ur5nmFdO8 YppXTPNKdFKYjN6Bk/FOnIbTcRbOCeujT+LT+Aw+Z/rvfk+x9dGX4eeM/JzRN7SMi9y+2P58XIJL kcXl7mdf0Xdsr8TVuA6tcJzp/jO6/3q9f73ev17vX6/3r9f7p/f8z9X1Ov+0vr9e31+v76/X99fr ++v1/fX6/Yx+P6Pfz+j3M/r9zIu8X9j0nvcHmzbBKyZ4zeSu6OaTuvmkqVzRySd3nQm0zv4k/P5M 
2IpePqmXT5qyFb180vSsmZ611Mf1inG9YlyvGNcrxvWKcb1iXK8Y1yvG9YpxvWJcrxjXK9bpFev0 imm9YvplXIfyh079HB8c54PjfHCcD47zwXE+OM4Hx/ngOB8c54PjfHCcD46/3GtMONM4ZxrnTOOc aR1fGudL41xpnCeNc6RxjjTNj8b/eJ3HH67xeP7ajuk913Y8p28+t+t6jhdey3GKvtiiL7bsJbF0 xpa9PmjbHK7eqyVczX6PYL5H7P2T8MTeN+NWMNm97wpX792LHPK4H0uxOrTolS16ZYte2aJXtuiV LXpli17Zole26JUtemWLXtmiV7bolS16ZYte2aJXtuiVLXpli17Zole26JUtemWLXtmiV7bolS16 ZYte2aJXtuiVLa/4Ubj6FdehFdfjBvwYN+KmcLXe2bLXGsdHh+Ojw/HR4fjocHx0OD46HB8djo8O xwczxCuxX1jg+Fggjaek8ZQ0npLGU9J4ShpPSeNpaTwtjael8bQ0nnYs5RxLuZd1hd6XwnapvF0q b5fK26Xydqm8Xa/d5phsdkw2OyabHZPNjslmx2SzY7LZMdnsmGx2TDanfuR1vC7kpXFeGuelcV4a 56VxPnWTx/4Tt8AxkWrDbWjH7ViIRbgDHVi8631J8xI8L8HzEjwvwfOpu93fjR704l7kcB/y6IPj LPUAHty1TpZaJ0tTP7P/cyzDw1iOR1BAPx7FSgxiCKsw7OuNoIjVGMVjGMPjGEcJZcSwjlLWEVvI p6yjlHWUso5S1lFqLSNYh0msxwb8Ai/veohfsYqnWMVTrOIpVvEUq3hqz3v+vtj1EBtTIWysS6EO e4Weulmox2ykESGDOdgbr8C+2D/cU/cqHIBX40AchIPxGhyCQ/Fazz0idDOYbgbTzWC6GUw3g+lm MN0MppvBdDOYbv28Rz/v0c979PMe/bxHP+/Rz3v08x79vEc/76n7alhV14iLcDHm4xJcisuwIHQx oS4m1MWEuphQFxPqYkJdTKiLCXUxoS4m1MWEuuqafcz3fd4f2F6LH+I/8KMwXHcdWnE9bsCPcSNu Qp/n3I8H8CAewlL8DD/HMjyM5RgMRWZVZFZFZlVkVsU//LXLfO4wnzvM5w7zucN87jCfO8znDvO5 w3zuMJ87zOcO87njr7rydFHo0et79Poevb5Hr+/R63v0+h69vkev79Hre/T6Hr2+h7V1s7Zu1tbN 2rpZWzdr62Zt3aytm7V1sbYu1tbF2rpYWxdr62JtXayti7V1sbYu1tbF2rpYW1f9o2FV/UoMYgir MIwRFLE6FFldkdUVZVCzDGqWQc0yqFkGNcugZhnULIOaZVCzDGqWQc0yqLl+nSyaxHpswC+wEU9i E57C03gm5Nlini3m2WKeLebZYp4t5tlini3m2WKeLebZYp4t5l/WdRMbwhRTnNp1Re5m2//CFmzd 9X9xOhjilKzskJUdsnIBW5xii1NscYotTsnODtnZwRqnWOOUDO1gjlPMcYo5TjHHKZnaIVM7ZGqO QU7J1Q4GOcUgpxjkFIOcYpBTDHKKQW5nkNsZ5HYGuZ1Bbk9f6Xu5atf/wulK3xR60u1hFVvsSi8K 96QdB+m73XYMsMeudK/9e5HDfcijz2P34wE8iIewFI4BptmVfsT+ChQ8t992AI+GbvbZzT672GdX erXHRvG4x8qIPVZx/wSqSLAmFNM1z1nn8Umsd9+GMJx+0vf5tNtbsNX+Ntvt+DV24Df4rc/3HH6H 3yOE7sh8i+aEVdEBeDUOxEE4GK/BITg0dLHcLpbbxXK7osPddwRejzfgjTgSR4Xh6E14M47GMTjO /cfj7TgBJ+KkUGTJRWZcjM7w9c/EWfbP9tg5IR99nPN80vbT+Aw+6/bnbD8fnoq+YP+f8EXP/dKu 
tFMU9zkPC9riAacOnwlcInS3eMhpCnVI707QF486LfGVVigpvubk8DxTTm8wQ9qRBVvxjMUguIpn LccEf/FtZ0gQiu86o8JRQ4JTFE5In5twWn6eGt2A85RQZ0h2VgvnpTVcuGBYLNsOnEdolrPt71Zj WSd0ydkr52U5r8rnMBJPg8ZZyw8aVjjr+WHDKslGJDMRxg2Zzsb4GPudNDMp+YYwXai3zQvThvXO prhXCDflvCW/i3nDRmdrmJTGYUaemTZkOzv5G4atzh4YBbwinGrY4eyPW4QwLmevnFfxXQzydwy7 nMPIvc6x+I4vzEsZXmo44JyI7/Lh5YbDzutBwqBz3kBiHjMm51yQkj698Eo518i5TtqnwhukxLuW 02Bx3sHejR08vNnAuQjs1NjHw1sMXhcVXGYIuVTIqGsJdrFc17LgammPDm+XM1f+HHoNoisjSBlO uVYHlxiqXWuDGYZaVxbfZKh3bQrvKV3uvRs1lK70JURqS9f4kpHrfIv5w6UbfBp+Y+lm34rAUOkW 36qoGffJxK3bfeuj9tJc30bcuseXjZn9vq1RT+kh3w60odW+XfyB0gLf3iivXeY7wO8qNfgORyOl Zp8ueqzU7jNFT2pzfBbeUurxceHRUt7njZ4pjfhC0bPxdqDd7Yvy0dJjPjF6rvQk/L+h9IzvVPRi 6VlfNXpcia/27x5ees5XH20pbfA1YnzR1xRJLm3xtUY7Sjt8ndHu0m5fT7SvtM/XHx0oHfANRodK h3zD0dF4Ay0hfGPoXPGmI3eK0lHfRPRavOWVXsPM1tIp33V0Lmmvnyo56LuBHPfNRWdKZ3x3orOl s34i2n1kQrqndomf4neU3varorfjPesI519yr8/KHbP0rtQr0QRrpMbnX3bv1bX+DKTclcwJ/tVo TPGO04yOKZqTffUVmUfm/Gv5HebF/qzoXbPGvwk9C59AVYJ5hT8n7ipVyeZV/m28xZzp38nXm9f7 d1ctNm/076vSxPugOdt/sGqFeatfWyX38apM8w6/Hp0azboqnhvNu/wlgSGpQVdly7lVyuA+ebxD fpVd8TTv9dv4bPMBdK6t5sN+F79D6r9Ve806v39hfEDOw5IvVekWPkm01yqTlKGl0lmFl5pNfqHK Io2rODm9Zov/KK8zc/4TaK/osFUhs9d/Ot5Yq6JyinKeKvH7a/CJhfx1yKiUUsesmJOyqtos+s/H e2VVrfmU/wIfMlf7m5GYx0ytvy3eMavq5WyUs0myuKpWOTvl7DHX+7vQHNEfq/rNjf5e9ES0yKpB c5P/Ml9rbvVfRXb6R/CZ9/jHoy3y9zIs5xiuiskKr7nfP81HzYP+m3y1edh/C/cc88/zmYZGV054 v9wd5P1IXrtW8mOGJte28CFDq2tnuEB71LU7dNfQ6don9TvXwbDB0CMlxtqw2dDv0oftyJJ7Oeiy hT2GYZcrzBvG8KjheKczTLj84YjhuksIHzPccB0NnzTMuU6Ezxg6pfVTyuCI4Y7rtKCS2ln4rJzn Cg+6avgJI+GqCzcYKdf5cIO2zXUhOG1UuZrDF41LXG3hFjk75HWye6FbIcN9xmWurvBAvGcZM1y9 4SHjatfl8Khxretq+JoxyzUSnjJuco0js1yT4Rl5zZyV87YxxzUdvou8GUkwbnPdiiQbd7rmI8nx PcW4201GFi/kPjcT0RgPulMjK4xa99KKTKMe+9FqY4l7Ob/RaHOvjKwyutxrIplGv3tdZL32pntD cIlRcG8OqoxH3Vv4kLROCjVSRjbmk9gNMXZvF2ri5qbXu3Mj2cYT7j2RrVrBvT+yw3jafSiyy1jj LgjvNwy6DWGPsc5tDkeM5932yF7jBbcncsDY7OYjh41t7gh/2Njl2hfR/bdn63Ufi5iMl90nIxbj 
VfeZCGcccZ+NeI3j7nORkHHS3RCJGqfdFyOi8aa7JXLKeMvdEak2zru7I7Um0t2HZNwDEd1CprqH +CbTUvdopN603H0tPGRa6Z6KNJrWuGciTaZ17tlIq2mD+3ak07TZfTfSY9riSYj0S99vZNC0XTsf GTblepIjY8Y2D9Z80x6PJjIR/+5M+z0rItdNhzyrQh5TgSczcsNk8KxHmj0bI3Mmuyc7csfk8WwV srSXPXAME+9BzzJFPHsrCdMxz4FKynTScxh5xnWrUmU669FV3DGd85gCQ6YGj6Vyiemih6tcZmrx ePlsU4cnVJlh6vZEK1eb+jxi5VrTgCVSkWka8pwKnzSNeqors0zXPLW455SnvnLTwqvMeBorc0yz nqZQh+m2p7Vym/aosZfvMd31dFbu1HZ5eip3H0nw9FfuO5Ls+T/sfQ9UVNe197l3Zu6MSgYkBglB SpQQQoxVYqm11BiDhhi4M1BirLGGIty58+/eYf6j1qjlCbXWorHUWmP9rKXUWmL4rDXUGp4x1hKe tdZSno/ns9Raa3zUWkKtz5i39753cATS2PXet9a3Vutev33OnHvuuefPb+997mHWeKp+iTtpRXd9 hTvFlVZfUdGzordecqev6Kv3fI5fcWltlnvyiv56vztnxUB91D1txY361e6ZK1l9nXv2SqEuwT13 pVC/QXvrdy9YmVDf6C5emVzfhLuX+h24S6nfjaco9S2axdEJRjnuKNZeHmYdQe2sQDsZqG91l61M rT+A8b2+Hd/B6zuQjfXHtdMh9A9re9yLo+XQPp3VuJetzFjbIneuzFrbop/e4LnKZXeVL7u+y9m4 Mrf+tPbW73atnF7f4/aBLfOMZxO5q9wfGePe5QYZz93g/osZufd5jgm8iRfYGH4cn8DG8Un8eHYP fx+fwhL5NP4BNp6fzE9h9/I5/CPsPv4V/hU20VBkeIalmuymUpZmWmX6PEs3vW16m2VYq6xV7CNW yfoyy7Q2WXcz0fpt69vsBeuvEk1sXaI1MY+9ljgzsYB1Q2/KmJElMMasLJGNYeNZORvHFrFKZmNV 7EtsKfsy28TqWCP7BVvPfsl+zTrZb7ix7FdcAncPe59L5O7jOC6Ny+EsnJ0r5yZySzgHl845ufVc LtfAbeWKuG3cK9xz3A+4n3EvGL5v+D4XNgaNIS5iXGNcx9UaG4xf4lYZNxs3c2uMXzN+nVtr/Kbx W1ydsdW4n/ui8aDxdW6j8Q3jG1yj8S3jT7jN9G2DrcbTxl9wXzOeM57nvm68aPw9t8P4B+MfuF3G d41/5v6P8T3j+9we00TTRO47pn8XLFyLkChM484IM4QZ3IDwuDCLe1d4Uijk/ktYICzk3hdKBJE3 CnbheV4QPiNIvFVwCwqfLviEVXym8JLQwD8mvCxs4z8ubBea+U8J3xX28wvxOwR8mXBI+CX/aaFH 6OFrhLNCH+8XLgoX+ZXCZeEyv0r4ozDAf14YFG7wa4X3hFv8ejMzM77BzJvH8F80jzOn8pvNk8yZ /DfNk83T+G+ZZ5jn8vvNxeYI32FebX6Fv2LeZd5lSDDvNn/HcI/5oPl1w73mH5nfMEw0HzW/aUg3 v2XuMmSYT5r/zZBtPm/+jWGm+bfmPxpmmQcsvGG+xWO5bigf84kxDsOvE59MfNKYxDjmYQ2gE1gG rDubxwOsgDTAHJatnCtcvaCs8LhyobBVuaxcVQaf6VNuqnzh5bK5ap46S50zf5ZaqC5U7eoidala WdJS0qFa5p9XrfNPzL+oTlDT1Ew1W51a0jH/KHDLCEy/Skx/l3Hc+9z7jAdeJ9E3cybRt1wY/z3+ e4zjv89/H67t519jBv7H/I+Zib7lIvA/43/GLPzP+Z+DXfyCP8PG8j18D0vg/4P/D7COX/O/Zlb+ 
Av9bsJE/8H8AGxnk/8ySDZyBYxMM8I/dZzAZBJZiSDAksFRDiiGF3W9INaSyNMMDhnT2gCHHkMMm 0TdhMgwFhgKWaZhjmMMeNMw1PMkm4wqzrITfJfyOPQT9T+CSaeZQM2UuW6XMVRYosAdTFivLlCrF pfiUsAI7J2Wd0qBsUrYCtiu7lGb45FL2KW3KIeWIckzpVE4p3Uqv0qdcUvqVAeWGypQBVVD61QSl U01Qk9VUNUPNUnPV6Wq+WqDOU4vukOOqqJarS9SKIZFUj+pXo3GyWq1TN6iNUNoUJ13qadAedYe6 W22BNCat6gG1HTRKh9oDdxXBM86pF9TL6lW4axBavKk2+XjV47P4rDB+bkwbrGEpcAhYBF4D5yQV xMDSQYwsmz3MTGwqiJl9FMTCZoOMYQUgY9kckHGskM2H2XwWxMqeB0lkn2FLWBJbBpIM3qeK3ctk kAkswILsPlbLVrCJ7CWQ+9kXQNLAK21mD7CvgUxi3wDJYN9mzewj7HsgD7JWkMnsdZAp7EcgWezH IA+xN9kx6F8nSA54wG72COth/8py2b+DTGW/AXmM/Q5kGrvG/gR9v87+wmawWyCPczxnZjO5seAB Z3P3gAf8JHjAJFYAHjCNzeEyuAfZE9wUbgp7CjxiDisEn2hn88EnLmELuM9yFexprpKrZM9yEiex YvpOWQnn4TxM5FROZTYuxIWZnfs8t46VgQddzxaDD/0i+wz3JW4je4Fr5BrZZ+kbZ8vAnx5iL3Lt XDtbznVw/8yquOPcT5jE/ZT7KZO5t7ku5iT+usELKMxjgYVjqiVoCTKfJWKJshr8JhELWNZY1rCg pc5Sx0L4fSIWtmyxvMwilmbLd1it5buW77KVsLYX2SBxPx9Wj3kzAFmAXMB0QL6OAh3zAEXseW+W N9c73ZvvLfDO8xZ5RW+5d4m3ArTk9Xj9yjVv1LvaW+fd4G30Nnl3eHd7W7yt3gPedm+H97i3y3va 2+M9573gvey96h303lR4xaJYQSYoaUqmkq1MVfKUWcocpVBZqNiVRcpSpVKRleuKogSVFcoaZb2y UdmibFN2KnuUvcotZb9yUDmsHAU5oZxUzihnlfPKReWKckU1qmPVJOAzb/KYAhAKv2XdA4zlgZ// W/wuAUkklicRy8cTy+8llk8glt9HLE8hlqcSy9OI5Q8Qy9OJ5RnE8o8QyzOJ5ZOJ5VOI5VnE8oeI 5dnE8oeJ5Y+wLpBc4vqjxPWpxPVpxPWPEtenE9dnENcfJ65/DLjOs3zi98eJ35/gJnEZwHtkdgEx +1PE7Dn0DckniM1zic1PEpvnEZufAjZ/HmzgJe4lsIEvApufJjYXEZsXci9zL4M9IKeLgdM/AHtA NovEZjvXBTwu405yJ9mnLd+wfIOVW3ZZdrHnLK9aXoVdCpe0JmkDrFMCzP04xgXOMOZpAbQCDgDa 9bIOwHFAF+A0lhnHe/YG9ilFfx1URwwt9OwPtHkOBg4p5XcCyzyHA0eUJYCKkB3hORo4pkh/HVjH cyLQ6TkZOKV4bgM/e84EuhU/IBpa5Dkb6FVW/3VQnbrQUs/5QJ+yIdDnuRi4RLgS6FcaAU3BC5Tf EapUdodkz7XAgOd64IbSchv0uTWkeG4FmXLgQ9AeCiodoRVeY1AgjA0meJOCycpxDZjHsSldt4Gf vSnBVOV0MBVTQnowQ+n5cGA97+RgljcnmKucuxPeacHpsXbj4Z0ZzFcu3IZ3drDgbuA/U5vknRuc 510QLBoVxUER4T9bm4LwlgXL7wqLg0u8y4IVI1AVlBD+82Gj1xX03A38F2vTvb6gnxAORgmrgqsR /iu1kzGtuRDN9HYHe7zrgnXehuCG4fBfq83xbgo2fhj812unURtbg02E7cEd3l3B3XegOdgyAvuC 
rXegLXjgrnEo2O49EuwYgWPB497OYNcInAqevgM47ruAcjm0xtsbPOftC14YFXBNuRparwyGNlK9 S8HLd4X+4FXvQHBwBLC9m8FzKh/a4r0RvHk3UC2hbQoL8UMQQpYY6LoVMCG0k/JpoT1qZmivkhCy Un+HQc0O7ac+JIcmfBjUqaGDal7ocPz9Smoo7Q5khDJHAO+dFTqqZIWy1TmhE5QWhk6O1p8PgpIb mqpMD+WNQH5ollIQmjMC80KF8VAXhs7EfPsdvlj3lTEfp9pDZ2M+SF0UOh/vR4Z4Er+u+poMzdHS 0MWhua0MXYnvE/mSW+BTwPYDRs0HBMbqNgx2FUgKNmLcQL4HUgDptTNjfA5MhhSeg9dVOXRNVULX 1WDolroibMT4oq4Jj8VyHJu6PpykbgynoH9Vt4TT0U+q28KT1Z3hHIwB6p7wNPTtNGbgu7o3PDPm n9X94dnqwfBcHLd6OLwA50I9Gi5G34ltEk6Ey9ST4cXqmfAy9Wy4Sj0fdqkXwz71SjhMMRJjEMYE nMNrECf1eKZeh/gTm+db4RSfMbwK28BrvrHhdb6kcAPFnlisjVujoTYRekyJxQLsE8ZGX0p4E/bN lx7eOrTOWB/WDtee4jLEPBybb3J4O5b5ciCG79eA8Rrn9w4c1eIyxSyMx/CcWCzGlAD8obENi7GY InzTAgMIjLGxuBqDb2ZQQMRiJMVMPTbGx8o7YqQeJ2PwzYY4CGtMsQ/ioW9ucDqCeItxbqaGIZ8F 8C0I76K0ONzsKwvvIxsD/+FbHG7zLQsf8lWFj/hc4WNUDjaM8YPsFuwI7cnnC3f6wuFT6It8q8Ld ZBe6HcT8InIL20E/51sH/ilmI7he4Lfw/pgPHGFbw+wq5l+GbAvbAL/pawj30ppvCvfF7qf6YG++ reFLvu3hfuy3b1d4wNccvoE+nHwSjmFfhPnaIgLd92E+SO+X75Dux2N+6WZcHb3PNNZh/nhoPOCH Y/hAX/cB/tR3RE+PhbJxTDGM8JPxvhL9Y8xHxvlDWntsB+ugb4I58HWGjgZyamcHptXOReDeBtcb 9zSBmbULqAx8Vk1RpC4wu7Y4tn8JzK0t892I5JMfg31HYEHtYtpTgE+ryYpU+AYi02N7gkBx7TLy aRj/cd+Avq6stgpjdGBxrSuwrNZXkx/xB6pqwwFX7aqAr3ZdIFzbEFhVuymwrnYr7cl0f4n30t4s tm/CPY++R6G29Daojw2129FfUr9ie7vYPsx12wcTYnsYfe+BbeF+LLCpdhfudwJba5uH7sf6OB78 jHtB3HPB2ALba/dRGe4bY9D3iXdg+F5Q3/vdAX1eh+/rhoB7sRiG7+tie7RR9maBXRo+dG+Ge6/4 /RfuuWL7rvg9FvYV78U6sTkZbltgf75TkYQRdtUdSY7tsXy9kVRfXyQDfdGQv7oUyUJe+/ojucSn WDnWQZtD/kFawyIFNUJkHuUTIkU1yREREW9vNamRcvQRNRmRJcjPmtyINGIfA6iZHvEQgI8IskPw WzUFkSil8yKrYzaINlEjRjbUlEcah+wP7KpmSaQJ7a2mIrKjRorsrvFEWjD2xED+CN6xyP5gzDX+ SGtNNHKA2gb/UbM60k7j1OvX1EU6ajZEjtc0RrpqmiKn0RfV7Ij01OyOnKtpiVyoaY1cxviHID8J e4KaA5GrNe2RQfTHNR2Rm8hTjIU1x6N8TVfUUnM6aqX56olOqDkXTcP3hJrL0Wycp5qr0alYv2Yw mldzMzrLz0fn4B4Q/X/MN/st0UK/NboQge1RnMH3oQlRO867Py26yJ8ZXYo882dHK8mHwTr6p0Zl upYXVaiNWdEg+nL/nOgKf2F0jX9hdL3fHt3oXxTd4l8a3eavjO70y9E9OL9+JbqX/BiM3x+M7qd0 
RfQg8sG/JnrYvz561L8xesK/JXoyxh/cg+P+w78tesa/M3rWvyd6nsp1n+vfG73o3x+9gu2jnfgP Rq/5D0ev+49Gbw1xNfYeEItRkPefqDViHf/J2rFYxnjGWbus3Yz94+8of3d/R7nCrt3+a4BDYh7H Bkejo8mxw7Hb0eJodRxwtDs6HMdBdzlOOyRdGgk9jnMOjy4XHJcdVx2DjpsyL1tkqzzh+Zlympwp Z8tT5Tx5ljxHLnTUOVZrIlsQ8kLZDmUki87Li+Slz+fIlY6oLMuKHHx+n7xCXiOvlzfKW+Rt8k55 jyw7/JpAjb3yfvmgfNgR1QRqHJVPyCflM9Q/7BHWxGv4RHgCnvbfcxUY/sz/ymloCViIDWQ8nYYm 02novXQaeh+dhqYwmbnYROYBSaMz0QfoTHQSnYl+hM5EM+lM9EE6E51CZ6JZdCb6EJ2JPkxnojl0 JvoInYnm0pnoo3QmOhUsr4tNYydBZtCZaB6diT5OZ6IfozPRfPY79nv2cfYOyGw6Gf0knYx+ik5G n6CT0bl0MvoknYw+xWVwGayQTkbn08noAjoZfZpORovoZPQZOhldSCejz9LJaDH3ee4lJnJrubWs lE5Gy+hk9NN0MvocnYkuAnv/IXuee517nS2hk9EX6GT0s3Qy+qJxg/FLrALsfRurNB4yvs6qwLqP M8l4yfh7JoMVD8JccizKVt/mqjST5UkzpdnSXGmBVAxSJi2WlklVkkvySWFpFckxqVM6JXVLvSB9 0iWpXxqQbjiYQ3AkoEjrpAZpk7RV2k6yi3SztA90m3RIOoKCvOEfBd48pvMmmZ6PjOFhjR4G9iBX jDD/ecAe5IpAXDEDU+YDh/DkfAywYwlwCPkxjviRQKfl98C43PibbyBJwIXNwCfkQTKwoBn4hAyY wF4DuY8YkEIMmAjrfwx4i6fi98Oa/yswDFf9AVr1dDoJnwQrf5ll0Bpnckmwxg/S6k6mdZ1CK5rF vchVsIdoRR+GFfWxHC4MK5pLZ92PchthFafSKj5GqziNTrY/yv2QO8SmM86Sbym4vR7VDcbx1Q3D ReqRzlVvqt4aE+lC9XZddg0X6XJ1c/U+TaSr1W3VbdIglAwT6aaDrz4EcgTkGIrD4rBC2ll9KiaO CdXdI8WRRi10V/fq0qeJI7P6UvUlhwV0/0hxZFcPVN+IicSwriaSoEvCcPGkejKkZCk1Jp4sKUOX rOHiyZVyY8/yTJdQmJQ7XDz57slSPgg+rwDFUyD5IZ0nFcVErhrZOrQ/j1rIGppZURNPkVQulXtE 0EtGiqccxlcRE7jr9j+PLsJwcUx15EGfojFxzNLL59yeiZg4CqXVUt2QQC14xoY7xbEQYJcaSZqk JscivXypoxLSHbERgfQ6ZGn3SHEoUgtIq3QAxRGU2jVxrHCscayXOmDVN0odI0cCfd4Cc3R8SLqk 00NSoIljG/LbsZO42+zY49hLHNtPnDlIjDoM7Ryl8W5wnIAc9ugota+1BExxHKRVyvUs8VTQalXg 7MvdONGOhY6TYDubHGfAcrY7zjrOOy46rkh+xzWYqyLHdeDyEcct4Hu3bJTHLkwBLvfLSXKKnA7p ZJjRPskPn3PkaVKFPFOeLc+FHiP/++UFNGtH5GK5uLoPa1Tvk8vkxdAWWi2NiGpqtoLc7Ktuk5dJ u+Wq6gbZBeWXoN5WsLpLsg9ym+SwvKp6u7xObpA3yVvl7fIusuU2TeRmeR/aq9zmOOg4KB+Sj4C1 dmoWKx+TO+lp8CT5FPSmG21S7oWW++RLcr88IN9wsuoBp6DZH1qgJDgTnMnANT/xTYCrqbDOTc4M Z5bU6sx1Toc1niV1OPOlAnmys8A5z1kEs74BVkBwisBS5FyTsxxkidToLNAYCEJrRfV2E2egzFkB 
kKTdTmC80w/lp51R52pnnXODs1GKOpucO6RGOcW5W/I7W5ytUOeAs93Z4Tzu7HI2EccF52lqp8d5 znkOWHzQecF52XnVOei8Ke1Aqd7n4p2tLgtx9YDzsssqtbsmIE9Bd7jS5F5XpivbNdWVJ4muWdJx 1xxg7xpkoqvQtdBlBwYfh0+CY71HkpI9HhdwRMrw+MHbFnii0m7P6up+YLAEXkBwHwJPkeWpqy72 bKgOw2jbnU2eRk8T2jVwBmbLs8Oz29PiafUc8LQDQ8FzgDfIQA5IgqfD0wE1jnt2V/e75zpOQFvo 74jBVJO8DDF4sjTd01U9IDeANzwNVySolwp2U+7pgVwyzoKUIYc95zwXnLs9lz1X0QtKmv+bjnNF c9buGZS7PTe9PPi5eZqv81q8VnwaPsk7QRK9aejNQJd707yZ3mzvVDnFm1d9yTtL81zkuzxyt3eO vEpqd+dgT1yLoHXkTrtrqatSElwyCvR2MvQ7y6UgP1xB1wqn6FoDV9cTJ0Rpg2sjyBZY8R2uba6d sG57XHul3a79zlzXQbzXdVBqcR0G3pRXd7uOOvNdCshh1wnZ5zoJT8yCcZ+XjY7zUrnrjOus67zr IlhPn+uK65pjTfWAVFC91ZklL5ZToGetdOW665bb6Mxyj3UnuVPc6dW9EAWapFbXHmm6O8c9zT2z 6oTjDEQav+O6e7aUDy0XuOdC/QWS6C52l7kXu5e5q9wuYG0usMEDvt7v9rnD7lXVYfc6KcvdAHYM fte9yXkARpgqNcnpwJGt7u1SkXuXu9ndDNYjQpv73G3SBeDOBpi9lucuuo9Ide5j7k7Qp9zd7l73 ManF3ee+5PS4+90DUDvFfcNVCVtfwZnvYWAr+Z4ET7Iz33mVdlOP/eM98+/uPVNmPvqGQwpotjyD ccsr2ITlaSCZINnLs5eKS8XlU5dPfaH7he7lecvzMF26ZOmSzzV8roHKZoHMWT5nad3SuuWFIAtB 8L58kKalTcvty+3wHN661fpVeEYSvdcweq/h6Y3GQDtfI73RmOhdRqCdr5neZSz0LjOG3l/G0ftL Au18rbTzTaSdbxK9uYynd5Z7GZdUlaTQmOg7iJVbGFe5F9JtkO43jn82qXLP3aD4AKQpgPQPwGQN xcc1PJtzl5gGmDkKZmsoPgfp3LtD8WVIF+go1lGmobhIS0t4gAXyiwHLRqJkAqRVH46STEA25F06 fIDwMEwbBauGYd3fgAbAplGwdZR2EduHYdfdoRTnvhmw7wPQpqF0roZnD90ljgCOjYJODaW4bqfu DqW4tt06enX0aSgt01L7Qlj3AshfAvSPRClyYODDUbpMb+OGhmIGEIYhYRQkD0Pq34AMQNYoyAVM HwX5w1BwdyixQzpPs49RAddKFgGW6vXEu0Q5YMkomKe3KUNacXcoUSCV4uCJQ6zOCj1dA1gPef/t Z8WjZKOej344SrYAtg1rY/Uw1I0CvHcnpBsg3aOne0fvzweiEdA0CnYAdo+CljtRsr/ytv+O97cx fxnzYwdv+5eSw3f6jyGexK9rbF1ic3Q0bm5P3NmnIZ8S7wNiNhyzL4wZOudLoQ93cLpCu15yEnAG cFbzERhfSi5q5TimkiuAa5XkXys3an6y5FblHtFYSTFAHFup+fcqje8izonun0WIaWK6Nl5xsjYP Yo7mL7FNhIjtAhdE8IsizJ0IfRCx3TJ9fmPzif3HOBmLYcVx84ztuLQ28JoI8UIM6/0avk7D1mgo nsTWCceKfVml9U1cF3d/lb5++BnHVaaPrUEvS4nD5FEwPC7PHgVzK2/H17gYO4TFcRgeY2Px8n8S Jxsq74yFWytvx8C4eDfkswDiPj2FuCUe0svBf4gQk0SIQSLEH/GUXg42jPGD7Ha/Zk8ixBmxV/NF 
Yp9uFzE70P0icatT93OeOBu5pvktvH/IBw63rWF2NeRfYrZ1Te9/v77mA3H3RzV7EyE22ZjWbxvE JBvGoCLdJ8EYbBCDbKn6fR/mf4b78dHqxPo8ij8egj8OH/SsD/OnG4ZhuJ+M95U7Km/7yHifOE+/ t0m/VqD56FLgT+lWDbi3wfWmfc12vQy4YmuFPPoxff9SCnsjW4Xux2BNS3FP1K/5MxvOPc6Xvico bdN9GcZ/pvs55B/E6FJorxTas0F/S3H/g/sa4Fkpton7mEu6/9T9Jd07u/L2vqn3th+ltvQ2qI/9 mr+kfg33w8N88NAeJuaHcZzYFl4HTpXeiLt/QBsPfd6n2wmMrYzpZc1xaBsFw/eCnaNAn9fh+7oh XIrD8H1dbI/2P9mbZVTeuf/Krby974rbY2Ff6d6s23MywrbA/mz5I+3KVlA5tMeyQbmtSPNFsXo2 UeO1rVznU8yPHdHsyqbblw38ik23OxvYmC2qId7ebGhXWF6n87OxcuQ+BmBr0rFDA9ketr9bT1tu 2yDahA1ina09zv6gnq1DszcbxGhbF+C0FntiwPHiOxbOE47Z1gM4p7cN47Bd0Mep17fBO53tKmAQ cLOSfJGdB8A7nN0KmKDFPwT5SdgT2NMAmZo/tmfrPIVYaJ8KyAPM0ubLPgdQqL0n2O3aPNkXafXt EDvslQBZ2wOi/4/5ZjvEAHtQR54WZ5Db9hXavNthD2pfr/HMvlGbR1xH+xb92ja9jZ2aL7fDHtEO +0M7+B477MfssA+zw77KDvsp+0ltfu1ndD+G4z+rp+c1PthhL2SHPZAdYoT9ehx/4Jm4H7DDXqgU 9kKlY/Vy3eeWwn6gNEVfP7CTUpijUtgDlObEcTX2HhCLUZAvnabVKZ2pldE3MyzWcf/4Zsbf34mZ Mdd4DP+6yneyVxkzZwKyAVMBeYBZgDlxaSFgIcAOWARYCqgEyAAFEASsAKwBrAdsBGwBbAPsBOwB 7NWxH3AQcBhwFHACcBJwBnBW78N5/ZkXPyC9ArimA+tfB9xizGIEjAUkaX2zpOhpOmAyIAcwTWtn KJ2pXce+WmYD5mpjtiwAFAPKAIsBywBV2vMsLoAPENbbXwVYB2gAbAJsBWwH7AI0A/YB2gCHAEcA xwCdgFN62h1XvxfQp6eH9Pv64q5fAvQDBgA3GBgrQLid4vyMAUsekwxIBWSM8nl4mgXIBUwH5Gtz +Tdh6p0YU6BjHqAIIALKAUsAFXo5phLAA/ADonH3r9ZRB9igYcQzGgmvluwqaS7ZV9JWcqjkCOFY SacglJwq6S7pLekruVTSXzJQckNkoiAmiMliqpghZoHkitPFfLFAnCcWiaJYLi4RK/DP1gS/GKXP q0HqxA2ARrFJ3CHuFltK+sRW8YDYLnaIxwld4mmxRzwnXhAvi1fFQfGmjbdZbFbbBFuaLdOWbZtq y7PNss2xFdoW2uy2RbaltkqbbFNsQdsK2xrbettG2xbbNttO2x7bXrq+33bQdth21HbCdtJ2xnbW dt520XbFds123XbLbgSMtSfZU+zp9smYp8859mn2mfbZ9rkgC0CKQTDFz5gvA8HPi0GW2avsLhAf SNi+yr7O3mDfZN9q327fZW+277O32Q/Zj9iP2Tvtp+zd9l57H0SG+0f9JQam/xKDhX6JYSz9EkMC /RKDlX6JIYl+iSGZfolhAv0SQwr9EsNE+g2G+62SNcIesNZaN7DHrN+1trInrG3WH7L51nbrG+xZ 6zHrW6zU2ml9m33a+qtEjj2XaEg0sjWJ1sQZbB39KkPz/8c947hkzkffXWlnjzI25ZQOsPIpYNVT wJqngBVPASueMhCXR4BFgzFSWRZYc1aCVp6VrCNVB1htFlTMAqvNAqvNytfqZhXo9bEMrCyrSG9L 
1MvLdSzRn4vXKrTPWRJ7tGQ7SLxFoT6ENhVnUZoM2VVJr5gAdsHQukrayL7irStfFGGtEukXOBj9 9gZPv71hsEatUWa0fsm6kZmsX7G+zMz0OxwJ1m9bW2AdXrW+xiZZD1lfZ5nWDuubbLL1hPWnLDuR T+RZTqIp0cQeScxLzGO5/49b5269YHwK9DpTAPQ4ytspP4byM/TyItAzTUEqr6Tyr1F+I+g802uU L6K8du8Mytvp3o+Cnobl7103KtQO3juW2s80Pg56qekF/B6UaQWVzwO9wBQCvZXqfBOf+14b5t/7 N+pDE5W/QvnHSc+k5z6ua2znaVMNPX0e5fHp7xsfhXwh1ZlDer4+ukepjko9fIr6/wnqv5/uwvwY wyD1Kh3HDoEY5s2Ed02iUS8xeUF/Sm8tkfIfo/axPIFKikxPUP4pyms18+m5YE23LJQvpPxY42wq x3ExKp+vl2O+gPILSI+jmgtofv5o/CTkHzO5qf+z6S7MjzNcozrTcGZovUpNHrp3I80V5hMMv6de 3Q96Ao3oPpw3GHsl5bEmh+Xv/Setwn/SrHJU/jRps7EFR016POmnST9ONccZZ5EuA/1xHDtfapLw r9mmCtD/hGPhw5R/gnQPzjy/GutwPOmvUv081AaJ6nzVtBx0M7U2Hku4X2Ge+xNd3Uz151P9r1B+ ArXzJ9Lnqf4N49tQzhvfAl1mPIPtY577A5VIxl+BLsA6bBA1t5D0X0j/GLXBQDWfoXaew/rcb6iF Fsp/n64+TfXfp/q5lL9I+ijpH1D9d4zAPb7Y9CbkyUZ4wfQG5G9hOVdp6gTdZwQu8WlYh71jWgv6 XdTcRb0EtCGP2kkjnU73VpPeTHqi8X26+jnI/ww130v5w6RPkf6qcSmujvAO6C/r+iDpvaQbSPej NqfCE2/SbP+Qav5QwN9x2Ur5J0jX6Pm9pBtI473PUM1ButqHJYaxVLKfSnZp6455bqauD5LeS7qB dD9pvOsZqt9K9zLSeaavg15A6/4XKvmJrnEszZTvIX1Fzx8kvZd0A+l+qlkIbxNZpgbimAz6c1T/ KdIzSI8h/RDpzaTfJf2mrg+S3ku6gTS2/Guava9gHcM/k+7U8zjGP9G9z+sa702mfDqOl3vH1AX5 SaRn6/lXSPtIv0j6LdJXoM2JtPrXqWYyau6yrtcSo44i06jkFrWQjC1A/i3KryXb6SL9FmmtpB3q fIx69aDpGDEQWxiDGvI+0i9Syc8h/21i13ni7auYB/Z2kR1huRfeSTjOhhyG/mjjwhH9BJnPp1NJ OpWkUw/TaYzp1B8RewJs3wcjXUEj/QK13Ep6M+nX9RbQ4gJkTROF+6BkFpWnUctp1HIatZxGLafh 7IFVYvt7qWYv6at6HupzO6n9U6T79byP/BWNjvT/pRnrpLH8wIxPqSH9BLFawrxhLJU0m36E/KH8 Q8Schyg/SfgU6OmoYV2gtxyVsPepZZGuFtPVw3T1FF19nWy8jSw0m3QmWcQM8q7/JOSAfonKf0f+ cIDyWzBucr8lv3qP5o2xJhs0OaD8XvKodaRX0oytojpTyQZ/SfmPkG7R/bATyql9/n7SZtRmYo7w TZwfE3l142oci9CFeWEujetrZPsS2cVYYtq/oDYWkx1dp5KobsUNZB3Y5iFTG2ivsRX9CY33JI3l q1SzlKzvCwJ6+3so/1nMg7dBf1JG5c26R8L8eKrzPOU3a5ZL9X9LYzlGbW6h9s30rC+TR+oj/VHq VanpEs42aog+qDUmvCj0gN5JNZ+g/CDV3697QrT6Ks2bYblhG83DNrr6E9JPkX6e9BjSk8xFpPfR 07EkgiwCr4L5BaQLqOWHKP8xPeLshHwq2cXPqSST9FnhAWQORZNvkmXh/0zMcc9TbIpgpODWoTbd 
IIu4jneZCsjG36cSkXQ2WcEAtmCYSPY1gWLZdPMsYh1y4ACtF6Oa75DFfRJtENjeTp5E02+RFePV QrpaTV7oe7q1Yvk0Kj9KUawY24d1eYM8ITJqOkXMNurDeBqRAUdkeIbq/JZKThlh98jNo5JFNA+X hT+DHqS7KshHLaKSi+S1HhZ+iZEXew5a86hrybfgs/aQ3kz6qPAw6DeFL4N+QrBhFCbP00tXD+va Rz3EfLnwKF29Ql4FfZGN1kgWfo69ot6+grsF7l9oz5BG6/Ielb9GqzYJNdPiex/uRXm7Eds/abSC voS7O/5+1Kyfnhig8fppjDvRDxhmkA95BLUh0wgl/E+p5W/8N2vnAuZTtT7+tdfae3+nMfZ3YkyM oUlyv1/K7egm43YkUZLINWkwjDu5pRqSECW3JJWESjgI0XEpR8JRSDlCkUIuSTLf+a/3s7/neTK/ 3/Oczv//f3r6zLvf9a53rfWud6291/5+Z2D5Cp7/hZyJ551kxU7x6bSQ3qr36PMp+KCXaDW/8RzS Fs8NmalK+NkVPpnI06x9ghJ5KitlEs91p9w+9F9y9WZKZ9PnPbS1B29pMkb3nxIHj2i4vwrNEGY5 VbyZL0R2GyI3ZaRn6P+v7GC/sq7T6O2P+FwvPTR1GPV18d5KT8ogV3HtycXZzqj/5trnbfUzffuE uiuxaeBmyY5BrXbyPKzbmdOWM9x7rOfGzOBKt4fktp5j5X14OxGneHsVP3XjUXKtfExo862UkudV GwETIQ5vUWsgnEomnHQlesvRvM2MV8Dbw/SwNfJgIjCPaN/FSPtQ9wT8GrZk7R9lLOO9HsjXSVbI nVQxX2o+PvvCbvS2HT597yXZT+KZKeMdLO2qOdhc8csKvQvwC7gBfRnYwnrYHT6li6W9DwobePvZ 80VuGj6342cP3I6f7fjZjp9D2PfCvpdodDaaRmhah8/5Its73QX4BdyAvgyy2BcOzwK0siEkT5vN 8dNc6ur2yO1DWfxYbkBfBpZCk05ebSWS4vMY3i7CxXAZXOrK/ToTn5n4zMRnJj4z8ZlJlDLFs6kk lqYSEfgYDx8jr0JeJaOwUZ1P/4UfhOMV2fZtPn7mU+sCHkRTj37+Gqesjg2u9KGtV51VLLMzzpV7 6Kb4eUpa2ep+yVrmPCWWKjz7HOc0VIJzUzP4Kd5K4P8S/BIupW4H2JS6a9CfgDtdm7d+GRmXv0To 9hEbd5e31u4AtOUP9OQO2IlYZROB37APJKr+EtZ7TXq7hzw5BqfGT3b7mZ1t5OR+Zm0/kSE/ZfXZ CJSTmfJusJzLKVJjWRrLPcgTaL1RmG/MxduiMYaZMuibY38M/goXw22cdxb739OKaPJlXuz8ivx9 nMw18powc0RjM6EFM9iCGbcnd9XL/NOewWt4hSyH+M/ZszzrMe+YN8Paz+G5bofExK0vdyK3p8jm ffgi+sXy9Oi+ym6JvX3+l+e3G6nbkue3J7DcLCd0d7vs3oYTt2nv2T3QTab0A2q9IYyURJ+Kh6tw KfaPkiejZS7MKomtOYycCWsL3QyZI7cMuZGL/Udk1EGhtwib2mRFmliaiczsaeQ+lFaktDjZ0gQP 4el+KWxGW7fz9PIq98SmEjFzjDtLLrvlFu4m2+Spxizg+XkK96aFQjMKzdM8HZ3Bz0a4D34BD+Ln ONwFh3LPOsidd43Q24w8GobP9pe4Nz3LU3Flng8PxuXVcAnMhfJMe1BOnd4p4t8cyyRY33/IMjyN joJr41wCc6F4eB9LnrrdVaKxFE0b0XidyYpOPLUOhS3hTM4y2Tx5DuQptynP22/KU6hbjiz6kBax N7myo7poLGUsJ/F/S5yr4RKYC603r6Kc1v2PyJztXqqtVQhvC2B3uB+fKURgOPLqOFfDJTCXUhnd 
cImYu0HkSCn/FdhB/FPLjVOitAf/SyUa5naeBkfFOQ9mwy6QjJInOj+R2X8Ey6ayQ3q3eNutfNbb bPkK+i/jzIZd4FZYXbKO0m1otqGZKE/C5l1Zp86TPIGXhn+BQ3nmzODsVp9n2io8M08hr4aSt1Pk +VA3xfMHyMPlWVevpG/foP9G/Lgt6f9h0bgl45wHs2EXKKusvPTKvVHO6f5bYebLutDH8VYILuBp YSyrKYUT+gBWwVxKD8Y5D2bDLnArNjae7k3SirdZ3gBbig1nf0uRw/cYl4jSV94SVkRpKQ3Jefx7 OXG7J0XjbZCeuKuRzyK75ImL/SjvR2YhpJy7P5dzt42GZMUudyx9k4xVyGvp+VpKw720MSzkpVgq mS+vhH+flReK3ruJTP4GDo/vqLL/rGdHnYbNJOzfZt2dZh0VYl+txz48G/lD2YdtXtla3ibmZRs+ 17DTTsdzX7xVRl4tZ3b3UUqzsVwvTNggGZ7AGc17Gc8xyZZIuOf/g1NPLiv0FCtoFauDk75dv7KH LMPDW3hT7tO21nr8/E365nIGtzvVPuZC7qQ9OXHniGw9nIH7WNdn4D5W6xm4j95+YGXeW7priNJV eRIwc9ijtkOXvn0oJ3H3dThIaHgvZHb4z8hdj1U8DXkV9q9Sl7egJlc0fm/ZDfwn0G/G/ghsDxf4 l4SRjnK/w+YNyZxISeRUWBtvV7HnrambKPcIt4i8kXOre2nkj8ha+ub9JLPvFmHtjIq/KxvAvfIT yRPRu8fip3U5YS3hBFSfdZ0pd4pIM+buC2aqoch+olfYll7mzrVWzss2e2VPaCKlkWbcXxbIarL7 1Tq4lX1pHZQ7aQvO3ZXRH0Z/GP1Z9MfRH0TfCW/f0Ep4LhvF/XEfXCvtekdkRD7vsc0KTuILudPN 4jz+dzl3212uCxH+lT7LvlRfzuB+YVb9GVb3RqHL2067z1SnJ8JdlBbi6aiQ35D9MI+1MI8dQ0pH w9z47iG19rNvfCTncWszG/1s+s9+5Y+x8mr6fI9b0vI1oZtB/N9jpIeYnSHYPBi3FE1pzkSfyhjd 6+UEbTitm/BMd4Az3SfsySOJQzrzXjU8fZMtxT27F/kJ1PqV54R35Zzu9XHt+cKdwh7bj7r9qDsZ ebG0pW+jxW7My6ucDZ/l5LuPteAyuuflzO5WpocPY8kJ19AfbwLyKDmzm/7IoU1fPNwKH5HnJfvc KOtxrXuD3BHo2wkyPDxl30kOZDLq6ma9HVFH8eMPgiOE7gJ3GXumrIW7RfaGecPolUSyHTaKXWsD +5gnpSZH7l+eg59kIr+WHr4h53HzFfJZOcWbmsiZcoo37zCWqPTEY+24D7olrGY+/R9rzlqOMTYH 3FPy+Zr/Os+EXeUUb0cn/SkpZ3kzCZ85cUoMC8MH5fzurYUPyTnC/C5j91OJQAtO5Uep9aic300x 5I2UXqQ/P9DDFejP8elPhkTGr0DrjWEXxpsFb40/W8r9tAS1dspZXv9TzvLmWeJTgveTR+hhV9iC 2ZnIPLaUWbN5a6mXoUmnn7M5xUyDt4cyJ5RprLJpnHSmyanKltqTiFeeJ+pNWD4FV3lPsxOKHMCW IfHQEg8t8ZCJ5RnOepVF41ZGsx/NbHeYvKngpFwWPsN5+X7Oy/dzCqvP+e4VOSvZTLD2ujeWB2kx lSfPqnirKnXdJsjjQqIZJ94sN6AvA0txT7eR8fYwuj6uPRWaufisj/9wdI3hSDl72v4zCnxWxmdl RnqGkZ6RWLkPime/ibcXPiVZhIf3QhKfbsjNiMPtfitiJbyX8/tXcn63o2gl78TcPbTbihV0CA8X 8NZK7lPSK7vnCOe4t1h2dsdb/TD2Us7L9nwtpRNhOprG7gQrZ7vSt6po2GndUszFaXhOaHYIvV1C 
tyocJ3W9arRSDJ/NYQO4CG+5YazwcBZWIMLDYV/Z6yLbJQIJrYnnZc59T/BpQl+RIz73u65S6pUn wjuwbILcU+TIdvGW0FqeSbwY58H6jCvMjXrMchPmZS5yCh4aYfOOvB8wj0r83TRm4T1y4ya5f5nv ZXRmGXIy8mhsDsOq1CoDU5jNVKnrLZQZ9xahr43lW8zyRJH1aTT1/VuhnNz7YFlCZtPmydPsgcLd +FyKfAt9TiGGI0VvLS/T28usUPlmQv/8t5WjKuR/Kt9wyF8mn+PDvvAh2Cj/Lcvu+RXR58o3CtB3 i1u+DRfiYQS1RqApDqdZvhb3sJwWl6M/Jd+jyF8Kv6GusF/+Act7Ra/vy5c3qFXh03AIvB0egKOF jhaqi2hqQSU0vZBnwjfh9XFZPonYT90LaKbBe6j1AnIKpUfgFTS0otuiOYsc+m9E65fgQUp/gxvw ZrBpDtujPxaXpQ+L0SxDk4mcT61KyN/Dj+Eq+COWrZAvI/vIMVg8Jp9QHI1VkmdF+oO9miYaE0Ym HaaJxmHUzoPwc/RfI6+Hu7EJo3df7E7roQ7y/SLr22EWXEAru5GV0PZB5O5wJnwzJk+tm/D8AzZP ws2UzsH/rHCMyDcgT8Umhs1NtLIWOZ2+raR0D5Yn0T8VHx02+QnWz4gwDli2iNe1UVKXidUY9LVi rRmjvb/rwkJ1HDkXPi50voC/wN+w+TtyDF7FcgWtl4MZsCY8QQ/D/JyO/B1Mi91l2Q65KPM+IcxY 0evlyFViclr/ArkBenJGR4Q+eegPFbpr8ZAnkfH7iuztIBNyGeOR/DnyaSn2z4WZg7fp9OFXbLYT n/tk5doVV5zVIZyK/Y159snH+Z2R3gZbwyzYJKZhhoxOaCMpbEXpaDy3Eo3NE9FXQF+L6B2Al+BR KTWVKO0OZ8Kh1CoXb0ss34Cb4YW4LDZdYvIGOwe5qOjNAEp3wot4qMuIiofzQgSYL+ercAaJzKvh 6kDugc1Koro33Isktu4+IhzuBinICUTyY+w/jt0hb72Qv0Q/BG+D0cwTmnBn+I18vky0p1FKDths F5/XU/dH4n+Y/vuMZQdyGvJJib/NQ4n/EXgyrs/ATwZ9mE0PJXvfhWvhj+jD+D8H28OucExcDn3K JwUvYr8SfV/IHKmfWVOniNs8+Fl+Ucs8xpiI5n3kUqzK9WRFG/S7GPVJSksw9h/zF1vNHZTmoJ9P xFhTpiZyLTykSZx1RfThuvsUdsFnTzz0xOcaNKWQw901zIGd9OcEcWZnc1xmqiF+wt14V7h35deW GCLvCPdhLCdheXN8H5ZW9qBnjbtjWaHbkX/Nz7T9DO9lC9nrvpAouQ2Rm6I/g59fkdmN9XWQXVGX CXcGbLbDv9H/d2N1LblbOZ9gszLcNyD7jJ5BlBpjsw+GuxPZrrk32aja845hh3HeggNhuCNVgC/D wegHybybjmgegH3I5+GU/h2+DY+yIsbHZYlGeC/rRC12Ld0tvMcxsz5zURxOgxnwc0j+ONxfnPeF Kh/5Q3gFD7vjcyQysXXOIteBrYnbFuTCYYSRm8P2sUvST2p1xudIuBTLJshfk/97yP9drIuqsCL6 Rcj1sB+HH+6AKkaGcI92jhPzEthsIGeQ7X7I52LIS9F3QA73cHLAX0JeJUPufR5PSn5pvIW72c30 c1X+XPkUDA/5secYo6WzjdINYcTY+duyCy2DncNcYuf5irFomAh7xPdw2Rk+YL9NQdMIb5fYebZQ eohovAo3xHcMsSduNuaz6U8oZ3CPFpuxcCR8JS6HpVlEWORi+P+MupexmQ1XoWnDO9JfeLuYjtza /8BGOyn+qZN8k2c034bK4w15RW+9ZJdQL+HT6q2co3nP5nznyneiNnG65JMj3cQvJDsDn0btEllv 
Rj7vHuDczed3ctbIv6RrKHnXnSh3N/dxude7r8sTEXKqe076L3R9902rOc93J64InWeo1Uvo7eX9 TBpMdkfJWsZDHaGe737K6ewcn4RKrWzYFqbiLeamWcsVZqTlNnNU9kzkIfK7VLqD0LQ1h+WMKZZq o9AJqLVN6B4Qmk7meatZTN10eSuiV1C3E6XlhF4ban0Fd8BJ8LiRT4i+MhLzbmaE9F/eS1hvomng dcRGTgHrRaMWiKxWopmBfEXs3UvY7xY6F80mGZ2ZJfs5lvOF7jrksTAdzVFqnRF6HZEnwSKwQ1xj e6VriGxSpbfqJer2EZoRQmcRPTHaEXoX5W8qIWutReNspFS+2V7bsXGO/c63etroSbJLyPsivV6/ ICPSz0r/9Ruy3kXWz+hnJDO13G0zxN55F04RmonYbNB8f0xPtXzRTLR8H3mqeQs/Il+P5Vpa7E7d 15FrwoiWz7LzaP2KLiqrW5MDujj9TJZs13w/QftWc6eOyurW5eW8I/ZOa3ifUP0iNAYPzfDWXpeQ vUJ/js9QPib3FJGdpVi2wkOMujcifw83O/ZE6aykD6cc+VSxmiNvZe1+aTVXHfl8PM+5KHcHWVnO ReQWboo8OThHpD9C506dallUr5H7mvOd9ZAGi8BqQuvNUh1DngqLOIexPCzrGvlrZ4TcWfD5ubYn C2eGc8jq3yTOvvRHp+PnBPyF9T5LKTvv2a4tjS31U5C/RS4sMp/LL/RvQ/+u6D150/iav8iyI2wC fxKak3CZ0EtCf1WoXfg8mgrYPCL092NZCbaitAxyN+QOWH6PBr07SRgpjVye0o/gRTS0Yv6B3BN5 LGyDZjwcJnTorW5M6afIR+iPj800uITSrcjvI5+G98KH0DMik0fd0NtO+BR8HH6BZR1kxmV+p8UB yFvoz5fwFJrX8daDWvWw3IH+JuTlyPOIyRrkofBVWJFar0Xs3ccvGc6OyO5PMD+cI5G9JDRXke8I 5wjN9HCmRDaPwG4wG2+dw/miViScNWRi4p8NZw37ZfB7SssII6XRfETfqmM5GfYJ40Prd9PDTWFM RKPTkcOIEWd3IWxEi0TbOUcpkdTr8UDWeTPgNuwXwL3wr5BRu2GmzaOfo7G/BQ/E3AvoA/mjy5F7 12F/HJt3kG/HMsyxu2AgTHhH6iYUo58Gm0w8/A2moC/JqCsQmR3Yz6SUNeLuo1ZZ2iK2Zka47ojh fuoSW3cSLI+fD7CpgX/iqe+k7kr0rDIvzNXetBWuxNJh7uHnM2Qs9URq/YjNizDMEKJnBoaZTLs3 EavlQuccmjm0FeZhXdgQ3kfd3ci18VALnoC/oX+Gtroj348fxuXRuncrllPwMwuZyGv2B3cRHALb YxO2+E8YZsiHlD4BmRdTghb7QyIfQeNeoMUR6MM9jTXohqubletF0RSB7AyGrDB40+FOxa6if8ae uu4g+DZcjD7cG5HN52i2Ix+mdfLKsHb0eWqRdV64msIRbcAmEfu5aMJ534i+LUyD9NmwZ/q5+Ax7 RVa4hyBryiU3HHruj6HWSOyvILMS3VHwAHrm1BB/rxN69iiXXcslHzS7utsLrsP+IjkzlvwJ96sl kL3IYx2Zp9CEO+cZ6oZzyrwbZsonl8zDkLVmpkKyN7JLmEBWeNy/PLLdJ9oRxu5T6mJv2KNMfXiv tK6UnFPc12LymVdH2AT+JDQn4TKhl4T+qlC78Hk0FbB5ROjvx7ISbEVpGeRuyB2w/B4NeneSMFIa uTylH8GLaGjF/AO5J/JY2AbNeDhM6NBb3ZjST5GP0B8fm2lwCaVbkd9HPg3vhQ+hZ0Qmj7qht53w Kfg4/ALLOsiMy/xOiwOQt9CfL+EpNK/jrQe16mG5A/1NyMuR5xGTNchD4auwInVLUjcfmzuQp1Oa 
jdwZfQQyFv8srE7pZNgH3k2tTbSbTg/DnjNedyFsRF1G7ZyjlBHp9dRl9r0ZcBv2C+Be+FcY9jCc 8XBco+EteGDsXoBP5lGXIweuw/44Nu8g345lONd3QWolUJpQjH4abDLx8DeYQulMZDLT3YdNWTwT GUP/zQeU1sAPkdF3ol+Jnuz1whzojbcww8Nc/Qw9Nnoimh8pfREyO5o4mIFwDt7CeawLG8L7KN2N XJtateAJ+Bv6Z/DZHfl+/NBzj1a8W7Gcgp9ZyMRKs7LcRXAIbI9N2OI/YTinH1L6BCSSpgQt9odE L4LGvUCLI9CHuwHZ64brgpz3omiKQNaUYR4N3nS4xlmP+mfsqesOgm/DxejDXQXZfI5mO/JhWicT DBmuz1OLPPHCnA9HtAGbROznoglndiP6tjAN0mfDbuPn4jPsFfPuHoKsApfZd+i5P4ZaI7G/gsza cUfBA+iZU0P8vU7oWd0umaDZCd1ecB02ZLUb7iRnkMOZYjYN8ffJEPMwJOfNVEjuRXaR/8y1x37u kas+MYwwIp9SF3vD/mDqC9VQfdrK591dSn4rM5G3AVOsJknO46axvHMwE3if0JzS+Z6n5HsRKZJ7 vEXRotE/oJ/C9+583oG4onFmo+8k9PYK3WrYp+Mhm9KTQn8gci/YDJszeLhI6x3ibzbKWl6WNyd6 AJrLbjXxw1uUb3mLcmv49gPN97xLOYp+J3XX885kGDZn4JDw/YmMWmfx5qGdJ7/7U0doknmLsltK Vb7ITlE060NZbLwUIpaBPiFOOVkXdedK62gWw22wnDA2PV/eR7XJ3yXekDvISVbvFtm5B7kjpU2Q NyAfwHIUcgJyA0r/Tq1TaIqE3tAcjUlPqmBThFo1YDdKvwxJaRryFUpfwUNZ9G+gvxW5EqU+8mPI z4Z9ENk5GPaB0mEix9rmX7IRKIdmhZK3E18hzxfZREVW+ULTGJ5HcwWZc73+l9DbK3Qd9BoupTRB 6FxEPgNrYK+wmQIrwQmUDqEPM5C7IS+mxR+xGYH8CaVZ+ElE34tWPoaL4v2X/vRBswbNejgJMl41 PrZPZiH2oeQhmmExeeOXged+8T6IfoHMkT4uVF/jczmcSutXsbwc9k1szJGYfLPudvRNxL8+F3vL 6mOqle1VMpbfikb/jJ92+P8Bb53E3i+F/jmRjY69b5kq9u6WsF18ZhGf+aK37Yq3++l/yfwrVtOI 3v4Sjlrsvba0O5l8q4b9cTT9JA7qZ3qeJHongLHYVav/TKiHwA5C52N4BJ7CZqXQ3E1/OpA5dWAq rW+Lz77VqI4xWZU7ifACWIERDQzzP5zZsCfojwgT8BNh9dmnXztGvzh1l4jsNQ3nV/rsdWREK+Oz sBD9hzz7vS/vkMNsjI/lPLNzlficZyVmo5H3qN8i18DDDCJWFLkbtYpgvwWb9Wg6I/dDP5XITEVe jv905M3Y5GC/Am9d0BjsP8AyQUrdXPrJGE0zMpkVrebQE1foj2LUrSUC7lyhTg/XF3P3ZWwps7NU 9nNqxYjDkTgXyt0E/UWh3etl7r6jV+XgYliDaOykbzWkb3Zmw6w+z6cMUnocbodfYtkAz0Hc23lW kOTJEkbqolmJ/SE0PyEvwucdaFrAB9Ffjc/UQmTRjKaV+dh0hmuwaQBbx9d7LdvbheEo4rknq+az cK9A/xXsj+feYR6G0SA+77H6lpJLnZiFN/HcIbSnbgM8D0OzBs1l7FNVlGgsJAck5jEinID/l/D2 E/PYWSxtzz+UeZQ+2+dq8dAW+xVYPhrax/dDafGl2CzpYXzPVOzbjFe9ROviZ1eYIazE1bw3PqN6 yFO00JzMv8/KDzDqU9hkk2Nfy27gTUZfhv63iOeVRG+Flm+a9UAzlvysjj4dfhXupew2wxh1gH4I 
--_004_BY2PR03MB442AE4BC9D853A29D0C7643F50A0BY2PR03MB442namprd_-- From nobody Wed Mar 25 09:14:38 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4629D1A8547 for ; Wed, 25 Mar 2015 09:14:37 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.278 X-Spam-Level: X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iKDtb8uOdhsF for ; Wed, 25 Mar 2015 09:14:36 -0700 (PDT) Received: from mail-lb0-x22d.google.com (mail-lb0-x22d.google.com [IPv6:2a00:1450:4010:c04::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5304D1A883D for
; Wed, 25 Mar 2015 09:14:29 -0700 (PDT) Received: by lbbsy1 with SMTP id sy1so21356878lbb.1 for ; Wed, 25 Mar 2015 09:14:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type; bh=F+fXB+B/rvSxUWZQfp1ySRHGiYkBrxLIcaUg2l6X1Eg=; b=Qu7XR3JNnVaZFcm1WsB0NT3Ue7m3Kt40Q+XXbqH0hQcLzhFkgcAsTGICEBJbK1k/jz ZPPpnhbyPgUegyXCsy1mf1J1rposhCHV4SVZDmzOyqDDNLyv6g34rPBVjKEBRY2vtvXK skuj7DuOED6HKi+FvCTArgY9q+CUDeLapDVr+ONr/Gp2xkRRrSLEKZzJQOLc+xIS4q3+ zJzA81OGkjT5/8LhIo3i7wlukA5b3aYD8QuyhA9hF2aELUfgskMfjEIA3VecS3ZVXUHU kSOe3JSkSYDPCBB/wmWMyPl97yJBuuK79LozYRJGuVbGBKDjXNsOkCuShE8pmPP+IeJ5 TbmQ== MIME-Version: 1.0 X-Received: by 10.152.18.225 with SMTP id z1mr9329551lad.124.1427300067842; Wed, 25 Mar 2015 09:14:27 -0700 (PDT) Sender: hallam@gmail.com Received: by 10.112.45.203 with HTTP; Wed, 25 Mar 2015 09:14:27 -0700 (PDT) Date: Wed, 25 Mar 2015 06:14:27 -1000 X-Google-Sender-Auth: iKxTmDdv9jQOnHg89Q5lYy3ZpYk Message-ID: From: Phillip Hallam-Baker To: "jose@ietf.org" Content-Type: text/plain; charset=UTF-8 Archived-At: Subject: [jose] Direct Compact Serialization X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Mar 2015 16:14:37 -0000

The revised draft is now up. It is essentially a one pager. Which
turns out to be five with the boiler plate and IANA section.

http://tools.ietf.org/html/draft-hallambaker-joseunencoded-01

2. Serialization

   In the JWS Direct Serialization, no JWS Unprotected Header is used.
   In this case, the JOSE Header and the JWS Protected Header are the
   same.

   In the JWS Direct Serialization, a JWS is represented as the
   concatenation:

   UTF8(JWS Protected Header)) || '.' || (JWS Payload) || '.' ||

   (JWS Signature)

   The calculation of the signature is performed over the octet sequence
   that corresponds to the concatenation:

   UTF8(JWS Protected Header)) || '.' || (JWS Payload) || '.'

From nobody Wed Mar 25 11:45:00 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53DF51B2B06 for ; Wed, 25 Mar 2015 11:44:57 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RvwtSWLSjCb9 for ; Wed, 25 Mar 2015 11:44:53 -0700 (PDT) Received: from mail-oi0-x229.google.com (mail-oi0-x229.google.com [IPv6:2607:f8b0:4003:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E55C1B2AFB for ; Wed, 25 Mar 2015 11:44:41 -0700 (PDT) Received: by oier21 with SMTP id r21so29604067oie.1 for ; Wed, 25 Mar 2015 11:44:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=40DZh+mYFsCHkudSAG+4s7iRkz9OgAn3olevv83HBtY=; b=0/FId4It1Mm80rE7HmPJxl8VB2guVaNedaDu6lncEGhGpToEPxZmUqPG83tQJRGKTk 9uC8B4p/dqM3Bqmbvs6dkWJSp1CFhhiMuFtpiI2nhQF6vEIdHV6StHhnF9NzuQKnJpZ9 4x78hG5ie3/ub9j3ZUyY0TAwTbuN6JU839pTehKJ8pgr6hGIvAM+HdDnB46vPEYoDxmQ XbGGCcUJnnww65BcA65R5AnMi0CNXcd0wVuHSLAOsPBvU1peY8qi8Z48UbTAhSaCHgYu BfiA+xA+lP28mDNBPRJRRGRWpW7fzkTYVHmBo/W45SuZhNyhRoNIvMV4o0ipnpXT6ulI 4oZg== MIME-Version: 1.0 X-Received: by 10.60.45.165 with SMTP id
o5mr8886274oem.44.1427309080653; Wed, 25 Mar 2015 11:44:40 -0700 (PDT) Received: by 10.60.141.230 with HTTP; Wed, 25 Mar 2015 11:44:40 -0700 (PDT) In-Reply-To: References: Date: Thu, 26 Mar 2015 03:44:40 +0900 Message-ID: From: Nat Sakimura To: Phillip Hallam-Baker Content-Type: multipart/alternative; boundary=001a11c2560cbcc6700512214a1d Archived-At: Cc: "jose@ietf.org" Subject: Re: [jose] Direct Compact Serialization X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Mar 2015 18:44:57 -0000

--001a11c2560cbcc6700512214a1d
Content-Type: text/plain; charset=UTF-8

Thanks.

So, is it correct to understand that this is intended to the environment
that JWS Payload will not be munched by the processing middle-ware etc.?

Also, JWS Payload may include linefeed etc. So, the compact serialization
may appear like:

{"alg":"ES256"}.{"iss":"joe",
 "exp":1300819380,
 "http://example.com/is_root":true}.eyJhbGciOiJQUzI....etc.etc.etc...OJ-LWr

Is it correct?

Best,

Nat

2015-03-26 1:14 GMT+09:00 Phillip Hallam-Baker :

> The revised draft is now up. It is essentially a one pager. Which
> turns out to be five with the boiler plate and IANA section.
>
> http://tools.ietf.org/html/draft-hallambaker-joseunencoded-01
>
> 2. Serialization
>
>    In the JWS Direct Serialization, no JWS Unprotected Header is used.
>    In this case, the JOSE Header and the JWS Protected Header are the
>    same.
>
>    In the JWS Direct Serialization, a JWS is represented as the
>    concatenation:
>
>    UTF8(JWS Protected Header)) || '.' || (JWS Payload) || '.' ||
>
>    (JWS Signature)
>
>    The calculation of the signature is performed over the octet sequence
>    that corresponds to the concatenation:
>
>    UTF8(JWS Protected Header)) || '.' || (JWS Payload) || '.'
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
--001a11c2560cbcc6700512214a1d-- From nobody Wed Mar 25 12:07:39 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 480521B2B47 for ; Wed, 25 Mar 2015 12:07:32 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VGRP3NjsL4qg for ; Wed, 25 Mar 2015 12:07:30 -0700 (PDT) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0131.outbound.protection.outlook.com [65.55.169.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 067501A8A68 for ; Wed, 25 Mar 2015 12:07:20 -0700 (PDT) Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB443.namprd03.prod.outlook.com (10.141.141.152) with Microsoft SMTP Server (TLS) id 15.1.125.14; Wed, 25 Mar 2015 19:07:17 +0000 Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0125.002; Wed, 25 Mar 2015 19:07:17 +0000 From: Mike Jones To: Nat Sakimura , Phillip Hallam-Baker Thread-Topic: [jose] Direct Compact Serialization Thread-Index: AQHQZxcIKPOt4tXan0WU5JPbyvNLhJ0tiVIAgAAAVrA= Date: Wed, 25 Mar 2015 19:07:17 +0000 Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [2001:67c:370:136:254b:a821:d660:543a] authentication-results: gmail.com; dkim=none (message not signed) header.d=none; x-microsoft-antispam: 
UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB443; x-microsoft-antispam-prvs: x-forefront-antispam-report: BMV:1; SFV:NSPM; SFS:(10019020)(377424004)(51444003)(377454003)(52604005)(2900100001)(77156002)(15975445007)(19625215002)(99286002)(87936001)(2950100001)(76576001)(19617315012)(106116001)(74316001)(54356999)(19609705001)(122556002)(19580395003)(19580405001)(102836002)(40100003)(92566002)(86362001)(50986999)(76176999)(77096005)(15395725005)(16236675004)(19300405004)(2656002)(86612001)(33656002)(46102003)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB443; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; x-exchange-antispam-report-test: UriScan:; x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5005006)(5002010); SRVR:BY2PR03MB443; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB443; x-forefront-prvs: 052670E5A4 Content-Type: multipart/alternative; boundary="_000_BY2PR03MB44221F898A039399D785607F50B0BY2PR03MB442namprd_" MIME-Version: 1.0 X-OriginatorOrg: microsoft.onmicrosoft.com X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Mar 2015 19:07:17.5328 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47 X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB443 Archived-At: Cc: "jose@ietf.org" Subject: Re: [jose] Direct Compact Serialization X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Mar 2015 19:07:32 -0000 --_000_BY2PR03MB44221F898A039399D785607F50B0BY2PR03MB442namprd_ Content-Type: text/plain; charset="utf-8"

Thanks for writing this, Phillip.  I’ll repeat a few comments that I think I made to you in person.

First, I would suggest that any extension that changes the signature computation include syntax for declaring that it’s been changed.  For instance, it could include a header parameter value like “b64”: false – with the meaning that the payload value is used as-is in the signature computation, rather than being base64url encoded.

Putting everything out there, I know that some have also asked for a compact serialization where the signature is computed only over the payload – where all the header parameters are unprotected.  This would be particularly useful for detached payloads, because then there’s no need to prepend BASE64URL(ASCII(JWS Protected Header)) || ‘.’ to payload before computing the signature.  For truly huge payloads, not having to make a copy of it to do the concatenation can be an implementation advantage.  (Matt Miller has told me about some of his experiences related to this in JavaScript.)  I would also want this property to be explicitly declared in some manner.

To Nat’s question, I would hope that this would normally be used with detached payloads, where the JWS communicated would look like this: Header..Signature – thus avoiding the question of how to represent payloads that are not URL-safe.  The answer would simply be “the application knows how to do this”.

I think that it’s at least worth considering an extension spec that enables these options, as it could broaden the applicability of JOSE to additional application contexts.

I’ll note that when the working group previously considered this question, in the context of http://trac.tools.ietf.org/wg/jose/trac/ticket/23.  The thing that makes me personally willing to consider such an extension at this point is that not having to copy a huge detached payload to do the crypto could be the difference between JWS being applicable and not.

Thanks for starting this discussion, Philip.

                                                            -- Mike

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Nat Sakimura
Sent: Wednesday, March 25, 2015 1:45 PM
To: Phillip Hallam-Baker
Cc: jose@ietf.org
Subject: Re: [jose] Direct Compact Serialization

Thanks.

So, is it correct to understand that this is intended to the environment that JWS Payload will not be munched by the processing middle-ware etc.?

Also, JWS Payload may include linefeed etc. So, the compact serialization may appear like:

{"alg":"ES256"}.{"iss":"joe",
 "exp":1300819380,
 "http://example.com/is_root":true}.eyJhbGciOiJQUzI....etc.etc.etc...OJ-LWr

Is it correct?

Best,

Nat

2015-03-26 1:14 GMT+09:00 Phillip Hallam-Baker <phill@hallambaker.com>:
The revised draft is now up. It is essentially a one pager. Which
turns out to be five with the boiler plate and IANA section.

http://tools.ietf.org/html/draft-hallambaker-joseunencoded-01

2. Serialization

   In the JWS Direct Serialization, no JWS Unprotected Header is used.
   In this case, the JOSE Header and the JWS Protected Header are the
   same.

   In the JWS Direct Serialization, a JWS is represented as the
   concatenation:

   UTF8(JWS Protected Header)) || '.' || (JWS Payload) || '.' ||

   (JWS Signature)

   The calculation of the signature is performed over the octet sequence
   that corresponds to the concatenation:

   UTF8(JWS Protected Header)) || '.' || (JWS Payload) || '.'

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

--_000_BY2PR03MB44221F898A039399D785607F50B0BY2PR03MB442namprd_--
From nobody Wed Mar 25 12:11:36 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A094C1B2B58 for ; Wed, 25 Mar 2015 12:11:35 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M9cVoRd9QHHL for ; Wed, 25 Mar 2015 12:11:34 -0700 (PDT) Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 449721B2B44 for ; Wed, 25 Mar 2015 12:11:34 -0700 (PDT) Received: from Philemon (dhcp-a0fb.meeting.ietf.org [31.133.160.251]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id 7629B2CA24; Wed, 25 Mar 2015 12:11:33 -0700 (PDT) From: "Jim Schaad" To: "'Phillip Hallam-Baker'" , References: In-Reply-To: Date: Wed, 25 Mar 2015 14:10:27 -0500 Message-ID: <02d001d0672f$5bc279a0$13476ce0$@augustcellars.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 14.0 Thread-Index: AQHWsO0jGczEIx3ZUZnJ/IqcXg7Azp0g/MCQ Content-Language: en-us Archived-At: Subject:
Re: [jose] Direct Compact Serialization X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Mar 2015 19:11:35 -0000 So what happens if my JWS Payload contains a "." character in it? > -----Original Message----- > From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Phillip Hallam-Baker > Sent: Wednesday, March 25, 2015 11:14 AM > To: jose@ietf.org > Subject: [jose] Direct Compact Serialization > > The revised draft is now up. It is essentially a one pager. Which turns out to be > five with the boiler plate and IANA section. > > http://tools.ietf.org/html/draft-hallambaker-joseunencoded-01 > > 2. Serialization > > In the JWS Direct Serialization, no JWS Unprotected Header is used. > In this case, the JOSE Header and the JWS Protected Header are the > same. > > In the JWS Direct Serialization, a JWS is represented as the > concatenation: > > UTF8(JWS Protected Header)) || '.' || (JWS Payload) || '.' || > > (JWS Signature) > > The calculation of the signature is performed over the octet sequence > that corresponds to the concatenation: > > UTF8(JWS Protected Header)) || '.' || (JWS Payload) || '.' 
> > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose From nobody Wed Mar 25 12:21:53 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAFDC1A0379 for ; Wed, 25 Mar 2015 12:21:51 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.211 X-Spam-Level: X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ZJfV4HVKQpn for ; Wed, 25 Mar 2015 12:21:50 -0700 (PDT) Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD3871A6EFB for ; Wed, 25 Mar 2015 12:21:49 -0700 (PDT) X-AuditID: 1209190f-f79d16d000000d3d-fe-55130accd2eb Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-4.mit.edu (Symantec Messaging Gateway) with SMTP id B3.93.03389.CCA03155; Wed, 25 Mar 2015 15:21:48 -0400 (EDT) Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id t2PJLl8k031094; Wed, 25 Mar 2015 15:21:47 -0400 Received: from dhcp-898e.meeting.ietf.org (dhcp-898e.meeting.ietf.org [31.133.138.142] (may be forged)) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t2PJLitV009480 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 25 Mar 2015 15:21:46 -0400 Mime-Version: 1.0 
(Mac OS X Mail 8.2 \(2070.6\)) Content-Type: multipart/signed; boundary="Apple-Mail=_7C29C684-5CA5-4BDC-B20B-ADDAC8C247D1"; protocol="application/pgp-signature"; micalg=pgp-sha256 X-Pgp-Agent: GPGMail 2.5b6 From: Justin Richer In-Reply-To: <02d001d0672f$5bc279a0$13476ce0$@augustcellars.com> Date: Wed, 25 Mar 2015 14:21:43 -0500 Message-Id: References: <02d001d0672f$5bc279a0$13476ce0$@augustcellars.com> To: Jim Schaad X-Mailer: Apple Mail (2.2070.6) Archived-At: Cc: Phillip Hallam-Baker , jose@ietf.org Subject: Re: [jose] Direct Compact Serialization X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Mar 2015 19:21:52 -0000 --Apple-Mail=_7C29C684-5CA5-4BDC-B20B-ADDAC8C247D1 Content-Type: text/plain; charset=utf-8

I’m also confused by this problem. Why not use JSON Text Sequences instead for this use case?

http://www.rfc-editor.org/rfc/rfc7464.txt

— Justin

> On Mar 25, 2015, at 2:10 PM, Jim Schaad wrote:
>
> So what happens if my JWS Payload contains a "." character in it?
>
>> -----Original Message-----
>> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Phillip Hallam-Baker
>> Sent: Wednesday, March 25, 2015 11:14 AM
>> To: jose@ietf.org
>> Subject: [jose] Direct Compact Serialization
>>
>> The revised draft is now up. It is essentially a one pager. Which turns out to be
>> five with the boiler plate and IANA section.
>>
>> http://tools.ietf.org/html/draft-hallambaker-joseunencoded-01
>>
>> 2. Serialization
>>
>> In the JWS Direct Serialization, no JWS Unprotected Header is used.
>> In this case, the JOSE Header and the JWS Protected Header are the
>> same.
>>
>> In the JWS Direct Serialization, a JWS is represented as the
>> concatenation:
>>
>> UTF8(JWS Protected Header)) || '.' || (JWS Payload) || '.' ||
>>
>> (JWS Signature)
>>
>> The calculation of the signature is performed over the octet sequence
>> that corresponds to the concatenation:
>>
>> UTF8(JWS Protected Header)) || '.' || (JWS Payload) || '.'
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

--Apple-Mail=_7C29C684-5CA5-4BDC-B20B-ADDAC8C247D1 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail
--Apple-Mail=_7C29C684-5CA5-4BDC-B20B-ADDAC8C247D1--
From nobody Wed Mar 25 12:33:26 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B340C1B2AB1 for ; Wed, 25 Mar 2015 12:33:24 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GsIgw3_NbVZ5 for ; Wed, 25 Mar 2015 12:33:23 -0700 (PDT) Received: from mail-ob0-x22b.google.com (mail-ob0-x22b.google.com [IPv6:2607:f8b0:4003:c01::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com
(Postfix) with ESMTPS id 57E471B2AAB for ; Wed, 25 Mar 2015 12:32:30 -0700 (PDT) Received: by obdfc2 with SMTP id fc2so28049577obd.3 for ; Wed, 25 Mar 2015 12:32:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=29uZ8YVQkfsEiVXJYocdUK1nYZaKxzIkReu4TgVJSEg=; b=h1g5iLnUQtYPL2kDJCPXWDgJpC/eCzJXlt3zO4711I9v/WD2FuZn4oXOKPd3Elc7RT siqQVqWPZgNI8slKcb0Nb1MsdWIkErtjgkW5B7pVvK0emWH1lURp3qwC8FblxguY++h2 F7Wgc3fFYah21hA6KbxBGOSnDiJzBlC24zL2AMuvWCoCNLrl3v1i79Eow3q6fwoJWNKW SPD9Ol2Uk1xw5Q3oVVvvZ4oTlsNQcoylAFsNbsmW7Ae7nUpqSY5hl17yan0c0UkCf3wB 0/iAYSnPCVY5huhEY/B5MpzG9Z1/J7vipiQNISUa7kgR5gyUGdl7c124a1uqkm50Pipt sc8A== MIME-Version: 1.0 X-Received: by 10.182.39.195 with SMTP id r3mr8985931obk.44.1427311949827; Wed, 25 Mar 2015 12:32:29 -0700 (PDT) Received: by 10.202.48.151 with HTTP; Wed, 25 Mar 2015 12:32:29 -0700 (PDT) In-Reply-To: <02d001d0672f$5bc279a0$13476ce0$@augustcellars.com> References: <02d001d0672f$5bc279a0$13476ce0$@augustcellars.com> Date: Wed, 25 Mar 2015 14:32:29 -0500 Message-ID: From: Martin Thomson To: Jim Schaad Content-Type: text/plain; charset=UTF-8 Archived-At: Cc: Phillip Hallam-Baker , jose Subject: Re: [jose] Direct Compact Serialization X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Mar 2015 19:33:24 -0000 On 25 March 2015 at 14:10, Jim Schaad wrote: > So what happens if my JWS Payload contains a "." character in it? Yes, this seems to be a problem. You could fix it trivially by moving the signature ahead of the payload in the serialization. At the cost of having to buffer the signature. 
From nobody Wed Mar 25 12:43:17 2015
From: Mike Jones
To: Martin Thomson, Jim Schaad
Cc: Phillip Hallam-Baker, jose
Date: Wed, 25 Mar 2015 19:42:54 +0000
Subject: Re: [jose] Direct Compact Serialization

It's been my assumption that this option would only be used for detached payloads, in which the payload is transmitted and delimited in a way known to the application.

As a historical note, the signature comes last in the JWS Compact Serialization to enable computing it in a streaming manner, for algorithms where this is possible.

-- Mike

-----Original Message-----
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Martin Thomson
Sent: Wednesday, March 25, 2015 2:32 PM
To: Jim Schaad
Cc: Phillip Hallam-Baker; jose
Subject: Re: [jose] Direct Compact Serialization

On 25 March 2015 at 14:10, Jim Schaad wrote:
> So what happens if my JWS Payload contains a "." character in it?

Yes, this seems to be a problem.

You could fix it trivially by moving the signature ahead of the payload in the serialization. At the cost of having to buffer the signature.

From nobody Wed Mar 25 12:51:21 2015
From: Martin Thomson
To: Mike Jones
Cc: Jim Schaad, Phillip Hallam-Baker, jose
Date: Wed, 25 Mar 2015 14:51:18 -0500
Subject: Re: [jose] Direct Compact Serialization

If this is *only* used for detached payloads, then that's fine, but you then to define it as just that. Otherwise you get the problem that Jim identified.

JWS Detached Signature = UTF8(JWS Protected Header)) || '.' || (JWS Signature)

On 25 March 2015 at 14:42, Mike Jones wrote:
> As a historical note, the signature comes last in the JWS Compact Serialization to enable computing it in a streaming manner, for algorithms where this is possible.

Yes, that is the logical place for a signature.

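
The delimiter problem raised in this thread, as an added example that is not part of any message or of the draft: it builds one constructed header and payload in the JWS Compact Serialization and in the Direct Serialization quoted from the draft, then counts the ways each can be cut at "." bytes. The HMAC key, header, payload and helper names are constructed for illustration, and base64url-encoding the signature in the direct form is an assumption the thread does not state.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed sample key, for illustration only
# Constructed sample values: a header with a URI-valued "jku" and a payload with a "."
HEADER = '{"alg":"HS256","jku":"https://keys.example.com/jwks.json"}'
PAYLOAD = b"amount=10.50"


def b64url(data: bytes) -> str:
    """base64url without padding, as used by the JWS Compact Serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mac(signing_input: bytes) -> str:
    """HMAC-SHA256 over the signing input, base64url-encoded."""
    return b64url(hmac.new(KEY, signing_input, hashlib.sha256).digest())


def compact_serialize(header_json: str, payload: bytes) -> str:
    """BASE64URL(header) || '.' || BASE64URL(payload) || '.' || BASE64URL(sig)."""
    signing_input = b64url(header_json.encode("utf-8")) + "." + b64url(payload)
    return signing_input + "." + mac(signing_input.encode("ascii"))


def direct_serialize(header_json: str, payload: bytes) -> bytes:
    """UTF8(header) || '.' || payload || '.' || signature, as quoted from the draft.

    Assumption: the signature is base64url-encoded; the thread does not say.
    """
    signing_input = header_json.encode("utf-8") + b"." + payload + b"."
    return signing_input + mac(signing_input).encode("ascii")


def candidate_splits(blob: bytes):
    """Every way to cut blob into (header, payload, signature) at two '.' bytes."""
    dots = [i for i, byte in enumerate(blob) if byte == 0x2E]
    return [
        (blob[:i], blob[i + 1:j], blob[j + 1:])
        for n, i in enumerate(dots)
        for j in dots[n + 1:]
    ]


def verifying_splits(blob: bytes):
    """Cuts whose signature verifies over header || '.' || payload || '.'."""
    good = []
    for header, payload, sig in candidate_splits(blob):
        expected = mac(header + b"." + payload + b".").encode("ascii")
        if hmac.compare_digest(expected, sig):
            good.append((header, payload))
    return good


def header_is_json_object(header: bytes) -> bool:
    """True only if the candidate header parses as a complete JSON object."""
    try:
        return isinstance(json.loads(header.decode("utf-8")), dict)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return False


def demo() -> dict:
    compact = compact_serialize(HEADER, PAYLOAD)
    direct = direct_serialize(HEADER, PAYLOAD)
    # Left-to-right split, the way the compact form is normally parsed.
    naive_header = direct.split(b".", 2)[0]
    verified = verifying_splits(direct)
    return {
        "compact_parts": len(compact.split(".")),
        "direct_candidates": len(candidate_splits(direct)),
        "naive_header_ok": header_is_json_object(naive_header),
        "verified_cuts": len(verified),
        "json_header_cuts": [c for c in verified if header_is_json_object(c[0])],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Several cuts verify because the signature covers the whole prefix up to the last "." and so cannot tell where the header ends. Only parsing the header as JSON singles out one of them.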
From nobody Wed Mar 25 13:16:11 2015
From: Justin Richer
To: Martin Thomson
Cc: Mike Jones, Phillip Hallam-Baker, Jim Schaad, jose
Date: Wed, 25 Mar 2015 15:15:59 -0500
Subject: Re: [jose] Direct Compact Serialization

There’s also nothing stopping the header from having a “.” in it, though, especially if it’s a private header parameter as defined in JWS § 4.3, to say nothing of the values of these parameters. In fact, it is practically guaranteed that the “jku” parameter will have “.” in it several times over, since its value is a URI.

The “.” works in the b64-armored compact version of JOSE because it is a character that does not show up in the B64url alphabet, anywhere. So you can just do a string split, then decode, then parse. Really, really simple to write, but not the case here.

Unless there’s a way to easily separate the fields before they get to a parser, this is going to be problematic to deal with. You can’t really use a regular JSON parser because you don’t know where to start/stop the parsing. You can’t split it ahead of time like with the b64-armored version because of the issues discussed here. If you’ve got a streaming parser, you might be able to do this, but that’s going to be tricky; and if you’re doing a streaming parser, I think you’d be better off going with something like the JSON Text Stream thing that’s already got an RFC definition and a handful of implementations instead of something newly invented.

— Justin

> On Mar 25, 2015, at 2:51 PM, Martin Thomson wrote:
>
> If this is *only* used for detached payloads, then that's fine, but
> you then to define it as just that. Otherwise you get the problem
> that Jim identified.
>
> JWS Detached Signature = UTF8(JWS Protected Header)) || '.' ||
> (JWS Signature)
>
> On 25 March 2015 at 14:42, Mike Jones wrote:
>> As a historical note, the signature comes last in the JWS Compact Serialization to enable computing it in a streaming manner, for algorithms where this is possible.
>
> Yes, that is the logical place for a signature.

From nobody Wed Mar 25 13:59:27 2015
From: Tim Bray
To: jose
Date: Thu, 26 Mar 2015 09:59:02 +1300
Subject: [jose] RFC 7493

Of possible usefulness for Jose. RFC: http://www.rfc-editor.org/rfc/rfc7493.txt
A few words of background: https://www.tbray.org/ongoing/When/201x/2015/03/23/i-json

--
- Tim Bray (If you’d like to send me a private message, see https://keybase.io/timbray)

From nobody Wed Mar 25 14:08:15 2015
From: Mike Jones
To: Tim Bray, jose
Date: Wed, 25 Mar 2015 21:07:52 +0000
Subject: Re: [jose] RFC 7493

Congratulations on completion of the I-JSON RFC, Tim!

For what it’s worth, http://tools.ietf.org/html/draft-ietf-jose-jwk-thumbprint-03 already has an informative reference to I-JSON. We’ll update this to update the RFC with the next revision.

    Cheers,
    -- Mike

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Tim Bray
Sent: Wednesday, March 25, 2015 3:59 PM
To: jose
Subject: [jose] RFC 7493

Of possible usefulness for Jose. RFC: http://www.rfc-editor.org/rfc/rfc7493.txt
A few words of background: https://www.tbray.org/ongoing/When/201x/2015/03/23/i-json

--
- Tim Bray (If you’d like to send me a private message, see https://keybase.io/timbray)

PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4w cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsi PkZyb206PC9zcGFuPjwvYj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWls eTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+IGpvc2UgW21haWx0 bzpqb3NlLWJvdW5jZXNAaWV0Zi5vcmddDQo8Yj5PbiBCZWhhbGYgT2YgPC9iPlRpbSBCcmF5PGJy Pg0KPGI+U2VudDo8L2I+IFdlZG5lc2RheSwgTWFyY2ggMjUsIDIwMTUgMzo1OSBQTTxicj4NCjxi PlRvOjwvYj4gam9zZTxicj4NCjxiPlN1YmplY3Q6PC9iPiBbam9zZV0gUkZDIDc0OTM8bzpwPjwv bzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwv cD4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+T2YgcG9zc2libGUgdXNlZnVs bmVzcyBmb3IgSm9zZS4mbmJzcDsgUkZDOiZuYnNwOzxhIGhyZWY9Imh0dHA6Ly93d3cucmZjLWVk aXRvci5vcmcvcmZjL3JmYzc0OTMudHh0Ij5odHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL3JmYy9y ZmM3NDkzLnR4dDwvYT48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiPkEgZmV3IHdvcmRzIG9mIGJhY2tncm91bmQ6Jm5ic3A7PGEgaHJlZj0iaHR0cHM6 Ly93d3cudGJyYXkub3JnL29uZ29pbmcvV2hlbi8yMDF4LzIwMTUvMDMvMjMvaS1qc29uIj5odHRw czovL3d3dy50YnJheS5vcmcvb25nb2luZy9XaGVuLzIwMXgvMjAxNS8wMy8yMy9pLWpzb248L2E+ PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpw PiZuYnNwOzwvbzpwPjwvcD4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+LS0gPG86cD48 L286cD48L3A+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj4tIFRp bSBCcmF5IChJZiB5b3XigJlkIGxpa2UgdG8gc2VuZCBtZSBhIHByaXZhdGUgbWVzc2FnZSwgc2Vl IDxhIGhyZWY9Imh0dHBzOi8va2V5YmFzZS5pby90aW1icmF5IiB0YXJnZXQ9Il9ibGFuayI+DQpo dHRwczovL2tleWJhc2UuaW8vdGltYnJheTwvYT4pPG86cD48L286cD48L3A+DQo8L2Rpdj4NCjwv ZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9ib2R5Pg0KPC9odG1sPg0K --_000_BY2PR03MB4422F70D5DEB31304A6604AF50B0BY2PR03MB442namprd_-- From nobody Thu Mar 26 16:41:27 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1141E1A6EE8 for ; Thu, 26 Mar 2015 
16:41:26 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q0rVoifLvThz for ; Thu, 26 Mar 2015 16:41:22 -0700 (PDT) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0134.outbound.protection.outlook.com [65.55.169.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B0A41A1AA0 for ; Thu, 26 Mar 2015 16:41:21 -0700 (PDT) Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB443.namprd03.prod.outlook.com (10.141.141.152) with Microsoft SMTP Server (TLS) id 15.1.125.14; Thu, 26 Mar 2015 23:41:19 +0000 Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0125.002; Thu, 26 Mar 2015 23:41:18 +0000 From: Mike Jones To: "jose@ietf.org" , "Matt Miller (mamille2)" Thread-Topic: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5) Thread-Index: AQHQaB5bkfOhNCQj00mWiSuBrydmng== Date: Thu, 26 Mar 2015 23:41:18 +0000 Message-ID: References: <187A7B1DA239514F9146FC78B19AADE322D48DD4@xmb-aln-x10.cisco.com> <4E1F6AAD24975D4BA5B16804296739439AD6D7DD@TK5EX14MBXC292.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439AD86E7C@TK5EX14MBXC294.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439AD86E7C@TK5EX14MBXC294.redmond.corp.microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: yes X-MS-TNEF-Correlator: x-originating-ip: [2001:67c:370:160:50c4:759d:a7ff:aa6e] authentication-results: ietf.org; dkim=none 
(message not signed) header.d=none; x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB443; x-forefront-antispam-report: BMV:1; SFV:NSPM; SFS:(10019020)(36304003)(51914003)(584324002)(377454003)(43784003)(2501003)(230783001)(2656002)(19300405004)(46102003)(2950100001)(33656002)(19627405001)(19627595001)(106116001)(19617315012)(74316001)(19625215002)(2900100001)(15975445007)(62966003)(99286002)(87936001)(77156002)(50986999)(99936001)(77096005)(76576001)(76176999)(17760045003)(16236675004)(19580405001)(19580395003)(122556002)(18206015028)(40100003)(102836002)(92566002)(54356999)(86362001)(3826002)(16866105001); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB443; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:; x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5002010)(5005006); SRVR:BY2PR03MB443; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB443; x-forefront-prvs: 0527DFA348 Content-Type: multipart/related; boundary="_004_BY2PR03MB44255D6D63EA00274A86086F5080BY2PR03MB442namprd_"; type="multipart/alternative" MIME-Version: 1.0 X-OriginatorOrg: microsoft.onmicrosoft.com X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Mar 2015 23:41:18.8233 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47 X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB443 Archived-At: Cc: "Shaun Cooley \(shcooley\)" Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5) X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Mar 2015 23:41:26 -0000 --_004_BY2PR03MB44255D6D63EA00274A86086F5080BY2PR03MB442namprd_ Content-Type: multipart/alternative; 
boundary="_000_BY2PR03MB44255D6D63EA00274A86086F5080BY2PR03MB442namprd_"
--_000_BY2PR03MB44255D6D63EA00274A86086F5080BY2PR03MB442namprd_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

I am working on the formatting of the algorithm cross-reference tables in JWA Appendix A http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendix-A with the RFC Editor to make them more readable.  When looking at the table content (in a more readable rendition I'll share with you soon), I noticed that this string appears for the JCA value of three algorithms:

                AES/CBC/PKCS5Padding

which I believe should be

                AES/CBC/PKCS7Padding

This would be consistent with the changes made in -28 for the reasons described in this thread.  JAVA IMPLEMENTERS - If you are currently using AES/CBC/PKCS5Padding can you please verify that your implementation still works after changing this string to AES/CBC/PKCS7Padding and that the results are still correct and reply to us letting us know what happened?  Matt, if your code for the cookbook is in Java, it would be especially good if you made this code change and verified that nothing changes in the output.

Also, this clearly inconsistent sentence currently occurs in http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-5.2.1:

      CBC-PKCS5-ENC(X, P) denotes the AES CBC encryption of P using PKCS
      #7 padding using the cipher with the key X.

I believe that the identifier CBC-PKCS5-ENC should be changed to CBC-PKCS7-ENC.

Unless people disagree, I will plan to apply these corrections during AUTH48.

                                                            Thanks all,
                                                            -- Mike

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Friday, June 20, 2014 7:03 PM
To: Shaun Cooley (shcooley)
Cc: jose@ietf.org; Matt Miller (mamille2)
Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)

This change has been incorporated in the -28 drafts.

                                                            Thanks again, Shaun,
                                                            -- Mike

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Friday, June 13, 2014 2:27 PM
To: Shaun Cooley (shcooley)
Cc: jose@ietf.org; Matt Miller (mamille2)
Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)

(Adding the JOSE working group)

I believe you're right.  I'll plan to make this change in the next version of the spec.

Thanks for the careful read!

                                                            -- Mike

From: Shaun Cooley (shcooley) [mailto:shcooley@cisco.com]
Sent: Friday, June 13, 2014 10:34 AM
To: Mike Jones
Cc: Matt Miller (mamille2)
Subject: draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)

Michael -

I am working on implementing a browser compatible JS implementation of JOSE, based on the work Matt Miller did for Node.JS.  While going through the spec, I noticed that PKCS #5 is called out for the AES-CBC ciphers.  Shouldn't this be PKCS #7?

PKCS #5 - RFC2898 section 6.2 specifies:

The padding string PS shall consist of 8 - (||M|| mod 8) octets all having value 8 - (||M|| mod 8).

PKCS #7 - RFC2315 section 10.3 note 2 specifies:

For such algorithms, the method shall be to pad the input at the trailing end with k - (l mod k) octets all having value k - (l mod k), where l is the length of the input.

PKCS #7 allows for padding in block sizes of 2-255 bytes, whereas PKCS #5 is intended for block sizes of 8.  This means that PKCS #7 is a superset of #5, and given that AES is a block size of 16, it seems the spec should require PKCS #7.

Thoughts?

Shaun Cooley
DISTINGUISHED ENGINEER.ENGINEERING
Collaboration Technology Group
shcooley@cisco.com
Phone: +1 408 902 3344
Mobile: +1 310 293 2087

[http://www.cisco.com/web/europe/images/email/signature/logo05.jpg]
Cisco.com

This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.

For corporate legal information go to: http://www.cisco.com/web/about/doing_business/legal/cri/index.html

--_000_BY2PR03MB44255D6D63EA00274A86086F5080BY2PR03MB442namprd_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable
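The padding rule quoted in the message above (k - (l mod k) octets, each of value k - (l mod k)), worked through for the 8-octet PKCS #5 case and the 16-octet AES case. This is an added example, not code from the thread or from any JOSE implementation; all function names are hypothetical and the sample plaintexts are constructed.

```javascript
// Added illustration: function names are hypothetical and the sample
// plaintexts are constructed. Pure JavaScript, no crypto library involved.

// The pad length is carried in a single octet, so k must be below 256.
function checkBlockSize(k) {
  if (!Number.isInteger(k) || k < 1 || k > 255) {
    throw new RangeError("block size must be an integer from 1 to 255");
  }
}

// PKCS #7 rule as quoted in the thread: append k - (l mod k) octets,
// each with value k - (l mod k), where l is the input length.
function pkcs7Pad(data, k) {
  checkBlockSize(k);
  const padLen = k - (data.length % k); // 1..k; a full block when l mod k == 0
  const out = new Uint8Array(data.length + padLen);
  out.set(data, 0);
  out.fill(padLen, data.length);
  return out;
}

// PKCS #5 is the same rule with the block size fixed at 8 octets.
function pkcs5Pad(data) {
  return pkcs7Pad(data, 8);
}

// Strict removal: every pad octet is checked, not only the last one.
function pkcs7Unpad(padded, k) {
  checkBlockSize(k);
  if (padded.length === 0 || padded.length % k !== 0) {
    throw new Error("length is not a positive multiple of the block size");
  }
  const padLen = padded[padded.length - 1];
  if (padLen < 1 || padLen > k) {
    throw new Error("pad length octet out of range for this block size");
  }
  for (let i = padded.length - padLen; i < padded.length; i++) {
    if (padded[i] !== padLen) throw new Error("inconsistent pad octets");
  }
  return padded.slice(0, padded.length - padLen);
}

// Compare the 8-octet rule with the 16-octet (AES) rule for a plaintext of
// the given length, and report whether an unpadder that assumes 8-octet
// blocks would accept the AES-sized padding.
function comparePadding(length) {
  const msg = new Uint8Array(length).fill(0x41); // constructed plaintext
  const p5 = pkcs5Pad(msg);
  const p7 = pkcs7Pad(msg, 16);
  let acceptedByK8 = true;
  try {
    pkcs7Unpad(p7, 8);
  } catch (e) {
    acceptedByK8 = false;
  }
  return {
    pkcs5PadLen: p5.length - length,
    aesPadLen: p7.length - length,
    identical: p5.length === p7.length && p5.every((b, i) => b === p7[i]),
    acceptedByK8,
  };
}

// Lengths chosen so the two rules diverge (5, 16) and coincide (10).
for (const n of [5, 10, 16]) {
  console.log(n, JSON.stringify(comparePadding(n)));
}
```

The two rules agree only when the 16-octet pad happens to be 8 octets or fewer; otherwise a decoder limited to 8-octet blocks rejects the pad value. In JWA's AES_CBC_HMAC_SHA2 construction the HMAC tag is verified before decryption, so padding removal only ever runs on authenticated ciphertext.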

--_000_BY2PR03MB44255D6D63EA00274A86086F5080BY2PR03MB442namprd_--
--_004_BY2PR03MB44255D6D63EA00274A86086F5080BY2PR03MB442namprd_ Content-Type: image/jpeg; name="image001.jpg" Content-Description: image001.jpg Content-Disposition: inline; filename="image001.jpg"; size=5673; creation-date="Thu, 26 Mar 2015 23:41:17 GMT"; modification-date="Thu, 26 Mar 2015 23:41:17 GMT" Content-ID: Content-Transfer-Encoding: base64
--_004_BY2PR03MB44255D6D63EA00274A86086F5080BY2PR03MB442namprd_--
From nobody Thu Mar 26 17:32:02 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 833481A8840 for ; Thu, 26 Mar 2015 17:32:01 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.578 X-Spam-Level: X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0JKvz0FpY8_Q for ; Thu, 26 Mar 2015 17:31:58 -0700 (PDT) Received: from na3sys009aog117.obsmtp.com (na3sys009aog117.obsmtp.com [74.125.149.242]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33A791A882F for ; Thu, 26 Mar 2015 17:31:58 -0700 (PDT) Received: from mail-ig0-f174.google.com ([209.85.213.174]) (using TLSv1) by na3sys009aob117.postini.com ([74.125.148.12]) with SMTP ID DSNKVRSk/cgW0+dJDvPAzh6h2nUMWpoF5kZj@postini.com; Thu, 26 Mar 2015 17:31:58 PDT Received: by igcau2 with SMTP id au2so23095944igc.1 for ; Thu, 26 Mar 2015 17:31:57 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=RvLxGsqBLpgCep1qiSnOyiqR4pzPYq2CIOrL90bYGzA=;
b=PYWWmk53wwxI1lCvT+6YeIqNxCIbCFAbVMIxkuNo7+3nCV3iDMFjR7cQA8M2124xtj HT8Wi7qcOv8yaCmuGrjCluGQQoZ0o3nuNN9lCdOpdLZAiTaiPb5nYMiA0ptA1ZjznSVH HHO4HntpuiPBu0xo6Ckgcw59Nca3Rx3McJrLIZnIbz4L5zd6pUVNVHpvY0SiX38MP8rB e2it9VzItffbL93CdJeE6W4yH6ULvRPvW8M0gCZCbnibPXhPHHAccxJPzXJMc6piSzMG boHHD14VBH+7llu5D9IuyFm0MbMw5SwhhbLFiBrKPeNIA8HbpK1Hh7Zp4SBuTIz1slPx Ka+w== X-Gm-Message-State: ALoCoQkBTLcAlJTwwWbb8JQxt2g0okdtwFiDElw8fEJHT4hJy8TG9LrIfBS02AEdMLtrivN8grYpBFGGiwMiMyH2nstvoB266Dtm+4sW0VIyHKTHC+L9jUcqvN9W/bPxhuI63wThwh9x X-Received: by 10.50.176.196 with SMTP id ck4mr41447306igc.40.1427416317495; Thu, 26 Mar 2015 17:31:57 -0700 (PDT) MIME-Version: 1.0 X-Received: by 10.50.176.196 with SMTP id ck4mr41447290igc.40.1427416317333; Thu, 26 Mar 2015 17:31:57 -0700 (PDT) Received: by 10.64.7.193 with HTTP; Thu, 26 Mar 2015 17:31:56 -0700 (PDT) Received: by 10.64.7.193 with HTTP; Thu, 26 Mar 2015 17:31:56 -0700 (PDT) In-Reply-To: References: <187A7B1DA239514F9146FC78B19AADE322D48DD4@xmb-aln-x10.cisco.com> <4E1F6AAD24975D4BA5B16804296739439AD6D7DD@TK5EX14MBXC292.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439AD86E7C@TK5EX14MBXC294.redmond.corp.microsoft.com> Date: Thu, 26 Mar 2015 19:31:56 -0500 Message-ID: From: Brian Campbell To: Mike Jones Content-Type: multipart/related; boundary=089e0111b8fa8ad4a305123a4216 Archived-At: Cc: "jose@ietf.org" , "Shaun Cooley \(shcooley\)" , Matt Miller Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5) X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Mar 2015 00:32:01 -0000 --089e0111b8fa8ad4a305123a4216 Content-Type: multipart/alternative; boundary=089e0111b8fa8ad49e05123a4215 --089e0111b8fa8ad49e05123a4215 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable I am pretty sure you should not make that 
change to the JCA algorithm string. I'll have to search around to remember why, some oddity of Java I think, but I'm away from my laptop right now and that one is too much to research on a phone.

On Mar 26, 2015 6:41 PM, "Mike Jones" wrote:

> I am working on the formatting of the algorithm cross-reference tables
> in JWA Appendix A
> http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendix-A
> with the RFC Editor to make them more readable.  When looking at the table
> content (in a more readable rendition I’ll share with you soon), I noticed
> that this string appears for the JCA value of three algorithms:
>
>     AES/CBC/PKCS5Padding
>
> which I believe should be
>
>     AES/CBC/PKCS7Padding
>
> This would be consistent with the changes made in -28 for the reasons
> described in this thread.  JAVA IMPLEMENTERS – If you are currently using
> AES/CBC/PKCS5Padding can you please verify that your implementation still
> works after changing this string to AES/CBC/PKCS7Padding and that the
> results are still correct and reply to us letting us know what happened?
> Matt, if your code for the cookbook is in Java, it would be especially
> good if you made this code change and verified that nothing changes in the
> output.
>
> Also, this clearly inconsistent sentence currently occurs in
> http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-5.2.1
> :
>
>     CBC-PKCS5-ENC(X, P) denotes the AES CBC encryption of P using PKCS
>     #7 padding using the cipher with the key X.
>
> I believe that the identifier CBC-PKCS5-ENC should be changed to
> CBC-PKCS7-ENC.
>
> Unless people disagree, I will plan to apply these corrections during
> AUTH48.
>
>     Thanks all,
>     -- Mike
>
> *From:* jose [mailto:jose-bounces@ietf.org] *On Behalf Of *Mike Jones
> *Sent:* Friday, June 20, 2014 7:03 PM
> *To:* Shaun Cooley (shcooley)
> *Cc:* jose@ietf.org; Matt Miller (mamille2)
> *Subject:* Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2
> (PKCS #5)
>
> This change has been incorporated in the -28 drafts.
>
>     Thanks again,
>     Shaun,
>     -- Mike
>
> *From:* jose [mailto:jose-bounces@ietf.org] *On
> Behalf Of *Mike Jones
> *Sent:* Friday, June 13, 2014 2:27 PM
> *To:* Shaun Cooley (shcooley)
> *Cc:* jose@ietf.org; Matt Miller (mamille2)
> *Subject:* Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2
> (PKCS #5)
>
> (Adding the JOSE working group)
>
> I believe you’re right.  I’ll plan to make this change in the next version
> of the spec.
>
> Thanks for the careful read!
>
>     -- Mike
>
> *From:* Shaun Cooley (shcooley) [mailto:shcooley@cisco.com]
> *Sent:* Friday, June 13, 2014 10:34 AM
> *To:* Mike Jones
> *Cc:* Matt Miller (mamille2)
> *Subject:* draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)
>
> Michael –
>
> I am working on implementing a browser compatible JS implementation of
> JOSE, based on the work Matt Miller did for Node.JS.  While going through
> the spec, I noticed that PKCS #5 is called out for the AES-CBC ciphers.
> Shouldn’t this be PKCS #7?
>
> PKCS #5 – RFC2898 section 6.2 specifies:
>
> The padding string PS shall consist of 8 - (||M|| mod 8) octets all having
> value 8 - (||M|| mod 8).
>
> PKCS #7 – RFC2315 section 10.3 note 2 specifies:
>
> For such algorithms, the method shall be to pad the input at the trailing
> end with k - (l mod k) octets all having value k - (l mod k), where l is
> the length of the input.
>
> PKCS #7 allows for padding in block sizes of 2-255 bytes, whereas PKCS #5
> is intended for block sizes of 8.  This means that PKCS #7 is a superset of
> #5, and given that AES is a block size of 16, it seems the spec should
> require PKCS #7.
>
> Thoughts?
>
> *Shaun Cooley*
> DISTINGUISHED ENGINEER.ENGINEERING
> Collaboration Technology Group
> shcooley@cisco.com
> Phone: *+1 408 902 3344*
> Mobile: *+1 310 293 2087*
>
> [image: http://www.cisco.com/web/europe/images/email/signature/logo05.jpg]
> Cisco.com
>
> This email may contain confidential and privileged material for the sole
> use of the intended recipient. Any review, use, distribution or disclosure
> by others is strictly prohibited. If you are not the intended recipient (or
> authorized to receive for the recipient), please contact the sender by
> reply email and delete all copies of this message.
>
> For corporate legal information go to:
> http://www.cisco.com/web/about/doing_business/legal/cri/index.html
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>

--089e0111b8fa8ad49e05123a4215 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

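The two padding rules quoted in this thread (RFC 2898 section 6.2 for PKCS #5, RFC 2315 section 10.3 note 2 for PKCS #7), as an added JavaScript example that is not code from any participant or from the JOSE drafts. It pads with k = 8 and k = 16 and checks which one Node.js's `aes-128-cbc` actually emits; the helper names, key and IV are constructed for illustration.

```javascript
// Added example: PKCS #7 padding (RFC 2315, section 10.3 note 2) with PKCS #5
// (RFC 2898, section 6.2) as the fixed k = 8 case. Helper names are illustrative.
const nodeCrypto = require('crypto');

// Constructed key and IV for the demonstration only.
const KEY = Buffer.alloc(16, 0x11);
const IV = Buffer.alloc(16, 0x22);

// Append k - (l mod k) octets, each holding the value k - (l mod k).
function pkcs7Pad(input, k) {
  if (!Number.isInteger(k) || k < 1 || k > 255) {
    throw new RangeError('block size k must be between 1 and 255');
  }
  const padLen = k - (input.length % k);
  return Buffer.concat([input, Buffer.alloc(padLen, padLen)]);
}

// Strict removal: every padding octet must equal the padding length,
// and that length must be in 1..k.
function pkcs7Unpad(padded, k) {
  if (padded.length === 0 || padded.length % k !== 0) {
    throw new Error('length is not a positive multiple of k');
  }
  const padLen = padded[padded.length - 1];
  if (padLen < 1 || padLen > k) {
    throw new Error('invalid padding length');
  }
  for (let i = padded.length - padLen; i < padded.length; i++) {
    if (padded[i] !== padLen) {
      throw new Error('inconsistent padding octets');
    }
  }
  return padded.subarray(0, padded.length - padLen);
}

// Encrypt with the cipher's default padding, then decrypt with automatic
// unpadding switched off so the padded plaintext is returned untouched.
function rawPaddedPlaintext(plaintext) {
  const enc = nodeCrypto.createCipheriv('aes-128-cbc', KEY, IV);
  const ciphertext = Buffer.concat([enc.update(plaintext), enc.final()]);
  const dec = nodeCrypto.createDecipheriv('aes-128-cbc', KEY, IV);
  dec.setAutoPadding(false);
  return Buffer.concat([dec.update(ciphertext), dec.final()]);
}

// Compare what AES-CBC produced against both padding rules.
function comparePadding(plaintext) {
  const raw = rawPaddedPlaintext(plaintext);
  const k8 = pkcs7Pad(plaintext, 8);
  return {
    matchesK16: raw.equals(pkcs7Pad(plaintext, 16)),
    matchesK8: raw.equals(k8),
    k8FitsAesBlocks: k8.length % 16 === 0,
  };
}

// Message lengths chosen so that l mod 16 is below 8, at least 8, and 0.
for (const len of [3, 10, 16]) {
  console.log(len, comparePadding(Buffer.alloc(len, 0x41)));
}
```

The two rules produce identical output only when l mod 16 is at least 8, so a test with a single message length can miss the difference.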

ytVHBGVkYleRRQrycydi5ZgAew9JetnX7flmix0/KN4CK5zHMMQhiEMQhiEU6a3iEOmsQ7Q6a6dO nw/LEIdM4kIQ6azmEOmsQ/CHTWPwhDprEIriEMQhiEMQhiEMQhiEMQhiEMQhiEMQhiEMQhiEMQhi EMQhiEMQhiEMQhiEMQhiEMQhiEMQhiEMQhiEf//Z --089e0111b8fa8ad4a305123a4216-- From nobody Thu Mar 26 23:20:57 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F2B71A1B27 for ; Thu, 26 Mar 2015 23:20:55 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dxA1qnBHD4yu for ; Thu, 26 Mar 2015 23:20:53 -0700 (PDT) Received: from mail-wi0-x234.google.com (mail-wi0-x234.google.com [IPv6:2a00:1450:400c:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17F2D1A1A62 for ; Thu, 26 Mar 2015 23:20:53 -0700 (PDT) Received: by wiaa2 with SMTP id a2so17557720wia.0 for ; Thu, 26 Mar 2015 23:20:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=CVUqpqBAhIh4I+D8rP1HthIC0A4HmRdPGeZ1oiM/M2Y=; b=yN2qJWPOnhMzig1zBJAaiBx08tfu3wyQxVKwGA3inLSbGq5YS+TQx4H/CNit4mIBji DT1WzmblD7xbX3RpetC2cT7aQhBAUBzSfWU9j61AHepIQpV+ngl6La/qgIg/HoCtUI6e FA6PG5smB2SUUQScvWqlPqphqbx1deqrIB3D7w9h13OGts+S7w2yiVi7nJ6mWZscnMrG AIqcVVwsExZyfJvILx813VS5ihXPTYF7blIkR6v/kiaV0x+W5jwLUrxMjS/o1myTY4i8 fN8/pXXy1wpjhXOhtUMZClwIE8zl76SRKmFh18m1DVNxtOtzClumZeHfrLeCmCPwT8VQ xZgw== X-Received: by 10.180.107.198 with SMTP id 
he6mr20881245wib.68.1427437251860; Thu, 26 Mar 2015 23:20:51 -0700 (PDT) Received: from [192.168.1.79] (4.197.130.77.rev.sfr.net. [77.130.197.4]) by mx.google.com with ESMTPSA id ei8sm1957260wib.10.2015.03.26.23.20.50 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 26 Mar 2015 23:20:51 -0700 (PDT) Message-ID: <5514F6C0.7090905@gmail.com> Date: Fri, 27 Mar 2015 07:20:48 +0100 From: Anders Rundgren User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: Brian Campbell , Mike Jones References: <187A7B1DA239514F9146FC78B19AADE322D48DD4@xmb-aln-x10.cisco.com> <4E1F6AAD24975D4BA5B16804296739439AD6D7DD@TK5EX14MBXC292.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439AD86E7C@TK5EX14MBXC294.redmond.corp.microsoft.com> In-Reply-To: Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit Archived-At: Cc: "Shaun Cooley \(shcooley\)" , "jose@ietf.org" , Matt Miller Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5) X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Mar 2015 06:20:55 -0000 On 2015-03-27 01:31, Brian Campbell wrote: > I am pretty sure you should not make that change to the JCA algorithm string. > I'll have to search around to remember why, some oddity of Java I think, > but I'm away from my laptop right now and that one is too much to research on a phone. Indeed, this is an old SUN bug that we have to put up with: http://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html It is worth a note though. 
Anders > > On Mar 26, 2015 6:41 PM, "Mike Jones" > wrote: > > I am working on the formatting of the algorithm cross-reference tables in JWA Appendix A http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendix-A with the RFC Editor to make them more readable. When looking at the table content (in a more readable rendition I’ll share with you soon), I noticed that this string appears for the JCA value of three algorithms:____ > > AES/CBC/PKCS5Padding____ > > which I believe should be____ > > AES/CBC/PKCS7Padding____ > > __ __ > > This would be consistent with the changes made in -28 for the reasons described in this thread. JAVA IMPLEMENTERS– If you are currently using AES/CBC/PKCS5Padding can you please verify that your implementation still works after changing this string to AES/CBC/PKCS7Padding and that the results are still correct and reply to us letting us know what happened? Matt, if your code for the cookbook is in Java, it would be especially good if you made this code change and verified that nothing changes in the output.____ > > __ __ > > Also, this clearly inconsistent sentence currently occurs in http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-5.2.1:____ > > CBC-PKCS5-ENC(X, P) denotes the AES CBC encryption of P using PKCS____ > > #7 padding using the cipher with the key X.____ > > __ __ > > I believe that the identifier CBC-PKCS5-ENCshould be changed to CBC-PKCS7-ENC.____ > > __ __ > > Unless people disagree, I will plan to apply these corrections during AUTH48.____ > > __ __ > > Thanks all,____ > > -- Mike____ > > __ __ > > *From:*jose [mailto:jose-bounces@ietf.org ] *On Behalf Of *Mike Jones > *Sent:* Friday, June 20, 2014 7:03 PM > *To:* Shaun Cooley (shcooley) > *Cc:* jose@ietf.org ; Matt Miller (mamille2) > *Subject:* Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)____ > > __ __ > > This change has been incorporated in the -28 drafts.____ > > __ __ > > Thanks again, Shaun,____ > 
> -- Mike____ > > __ __ > > *From:*jose [mailto:jose-bounces@ietf.org] *On Behalf Of *Mike Jones > *Sent:* Friday, June 13, 2014 2:27 PM > *To:* Shaun Cooley (shcooley) > *Cc:* jose@ietf.org ; Matt Miller (mamille2) > *Subject:* Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)____ > > __ __ > > (Adding the JOSE working group)____ > > __ __ > > I believe you’re right. I’ll plan to make this change in the next version of the spec.____ > > __ __ > > Thanks for the careful read!____ > > __ __ > > -- Mike____ > > __ __ > > *From:*Shaun Cooley (shcooley) [mailto:shcooley@cisco.com] > *Sent:* Friday, June 13, 2014 10:34 AM > *To:* Mike Jones > *Cc:* Matt Miller (mamille2) > *Subject:* draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)____ > > __ __ > > Michael –____ > > I am working on implementing a browser compatible JS implementation of JOSE, based on the work Matt Miller did for Node.JS. While going through the spec, I noticed that PKCS #5 is called out for the AES-CBC ciphers. Shouldn’t this be PKCS #7?____ > > __ __ > > PKCS #5 – RFC2898 section 6.2 specifies:____ > > The padding string PS shall consist of 8 - (||M|| mod 8) octets all having value 8 - (||M|| mod 8).____ > > __ __ > > PKCS #7 – RFC2315 section 10.3 note 2 specifies:____ > > For such algorithms, the method shall be to pad the input at the trailing end with k - (l mod k) octets all having value k - (l mod k), where l is the length of the input.____ > > __ __ > > PKCS #7 allows for padding in block sizes of 2-255 bytes, whereas PKCS #5 is intended for block sizes of 8. 
This means that PKCS #7 is a superset of #5, and given that AES is a block size of 16, it seems the spec should require PKCS #7.____ > > __ __ > > Thoughts?____ > > __ __ > > *Shaun Cooley* > DISTINGUISHED ENGINEER.ENGINEERING > Collaboration Technology Group > shcooley@cisco.com > Phone: *+1 408 902 3344 * > Mobile: *+1 310 293 2087 *____ > > > > http://www.cisco.com/web/europe/images/email/signature/logo05.jpg > Cisco.com ____ > > __ __ > > This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.____ > > For corporate legal information go to: > http://www.cisco.com/web/about/doing_business/legal/cri/index.html____ > > __ __ > > __ __ > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > From nobody Fri Mar 27 06:09:40 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA2721A8780 for ; Thu, 26 Mar 2015 17:11:23 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -14.51 X-Spam-Level: X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9AwaOOVkPUxg for ; Thu, 26 Mar 2015 
17:11:21 -0700 (PDT) Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F0B91A873E for ; Thu, 26 Mar 2015 17:11:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=19557; q=dns/txt; s=iport; t=1427415081; x=1428624681; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=0Trk+rviPAT66mBzVD0BCGHtx/lmFk9qw0Bh2cs111w=; b=dVr+nwQMIQ/+VaEK1/pxHH+dj2MfKG9XfEmGF2ArdaI9CZDuZ5V282sx YhHKZu1TfEhwfuKFYSYcLWIiRdcxMXiSY6aU0tCTFmg7kwtFQVKhMYrV5 nKn32l9HzgSHtnabgPhmG02S2qG4GB+SH682mW55vkURz3fHuR8blZ1B7 k=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0BRBgDynxRV/5JdJa1cgkNDUloEwzCCAYVzAoFFTAEBAQEBAX2EFAEBAQQtXAIBCA4DBAEBCw8CDAcyFAkIAgQBEgiIJw3MBAEBAQEBAQEBAQEBAQEBAQEBAQEBAReLKIRHNwEgBwKCboEWBYULgUKHdYIOg2+HGzqCdoJaiUGDRyKBfwMcgVBvAQFjH0B/AQEB X-IronPort-AV: E=Sophos;i="5.11,476,1422921600"; d="scan'208,217";a="403915256" Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by rcdn-iport-1.cisco.com with ESMTP; 27 Mar 2015 00:10:57 +0000 Received: from xhc-rcd-x06.cisco.com (xhc-rcd-x06.cisco.com [173.37.183.80]) by rcdn-core-10.cisco.com (8.14.5/8.14.5) with ESMTP id t2R0AvRw014358 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 27 Mar 2015 00:10:57 GMT Received: from xmb-aln-x10.cisco.com ([169.254.5.108]) by xhc-rcd-x06.cisco.com ([173.37.183.80]) with mapi id 14.03.0195.001; Thu, 26 Mar 2015 19:10:57 -0500 From: "Shaun Cooley (shcooley)" To: Mike Jones , "jose@ietf.org" , "Matt Miller (mamille2)" Thread-Topic: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5) Thread-Index: AQHQaB5s2b3uP7gIUkup1RKg/ZrPmZ0vdJOQ Date: Fri, 27 Mar 2015 00:10:55 +0000 Message-ID: <187A7B1DA239514F9146FC78B19AADE356CB143A@xmb-aln-x10.cisco.com> References: <187A7B1DA239514F9146FC78B19AADE322D48DD4@xmb-aln-x10.cisco.com> 
<4E1F6AAD24975D4BA5B16804296739439AD6D7DD@TK5EX14MBXC292.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439AD86E7C@TK5EX14MBXC294.redmond.corp.microsoft.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.19.187.27] Content-Type: multipart/alternative; boundary="_000_187A7B1DA239514F9146FC78B19AADE356CB143Axmbalnx10ciscoc_" MIME-Version: 1.0 Archived-At: X-Mailman-Approved-At: Fri, 27 Mar 2015 06:09:37 -0700 Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5) X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Mar 2015 00:11:24 -0000 --_000_187A7B1DA239514F9146FC78B19AADE356CB143Axmbalnx10ciscoc_ Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable Agreed. -Shaun From: Mike Jones [mailto:Michael.Jones@microsoft.com] Sent: Thursday, March 26, 2015 4:41 PM To: jose@ietf.org; Matt Miller (mamille2) Cc: Shaun Cooley (shcooley) Subject: RE: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PK= CS #5) I am working on the formatting of the algorithm cross-reference tables in J= WA Appendix A http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithm= s-40#appendix-A with the RFC Editor to make them more readable. When looki= ng at the table content (in a more readable rendition I=92ll share with you= soon), I noticed that this string appears for the JCA value of three algor= ithms: AES/CBC/PKCS5Padding which I believe should be AES/CBC/PKCS7Padding This would be consistent with the changes made in -28 for the reasons descr= ibed in this thread. 
JAVA IMPLEMENTERS =96 If you are currently using AES/= CBC/PKCS5Padding can you please verify that your implementation still works= after changing this string to AES/CBC/PKCS7Padding and that the results ar= e still correct and reply to us letting us know what happened? Matt, if yo= ur code for the cookbook is in Java, it would be especially good if you mad= e this code change and verified that nothing changes in the output. Also, this clearly inconsistent sentence currently occurs in http://tools.i= etf.org/html/draft-ietf-jose-json-web-algorithms-40#section-5.2.1: CBC-PKCS5-ENC(X, P) denotes the AES CBC encryption of P using PKCS #7 padding using the cipher with the key X. I believe that the identifier CBC-PKCS5-ENC should be changed to CBC-PKCS7-= ENC. Unless people disagree, I will plan to apply these corrections during AUTH4= 8. Thanks all, -- Mike From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones Sent: Friday, June 20, 2014 7:03 PM To: Shaun Cooley (shcooley) Cc: jose@ietf.org; Matt Miller (mamille2) Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PK= CS #5) This change has been incorporated in the -28 drafts. Thanks again, S= haun, -- Mike From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones Sent: Friday, June 13, 2014 2:27 PM To: Shaun Cooley (shcooley) Cc: jose@ietf.org; Matt Miller (mamille2) Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PK= CS #5) (Adding the JOSE working group) I believe you=92re right. I=92ll plan to make this change in the next vers= ion of the spec. Thanks for the careful read! -- Mike From: Shaun Cooley (shcooley) [mailto:shcooley@cisco.com] Sent: Friday, June 13, 2014 10:34 AM To: Mike Jones Cc: Matt Miller (mamille2) Subject: draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5) Michael =96 I am working on implementing a browser compatible JS implementation of JOS= E, based on the work Matt Miller did for Node.JS. 
While going through the = spec, I noticed that PKCS #5 is called out for the AES-CBC ciphers. Should= n=92t this be PKCS #7? PKCS #5 =96 RFC2898 section 6.2 specifies: The padding string PS shall consist of 8 - (||M|| mod 8) octets all having = value 8 - (||M|| mod 8). PKCS #7 =96 RFC2315 section 10.3 note 2 specifies: For such algorithms, the method shall be to pad the input at the trailing e= nd with k - (l mod k) octets all having value k - (l mod k), where l is the= length of the input. PKCS #7 allows for padding in block sizes of 2-255 bytes, whereas PKCS #5 i= s intended for block sizes of 8. This means that PKCS #7 is a superset of = #5, and given that AES is a block size of 16, it seems the spec should requ= ire PKCS #7. Thoughts? --_000_187A7B1DA239514F9146FC78B19AADE356CB143Axmbalnx10ciscoc_ Content-Type: text/html; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable

--_000_187A7B1DA239514F9146FC78B19AADE356CB143Axmbalnx10ciscoc_-- From nobody Fri Mar 27 07:36:37 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41F0C1ACEA0 for ; Fri, 27 Mar 2015 07:36:35 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.899 X-Spam-Level: X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eDDd25TStZ-d for ; Fri, 27 Mar 2015 07:36:32 -0700 (PDT) Received: from p3plsmtpa08-07.prod.phx3.secureserver.net (p3plsmtpa08-07.prod.phx3.secureserver.net [173.201.193.108]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DF011ACE8E for ; Fri, 27 Mar 2015 07:36:32 -0700 (PDT) Received: from [192.168.0.106] ([77.77.164.50]) by p3plsmtpa08-07.prod.phx3.secureserver.net with id 8ecV1q00Q15ZTut01ecWne; Fri, 27 Mar 2015 07:36:31 -0700 Message-ID: <55156AED.3060402@connect2id.com> Date: Fri, 27 Mar 2015 16:36:29 +0200 From: Vladimir Dzhuvinov Organization: Connect2id Ltd. 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: jose@ietf.org References: <187A7B1DA239514F9146FC78B19AADE322D48DD4@xmb-aln-x10.cisco.com> <4E1F6AAD24975D4BA5B16804296739439AD6D7DD@TK5EX14MBXC292.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439AD86E7C@TK5EX14MBXC294.redmond.corp.microsoft.com> <5514F6C0.7090905@gmail.com> In-Reply-To: <5514F6C0.7090905@gmail.com> Content-Type: multipart/alternative; boundary="------------060403050007020901020908" Archived-At: Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5) X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Mar 2015 14:36:35 -0000 This is a multi-part message in MIME format. --------------060403050007020901020908 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit

This is indeed a JCA oddity, when "PKCS5Padding" is specified Java actually does "PKCS7Padding".

If you stick "PKCS7Padding" you'll get an

    NoSuchAlgorithmException: Cannot find any provider supporting AES/CBC/PKCS7Padding

Vladimir

On 27.03.2015 08:20, Anders Rundgren wrote:
> On 2015-03-27 01:31, Brian Campbell wrote:
>> I am pretty sure you should not make that change to the JCA algorithm string.
> > I'll have to search around to remember why, some oddity of Java I think,
> > but I'm away from my laptop right now and that one is too much to research on a phone.
>
> Indeed, this is an old SUN bug that we have to put up with:
> http://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html
>
> It is worth a note though.
>
> Anders
>
>> On Mar 26, 2015 6:41 PM, "Mike Jones" <Michael.Jones@microsoft.com> wrote:
>>
>> I am working on the formatting of the algorithm cross-reference tables in JWA Appendix A http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendix-A with the RFC Editor to make them more readable. When looking at the table content (in a more readable rendition I’ll share with you soon), I noticed that this string appears for the JCA value of three algorithms:
>>
>>     AES/CBC/PKCS5Padding
>>
>> which I believe should be
>>
>>     AES/CBC/PKCS7Padding
>>
>> This would be consistent with the changes made in -28 for the reasons described in this thread. JAVA IMPLEMENTERS – If you are currently using AES/CBC/PKCS5Padding can you please verify that your implementation still works after changing this string to AES/CBC/PKCS7Padding and that the results are still correct and reply to us letting us know what happened? Matt, if your code for the cookbook is in Java, it would be especially good if you made this code change and verified that nothing changes in the output.
>>
>> Also, this clearly inconsistent sentence currently occurs in http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-5.2.1:
>>
>>     CBC-PKCS5-ENC(X, P) denotes the AES CBC encryption of P using PKCS
>>     #7 padding using the cipher with the key X.
>>
>> I believe that the identifier CBC-PKCS5-ENC should be changed to CBC-PKCS7-ENC.
>>
>> Unless people disagree, I will plan to apply these corrections during AUTH48.
>>
>>                 Thanks all,
>>                 -- Mike
>>
>> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
>> Sent: Friday, June 20, 2014 7:03 PM
>> To: Shaun Cooley (shcooley)
>> Cc: jose@ietf.org; Matt Miller (mamille2)
>> Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)
>>
>> This change has been incorporated in the -28 drafts.
>>
>>                 Thanks again, Shaun,
>>                 -- Mike
>>
>> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
>> Sent: Friday, June 13, 2014 2:27 PM
>> To: Shaun Cooley (shcooley)
>> Cc: jose@ietf.org; Matt Miller (mamille2)
>> Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)
>>
>> (Adding the JOSE working group)
>>
>> I believe you’re right. I’ll plan to make this change in the next version of the spec.
>>
>> Thanks for the careful read!
>>
>>                 -- Mike
>>
>> From: Shaun Cooley (shcooley) [mailto:shcooley@cisco.com]
>> Sent: Friday, June 13, 2014 10:34 AM
>> To: Mike Jones
>> Cc: Matt Miller (mamille2)
>> Subject: draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)
>>
>> Michael –
>>
>> I am working on implementing a browser compatible JS implementation of JOSE, based on the work Matt Miller did for Node.JS. While going through the spec, I noticed that PKCS #5 is called out for the AES-CBC ciphers. Shouldn’t this be PKCS #7?
>>
>> PKCS #5 – RFC2898 section 6.2 specifies:
>>
>> The padding string PS shall consist of 8 - (||M|| mod 8) octets all having value 8 - (||M|| mod 8).
>>
>> PKCS #7 – RFC2315 section 10.3 note 2 specifies:
>>
>> For such algorithms, the method shall be to pad the input at the trailing end with k - (l mod k) octets all having value k - (l mod k), where l is the length of the input.
>>
>> PKCS #7 allows for padding in block sizes of 2-255 bytes, whereas PKCS #5 is intended for block sizes of 8. This means that PKCS #7 is a superset of #5, and given that AES is a block size of 16, it seems the spec should require PKCS #7.
>>
>> Thoughts?
>>
>> Shaun Cooley
>> DISTINGUISHED ENGINEER.ENGINEERING
>> Collaboration Technology Group
>> shcooley@cisco.com
>> Phone: +1 408 902 3344
>> Mobile: +1 310 293 2087
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose

-- 
Vladimir Dzhuvinov :: vladimir@connect2id.com
--------------060403050007020901020908 Content-Type: text/html; charset=windows-1252 Content-Transfer-Encoding: 8bit

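
The two padding rules quoted from RFC 2898 and RFC 2315 earlier in the thread, and the JCA naming behaviour reported in the message above, can be checked together. This is an added example, not code from the thread or from any JOSE implementation; the class and helper names and the all-zero key and IV are constructed for illustration, and the outcome of the PKCS7Padding lookup depends on which JCA providers are installed.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added illustration; class and helper names are hypothetical.
public class JcaPaddingNameCheck {

    // RFC 2315 section 10.3 note 2: append k - (l mod k) octets, each with that value.
    static byte[] pkcs7Pad(byte[] input, int k) {
        if (k < 1 || k > 255) {
            throw new IllegalArgumentException("pad length must fit in one octet");
        }
        int padLen = k - (input.length % k);
        byte[] out = Arrays.copyOf(input, input.length + padLen);
        Arrays.fill(out, input.length, out.length, (byte) padLen);
        return out;
    }

    // RFC 2898 section 6.2: the same rule with the block size fixed at 8 octets.
    static byte[] pkcs5Pad(byte[] input) {
        return pkcs7Pad(input, 8);
    }

    // Encrypt under the named transformation, then decrypt with NoPadding so the
    // octets the provider appended are returned instead of being stripped.
    static byte[] paddedBlocks(String transformation, byte[] msg) throws Exception {
        SecretKeySpec key = new SecretKeySpec(new byte[16], "AES"); // constructed all-zero demo key
        IvParameterSpec iv = new IvParameterSpec(new byte[16]);     // constructed all-zero demo IV
        Cipher enc = Cipher.getInstance(transformation);
        enc.init(Cipher.ENCRYPT_MODE, key, iv);
        byte[] ciphertext = enc.doFinal(msg);
        Cipher dec = Cipher.getInstance("AES/CBC/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, iv);
        return dec.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        // Compare what "PKCS5Padding" really appends under AES with both written rules.
        for (int len : new int[] {0, 1, 7, 8, 15, 16, 17}) {
            byte[] msg = new byte[len];
            Arrays.fill(msg, (byte) 'A');
            byte[] seen = paddedBlocks("AES/CBC/PKCS5Padding", msg);
            System.out.printf("len=%2d padded=%2d padOctet=0x%02x pkcs7(k=16)=%b pkcs5(k=8)=%b%n",
                    len, seen.length, seen[seen.length - 1] & 0xff,
                    Arrays.equals(seen, pkcs7Pad(msg, 16)),
                    Arrays.equals(seen, pkcs5Pad(msg)));
        }

        // The name that matches the RFC 2315 rule is only usable if some
        // installed provider registers it.
        try {
            Cipher.getInstance("AES/CBC/PKCS7Padding");
            System.out.println("PKCS7Padding: accepted (an installed provider registers that name)");
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            System.out.println("PKCS7Padding: rejected: " + e);
        }
    }
}
```

For input lengths whose remainder mod 16 is 8 to 15, the k=8 and k=16 rules append the same octets, so only the shorter remainders distinguish the two.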
--------------060403050007020901020908-- From nobody Fri Mar 27 07:42:11 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50CF51ACE75 for ; Fri, 27 Mar 2015 07:42:10 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GYDuqxNOzP2h for ; Fri, 27 Mar 2015 07:42:05 -0700 (PDT) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0139.outbound.protection.outlook.com [65.55.169.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4BCE1A8834 for ; Fri, 27 Mar 2015 07:42:04 -0700 (PDT) Received: from BLUPR03MB440.namprd03.prod.outlook.com (10.141.78.154) by BLUPR03MB1476.namprd03.prod.outlook.com (25.163.81.18) with Microsoft SMTP Server (TLS) id 15.1.118.21; Fri, 27 Mar 2015 14:42:03 +0000 Received: from BLUPR03MB437.namprd03.prod.outlook.com (10.141.78.147) by BLUPR03MB440.namprd03.prod.outlook.com (10.141.78.154) with Microsoft SMTP Server (TLS) id 15.1.125.14; Fri, 27 Mar 2015 14:42:01 +0000 Received: from BLUPR03MB437.namprd03.prod.outlook.com ([10.141.78.147]) by BLUPR03MB437.namprd03.prod.outlook.com ([10.141.78.147]) with mapi id 15.01.0125.002; Fri, 27 Mar 2015 14:42:01 +0000 From: Mike Jones To: Vladimir Dzhuvinov , "jose@ietf.org" Thread-Topic: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5) Thread-Index: AQHQaB5bkfOhNCQj00mWiSuBrydmnp0vep8AgABheACAAIp+gIAAAWcA Date: Fri, 27 Mar 2015 14:42:01 +0000 Message-ID: References: 
<187A7B1DA239514F9146FC78B19AADE322D48DD4@xmb-aln-x10.cisco.com> <4E1F6AAD24975D4BA5B16804296739439AD6D7DD@TK5EX14MBXC292.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439AD86E7C@TK5EX14MBXC294.redmond.corp.microsoft.com> <5514F6C0.7090905@gmail.com> <55156AED.3060402@connect2id.com> In-Reply-To: <55156AED.3060402@connect2id.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [64.134.52.104] authentication-results: connect2id.com; dkim=none (message not signed) header.d=none; x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB440; UriScan:; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB1476; x-forefront-antispam-report: BMV:1; SFV:NSPM; SFS:(10019020)(979002)(51914003)(377454003)(24454002)(43784003)(36304003)(377424004)(92566002)(66066001)(2950100001)(2900100001)(76576001)(46102003)(74316001)(99286002)(86362001)(93886004)(19617315012)(86612001)(107886001)(19300405004)(2501003)(77096005)(2656002)(16236675004)(33656002)(106356001)(77156002)(62966003)(50986999)(87936001)(76176999)(54356999)(19580395003)(19580405001)(40100003)(106116001)(19625215002)(122556002)(102836002)(15975445007)(230783001)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR03MB440; H:BLUPR03MB437.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en; x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:; x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5002010)(5005006); SRVR:BLUPR03MB440; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB440; x-forefront-prvs: 0528942FD8 Content-Type: multipart/alternative; boundary="_000_BLUPR03MB437FA23B6B756B3DB551FC6F5090BLUPR03MB437namprd_" MIME-Version: 1.0 X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Mar 2015 14:42:01.3812 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47 X-MS-Exchange-Transport-CrossTenantHeadersStamped: 
BLUPR03MB440 X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5) X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Mar 2015 14:42:10 -0000 --_000_BLUPR03MB437FA23B6B756B3DB551FC6F5090BLUPR03MB437namprd_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Thanks a bunch, Vladimir. That definitively answers the question.

                -- Mike

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Vladimir Dzhuvinov
Sent: Friday, March 27, 2015 9:36 AM
To: jose@ietf.org
Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)

This is indeed a JCA oddity, when "PKCS5Padding" is specified Java actually does "PKCS7Padding".

If you stick "PKCS7Padding" you'll get an

    NoSuchAlgorithmException: Cannot find any provider supporting AES/CBC/PKCS7Padding

Vladimir

On 27.03.2015 08:20, Anders Rundgren wrote:

On 2015-03-27 01:31, Brian Campbell wrote:

I am pretty sure you should not make that change to the JCA algorithm string.
> I'll have to search around to remember why, some oddity of Java I think,
> but I'm away from my laptop right now and that one is too much to research on a phone.

Indeed, this is an old SUN bug that we have to put up with:
http://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html

It is worth a note though.

Anders

On Mar 26, 2015 6:41 PM, "Mike Jones" <Michael.Jones@microsoft.com> wrote:

I am working on the formatting of the algorithm cross-reference tables in JWA Appendix A http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendix-A with the RFC Editor to make them more readable. When looking at the table content (in a more readable rendition I'll share with you soon), I noticed that this string appears for the JCA value of three algorithms:

    AES/CBC/PKCS5Padding

which I believe should be

    AES/CBC/PKCS7Padding

This would be consistent with the changes made in -28 for the reasons described in this thread. JAVA IMPLEMENTERS - If you are currently using AES/CBC/PKCS5Padding can you please verify that your implementation still works after changing this string to AES/CBC/PKCS7Padding and that the results are still correct and reply to us letting us know what happened? Matt, if your code for the cookbook is in Java, it would be especially good if you made this code change and verified that nothing changes in the output.

Also, this clearly inconsistent sentence currently occurs in http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-5.2.1:

    CBC-PKCS5-ENC(X, P) denotes the AES CBC encryption of P using PKCS
    #7 padding using the cipher with the key X.

I believe that the identifier CBC-PKCS5-ENC should be changed to CBC-PKCS7-ENC.

Unless people disagree, I will plan to apply these corrections during AUTH48.

                Thanks all,
                -- Mike

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Friday, June 20, 2014 7:03 PM
To: Shaun Cooley (shcooley)
Cc: jose@ietf.org; Matt Miller (mamille2)
Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)

This change has been incorporated in the -28 drafts.

                Thanks again, Shaun,
                -- Mike

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Friday, June 13, 2014 2:27 PM
To: Shaun Cooley (shcooley)
Cc: jose@ietf.org; Matt Miller (mamille2)
Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)

(Adding the JOSE working group)

I believe you're right. I'll plan to make this change in the next version of the spec.

Thanks for the careful read!

                -- Mike

From: Shaun Cooley (shcooley) [mailto:shcooley@cisco.com]
Sent: Friday, June 13, 2014 10:34 AM
To: Mike Jones
Cc: Matt Miller (mamille2)
Subject: draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)

Michael -

I am working on implementing a browser compatible JS implementation of JOSE, based on the work Matt Miller did for Node.JS. While going through the spec, I noticed that PKCS #5 is called out for the AES-CBC ciphers. Shouldn't this be PKCS #7?

PKCS #5 - RFC2898 section 6.2 specifies:

The padding string PS shall consist of 8 - (||M|| mod 8) octets all having value 8 - (||M|| mod 8).

PKCS #7 - RFC2315 section 10.3 note 2 specifies:

For such algorithms, the method shall be to pad the input at the trailing end with k - (l mod k) octets all having value k - (l mod k), where l is the length of the input.

PKCS #7 allows for padding in block sizes of 2-255 bytes, whereas PKCS #5 is intended for block sizes of 8. This means that PKCS #7 is a superset of #5, and given that AES is a block size of 16, it seems the spec should require PKCS #7.

Thoughts?

Shaun Cooley
DISTINGUISHED ENGINEER.ENGINEERING
Collaboration Technology Group
shcooley@cisco.com
Phone: +1 408 902 3344
Mobile: +1 310 293 2087

-- 
Vladimir Dzhuvinov :: vladimir@connect2id.com
--_000_BLUPR03MB437FA23B6B756B3DB551FC6F5090BLUPR03MB437namprd_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Thanks a bunch, Vladimir.=   That definitively answers the question.

 <= /p>

    &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;     -- Mike

 <= /p>

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Vladimir Dzhuvinov
Sent: Friday, March 27, 2015 9:36 AM
To: jose@ietf.org
Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-= 5.2 (PKCS #5)

 

This is indeed a JCA = oddity, when "PKCS5Padding" is specified Java actually does "= ;PKCS7Padding".

If you stick "PKCS7Padding" you'll get an

NoSuchAlgorithmException: Cannot find any provider supporting AES=
/CBC/PKCS7Padding
 
 

Vladimir

On 27.03.2015 08:20, Anders Rundgren wrote:

On 2015-03-27 01:31, Brian Campbell wrote:

I am pretty sure you should not make that change to = the JCA algorithm string.

>  I'll have to search around to remember wh= y, some oddity of Java I think,
> but I'm away from my laptop right now and that one is too much to rese= arch on a phone.

Indeed, this is an old SUN bug that we have to put up with:
http://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html

It is worth a note though.

Anders



On Mar 26, 2015 6:41 PM, "Mike Jones" <Michael.Jones@microsoft.com <mailto:Michael.Jones@mic= rosoft.com>> wrote:

    I am working on the formatting of the algorithm cross-reference tables in JWA Appendix A http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendix-A with the RFC Editor to make them more readable.  When looking at the table content (in a more readable rendition I’ll share with you soon), I noticed that this string appears for the JCA value of three algorithms:

                    AES/CBC/PKCS5Padding

    which I believe should be

                    AES/CBC/PKCS7Padding

    This would be consistent with the changes made in -28 for the reasons described in this thread. JAVA IMPLEMENTERS – If you are currently using AES/CBC/PKCS5Padding can you please verify that your implementation still works after changing this string to AES/CBC/PKCS7Padding and that the results are still correct and reply to us letting us know what happened? Matt, if your code for the cookbook is in Java, it would be especially good if you made this code change and verified that nothing changes in the output.

    Also, this clearly inconsistent sentence currently occurs in http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-5.2.1:

           CBC-PKCS5-ENC(X, P) denotes the AES CBC encryption of P using PKCS
           #7 padding using the cipher with the key X.

    I believe that the identifier CBC-PKCS5-ENC should be changed to CBC-PKCS7-ENC.

    Unless people disagree, I will plan to apply these corrections during AUTH48.

                                                            Thanks all,
                                                            -- Mike

    *From:* jose [mailto:jose-bounces@ietf.org <mailto:jose-bounces@ietf.org>] *On Behalf Of* Mike Jones
    *Sent:* Friday, June 20, 2014 7:03 PM
    *To:* Shaun Cooley (shcooley)
    *Cc:* jose@ietf.org <mailto:jose@ietf.org>; Matt Miller (mamille2)
    *Subject:* Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)

    This change has been incorporated in the -28 drafts.

                                                            Thanks again, Shaun,
                                                            -- Mike

    *From:* jose [mailto:jose-bounces@ietf.org] *On Behalf Of* Mike Jones
    *Sent:* Friday, June 13, 2014 2:27 PM
    *To:* Shaun Cooley (shcooley)
    *Cc:* jose@ietf.org <mailto:jose@ietf.org>; Matt Miller (mamille2)
    *Subject:* Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)

    (Adding the JOSE working group)

    I believe you’re right.  I’ll plan to make this change in the next version of the spec.

    Thanks for the careful read!

                                                            -- Mike

    *From:* Shaun Cooley (shcooley) [mailto:shcooley@cisco.com]
    *Sent:* Friday, June 13, 2014 10:34 AM
    *To:* Mike Jones
    *Cc:* Matt Miller (mamille2)
    *Subject:* draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)

    Michael –

      I am working on implementing a browser compatible JS implementation of JOSE, based on the work Matt Miller did for Node.JS.  While going through the spec, I noticed that PKCS #5 is called out for the AES-CBC ciphers.  Shouldn’t this be PKCS #7?

    PKCS #5 – RFC2898 section 6.2 specifies:

    The padding string PS shall consist of 8 - (||M|| mod 8) octets all having value 8 - (||M|| mod 8).

    PKCS #7 – RFC2315 section 10.3 note 2 specifies:

    For such algorithms, the method shall be to pad the input at the trailing end with k - (l mod k) octets all having value k - (l mod k), where l is the length of the input.

    PKCS #7 allows for padding in block sizes of 2-255 bytes, whereas PKCS #5 is intended for block sizes of 8.  This means that PKCS #7 is a superset of #5, and given that AES is a block size of 16, it seems the spec should require PKCS #7.

    Thoughts?

    *Shaun Cooley*


-- 
Vladimir Dzhuvinov :: vladimir@connect2id.com
From nobody Fri Mar 27 10:15:55 2015
From: Brian Campbell
Date: Fri, 27 Mar 2015 12:15:14 -0500
To: Mike Jones
Cc: "jose@ietf.org", Vladimir Dzhuvinov
Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)

It may or may not warrant a note of some sort to explain the discrepancy (not sure if that's really in scope). It looks as though some providers like Bouncy Castle and the one on Android will work with "AES/CBC/PKCS7Padding". But "AES/CBC/PKCS5Padding" is what is needed for the Sun/Oracle JCA provider (I verified this again against Java 7 & 8) and is what is required by "Every implementation of the Java platform" per http://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html and it actually gives you PKCS7Padding even though it says 5.

On Fri, Mar 27, 2015 at 9:42 AM, Mike Jones wrote:

> Thanks a bunch, Vladimir.  That definitively answers the question.
>
>                                                             -- Mike
>
> *From:* jose [mailto:jose-bounces@ietf.org] *On Behalf Of* Vladimir Dzhuvinov
> *Sent:* Friday, March 27, 2015 9:36 AM
> *To:* jose@ietf.org
> *Subject:* Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)
>
> This is indeed a JCA oddity, when "PKCS5Padding" is specified Java actually does "PKCS7Padding".
>
> If you stick "PKCS7Padding" you'll get an
>
> NoSuchAlgorithmException: Cannot find any provider supporting AES/CBC/PKCS7Padding
>
> Vladimir
>
> On 27.03.2015 08:20, Anders Rundgren wrote:
>
> On 2015-03-27 01:31, Brian Campbell wrote:
>
> I am pretty sure you should not make that change to the JCA algorithm string.
>
> > I'll have to search around to remember why, some oddity of Java I think,
> > but I'm away from my laptop right now and that one is too much to research on a phone.
>
> Indeed, this is an old SUN bug that we have to put up with:
> http://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html
>
> It is worth a note though.
>
> Anders
>
> On Mar 26, 2015 6:41 PM, "Mike Jones" wrote:
>
>     I am working on the formatting of the algorithm cross-reference tables in JWA Appendix A http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#appendix-A with the RFC Editor to make them more readable.  When looking at the table content (in a more readable rendition I’ll share with you soon), I noticed that this string appears for the JCA value of three algorithms:
>
>                     AES/CBC/PKCS5Padding
>
>     which I believe should be
>
>                     AES/CBC/PKCS7Padding
>
>     This would be consistent with the changes made in -28 for the reasons described in this thread. JAVA IMPLEMENTERS – If you are currently using AES/CBC/PKCS5Padding can you please verify that your implementation still works after changing this string to AES/CBC/PKCS7Padding and that the results are still correct and reply to us letting us know what happened? Matt, if your code for the cookbook is in Java, it would be especially good if you made this code change and verified that nothing changes in the output.
>
>     Also, this clearly inconsistent sentence currently occurs in http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-5.2.1:
>
>            CBC-PKCS5-ENC(X, P) denotes the AES CBC encryption of P using PKCS
>            #7 padding using the cipher with the key X.
>
>     I believe that the identifier CBC-PKCS5-ENC should be changed to CBC-PKCS7-ENC.
>
>     Unless people disagree, I will plan to apply these corrections during AUTH48.
>
>                                                             Thanks all,
>                                                             -- Mike
>
>     *From:* jose [mailto:jose-bounces@ietf.org] *On Behalf Of* Mike Jones
>     *Sent:* Friday, June 20, 2014 7:03 PM
>     *To:* Shaun Cooley (shcooley)
>     *Cc:* jose@ietf.org; Matt Miller (mamille2)
>     *Subject:* Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)
>
>     This change has been incorporated in the -28 drafts.
>
>                                                             Thanks again, Shaun,
>                                                             -- Mike
>
>     *From:* jose [mailto:jose-bounces@ietf.org] *On Behalf Of* Mike Jones
>     *Sent:* Friday, June 13, 2014 2:27 PM
>     *To:* Shaun Cooley (shcooley)
>     *Cc:* jose@ietf.org; Matt Miller (mamille2)
>     *Subject:* Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)
>
>     (Adding the JOSE working group)
>
>     I believe you’re right.  I’ll plan to make this change in the next version of the spec.
>
>     Thanks for the careful read!
>
>                                                             -- Mike
>
>     *From:* Shaun Cooley (shcooley) [mailto:shcooley@cisco.com]
>     *Sent:* Friday, June 13, 2014 10:34 AM
>     *To:* Mike Jones
>     *Cc:* Matt Miller (mamille2)
>     *Subject:* draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)
>
>     Michael –
>
>       I am working on implementing a browser compatible JS implementation of JOSE, based on the work Matt Miller did for Node.JS.  While going through the spec, I noticed that PKCS #5 is called out for the AES-CBC ciphers.  Shouldn’t this be PKCS #7?
>
>     PKCS #5 – RFC2898 section 6.2 specifies:
>
>     The padding string PS shall consist of 8 - (||M|| mod 8) octets all having value 8 - (||M|| mod 8).
>
>     PKCS #7 – RFC2315 section 10.3 note 2 specifies:
>
>     For such algorithms, the method shall be to pad the input at the trailing end with k - (l mod k) octets all having value k - (l mod k), where l is the length of the input.
>
>     PKCS #7 allows for padding in block sizes of 2-255 bytes, whereas PKCS #5 is intended for block sizes of 8.  This means that PKCS #7 is a superset of #5, and given that AES is a block size of 16, it seems the spec should require PKCS #7.
>
>     Thoughts?
>
>     *Shaun Cooley*
>
> --
> Vladimir Dzhuvinov :: vladimir@connect2id.com
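The provider behaviour discussed in this thread, as an added example that is not part of any message or of the JOSE drafts: it compares the octets the JCA transformation "AES/CBC/PKCS5Padding" actually appends against the RFC 2315 rule with k = 16 and the RFC 2898 rule with k = 8, then asks the installed providers for "AES/CBC/PKCS7Padding". The class name, helper names, all-zero key and IV, and the sample message are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class JcaPaddingNameCheck {

    // RFC 2315 section 10.3 note 2: append k - (l mod k) octets, each holding that value.
    // RFC 2898 section 6.2 (PKCS #5) is the same rule with k fixed at 8.
    static byte[] pkcs7Pad(byte[] input, int k) {
        if (k < 2 || k > 255) {
            throw new IllegalArgumentException("block size k must be in 2..255");
        }
        int n = k - (input.length % k);
        byte[] out = Arrays.copyOf(input, input.length + n);
        Arrays.fill(out, input.length, out.length, (byte) n);
        return out;
    }

    // Encrypt with the named transformation, then decrypt with NoPadding so the
    // padding octets the provider appended are returned instead of being stripped.
    static byte[] paddedPlaintext(String transformation, byte[] plaintext)
            throws GeneralSecurityException {
        SecretKeySpec key = new SecretKeySpec(new byte[16], "AES"); // constructed test key
        IvParameterSpec iv = new IvParameterSpec(new byte[16]);      // constructed test IV

        Cipher enc = Cipher.getInstance(transformation);
        enc.init(Cipher.ENCRYPT_MODE, key, iv);
        byte[] ciphertext = enc.doFinal(plaintext);

        Cipher dec = Cipher.getInstance("AES/CBC/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, iv);
        return dec.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        // 20 octets: k = 16 calls for 12 pad octets, k = 8 calls for 4.
        byte[] msg = "twenty byte message!".getBytes(StandardCharsets.US_ASCII);

        byte[] viaJca = paddedPlaintext("AES/CBC/PKCS5Padding", msg);
        System.out.println("padded length: " + viaJca.length
                + ", pad octet value: " + viaJca[viaJca.length - 1]);
        System.out.println("matches PKCS #7 rule with k=16: "
                + Arrays.equals(viaJca, pkcs7Pad(msg, 16)));
        System.out.println("matches PKCS #5 rule with k=8:  "
                + Arrays.equals(viaJca, pkcs7Pad(msg, 8)));

        // Whether this name resolves depends on the installed providers.
        try {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS7Padding");
            System.out.println("AES/CBC/PKCS7Padding served by: " + c.getProvider().getName());
        } catch (GeneralSecurityException e) {
            System.out.println("AES/CBC/PKCS7Padding rejected: " + e);
        }
    }
}
```

Running it against each target runtime shows which of the two transformation strings that runtime accepts, and confirms that the padded plaintext is block-aligned to 16 octets regardless of the "5" in the name.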
From nobody Fri Mar 27 10:19:19 2015
From: Mike Jones
To: Brian Campbell
Cc: "jose@ietf.org", Vladimir Dzhuvinov
Date: Fri, 27 Mar 2015 17:19:12 +0000
Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5)

If an implementer tries AES/CBC/PKCS7Padding and it fails, the situation is self-correcting.  They’ll change to using what’s in the table, even though it may seem odd.  Given the RFC Editor has already done the editing and the doc is in final internal review state, I’d say that less is more at this point.
ZGVmaW5pdGl2ZWx5IGFuc3dlcnMgdGhlIHF1ZXN0aW9uLg0KDQogICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtLSBNaWtlDQoNCkZyb206 IGpvc2UgW21haWx0bzpqb3NlLWJvdW5jZXNAaWV0Zi5vcmc8bWFpbHRvOmpvc2UtYm91bmNlc0Bp ZXRmLm9yZz5dIE9uIEJlaGFsZiBPZiBWbGFkaW1pciBEemh1dmlub3YNClNlbnQ6IEZyaWRheSwg TWFyY2ggMjcsIDIwMTUgOTozNiBBTQ0KVG86IGpvc2VAaWV0Zi5vcmc8bWFpbHRvOmpvc2VAaWV0 Zi5vcmc+DQpTdWJqZWN0OiBSZTogW2pvc2VdIGRyYWZ0LWlldGYtam9zZS1qc29uLXdlYi1hbGdv cml0aG1zLTI3OiBzZWN0aW9uLTUuMiAoUEtDUyAjNSkNCg0KVGhpcyBpcyBpbmRlZWQgYSBKQ0Eg b2RkaXR5LCB3aGVuICJQS0NTNVBhZGRpbmciIGlzIHNwZWNpZmllZCBKYXZhIGFjdHVhbGx5IGRv ZXMgIlBLQ1M3UGFkZGluZyIuDQoNCklmIHlvdSBzdGljayAiUEtDUzdQYWRkaW5nIiB5b3UnbGwg Z2V0IGFuDQoNCk5vU3VjaEFsZ29yaXRobUV4Y2VwdGlvbjogQ2Fubm90IGZpbmQgYW55IHByb3Zp ZGVyIHN1cHBvcnRpbmcgQUVTL0NCQy9QS0NTN1BhZGRpbmcNCg0KDQoNCg0KVmxhZGltaXINCk9u IDI3LjAzLjIwMTUgMDg6MjAsIEFuZGVycyBSdW5kZ3JlbiB3cm90ZToNCk9uIDIwMTUtMDMtMjcg MDE6MzEsIEJyaWFuIENhbXBiZWxsIHdyb3RlOg0KSSBhbSBwcmV0dHkgc3VyZSB5b3Ugc2hvdWxk IG5vdCBtYWtlIHRoYXQgY2hhbmdlIHRvIHRoZSBKQ0EgYWxnb3JpdGhtIHN0cmluZy4NCj4gIEkn bGwgaGF2ZSB0byBzZWFyY2ggYXJvdW5kIHRvIHJlbWVtYmVyIHdoeSwgc29tZSBvZGRpdHkgb2Yg SmF2YSBJIHRoaW5rLA0KPiBidXQgSSdtIGF3YXkgZnJvbSBteSBsYXB0b3AgcmlnaHQgbm93IGFu ZCB0aGF0IG9uZSBpcyB0b28gbXVjaCB0byByZXNlYXJjaCBvbiBhIHBob25lLg0KDQpJbmRlZWQs IHRoaXMgaXMgYW4gb2xkIFNVTiBidWcgdGhhdCB3ZSBoYXZlIHRvIHB1dCB1cCB3aXRoOg0KaHR0 cDovL2RvY3Mub3JhY2xlLmNvbS9qYXZhc2UvNy9kb2NzL2FwaS9qYXZheC9jcnlwdG8vQ2lwaGVy Lmh0bWwNCg0KSXQgaXMgd29ydGggYSBub3RlIHRob3VnaC4NCg0KQW5kZXJzDQoNCg0KT24gTWFy IDI2LCAyMDE1IDY6NDEgUE0sICJNaWtlIEpvbmVzIiA8TWljaGFlbC5Kb25lc0BtaWNyb3NvZnQu Y29tPG1haWx0bzpNaWNoYWVsLkpvbmVzQG1pY3Jvc29mdC5jb20+IDxtYWlsdG86TWljaGFlbC5K b25lc0BtaWNyb3NvZnQuY29tPjxtYWlsdG86TWljaGFlbC5Kb25lc0BtaWNyb3NvZnQuY29tPj4g d3JvdGU6DQoNCiAgICBJIGFtIHdvcmtpbmcgb24gdGhlIGZvcm1hdHRpbmcgb2YgdGhlIGFsZ29y aXRobSBjcm9zcy1yZWZlcmVuY2UgdGFibGVzIGluIEpXQSBBcHBlbmRpeCBBIGh0dHA6Ly90b29s 
cy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYtam9zZS1qc29uLXdlYi1hbGdvcml0aG1zLTQwI2Fw cGVuZGl4LUEgd2l0aCB0aGUgUkZDIEVkaXRvciB0byBtYWtlIHRoZW0gbW9yZSByZWFkYWJsZS4g IFdoZW4gbG9va2luZyBhdCB0aGUgdGFibGUgY29udGVudCAoaW4gYSBtb3JlIHJlYWRhYmxlIHJl bmRpdGlvbiBJ4oCZbGwgc2hhcmUgd2l0aCB5b3Ugc29vbiksIEkgbm90aWNlZCB0aGF0IHRoaXMg c3RyaW5nIGFwcGVhcnMgZm9yIHRoZSBKQ0EgdmFsdWUgb2YgdGhyZWUgYWxnb3JpdGhtczpfX19f DQoNCiAgICAgICAgICAgICAgICAgICAgQUVTL0NCQy9QS0NTNVBhZGRpbmdfX19fDQoNCiAgICB3 aGljaCBJIGJlbGlldmUgc2hvdWxkIGJlX19fXw0KDQogICAgICAgICAgICAgICAgICAgIEFFUy9D QkMvUEtDUzdQYWRkaW5nX19fXw0KDQogICAgX18gX18NCg0KICAgIFRoaXMgd291bGQgYmUgY29u c2lzdGVudCB3aXRoIHRoZSBjaGFuZ2VzIG1hZGUgaW4gLTI4IGZvciB0aGUgcmVhc29ucyBkZXNj cmliZWQgaW4gdGhpcyB0aHJlYWQuIEpBVkEgSU1QTEVNRU5URVJT4oCTIElmIHlvdSBhcmUgY3Vy cmVudGx5IHVzaW5nIEFFUy9DQkMvUEtDUzVQYWRkaW5nIGNhbiB5b3UgcGxlYXNlIHZlcmlmeSB0 aGF0IHlvdXIgaW1wbGVtZW50YXRpb24gc3RpbGwgd29ya3MgYWZ0ZXIgY2hhbmdpbmcgdGhpcyBz dHJpbmcgdG8gQUVTL0NCQy9QS0NTN1BhZGRpbmcgYW5kIHRoYXQgdGhlIHJlc3VsdHMgYXJlIHN0 aWxsIGNvcnJlY3QgYW5kIHJlcGx5IHRvIHVzIGxldHRpbmcgdXMga25vdyB3aGF0IGhhcHBlbmVk PyBNYXR0LCBpZiB5b3VyIGNvZGUgZm9yIHRoZSBjb29rYm9vayBpcyBpbiBKYXZhLCBpdCB3b3Vs ZCBiZSBlc3BlY2lhbGx5IGdvb2QgaWYgeW91IG1hZGUgdGhpcyBjb2RlIGNoYW5nZSBhbmQgdmVy aWZpZWQgdGhhdCBub3RoaW5nIGNoYW5nZXMgaW4gdGhlIG91dHB1dC5fX19fDQoNCiAgICBfXyBf Xw0KDQogICAgQWxzbywgdGhpcyBjbGVhcmx5IGluY29uc2lzdGVudCBzZW50ZW5jZSBjdXJyZW50 bHkgb2NjdXJzIGluIGh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYtam9zZS1q c29uLXdlYi1hbGdvcml0aG1zLTQwI3NlY3Rpb24tNS4yLjE6X19fXw0KDQogICAgICAgICAgIENC Qy1QS0NTNS1FTkMoWCwgUCkgZGVub3RlcyB0aGUgQUVTIENCQyBlbmNyeXB0aW9uIG9mIFAgdXNp bmcgUEtDU19fX18NCg0KICAgICAgICAgICAjNyBwYWRkaW5nIHVzaW5nIHRoZSBjaXBoZXIgd2l0 aCB0aGUga2V5IFguX19fXw0KDQogICAgX18gX18NCg0KICAgIEkgYmVsaWV2ZSB0aGF0IHRoZSBp ZGVudGlmaWVyIENCQy1QS0NTNS1FTkNzaG91bGQgYmUgY2hhbmdlZCB0byBDQkMtUEtDUzctRU5D Ll9fX18NCg0KICAgIF9fIF9fDQoNCiAgICBVbmxlc3MgcGVvcGxlIGRpc2FncmVlLCBJIHdpbGwg 
cGxhbiB0byBhcHBseSB0aGVzZSBjb3JyZWN0aW9ucyBkdXJpbmcgQVVUSDQ4Ll9fX18NCg0KICAg IF9fIF9fDQoNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgVGhhbmtzIGFsbCxfX19fDQoNCiAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLS0gTWlrZV9fX18N Cg0KICAgIF9fIF9fDQoNCiAgICAqRnJvbToqam9zZSBbbWFpbHRvOmpvc2UtYm91bmNlc0BpZXRm Lm9yZyA8bWFpbHRvOmpvc2UtYm91bmNlc0BpZXRmLm9yZz48bWFpbHRvOmpvc2UtYm91bmNlc0Bp ZXRmLm9yZz5dICpPbiBCZWhhbGYgT2YgKk1pa2UgSm9uZXMNCiAgICAqU2VudDoqIEZyaWRheSwg SnVuZSAyMCwgMjAxNCA3OjAzIFBNDQogICAgKlRvOiogU2hhdW4gQ29vbGV5IChzaGNvb2xleSkN CiAgICAqQ2M6KiBqb3NlQGlldGYub3JnPG1haWx0bzpqb3NlQGlldGYub3JnPiA8bWFpbHRvOmpv c2VAaWV0Zi5vcmc+PG1haWx0bzpqb3NlQGlldGYub3JnPjsgTWF0dCBNaWxsZXIgKG1hbWlsbGUy KQ0KICAgICpTdWJqZWN0OiogUmU6IFtqb3NlXSBkcmFmdC1pZXRmLWpvc2UtanNvbi13ZWItYWxn b3JpdGhtcy0yNzogc2VjdGlvbi01LjIgKFBLQ1MgIzUpX19fXw0KDQogICAgX18gX18NCg0KICAg IFRoaXMgY2hhbmdlIGhhcyBiZWVuIGluY29ycG9yYXRlZCBpbiB0aGUgLTI4IGRyYWZ0cy5fX19f DQoNCiAgICBfXyBfXw0KDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgIFRoYW5rcyBhZ2FpbiwgU2hhdW4sX19fXw0KDQogICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIC0tIE1pa2VfX19fDQoNCiAgICBfXyBfXw0KDQogICAgKkZyb206Kmpvc2UgW21haWx0bzpq b3NlLWJvdW5jZXNAaWV0Zi5vcmddICpPbiBCZWhhbGYgT2YgKk1pa2UgSm9uZXMNCiAgICAqU2Vu dDoqIEZyaWRheSwgSnVuZSAxMywgMjAxNCAyOjI3IFBNDQogICAgKlRvOiogU2hhdW4gQ29vbGV5 IChzaGNvb2xleSkNCiAgICAqQ2M6KiBqb3NlQGlldGYub3JnPG1haWx0bzpqb3NlQGlldGYub3Jn PiA8bWFpbHRvOmpvc2VAaWV0Zi5vcmc+PG1haWx0bzpqb3NlQGlldGYub3JnPjsgTWF0dCBNaWxs ZXIgKG1hbWlsbGUyKQ0KICAgICpTdWJqZWN0OiogUmU6IFtqb3NlXSBkcmFmdC1pZXRmLWpvc2Ut anNvbi13ZWItYWxnb3JpdGhtcy0yNzogc2VjdGlvbi01LjIgKFBLQ1MgIzUpX19fXw0KDQogICAg X18gX18NCg0KICAgIChBZGRpbmcgdGhlIEpPU0Ugd29ya2luZyBncm91cClfX19fDQoNCiAgICBf XyBfXw0KDQogICAgSSBiZWxpZXZlIHlvdeKAmXJlIHJpZ2h0LiAgSeKAmWxsIHBsYW4gdG8gbWFr 
ZSB0aGlzIGNoYW5nZSBpbiB0aGUgbmV4dCB2ZXJzaW9uIG9mIHRoZSBzcGVjLl9fX18NCg0KICAg IF9fIF9fDQoNCiAgICBUaGFua3MgZm9yIHRoZSBjYXJlZnVsIHJlYWQhX19fXw0KDQogICAgX18g X18NCg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAtLSBNaWtlX19fXw0KDQogICAgX18gX18NCg0KICAgICpGcm9tOipTaGF1 biBDb29sZXkgKHNoY29vbGV5KSBbbWFpbHRvOnNoY29vbGV5QGNpc2NvLmNvbV0NCiAgICAqU2Vu dDoqIEZyaWRheSwgSnVuZSAxMywgMjAxNCAxMDozNCBBTQ0KICAgICpUbzoqIE1pa2UgSm9uZXMN CiAgICAqQ2M6KiBNYXR0IE1pbGxlciAobWFtaWxsZTIpDQogICAgKlN1YmplY3Q6KiBkcmFmdC1p ZXRmLWpvc2UtanNvbi13ZWItYWxnb3JpdGhtcy0yNzogc2VjdGlvbi01LjIgKFBLQ1MgIzUpX19f Xw0KDQogICAgX18gX18NCg0KICAgIE1pY2hhZWwg4oCTX19fXw0KDQogICAgICBJIGFtIHdvcmtp bmcgb24gaW1wbGVtZW50aW5nIGEgYnJvd3NlciBjb21wYXRpYmxlIEpTIGltcGxlbWVudGF0aW9u IG9mIEpPU0UsIGJhc2VkIG9uIHRoZSB3b3JrIE1hdHQgTWlsbGVyIGRpZCBmb3IgTm9kZS5KUy4g IFdoaWxlIGdvaW5nIHRocm91Z2ggdGhlIHNwZWMsIEkgbm90aWNlZCB0aGF0IFBLQ1MgIzUgaXMg Y2FsbGVkIG91dCBmb3IgdGhlIEFFUy1DQkMgY2lwaGVycy4gIFNob3VsZG7igJl0IHRoaXMgYmUg UEtDUyAjNz9fX19fDQoNCiAgICBfXyBfXw0KDQogICAgUEtDUyAjNSDigJMgUkZDMjg5OCBzZWN0 aW9uIDYuMiBzcGVjaWZpZXM6X19fXw0KDQogICAgVGhlIHBhZGRpbmcgc3RyaW5nIFBTIHNoYWxs IGNvbnNpc3Qgb2YgOCAtICh8fE18fCBtb2QgOCkgb2N0ZXRzIGFsbCBoYXZpbmcgdmFsdWUgOCAt ICh8fE18fCBtb2QgOCkuX19fXw0KDQogICAgX18gX18NCg0KICAgIFBLQ1MgIzcg4oCTIFJGQzIz MTUgc2VjdGlvbiAxMC4zIG5vdGUgMiBzcGVjaWZpZXM6X19fXw0KDQogICAgRm9yIHN1Y2ggYWxn b3JpdGhtcywgdGhlIG1ldGhvZCBzaGFsbCBiZSB0byBwYWQgdGhlIGlucHV0IGF0IHRoZSB0cmFp bGluZyBlbmQgd2l0aCBrIC0gKGwgbW9kIGspIG9jdGV0cyBhbGwgaGF2aW5nIHZhbHVlIGsgLSAo bCBtb2QgayksIHdoZXJlIGwgaXMgdGhlIGxlbmd0aCBvZiB0aGUgaW5wdXQuX19fXw0KDQogICAg X18gX18NCg0KICAgIFBLQ1MgIzcgYWxsb3dzIGZvciBwYWRkaW5nIGluIGJsb2NrIHNpemVzIG9m IDItMjU1IGJ5dGVzLCB3aGVyZWFzIFBLQ1MgIzUgaXMgaW50ZW5kZWQgZm9yIGJsb2NrIHNpemVz IG9mIDguICBUaGlzIG1lYW5zIHRoYXQgUEtDUyAjNyBpcyBhIHN1cGVyc2V0IG9mICM1LCBhbmQg Z2l2ZW4gdGhhdCBBRVMgaXMgYSBibG9jayBzaXplIG9mIDE2LCBpdCBzZWVtcyB0aGUgc3BlYyBz 
aG91bGQgcmVxdWlyZSBQS0NTICM3Ll9fX18NCg0KICAgIF9fIF9fDQoNCiAgICBUaG91Z2h0cz9f X19fDQoNCiAgICBfXyBfXw0KDQogICAgKlNoYXVuIENvb2xleSoNCiAgICBESVNUSU5HVUlTSEVE IEVOR0lORUVSLkVOR0lORUVSSU5HDQogICAgQ29sbGFib3JhdGlvbiBUZWNobm9sb2d5IEdyb3Vw DQogICAgc2hjb29sZXlAY2lzY28uY29tPG1haWx0bzpzaGNvb2xleUBjaXNjby5jb20+IDxtYWls dG86c2hjb29sZXlAY2lzY28uY29tPjxtYWlsdG86c2hjb29sZXlAY2lzY28uY29tPg0KICAgIFBo b25lOiAqKzEgNDA4IDkwMiAzMzQ0PHRlbDolMkIxJTIwNDA4JTIwOTAyJTIwMzM0ND4gPHRlbDol MkIxJTIwNDA4JTIwOTAyJTIwMzM0ND4qDQogICAgTW9iaWxlOiAqKzEgMzEwIDI5MyAyMDg3PHRl bDolMkIxJTIwMzEwJTIwMjkzJTIwMjA4Nz4gPHRlbDolMkIxJTIwMzEwJTIwMjkzJTIwMjA4Nz4q X19fXw0KDQoNCg0KICAgIGh0dHA6Ly93d3cuY2lzY28uY29tL3dlYi9ldXJvcGUvaW1hZ2VzL2Vt YWlsL3NpZ25hdHVyZS9sb2dvMDUuanBnDQogICAgQ2lzY28uY29tIDxodHRwOi8vd3d3LmNpc2Nv LmNvbS8+PGh0dHA6Ly93d3cuY2lzY28uY29tLz5fX19fDQoNCiAgICBfXyBfXw0KDQogICAgVGhp cyBlbWFpbCBtYXkgY29udGFpbiBjb25maWRlbnRpYWwgYW5kIHByaXZpbGVnZWQgbWF0ZXJpYWwg Zm9yIHRoZSBzb2xlIHVzZSBvZiB0aGUgaW50ZW5kZWQgcmVjaXBpZW50LiBBbnkgcmV2aWV3LCB1 c2UsIGRpc3RyaWJ1dGlvbiBvciBkaXNjbG9zdXJlIGJ5IG90aGVycyBpcyBzdHJpY3RseSBwcm9o aWJpdGVkLiBJZiB5b3UgYXJlIG5vdCB0aGUgaW50ZW5kZWQgcmVjaXBpZW50IChvciBhdXRob3Jp emVkIHRvIHJlY2VpdmUgZm9yIHRoZSByZWNpcGllbnQpLCBwbGVhc2UgY29udGFjdCB0aGUgc2Vu ZGVyIGJ5IHJlcGx5IGVtYWlsIGFuZCBkZWxldGUgYWxsIGNvcGllcyBvZiB0aGlzIG1lc3NhZ2Uu X19fXw0KDQogICAgRm9yIGNvcnBvcmF0ZSBsZWdhbCBpbmZvcm1hdGlvbiBnbyB0bzoNCiAgICBo dHRwOi8vd3d3LmNpc2NvLmNvbS93ZWIvYWJvdXQvZG9pbmdfYnVzaW5lc3MvbGVnYWwvY3JpL2lu ZGV4Lmh0bWxfX19fDQoNCiAgICBfXyBfXw0KDQogICAgX18gX18NCg0KDQogICAgX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCiAgICBqb3NlIG1haWxpbmcg bGlzdA0KICAgIGpvc2VAaWV0Zi5vcmc8bWFpbHRvOmpvc2VAaWV0Zi5vcmc+IDxtYWlsdG86am9z ZUBpZXRmLm9yZz48bWFpbHRvOmpvc2VAaWV0Zi5vcmc+DQogICAgaHR0cHM6Ly93d3cuaWV0Zi5v cmcvbWFpbG1hbi9saXN0aW5mby9qb3NlDQoNCg0KDQpfX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fXw0Kam9zZSBtYWlsaW5nIGxpc3QNCmpvc2VAaWV0Zi5vcmc8 
bWFpbHRvOmpvc2VAaWV0Zi5vcmc+DQpodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3Rp bmZvL2pvc2UNCg0KX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X18NCmpvc2UgbWFpbGluZyBsaXN0DQpqb3NlQGlldGYub3JnPG1haWx0bzpqb3NlQGlldGYub3Jn Pg0KaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9qb3NlDQoNCg0KLS0NCg0K VmxhZGltaXIgRHpodXZpbm92IDo6IHZsYWRpbWlyQGNvbm5lY3QyaWQuY29tPG1haWx0bzp2bGFk aW1pckBjb25uZWN0MmlkLmNvbT4NCg0KX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX18NCmpvc2UgbWFpbGluZyBsaXN0DQpqb3NlQGlldGYub3JnPG1haWx0bzpq b3NlQGlldGYub3JnPg0KaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9qb3Nl DQoNCg== --_000_BLUPR03MB437DD348A3D595DE05D7E14F5090BLUPR03MB437namprd_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTQgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 Q2FsaWJyaTsNCglwYW5vc2UtMToyIDE1IDUgMiAyIDIgNCAzIDIgNDt9DQpAZm9udC1mYWNlDQoJ e2ZvbnQtZmFtaWx5OlRhaG9tYTsNCglwYW5vc2UtMToyIDExIDYgNCAzIDUgNCA0IDIgNDt9DQpA Zm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OkNvbnNvbGFzOw0KCXBhbm9zZS0xOjIgMTEgNiA5IDIg MiA0IDMgMiA0O30NCi8qIFN0eWxlIERlZmluaXRpb25zICovDQpwLk1zb05vcm1hbCwgbGkuTXNv Tm9ybWFsLCBkaXYuTXNvTm9ybWFsDQoJe21hcmdpbjowaW47DQoJbWFyZ2luLWJvdHRvbTouMDAw MXB0Ow0KCWZvbnQtc2l6ZToxMi4wcHQ7DQoJZm9udC1mYW1pbHk6IlRpbWVzIE5ldyBSb21hbiIs InNlcmlmIjt9DQphOmxpbmssIHNwYW4uTXNvSHlwZXJsaW5rDQoJe21zby1zdHlsZS1wcmlvcml0 eTo5OTsNCgljb2xvcjpibHVlOw0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0KYTp2aXNp 
aXN0IDxicj4NCjxhIGhyZWY9Im1haWx0bzpqb3NlQGlldGYub3JnIiB0YXJnZXQ9Il9ibGFuayI+ am9zZUBpZXRmLm9yZzwvYT4gPGJyPg0KPGEgaHJlZj0iaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFp bG1hbi9saXN0aW5mby9qb3NlIiB0YXJnZXQ9Il9ibGFuayI+aHR0cHM6Ly93d3cuaWV0Zi5vcmcv bWFpbG1hbi9saXN0aW5mby9qb3NlPC9hPg0KPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIiBzdHlsZT0ibXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20t YWx0OmF1dG8iPjxicj4NCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fIDxicj4NCmpvc2UgbWFpbGluZyBsaXN0IDxicj4NCjxhIGhyZWY9Im1haWx0bzpqb3Nl QGlldGYub3JnIiB0YXJnZXQ9Il9ibGFuayI+am9zZUBpZXRmLm9yZzwvYT4gPGJyPg0KPGEgaHJl Zj0iaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9qb3NlIiB0YXJnZXQ9Il9i bGFuayI+aHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9qb3NlPC9hPg0KPG86 cD48L286cD48L3A+DQo8L2Jsb2NrcXVvdGU+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0i bXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bWFyZ2luLWJvdHRvbToxMi4wcHQiPjxvOnA+Jm5ic3A7 PC9vOnA+PC9wPg0KPHByZT4tLSA8bzpwPjwvbzpwPjwvcHJlPg0KPHByZT5WbGFkaW1pciBEemh1 dmlub3YgOjogPGEgaHJlZj0ibWFpbHRvOnZsYWRpbWlyQGNvbm5lY3QyaWQuY29tIiB0YXJnZXQ9 Il9ibGFuayI+dmxhZGltaXJAY29ubmVjdDJpZC5jb208L2E+PG86cD48L286cD48L3ByZT4NCjwv ZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9 Im1hcmdpbi1ib3R0b206MTIuMHB0Ij48YnI+DQpfX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fXzxicj4NCmpvc2UgbWFpbGluZyBsaXN0PGJyPg0KPGEgaHJlZj0i bWFpbHRvOmpvc2VAaWV0Zi5vcmciPmpvc2VAaWV0Zi5vcmc8L2E+PGJyPg0KPGEgaHJlZj0iaHR0 cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9qb3NlIiB0YXJnZXQ9Il9ibGFuayI+ aHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9qb3NlPC9hPjxvOnA+PC9vOnA+ PC9wPg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4N CjwvZGl2Pg0KPC9kaXY+DQo8L2JvZHk+DQo8L2h0bWw+DQo= --_000_BLUPR03MB437DD348A3D595DE05D7E14F5090BLUPR03MB437namprd_-- From nobody Fri Mar 27 11:16:46 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com 
(Postfix) with ESMTP id 46EF71A89AC for ; Fri, 27 Mar 2015 11:16:45 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.61 X-Spam-Level: X-Spam-Status: No, score=-3.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, J_CHICKENPOX_47=0.6, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YKOV5n56umEK for ; Fri, 27 Mar 2015 11:16:37 -0700 (PDT) Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 980A11A8730 for ; Fri, 27 Mar 2015 11:16:36 -0700 (PDT) X-AuditID: 1209190d-f79676d000000da0-cf-55159e82abe8 Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id 83.0C.03488.28E95155; Fri, 27 Mar 2015 14:16:34 -0400 (EDT) Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id t2RIGXpp004933; Fri, 27 Mar 2015 14:16:34 -0400 Received: from [IPv6:2607:fb90:92f:5ba4:0:44:fbb1:df01] (md64636d0.tmodns.net [208.54.70.214]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t2RIGU3d027836 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 27 Mar 2015 14:16:32 -0400 Date: Fri, 27 Mar 2015 13:07:09 -0500 Message-ID: Importance: normal From: Justin Richer To: Brian Campbell , Mike Jones MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--_com.android.email_4304169759815660" X-Brightmail-Tracker: 
Archived-At: Cc: "jose@ietf.org" , Vladimir Dzhuvinov Subject: Re: [jose] draft-ietf-jose-json-web-algorithms-27: section-5.2 (PKCS #5) X-BeenThere: jose@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Javascript Object Signing and Encryption List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Mar 2015 18:16:45 -0000 ----_com.android.email_4304169759815660 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: base64
----_com.android.email_4304169759815660 Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
Jm5ic3A7Jm5ic3A7Jm5ic3A7IFRoYW5rcyBmb3IgdGhlIGNhcmVmdWwgcmVhZCFfX19fIDxicj4K PGJyPgombmJzcDsmbmJzcDsmbmJzcDsgX18gX18gPGJyPgo8YnI+CiZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyAtLSBNaWtlX19fXyA8YnI+Cjxicj4KJm5ic3A7Jm5i c3A7Jm5ic3A7IF9fIF9fIDxicj4KPGJyPgombmJzcDsmbmJzcDsmbmJzcDsgKkZyb206KlNoYXVu IENvb2xleSAoc2hjb29sZXkpIFs8YSBocmVmPSJtYWlsdG86c2hjb29sZXlAY2lzY28uY29tIiB0 YXJnZXQ9Il9ibGFuayI+bWFpbHRvOnNoY29vbGV5QGNpc2NvLmNvbTwvYT5dCjxicj4KJm5ic3A7 Jm5ic3A7Jm5ic3A7ICpTZW50OiogRnJpZGF5LCBKdW5lIDEzLCAyMDE0IDEwOjM0IEFNIDxicj4K Jm5ic3A7Jm5ic3A7Jm5ic3A7ICpUbzoqIE1pa2UgSm9uZXMgPGJyPgombmJzcDsmbmJzcDsmbmJz cDsgKkNjOiogTWF0dCBNaWxsZXIgKG1hbWlsbGUyKSA8YnI+CiZuYnNwOyZuYnNwOyZuYnNwOyAq U3ViamVjdDoqIGRyYWZ0LWlldGYtam9zZS1qc29uLXdlYi1hbGdvcml0aG1zLTI3OiBzZWN0aW9u LTUuMiAoUEtDUyAjNSlfX19fIDxicj4KPGJyPgombmJzcDsmbmJzcDsmbmJzcDsgX18gX18gPGJy Pgo8YnI+CiZuYnNwOyZuYnNwOyZuYnNwOyBNaWNoYWVsIOKAk19fX18gPGJyPgo8YnI+CiZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBJIGFtIHdvcmtpbmcgb24gaW1wbGVtZW50aW5nIGEg YnJvd3NlciBjb21wYXRpYmxlIEpTIGltcGxlbWVudGF0aW9uIG9mIEpPU0UsIGJhc2VkIG9uIHRo ZSB3b3JrIE1hdHQgTWlsbGVyIGRpZCBmb3IgTm9kZS5KUy4mbmJzcDsgV2hpbGUgZ29pbmcgdGhy b3VnaCB0aGUgc3BlYywgSSBub3RpY2VkIHRoYXQgUEtDUyAjNSBpcyBjYWxsZWQgb3V0IGZvciB0 aGUgQUVTLUNCQyBjaXBoZXJzLiZuYnNwOyBTaG91bGRu4oCZdCB0aGlzIGJlIFBLQ1MgIzc/X19f Xwo8YnI+Cjxicj4KJm5ic3A7Jm5ic3A7Jm5ic3A7IF9fIF9fIDxicj4KPGJyPgombmJzcDsmbmJz cDsmbmJzcDsgUEtDUyAjNSDigJMgUkZDMjg5OCBzZWN0aW9uIDYuMiBzcGVjaWZpZXM6X19fXyA8 
YnI+Cjxicj4KJm5ic3A7Jm5ic3A7Jm5ic3A7IFRoZSBwYWRkaW5nIHN0cmluZyBQUyBzaGFsbCBj b25zaXN0IG9mIDggLSAofHxNfHwgbW9kIDgpIG9jdGV0cyBhbGwgaGF2aW5nIHZhbHVlIDggLSAo fHxNfHwgbW9kIDgpLl9fX18KPGJyPgo8YnI+CiZuYnNwOyZuYnNwOyZuYnNwOyBfXyBfXyA8YnI+ Cjxicj4KJm5ic3A7Jm5ic3A7Jm5ic3A7IFBLQ1MgIzcg4oCTIFJGQzIzMTUgc2VjdGlvbiAxMC4z IG5vdGUgMiBzcGVjaWZpZXM6X19fXyA8YnI+Cjxicj4KJm5ic3A7Jm5ic3A7Jm5ic3A7IEZvciBz dWNoIGFsZ29yaXRobXMsIHRoZSBtZXRob2Qgc2hhbGwgYmUgdG8gcGFkIHRoZSBpbnB1dCBhdCB0 aGUgdHJhaWxpbmcgZW5kIHdpdGggayAtIChsIG1vZCBrKSBvY3RldHMgYWxsIGhhdmluZyB2YWx1 ZSBrIC0gKGwgbW9kIGspLCB3aGVyZSBsIGlzIHRoZSBsZW5ndGggb2YgdGhlIGlucHV0Ll9fX18K PGJyPgo8YnI+CiZuYnNwOyZuYnNwOyZuYnNwOyBfXyBfXyA8YnI+Cjxicj4KJm5ic3A7Jm5ic3A7 Jm5ic3A7IFBLQ1MgIzcgYWxsb3dzIGZvciBwYWRkaW5nIGluIGJsb2NrIHNpemVzIG9mIDItMjU1 IGJ5dGVzLCB3aGVyZWFzIFBLQ1MgIzUgaXMgaW50ZW5kZWQgZm9yIGJsb2NrIHNpemVzIG9mIDgu Jm5ic3A7IFRoaXMgbWVhbnMgdGhhdCBQS0NTICM3IGlzIGEgc3VwZXJzZXQgb2YgIzUsIGFuZCBn aXZlbiB0aGF0IEFFUyBpcyBhIGJsb2NrIHNpemUgb2YgMTYsIGl0IHNlZW1zIHRoZSBzcGVjIHNo b3VsZCByZXF1aXJlIFBLQ1MgIzcuX19fXwo8YnI+Cjxicj4KJm5ic3A7Jm5ic3A7Jm5ic3A7IF9f IF9fIDxicj4KPGJyPgombmJzcDsmbmJzcDsmbmJzcDsgVGhvdWdodHM/X19fXyA8YnI+Cjxicj4K Jm5ic3A7Jm5ic3A7Jm5ic3A7IF9fIF9fIDxicj4KPGJyPgombmJzcDsmbmJzcDsmbmJzcDsgKlNo YXVuIENvb2xleSogPGJyPgombmJzcDsmbmJzcDsmbmJzcDsgRElTVElOR1VJU0hFRCBFTkdJTkVF Ui5FTkdJTkVFUklORyA8YnI+CiZuYnNwOyZuYnNwOyZuYnNwOyBDb2xsYWJvcmF0aW9uIFRlY2hu b2xvZ3kgR3JvdXAgPGJyPgombmJzcDsmbmJzcDsmbmJzcDsgPGEgaHJlZj0ibWFpbHRvOnNoY29v bGV5QGNpc2NvLmNvbSIgdGFyZ2V0PSJfYmxhbmsiPnNoY29vbGV5QGNpc2NvLmNvbTwvYT4gPGEg aHJlZj0ibWFpbHRvOnNoY29vbGV5QGNpc2NvLmNvbSIgdGFyZ2V0PSJfYmxhbmsiPgombHQ7bWFp bHRvOnNoY29vbGV5QGNpc2NvLmNvbSZndDs8L2E+IDxicj4KJm5ic3A7Jm5ic3A7Jm5ic3A7IFBo b25lOiAqPGEgaHJlZj0idGVsOiUyQjElMjA0MDglMjA5MDIlMjAzMzQ0IiB2YWx1ZT0iKzE0MDg5 MDIzMzQ0IiB0YXJnZXQ9Il9ibGFuayI+KzEgNDA4IDkwMiAzMzQ0PC9hPiAmbHQ7PGEgaHJlZj0i dGVsOiUyQjElMjA0MDglMjA5MDIlMjAzMzQ0IiB0YXJnZXQ9Il9ibGFuayI+dGVsOiUyQjElMjA0 
MDglMjA5MDIlMjAzMzQ0PC9hPiZndDsqCjxicj4KJm5ic3A7Jm5ic3A7Jm5ic3A7IE1vYmlsZTog KjxhIGhyZWY9InRlbDolMkIxJTIwMzEwJTIwMjkzJTIwMjA4NyIgdmFsdWU9IisxMzEwMjkzMjA4 NyIgdGFyZ2V0PSJfYmxhbmsiPisxIDMxMCAyOTMgMjA4NzwvYT4gJmx0OzxhIGhyZWY9InRlbDol MkIxJTIwMzEwJTIwMjkzJTIwMjA4NyIgdGFyZ2V0PSJfYmxhbmsiPnRlbDolMkIxJTIwMzEwJTIw MjkzJTIwMjA4NzwvYT4mZ3Q7Kl9fX18KPGJyPgo8YnI+CiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyA8YnI+Cjxicj4KJm5ic3A7Jm5ic3A7Jm5ic3A7IDxhIGhyZWY9 Imh0dHA6Ly93d3cuY2lzY28uY29tL3dlYi9ldXJvcGUvaW1hZ2VzL2VtYWlsL3NpZ25hdHVyZS9s b2dvMDUuanBnIiB0YXJnZXQ9Il9ibGFuayI+aHR0cDovL3d3dy5jaXNjby5jb20vd2ViL2V1cm9w ZS9pbWFnZXMvZW1haWwvc2lnbmF0dXJlL2xvZ28wNS5qcGc8L2E+Cjxicj4KJm5ic3A7Jm5ic3A7 Jm5ic3A7IENpc2NvLmNvbSA8YSBocmVmPSJodHRwOi8vd3d3LmNpc2NvLmNvbS8iIHRhcmdldD0i X2JsYW5rIj4mbHQ7aHR0cDovL3d3dy5jaXNjby5jb20vJmd0OzwvYT5fX19fIDxicj4KPGJyPgom bmJzcDsmbmJzcDsmbmJzcDsgX18gX18gPGJyPgo8YnI+CiZuYnNwOyZuYnNwOyZuYnNwOyBUaGlz IGVtYWlsIG1heSBjb250YWluIGNvbmZpZGVudGlhbCBhbmQgcHJpdmlsZWdlZCBtYXRlcmlhbCBm b3IgdGhlIHNvbGUgdXNlIG9mIHRoZSBpbnRlbmRlZCByZWNpcGllbnQuIEFueSByZXZpZXcsIHVz ZSwgZGlzdHJpYnV0aW9uIG9yIGRpc2Nsb3N1cmUgYnkgb3RoZXJzIGlzIHN0cmljdGx5IHByb2hp Yml0ZWQuIElmIHlvdSBhcmUgbm90IHRoZSBpbnRlbmRlZCByZWNpcGllbnQgKG9yIGF1dGhvcml6 ZWQgdG8gcmVjZWl2ZSBmb3IgdGhlCiByZWNpcGllbnQpLCBwbGVhc2UgY29udGFjdCB0aGUgc2Vu ZGVyIGJ5IHJlcGx5IGVtYWlsIGFuZCBkZWxldGUgYWxsIGNvcGllcyBvZiB0aGlzIG1lc3NhZ2Uu X19fXwo8YnI+Cjxicj4KJm5ic3A7Jm5ic3A7Jm5ic3A7IEZvciBjb3Jwb3JhdGUgbGVnYWwgaW5m b3JtYXRpb24gZ28gdG86IDxicj4KJm5ic3A7Jm5ic3A7Jm5ic3A7IDxhIGhyZWY9Imh0dHA6Ly93 d3cuY2lzY28uY29tL3dlYi9hYm91dC9kb2luZ19idXNpbmVzcy9sZWdhbC9jcmkvaW5kZXguaHRt bF9fX18iIHRhcmdldD0iX2JsYW5rIj4KaHR0cDovL3d3dy5jaXNjby5jb20vd2ViL2Fib3V0L2Rv aW5nX2J1c2luZXNzL2xlZ2FsL2NyaS9pbmRleC5odG1sX19fXzwvYT4gPGJyPgo8YnI+CiZuYnNw OyZuYnNwOyZuYnNwOyBfXyBfXyA8YnI+Cjxicj4KJm5ic3A7Jm5ic3A7Jm5ic3A7IF9fIF9fIDxi cj4KPGJyPgo8YnI+CiZuYnNwOyZuYnNwOyZuYnNwOyBfX19fX19fX19fX19fX19fX19fX19fX19f 
X19fX19fX19fX19fX19fX19fX19fXyA8YnI+CiZuYnNwOyZuYnNwOyZuYnNwOyBqb3NlIG1haWxp bmcgbGlzdCA8YnI+CiZuYnNwOyZuYnNwOyZuYnNwOyA8YSBocmVmPSJtYWlsdG86am9zZUBpZXRm Lm9yZyIgdGFyZ2V0PSJfYmxhbmsiPmpvc2VAaWV0Zi5vcmc8L2E+IDxhIGhyZWY9Im1haWx0bzpq b3NlQGlldGYub3JnIiB0YXJnZXQ9Il9ibGFuayI+CiZsdDttYWlsdG86am9zZUBpZXRmLm9yZyZn dDs8L2E+IDxicj4KJm5ic3A7Jm5ic3A7Jm5ic3A7IDxhIGhyZWY9Imh0dHBzOi8vd3d3LmlldGYu b3JnL21haWxtYW4vbGlzdGluZm8vam9zZSIgdGFyZ2V0PSJfYmxhbmsiPmh0dHBzOi8vd3d3Lmll dGYub3JnL21haWxtYW4vbGlzdGluZm8vam9zZTwvYT4KPGJyPgo8YnI+Cjxicj4KPGJyPgpfX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXyA8YnI+Cmpvc2UgbWFp bGluZyBsaXN0IDxicj4KPGEgaHJlZj0ibWFpbHRvOmpvc2VAaWV0Zi5vcmciIHRhcmdldD0iX2Js YW5rIj5qb3NlQGlldGYub3JnPC9hPiA8YnI+CjxhIGhyZWY9Imh0dHBzOi8vd3d3LmlldGYub3Jn L21haWxtYW4vbGlzdGluZm8vam9zZSIgdGFyZ2V0PSJfYmxhbmsiPmh0dHBzOi8vd3d3LmlldGYu b3JnL21haWxtYW4vbGlzdGluZm8vam9zZTwvYT4KPHU+PC91Pjx1PjwvdT48L3A+CjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxicj4KX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX18gPGJyPgpqb3NlIG1haWxpbmcgbGlzdCA8YnI+CjxhIGhyZWY9Im1haWx0bzpqb3Nl QGlldGYub3JnIiB0YXJnZXQ9Il9ibGFuayI+am9zZUBpZXRmLm9yZzwvYT4gPGJyPgo8YSBocmVm PSJodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL2pvc2UiIHRhcmdldD0iX2Js YW5rIj5odHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL2pvc2U8L2E+Cjx1Pjwv dT48dT48L3U+PC9wPgo8L2Jsb2NrcXVvdGU+CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxicj4KPGJy Pgo8dT48L3U+PHU+PC91PjwvcD4KPHByZT4tLSA8dT48L3U+PHU+PC91PjwvcHJlPgo8cHJlPlZs YWRpbWlyIER6aHV2aW5vdiA6OiA8YSBocmVmPSJtYWlsdG86dmxhZGltaXJAY29ubmVjdDJpZC5j b20iIHRhcmdldD0iX2JsYW5rIj52bGFkaW1pckBjb25uZWN0MmlkLmNvbTwvYT48dT48L3U+PHU+ PC91PjwvcHJlPgo8L2Rpdj48L2Rpdj48L2Rpdj4KPC9kaXY+Cgo8YnI+X19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX188YnI+Cmpvc2UgbWFpbGluZyBsaXN0PGJy Pgo8YSBocmVmPSJtYWlsdG86am9zZUBpZXRmLm9yZyI+am9zZUBpZXRmLm9yZzwvYT48YnI+Cjxh IGhyZWY9Imh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vam9zZSIgdGFyZ2V0 
PSJfYmxhbmsiPmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vam9zZTwvYT48 YnI+Cjxicj48L2Jsb2NrcXVvdGU+PC9kaXY+PGJyPjwvZGl2Pgo8L2JvZHk+PC9odG1sPg== ----_com.android.email_4304169759815660-- From nobody Tue Mar 31 08:22:02 2015 Return-Path: X-Original-To: jose@ietfa.amsl.com Delivered-To: jose@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 108311ACE36 for ; Tue, 31 Mar 2015 08:21:56 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.422 X-Spam-Level: * X-Spam-Status: No, score=1.422 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m4sU_6nJoQzh for ; Tue, 31 Mar 2015 08:21:53 -0700 (PDT) Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE11D1ACE38 for ; Tue, 31 Mar 2015 08:21:52 -0700 (PDT) Received: by lagg8 with SMTP id g8so15378910lag.1 for ; Tue, 31 Mar 2015 08:21:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type; bh=xL9YRhu05tiL8Wqr8qEyRDBgf30SM2VvPcKhwT47+h4=; b=oEXUlp3cA3o9BzfK+4AjqzrvnfkGJuMwzUzr4cbXOciyAdS3fatEZy5XThZCBi//4i 7nz0oUk9+AOCLOuCj7c5wbGDCPA96neOZFog4PQVeLJ8ROJC+/isxViP84DELU85kSTS da6UJEPemE5GweqAwt1TaaSCz8nLtgAzk7JvqNKxqeSEEmnFerkUO1guNQaUxU/f7maf rBzLzWVqd7S7bH/w13iyQlhJhwyAD/wBut/arvSsskxwtrpwnSfXWoahQyzUVFl4sDVP CChQzUA9XTAlIY5xXNDvbwcPObRpzK7jlOsnxPbzJ7Pfab563I/4h+bx7oJz5UXoWHjS OfJA== MIME-Version: 1.0 X-Received: by 10.152.4.136 with SMTP id k8mr31357305lak.103.1427815311346; Tue, 31 Mar 2015 08:21:51 -0700 
From: Phillip Hallam-Baker
To: "jose@ietf.org"
Date: Tue, 31 Mar 2015 11:21:51 -0400
Subject: [jose] Initial results of Binary encoding in JSON-B and JSON-C

Yesterday I added implementations of JWS, JSON-B and JSON-C to my existing JSON encoding suite (PROTOGEN). For the sake of fair comparison, I have not attempted any further optimization or made any changes to the encoding described here.

http://tools.ietf.org/html/draft-hallambaker-jsonbcd-02

I could easily shave a few more bytes off the total with additional techniques which I considered but rejected as not being worth the space/complexity tradeoff.

Implementation took approximately 2 hours for the encoding scheme and 4 hours for JWS, much of the latter being spent writing test code to make sure that the test vectors in draft-41 work (they do).

While implementing additional encodings is additional work, the binary encodings are actually much easier to implement than the text. There is no need to perform Base64 encoding. Estimating space requirements is a lot easier, etc. If I was implementing one encoder for a constrained device I would much prefer to implement JSON-C than JSON.

On the decoder side, JSON-B is a strict super-set of JSON which means that a decoder must support both encodings unless a 'binary only' subset is defined. But this does mean that a JSON-C decoder can decode JSON-B or traditional JSON, one decoder fits all.

For a test case, I used:

http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41

Encoding the HMAC signature example results in the following encoding sizes:

In JSON: 244 bytes
In JSON-B: 165 bytes
In JSON-C: 129 bytes

In each case the Payload data is the string given in the example; even though this is JSON, this is left as is to provide a fair basis for comparison.

This slightly overstates the advantage of JSON-B as my JSON encoding has indentation. The main saving comes from avoiding the need to BASE64 armor the binary blobs. Looking at the internals:

In JSON: 244 bytes
    Protected 35 / Payload 70 / Signature 32
In JSON-B: 165 bytes
    Protected 24 / Payload 70 / Signature 32
In JSON-C: 129 bytes
    Protected 13 / Payload 70 / Signature 32

Since the payload and signature are the same for each example, 102 bytes of the message are irreducible. The move from text to binary blobs saves 79 bytes, 30 of which are coming from eliminating Base64.

Tag and string compression saves another 34 bytes, but only in the case where we can pre-exchange the tag dictionary. JSON-C also supports an on-the-fly string compression technique but that only provides savings for longer messages with large areas of repeated texts.

Conclusion:

1) We do not need a new working group to specify a binary encoding of JOSE.

The fact that CBOR requires hand tweaking to apply it to a JSON data structure is the reason that I and others objected to the approach from the start. Note that I wrote JSON-BCD in response to the statement made by the CBOR cabal that they were a private group that was not required to be open, consider alternative approaches or respect IETF consensus. In particular the statement was made repeatedly that 'CBOR is not intended to be a binary encoding of JSON'.

2) A binary encoding of JSON should not require additional IETF time, effort or review.

The implementation of JSON-B is entirely mechanical and required no additional input whatsoever.

The only additional input required for use of JSON-C is the compilation of a tag dictionary. The one I used has 88 defined code points which I compiled by looking through the IANA considerations section of the draft. This could easily be produced automatically through use of a tool.

Since JSON-B uses byte aligned tags and there is only a need for 88 of them, the choice of tag values has absolutely no impact on the compression efficiency.

3) A binary encoding should not require ongoing maintenance.

What worries me most about the CBOR fiasco is that we risk a MIB type situation in which every new IETF JSON protocol requires a parallel 'CBOR' encoding and this becomes an ongoing maintenance requirement.

JSON-B is designed as a strict superset of JSON so that upwards compatibility is guaranteed. This allows use of a new version of the specification or support for a privately defined tag that is not in the dictionary without waiting for a new dictionary to be issued or a new 'binary' version of the specification to be defined.

4) The IETF needs a binary encoding of JSON that encodes precisely the JSON data model with (almost) nothing added or taken away.

A Binary encoding of JSON does need to add a binary type which is an extension of the JSON model. A case could also be made for a DateTime intrinsic type which would be rendered in RFC3339 format strings in JSON but I have resisted this so far.

One of the main reasons for rejecting many of the existing Binary JSON formats is that the designers have found the temptation to add code points for their favorite random data types irresistible.

5) While it is possible to improve JSON-B compression efficiency, the savings are unlikely to be very interesting.

The use of the JWS example is instructive because the only way to improve significantly on JSON-C would be to compress the payload.

Out of the 129 bytes used in the JSON-C version, 104 are data elements and 25 are framing for two nested structures with a total of six structure elements. That is an average overhead of 4 bytes per element including the tag and length data.
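
The JWS HMAC example used as the test case in the message above can be reproduced and measured field by field, which shows where the base64url armoring cost sits. This is an added example, not part of the original post and not PROTOGEN code; it assumes the Appendix A.1 key, header, payload and expected signature from the JWS specification and uses the flattened JSON serialization with compact separators, so its totals are not the PROTOGEN figures quoted in the message.

```python
import base64
import hashlib
import hmac
import json

# Test vector from JWS Appendix A.1 (HMAC SHA-256), as given in the specification.
KEY_B64URL = ("AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-"
              "1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow")
PROTECTED = b'{"typ":"JWT",\r\n "alg":"HS256"}'
PAYLOAD = (b'{"iss":"joe",\r\n "exp":1300819380,\r\n'
           b' "http://example.com/is_root":true}')
EXPECTED_SIG = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(protected: bytes, payload: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 over BASE64URL(protected) '.' BASE64URL(payload)."""
    signing_input = (b64url(protected) + "." + b64url(payload)).encode("ascii")
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def verify_hs256(protected: bytes, payload: bytes, sig_b64url: str, key: bytes) -> bool:
    """Recompute the MAC and compare in constant time."""
    expected = sign_hs256(protected, payload, key)
    try:
        supplied = b64url_decode(sig_b64url)
    except ValueError:
        return False
    return hmac.compare_digest(expected, supplied)


def size_report() -> dict:
    """Raw versus base64url size of each JWS field, plus serialized total."""
    key = b64url_decode(KEY_B64URL)
    fields = {
        "protected": PROTECTED,
        "payload": PAYLOAD,
        "signature": sign_hs256(PROTECTED, PAYLOAD, key),
    }
    report = {}
    for name, raw in fields.items():
        armored = b64url(raw)
        report[name] = {"raw": len(raw), "base64url": len(armored),
                        "overhead": len(armored) - len(raw)}
    # Flattened JWS JSON serialization, no indentation or spaces.
    flattened = json.dumps({n: b64url(r) for n, r in fields.items()},
                           separators=(",", ":"))
    report["total"] = {
        "raw": sum(len(r) for r in fields.values()),
        "overhead": sum(report[n]["overhead"] for n in fields),
        "json": len(flattened),
    }
    return report


if __name__ == "__main__":
    key = b64url_decode(KEY_B64URL)
    print("A.1 vector verifies:", verify_hs256(PROTECTED, PAYLOAD, EXPECTED_SIG, key))
    for name, sizes in size_report().items():
        print(name, sizes)
```
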