From: Luke Howard
Date: Sun, 1 Aug 2021 23:37:57 +1000
To: "kitten@ietf.org"
Cc: Alejandro Perez Mendez
Subject: [kitten] draft-perez-krb-wg-gss-preauth

I’m working on an implementation of draft-perez-krb-wg-gss-preauth-02.txt for Heimdal.

Is this something the working group would consider adopting?

Luke Howard


From: Benjamin Kaduk
Date: Sun, 1 Aug 2021 18:46:51 -0700
To: Luke Howard
Cc: "kitten@ietf.org", Alejandro Perez Mendez
Subject: Re: [kitten] draft-perez-krb-wg-gss-preauth

On Sun, Aug 01, 2021 at 11:37:57PM +1000, Luke Howard wrote:
> I’m working on an implementation of draft-perez-krb-wg-gss-preauth-02.txt for Heimdal.
>
> Is this something the working group would consider adopting?

It doesn't seem fundamentally like a bad idea, but since we typically
recommend that applications should use the GSS-API rather than Kerberos
directly, it's not entirely clear to me what situations will require
the GSSAPI->Kerberos bridge as opposed to using GSS-API natively.

-Ben


From: Luke Howard
Date: Mon, 2 Aug 2021 12:07:18 +1000
To: Benjamin Kaduk
Cc: "kitten@ietf.org", Alejandro Perez Mendez
Subject: Re: [kitten] draft-perez-krb-wg-gss-preauth

> On Sun, Aug 01, 2021 at 11:37:57PM +1000, Luke Howard wrote:
>> I’m working on an implementation of draft-perez-krb-wg-gss-preauth-02.txt for Heimdal.
>>
>> Is this something the working group would consider adopting?
>
> It doesn't seem fundamentally like a bad idea, but since we typically
> recommend that applications should use the GSS-API rather than Kerberos
> directly, it's not entirely clear to me what situations will require
> the GSSAPI->Kerberos bridge as opposed to using GSS-API natively.

Good point. Our use case is supporting existing applications where it’s not feasible to install a new GSS-API mechanism on the acceptor (for reasons of local policy, platform limitations, etc).


From: Benjamin Kaduk
Date: Sun, 1 Aug 2021 19:16:03 -0700
To: Luke Howard
Cc: "kitten@ietf.org", Alejandro Perez Mendez
Subject: Re: [kitten] draft-perez-krb-wg-gss-preauth

On Mon, Aug 02, 2021 at 12:07:18PM +1000, Luke Howard wrote:
> > On Sun, Aug 01, 2021 at 11:37:57PM +1000, Luke Howard wrote:
> >> I’m working on an implementation of draft-perez-krb-wg-gss-preauth-02.txt for Heimdal.
> >>
> >> Is this something the working group would consider adopting?
> >
> > It doesn't seem fundamentally like a bad idea, but since we typically
> > recommend that applications should use the GSS-API rather than Kerberos
> > directly, it's not entirely clear to me what situations will require
> > the GSSAPI->Kerberos bridge as opposed to using GSS-API natively.
>
> Good point. Our use case is supporting existing applications where it’s not feasible to install a new GSS-API mechanism on the acceptor (for reasons of local policy, platform limitations, etc).

Thanks, that makes the motivation a bit more clear.

-Ben


From: Luke Howard
Date: Mon, 2 Aug 2021 19:30:12 +1000
To: Benjamin Kaduk
Cc: "kitten@ietf.org", Alejandro Perez Mendez
Subject: Re: [kitten] draft-perez-krb-wg-gss-preauth

>> Good point. Our use case is supporting existing applications where it’s not feasible to install a new GSS-API mechanism on the acceptor (for reasons of local policy, platform limitations, etc).
>
> Thanks, that makes the motivation a bit more clear.

I suppose another use case might be a fast re-authentication mechanism for GSS mechanisms that involve a lot of round trips (such as EAP). Of course this could be handled within the mechanism itself or as a pseudo-mechanism but, in practice, neither have been deployed.


From: "Mark Baushke (ietf)"
Date: Sat, 31 Jul 2021 06:33:52 -0700
To: Robbie Harwood
Cc: curdle@ietf.org, kitten@ietf.org
Subject: Re: [kitten] [Curdle] Diffie-Hellman modulus sizing in Kerberos PKINIT

Hi Robbie,

I made a few mistakes in my last message.

> On Jul 30, 2021, at 12:07 PM, Mark D Baushke wrote:
>
> Hi Robbie,
>
> To summarize:
>
> DH Parameter Set.          RFC 4556 Guidance.   Draft Guidance
> 1024-bit MODP group 2  -   MUST                 MUST NOT
> 2048-bit MODP group 14 -   MUST                 MAY
> 4096-bit MODP group 16 -   SHOULD               MUST
>
> I would have thought going from a Mandatory to Implement (MTI) as a MUST to disallowed (MUST NOT) for the 1024-bit MODP group 2 as the logical path, but moving to deprecated with a MAY is defensible.

I meant to say SHOULD NOT rather than MAY to make it deprecated. On further reflection, I like the MUST NOT better.

>
> I would suggest moving from MTI for 2048-bit MODP group 14 moves to SHOULD for now that there is a good period of interoperability.
>
> I think is may also be desirable to add either 6144-bit MODP group 17 or 8192-bit MODP group 18 to the list as a MAY for forward looking groups that are larger than 4096-bit MODP MUST.

I should have written that it would be desirable to have a stronger MODP group available that MAY be used. I regret that the sentence was confusing.

Be safe, stay healthy
-- Mark


From: Stefan Metzmacher
Date: Mon, 2 Aug 2021 16:49:43 +0200
To: Greg Hudson, Nico Williams
Cc: kitten@ietf.org, Samba Technical, "krbdev@mit.edu Dev List"
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Hi,

due to customer requests I'm trying to resume the discussion about
ways to disable the transited checks in gss_accept_sec_context()
when we know we're in an active directory situation and rely on
the [K]DCs (of our primary domain) to check the cross-realm topology
based on their knowledge of the trust topology.

To summarize the discussion we had: active directory DCs do
transited checking (even without a PAC) and fail to issue
service tickets if the check fails, so any service ticket
is already checked, but without TKT_FLG_TRANSIT_POLICY_CHECKED
being added to the ticket.

As only the [K]DCs have the full picture of the trust topology,
we need ways to implicitly get the behavior we would get if
TKT_FLG_TRANSIT_POLICY_CHECKED would be set.

The related bug is:
https://bugzilla.samba.org/show_bug.cgi?id=12907
("pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted
domains with more than 1 hop between server and user realm")
It only has references to the past discussion and related bugs,
which also need to alter the gss_accept_sec_context() behavior.

As a start we have the following basic call sequence:

  gss_cred_id_t acceptor_creds = GSS_C_NO_CREDENTIAL;
  gss_ctx_id_t context_handle = GSS_C_NO_CONTEXT;
  gss_key_value_element_desc keytab_element = {
      .key = "keytab",
      .value = "FILE:/path/to/keytab",
  };
  gss_key_value_set_desc cred_store = {
      .elements = &keytab_element,
      .count = 1,
  };

  gss_acquire_cred_from(..., &cred_store, &acceptor_creds, ...);
  gss_accept_sec_context(..., &context_handle, acceptor_creds, ...);

So we need a way to pass KRB5_VERIFY_AP_REQ_NO_TRANSITED_CHECK to
krb5_decrypt_ticket() used deep in gss_accept_sec_context().

The initial solution I proposed was:

  gss_set_cred_option(acceptor_creds, GSS_KRB5_CRED_NO_TRANSIT_CHECK_X)

which would be called between gss_acquire_cred_from() and
gss_accept_sec_context().
As GSS_KRB5_CRED_NO_CI_FLAGS_X is already using the same way to
alter gss_init_sec_context(), I thought it would be the natural
way to implement GSS_KRB5_CRED_NO_TRANSIT_CHECK_X.
But it seems gss_set_cred_option() is not accepted because it's
deprecated.

The following alternatives would be able to solve the problem:

1. An additional cred_store element could be passed to
   gss_acquire_cred_from() in order to set the
   GSS_CF_NO_TRANSIT_CHECK flag on acceptor_creds

2. I think someone had the idea of using gss_set_sec_context_option()
   In theory this would be the perfect way as we want to alter the
   behavior of gss_accept_sec_context(), but this gets GSS_C_NO_CONTEXT
   in the first iteration, so we don't have a context to pass to
   gss_set_sec_context_option().

   At least in heimdal gss_set_sec_context_option() seems to work with
   GSS_C_NO_CONTEXT and would alter some global state.
   E.g. _gsskrb5_set_sec_context_option() supports things like
   GSS_KRB5_SET_DEFAULT_REALM_X, GSS_KRB5_SET_DNS_CANONICALIZE_X,
   GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X and more which seem to
   work on a per thread global krb5_context. These are also available
   via special functions like gsskrb5_set_dns_canonicalize() or
   gsskrb5_register_acceptor_identity().

   krb5_gss_set_sec_context_option() in MIT doesn't support anything
   at the moment and kg_accept_krb5() doesn't seem to operate on
   a global krb5_context.

3. Implement a krb5.conf option similar to "dns_canonicalize_hostname"
   or "ignore_acceptor_hostname" from MIT
   I think this would be a good addition in order to allow admins
   to specify "disable_transit_check = true" and get it also
   for unaware applications.

   But I think for an application that's aware of the fact that
   it never wants any transit checking in gss_accept_sec_context()
   we should better have an api to disable it instead of
   playing games with the "KRB5_CONFIG" environment variable.

It would be really great if we could find a way forward with this,
I typically point customers to the related branches (in most cases
using the heimdal version shipped in Samba), but they are really
unhappy with that situation and asked me to trigger the discussion
again in order to get a solution that is acceptable in the upstream
projects (Heimdal, MIT and Samba) and would be available by default
in distributions.

Nico it would be nice to get some constructive feedback from you,
as you're the one blocking the current patchsets.

Thanks in advance for any possible help!
metze

On 24.01.20 at 19:49, Stefan Metzmacher wrote:
> Hi Greg,
>
>> On 1/23/20 6:25 AM, Stefan Metzmacher wrote:
>>> it would be great if we could make some progress here...
>>
>> Does this need to be an application flag, or can it be in the krb5.conf
>> realm configuration? Presumably people are currently working around
>> this by setting [capaths] on the server; a realm variable would simplify
>> this workaround by not requiring specific knowledge of the domain geometry.
>>
>> I reviewed the thread, and it sounds like the current understanding is
>> that AD applies a transited check (of sorts) to cross-realm tickets, but
>> doesn't say so by setting the transit-policy-checked flag in the
>> ticket.
>
> Exactly.
>
>> From the upstream point of view the server's realm
>> configuration is in a better position to know that the realm is an AD
>> realm than the server application; perhaps that is not true from Samba's
>> point of view, but I thought I would check.
>
> In Samba we know that we're joined to an AD domain
> and then we want to force disabling the transited check
> for gss_accept_sec_context().
>
> For Samba as AD DC we also want to disable this for
> krb5_rd_req_decoded in the KDC too.
>
> A krb5.conf option would also be good in order to support
> non-samba services in AD-Domains. But the c library should also
> support changing it at runtime.
>
> metze

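The acceptor-side decision that Stefan Metzmacher's message above turns on, as an added example that is not part of the thread and not code from Heimdal, MIT krb5 or Samba: a small C model in which a ticket with transited realms is accepted if the KDC set the transit-policy-checked flag, otherwise only if the acceptor can verify the path itself, plus the requested opt-out. All type, function and realm names are hypothetical, the capaths table is a simplification (no hierarchical realm walking), and the sample ticket is constructed.

```c
/* Added illustration, not code from Heimdal, MIT krb5 or Samba: a model of
 * the acceptor-side transited decision. All names below are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOPS 4

struct ticket_model {
    const char *client_realm;
    bool transit_policy_checked;     /* models TKT_FLG_TRANSIT_POLICY_CHECKED */
    const char *transited[MAX_HOPS]; /* intermediate realms, already decoded */
    size_t n_transited;
};

/* One [capaths]-style entry: intermediates allowed for a client realm. */
struct capath_model {
    const char *client_realm;
    const char *allowed[MAX_HOPS];
    size_t n_allowed;
};

struct acceptor_model {
    const struct capath_model *capaths;
    size_t n_capaths;
    bool no_transited_check;         /* models the opt-out asked for in the thread */
};

enum verdict {
    ACCEPT_NOTHING_TRANSITED,  /* same realm or direct trust: empty list */
    ACCEPT_KDC_CHECKED,        /* flag set, acceptor may skip its own check */
    ACCEPT_CHECK_DISABLED,     /* opt-out: the path is trusted without inspection */
    ACCEPT_LOCAL_PATH_OK,      /* every hop matched local configuration */
    REJECT_PATH_NOT_VERIFIED   /* no flag, no opt-out, local check failed */
};

static bool hop_allowed(const struct capath_model *p, const char *realm)
{
    for (size_t i = 0; i < p->n_allowed; i++)
        if (strcmp(p->allowed[i], realm) == 0)  /* realm names are case-sensitive */
            return true;
    return false;
}

enum verdict check_transited(const struct acceptor_model *acc,
                             const struct ticket_model *tkt)
{
    if (tkt->n_transited == 0)
        return ACCEPT_NOTHING_TRANSITED;
    if (tkt->transit_policy_checked)
        return ACCEPT_KDC_CHECKED;
    if (acc->no_transited_check)
        return ACCEPT_CHECK_DISABLED;

    /* Local check: the acceptor must know the client realm and every hop. */
    for (size_t i = 0; i < acc->n_capaths; i++) {
        const struct capath_model *p = &acc->capaths[i];
        if (strcmp(p->client_realm, tkt->client_realm) != 0)
            continue;
        for (size_t h = 0; h < tkt->n_transited; h++)
            if (!hop_allowed(p, tkt->transited[h]))
                return REJECT_PATH_NOT_VERIFIED;
        return ACCEPT_LOCAL_PATH_OK;
    }
    return REJECT_PATH_NOT_VERIFIED;  /* acceptor has no knowledge of this path */
}

/* Constructed scenario: a user in USERS.CORP.TEST reaches the acceptor through
 * ROOT.CORP.TEST (more than one hop), optionally through one extra realm. */
enum verdict demo(bool kdc_set_flag, bool have_capath, bool opt_out,
                  const char *extra_hop)
{
    static const struct capath_model known[] = {
        { "USERS.CORP.TEST", { "ROOT.CORP.TEST" }, 1 },
    };
    struct ticket_model tkt = {
        .client_realm = "USERS.CORP.TEST",
        .transit_policy_checked = kdc_set_flag,
        .transited = { "ROOT.CORP.TEST", extra_hop },
        .n_transited = extra_hop ? 2 : 1,
    };
    struct acceptor_model acc = {
        .capaths = known,
        .n_capaths = have_capath ? 1 : 0,
        .no_transited_check = opt_out,
    };
    return check_transited(&acc, &tkt);
}

int main(void)
{
    printf("no flag, no capaths, default:  %d\n", demo(false, false, false, NULL));
    printf("no flag, capaths configured:   %d\n", demo(false, true, false, NULL));
    printf("flag set by KDC:               %d\n", demo(true, false, false, NULL));
    printf("no flag, opt-out set:          %d\n", demo(false, false, true, NULL));
    printf("unexpected hop, capaths:       %d\n", demo(false, true, false, "OTHER.TEST"));
    printf("unexpected hop, opt-out set:   %d\n", demo(false, true, true, "OTHER.TEST"));
    return 0;
}
```

The last two cases show the cost of the opt-out: once it is set the acceptor no longer notices an unexpected hop, so it fits only where the issuing KDC is known to enforce the trust topology, which is what the message says AD DCs do.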
From: Greg Hudson
To: Luke Howard, "kitten@ietf.org"
Cc: Alejandro Perez Mendez
Date: Mon, 2 Aug 2021 12:23:24 -0400
Subject: Re: [kitten] draft-perez-krb-wg-gss-preauth

On 8/1/21 9:37 AM, Luke Howard wrote:
> I’m working on an implementation
> of draft-perez-krb-wg-gss-preauth-02.txt for Heimdal.
>
> Is this something the working group would consider adopting?

I'm not writing to support adoption, but I did have a note on the draft.

PA-GSS contains a state object which has similar protections as is needed for PA-FX-COOKIE (see https://web.mit.edu/kerberos/krb5-latest/doc/formats/cookie.html and note the additional binding of the client principal to the cookie encryption key). It might facilitate sharing to just handle the state via PA-FX-COOKIE rather than baking it into the preauth mech.

From: Robbie Harwood
To: "Mark Baushke (ietf)"
Cc: curdle@ietf.org, kitten@ietf.org
Date: Mon, 02 Aug 2021 13:13:37 -0400
Subject: Re: [kitten] [Curdle] Diffie-Hellman modulus sizing in Kerberos PKINIT

"Mark Baushke (ietf)" writes:

> Hi Robbie,
>
> I made a few mistakes in my last message.

No worries. To be sure I understand, though, please let me know if this matches what you're suggesting:

- 1k: MUST NOT (matches the draft)
- 2k: SHOULD NOT (strengthen the draft's MAY)
- 4k: MUST (matches the draft)
- 6k/8k: MAY (not present in draft)

I'm probably fine to add larger groups like the 6k and 8k you suggest at MAY. If I read right, Heimdal implements MODP 6k and 8k already.

For completeness: Heimdal also implements 3072-, 1636-, and 768-bit MODP. It seems worth taking a position on those groups as well. I imagine that position would be:

- 3072: MAY
- 1636: SHOULD NOT
- 768: MUST NOT

(though it may be cleaner to adjust the language to address sizes rather than specific groups at that point).

Be well,
--Robbie

From: Greg Hudson
To: Stefan Metzmacher, Nico Williams
Cc: kitten@ietf.org, Samba Technical, "krbdev@mit.edu Dev List"
Date: Mon, 2 Aug 2021 13:24:03 -0400
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

On 8/2/21 10:49 AM, Stefan Metzmacher wrote:
> To summarize the discussion we had active directory DCs do transited
> checking (even without a PAC) and fail to issue service tickets
> if the check fails, so any service ticket is already checked,
> but without TKT_FLG_TRANSIT_POLICY_CHECKED being added to the
> ticket.

I just want to acknowledge here that we're taking on technical debt because the non-conformant party is perceived to be inflexible.

> The initial solution I proposed was:
>
> gss_set_cred_option(acceptor_creds, GSS_KRB5_CRED_NO_TRANSIT_CHECK_X)
[...]
> But it seems gss_set_cred_option() is not accepted because it's
> deprecated.

Personally I'm fine with this.

> 1. An additional cred_store element could be passed to
> gss_acquire_cred_from() in order to set the
> GSS_CF_NO_TRANSIT_CHECK flag on acceptor_creds

This is similar to a cred option. I don't see any strong advantages of one over the other.

> 2. I think someone had the idea of using gss_set_sec_context_option()

This seems hard to do without (per-thread) global state. Even if we bring in gss_create_sec_context() from some versions of the channel bindings draft, the mechglue doesn't know which mechanism will be used to accept the context, so it would have to store OID/value pairs in the mechglue context and replay them to the mech context once it finds out which kind of mech context to create. (And hope that all of the context option values are flat byte strings, not structures containing pointers to objects whose lifetimes might have expired between the set_cred_option() call and the first accept_sec_context() call.) Doing this with global state seems strictly worse than communicating the flag via the cred.

> 3. Implement a krb5.conf option similar to "dns_canonicalize_hostname"
> or "ignore_acceptor_hostname" from MIT

I would argue for this to be a per-realm option if we do this, since it's a statement about a particular realm's KDCs being non-conformant.

From: mbaushke ietf
To: Robbie Harwood
Cc: "Mark Baushke (ietf)", curdle@ietf.org, kitten@ietf.org
Date: Mon, 2 Aug 2021 15:09:04 -0500
Subject: Re: [kitten] [Curdle] Diffie-Hellman modulus sizing in Kerberos PKINIT

Hi Robbie,

A 3k group is 128 bits of security strength and I have no issues selecting such to be either SHOULD or MAY.

For example, the 3072-bit MODP group 15 is reasonable for use with 128-bit symmetric ciphers such as aes128-{ctr,gcm} or chacha20-poly1305.

For the rest, yes, I agree.

Enjoy!
-- Mark

[Sent from my iPhone -- Please pardon any auto-fix created typos.]

> On Aug 2, 2021, at 12:14 PM, Robbie Harwood wrote:
>
> "Mark Baushke (ietf)" writes:
>
>> Hi Robbie,
>>
>> I made a few mistakes in my last message.
>
> No worries. To be sure I understand, though, please let me know if this
> matches what you're suggesting:
>
> - 1k: MUST NOT (matches the draft)
> - 2k: SHOULD NOT (strengthen the draft's MAY)
> - 4k: MUST (matches the draft)
> - 6k/8k: MAY (not present in draft)
>
> I'm probably fine to add larger groups like the 6k and 8k you suggest at
> MAY. If I read right, Heimdal implements MODP 6k and 8k already.
>
> For completeness: Heimdal also implements 3072-, 1636-, and 768-bit
> MODP. It seems worth taking a position on those groups as well. I
> imagine that position would be:
>
> - 3072: MAY
> - 1636: SHOULD NOT
> - 768: MUST NOT
>
> (though it may be cleaner to adjust the language to address sizes rather
> than specific groups at that point).
>
> Be well,
> --Robbie

From: Luke Howard
To: Greg Hudson
Cc: Luke Howard, "kitten@ietf.org", Alejandro Perez Mendez
Date: Tue, 3 Aug 2021 13:47:38 +1000
Subject: Re: [kitten] draft-perez-krb-wg-gss-preauth

Hi Greg,

That sounds like a great idea, although obviously it will require FAST for multiple round-trip GSS mechanisms. I’ve provisionally implemented it in Heimdal, albeit using its existing KDCFastState (below).

-- KDCFastState is stored in FX_COOKIE
KDCFastState ::= SEQUENCE {
        flags [0] KDCFastFlags,
        expiration [1] GeneralizedTime,
        fast-state [2] METHOD-DATA,
        expected-pa-types [3] SEQUENCE OF PADATA-TYPE OPTIONAL
}

Cheers,
Luke

From: Luke Howard
To: Greg Hudson
Cc: "kitten@ietf.org", Alejandro Perez Mendez
Date: Wed, 4 Aug 2021 21:43:56 +1000
Subject: Re: [kitten] draft-perez-krb-wg-gss-preauth

Greg,

If we make FAST a hard requirement, would you suggest dropping the PA-GSS type and encoding the context token directly?

Alex, is it possible to get the source for the draft? (If you’re amenable to me adding my name to it and progressing it, even as a personal draft.)

From: Greg Hudson
To: Luke Howard
Cc: "kitten@ietf.org", Alejandro Perez Mendez
Date: Wed, 4 Aug 2021 13:11:03 -0400
Subject: Re: [kitten] draft-perez-krb-wg-gss-preauth

On 8/4/21 7:43 AM, Luke Howard wrote:
> Greg, If we make FAST a hard requirement, would you suggest dropping the PA-GSS type and encoding the context token directly?

Note that FAST armor is not required to use the cookie. SPAKE preauth requires PA-FX-COOKIE support but not FAST armor.

I have no opinion on whether to encode the context token directly or give it an ASN.1 wrapper.

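Greg Hudson's earlier note in this thread points at the binding of the client principal to the cookie encryption key, and the KDCFastState posted above carries an expiration. The sketch below is an added illustration, not code from MIT krb5, Heimdal or the draft: it seals KDC-side state into a client-held cookie with an HMAC-SHA256 construction standing in for a Kerberos enctype, and every name in it (KDC_SECRET, cookie_key, seal_state, open_state, rejected) is an assumption of the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for the KDC's long-term secret (not a real krbtgt key).
KDC_SECRET = bytes(range(32))
NONCE_LEN, TAG_LEN = 16, 32


class CookieError(Exception):
    """Raised when a returned cookie must not be trusted."""


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def cookie_key(kdc_secret: bytes, client_principal: str) -> bytes:
    # The principal is an input to the key derivation, so a cookie sealed in
    # one client's exchange cannot be opened in another client's exchange.
    return _prf(kdc_secret, b"cookie-key\x00" + client_principal.encode("utf-8"))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode; a stand-in for the enctype's encryption.
    blocks = [_prf(key, nonce + struct.pack(">I", counter))
              for counter in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal_state(kdc_secret: bytes, client_principal: str,
               state: bytes, expires_at: int) -> bytes:
    """Encrypt-then-MAC the expiry and the state; the KDC keeps nothing."""
    key = cookie_key(kdc_secret, client_principal)
    nonce = os.urandom(NONCE_LEN)
    plaintext = struct.pack(">Q", expires_at) + state
    stream = _keystream(_prf(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = _prf(_prf(key, b"mac"), nonce + ciphertext)
    return nonce + ciphertext + tag


def open_state(kdc_secret: bytes, client_principal: str,
               cookie: bytes, now: int) -> bytes:
    """Verify before decrypting, then enforce the expiry inside the cookie."""
    if len(cookie) < NONCE_LEN + 8 + TAG_LEN:
        raise CookieError("cookie too short")
    nonce = cookie[:NONCE_LEN]
    ciphertext = cookie[NONCE_LEN:-TAG_LEN]
    tag = cookie[-TAG_LEN:]
    # The key is re-derived from the principal named in *this* request.
    key = cookie_key(kdc_secret, client_principal)
    expected = _prf(_prf(key, b"mac"), nonce + ciphertext)
    if not hmac.compare_digest(tag, expected):
        raise CookieError("integrity check failed")
    stream = _keystream(_prf(key, b"enc"), nonce, len(ciphertext))
    plaintext = bytes(c ^ s for c, s in zip(ciphertext, stream))
    (expires_at,) = struct.unpack(">Q", plaintext[:8])
    if now >= expires_at:
        raise CookieError("cookie expired")
    return plaintext[8:]


def rejected(kdc_secret: bytes, client_principal: str,
             cookie: bytes, now: int) -> str:
    """Return the rejection reason, or "" when the cookie is accepted."""
    try:
        open_state(kdc_secret, client_principal, cookie, now)
    except CookieError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    # Constructed sample: state of a half-finished multi-round-trip exchange.
    cookie = seal_state(KDC_SECRET, "alice@EXAMPLE.COM", b"partial-context", 1000)
    print(open_state(KDC_SECRET, "alice@EXAMPLE.COM", cookie, now=999))
    print(rejected(KDC_SECRET, "mallory@EXAMPLE.COM", cookie, now=999))
```

A cookie presented under a different principal fails the integrity check before any state is decrypted, which is the property a stateless KDC relies on when it hands its own state to the client between round trips.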

From: Luke Howard
To: Greg Hudson
Cc: "kitten@ietf.org", Alejandro Perez Mendez
Date: Thu, 5 Aug 2021 08:06:30 +1000
Subject: Re: [kitten] draft-perez-krb-wg-gss-preauth

> Note that FAST armor is not required to use the cookie. SPAKE preauth
> requires PA-FX-COOKIE support but not FAST armor.

Ah, I didn’t realise that. OK, that sounds like a good approach then.

us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CBA63A0E2C for ; Fri, 6 Aug 2021 11:23:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1628274213; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=Q1LUeQ4M4I4qGECGSUF1EpWJQ0l7m6I2tEijOm4BX4s=; b=U9LeXP55nNIE9YF06XtoEmBnvOyNUs1LDpflOQgpzDBJm9m9iIFMgylt80+dHnGZ3ynh9j yTBtfk8bUAryOGJr2yNAvurab9fgbeh2Aj9CVXHySrAGLtKDDjsWHCE/0rgqg4+7kiNI/h 8ZIVBIZ0uuh0CQR1pJW0dd0jkaozn0U= Received: from mail-qv1-f70.google.com (mail-qv1-f70.google.com [209.85.219.70]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-412-9AgouvKRMT6tYyXROnpcrQ-1; Fri, 06 Aug 2021 14:23:30 -0400 X-MC-Unique: 9AgouvKRMT6tYyXROnpcrQ-1 Received: by mail-qv1-f70.google.com with SMTP id kk20-20020a0562145094b029034e3ec4ffb4so941709qvb.11 for ; Fri, 06 Aug 2021 11:23:30 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:in-reply-to:references:date :message-id:mime-version; bh=Q1LUeQ4M4I4qGECGSUF1EpWJQ0l7m6I2tEijOm4BX4s=; b=FiD7P0T+Xr0+WGZJv1viFDO2c2qtlufcKqDjoEB1wGCwy6kcQFuH7j9tyn+M/8Y6Lh qc6zSEAltnbMzHYbmBcR1VmIEQAecRuz5BCwho7iUDlAwylXN0tgODJBbVwO6CkzZf51 94OsN2qUnwfhH3i+ro5qZqZVJszWPryK3EYebUV3zCBxNU7nehnKoXTlWvJrDlo8BhvO OgggADx+qY1n2mOcAnC5fPJsVT1xe8N0vQZ56imbgPg5+obD5E8iSEdK6q0wu8o9m/7b ko29BYyYxmwbkEpunh7G+MDsDbgQj6lEYOGhMTb0xkc7F34ZA4VJjJy2PfYn4uIqySRc nlZQ== X-Gm-Message-State: AOAM530vzFjteDi3ajRetxI3Rp+FlRHtSN+IoZmYRyqQcmwu+3nSzVTQ yUrMUucQ6jwyQEjz0g0ITQaxlTQMLZCHOM11rLp8CSrhdo6uPeUov78VG7RISxDt/KBGaVptC0Q bfJVXUB0= X-Received: by 2002:a05:620a:15f5:: with SMTP id 
p21mr11310507qkm.380.1628274209719; Fri, 06 Aug 2021 11:23:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJweul6HI4Z50RrBmQQAQUTmNJnCkyU+Ol0V1exWIq5UGIMr9+2rFMz8OscpeVPzRfUY60Rugw== X-Received: by 2002:a05:620a:15f5:: with SMTP id p21mr11310495qkm.380.1628274209554; Fri, 06 Aug 2021 11:23:29 -0700 (PDT) Received: from localhost (c-71-232-17-31.hsd1.ma.comcast.net. [71.232.17.31]) by smtp.gmail.com with ESMTPSA id n25sm4958657qkh.21.2021.08.06.11.23.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Aug 2021 11:23:29 -0700 (PDT) From: Robbie Harwood To: Mark D Baushke Cc: curdle@ietf.org, kitten@ietf.org In-Reply-To: References: Date: Fri, 06 Aug 2021 14:23:26 -0400 Message-ID: MIME-Version: 1.0 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=rharwood@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Archived-At: Subject: Re: [kitten] [Curdle] Diffie-Hellman modulus sizing in Kerberos PKINIT X-BeenThere: kitten@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Common Authentication Technologies - Next Generation List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Aug 2021 18:23:36 -0000 --=-=-= Content-Type: text/plain I have uploaded a -02 that hopefully provides the changes you were looking for. I was mistaken earlier about what Heimdal supports: while they test their DH implementation with many other groups, the built-in support is limited to 1k and 2k groups. So I've elected to make minimum size guidance rather than standardizing the intermediate groups, and limit the additions to 6k and 8k. 
Be well, --Robbie --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQJIBAEBCgAyFiEEA5qc6hnelQjDaHWqJTL5F2qVpEIFAmENfh4UHHJoYXJ3b29k QHJlZGhhdC5jb20ACgkQJTL5F2qVpEIjXQ/+OEVPcZhzELltO82Uh8MpUJ3cLede Xsekw73K1bd4VD+mZ7Jz6M2k8Olw+DQyabdaVhMc5t4Ju116XhO2gsBTPddcRHde 45uupSRMJvwXEk+YpDP32HPZiudMgdmy1shZgSClih15u89f0/4/XTofyw2rD+HN fA0NLglHMht11cBnXeWVbYkaamdcWlxIa3GKWgID+HvxCYGmU33e3pAsV5ECDnRq sGArPYDjpzuQmDT/R6v/iDuDnGJHpZ3vBjteU0q2nVLfgj1K776xymH29sKlpD9P Re/Uz+QRceZl5Ggoq9+KLrxKkYvVsq9QD+NHeGJxKNlC8OV/XWjZTasNa0JE26fh l0r3WU4Hh8GsSvhUUQyxc4d+83MUlqCpb8a2QlNNEL5c+OdVB9y8PFM1CNIR6sPx h/jyMLm41epE9K5Pa6OIu3ndztPHqvuqKRy6c9huIPizmwQ5vaUeCfXcMfoL54B7 wXW3zeGreqStkHKS0wdrGpeyKd9wL9JhCSWUTuOYD32qR0SmAKEdgFU9urNQVWJq xb7zXhLc5usdMt6JZcwLqp+XYCM+12JdSmloh7JI8F1FvqIEdzAiqMHcOtrAYkg8 NqShOW27zmmhqtfFYAbgIMqHtosVPyWi3HNnOxS7RKaWKQZeE+bbQhLzwzLv9Szc Bph0LDf97YSc5xA= =6KLR -----END PGP SIGNATURE----- --=-=-=-- From nobody Fri Aug 6 13:50:43 2021 Return-Path: X-Original-To: kitten@ietfa.amsl.com Delivered-To: kitten@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 347993A16CC; Fri, 6 Aug 2021 13:50:35 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.097 X-Spam-Level: X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y6RlUA9obnzG; Fri, 6 Aug 2021 13:50:31 -0700 (PDT) Received: from mail-pj1-x1035.google.com (mail-pj1-x1035.google.com [IPv6:2607:f8b0:4864:20::1035]) (using TLSv1.2 with 
From: "Mark Baushke (ietf)"
Date: Fri, 6 Aug 2021 13:50:26 -0700
To: Robbie Harwood
Cc: kitten@ietf.org, curdle@ietf.org
Subject: Re: [kitten] [Curdle] Diffie-Hellman modulus sizing in Kerberos PKINIT

Hi Robbie,

> On Aug 6, 2021, at 11:23 AM, Robbie Harwood <rharwood@redhat.com> wrote:
>
> I have uploaded a -02 that hopefully provides the changes you were
> looking for.

I think you meant to type -01 as
https://datatracker.ietf.org/doc/draft-harwood-krb-pkinit-dh-upsize/01/
aka
https://www.ietf.org/archive/id/draft-harwood-krb-pkinit-dh-upsize-01.txt
is the latest version of the draft.

>
> I was mistaken earlier about what Heimdal supports: while they test
> their DH implementation with many other groups, the built-in support is
> limited to 1k and 2k groups. So I've elected to make minimum size
> guidance rather than standardizing the intermediate groups, and limit
> the additions to 6k and 8k.

This seems reasonable to me.

I have reviewed draft-harwood-krb-pkinit-dh-upsize-01.txt and it looks good to me.

>
> Be well,
> --Robbie

        Be safe, stay healthy,
        -- Mark

From nobody Mon Aug 9 02:00:16 2021
From: Stefan Metzmacher
Date: Mon, 9 Aug 2021 10:59:58 +0200
To: Greg Hudson, Nico Williams
Cc: kitten@ietf.org, Samba Technical, "krbdev@mit.edu Dev List"
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Hi Greg,

> On 8/2/21 10:49 AM, Stefan Metzmacher wrote:
>> To summarize the discussion we had active directory DCs do transited
>> checking (even without a PAC) and fails to issue service tickets
>> if the check fails, so any service ticket is already checked,
>> but without TKT_FLG_TRANSIT_POLICY_CHECKED being added to the
>> ticket.
>
> I just want to acknowledge here that we're taking on technical debt
> because the non-conformant party is perceived to be inflexible.
>
>> The initial solution I proposed was:
>>
>> gss_set_cred_option(acceptor_creds, GSS_KRB5_CRED_NO_TRANSIT_CHECK_X)
> [...]
>> But it seems gss_set_cred_option() is not accepted because it's
>> a deprecated.
>
> Personally I'm fine with this.

Ok, should I just use a different oid (I can allocate one from the Samba pool)
and submit the changes to MIT without the "wait for heimdal first" tag?

It would be great to have that in MIT and we can also apply it to
Samba's fork of Heimdal and have most Samba setups covered.

>> 1. An additional cred_store element could be passed to
>> gss_acquire_cred_from() in order to set the
>> GSS_CF_NO_TRANSIT_CHECK flag on acceptor_creds
>
> This is similar to a cred option. I don't see any strong advantages of
> one over the other.

Same here, I just wanted to find ways to make Nico happy.

>> 2. I think someone had the idea of using gss_set_sec_context_option()
>
> This seems hard to do without (per-thread) global state. Even if we
> bring in gss_create_sec_context() from some versions of the channel
> bindings draft, the mechglue doesn't know mechanism will be used to
> accept the context, so it would have to store OID/value pairs in the
> mechglue context and replay them to the mech context once it finds out
> which kind of mech context to create. (And hope that all of the context
> option values are flat byte strings, not structures containing pointers
> to objects whose lifetimes might have expired between the
> set_cred_option() call and the first accept_sec_context() call.)
>
> Doing this with global state seems strictly worse than communicating the
> flag via the cred.

Yes, it seems way too complex.

>> 3. Implement a krb5.conf option similar to "dns_canonicalize_hostname"
>> or "ignore_acceptor_hostname" from MIT
>
> I would argue for this to be a per-realm option if we do this, since
> it's a statement about a particular realm's KDCs being non-conformant.

Ok. I can also implement that in addition to the GSS_KRB5_CRED_NO_TRANSIT_CHECK_X
option.

Thanks for the feedback!
metze

From nobody Mon Aug 9 05:15:31 2021
From: Stefan Metzmacher
Date: Mon, 9 Aug 2021 14:15:07 +0200
To: Stefan Metzmacher, Greg Hudson, Nico Williams
Cc: kitten@ietf.org, Samba Technical, "krbdev@mit.edu Dev List"
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

On 09.08.21 at 10:59, Stefan Metzmacher wrote:
>
> Hi Greg,
>
>> On 8/2/21 10:49 AM, Stefan Metzmacher wrote:
>>> To summarize the discussion we had active directory DCs do transited
>>> checking (even without a PAC) and fails to issue service tickets
>>> if the check fails, so any service ticket is already checked,
>>> but without TKT_FLG_TRANSIT_POLICY_CHECKED being added to the
>>> ticket.
>>
>> I just want to acknowledge here that we're taking on technical debt
>> because the non-conformant party is perceived to be inflexible.
>>
>>> The initial solution I proposed was:
>>>
>>> gss_set_cred_option(acceptor_creds, GSS_KRB5_CRED_NO_TRANSIT_CHECK_X)
>> [...]
>>> But it seems gss_set_cred_option() is not accepted because it's
>>> a deprecated.
>>
>> Personally I'm fine with this.
>
> Ok, should I just use a different oid (I can allocate one from the Samba pool)
> and submit the changes to MIT without the "wait for heimdal first" tag?
>
> It would be great to have that in MIT and we can also apply it to
> Samba's fork of Heimdal and have most Samba setups covered.
>
>>> 1. An additional cred_store element could be passed to
>>> gss_acquire_cred_from() in order to set the
>>> GSS_CF_NO_TRANSIT_CHECK flag on acceptor_creds
>>
>> This is similar to a cred option. I don't see any strong advantages of
>> one over the other.
>
> Same here, I just wanted to find ways to make Nico happy.
>
>>> 2. I think someone had the idea of using gss_set_sec_context_option()
>>
>> This seems hard to do without (per-thread) global state. Even if we
>> bring in gss_create_sec_context() from some versions of the channel
>> bindings draft, the mechglue doesn't know mechanism will be used to
>> accept the context, so it would have to store OID/value pairs in the
>> mechglue context and replay them to the mech context once it finds out
>> which kind of mech context to create. (And hope that all of the context
>> option values are flat byte strings, not structures containing pointers
>> to objects whose lifetimes might have expired between the
>> set_cred_option() call and the first accept_sec_context() call.)
>>
>> Doing this with global state seems strictly worse than communicating the
>> flag via the cred.
>
> Yes, it seems way too complex.
>
>>> 3. Implement a krb5.conf option similar to "dns_canonicalize_hostname"
>>> or "ignore_acceptor_hostname" from MIT
>>
>> I would argue for this to be a per-realm option if we do this, since
>> it's a statement about a particular realm's KDCs being non-conformant.
>
> Ok. I can also implement that in addition to the GSS_KRB5_CRED_NO_TRANSIT_CHECK_X
> option.

I just found the "reject_bad_transit" option that's already implemented for
the MIT kdc, but I guess we want an extra option, correct?

Do we want the new "no_transit_check" option to be used via:
krb5_appdefault_boolean()?

That would allow the following combinations in MIT:

1:
    [appdefaults]
    app = {
        SOME.REALM = {
            no_transit_check = true
        }
    }

2:
    [appdefaults]
    app = {
        no_transit_check = true
    }

3:
    [appdefaults]
    SOME.REALM = {
        no_transit_check = true
    }

4:
    [appdefaults]
    no_transit_check = true

While heimdal falls back to 2 additional options:

5:
    [realms]
    SOME.REALM = {
        no_transit_check = true
    }

6:
    [libdefaults]
    no_transit_check = true

metze
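
Added example (not part of the thread, and not MIT or Heimdal code): a self-contained C model of how the proposed no_transit_check option from the message above would resolve through the six listed krb5.conf locations and feed an acceptor's transited-check decision. The application name smbd, the realm names, the flattened profile table and the most-specific-first precedence are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 4120 ticket flag bit 12 (transited-policy-checked). */
#define TKT_FLG_TRANSIT_POLICY_CHECKED 0x00080000u

/* One "no_transit_check = <bool>" relation of a krb5.conf-style profile,
 * flattened to its path. NULL marks an absent nesting level. */
struct relation {
    const char *section, *sub1, *sub2;
    bool value;
};

/* Constructed sample profile (hypothetical application and realm names):
 *   [appdefaults] smbd = { AD.EXAMPLE = { no_transit_check = true } }
 *   [realms]      LEGACY.EXAMPLE = { no_transit_check = true }        */
static const struct relation SAMPLE[] = {
    { "appdefaults", "smbd", "AD.EXAMPLE", true },
    { "realms", "LEGACY.EXAMPLE", NULL, true },
};
static const size_t SAMPLE_N = sizeof(SAMPLE) / sizeof(SAMPLE[0]);

static bool same(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Exact-path lookup: returns true and stores the value when the path exists. */
static bool lookup(const struct relation *p, size_t n, const char *section,
                   const char *sub1, const char *sub2, bool *out)
{
    for (size_t i = 0; i < n; i++) {
        if (same(p[i].section, section) && same(p[i].sub1, sub1) &&
            same(p[i].sub2, sub2)) {
            *out = p[i].value;
            return true;
        }
    }
    return false;
}

/* Resolve the option for one application and client realm. Paths 1-4 are the
 * [appdefaults] forms listed in the message, tried most specific first
 * (assumed precedence); paths 5-6 are the two extra Heimdal fallbacks. */
bool resolve_no_transit_check(const struct relation *p, size_t n,
                              const char *app, const char *realm,
                              bool heimdal_fallback)
{
    bool v = false;

    if (lookup(p, n, "appdefaults", app, realm, &v)) return v;     /* 1 */
    if (lookup(p, n, "appdefaults", app, NULL, &v)) return v;      /* 2 */
    if (lookup(p, n, "appdefaults", realm, NULL, &v)) return v;    /* 3 */
    if (lookup(p, n, "appdefaults", NULL, NULL, &v)) return v;     /* 4 */
    if (heimdal_fallback) {
        if (lookup(p, n, "realms", realm, NULL, &v)) return v;     /* 5 */
        if (lookup(p, n, "libdefaults", NULL, NULL, &v)) return v; /* 6 */
    }
    return false; /* unset: the acceptor keeps checking */
}

enum verdict {
    ACCEPT_KDC_CHECKED,   /* KDC set TRANSIT-POLICY-CHECKED */
    ACCEPT_LOCAL_CHECK,   /* acceptor validated the transited path itself */
    ACCEPT_CHECK_SKIPPED, /* option set: trust rests on the issuing KDC */
    REJECT_BAD_TRANSIT
};

/* Acceptor-side decision for a cross-realm ticket. local_path_ok stands in
 * for the result of the acceptor's own transited-path check. */
enum verdict transit_verdict(const struct relation *p, size_t n,
                             const char *app, const char *client_realm,
                             unsigned ticket_flags, bool local_path_ok,
                             bool heimdal_fallback)
{
    if (ticket_flags & TKT_FLG_TRANSIT_POLICY_CHECKED)
        return ACCEPT_KDC_CHECKED;
    if (resolve_no_transit_check(p, n, app, client_realm, heimdal_fallback))
        return ACCEPT_CHECK_SKIPPED;
    return local_path_ok ? ACCEPT_LOCAL_CHECK : REJECT_BAD_TRANSIT;
}

int main(void)
{
    const char *realms[] = { "AD.EXAMPLE", "OTHER.EXAMPLE", "LEGACY.EXAMPLE" };

    /* Flag unset and local check failing: only exempted realms are accepted. */
    for (size_t i = 0; i < 3; i++) {
        printf("%-15s mit=%d heimdal=%d\n", realms[i],
               (int)transit_verdict(SAMPLE, SAMPLE_N, "smbd", realms[i], 0, false, false),
               (int)transit_verdict(SAMPLE, SAMPLE_N, "smbd", realms[i], 0, false, true));
    }
    return 0;
}
```

Scoping the option to one application and one realm leaves tickets from every other realm subject to the acceptor's own check, which is the per-realm argument quoted in the message above.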
required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eb1luH4040lk for ; Wed, 18 Aug 2021 09:20:20 -0700 (PDT) Received: from mail-oi1-x235.google.com (mail-oi1-x235.google.com [IPv6:2607:f8b0:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 792553A05AA for ; Wed, 18 Aug 2021 09:20:20 -0700 (PDT) Received: by mail-oi1-x235.google.com with SMTP id u10so4098813oiw.4 for ; Wed, 18 Aug 2021 09:20:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=bN75RPo+hOLQ0kQevPvhEiffIi4FJhlboSmBu2fybLs=; b=kO8woV1aJoiRmOO0Lt/yatBVvo9r9vbK1v01vpG4YwpcKwfdEZwXyLSspsxiV7Dwru 8Zu29Q4SwIIgHsaiHFsKE1C7vrEqUZIqJXJ/Ae2GLvpGLH9Zf7KXBud7IqLNOIVR4YWC DE2iZGNOKGCWGvTEZV6EIl1VqNh+DE3FCU2isgKNwkyB/7eDsUJG1gjuCdNs9SNHXS2u I0wJCxKRtm+/HzY7DqudGWNgqAhCcedyQpH12yZcvw6hKyaz8rmMGuG2mF28ntkfYxaj ACGSGXYRcZO9PBHnLESyLPGFZnuEQ/9MfbudZrqSYPdFxgP8sNnn3DDLVKQS5R4DWqiU KZHw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=bN75RPo+hOLQ0kQevPvhEiffIi4FJhlboSmBu2fybLs=; b=rleb3W5kNMjWwvY8L3FvHLmPAa+fNpGRi6+KQ5jhbXr314My/oZpVwHRXOQOWmQDGD WR8Bp/L3+8O/jEy7RmeDiJzu4mvsHKkopt/3UonWnteRRiE7EbMz5z4/9FHotvE3VxMm axCACGZFID/1oYL9Sc+aeqb3DylkweIiSX+bl81xfC4iZ/Td72S7P/0LLIa3sqX4KgeU fHJifLkQAed38QiAteoy44/F2Wo+GGXlfg2L7J2jsiJxTmdXZahW5Qg0STn1bcN0NAnz fsMeyuUKNXTUiot9X7Qj4x43ELuCVwh13ooAeMbds0vsWxVXBDtMl1pffQOg5GjZ5WGH 
09wg== X-Gm-Message-State: AOAM5302A2FF63Jd73WhNyx3yvydSQB7HUsKjHZtMIYGhxnMHPxUEQiv DkKNMPuQkxm+Oqx5koCy+wroa5criSD5S2esB1zYfmi4UB4= X-Google-Smtp-Source: ABdhPJzfSPozz67Ec5nQ6Yo4JsVCut7uq3OFDVblG8YVkLxwC3PdmarB1REYpgzfNbo4UnLc7KpRAl4c8t+02bKEIhY= X-Received: by 2002:a05:6808:10c1:: with SMTP id s1mr7504189ois.69.1629303619143; Wed, 18 Aug 2021 09:20:19 -0700 (PDT) MIME-Version: 1.0 From: bc a Date: Thu, 19 Aug 2021 00:20:10 +0800 Message-ID: To: kitten@ietfa.amsl.com Content-Type: multipart/alternative; boundary="000000000000734aee05c9d7cf5e" Archived-At: Subject: [kitten] One question about Kerberos Protocol in the RFC 4120 X-BeenThere: kitten@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Common Authentication Technologies - Next Generation List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Aug 2021 16:38:00 -0000 --000000000000734aee05c9d7cf5e Content-Type: text/plain; charset="UTF-8" reply --000000000000734aee05c9d7cf5e Content-Type: text/html; charset="UTF-8"
reply
From mrcatcrack@gmail.com Wed Aug 18 08:54:01 2021
From: bc a
Date: Wed, 18 Aug 2021 23:53:47 +0800
To: kitten@ietf.org
Subject: [kitten] One question about Kerberos Protocol in the RFC 4120

Dear Kitten members,

I'm Xiaoxing Xu and I'm a cyber security researcher from China. I had a question about Kerberos v5 when I read the RFC 4120 paper, and I hope to get your reply.

The question is, I see the "key" appears in the "enc-part" field in the "tickets" chapter of section 5.3, just as the first picture shows, and the "key" is used to pass the session key. So we can think the authentication server creates a session key and puts it in the "enc-part" of the "tickets" field in the AS-REQ phase.

[image: image.png]

Then in section 5.4.2, I found that a "key" also exists in the "enc-part" of "KDC-REP"; that is to say, there is also a "key" in the "enc-part" of the AS-REP phase, not the "enc-part" of the "ticket". So I want to know whether it can be considered that the authentication server creates two "keys" in the AS-REP phase, one in the "enc-part" of the "ticket" field and the other in the separate "enc-part", and whether these two "key" values are the same?

Thank you so much for your help.

[image: image.png]

Best regards
Xiaoxing Xu
nvP7sw2XNvnrdYF77aMQzzc2qHb9gvBovqqpVV6rfvFCKHENf0in/3jOGQ9iID/eKphz2ycQ4xrj 7n4L7Vi0+6wNtNqXOFftP8r2j+mHe12jvDgXNrxvsn+mdin9N38j0rHf7Xu9ICr/nB/yQqPE1/in 8pvxZy7b+uhZqnMhZsXxtOc/5yHwDgIVYarbdmHs6fYPOf//mH66P95Of2MWKqbLsH10TeV1P5b9 L+TunQ93+qRmWFMqaY5LYNPC/CjYXcen0x0lmtQDAhCAAASeSqAizJ9ahjP2rnJudXyrft1aD9I/ hQDC/CkYW0bcFbtcJWul5RwEIAABCEDgywikle/CqviDKNSKuLnb/qDpJ2RfVtNZvHsCzoOYQJgf JJBUAwIQgAAEIAABCEBg3wQQ5vuOH95DAAIQgAAEIAABCByEAML8IIGkGhCAAAQgAAEIQAAC+yaA MN93/PAeAhCAAAQgAAEIQOAgBBDmBwkk1YAABCAAAQhAAAIQ2DcBhPm+44f3EIAABCAAAQhAAAIH IYAwP0ggqQYEIAABCEAAAhCAwL4JIMz3HT+8hwAEIAABCEAAAhA4CIFNC/NhGCb+wYA2QBugDdAG aAO0AdoAbeAb2sCmhfk///M/T//yL//CPxjQBmgDtAHaAG2ANkAboA0cvg1sWpgf5K4E1YAABCAA AQhAAAIQgECXAMK8i4gEEIAABCAAAQhAAAIQeD0BhPnrGVMCBCAAAQhAAAIQgAAEugQQ5l1EJIAA BCAAAQhAAAIQgMDrCSDMX8+YEiAAAQhAAAIQgAAEINAlgDDvIiIBBCAAAQhAAAIQgAAEXk8AYf56 xpQAAQhAAAIQgAAEIACBLgGEeRcRCSAAAQhAAAIQgAAEIPB6Agjz1zOmBAhAAAIQgAAEIAABCHQJ IMy7iEgAAQhAAAIQgAAEIACB1xNAmL+eMSVAAAIQgAAEIAABCECgSwBh3kVEAghAAAIQgAAEIAAB CLyeAML89YwpAQIQgAAEIAABCEAAAl0CCPMuIhJAAAIQgAAEIAABCEDg9QQQ5q9nTAkQgAAEIAAB CEAAAhDoEkCYdxGRAAIQgAAEIAABCEAAAq8ngDB/PWNKgAAEIAABCEAAAhCAQJcAwryLiAQQgAAE IAABCEAAAhB4PQGE+esZUwIEIAABCEAAAhCAAAS6BBDmXUQkgAAEIAABCEAAAhCAwOsJIMxfz5gS IAABCEAAAhCAAAQg0CWAMO8iIgEEIAABCEAAAhCAAAReTwBh/nrGlAABCEAAAhCAAAQgAIEuAYR5 FxEJIAABCEAAAhCAAAQg8HoCCPPXM6YECEAAAhCAAAQgAAEIdAlsW5j//T39/PFj+iH//fw9/RXV +vPLnI9pf/1Jqf7+/rnYcPn//JrE6ZSuvfF3+v3zx/SjkDHa//lbehatzflmv4pp/vxa/CvYj5b4 hcCuCMh27fvtn+lX7J+mH99Tr9Dvfk7FbnePwbfmESx+/JrCaCWPxXrJY26si2nf6iyFQeCFBGwb v6GdizGmOLc+7PUT5m/hY64fbN3p3w+H7AAGti3MHeA/vybZ4dxkLPdDEtuY/0y/ZoHrJ28pdudO Ig+tiaO7APj1Z7Gb8jh7ztjf39OvgkII+VLqye67fD+FSHH+3urbYp0tCGyMgLkIzvrjg+7++RUF 7IOGPpL97/T7l15ocG78+SXHs8KY8xFfKRQCbyBgxovVJRqdsDpfJ6Gdr+1+d/7uzu/0704IvvL0 7oT5NOUNOU1kWefM094T5eVioGGvIsyz8szA8/f3L7Pi1ygjM8YBCGycgGjvblLrrhiJi1RXM5/n x49wMZ5WnhbhGoS5XHWyQl2e+zH9uNG+9CHcuVvKjuSjj/78r1/TL1NGTFf6zS7Es3GE8aDEjWMH 
JSDGC7co5/pUXKjyF/VxLLDVz+Z+lyD2fTEmxDHkhj6qipL+TW49rj1/986X9Iwqj52vJLA7YZ5d sYrJ23VitZqeTXJ3xDiuiPusjUlyVVl/skm72HHvHTTuqB5ZIPBSAn4iC7eDVd+cC81WvF1/s+0/ PtIWj//9Pf2en1QLolhMvH4yXsTzM+wrv80KWOmOXuZ/E7AeU4rjQXz8x/8udWua5SQE9kjACF/X v6Iw99WpzbNFYe6Vc3YnOy3k3czn9vm72J/jOObLjxcP8ZFc+vfNYTlghl0I87BSFRqumiTngKSO ZjtnrRPfEMh4ld7zofYoy1KU64BSQIQz/Y67WGALArsjIFa9nIjW/ddOSpXJqdGPSxfqy2T+qH0t miN73Wf1M6j3PAO+XDzkE38sM/26CwOlVNIZNiCwMwKu7xghaoW43a+NBXbuFySSPnDHavlF+vLm ffO3Hiuc5U4fp3+X8X/Z0V0I8zSZ+5Uz05H9inl+LMSx0wluDnZ5ovZmWh3ei5NclLt82a3swqM6 N7tJBghshYCZWNUkOZWfsc5cb/StRdSKXKnMR+2X+3s+2Yqy7Yq6OFXdjPVLfldTuhGj+Fx6Kwfn ILBNArkwz+ZD2ydiX7EVaghzKcb1+GONVPYfmL+z+nTnd/p3JQpfdXhfwtyFxnUSs2LU6myuYyRh 70MbVriMiZVBL0/UwWz9jz/VrW070Ex/pt/ij0bzjrzSNZJBYIsEbHs3K0J5/yxUojYZx8fYslvD y4X64/btBbWeOLMLA1O/Qm0Kh9yY9HP6aVcP5/qp8asw/hUMcggCuyCg76IVVqWV4A53wFR/iLVU 6eLB5ddrhMY4sqTUW/5ROTm+2PGsO3+353dd/7K+0R6x9w0Eti3M/Qr5fHtbdA7ZWfx2egbTTqIh hDrN8scktwTYTfDxcRY5MMjj8fwixMu30u1FgfLPnrzFSdJCYEsE/EqT7b/hwnjpI8sfeKb+k14J OKdN/TvYil0k9L2f0+/f4nWjhcfFVP9Sz2m37QeUeR+O5bvzdds3BqIhLFQZYhy8sQSSQ2CTBGT7 ln0rOCv738/p95/wCuUwB5f7b/FxMq8llgv2dSBk2fExu1w/SP/toqEr56bz9O91oTl4qm0L84PD p3oQgAAEIAABCLyYwB2r5S/2CPMQqBJAmFfRcAICEIAABCAAgb0SsHe08xX5vdYMv49MAGF+5OhS NwhAAAIQgAAEIACB3RDYtDBfnjldnu/6pmO7aUU4CgEIQAACEIAABCDwMIFNC/OHa4cBCEAAAhCA AAQgAAEI7IQAwnwngcJNCEAAAhCAAAQgAIFjE0CYHzu+1A4CEIAABCAAAQhAYCcEEOY7CRRuQgAC EIAABCAAAQgcmwDC/NjxpXYQgAAEIAABCEAAAjshgDDfSaBwEwIQgAAEIAABCEDg2AQQ5seOL7WD AAQgAAEIQAACENgJAYT5TgKFmxCAAAQgAAEIQAACxyaAMD92fKkdBCAAAQhAAAIQgMBOCCDMdxIo 3IQABCAAAQhAAAIQODYBhPmx40vtIAABCEAAAhCAAAR2QgBhvpNA4SYEIAABCEAAAhCAwLEJIMyP HV9qBwEIQAACEIAABCCwEwII850ECjchAAEIQAACEIAABI5NAGF+7PhSOwhAAAIQgAAEIACBnRBA mO8kULgJAQhAAAIQgAAEIHBsAgjzY8eX2kEAAhCAAAQgAAEI7IQAwnwngcJNCEAAAhCAAAQgAIFj E0CYHzu+1A4CEIAABCAAAQhAYCcEEOY7CRRuQgACEIAABCAAAQgcmwDC/NjxpXYQgAAEIAABCEAA AjshgDDfSaBwEwIQgAAEIAABCEDg2AQQ5seOL7WDAAQgAAEIQAACENgJAYT5TgKFmxCAAAQgAAEI 
QAACxyaAMD92fKkdBCAAAQhAAAIQgMBOCCDMdxIo3IQABCAAAQhAAAIQODYBhPmx40vtIAABCEAA AhCAAAR2QgBhvpNA4SYEIAABCEAAAhCAwLEJIMyPHV9qBwEIQAACEIAABCCwEwII850ECjchAAEI QAACEIAABI5NAGF+7PhSOwhAAAIQgAAEIACBnRBAmO8kULgJAQhAAAIQgAAEIHBsAgjzY8eX2kEA AhCAAAQgAAEI7ITAdwvzyzCdTqf833mcrs8IYM3+6TyNpoDreJ7O9uAKHy6D8z+3tyLrqiTBvmZ0 j5+rCvvmRKmtyFhep/Es2BfaZS8+zfPXcTqr9j9MFxMD1y6zPjLoVCqN8/EyTCFJx/9UZ1FH78/C QNmOvvbKn+sQ86b2KssrsDRVX3ab+ZY6pnKWnKu2VIyGcRqHefyR5ca6u1/je6ynj5M4J49736S9 OU5ZbIX9mD/Vy+afaxfTpfJj/GX6hv+rIE2XaTid7hoj19knFQQgAIFtEPhuYe5icBnMYH+ZBjG5 PRQmYdtNXlFPXIZFeDxkf878qL3LkAuyxS8nPPT5R8tbbIetdvk29UH3RVvJaxja5GUcsgu6aerF p3d+mq5Fu8aLin9elMWG7bLMYkwempyoOo9T5r+w2e0fIq30rFi+6L+ubmfVfm/r396+sJePF7M3 Ff+kr8Vtk69fnva/WP/T0l/z2F4X4e8cMuXHWMV1gx6/cvmnNNb17BeZlA5mfpYScQwCEIDA/gkg zNOAbyYsF9soMka5srhMejHDDAQQAAAgAElEQVT8fnKKK0Jnt+KVC2+XRouVObdYVUorU9Hw/Nuz n4SysHVKk3NYaUorY1JkzKtQ6dxcB+1nLuwcl5TGrLraOsTVQL1iFxka34rlGxgv2XV1dKu20S9b SOW84q1XfS0HazHbT+0wO+Pboed9Hachu6vSiU9BuKv4TY8I88s0pIZQ8Dseiu2l6H9IVO0fwkbO VIvUmFTa8sL0Mk7n5Gc5T8zb/a3FqXa8Z7CXL50vjE+u/6Z6iYJSnlJsjZ2U1hyfzbX5VcoXrizC vGxfJm1uJz+bqTgJAQhAYPcEEOZSXCnROsfWnxeCzUwQXjTLydGnv0GYxyZk7MbDa+xrYS589dcW xhfnn6lne8U6F36pPOfk9TJd4vKaL0+sli2VCI9MxHKv4zSKpyHa5Ucjr/ytCO9UZO98Snj/RiX+ zuDCpyRuOvEpCHMVv0eEeUNoSxBt/0NKKaZl3rRd4lM65jIIv+KKcfy1K8LJfnMjxj9/jCRlq/mS EtQ34sVrehREJm2NT6KeMkup/st504Za9kXbKPKrlb8UlhY3inWT6XrbD/DtmeY8BCAAgS0RQJin Ad9MWDFKcbUv7qvJqJInphW/dwkPJ6ri86bClt1ME3sUvilBeUXargwvwillFBtClMwr2nrlMi9D Xqd4Q4qZMD1vtsvP02/miBQ18Y5JkdEKj1M7NGndHQkBNG9Hvfj0zpdWVY0PbrfkXyeu3krX/1BW Xi/jQ6n80jGXTfiVC8rHVsydn7r9z37WfDHV6O7aC+dktzAWpHPGarH+MY2xk2yY43PyJj9RTrSe /XbsZ+kLBxxzu5hQSMYhCEAAAocggDBPE0clnjsR5oN/3Eavlvvnj1cJe5tPsnDCrnbenctX5IWO DIY6E/huhbnE9Oh2pR16UWJE/0kBbsXHOdU7XxDmts07M0X/+iK3738A59KpalmeN5QvbS3CMtRh uPR9tkXr/bKALfPROdftmXgV6x0tlR8lqdbfZzP1b9o3bcO3C5lfbkefzG/Hvkld332WnXoJnIEA BCCwCQII88KAr4SiFSlGZLpJUK+guYk1f5xDTpbFyBf8cOnW2E+PJvjnvbWIzvPnpaf8ocDprJ61 
NkJBZbcTc1g9zwSWYaZMeL0kxH2hDjb98/dDzOydhKWc3vkl5d1bxfiXRaBqn13h3Ypf8FaJV3fI tvn5mG7nMW+r/a/xf7GTtZtwKvy/yCf0D3WhYlacdd3mOGZ3lmRBetvdjZJ+uf6kyovJK/7F0+Vf 549o+z6REdsFuzL+Wf829XexVP4W9m1ctX35B8c5v6x83x4Fs47/ZS6FowU7hVQcggAEILB7At8t zN0kZVcj/f4sbsV5Pzl70Rj+yE9OZulRktmWnMj9xKjKkMJ5nujU+fyPEFv2w7kwuXvRMNtq+ZcJ UFEve06XbUVEEHELw/M0joFpYFCun+LjulCj/Pf0sOinjI0suXdepr1zOxMe8hGhyD364dpIONaL T/O84q7/eDXGSLapFOd4cq6qLiOKsnX+t/vHLLxt/zDlKx+F6JbHU39wdRZp+tGSzJ/9jLmx7esZ Y237loyPbqeKf6FukoN6JESMbym23odgX+Zr8VPln2L81/vfj0GwlXxYlYFEEIAABPZJ4LuF+T5j htdHJJAJ8yNW8sB1+mT8hMD24vWTvrwsxOFCD3H+MsAYhgAENkIAYb6RQODGlxNI4kqsmH45kn1U f1n1/oxodII1tpnoi15R3wdHvIQABCAAAUcAYU47gAAEIAABCEAAAhCAwAYIIMw3EARcgAAEIAAB CEAAAhCAAMKcNgABCEAAAhCAAAQgAIENEECYbyAIuAABCEAAAhCAAAQgAAGEOW0AAhCAAAQgAAEI QAACGyCAMN9AELbggnxnsXuncXpVdHpbyMl8SGkLXuMDBJ5EILXz+IYTYTedO+mP9fgk8U0od/QP aVe9qz33wfXPe976Et4xntsTtXto077DPL0PPQ4goo73+P+Qc2SGAAQgsEMCCPMdBu35LtsveBZK OOS7kQv15NB3Eqi1b/NBIieQo+ZUoGr5VSKzI/JIu+pLvCbLPbuP2pNfAi2Vn583Xy91mURdSzY4 BgEIQAACgQDC/Mtbgl0p9yteha8HVidW8/XIfFVsWVH0X6u8jNP5pFcX1arbMExDqfwvjxPVfzGB inC8jvKT9M6Hguj0h4e7VrRjraQwj8f874oVZ9WHz+M0DnqFPAlzYWv5wq/8Qqv9sqk5N6/q2wuT JMwrDGM98rHBfvVXjwuBA+OHag/sQAAChyeAMD98iNdU8IEV8+tlulyXMpzIlhO33i98vc9M5l5k IMwXoGy9h4Bph7HQojAvtc9K/min91sV5jFjxb7vL7rDTf4CWPXJWah7Ya4/PpREuyjnZOqXhHdM Y37lhXVRfLv0Ff8nxg9Dk10IQODbCSDMP9EC/s//Y5r+m3+apn/6V9P0r/8xTf/a/fIPBrQB2gBt 4KvbgJsT/uv/cpr+93/3iZmJMiEAgQ0QQJi/OwhOlP/Tf4YQ50KENkAboA3QBipt4B/T9L/+y7tn J8qDAAQ2QABh/u4g/Ff/RWUgZqXsq1fKECj0C9oAbUC2AbeAw38QgMDXEUCYvzvkcuD93/6Xafp/ /uO7PVDlyedDs1edTfIPr05TOn8Sz6mqPyg7T+M4+HTLY6/6D8jO7o87x+UB2Lx8YVt5yg4EXkig 9gy0fzxatP2lYWtnGvl1QrOn+o8rR7b/Ff3P+idfdZrOhWfM5R+JymfBu31Q/YG39M89Oi7YnPQf nU4bGT9Cva1vJg5b2f2//r2+ONmKX/gBAQi8jQDC/G2o54L8c+Xz6vj/9/++u/TPl3evgPm853hw ZAKPtstH8x+Z7TPrdgdnd/EgL0Se6c5LbKW/O/rHS8xjFAIQ2DYBhPm74yNXzN9d9ofKU6tq5o0P H3KJYiGgCaSV61tXVpdV7V2JP137Te89Nn64O3Z6lX/TlXXOfeEcsfmY4CAE3kgAYf5G2L4oBt13 
E6c8CEAAAvshwByxn1jhKQReQABh/gKoTZMMuk08nIQABCDw1QSYI746/FQeAgjzd7cBBt13E6c8 CEAAAvshwByxn1jhKQReQABh/gKoTZMMuk08nIQABCDw1QSYI746/FQeAgjzd7cBBt13E6c8CEAA AvshwByxn1jhKQReQABh/gKoTZMbG3TDGw9ufRNFs4achMD+CDTeyhLf/11+68oDb2VJZcp3gZ+m 0wHfXOQYlvk90FQkP89MfDNhzww3Nkc8ECGyQgACdxBAmN8B7aEsGxx0LwPC/KGYknn/BGrvx3bi z31U6DqqD2NlFa7lzxKaA1m+yzTsTFRehg++jvAyTPKbT/4iSh4wuHexu8E5YhfccBICByGAMH93 IDc46CZhLleg0rt/xSrUya7mxXNC2EcbOxMX724GlLcxAplANv69XJhfp3EYp+WbuP6zneEruuM4 nV3f8/9yERxX9P358ziN4kI7vgPcr1bHvpn17XL//em/6nmexossX6SdYv+PvoVfpYtTmfWP/EQf s/rNeYdW/YUw93ZU4S6Gxkc1LsVzok7RX5XOtIVX725wjnh1lbEPAQgsBBDmC4v3bG1w0NXCXE/8 6Vyk4yYuOWkVBMtHV9Cin/xC4BYCHxTmQZDai97ZeS8URZ80fmYrxD69EJrOzHUW1rHfXsdpvMz2 O/03iGZRvhe6cn+aVvV343cMjbOvHnFxvkY/XaJO/d354RIeJ1J25gJ2OX5tcI6I8eIXAhB4PQGE +esZ6xI2OOimFSs5IXqv44qSXhE7pRW3UDU1MRcmeg2APQhskEBFOCZPe+26lz8ZMhspX2HF3CUV K8I+p/KjkscU0XsMp9V/3diQL0Lrx0dUflt23E/1jAfc72UaMuPuOmKYxnjroFn/KNyDj5nIt6vl lbsOyn/FV/r6xu0NzhFvrD1FQeDrCSDM390ENjjo+snX3y7WK2HTdPvErya5d7OlPAjcS6AoHIWx nmDr5Rem1GYvX1OY3t4/VdlxR9TN9t9sxdnlMT7ZPNGs+i3W8znCXGp77cvtfHR+VYP37Wxwjnhf 5SkJAhBAmL+7DWxw0E2Tr7/lrcX52rcp+AlNTPDvxkp5EHiIQFE4Cou9tt3LL0ypzUI+JQ6NCLar 33n/DI91SLFq86jy551a//V308ydNOWf1+ni0ZnCGOKLKNTTHU9jT3LKiOlO/e1Fgn9sR1Q+55MK Uhu1+vtE8VEgYVdlfvbOBueIZ1cRexCAQJ0AwrzO5jVnNjbo+on3FCZW/7zqfLtXPq8Z0sjHWbR4 96BqE/JrKGIVAs8lUBGOsk/0ngWXfWaVc/75admv4vbcv8R5rwmjQDzp57Jt/1z04/Iqx+T7qfBo inO20n+9cB6H+Q9Pg39ZPYVf+jG3cvk6Tf64XPK/V39xfvm7l7lMcTFh+ejy50hV6h/QnKfTPEau iuujiTY2RzxaHfJDAAK3EUCY38br8dRHHXR7K4qPk8MCBF5HoCLMVxf4aP7VBb0oYaX/5ivaLyr/ 02Yr9XduOWGfXYy80t+jzhGvZIZtCByIAML83cE82KBrVxTTate7uVIeBB4hkFZfxWMZq+wtq8Jv FW+rfOsnavVftdIsVqD7VveTolX/UAu3ol+4Q/jKKh5sjnglKmxD4IgEEObvjiqD7ruJUx4EIACB /RBgjthPrPAUAi8ggDB/AdSmSTfo/tO/mib3y38QgAAEIAABSYA5QtJgGwJfRwBh/u6Qy9WQ//B/ v7t0yoMABCAAga0S+E//KSzaxHliq37iFwQg8DICCPOXoa0Y/jf/uRh4/yG251X0OCDzCxvaAG2A NvBlbcDMCZVphMMQgMBxCSDM3x3b//l/+rKJhgsO/9gSAot2TxugDdzSBv6H/+7dsxPlQQACGyCA 
MP9EEP7t/ygmKLNCcsvATVrBkQsALgBoA7SBI7SBf0zTf//ffmJmokwIQGADBBDmGwgCLoTPfO/x dXPE7iAEKu8hd68MlK8Atfup9pX86Xxtw+Rzr+97ST8w5dTc4TgEIAABCHyWAML8s/w3Ubp6l+95 nMZheZdzfJexFwvpXc/yvb7my332fcfqq4CND3VkwmG2ex6m4ey+ODhMl2RLlr8JhDixdwJZ+6tU yH4iPiZbmz+mj79Zvss0yCuBif4VUfELAQhA4BsIIMy/IcqNOnpRLoWAF9+LMPdZoyCOovs6TuMl GM2+DOjyx3QuyfUyXa6LA7etOAZR4t2Tn8yuiaOlGLYgcBuBTCCXsl+mQbZtmWRVfplh3jb5bP+g fxWYcQgCEIDAgQkgzA8c3H7VrtM4jJPQzeUs1c9Vm9W8k1vZnle3k6U8jbwOWJINhVv4Qgg5YR4z IswTNjaeRMAI5Nyqa8fmglUm6uaXicV2ugsV+o5+jCXvO/QvwY5NCEAAAgckgDA/YFDXV+lRYd7L 7z5XbsRMTVQXhQ3CfH0sSfkQgWL7my2W7iLZwlr5bVq5L/PJu0I+Df1LomIbAhCAwDcQQJh/Q5Qb dcz/2MyJaf0Hb1N1xXya8vyyMCGs/eGwAhgXvmXKSQqUdELkZ8U8UWHjBQSK7W+a/N9YyMdXbrqw XOGnLdddBIgOson+5S8YTsqvFTUjCQQgAAEI3EEAYX4HtKNliX/gGW6TS1EeRHo8Hn+FbvAobH7/ h5oRkrpVf57GcfCPuwQbZfshv7iN7xLP4kD+Ear1IxbJLwRuJmAFsjcg2mB6TEv2D1FKMb84X9qM gtfZFuLfXgx8un/5v0NpPcZTqhvHIAABCEDgLgII87uwkQkCEDgUgXuEtQTwaH5pa2Pb7sJAP/u+ MQdxBwIQgMCBCCDMDxRMqgIBCNxJIN3ZMX8T0TW33PU5pnh1dw14PWm3GZAAAhCAwJMIIMyfBBIz EIAABCAAAQhAAAIQeIQAwvwReuSFAAQgAAEIQAACEIDAkwggzJ8EEjMQgAAEIAABCEAAAhB4hADC /BF65IUABCAAAQhAAAIQgMCTCCDMnwQSMxCAAAQgAAEIQAACEHiEAML8EXrkhQAEjkGg9VaWdE6/ bzxU/LG3suTvKL/v1YTtDxE9HqKX2Rds7VttwvvTBQ+RVr73/fHaYQECEIDAdgggzLcTCzyBAAQ+ RaDyHnIvDsXHf8pfqJ3cJ0LvfNe3E/b6dYSX4dZXNn4K2hPLrfC7jsN0VnzE14CfWDymIAABCGyF AMJ8K5H4oB9xZcp/2fM8TmMUBvMK1TCO0zl9+VCLiPhFzvhV0GXVa/5q4nmYhvNp8l/zTF86lDbM 1xWlCPogE4r+MgIVYZhRqKWrHc8M2AO5MHciP37VNq6o+36VVoxF/0nHxMpyLGJN/53cR3XP/mu8 Wf93dhr2g2/nabzI8cFcVKQ+78aAgo/C12XsiAedb0OwH4FMRphX7TP+LBTZggAE9kQAYb6naL3A Vz8pp0kvTsRicvUTsxYCagK9XqbLdXHMTdaLuTA5+n0/gc52lPAQZTkzrjzE+QKUrfcQaArr5XGV atts5m9VIRfm2Yp5FJ+xX1zHabwYm7XyO/232/9jMRX7QZyL8cEJZ/lBoub4EI3X7zh4YX6dBbof Z6wwZ/wRFNmEAAQOQABhfoAg3l+F6zQO4yR0dW5KiGh/8jpOwyhzmBXvkxHmQkyco2JPNvO8YeVd TvS5SxyBwNMJVISnLccJWXVhGhOszB+TL79C9M93pTL7WZ9bcqetWvmpr80pla0V/T8WULGvL8Tn xKrMvI/HYSCa9r8V+1GYT2ml3AhzfyEQVuPjXbvFvkjrLm7iieRf7hvjj4oKOxCAwAcIIMw/AH07 
Ra6YmNMkNnttJ/ZzvuId579lMvX3ywsT44rytwMLT45MoCIM8ypX2uzq/NZivmJuU7jHxfTFcJai /ox7r//2LsxjUZX6Zav7Ln0q09WtNT5E4/0Vc5/S2xVie+rZF2mLwrwSS+EWmxCAAATeTQBh/m7i GysvXwEMK3hJXKdJdnZciQQx8fnTYQUq5U2rXDVhHp5vzVYIN8YId76AQFV4yjtA8/PYSwNfwFTy LwlqW58U5qX+Z/p/dLtSP/8oS7wrNqe9DPGOV298iMZXCnMvxOWbcXr2xfmiMC/VX/gUN+OjRKW4 xzT8QgACEHgSAYT5k0Du2Ux4TnS5HZzmH/GHX/5YnKDkH3GJNKfTeRrHwf+R13ARt4ld5jmvF+Fz nliOLd//oeiegeL7/ghUhOcUxWD842cjQlNFq/lTiuKGbvtmddmWPfsQ+03mW/QxPuMt+ma1/3pN vPR99yjHavs+79Ln46Mk6kJb+KDHB4cjXATEfMtvEPb++Xf7eI8bR2QMqvafN/4EP2xsiuHkIAQg AIGHCSDMH0aIAQhAYPcE7hTWqd6P5k+G9rVRfJRlX1XoeusuntTFRjcHCSAAAQjcTwBhfj87ckIA AkchkFZeb10ZXVZ9v028qdV+uYp9lDbh6+FW3uOjOYeqGJWBAAQ2SgBhvtHA4BYEIAABCEAAAhCA wHcRQJh/V7ypLQQgAAEIQAACEIDARgkgzDcaGNyCAAQgAAEIQAACEPguAgjz74o3tYUABCAAAQhA AAIQ2CgBhPlGA4NbEIAABCAAAQhAAALfRQBh/l3x3m1t8w8hvaIq8xs2DvuGiVcwO4jN7ltZ5rax vOR7rvgDb2VJZer3iPv3fV+3xfUj/a/G52P9sz4+vIfPttoE3kAAAq8hgDB/DdddWV2+1Lcrt5Oz z/Wfz3QnsN+00XkPuXs1oP9oVibMZ0id/EWUIo8TdtH03t4N/tL+JxgFhuJrnkWorz7I+PBqwtiH wLcTQJh/dQsQX8dLXw2UX/6bpviuYvnFTvVlTvE1UPflPvUu53nFaxjH6Zzs5+8EjmX4L/8NwzTI FTGxaqZs+7j1/Z8mk0baLtgYLky8X9klMgG4UFhWQy/TENXzcjpsNfLbpKV9Kczl+dg3vrb/Ja6F frlyfHFs01dFz+M0Dvpd9ZFxSGPHJz1+ZONDa3xa5d9yx8XfKbmEsTIf62SrYBsCEDgyAYT5kaO7 sm7dFa8ovqOovY7TeJmNXy/TRdx2d5Oc0i5+chKTXZpo5/xm30+isRzpv0mnTwn78kT8ZLjwb3L+ JPtuUpSTdP1WtTHL7tEI1NqXay+pQb9fmHvM39z/ZnHrRXPqt6LxdcYXP56k+PkBYZKPCrnxSolg xzqVc8P40Go/8gNFJp0eL8NFgPJHVJVNCEDgOwggzL8jzs1arhHmwyjVrTSnV5TcBCrnQSeE1f51 nLQtuWLknrWtiGwzoSkPhkoeu1puV+0zX5zVT98qlzVj+20EKu1LrbbO7aconCr51/rvylH9RGYs ttOY4OD9L3EtrJg7BM3xpZInonN9vQD9Og6TH+6K3CvjQ/IzGQ8bTf8Ktmp2jFl2IQCB4xJAmB83 tqtrdr8wtytKhYmyOTEVXFQrVuJ8Y8Kq+9+ZmG+ZeIUrbB6QQKN9LbUtCzl/flX+xZLduk+Yf0H/ 63Ftji+d/r9FYV4ck2xrYR8CEDgyAYT5kaO7sm7qj838bXOzAl2dLOyKT1i9U4tQzYnTLXjJR0mm aXLlKwNzJRoTtLJh/HeCp7jC6c06YaPr6ldI063slQBJtn8Cjfa1VG5rwvwL+l8hLupCvDO+5P0/ 3KGLQ4waO3ygpZi/YXwo+OnNdfyz5WeP1jgjfkw7iUeqlhbJFgQgcDwCCPPjxfT2GsWB39+ql0I1 
TGLpD6fmW/lxUvMFyWdAT+dpHAf/h1Y+jTjn90U5USy7iUjb75efPe4i7Gbn/CJ+owyV101+4zSe T+I59NtxkmOHBGrCaq6Kv2B7xaMsoo+EftBv/1/T/zI2sR/PjMT52vjiwmfHGMWv8LibOt8cH8rj YxqDVvmnH0U6uz9+N48NhrZnFjB22MVwGQIQWEcAYb6OE6kgAIEjE+gI827VH83fLYAEX0Gg0I6K q+hfAYNKQuA7CSDMvzPu1BoCEJAE0urmrSuTy6ppvAskzbINgR4BtaKfPUbnVtTlXZSeNc5DAAJ7 J4Aw33sE8R8CEIAABCAAAQhA4BAEEOaHCCOVgAAEIAABCEAAAhDYOwGE+d4jiP8QgAAEIAABCEAA AocggDA/RBipBAQgAAEIQAACEIDA3gkgzPceQfyHAAQgAAEIQAACEDgEAYT5IcK40UrMb7pQ7wW+ 09X8QyF3GiIbBEoEqm9l0e+ZTu+oTjYeeCtLKjO+N1+Ulb2dIxW4emPz77+W9Z/fER/e5Z6/GYf+ vzrsJIQABHZOAGG+8wBuwX31JT7rkP3ynT3vPwDC68AKWDj0TgKF90eH4htf+5T+VfPLRIVt0z+8 mH7GlexclP2yZMGDzx0SzFy9Y7U37fPnaFEyBCDwJQQQ5l8S6Go1zZft1LuYzYp3WIE7iU/cixU+ seIVJ1hfphceMp0U4fJ4/KrfKU3QMX/8MqjyLX6x7zxMg/tSp3vXb6pLo4wnrERWWXJivwSESNSV eJ8w9++zVp3HeWL6iGm/8R3Yvm+kFeil/QeRK23Y1Wh5Lq7cLwR69r2H6uu9S9nRSrTh+7H7sqWp g0snhXnM539TneS4487MftP/FS52IACB/RNAmO8/ho/V4HqZLtfFhJtElTYwK3rTdcw+Gd1bMT+d hBgoCKBm/uhaIV+cnL2/XpTPokD4nK2+uYm+IAxiMfx+KYFi+3IsjHCtfeylmr/D07fV8DiMvvAM +Va133hBGtv1dZzGS8zvLlpF//P1WcTzM+wrv50v0Q+PbxAX8kGAl/pfVZhHfEW+ITb0/wiJXwhA 4AgEEOZHiOJDdfj/2zu3K2d1GIxOPemHeqjgNJKnv5j0w1myLSP5AuQKJPthFgTbsrxtw4dgcCk8 Xi/MndC/V9hr23oXZhUBIgi0oizM67bF6PssTNQ82x8n0BxfDSZ2nNnkreVtGdk3T6XkptiJ3Oqm QJ8qFeO3Mae0mupGO9UZp8rG+dG1336acBuHacw3+/M7+Etz72FhzvzXrmYLAQh8CQGE+Zd05GPN kIumjaZFoaD6NtjMIjfV0LhIL0a8ny2vDWsKn+v8WNwKplznbRqHccoaQW2xhUBJoDm+ykzyuzOm NpcvbOaxGo/7udSpqzDReoqlWaqIuCTkOp+1v0WYqydpW0bU8+H5HfOiRPzZ5Mv8b7LiIAQgcGoC CPNTd9+zzpsLWzBlHg2raXdBjOk+qifXeSPu5cJrH/dnEZAMNoX9QvmmH/ngijCPj85Lf7U0Wwhk Am6c56NTFcWWCLe7c015O+VnS529xvzIT37Su9er47cxp7Q28d+/OiJzeI64S6T6Oftm7oZKvdh3 5wZJtzfQ6uTSO+aap8nXnL+sXcN0a/su8j8yrX7V+tlCAAIQ+BABhPmHQB+2GvPPVeFd1HGY5JHz fI2yj7sv03gV4V08cg9ivPGY3dgO9kw+JwbMcf85uvIxuK3D+CXGk41g17weINyDODH/nOrrOGzP 4NgnCTSFX3TAjR99daL0baF8mTX/NvNjFs9pzJt6XP1hHKuwbs8PnbsiSu2cjq+SlEJ6aX4s2090 psHNLXvuWLKdKFgGrm2S3q4/zt/Xzf/MiUdreWiyAwEI7EcAYb4fe2qGAASOQuARYW19f7a8tcX+ 
RwnIjY8LFHy0diqDAAQg4AkgzD0PfkEAAr9IIEdu64jyMo45qou4WyZ1zFT/as8xfcQrCEDglwgg zH+pt2krBCAAAQhAAAIQgMBhCSDMD9s1OAYBCEAAAhCAAAQg8EsEEOa/1Nu0FQIQgAAEIAABCEDg sAQQ5oftGhyDAAQgAAEIQAACEPglAgjzX+pt2goBCEAAAhCAAAQgcFgCCPPDdg2O3UNg00Ii9xgk 728RWPsqy4Zv7d/9VZZcpy4CZL7Nbb5j/mhHHP773Lb97lvo9Zdx9pzfkWNaQ6Hol/ob8+bTixva 52wrA/0Qfep4l8fUr1Clmn4AACAASURBVMfzuLP1hXzzF4PCN+xN2WDajWlpn34f/9ERRzkIQOAV BBDmr6D45Tb8MuGvb+ya/bX013uExZ8jsPQd8iB4VkTLUvklmGaVSskWxFYhzJaKr6VVK2+uFfhk umEm7dZmH8nnqj9kLDiBK+LXj43s/z3tM3ltF6zVfxuH6eLqN6uhZkPx2HUcprGxiJLYaB3PxdmB AAQ+SgBh/lHcx6zMRX2GYV7mfjIRPI3muFVB0xLbJi1Hb1JT1XY4niM6eiFbs7+WHpb1DCuVSkTI 153KXqQ9KRqUI0RavzhZ1OEuusfsL7x6A4GOMArjY8uY6JZf8dUI8zBXVJ3mYsvjc3l+ycqbEn22 NspotE3TyH2uPK+a256/MZ/6EFcWtXOrke7OL3M9VpjPR/ee3y2RG2+e5m6qhflk+lTb0m2fZmiO n/X6g6iW1ZizQ40y6s9tnIaGAkeYayewhcAxCCDMj9EP+3lRXBBChKYQIosR69t1upoojFyk8zVC W6WCWO3exmm8aqKIh/piPqeup4e8RTti+Sg6gj/Bh1SPXqjCdb8QKlVEzHrC/tcSaI6feOM5jKNZ dr4YLwqkV17Te9swFuMrB/7GMhbI0Vct3xqfC/Mrimbrs8yJeb69wr7zW3zReS4+F1xa5xfJ9rBw 1UDBO+Z34bt2weQEbi3MK6aPtm9D/Sqqddu6kZzPr7dpHMbJnK5Dk+ayuYXsQAACOxJAmO8I/xhV R1EQo13t9wznE3vL4yLiphdKm9VdyGxC3F+2/6QwV5EgF269Y8jCvPa9F/WrvebIVxHoiaD0lGcW n42IpIDolV+DlOzL0BQRPdcTjJobgvSOc3g6NQvrYH5hfjVvlO8d/13712nQOWXa6YXe+vlFij4s zN85v3t96niU7Sv7MIJ5qH0b6p9Z67jUbeoQe97rcJ5tmE5kFwIQ2I0Awnw39AetuIx4Bc1RCIHs ulyUbDQuCpTqWu0uZLlw3tlPmLcjSNkxdn6HQE8ENSLUrYjoM8Lczhc/FzaOz4X51fM11vms/S3C vBhCjfOL5HhIuMpraIvCfGP7Chfnn8b+fLDwVc6BvfPjXOjp9s2mXP1OVIcbLu+z1DsHXdLNnR1w gX3xjnm+cTOVsgsBCHyMAML8Y6iPWVF14S4iLOK1yyPp+VG4vwjo+9rFeV+uus13G5VI337MsZYe cjWFlfHPtstceOTC5aOU6hXbnyLQHD+RgI86d8TeQvlFjmYshnx2nCbBujo+F+ZXeJVFxWuowL/K smn8L9ovbswnz8fNXam/aJ+yeVq4WruG6ab2qRONrZT/sye06kbtncI83rAs1e+EubCX/6fJ/e37 Qpvnb/6kjhVhLmzlSY3loMbYQgACLyeAMH850nMZDBdu88+bzU9m6Ym59Rg9PYqPUZnLNI5DiNDE c3i6UDj7C++gt+wLzm79bfuxDeY1FXEm2Qgix7w+IOY3MThXt+LtvQQWhbUfZ019sli+44ydO1ZM OXG1ND69XxoZVf+CqPyb52Seo8VLxv3xv2w/tsrMszTPtX5J79tOTCyDav636//0/I4cU7Q591Nq 
/WBfMSpvUuITRO2XuPXRdWdbz5MWYLo5yzZM/bZsvnmT81zIY/tF/bI8L9P4LwlurddsrQt5HBXj JvUgGwhA4MUEEOYvBoo5CEDghAQeEda2mc+Wt7bYh8CBCMjNVRb+B/ILVyDwrQQQ5t/as7QLAhDY TiBHbjW6uLXoHIVEvGxlRr7zEPCvPp3HbzyFwHkJIMzP23d4DgEIQAACEIAABCDwRQQQ5l/UmTQF AhCAAAQgAAEIQOC8BBDm5+07PIcABCAAAQhAAAIQ+CICCPMv6kyaAgEIQAACEIAABCBwXgII8/P2 HZ5DAAIQgAAEIAABCHwRAYT5F3Xm/k1JX6gw39rd6pN8K5evWmylRb6XE+h8laX+Dnf56bgnvsqS 69RFYcy3px+YQyWTw39/2rbffEP7T769Xnwzm/ND2bv8hgAEvpUAwvxbe3a3dtWrzZUrze3mGhVD oEeg8x3yaux28k2947369LhZpVIOBTFtV3fRfA9uq5U3H7TzlmKGmbRbm31on98CAqMQgAAEZgII 85nFj+6ZKJ1ErWykLkW0htGuEOdXrpsmX364WmHu03T1Or0AB+AmauYj5qnsZZgGWQnxb5iueQVQ 60NRh/X/R3uUZj9AwIjEpdKVUNfMG8tr9rw1wjxE593kkFzL41sj+mHu5Lk0z48ocq2NMhpt04r5 b1bu7NkPHrrVL+e6tY3qY5j/g8zncSoC4uGGpGp6NB5WEpaynB+UKFsIQOCbCSDMv7l3N7Stik7J xd1eOMPF3lxsnQCRx/j2Qt9+laUrZqx/zq4mRNEQLthBlCc/nJix9aclsK3/aootBJYINMdfWeA6 DU31GMedF45l2c7vMJbjvGmVX52fYlZvWHXc38ZpvMb6oii2c0Tm1DyfX2Hf+Z2XhE/tLbiGJwLq p0FiI+bm8Lxb2IkJnB9mQOxBAALfQgBh/i09+VA7imhZfs9zvnDLI3qnRW7jNOgLoHY/13+tImJP CXO9iMsFXx3JPm3wP/vFDgQWCDSFX5E/j7viuPzcUr5RTMpJNFiGtohoJ3LLaHlrforN5jyMlYlN nTa5+tyOjfOna799o3IbB/OO+PwOfnxiZs4t2aH4Ck/lp0lv8zXnGs4Plhb7EIDAiQkgzE/cec+7 bl876VjLF/GUbi/Sdj8XNxfLdOx9wnyD/9kvdiCwQGCDsF4cxxvKN2sv5pevY+P4bs7DWFsVEZfD uc5n7W8R5kWry4h6Sn44Yr54476xfYWL/IQABCCwJwGE+Z70D1C3XBB9lK5wKl/E03EnAiQa5iNg rUfVThzIhdk8Ss+1NYWNEfnNiFiMtC36nytgBwILBJrjz+Zvi9CcY7V8zul3GvMrPxlK/wy6Or7d nCzNl++NS5R8nrOr81/MLdq3r8mEzNM4zO+Qu7mfbNn2qbfvEeYbzw/hnPQ3/S2G7NVTthCAAATe SwBh/l6+p7Du/jkrPC5PF+78z2TpcbhewOw/Yplj8Z+7xmmUf9bUSJYQcHlmUTBN5WNu+SfP9I+e 9jG+XDCTjSBSzON/Md/1/xT0cfIQBNaEdSmgS6fXypf55beZX/N8SXPCzJ/++G7PH9WX4SZZPj04 xtdl4twqhfTS/Fm2H5tUvw6j9ccm6pzWrZ3/BYM89xVWu/7wj+AvPD9kTuV/pKobbCEAAQh8kADC /IOwqQoCEDgogUeEtW3Ks+WtLfY/SkBufFafSnzUIyqDAAR+mQDC/Jd7n7ZDAAKRQI5e1xHlZURz VBdxt0zqmKn+1Z5j+ohXEIDALxFAmP9Sb9NWCEAAAhCAAAQgAIHDEkCYH7ZrcAwCEIAABCAAAQhA 4JcIIMx/qbdpKwQgAAEIQAACEIDAYQkgzA/bNTgGAQhAAAIQgAAEIPBLBBDmv9TbtBUCEIAABCAA 
AQhA4LAEEOaH7RoceyWB7kIq+WscnU+mraW/0kls7Ucg93P9VZb4nev0HW77ke7g7RNfZcl16nf/ zTfBzXfMH4Vy+O9z2/aHb5jrt87bfbDXV29c/xf9Un9j3pxHNrTP2VYGxRhzeUz9ejxzsfWFfPPY DN+wN2Xj0JXF3pS5bItvzD868CgHAQg8RQBh/hQ+Ch+BgF/G/EGP1r5DvZb+YLUUOwiBXv+K2DFC ScSQ+Tk73ys/52jvFQsXBbHVrKBdfO1otfLmWoFPphtmluuRfK76Q8aDE7gifr2gzf7f0z6T13bB Wv23cZgurn6zWnI2FI9dx2EaG4soiY3W8VycHQhA4KMEEOYfxX28yjTiE6IuOeJiLzQmiifRFXtR SvmH0UZebFlpb7+81l0Kn2Z0p4musJ2iP07X5DaZSFbLVufCmLOupeeM7JySQK9/C+Esq3XmCKVt aO+4zdPaN/bDfHCDVwoUY9zOv7BwZox49uZvFInWRhmNtmnF/N5gP3g4LEdd8zyX+TkM01C0QWxY Ye4wdedv8vsi9lK0N68wbM9By+1zdVU/WiK39LUW5jJGym7stk/rbI6f9fqDqL6O0yVX2Cij/tzG aWgocIS5dgJbCByDAML8GP2wrxd6QdML5m2cxmt0KUd/1EO5UGo+ORYunOZCWFxglstfpyFfULQC ufDdF8HZFDEv/JprS3vPplcGOXAqAt3+X3kdQBvZLa8ZOtsgmmIdLcG/PH+SzcX5K6LVinERqvN8 fYV957f4UpwfbHqIANv03ITOkwjF1uQbRXc4hQQGqV0qRMPpybY9na8a9Ws1btusM9xFGIFbC/OK 6dKNh1bYqqt1TPIbga3nSt2GG7miffP58TaNwziVQfO5rDrDFgIQ2JMAwnxP+kep25zovUtFtCm/ jzhf2KvokLO1Xl4vGiGqFi4o9uJRiKJW/eFaa/zxDZh/9S5ymuPZdLXD9pwEev1vblJDw65j+7F/ r/wajRQRFnEpc8CK2Cpa3hn/VqiV1YnN6t43C9f1+RnsuTlta9hyY13O4fZcfTqiLMJcG3pv+2yT 7H6vTx2Psn1lH0aDD7VvQ/2zqNZIuW5TQyyXzg3CbMM2nn0IQGAvAgjzvcgfqV53obGOWZFsj5v9 fBFMx5yt9fLxohDzxXcg2xd7U2O1q+K+SrAHehc5zfNsutphe04Cnf6vRIsb36apnfImR3u3mD9+ LK/Pn2C051MrYiwFcp3P2m/P1YqZbXkZUU9pDwlXec1Ho8NWgN7bPuuf2zf2zXHvax0xN1nzri+T D887zfGzXr9jHdrty0i94dXAfFMnrxOlx6GpdmdDjmV+s3vsQQACnyOAMP8c6+PWtHBhlxO7j+IV zShP4oWt1fISkRzTu49S9rLySLuoXn66R8dygTaP6nP25oUvp4aL0Vo7F9ONKXZPSKA3PlbGd25p r3zO0Nlp2M+R3xThXB13xZyzNc1PovSoRMnnqPXq/JRii/aLV0UmL/bd3Ey2bPvUK/Gj0IuaFLdN vkaENoV5fB98lZ+vyf0Sv5yQLV/lk/a6f750xfOPx9oX/V+q34vqFL3Xm5WiL9QZf/MndRSvDrbG pAj7xQ5S62whAIFnCSDMnyV46vL1Y1iJrpTn33BxtxEXvbCnx/C5TBDF5p/REptu+ZAuQkEv7uKP 7t8B1tTrP/nVbt+c59n0O3wk67EJNIWfuFyOkVnUugZ1y7tc/oeZP/P/baT6sriSe0b7z5XpHx2D pdK3mE/nbxCVMrfGwURN6/n1qP3YmPp1GK1f0vu2EwrLIJxjLN92++L8NfVKhekcEER4sql+rPqQ XOltIsfUB6Zf6vbVbOP/4Nj+s+1LwtudW2sB3KvfHs83H8Ih+Gj4uPOr+nKZxn/2n/b1eNwqO2lj 
Hkfly+k9YByHAASeIoAwfwofhSEAga8g8Iiwtg1/try1xT4EDkRAbmyy8D+QX7gCgW8lgDD/1p6l XRCAwHYCOXLbiHouWpmjuoiXRVAknpKARN59lP+UzcBpCJyIAML8RJ2FqxCAAAQgAAEIQAAC30sA Yf69fUvLIAABCEAAAhCAAARORABhfqLOwlUIQAACEIAABCAAge8lgDD/3r6lZRCAAAQgAAEIQAAC JyKAMD9RZ+EqBCAAAQhAAAIQgMD3EkCYf2/f7tCy+hvM3om1dJ+bXxD4GIGFr7LY70XXi6w88VUW 8/398N3o8vfbGz/7HlaHLL7RXVe/Nn/X0muL33DEjY+CYf0NdfPpwTzm/DfE//J3x/Ub4kW6/ch4 /s54ymPqV7/y14JsfSHfSv+b8RhXD+XrLN8wXmnD8QkgzI/fRyfz0K/8Vzu/ll6X4AgE3k6g9x3y vGBL9EDEThY61qleeZuntd9aZbEQXq1i9xwrV3qsy8YVNK/lCpB1xrjg0jBO/bVmfmt+B/Fr+0vE rxHHcYEqL2jzaqhmzIgdNZPTLX+T1x5eq19W9by4lUnNaqnZ0HL/VyuD5nLsQAAC7yCAMH8H1ZPZ DCd3XX3uMk7jYL7lXERNalFiV5iTVUPLC/NyukaUgt0c0fEXspPhxN0zEugIH1m5UQVTbFY5vlNj e+XXWJT2Zb75CovVM+u5oXMoRDWHYRqyMPRzL0Y965V9cxtv4zSMpeT2Nl4/v719L2ojvH77tqQ/ b7/fhS2RG6PccxdKVLros7LPU9R7LtOosTm+1usPovpqx1SjjPrT7H9pzzBVw6LhIocgAIHXEECY v4bjaa00Iy7mUep0u05Xc62Wi+R8AZGLjhHxunx5FgZr6Qmbin8tdxun8XpapDh+RgJN4RMUU1ri PDUq3DwWQkuSeuXXWOSb0fl1BXvzK/PN/g5Lz+s8adQb5rNND641/DV+zRH18qZjbf6upadKFuZ3 FR0uI84F16p9K+lP2zecqt2i7pzuBK4w8vwrnx4V5hvqV1Gt22mqhXm//2OL5rK5hexAAAJvJIAw fyPc45suL8Qtj4uI058R5u4CpGXNiX8tXYs082kiWwh8gEBP5EjVVjyHJ0peaAXvlsovua/RSs3j 5sJ1Gua7YM1RRDBF+M2i/q+xSuMsvLKJeaeI0IvwzVU6X7TIK+d3fW6p32Vea99S+ivsa7sb216f O26lf8WNVjLruDeqat74bah/FtXab7rNFbsnNC0/ZhstxzgGAQi8mgDC/NVET2VvTZjLRcVGxKNI +dyF+1QwcfbMBHoip2pTZ85sLl8YfFqYF/ZEaN8RMQ8RaH2NTbc6wZ3A1HqMsFtL1yLNfJLYYanl WttG+1w2l/4G+64yw8Ic9+JWzqGNGzmTX3Z9mSJRfjbH13r9TlSHsebLLPZ/csPZSL7oEGl4yiEI QOBJAgjzJwGevbicmN2j8vQ6Sjzx+pN4eAxqI+Yhr7/ohBN9Fgb1RcmnJ3rdC/fZ6eL/aQg0hU/t vYzfpijZWL6yuCjMRY8VN8aFmK3Siwi41OfySHqOqreF6xxhX5u/a+mptQvzuz7/eELOd0kq2reW /qx97039K5zP7IAoX8VpnCNrK48K81jOfSmoqN+LaumvP/PPqWv9Hz31NorgjGQJY+pvcn60Gskx CEBgEwGE+SZM353J/XOVE97xJKz/NBY+4zUOk/zO1yI9Kedo2+hP/ovp6UKhZdM22/5u7LTuSAR6 wroav51/fuiVX2qjeUUmjHlT13yzXL+OYedHOXdbr7Jk4RTml95IW7sq/u18TMeMT+E8MLx+fi+1 YSlN0K6lr+XZUn6pCyUtiHM9h+WgRCzl7StnY9GMgfo1nsK21mEHwEL91q88nqQ/g48b+v+f3MTZ 
16TmfetCrKfRNtNMdiEAge0EEObbWZETAhD4VgKPCGvL4tny1hb7EDgRAbn5yML/RH7jKgSOSgBh ftSewS8IQOBzBHLk8t7I3xxlRpx8rruo6SgEJPKuT2GO4hN+QODcBBDm5+4/vIcABCAAAQhAAAIQ +BICCPMv6UiaAQEIQAACEIAABCBwbgII83P3H95DAAIQgAAEIAABCHwJAYT5l3QkzYAABCAAAQhA AAIQODcBhPm5+w/vIQABCEAAAhCAAAS+hADC/Es68pDNSF+6sN+8fZef8i3dPb+KsXf9kWu5gMi7 aH+h3YWvsuj3oLvjK5dtLbLyzFdb5rLhG9fFN7Kf7gXm55MI7bfA9Rvfx/tCiY7f1hjy31mPbcjj 3I5r9z3z+ctFzrbmKU74Lo8Zw3q8WV/ItzL+y2/s83WYJ8czxY9CAGF+lJ44sR/zSoGNRpQrGzay HP3QYvsO53x7Nb8lN8/VvqWWPJHW+w65iBMRGr3VK/OCLbFuERuFLokJPfubXI4r8F7HYRpvmwq4 TIv9y/x0rO7+If1vOzyIxfvE+WL/3O2QLxDEr/VPxrMRx1NjZdK8mqoZs3Zc53RblclrD6/VL6uK Xi6WV7natFhbHv/VyqTWAfYhcEICCPMTdtpLXS6iDjl6IZUUEbVwkv2zi0m0IkZmVdBkY7jafPYk HFviozY+XdOCXzmCY/LkY9YvQ8ikx5X17JLUZjnpFO1x7ZcLgkaBzNZe55SR2PZlZx+0DbH+2vdh tCvsmfTZxMKe93G4FsJ8qX+3tG+x/IJbZ0vqCIvcjI4wr0XBdRrcAEkW1uzniho7Kp5LH5if+89P mR9lf9u+Xpw/fu7q+cmZWyzfGCvuUEvkxtVE5zokKl2cc3S8GVtWmJvD865tcz66Xn+YP1fLsFFG /SnHf6qnnoPZAXYgcEoCCPNTdtsLnb5dp6uJwomInE/aUZy7342T42LEJ4iH+dGnCFkrYKU++zss H+4iOkY86/HbOI3lyuiF3UxIT+rhgFwIjS9ybK39AUFx4crGzU6n/tX2BT7GfseOqcnsykXVtic9 +lVOkvPZ9m0obxw67+4a98a4D3irKHZDWEjGNfsL5Ob5Vdx0JbvMTzN/ehw7/J+eny1hbo9tmD9z /zac31C+USoe6rTZP/2phXkrIv6QMN9Qv4pq3Wp03FySpplPY/yHy8NjT5K63EiAwM4EEOY7d8D+ 1ddRG3ehd8I2iuSheJ4+nzgbrVks344uzifpZK8jilxtvYtAztQQ5SFtpf1PCfMN7Vvkk4S2ida7 qHuTSykMn23fevmM+Mw7a+OnyVqij6UoKPknKGv2e+ysyAvTr3hVZnH8RKPMz96N0bPzM54Pq4i5 67P1+bPYP42nWu783Bs3crw35txYrs8xLlCS7L9bmM+CvJg/jmUZ7Y/O1XNwCQppEDg+AYT58fvo jR7KSdlGXOPJ3J34v+LCLxfHop2B6ob27yrMV7reXWA1r72wPdu+beW15lNveyJGG9Vk3RIKbbHX FUlqv7PV18f0NYewtROU+Wkiqh2IcrjZv+2+ckJvjW8hHIMHua5t86cvzLeV77fangvmXF5kSx3r Txx8mdlW3sttzkcE+jTYp3cpydqqWfsyq+O/FTEv+8y6xD4ETkAAYX6CTnqfi/4kGE6kf/WrLHME JUZ/5t/RM/foUy5U9r/jy5NkIXBc2WCu8biyKNPk0bwwSM5SlFv7G9ofrulG1JftU2c69a+2b4WP mm9v64tquJDli+Gz7dtWvu3byY52+i+3ojsGr9NoniBZ0ZHLys6afZdZf9ixqsfElBFSzi7zM7wK Z88/is1x0oPC0sztcLhgvjY/K2Fu5+S2+eN8cOeXbeXn1tR74XxQ3Mit/fNnbaV1A1rk6vBdq98J 
8/CPqPZ/gIq+SFW68Y8wLzqCn99AAGH+Db34TBvcP0depnEcJonKzefyeLGPEbvLNMo/6pT/6Bgu Jo3PhRnbwZ7JN4t7az/amOuWi5zanbdr6X/mwhwuDOWrIFm4RsE0RyNb7U+Pq7MNI4r0QpLT1Eeb Z6F9m/isdK5hGqOpY2SmbTR1/MlTg6p/l9q3kc+Ki6dIXhIWZf8q29QweU85j6F5cPpmd+z7TPaX HTcqHu180GNFPubnNP/7ieVl+sicHzQYkfvPnvvM3Gmfvyz72b4bAsbGXvPPnQOXxm7rqaLzX9po z21RsFt28Rw094CM6F799ni+Hsj5LPho2epYt/15mcZ/9p/mZ/7ig+sDO63Yh8AJCCDMT9BJuAgB CLyZwN3C+U5/3m3/TnfIDgEIQAACxySAMD9mv+AVBCDwSQI5MqjRuVdVPkf5clTwVaaxAwEIQAAC X0cAYf51XUqDIAABCEAAAhCAAATOSABhfsZew2cIQAACEIAABCAAga8jgDD/ui6lQRCAAAQgAAEI QAACZySAMD9jr+EzBCAAAQhAAAIQgMDXEUCYf12X0iAIQAACEIAABCAAgTMSQJjn76z677OesTPx GQIQgAAEIAABCEDgvAQQ5qnvZLEDFiU470DGcwhAAAIQgAAEIHB2Aghz7cFy6WU9zhYCEIAABCAA AQhAAAIfIIAwV8gIcyXBFgIQgAAEIAABCEBgBwII8ww9rtDH6nwZCDsQgAAEIAABCEAAAh8kgDBX 2ETMlQRbCEAAAhCAAAQgAIEdCCDMFTrCXEmwhQAEIAABCEAAAhDYgQDCPEHnqyw7jD6qhAAEIAAB CEAAAhDIBBDmfMc8DwZ2IAABCEAAAhCAAAT2I4Aw3489NUMAAhCAAAQgAAEIQCATQJhnFOxAAAIQ gAAEIAABCEBgPwII8/3YUzMEIAABCEAAAhCAAAQyAYR5RsEOBCAAAQhAAAIQgAAE9iOAMN+PPTVD AAIQgAAEIAABCEAgE0CYZxTsQAACEIAABCAAAQhAYD8CCPP92FMzBCAAAQhAAAIQgAAEMgGEeUbB DgQgAAEIQAACEIAABPYjgDDfjz01QwACEIAABCAAAQhAIBNAmGcU7EAAAhCAAAQgAAEIQGA/Agjz /dhTMwQgAAEIQAACEIAABDIBhHlGwQ4EIAABCEAAAhCAAAT2I4Aw3489NUMAAhCAAAQgAAEIQCAT QJhnFOxAAAIQgAAEIAABCEBgPwII8/3YUzMEIAABCEAAAhCAAAQyAYR5RsEOBCAAAQhAAAIQgAAE 9iOAMN+PPTVDAAIQgAAEIAABCEAgE0CYZxTsQAACEIAABCAAAQhAYD8CCPP92FMzBCAAAQhAAAIQ gAAEMgGEeUbBDgQgAAEIQAACEIAABPYjgDDfjz01QwACEIAABCAAAQhAIBNAmGcUv7Bzm8bL3/R3 GafbQ829s/x1mP7+/hp/l2l8zIGHvN5S6DZepsvbnbqTn3Fc/LMsh6tJnKbpYf9NH623/3H/vbf8 ggAEIAABCECgRQBh3qLy1cdu0zg8KswFzB3lr0MWuyIcVUxeh+MJ86Uuvw7DVOjgpewraXfwy5au 0/DwzVQ2srxj+mo54yP+L1skFQIQgAAEIACBSABh/vaRcJ0GGzW2AitFK4dxnC45Ty0CXbT0Mk5j IWyvg41Kl+V9/cO1FFY+vY6m+/S6/DaAVpjbEup7iNbm6K1pw82y+ctCP9jYyE/rCBHnYfAiN9dZ 2I4V+L5LfaQ3mJKJNgAAFVRJREFUGLEdns+r+bm+1zHSGEPStnbEe82/1BtdYe7LP9r/qRY2EIAA BCAAAQgsEECYL8B5RVIVHRYhWAkrI0QLgRSEmVWCQUjOEWcRnU6QiZDN9uXVgzlviHYXr7Is+7de 
fiujnjAP5VV8q9+3cRo1RH27Tlfz2ou01+KYAo8+P0m3fAJPrcc6X+TzSca+TZim6TP8NkTMO/4v +2ca0yz/uv43NbELAQhAAAIQgECHwI8L8/TOrEYi81aF2Fp6h2o+7KON8zvCaj8oOy80b+M05Hed y+h2Npx2rtPgVGo8fBuH+A63s6Vlrchb8W+1vNpc364J87nNpa3aR9fk67DAT2yVfWjY26qawjRm 6L/KUvsW+zjV8TJ+ts+s02a/6f+Kf6Z4eQMTkl7mv62IfQhAAAIQgAAEegR+XJj3sLzq+Jqw3luY r/j3QmH2mDAvI7YNXqvCvOhL90TBpDWFbUzvC/NP8XtUmK/4Z5qPMLcw2IcABCAAAQjsQwBh/mbu IkjtqxRVdSvCsi4fI8AaNa5eVXD/nCl5fYRY7NlXaWr71sP18jb30r7Uoz5X+Zo3AJKrFKQxAuzs rPCr+IgwdwaSN4vC3LwOFF67mZl+hl/JoSIo79Q0x9myf8ZOs/zr+t/UxC4EIAABCEAAAh0CCPMO mFcedv98GF6XScLO/ONh0Ir6rnXxj3xlea8r69cVXLqxGf/5caw+mVja//ubhee0ofwiK9NG95pH KBRvMuZXfOI/sTr/XfnLNI7xE4whj0kLv42vejO02LbqNRf9J1rTfvHT2HVsUsMX63Bl/6a/oea/ xK+2LTbyC/ixL/MrWG3/axvavjZ/18Yn/V9qG2kQgAAEIAABCHgCCHPPg18QgAAEIAABCEAAAhDY hQDCfBfsVAoBCEAAAhCAAAQgAAFPAGHuefALAhCAAAQgAAEIQAACuxBAmO+CnUohAAEIQAACEIAA BCDgCSDMPQ9+QQACEIAABCAAAQhAYBcCCPNdsFMpBCAAAQhAAAIQgAAEPAGEuefBLwhAAAIQgAAE IAABCOxC4LeFufkOtv+WtllQZpduqSvdvFBMXfSOI+m71pdxukmpHh9Nv8Pya7IW/hmjn+FjKmT3 ZQTcd9blO+/DfeNP+j7PXzM27fHwXXs7niWf/W2/BZ9saHn9Jr6bD516wuJduujViv37AMb1CrIv 9xUmNwQgAAEInITAzwtzvdDJRVjXbalWizx4Z/aXjH/E8WIZ92pFyA2rUD5S7eYyhX+by5HxkASK 8RXEsBG99YqmfvyF/DpxpYFBDOsCSrI21DCN4S5TW1+Mn6L+crVZKX9xq+duqf8vn0vW/FevVreV n6slyAABCEAAAick8NvC3HSYFebm8KTRPB9xmy/8flXIP78seoqYDeM4XXJEzpRNFWkdIeo3DNNQ CBONBupNxOxfveqn5LU6JQiNXPffFCJ6s4G47L1JH6494VIcFxsb2xfEk9ZxkYiofyLh2m9XHQ1+ +ja2/Ovy2eSfXf3yMo3X2Fc1awfty34og3psxoZ20hNf5W+3m/mtCc6c3hh/03Ua/GCP7uYy9wjz lv1UXsZErscK8079dnRkX9r2bdbF/WxnMReJEIAABCBwcgII89SBPWEeknVZchXMt3Ea86ro1+lq InIiMvM1XAoH8WIET3mBLX4HEav12MFV5PNJxr5NCNV7ERz8yfZFcNn0JMByuvqflnq3x7WelfaF 9lggIf9cp/ByIk5Y53o2+Gf8cHbMcbfEfMHR99evvi7QEd7KcFpLzxkf2nE3Zrnvkykr/su02zgN PhweC5njWyLm+YaitD/Nwn62Y4S5qafb8CX/u4UaCcW4beTgEAQgAAEIfAEBhHnqxDVh3hQAoayP 6MpF3upQEcLud3UxV9GTxG8VMU4OLlyY+6+y1L5FEZKEfOWL1GWER/g5JOHcifgttq9TJjUp1OXg xIQsgrb4p7Z6fBb9K9rq2quG2XYJWNGpT0TStnmT1DVkEsSmFci5XxtjKaeZ8rJrxk0eSzlLYSfb 
RzipxUSkOsFQaKVylq0ShFRu9buKpGIYnaP+OQGVgviYYiEr7NiesC/aXK8wxF54wi6reRWjpjri ZMU2Ud2clM741/ZvfT8qr/so/hT6sQ3q5Fe33Xdh0mKaO9Or8umwSjoyq1woxkc81k3q7EqiXYnM qujHWPhw8VWr/xH/LKm50dW/a/+j/mGVnDgIRQckhbkLj+9YPrOhuSterDViSsUtdyrHWjqm5hTH 7pYcIbLedOTYSq7cHf7z2itbuEOry+PxyZLxCwK/RgBJ6e6ktDEB74kMc1LjST6LkJOdXM3jCqZ9 OOwd4/r219St+pfJGrfNOtkJlivs+M2y6E413QY2SZ0sd8XSpG7auPW8g0J/aWdmcod/SY5cCbHd qnLSXa6k2JO00I/lqBPdHfqxnPA7aj9OSsZJYW+ldGS/ULYVB9lXqa7iI9rzpuLPB/u/1ZiQ1bv9 j/hKQb1tJw5C9Qn/sNgWv275WH68QIl23sIKqd+G4sS9WOzyc+we+ZftUb+OHFUex12t3w7/efa5 ug50uSM+rSnYB4FfIYCkdHdSSnnUg38V7EzK6g+L7GRHK4tlKU2s6nEYOid6LvJ+R/3TJCn7C7eg ShJY20/961vQXrf52IR99mShkwTqr+iT5U5tiBOEtFMwqe3Tgqvbe1JOONeZpFOVi/6D2LgyI3Fb +XY1faSf1rbeq9tr/9n+w/Nt8g81BKsg3TkRKxlkf77wGNufNbZxwgWD/lXf1EbxZyH9XyVD6W8v IqL8ciflgPkhqGY5FX2VbuFwI5Fq8WNRjfKh/L91W9d094h8f20/m2/HcTTNPP9t4sf2b+Of1e// tvnldg376/GRW+gNt309N5E8+fiPtc+Pzzgmw3PvulfsgcBPEzhnUmpuH6uBL8pCohBOSPUfpIRb V/JB+nzSHcSLkF8mqjQB0Wqb6K+UUx6abpXJ9qJ/d/L3VJHt8+qe6N+5tUq3h2XSRGKt/bbc6zoc u9M+6SPdt0kAmx0HrcsfsZDCSZfALnFhO3Qf5P+SBPfKQi/VK6tK26Ce9AE9drHG15Rx3/YPZa70 hxDmOd6RDl0MQ//VtzCzbkL3cEz4U8WgOC7Zje3nk3F5NEM9njDR/6Nsgo4t/Sf6p/aP6FC3pT+G kVfPHf/wM4xiblD8huVB+zJOkhzVfZgjeNyRv3ib2j7uv5n4Dz5q/K/Pb6BfklnL4DE80V7FDvlu Va+FasuWBnE/3K8swzYI/C6Bcyalv+tPWPaLBNwVmV80FDaBgEMA8e9AwSEQ+E0CSEp/06+w6ssJ qNWUvKL95UZBfRCYJID4nwSFaiDwYwSQlP6YQ2EOCIAACIAACIAACHwjASSl3+i1ps71s2bxeTJ+ Pu/Zzye9u/8mGBSAAAiAAAiAAAh8OAEkpR/uIKgHAiAAAiAAAiAAAmcggKT0DF6GjSAAAiAAAiAA AiDw4QSQlH64g6AeCIAACIAACIAACJyBAJLSM3gZNoIACIAACIAACIDAhxNAUvrhDoJ6IAACIAAC IAACIHAGAkhKz+Bl2AgCIAACIAACIAACH04ASemHOwjqgQAIgAAIgAAIgMAZCCApPYOXYSMIgAAI gAAIgAAIfDgBJKUf7iCoBwIgAAIgAAIgAAJnIICk9Axeho0gAAIgAAIgAAIg8OEEkJR+uIOgHgiA AAiAAAiAAAicgQCS0jN4GTaCAAiAAAiAAAiAwIcTQFL64Q6CeiAAAiAAAiAAAiBwBgJISs/gZdgI AiAAAiAAAiAAAh9OAEnphzsI6oEACIAACIAACIDAGQggKT2Dl2EjCIAACIAACIAACHw4ASSlH+4g qAcCIAACIAACIAACZyCApPQMXoaNIAACIAACIAACIPDhBE6YlP5t6/WyXS7p33Xd/hwn3RZRZ1m3 
dfHrVU3/1u3KsvlX9nFbSt9cTr+ijuo71bmunpZV7zjwTQRyLFy34t5xfI7io1texeey3Qyzv/Va x+iia6k6FLu3ZYtVBvpnm8X4CjFeGCjZPEZG/ScbuG0eL7I/McaMydVuJcfU6JcXBlkP0765W+l7 2xZmEPQX+3z8MvCh8k+z51hQxYeemzapX+5f1+nG36B7FIMACJybwAmTUnb4bVuu63ZbF5EQpLLb ssmTSTgB7Tih0cRt28t9W75tUZeSdtJJTZ9obks5abMF+P1yAiZOtDWd+NxG8TEq37Y/L+61Alsd p7FCGA8ySUyJijzEMV2NL2EzyeE2bnyLulI1t38xPsm2qxo/dnxJac422UOK/a3bUq4WSsVROdds 6M/Fzd+c4Mcalb2UODI4qhISyTJfVPVd/zR7r/xO8jB/dXihCARA4DAC501KeeL3Tjz3nkzYLVX7 27bIk0gu/2uswNZJBSUIUgR3hd97CRBjWq0rJ3MtqVGeTvB5pV2sFqkTtxbm7+U4cIrZ3158Okmp jo9x/NyflJpYdlQPh7r6x0aU7HRj2uXjJ5hSVrDtJhM3v01L9XzcZZ9L20krV3H158LOL7PbKD+8 xARZVrdJKZXlvib9I+XZ7SyLC4zMXI75iwnhFwRA4BgCp01KbwsnI/7Eqm5BiVWYKex50o61SZY6 +crExpVdJxXuStKUMqjkE2gknbnyqDxXvH/DxIkU1I/PUXyMyh9YKR0lasmIvv6xkkwkpe152+Pj HaMGQi9OuPmXV23LnYjcQ39DyHQrjspburrCxMGQlMb4cy90vKSUj410Et00N43emL+apFAAAiBw MIFzJqU8gSeYMyfH8swnJyv2mThOcuOqhVxJq04sedL3E+ItrIRp+ZWMgwMB4iYJyAsKsUpK/t7t oxwHpu9hfNYxqPselT85KR3qH+2dGXfaLrkiWDPjW+11Mvp9K6UUT3QhSwlhxcDwDST42DAprWMj zlWYv0xEYRcEQOANBE6ZlNLJUCaNYVstZVpP0EQuJm1bbPdlskEnC3uLWJbbtmF/Z3+uDBz8eAKN OBjH5yg+RuVOUipuGWdurn7jBG+sf+zhrqS0ev66llWS0pjELrexztlmuTFK8EblLj/ZQWPb+KKs Oqf6nIDK5rmvO211ZdXPq4ZquS/ZSG6P40/WxjYIgAAIMIETJqX+6mSZ+GlCtX9UZJ6pYnqtXztp 0+qaTHpteTh3yqQXk3oL7XHHifEdz5Qep4B4DlAKHcUn1R3Fx6j8kaSU2po/fEkr+zHEZ/SP9t6X lMb+7XgqdzKsbcnP7mMykruzPUo6R+XOOHd6qQ+ZpDT8IZOcP6qkVPu775+6u+qI1RvzV4UIB0AA BJ5D4GRJqXydCiee6aQVbsXSMbnPt9C57oQTwspoaidOhOEZVdpv3v4tSWmom28N7+h7Qj1UYQLs 58KdS+LvqFzXvmvPnvxpFbDyO+tBMRVjYRQf3XIZn7mvGK+c91BSM7qToPvgZ6bn9Kc/ytHytQ9m +ld1xDiTx/Ntb7JZ1Bn5SsrIeor2o/Isv/JvLmlvSDa5zxQDYV8y5vmJ+Rexvn9KeXNLxkfuP/3B Fe1L/VT8FB/qvjF/NVmjAARAoCJwsqS0sh8HQOB9BO5JWt6nLXreSwD+3UsM9UEABE5OAEnpyQMA 5r+RQF51wmrSG73whK7L6nZerX1CLxAJAiAAAr9GAEnpr3kU9oAACIAACIAACIDAFxJAUvqFToPK IAACIAACIAACIPBrBJCU/ppHYQ8IgAAIgAAIgAAIfCEBJKVf6DSoDAIgAAIgAAIgAAK/RgBJ6a95 FPaAAAiAAAiAAAiAwBcSQFL6hU6DyiAAAiAAAiAAAiDwawSQlP6aR2EPCIAACIAACIAACHwhASSl 
X+g0qAwCIAACIAACIAACv0YASemveRT2gAAIgAAIgAAIgMAXEkBS+oVOg8ogAAIgAAIgAAIg8GsE kJT+mkdhDwiAAAiAAAiAAAh8IQEkpV/oNKgMAiAAAiAAAiAAAr9GAEnpr3kU9oAACIAACIAACIDA FxJAUvqFToPKIAACIAACIAACIPBrBJCU/ppHYQ8IgAAIgAAIgAAIfCEBJKVf6DSoDAIgAAIgAAIg AAK/RgBJ6a95FPaAAAiAAAiAAAiAwBcSQFL6hU6DyiAAAiAAAiAAAiDwawSQlP6aR2EPCIAACIAA CIAACHwhASSlX+g0qAwCIAACIAACIAACv0bgfEnpbdkul4vz77qtf8W9t0XUua7bbV3a5cu6rcu6 ieZFkN36W7er7f8q2rb0E3WUbknWVSpv+8T+ZxLIvpax97etVx17Nq5G/u+WV/G3bDdD52+91uNj 0bVUHYrN27LFKgP9s83CxhDDhYGSzWNl1H+ygdvm8SD7E2PImFztVnJsja7cwiDrYdu39iu5t21h BkF/sc/HLwMfKv+0Ok7Hq/i4bBfJTeqX+9d1uvE36B7FIAAC5yZwyqSUTxR04uFz3W3RJ0WuE8Ij TMSlfLstmywPJzA5cY9iymkv5Vn523bbFiWfTnr6RCT1H3WP8g8hYOJAaxV9bi+GYp2R/0fl2/Zn LrJ032mvoV+Idx44VDUlKvIQx2ylv5DZGn9ZF1E3H9tI9+t2kZ1R/2J8kG1XNT7s+JHSnG2SR/L/ 1m1xLvaq8d7Qsx7HTl/eoZzgx8LKXkocpf0hkSzzQVXf9Y/XcTpm7CF5mJ86vFAEAiBwGIHzJaUC HU22cm6PRRMnMDNpC5Fzm1X727ZIRXL5X2MFtk466AQoRcwpcuZaxJBW68rJXNNolKcTvLfark7c Wpi/l/3sFLM/3cRo5P9R+SNJqYlVR/VwqKt/bOSPPyHQ5eOPTykrJNw3mbj5bURP/qbL3qnq6hmT 9d0xQeKZXdi86AScym1SmtrEvib945iRD1X2GJm5HPNTZoYNEACBQwggKdV3JZurI5a2ukUlVmls PXc/T+qxlGSphFImPq7sOunASqlLunOwkXTmFqPyXPH+DRMHUtBt4WTZO/GP/D8qfyApnUzU+vpH S2UiKW3P2x4f7xg1EHrxKjD/8qqtfQwi99PaEDLrKhwf+ta1qtfSVVVydkJSGuW7Sa2XlPKxrs5O X94hozfmJw8SjoEACDyDAJLSblIqTjz0/JTKHIU7KInMyaNpk5+74iSj3O7k1bbqxJNPCl5CQv3W fVQyhHrYPJCAvGDIvo3PR+72Qfaz0Y8TjHS4Tt5G/h+VPzkpHeofDavtMhw8Pt4xaiaSsToZfe5K Kdnh+r6lqzGz2k0xRtMNJYSVbMM3tOdjgkMlN1bUzyznGMb85PPCURAAgVcSQFJqk1J6ftNJPsuJ znMPJQFiUveqyGPyZEUnE3sLWZbLdnl7Z3+5HTY+ikDDz5Tk8AVL/lUxOfL/qNxJSsUt48zI1W+c 4I31jz3clZRWz1fXstRYDXaNdc42y41hgseVGxePLj9u0/k1viirzqkNJ6BSRO7rTltdWelRAcxP kg62QQAEnkgASWmVlNLqhPijpgS/nOjohG/L/US26bd8Akk1aGVEJh22PCyuyqR3nHQ0+0ZBIkAM 73im9Eh+jp/DKrjzJgedmIz8Pyp/JCmltnZlMLKMIewnaFr/CPG+pDT2b8dLuVNhbUt+zncydjiw kZTa29khCZfjl7tw/cuFnV+TlFbPkFZJqfZ33z+dfrnI6o35icngFwRA4MkEzpmUVrdgZcJHxJ3X ruSTTjrJ5dtelNjYJLXjtbAyGm/3yhMpnejCfqVbqitWK0Ld3P+Ovjtqna+I/Wh9zyRG5VzvgV97 
8ldxx35lPUqcjfzfLZfxl2MoxhiHeEiyTJlKAvkPcESd2FaOm7b+/Nf6eRVYxDbRnOlf1REJpzye b3uTzaLOyGNSRtZRtZc+OfiZUjn+c5+pv7AvGfPcYJ5Jb/pnZDmvjCa5uf/4GAHmpwl+qAICIPAQ gXMmpQ8hQ2MQOIhAlZQeJBdiPoMA/PsZfoAWIAACX0MASenXuAqK/hyBvCrGq4o/Z+FJDSorqXm1 9qQkYDYIgAAI7CGApHQPLdQFARAAARAAARAAARB4CgEkpU/BCqEgAAIgAAIgAAIgAAJ7CCAp3UML dUEABEAABEAABEAABJ5CAEnpU7BCKAiAAAiAAAiAAAiAwB4CSEr30EJdEAABEAABEAABEACBpxBA UvoUrBAKAiAAAiAAAiAAAiCwhwCS0j20UBcEQAAEQAAEQAAEQOApBJCUPgUrhIIACIAACIAACIAA COwhgKR0Dy3UBQEQAAEQAAEQAAEQeAoBJKVPwQqhIAACIAACIAACIAACewggKd1DC3VBAARAAARA AARAAASeQgBJ6VOwQigIgAAIgAAIgAAIgMAeAkhK99BCXRAAARAAARAAARAAgacQQFL6FKwQCgIg AAIgAAIgAAIgsIcAktI9tFAXBEAABEAABEAABEDgKQSQlD4FK4SCAAiAAAiAAAiAAAjsIYCkdA8t 1AUBEAABEAABEAABEHgKASSlT8EKoSAAAiAAAiAAAiAAAnsIICndQwt1QQAEQAAEQAAEQAAEnkIA SelTsEIoCIAACIAACIAACIDAHgLnS0pvy3a5XOK/67r9bbdtae3z8cuy3QzVv/Wq5dyWbbGVTJuw +7du1yxX6pEqS/1kvaBrrHNbUjtRfl3/vN5w7EMJKB8u67YuFIvbtk34n6pV8ZfslMdDTEh5FENy X8TPJcUXt8/xJOuLGOR6YSwluSH+ZX1H/j53xLGZddnXGLVBAARAAAS+jMD5klJykEkgwwlWZpSU ONp9kZhW9dOJWDbpxsFt2eSJluTJfdJP7VPiLBKCbfvb1qtOlG/LdUNe2qX+OYXGvyGepH9N+Wb8 78dfiYe/dTGx8FeS3hT/vfii9lcVXzr+/P4v5aJsoP+0Iyo50y1REQRAAARA4AsJnD4pDStWNpu0 SSk5Np8gb9ti6+91fJbFDY3MXG6SCa7uJKU20c5VsdEgQIk9rTiXZE5XbJS3VgIvF3MhoaWpvexf dbTs5HLP/yZWuFVuQ6uos0mpJz+1v8kLM5mUNvpnPeg36+LLl1W721lOtxYKQQAEQAAEfoTAiZPS mHToFaPkVS8p5WN/67Y8uiRpTraUGKs8VyY+cgUtBx1WSjOKuzcaSWeWNyrPFe/aULfvrY97/m/F nzg+k5TqR1i0Cdyef9VKrehHtxJ7Pf1FteGmGSfD+qgAAiAAAiDw1QROm5TSSZkSQUoOqsSUE1Dp Wj42PClzMmOf+xQrcvKk7a2w5ZNxa6Wp7qOyQeqO7eMIGN/l5M7z42yvJFMmpj3/5zIjXMRlSSa5 jomjLMMcT9VLe14h5d/wMOv4omwgn7Xq/VaPNPQqowwEQAAEQOAnCJw2KZUrk7dFJIzkVk5ApYvz iVacoGX5nu0sK/VlbyHLclcuJaVGZ7ceDn4HAePPrv/92+eUxHFMl6SSrTcx25Vvbv+H569le7nN 8s3vQL6p3d49Sk67B5SAAAiAAAh8EAEkpeQMm4TaffMMJyUAemUyrlxyUjD0rz3Z0kqZbGzLw2N6 Mgk1ScywQ1SoCUSf7X6mtBa08wj1a/8ozSSaA/9X8eestNp4svs6fumOQYkvndQmTmIlt+o/jA/x CMpA/2lgjpzptqgIAiAAAiDwdQTOl5TK26/5RCtPvOIVUeKVNjJnJC+rZwLTowBT3qeEl+Xm/pM8 
2pf6cb3wW5IG3bdNcKa0QKWUSL0nKbWPdggfTvi/ij8RR+xYShzzowWyfCBftsuJK8WslNGL/4F8 1m/qF0npFCZUAgEQAIFfIXC+pPRXPAc7zk1AJH8hefzJBA7vKT13kMN6EACBsxFAUno2j8PeHyBA yRqvro4eQ/gBc2ECCIAACIDAKQggKT2Fm2EkCIAACIAACIAACHw2ASSln+0faAcCIAACIAACIAAC pyCApPQUboaRIAACIAACIAACIPDZBJCUfrZ/oB0IgAAIgAAIgAAInIIAktJTuBlGggAIgAAIgAAI gMBnE0BS+tn+gXYg8DwC+bVS/Jf8oqtcdtEfdghV+C/+nU/0ChGtTfku1Pwu1fQiYC7L70iVenTf 45tskPXle35771m9rtttXbb1L7yAtbzf1Wsv3zPM5UZ2y+7W8dti+dt3JZd3FEcZE1/VanWG4yAA AiDwwQSQlH6wc6AaCDyVQOvdpuZl+ZQo2o9HBL1a7WeVbrSnL0pd1Wd0RRIm2ki9VGIn6kRVRPvw ATfzRbaQyIrEcNB+M+WkR06iZ23nesS6gmu+8MV1xa+0XRzGJgiAAAh8NQEkpV/tvv3Kx69BXbf1 Jr4sld95SV9cLV8CCidauTIkVqqWVba3Kzn2i1d1+X7N0eJwAia5Yvn6M6N0tJEkNdqznOFvo33o n+IzJ2s6qWS5zcQsy/3b1mXdaAG0/OfLKuVxtTQmmV57Wc6tGny4uPNL4zGbmevNyJuwI8vDBgiA AAh8BwEkpd/hp0O1jImpTBTpdqHYzyf11K1dzQkrS+36JF+tHJmVt0ONgbD7CVg/Z3enW9lZciMB arTPzUYbjfacFPNvSIqdW+S9pDQ/FmDb/a3bEu7Td5STjwDY9tTM6O0nlh35uYgegxDjKB8f3b6n itRWrO7mttgAARAAge8lgKT0e313t+buSfS2iBUbfbJUt0apV1U33A8VJ3p/lackGHerjYZHEzDJ FYuvffWepLQko37/vaS0udKpktLybGxIYnnJMnNpr5TmpPdiLsAY4tSvuRhstbEXhameO45bMnAc BEAABL6AAJLSL3DS0SpWSSZ1YBNN3vdOiFzGiqkTPZJSxvLxvzn50prWyZ7vU7tiqKVM7DX7Fyu1 IdbuTUo9HXxbVCLe0CtLk+U0PuRdhlxpZmMyKaVV0eoxhPiIDOfRM72hDgiAAAh8OgEkpZ/uoSfo RyssF3Nb8rbY24jxRLhWfxnsJLAqKaWTpb2t6J9Un2AaRO4hIJMr1e62reIWd52kpsrN9kpYe6fR XiWI4TZ1Ha8kdI9eMr7r+CRZOhFWj5+EkBfjw+pNt/vvyg71HQkGReNT9e/KH9y+D8my9+YE7gW/ IAACIPB5BJCUfp5Pnq5ROCmvi3r1jToJsgbeyVA8bxfOw3zyU7cx7TNx3h9zcCf4fRsBm1wJRcKF C7/yqJVwddoLUdUmJZPy9re8dS7LckxSjMmLKBGDUY5OGCvZwQ5Rh/5wi23jX7axkn1Juqb2It7l hZ13oVcZ7hygdty1LFb8pe25kr96zMWRo7045FL8ggAIgMBnEkBS+pl+eapW3krRUzuE8M8kcGdS mY15tH0WdOINSnK9rHSApLlKnNpRUpuT+oEsFIMACIDApxBAUvopnniRHuMVmBcpgm7eTyCvCu5d USt/IITE53E37r9I7K+Shj8Qu/s518ftgQQQAAEQuJcAktJ7yaEdCIAACIAACIAACIDAYQSQlB6G EoJAAARAAARAAARAAKesbg4AACAASURBVATuJYCk9F5yaAcCIAACIAACIAACIHAYASSlh6GEIBAA ARAAARAAARAAgXsJICm9lxzagQAIgAAIgAAIgAAIHEYASelhKCEIBL6MQOev7/l9of5f1z/21/cs 
W71PNL0Wictyv1nH9AJ9uc/vGA2/6Q0CrXLzrk/7Foobvzx/1F6+p5T7N7L3RoH31/cVByN0VG6q v3C3xEbwb4ON4r+s7herXqi039UDrzwb+kfGWYORr9STj0q9OL7l+ErdK/9d1y2PH6/85f4dvZ3i yQwh/iECSEofwofG9xKQX9i5VwbaPUigddKlExMlieZLXVVvrfZVxcaBRnv6utL1al52zydu0YZO /PyKT5XYiTqxZ32SonY56aUK4UQsXos1aG8/r1rJa5jrHvbeUzriPyr/f/beXtd25tnXmpdw/pCB dLaIEIMLISBCwndAtpEIF5k3ESTrRFzCika0MyRWeALypXkDiGRBBNnJjLrb1a6q7rY9PjyG7fG8 0nqHp91dXfV02/1z+ava0KtXJuZerEQvHN8o4KR/X+3mXHvOz7miZttC/xTx3tuOafRJfyhfgp+1 /asY7wv7TxHvk1ydM6N9nyvHtv0RQJTur0829Gj8ks2lG7pL+FJNN1xz5keLgPRd7ZzJ6kL5fvjO nulsyGXor+H732tf1l35ms6X/qqNbLciQbIuP8MnUr+mNpOPqmz0UWyMX+MxvucgWFATUBXGG0Vp HFMyI4YvMFX6sDnx5Lhqn7et2zLxz9ZPItaI2uBf9tVYWvwjZJyaVZf4L21fbH3DAtcuxVXzMfPd sP1nmH7Uz1rsNb8ebadm8wnr6vvXLfvPE5y428QKP++2TcUtCSBKt6S7S9tJsMWJMArSUYzKJBJ8 dgdJf6ZrJ9Jkz07Sy4HPZkorB3NdPl060iI6+DD9bbJmYzz6k5DL3n1ICdfPRdSVfjBlluqbwpU/ GvXlO/TyG18Gf6MozSdUvt5STMHNmPmZOaFxftv9oRJnc1U4uZvGbVFsydel7YXB162Y9tfaiYE7 6fV99Do351ty/TxfuLJ1tn/Uif1O46+K0tmYJgbpGD2zD01FN1oKfH2yYqOmMPtUAojSp+I8gjF1 BqkvHWpROqgDZryfSE+cqr6Eaw7evu54YFKiMVSbJi0xYn/NdncgrIqA7L/Lkub7onQMtq2P/cv0 W4WC416UWKpfVHArGvVLMVoZc0O4u2C6vGgsZ7sVQWRicmNVUpZz9UNDWrSuvkJgPBz/sCdTRQnj a7F1+faKSpWh2Lf9/umY3LP/6OPKXD+Jf4HnamG25N/Sdml0xW8eByvK1oos9d9YJ4zj9Sf1S/Et ba85Wl9X3b9MTK4t2X+8uTf1b3We8L7x9+4IIEp31yVbO6QmeD15ZFFXaT+Uy5OGqi9FzYFKVs7/ GtFZK6ps+rJFJjTUz/5XhEjNPusis9nJUPVBFdejk3aj/iRKpV8rY25O7DTsphjql9p9m7NctP2w b7gTriqr6sp3iNKqI09dGcRMzlSLqG0JlthyEDc7PGnU/XwPoaX9J9vc5zGrKkobt6qY/SfHJQvv 6V9EqfA/1i+i9Fj99QRv1QTfEKWF6NPlok6wl0XCzj87iVe8Nm00JvYoRisH9tCez6xo4Xpb5qHi 3KesWpp0K+wNmqX6pnDlj0Z9O8GN2Zh8UjTZqU+aScj68ajHhxl7oznTZsUvXd/f3hIzp7Oia/LZ Li1M1kv8l7bbxl70V11gTfxCzPb4EW/PuIvfxiFVxsFNLTb6x4ulKOJ3GH9r/5rff/bSvzU/VO/F OecrPdCpVrP4fgKI0vf3wQs9UJe2w0Fw3DHjBD5ekgyro+iTDEf89VkMZSdcvgwPQvXTY1CrApKD QtX+aKEpVi9D33cmG1OKELksKb8+hlVenrtQY9KNk6Tp//IkIIJp1F+CVrU/Tsp6W+7TMA60KHWX z+MDe9Josa3W/3b8xqyeiIKl+nrcKp9qJ0ri0tyvFyihrGaQM46qraXtc+1tu01zFeEZxIH0QVin 
/9brt/XsLuvPHN+q/4pbKMy2uzx9bqViH/DHTt3PYx/K/lO9PUTGwnPdnLemki+VgmkfeodfFWdY ZQggSg0O/riLwJ0H78W2mpkGDiaL7NYUeLTfHq2/xsezlwkiN0/oZw/2YPExvg/WYZO7QXTO7Vbh ZDCf9E7VWNoBAUTpDjrhiC6YbOqTz/R9JkgfXLZs94j98JDPOSNyq8ifsl0c2B/qgVi5djn0catY eJgAovRhhO8xMJ8ljbeL3H0f+Hsi+qRWEaWf1NvECgEIQAACEIAABHZKAFG6047BLQhAAAIQgAAE IPBJBBCln9TbxAoBCEAAAhCAAAR2SgBRutOOwS0IQAACEIAABCDwSQQQpZ/U28QKAQhAAAIQgAAE dkoAUbrTjjmOW+OT2E9+Av848R/Y0+bT99PT9eE9meUT9tP2cts6HuYtCl0/9F0/xDfdZp/kHZbj rxtf5g0NapteH33T9kI5/bd+F+toQ+rnuHT5RjvxQw7yRTFdvmJ/HR33rlLVbqhv2Ok29GsqZhqq 1c/x+vdMurZnzI6bKu+wNE86T2MnvoPV22/x+5I3RCzUX3YwlpB+rvkwy2fRP9d30j+ub1rty/rc H7q9yGohfv0e3di2f8foSkAUg8CbCCBK3wT+XM3Wv+IyF+P0hZe5UmzblEDjlTdhUtZzqP87+9So n7e3Fly9OBFrceK2x1e4qO2xvHVw0C/QN19nij648blovxsu5rOX9hUz9fYVswX7LSyyvmpfxR/K lftP/fOpYtP+BmFjxUr5WqoU87Xvhlu/ixE/yqH7Jwol2570aWFfsQscxMwz/VvmO8NntX/1L4uF flhqP4zfufGX+nK+f8p9wI4A/oLAXgkgSvfaMxv5lbIAl6G/hm92SzZKshBjo+5sO5+1Z59sNqS7 ukl/tr6tK1+skcknNjFbPzvBwqME1AQ7a0qygL7Q2vq31st23biKdhriK9cJk74XUs5OLuvWj37G +mH/yINSi9JG+zrGBfu6aLms25q2aoEW1mZRmtuayi4vlaIrfCo1h5saSH83PmAx20bYf42xikCT 9mbs+5hNmyvqm/L5jzV8V/AZxaUPMzcTFqp9s9z+/PgbW1iIv9wHjGf8AYHdEkCU7rZrtnMsCVOd uQhCUf39fR2u6quhNlMWDthaxIa/3WcoZ+unuPKkWgtzRf1aNdbdSKA6aXob9Uk0llpV39tLf6cx WL80H78lLydMLkMYsnDVT9qq9eWE7MRncUnU+ij15VeyenGXUO3YWuqvBfuqZLnYYura1fzKk8bS rF1Tii6fiZz2T8fOGqr/VROlbt0a+3OidE39qnOr+C7zCbbn/Itt19qqrUvG8riWcSe/ZvyNQS3F P9UdK/ADgYMQQJQepKOe6aYVmaNlOfOOf5bZzJwRcJNjqu2Fy0z93JwSweO66We5/lSWpbsJtCbI bDD0gz4ByRvSwmJ9V771ZxBxWnxmuxVBlLc5Y2pclhOys5NtuPWjyam+jGv5jUokiwfnwfTngv2p YGUp13XbVHxhSxYlrfKuuv1zPJEU4e/vG3YC0oqvsm662qH2Z1c/tq3X6eUZcWfbVRGsrK9qTIst XoZvGWNN+Df9k9ZqbdXWhfKq/dnxN5bVmeiaH5MNcYZfCByDAKL0GP30VC99ViQaz6I0HJCdEMnb 7MFzckpN2vFBiZn6Y6U8qU5GxqWF9ovyrLibQGuCDAZjts/1o29orr4vO/t36HMlambt1i+f64m5 nJD1+GxdVp0cNPXj2Nf19fJUxyzN+m9KVv6o29fxhUrt/adisljleLvtoS25rSb/5rNSV7j2pxON sYhista+j1maWltfytvfNXzn+Yi9ln+y/aHL93Klqhh/4z2p6oQi9pHrHzOGg0P6GJ4dZAEC+yOA 
KN1fn2zuUbz0pzNTZpLzB+2UtZyOeeUBO04S2d5S/RSeEcZhEsu3D6yrvzmkT2hACQUdbjE+WhNa o762VS6H8ePFrhOaFbtahIXxZjJXlUzr1zRgk8B2f5v6Zvz7e1KDv/b2lKL98Yn13MSC/yUTuybu T9lYEhQmk+z8tbXX/FXuw1OtevZY85/KNpYKUarbW28/cNAYUmvr6ze8W3zQaIj9qU6SGobq/qnC lXEQti71rxWUfvyti9/aSGOoZKl8ZRECOyGAKN1JR7zSjSgI+85kQ8wkre+JC5dvx7L5oBZFpDwk 9TV8hVf66Il7qX4I1thwE8Ca+q8Edta2qpNmeetEyMTkvtcsqvV1gdryOMmaTI8Sqabv1RjLJy3J pr6n0gu2UCJO/NJGPmEaBZ6sN79pDOp6eZ8IY1XbiGa0b4rPSv9rZPQ67YePz8Q+d3uFNqiW2/V1 30uf6P6SdcpYsahtTIzS+NHbxFbFfsFQjg8r6xc+lSse4tv0L7VjbMsYczuQKaPGll5fjr8V8f+r foB14t/ch0s0rIHAWwkgSt+K/z2Nmyzle1yg1T0QuEtUKscfra9M3byohEGcvN/py83OUwECEIAA BGoEEKU1KideZ7Ik6gz9xCETWotAFnaStWoV9Oun7FbO5vgim/4dMkbis/gi2bRNG8Y4BCAAAQhs SABRuiFcTEMAAhCAAAQgAAEIrCOAKF3HiVIQgAAEIAABCEAAAhsSQJRuCBfTEIAABCAAAQhAAALr CCBK13GiFAQgAAEIQAACEIDAhgQQpRvCxTQEIAABCEAAAhCAwDoCiNJ1nCgFAQhAYJGAvGcyv5Ug v+GgfAF//lqSfguGLi/vuIy/49sGWtu1jUUvKQABCEBgnwQQpfvsF7yCAAQOSiB8TeeiP5s62K+U ReGqX6YehKaISvW+1VBOipl3C6syCZG1vwdsN30B6g0O792/NyChSQjsggCidBfdgBMQgMBZCMRP PF774SKK0ojSuoDUAlQ41NbFbVmU1j85merf+f7WMRPb9frLQOU7YM37js3XtvRXh6YvCmUUEtzs r7Mhgj1wDFnjSzd04Qtyod38ZbjkY/LrMvSBf840yzttQ6PO9lhm8k+2qzqSnc5+zDrPRghA4AEC iNIH4FEVAhCAgCcg3x2X3yiERNBkQelqffdD13+blXOitHrp39ZOn/41gtEUaP8RRZgSos7nIPzy 7QnBSvUzrKp+u6XqFpMVDiV0JnkUlVFERkE6tnPtVFZ5FKzZehCa1p/ZTGmlL2bL53ZYgAAEHiWA KH2UIPUhAIEDEZAM4pTFSwJPRMvS9uVQSzGqsqNO4GVrFSE0J0qTKJzLlGbLty8ogRcrG9+uQzel FbPtKea06n4RJ5nKVv8olkGUii/K5yCaZXV2UG0P65b8M9tN/NliY2Fp/Cxtb5hlNQQ+hACi9EM6 mjAhAIHXEDACLYohJaTMpfzJn5oAra2LNVrCdjL32JITcCETOmVxtxalS0JbsWyKUnXpXUi4mIzo lDL6V8W8WFbXYxkCEHiIAKL0IXxUhgAEIGAJGFE6jJkxuXwfr3Zfhi+dyjOXpydbt4jSUjhJRk4y wJPdxSUn4KwoDVlGL/pKIWnK6Mvsi42HuwEu9vYAU2eNKLVvOgjVPZ81/sU6SpwaN7b+IzL7suNk 6zaxD4EdEECU7qATcAECEDgHgSCo5H7PfN9lEBhKlIZIdbn85L0gkAdr8oM6SlgW2+QytyoT7dwp SpX9qJtFHH3p+0jLS+xaY6fm9YNG3jcJtP1rH6SSe0RVu6HB0bfIefQ7rI6Cs+9yP4T+yH0hTaq4 4gNTsl7/xjK3+65N3LucxocX//daox4EjkMAUXqcvsJTCEAAAhBYIGCyoAtlZze/K0saM7sVIT3r 
LBshcA4CiNJz9CNRQAACEPh4AibD6rLTa+GYLPZX5aGptYbuLle+LeBuU1SEwMEIIEoP1mG4CwEI QAACEIAABM5IAFF6xl4lJghAAAIQgAAEIHAwAojSg3UY7kIAAhCAAAQgAIEzEkCUnrFXiQkCEIAA BCAAAQgcjACi9GAdhrsQgAAEIAABCEDgjAQQpWfs1b3HpN6FWLw/cO++n8m/3A+V9yHmbeWLyAd5 IXzt/Y9LfMz7Icd3bN75lHSzKeU746tJiQ0QgAAEdkcAUbq7Lvkgh7b+XOIHobwr1Ab/+EocLRQb 5YbW+iVnXL3Q3ibi0bWz5BbbIQABCEDgvQQQpe/l/7bWzbv4Lv3Qq08Hyrv+olDIWSf9ZRP1ZZXw 1RktYEJELhvWFByFaBjtXrqhu4xfccm2dPtvw3auhgv+jfBa5VrrG2by6qKe/5464yuzYgECEIDA BxFAlH5QZ0uoUZDq7wJG4eku4YoYFMH53Q/9NVkovpgS6ku5UOT7Oly/pbXw2b/GC6gLcRLqJEES 3Ys+jGLUf497Ms/SvQSq/MWYfKayctIhRWbrS6HKr6vnxwfjq8KMVRCAAAQ+gACi9AM62Yb4PfRd PyjNaDfLX81P7LksVu373KOwlG+Ah1+tgaWJ+uXf69CJwA2iVCoiSjO2py04cdiy27y8vrJ+YTdn 39M9pTaTzvgqeLECAhCAwIcQQJR+SEdPYT4qSpfqhwyby7q2BGVV1CBKp77aeKnKv9Zmo89X13c2 dT2dDY/FGm1lE4yvjIIFCEAAAicjgCg9WYeuCafMfKVLtZKUjDaamdJwy+jcgylKVEZD6nK8d06L k7xN1SdTmqlsslDlX95uUdzuIc406svm5q+vFzKnavDtYnxFsfxl/GrGwwYIQAACEHgKAUTpUzAe z4g8zCSX2CdNoO4lzJfmy8vvvv7Xl3oQyVyevQx93w3TJfy6/VRfXboNDo3CQD9wNfl5POa789iL w+yg6yO5nSJvHxea9X1B9beIPfeAXBxPqp13j68oxL9cxl+FwSIEIAABCDyfAKL0+UyxCIFjELhH VOrIHq2vbe1sOYhie6/rzhzEHQhAAAInJIAoPWGnEhIEVhHIGe1bM4JTJvWcwi1k7FXmfxVMCkEA AhCAwKMEEKWPEqQ+BCAAAQhAAAIQgMDDBBClDyPEAAQgAAEIQAACEIDAowQQpY8SpD4EIAABCEAA AhCAwMMEEKUPI8QABCAAAQhAAAIQgMCjBBCljxKkPgQgAAEIQAACEIDAwwQQpQ8jxAAEDkpg8en7 8Sn74uWwjz19X76D9L7XL82/ZP/xPtnMfuZexp3ej6rWq7Jf6j2uj0eHBQhAAAL7I4Ao3V+f4BEE XkNg4T2jQTx21+vQFaJ0dG+hfjuIIGrtK5eu3a2vpWpbP8yWBr/vvhsuho/6ytlhgsNRCEAAArcT QJTezuwUNSQjE7/odOmHXkTBmJnp+n645C86WQEhX1qSr0FN76ocv8h06Ybu8jXErzTlL/hoG+rL Te7LPqeAe5QgGqIouD9lCV8jSodrN4j2lUyq/pJX64th09gboa8Zv2N8Mn5DBjKP/2BGZSe9/eTb Zeivev9wgjqP+bAPqKynHxcN/kGURvsCZHCitGmf/c8j5m8IQOBYBBClx+qvp3gbBWme8GQSVhNr nJSViPST5/d1uH5PrqSMmvydJsZoPk6eox0jOlRboVpoj0uTAvB1v75fpeXQH3l8vEaUFplSEV4y Lr77ob+Kg+PvnP/65feu3OL4l2ZcvWn1eMIlK4Jo1O3N7h+5Uhz3XvSGrVGUfk+/QyFK2f8URRYh AIETEUCUnqgz14XyPfRdPyhNWVZTAjJu/O6Hrtc1XKbzK1zmFTMqqxOEhWzINsu6KWOlRLCY4ndb 
Ag3RZbLoY7a8Jp7CyUR1/aLX0z2pkq0s7BRjrmK01X4ea2MdY2vF+JemGvbtSdhY2LRZjnHZDcR0 /G3YF1E6iVG1T6WKQ5evYqRs7GRflWX/M7j5AwIQ2D8BROn+++jJHq6YlM0EG1M3SpQGQVFmOtdP iivaf3LEmGsQaIgiW/o1mVLbph9zxda0ouX/0vhdOimT5hr2i6xuKJ/bXNo/xHiqU4hxlSmNJaNd JTSHJfuqbFWUsv+pHmARAhDYGQFE6c465BXuTPcLSmspc5WFZZ5gx+0m06Qmvbg5ZYVyXX2psTop 6vsVpX1+30KgIbqsL2cTpbXx58a/AGjwifeVym0FY9lrJ5n+pf1DjK8UpVGEfqnbW5bsq+2P7H+h bsjGTju2cpxFCEAAAtsQQJRuw3X3VtMDG+nSX7iEmuce9ZBHXCeTk35gQ5X5+roMfd/FBzrik9py WTFUHuvGbNBYR9rx7ZsHWXZP7yQONkSXRKcv49cyevdevrd977LuIsJkHI2/Mm6GxvY8ftTYbI7f qAensW/G/5L9WHca89XbD5QPdv8IZJMAlnrTbxK1VeZhP9IiuGlf3Tbw4P6X/PB9IyODXwhAAALb EECUbsMVqxDYP4EFUboYwKP1FxvYZ4Hq5ft9unq3V+HEoXoicrdFKkIAAhBYJoAoXWZECQick0DO uN2aEZuyfZ8mXEyWV2cvTzVCQsZVbkc4VWAEAwEI7JwAonTnHYR7EIAABCAAAQhA4BMIIEo/oZeJ EQIQgAAEIAABCOycAKJ05x2EexCAAAQgAAEIQOATCCBKP6GXiRECEIAABCAAAQjsnACidOcdhHsQ gAAEIAABCEDgEwggSj+hl++MsXzJ/jpD6QnlW5/oXmebUk8k0Hz6Xr3vMr4n1D+J/cDT97lN+57Q +D5P/SXb+GWjy12vJWL8PXGMYAoCEIDACwkgSl8Ie09NTV+g2carR9/luLV/20R9MKvN94zOfMVJ h9isrwu5ZVUnnPTIS/EfHS+uleFRe4w/T5S/IQABCGxPAFG6PeOdteCzYCljJeIgOquyWa33UOov z3xd+qHvbGY0iwJlK391J3yKVH+xx7zv0W0rvuizM5xHdkcJRBvGhqJUNaRFqVodvyMvXzpi/Bky /AEBCEDg1AQQpafu3nZwqzJBDdESBalWsVF4zolSe/k3C1ZxL9Q3wjToEltHivL7RAKN/h38SUPr RerN+ut8bIpSqd6wz/gTQPxCAAIQOBcBROm5+nN1NKtEX1UUfA991w/u9r+i3fzlGyc2S8Ej9xZa EbrKv6JVVtxEoNq/FQvh2+v6JESKrK0v5d3vfaKU8ecw8icEIACB0xBAlJ6mK28LZJXoq4qO9aKg 6/vhUmTZ1ta3IvW26Ci9ikC1f2s1G322un7N5jBsLUoZf3XurIUABCCwVwKI0r32zMZ+mUvoIRNW iMch3ttXu6cviAm7Pj2NrZNp2X7Fdlm/DDbXD5sqNsoarLmZQENUhiy36d9we4XuXGmoUV82L/3e J0qTmDX+DW8Yf3FMftW5LAXOdghAAAIQqBJAlFaxfMBKmVSLV/5Mr/uRh03Sr81c5svzlQeR9Ct5 gvAQO1pI+PrTQ1Aj+6Z/H9A3rwpxRlSa/iluwRgdnKk/G4J5+C3cvqHH1jHGXxrX9j7q2ZjZCAEI QAACiwQQpYuIKACBkxK4V1QKjkfri50D/gbRrk+yDhgCLkMAAhDYHQFE6e66BIcg8CICOWN5a8Zv ymZ+pjALry3T2d0X9RfNQAACEDg5AUTpyTuY8CAAAQhAAAIQgMARCCBKj9BL+AgBCEAAAhCAAARO TgBRevIOJjwIQAACEIAABCBwBAKI0iP0Ej5CAAIQgAAEIACBkxNAlJ68gwkPAhCAAAQgAAEIHIEA 
ovQIvYSPENiCwNLT9813xT7w9H1uUz4vO/623oW6Rdy7sjmyzPGHJ/sdG57031WP4QwEILAdAUTp dmyx/EYCqz6j+kb/dtH03HtGo3hceO3RXP25AIt616HLomyu4n62PXd8uc+4hpMB/QWteHKw0BcO zXP9c8b5EwIQgMBGBBClG4Hdt1mXjdGCYMxkpe+GS8amnBD1l5q+Lv3Qd+vedZm/9nQNnzYV+66u ydCVLymXrw3Fd2TmzJv46GKrfHFq333zQu8KcShtrxSJzfpip/Gb6zkxFoo/YfytGx9qzMkYuvTD zy6MycvQN8fnmvHlyuj9KyKx27ur4+BF6cglvxN2dv+wtuVralrjps/2yr5X7l+NXmM1BCAAgc0J IEo3R7y/Bsx35YN7YVLWE2ecpEXkpe15Qoyfor/Yb37H8mqSXwg5iQZlfwgTqfr7+zpcvycjobyZ VMMmmZjF7+9+6K+6jrI3rWZJE8jiUK9MbMNJyXQZudG3rfrOXPGniMBwwiD9pws9Y/zNjY/vfuh6 NcDiEJ/Gy+L4dOW162F5fv8Kl+s1T3/5fhzbfsBrobpi/5jNlK6o72PibwhAAAKvIIAofQXlXbVR z6SY749fOysCzSTusjpFbNP9hpKlSb920vdzbhDG07rSx2nb2KDxqXBimJ2Uy+KfuaYlKkfROJ2I NDKnrfpLNHO9xlgyY0FEsojIRh3f5i3jw5WtngQ5n9rjqxy7Zvy7tpLbjq8WoBKXWVe24fePtn/B 4HJ9aZZfCEAAAq8kgCh9Je1dtLViUncTcMhKTpmlFfUX4iwySaF8btNnkvQ2Zdj4pNaPi/OTcln+ I9dkceiiD6LUZTBbfTYJV2dj7s9Wu1Inj4VxhenrlePP1BHD6ldt92OlFasWfr7OZHnBP9XuVGeF KM3M1u0fs/6ZTG1j/5qcYwkCEIDAywggSl+Gej8NhftBZ8XErCgIV859/ZQd1ZP2XLTx8mgheiST 6iboMatT2K5O7lOrRljES7lifyrz8UtZ6JQkbLawIbRm6pcW1ZpKPSOinjH+FsZH8Ca2WSk3Pz5T HHPjq9w/VOxD2FfsWIz3Z+v9wWRFQ11dZ93+0fZvXX3tMcsQgAAEXkUAUfoq0jtrJ068+UGj8NDD OFGq+/2iEIyCLj0UoYWsr1+Ixpl444TZd4O+vK9ty8Muaftl6MeyqY0kgHXdsFy0r/zOsc349JGb KuJw4mA5F3xDwdn6kyWzpMaX7cNnjT/rt7RR9b9xsrI4PkNAC+PL7x9mDJq6X8NX1w/9Re6vLS+t F+PbMPT7x0jbd989WAAAIABJREFUtGFF8Pz+ZXqLPyAAAQi8lACi9KW4aSwQMFkckLyPwD2iUnv7 aH1t6x3LlSxpcIPx+Y7OoE0IQAACw4AoZRS8lIDJIOlLli/1gsYigZxx00+Dr2EzZSNNhntN1R2U iZfL1VUCnUVlfO6gg3ABAhD4WAKI0o/tegKHAAQgAAEIQAAC+yGAKN1PX+AJBCAAAQhAAAIQ+FgC iNKP7XoChwAEIAABCEAAAvshgCjdT1/gCQQgAAEIQAACEPhYAojSj+16AocABCAAAQhAAAL7IYAo 3U9f4AkEIHB0AvmNBundvvKeVP+FrPvDnN58EG033mBh3iIQ3oPa9UP8UKt5f+noY8PGvT6atse3 HBzxLQ13xb91/7fsf9k3aJg+uPTDte+GXr7UG197psYn4+OurqbSNgQQpdtwxSoEIPCpBIr3t/qv KD0DTLLpxUa07NovvhhV2f5c0RiEs31h/7Pf/Wq+APYMnM+04fgO4at0zxL+ynboV3mdmeYb1pv+ jEJWiVZlI4TN+Hhm52PrUQKI0kcJUh8CEICAJpAn/crnWcdMV9f3wyW/K9UKuGAqCgXZfgmZTiUq 
QgH5FGvtAwC5fe2UWi62X4dO1E0s5r4qpQRVysBdhv6q/Xe+mc+iju2Kv+FPl601Akpl8eL6nBkU Rs63kZFxX4XaWjSZRPmaXXZVfcGuaL9lUa3PfDfs/3GMlHGvEMDZP+WzXiy2f9740DhYfi0BROlr edMaBCBwdgJZyMinQ13AcbuIrCQwtTCLglSrjVjeCr8pU1gRPkrYVS/xO9ERBJptzrYVP0taCFPl f8gEGmG3kCn9vg5XdylZtx9piXCVdr/7ob9OHKf4p3Vrl0K8mncUydKOGFloX4pVf1/Q/6HdME5q 3Dp9nb7qYDinUZfvfewfPj4ayFj9IgKI0heBphkIQGAPBNw9mZKNzKJqafuKGPKkXheMOcsppky2 s1FHyobfIJiUGqmKE10+iCQtPLRo+nICLQpMJVgKPknQqOZTSzoTGjOl1oYRgZU2CnuGiQ5GmtOi uNzeXuOzfqnkt7vnMjBeI+6q7Wzd/2Oj1X43fruxXEAeDTE+qt3IyvcQQJS+hzutQgACZyWQRUkj QCPgksicBNCyKI2Z1CwWR/HXEhzRBZe51P7FjKAWeMvt6/sXc4QmJtdeLhQWwrYyE1u4b8SVMRD/ uD9T+kpRWvo9Om8znCbWZf5itSpKg+AvYIbzGPugk9hIv66/Pnp8WDL89XoCiNLXM6dFCEDgzAT0 pD7GaUSUEXBelKbLsjazGESDXGKvi5bJfkX0eaHi/QuZMiVkgtix7dvOipd+deY13i7ghK170Gmy 4O95TPeIquZTUSPUptqyZIRxIaylVP3X1I1FKkwX2q9bHtd6vp7PQ/0/tVwXpSGT7UR/HGIiShkf qcvHe6KLgTfxZek9BBCl7+FOqxCAwBkJuEvj+ZVQcnuA2h7nQ7l30V1GN/f8fYkg1Q/5iPBIgjW1 E9bpv+USupRNAjg/YKWEpReavv0v8T8KrMvQ990wxWZvAbB1VdvS34rBV3iV0Wgr6YOa/xK/GHBx KN9UiZlFzTExmrTJyvZb1k1swj/8jqJdbb+9/8dGlY3UB/qEIJQp45tOOmrxqT5S41Hf8nG28ZGu Nqi4W/3J+pcTQJS+HDkNQgACEDgugVom7rjR4PmzCRxhfASRPXc14NlMsLeeAKJ0PStKQgACEPho AiYLqjKtHw2F4DOBY4yPkEn22eUcAgtvJoAofXMH0DwEIAABCEAAAhCAwDAgShkFEIAABCAAAQhA AAJvJ4AofXsX4AAEIAABCEAAAhCAAKKUMQABCEAAAhCAAAQg8HYCiNK3dwEOQAACEIAABCAAAQgg ShkDEIAABCCwOwJLL/HfncM4BAEIPEwAUfowQgxAAAIQgMCeCExfuNqTV/gCAQgsEUCULhFiOwQg AIFbCOiv4rgvNYkZ8z7Hrhu6W975OWM/2b0M/XX8jOJX+JrQ9OWape3BP/Etvlw8fz3IvtdRyvgv Cj3Ffm6z8YLzmfirXzPKX8TK9Icuchm/uHQLezHBLwQgsAkBROkmWDEKAQh8LIHv63D9nqIPQm36 jGVUfeZrMvGTh7cIowX7SRhqEWlfFr60PXouwk/8+u6H/ppiCvXN13BCWSmXRW27/SX7mVzlG/Kp 7gLf6INuP1uMC8UXh4IIVv7b0vwFAQi8kgCi9JW0aQsCEHgzgdq3v9W3yYel7WvcL789bkRp0UZb QNVbm7dfiOBg5NplYby0Pbb53Q9dr5R1duQ6dDaYsXg3SPHH7OeGos9G/OZN8/GHYu3L92Vdn+3N zbAAAQi8nACi9OXIaRACEDgvgSBqp8vlMU4lCKtxu0xjtUxeuWy/yASGusqHpe2xqYdEqYvftT9v P25N/6tmSpfjT821hP730Hf9UJPbqmUWIQCBNxFAlL4JPM1CAAJnJHB194emzJxOLhaiMIhSXWAW 
yxr7X8XlaJ05DJlMf7lab4/NN0Vp0LdedFqh96j9HH5VlC7HH+obH+OtCJNI5an+TJgFCOyOAKJ0 d12CQxCAwKEJqAd14kNGfTeES8SiO6No0w/afE2CaVXci/YvQz+2mS5N23tAo2Brbq/fviC+J//K S+B6+2P26+1/aUYL8UcfoxAdH2TSdUfAD/fBqo6iEAQgcCsBROmtxCgPAQhAYMcETJaw4ufS9kqV m1Ztbf8mZygMAQgcigCi9FDdhbMQgAAE2gRMBrDyRPnS9rbldVu2tr/OC0pBAAJHJYAoPWrP4TcE IAABCEAAAhA4EQFE6Yk6k1AgAAEIQAACEIDAUQkgSo/ac/gNAQhAAAIQgAAETkQAUXqiziQUCEAA AhCAAAQgcFQCiNKj9hx+QwACEIAABCAAgRMR+FhRGr83XXl/3Yn6llAgAAEIQAACEIDAYQh8rCgN PRSEqX7p82F6DUchAAEIQAACEIDAyQh8tCjV34M+Wb8SDgQgAAEIQAACEDgUAUTp9VD9hbMQgAAE IAABCEDglAQ+W5QO6TvLl/77lJ1LUBCAAAQgAAEIQOAoBD5blF477ik9ykjFTwhAAAIQgAAETk0A Ucrl+1MPcIKDAAQgAAEIQOAYBD5alPL0/TEGKV5CAAIQgAAEIHB+Ah8rSnlP6fkHNxFCAAIQgAAE IHAcAh8rSo/TRXgKAQhAAAIQgAAEzk8AUXr+PiZCCEAAAhCAAAQgsHsCiNLddxEOQgACEIAABCAA gfMTQJSev4+JEAIQgAAEIAABCOyeAKJ0912EgxCAAAQgAAEIQOD8BBCl5+9jIoQABCAAAQhAAAK7 J4Ao3X0X4SAEIAABCEAAAhA4PwFE6fn7mAghAAEIQAACEIDA7gkgSnffRTgIAQhAAAIQgAAEzk8A UXr+PiZCCEAAAhCAAAQgsHsCiNLddxEOQgACEIAABCAAgfMTQJSev4+JEAIQgAAEIAABCOyeAKJ0 912EgxCAAAQgAAEIQOD8BBCl5+9jIoQABCAAAQhAAAK7J4Ao3X0X4SAEIAABCEAAAhA4PwFE6fn7 mAghAAEIQAACEIDA7gkgSnffRTgIAQhAAAIQgAAEzk8AUXr+PiZCCEAAAhCAAAQgsHsCiNLddxEO QgACEIAABCAAgfMTQJSev4+JEAIQgAAEIAABCOyeAKJ0912EgxCAAAQgAAEIQOD8BD5PlF674evr q/x36Yfvp/T399BflP2G3WunynT90Hdj+9/9cPH+NWzc665pe2zr0j8n+nt9+sh6eSxehgn/8vhZ 6r/Z7cX46oarg//dX8r9o7OlTJkwPq/dkIos+J9jVuM/jsGJgbEt+8JS+2MMUjePZ93e6v3IxpBt ZU7XoRO/4q9nONUv62Yj9QXtr25jte91s3mtth9tqlj837l9H98wCOd4LA31pP+L8fU1fD3L9zGI 2fGdA2UBAhA4IoHPE6Whl67dYCeL69A9+cA5DMnmte+U4BiHiGs/HuB1+5Xt1t9Hh1qYNO1Ec+0m UfCo9YTY2n+GzdPZcP1s45sZP8NS/y1tD6KiMi6tA5X9JBWI41WLxFHo6FXN8a9iDnakTnX8qbLa tWr7av8JsV3M+L5t/w6iR/wK7fq/Y2y6gHZOLzf810Wqy0W92/yv2tQrRUCO6wqeQVjq+KLQnPbn orzvf+d/KM/xS3cAyxCAQIvAh4vS7ylDKYTkANvrjOV0QJZi8cAsmYRLyHQ6UScH/u9+6KY0WKru DtpiM/8W269DpyeJIHil7fCrJuSURbgM/VX773yriJog1HMTLtvhJxTJVMT1OfMijJxvo5/Zdg7y 3QuSzRK/vT+N7Tlen+n7un3iLfpZ+SD9URs/S/23uP0RUerHovJZL876nwqGfWh2XFT51AWathUF 
baukv2vfe7M8iue7inhJLh8/qPwPWVopZqhrGRrx1avfidLa40fDGMzTS7Hmuf+TI95GceFe85Xf IACBTQQQpZswXS+Te1HCic5pENEZInnWdByC3ELM40wcxM3t0WFMt0tVmK6my6Btyk71ZNvXQ33c Fq0N6rn/p77Svp1Ek74glLcmPTe4YT+n13bM86QxJkwszRdSy1vQNn7K2K7dvo+zi7mNepFl7erd Ahuv02/Gp9j+D8T/WhvW0gRpL72XZ0v5WtfZ36IwVL5FbHj7ytmUNjGQ4kv7J+VxtrUOGwBljJr6 bdkcT9KfMc+G/v9PLmCW/7/Ez8IF0yB2IQCBrQQQpVtJkQ8CVyPwimh8hsGn7T/jC3khAAEIQODw BBClh+8iHITAhwjkGanKbNVbVc6zi3k26i17FIYABCAAgTsQQJTeoZdpIwQgAAEIQAACEDg4AUTp wTsI9yAAAQhAAAIQgMAdCCBK79DLtBECEIAABCAAAQgcnACi9OAdhHsQgAAEIAABCEDgDgQQpXfo ZdoIAQhAAAIQgAAEDk7gtqI0fa/Of//u4H2FexCAAAQgAAEIQOCyBG4rSqVHRZjywePLxjYNgwAE IAABCEDgRARuLUpl+TtE6YmiFVchAAEIQAACELgsAUTp47J9S8MgAAEIQAACEIDAaQjcW5SGtPIM q86cJl5xFAIQgAAEIACBixK4tyjl9v1Fw5pmQQACEIAABCBwNgKIUm7fny1m8RcCEIAABCAAgQsS uLUo5e37C0Y0TYIABCAAAQhA4JQEbitK+U7pKeMVpyEAAQhAAAIQuCiB24rSi/YnzYIABCAAAQhA AAKnJIAoPWW34TQEIAABCEAAAhC4FgFE6bX6k9ZAAAIQgAAEIACBUxJAlJ6y23AaAhCAAAQgAAEI XIsAovRa/UlrIAABCEAAAhCAwCkJ/A/QmudL2biZzwAAAABJRU5ErkJggg== --00000000000027321c05c9d771af-- From nobody Wed Aug 18 11:04:09 2021 Return-Path: X-Original-To: kitten@ietfa.amsl.com Delivered-To: kitten@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F1533A084A for ; Wed, 18 Aug 2021 11:04:06 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.699 X-Spam-Level: X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=ihtfp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ocQM5bra-Vno for ; Wed, 18 Aug 2021 11:04:00 -0700 (PDT) Received: from mail2.ihtfp.org (MAIL2.IHTFP.ORG [204.107.200.7]) (using TLSv1.2 with 
cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D74BD3A08CB for ; Wed, 18 Aug 2021 11:04:00 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id 6FC22E2040; Wed, 18 Aug 2021 14:03:28 -0400 (EDT) Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 18642-02; Wed, 18 Aug 2021 14:03:24 -0400 (EDT) Received: by mail2.ihtfp.org (Postfix, from userid 48) id E6820E2045; Wed, 18 Aug 2021 14:03:23 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ihtfp.com; s=default; t=1629309803; bh=03iocM6BX1y6etupRGGx6NWuDzPiN7uoxziEM5p7LAo=; h=In-Reply-To:References:Date:Subject:From:To:Cc; b=eZmZ1cPJ5Qgp7x9QJQOT0b709tvachB/xTu6b+QYCc6QF0gfHwVfyYBWgriFqQuta mPzx4z85fUoHs7PDZflXd3t2Ugn4siqw+2MFbDD2+hVC69f8jIvDkmNu+ZExJZrVor mX3X5IxeBsuFK0tamtHtnHTOfp0Dtk8iRrmD9QqY= Received: from 192.168.248.243 (SquirrelMail authenticated user warlord) by mail2.ihtfp.org with HTTP; Wed, 18 Aug 2021 14:03:23 -0400 Message-ID: <6e2d2c9a41b1ef12cb74dff687d15258.squirrel@mail2.ihtfp.org> In-Reply-To: References: Date: Wed, 18 Aug 2021 14:03:23 -0400 From: "Derek Atkins" To: "bc a" Cc: kitten@ietf.org User-Agent: SquirrelMail/1.4.22-14.fc20 MIME-Version: 1.0 Content-Type: text/plain;charset=utf-8 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal X-Virus-Scanned: Maia Mailguard 1.0.2a Archived-At: Subject: Re: [kitten] One question about Kerberos Protocol in the RFC 4120 X-BeenThere: kitten@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Common Authentication Technologies - Next Generation List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Aug 2021 18:04:07 -0000 HI, No session keys are ever the same. Whenever the KDC creates a session key, it is supposed to be randomly unique. 
The only time keys are "the same" is long-lived authentication keys, the keys shared between the KDC and a user, or between the KDC and a service. Those long-term keys are used to encrypt the unique session keys. Hope this helps. -derek On Wed, August 18, 2021 11:53 am, bc a wrote: > Dear Kitten members, > > I'm Xiaoxing Xu and I'm a cyber security researcher from China. I had a > question about Kerberos v5 when I read the RFC 4120 paper, which expects > you to get your reply. > The question is, I see the "key" appears in the "enc-part" field in the > "tickets" chapter of section 5.3, just like the first picture shows, and > the "key" is used to pass the session key. > So we can think the authentication server creates a session key and put it > in the "enc-part" of the "tickets" field in the AS-REQ phrase. > [image: image.png] > Then in the section 5.4.2, I found that there is also a "key" exists in > the "enc-part" of "KDC-REP", that is to say, there is also a "key" in the > "enc-part" of the AS-REP phase, > not the "enc-part" of the "ticket". > So I want to know whether it can be considered that the authentication > server creates two "keys" in the AS-REP phase, one in the "enc-part" of > the > "ticket" field, > and the other one is in the separate "enc-part" , And whether these two > "key" values are the same? > Thank you so much for your help. 
> [image: image.png] > Best regards > Xiaoxing Xu > _______________________________________________ > Kitten mailing list > Kitten@ietf.org > https://www.ietf.org/mailman/listinfo/kitten > -- Derek Atkins 617-623-3745 derek@ihtfp.com www.ihtfp.com Computer and Internet Security Consultant From nobody Wed Aug 18 13:01:36 2021 Return-Path: X-Original-To: kitten@ietfa.amsl.com Delivered-To: kitten@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8C163A1B43 for ; Wed, 18 Aug 2021 13:01:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.5 X-Spam-Level: X-Spam-Status: No, score=-1.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XhGdiUla81pY for ; Wed, 18 Aug 2021 13:01:30 -0700 (PDT) Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 639C93A1B45 for ; Wed, 18 Aug 2021 13:01:30 -0700 (PDT) Received: from [18.28.8.129] ([18.28.8.129]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 17IK1RHY030643 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 18 Aug 2021 16:01:28 -0400 To: bc a , kitten@ietf.org References: From: Greg Hudson Message-ID: Date: Wed, 18 Aug 2021 16:01:27 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Archived-At: Subject: Re: [kitten] One question about Kerberos Protocol in the RFC 4120 
X-BeenThere: kitten@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Common Authentication Technologies - Next Generation List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Aug 2021 20:01:35 -0000 On 8/18/21 11:53 AM, bc a wrote: > So I want to know whether it can be considered that the authentication > server creates two "keys" in the AS-REP phase, one in the "enc-part" of > the "ticket" field, > and the other one is in the separate "enc-part" , And whether these two > "key" values are the same? The two key values are the same. For an AP exchange to work, the ticket session key must be available to both the client and the application service. The key field in the EncKDCRepPart is visible to the client, while the key field in the EncTicketPart is visible to the application service. I see that Derek gave the opposite answer. You can check the Heimdal or MIT krb5 KDC implementations to see that the same key value is used in both places. In MIT krb5, the relevant lines are in src/kdc/do_tgs_req.c: enc_tkt_reply.session = &session_key; [...] reply_encpart.session = &session_key; and similarly in do_as_req.c. 
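
[Added example, not part of the original message and not MIT krb5 or Heimdal code.] The sketch below models the point made in the reply above: the KDC places one session key in both the EncTicketPart and the EncKDCRepPart, and the AP exchange succeeds only because client and service recover the same value. Assumptions: JSON stands in for ASN.1 DER, an HMAC-SHA256 encrypt-then-MAC toy stands in for a real RFC 3961 enctype, the principal names and long-term keys are constructed, and `split_keys` is a hypothetical switch that models a KDC placing different keys in the two parts.

```python
import hashlib
import hmac
import json
import os

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC over JSON: stands in for an RFC 3961 enctype and DER."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(_subkey(key, b"enc"), nonce, len(pt))))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("integrity check failed: wrong key or modified data")
    pt = bytes(a ^ b for a, b in zip(ct, _stream(_subkey(key, b"enc"), nonce, len(ct))))
    return json.loads(pt)

def kdc_issue(client_key, service_key, cname, sname, split_keys=False):
    """Build a KDC reply; split_keys=True models a hypothetical broken KDC."""
    session_key = os.urandom(32)  # fresh random key for every ticket
    rep_key = os.urandom(32) if split_keys else session_key
    # EncTicketPart: sealed under the service's long-term key, opaque to the client.
    ticket = {"sname": sname,
              "enc-part": seal(service_key, {"key": session_key.hex(), "cname": cname})}
    # EncKDCRepPart: sealed under the client's long-term key.
    return {"ticket": ticket,
            "enc-part": seal(client_key, {"key": rep_key.hex(), "sname": sname})}

def client_ap_req(client_key, rep, cname):
    key = bytes.fromhex(unseal(client_key, rep["enc-part"])["key"])
    return {"ticket": rep["ticket"], "authenticator": seal(key, {"cname": cname})}, key

def service_accept(service_key, ap_req):
    tkt = unseal(service_key, ap_req["ticket"]["enc-part"])
    key = bytes.fromhex(tkt["key"])
    auth = unseal(key, ap_req["authenticator"])  # fails unless both copies match
    if auth["cname"] != tkt["cname"]:
        raise ValueError("authenticator does not match ticket")
    return tkt["cname"], key

def run_exchange(split_keys=False):
    client_key, service_key = os.urandom(32), os.urandom(32)  # constructed long-term keys
    cname, sname = "alice@EXAMPLE.COM", "host/srv.example.com@EXAMPLE.COM"  # constructed
    rep = kdc_issue(client_key, service_key, cname, sname, split_keys)
    ap_req, k_client = client_ap_req(client_key, rep, cname)
    accepted, k_service = service_accept(service_key, ap_req)
    return accepted, k_client, k_service

if __name__ == "__main__":
    who, kc, ks = run_exchange()
    print(who, "session keys match:", kc == ks)
```

Calling `run_exchange(split_keys=True)` raises `ValueError` in `service_accept`, because the authenticator was sealed under a key the ticket does not carry. Two separate calls to `run_exchange()` return different session keys, since each issued ticket gets its own random key.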

From nobody Wed Aug 18 13:22:47 2021
Message-ID: <2a1053eb77e1a74efff7b25288de9cb4.squirrel@mail2.ihtfp.org>
Date: Wed, 18 Aug 2021 16:22:21 -0400
From: "Derek Atkins"
To: "Greg Hudson"
Cc: "bc a", kitten@ietf.org
Subject: Re: [kitten] One question about Kerberos Protocol in the RFC 4120

Hi,

On Wed, August 18, 2021 4:01 pm, Greg Hudson wrote:
> On 8/18/21 11:53 AM, bc a wrote:
>> So I want to know whether it can be considered that the authentication
>> server creates two "keys" in the AS-REP phase, one in the "enc-part" of
>> the "ticket" field,
>> and the other one is in the separate "enc-part" , And whether these two
>> "key" values are the same?
>
> The two key values are the same. For an AP exchange to work, the ticket
> session key must be available to both the client and the application
> service. The key field in the EncKDCRepPart is visible to the client,
> while the key field in the EncTicketPart is visible to the application
> service.
>
> I see that Derek gave the opposite answer.

I didn't *quite* give the opposite answer. Every session key is unique.
But you are correct that I was unclear on the fact that the KDC has to
transmit the same session key to the user and the service.

> You can check the Heimdal or
> MIT krb5 KDC implementations to see that the same key value is used in
> both places. In MIT krb5, the relevant lines are in src/kdc/do_tgs_req.c:
>
>     enc_tkt_reply.session = &session_key;
>     [...]
>     reply_encpart.session = &session_key;
>
> and similarly in do_as_req.c.

-derek

> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten
>

--
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant

From nobody Wed Aug 18 20:11:13 2021
References: <2a1053eb77e1a74efff7b25288de9cb4.squirrel@mail2.ihtfp.org>
In-Reply-To: <2a1053eb77e1a74efff7b25288de9cb4.squirrel@mail2.ihtfp.org>
From: bc a
Date: Thu, 19 Aug 2021 11:10:53 +0800
To: Derek Atkins
Cc: Greg Hudson, kitten@ietf.org
Content-Type: multipart/alternative; boundary="000000000000b5e2fe05c9e0e6e6"
Subject: Re: [kitten] One question about Kerberos Protocol in the RFC 4120

--000000000000b5e2fe05c9e0e6e6
Content-Type: text/plain; charset="UTF-8"

Thanks a lot for your clarification. I'll check the MIT krb5 KDC
implementations later. Thanks again!😄😄

On Thu, Aug 19, 2021 at 4:22 AM, Derek Atkins wrote:

> Hi,
>
> On Wed, August 18, 2021 4:01 pm, Greg Hudson wrote:
> > On 8/18/21 11:53 AM, bc a wrote:
> >> So I want to know whether it can be considered that the authentication
> >> server creates two "keys" in the AS-REP phase， one in the "enc-part" of
> >> the "ticket" field,
> >> and the other one is in the separate "enc-part" , And whether these two
> >> "key" values are the same?
> >
> > The two key values are the same. For an AP exchange to work, the ticket
> > session key must be available to both the client and the application
> > service. The key field in the EncKDCRepPart is visible to the client,
> > while the key field in the EncTicketPart is visible to the application
> > service.
> >
> > I see that Derek gave the opposite answer.
>
> I didn't *quite* give the opposite answer. Every session key is unique.
> But you are correct that I was unclear on the fact that the KDC has to
> transmit the same session key to the user and the service.
>
> > You can check the Heimdal or
> > MIT krb5 KDC implementations to see that the same key value is used in
> > both places. In MIT krb5, the relevant lines are in src/kdc/do_tgs_req.c:
> >
> >     enc_tkt_reply.session = &session_key;
> >     [...]
> >     reply_encpart.session = &session_key;
> >
> > and similarly in do_as_req.c.
>
> -derek
>
> > _______________________________________________
> > Kitten mailing list
> > Kitten@ietf.org
> > https://www.ietf.org/mailman/listinfo/kitten
> >
>
> --
>        Derek Atkins                 617-623-3745
>        derek@ihtfp.com             www.ihtfp.com
>        Computer and Internet Security Consultant
>

--000000000000b5e2fe05c9e0e6e6--