
From ietfdbh@comcast.net  Tue Dec  1 07:36:25 2009
From: "David Harrington" <ietfdbh@comcast.net>
To: <secdir@ietf.org>, <secdir-secretary@mit.edu>
Date: Tue, 1 Dec 2009 10:36:16 -0500
Message-ID: <0f3301ca729c$0596bd30$a1135d85@china.huawei.com>
Cc: 'Tim Polk' <tim.polk@nist.gov>, Pasi.Eronen@nokia.com
Subject: [secdir] secdir review of draft-eastlake-nlpid-iana-considerations-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2009 15:36:25 -0000

Hi,

I reviewed this document for the OPSDIR.
The document is a process document, coordinating registration of
network layer protocol identifiers with IANA and ISO/IEC.

I believe this document introduces no security issues.

David Harrington
dbharrington@comcast.net
ietfdbh@comcast.net
dharrington@huawei.com


From sra@hactrn.net  Tue Dec  1 13:23:20 2009
Date: Tue, 01 Dec 2009 16:23:10 -0500
From: Rob Austein <sra@hactrn.net>
To: iesg@ietf.org, secdir@ietf.org
Message-Id: <20091201212310.BEC3022807@thrintun.hactrn.net>
Cc: draft-reschke-rfc2731bis-04@tools.ietf.org
Subject: [secdir] Review of draft-reschke-rfc2731bis-04.txt

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

The substance of this document consists of one paragraph:

   [RFC2731] defines "Encoding Dublin Core Metadata in HTML".  Newer
   specifications published by the Dublin Core Metadata Initiative [1]
   (DCMI) over the last decade, in particular "Expressing Dublin Core
   metadata using HTML/XHTML meta and link elements" (DC-HTML,
   <http://dublincore.org/documents/dc-html/>), have obsoleted this
   work.

The bulk of this four page draft is IETF-mandated boilerplate,
interspersed with a few footnotes to the above paragraph.

I have no security concerns with this document.

From bew@cisco.com  Tue Dec  1 14:09:52 2009
Message-Id: <6D9E638B-DF8A-47FB-A555-EF928E09F513@cisco.com>
From: Brian Weis <bew@cisco.com>
To: secdir@ietf.org, iesg@ietf.org
Date: Tue, 1 Dec 2009 14:09:39 -0800
Cc: draft-ietf-pim-sm-linklocal@tools.ietf.org, pim-chairs@tools.ietf.org
Subject: [secdir] Secdir review of draft-ietf-pim-sm-linklocal-09

I have reviewed this document as part of the security directorate's  
ongoing effort to review all IETF documents being processed by the  
IESG. These comments were written primarily for the benefit of the  
security area directors. Document editors and WG chairs should treat  
these comments just like any other last call comments.

I had previously reviewed -06. I've evaluated the diffs for all of the  
successive drafts and have no further comments. I believe it is ready  
for publishing.

Brian

From hartmans@mit.edu  Tue Dec  1 14:53:19 2009
To: Hilarie Orman <hilarie@purplestreak.com>
References: <200912010218.nB12IvHB022301@fermat.rhmr.com>
From: Sam Hartman <hartmans-ietf@mit.edu>
Date: Tue, 01 Dec 2009 17:52:54 -0500
In-Reply-To: <200912010218.nB12IvHB022301@fermat.rhmr.com> (Hilarie Orman's message of "Mon\, 30 Nov 2009 19\:18\:57 -0700")
Message-ID: <tslfx7ugvcp.fsf@mit.edu>
Cc: iesg@ietf.org, hartmans-ietf@mit.edu, lha@apple.com, secdir@ietf.org
Subject: Re: [secdir] Review of draft-lha-gssapi-delegate-policy-04

>>>>> "Hilarie" == Hilarie Orman <hilarie@purplestreak.com> writes:


    Hilarie> The document describes an augmentation of the semantics
    Hilarie> of the GSSAPI service delegation policy.  It allows a
    Hilarie> client to ask if there is a policy allowing delegation of
    Hilarie> the service.

I'd say it's more like the draft provides a mechanism for a client to
request that the decision about whether to delegate credentials to the
service be made by the GSS-API implementation and the local platform
rather than by the client itself.  Previously, the client needed to
either decide not to delegate or to always delegate.  The local
platform is often in a much better position to make a trust decision
about a service in an infrastructure environment than the client
application.

    Hilarie> This is something of a policy band-aid.  The API
    Hilarie> currently supports only unconditional delegation.  This
    Hilarie> change allows a client to learn if the local policy
    Hilarie> supports it.  The decision might involve tier of Kerberos
    Hilarie> inter-realm servers, and the API is charged with
    Hilarie> enforcing the policy of assuring that all tickets agree
    Hilarie> that delegation is permitted.

    Hilarie> The change is minimal, involving no over-the-wire
    Hilarie> changes, but I imagine it is only part of the tip of a
    Hilarie> policy iceberg.  


Well, the over-the-wire changes were made years ago.  However, yes,
this does represent an evolutionary step and there are additional
steps in progress.  See
http://k5wiki.kerberos.org/wiki/Projects/Services4User as an example
of a finer grain way of expressing similar policy in the GSS-API
Kerberos mechanism.  (It's not clear how much of that work will be or
requires standardization in the IETF.)


    Hilarie> If clients are to make policy decisions
    Hilarie> about something as complex as delegation, ultimately they
    Hilarie> will need more specific information, I would imagine.

Again, this is about removing that decision from client applications
and placing it in the hands of the platform/infrastructure.


    Hilarie> The security of the mechanism depends on how wise the
    Hilarie> administrators are when configuring the delegation
    Hilarie> policy, but the clients have no insight into how the
    Hilarie> decision was reached.

    Hilarie> I recommend that the security considerations section make
    Hilarie> some comment about why a client would or would not make
    Hilarie> use of this new mechanism.  Perhaps it should be avoided
    Hilarie> for security-critical services ("don't delegate, even if
    Hilarie> it is allowed")?  Or should it always be used?

Avoiding this for security critical services doesn't make sense.  In
general, what is being delegated is permission to act as some given
principal when talking to *any* service.  So, it wouldn't make much
sense to say that the audio service is permitted to act as any
delegated user, but some security critical service is not.  Giving
advice on this topic is quite difficult, because the value of
delegation to a given service depends on a lot of implementation
details (like whether that service will need to access file servers or
the like) which a portable application simply cannot know.  It's
probably reasonable to use this mechanism except when the application
has information that could allow it to make a better decision on its
own.

From Sandra.Murphy@cobham.com  Tue Dec  1 17:42:27 2009
Date: Tue, 1 Dec 2009 20:41:51 -0500 (Eastern Standard Time)
From: Sandra Murphy <sandy@sparta.com>
To: secdir@ietf.org, mnot@mnot.net, eran@hueniverse.com, apps-discuss@ietf.org
Message-ID: <Pine.WNT.4.64.0912012020580.6176@SANDYM-LT.columbia.ads.sparta.com>
Subject: [secdir] review of draft-nottingham-site-meta-04

This is a review of draft-nottingham-site-meta-04

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This draft defines a new registry for applications that wish to use a 
well-known URI for some purpose, for example, a URI for a policy or 
metadata that would be specific to each application site.  A registry is 
needed to prevent conflicts among the URIs defined or conflicts with other 
resources.

I have no security concerns with the draft or the idea of a registry of 
well-known URIs.

Comments:

    Note that this specification defines neither how to determine the
    authority to use for a particular context, nor the scope of the
    metadata discovered by dereferencing the well-known URI; both should
    be defined by the application itself.

I'm not sure what "authority to use for a particular context", but I 
presume that it means that each application should consider the 
authorization model of who should have the authority to use the well-known 
URI at each host/site.  This sounds like a general security concern, but it 
is not verbatim reflected in the security considerations section (the 
scope part is mentioned, not the "authority to use".)  Note: given that I 
say below that it would be impossible to be complete in the security 
concerns that might arise in any particular application, this is NOT a 
recommendation that the text should change.

Security Considerations section

As this is a definition of a registry, there's not much to be said about 
what the security considerations there might be.

The section notes two possible security concerns.  No statement is made 
about possible solutions to these security concerns.

The first is that access to the server might give an attacker the ability 
to modify what is stored at the URI.  Depending on the application and the 
way the well-known URI is used, that could represent a security concern, 
obviously.  There's nothing to be said here about solutions, given that 
the use is still to be defined.

The second possibility mentioned is DNS rebinding:

    Because most URI schemes rely on DNS to resolve names, they are
    vulnerable to "DNS rebinding" attacks, whereby a request can be
    directed to a server under the control of an attacker.

My understanding is that DNS rebinding allows the attacker to rebind a 
name it controls to a local address.  So it is the directing to a server 
that is under the control of the attacker, not the server itself.  I'm not 
sure that is what the text here is saying.  DNS rebinding here would be a 
concern if the well-known URI provided some access that would be useful to 
an attacker.  That would be a subject for the application to consider, so 
I'm not saying that it needs to be mentioned here.

Recommendations for protection against DNS rebinding have to do with the 
browser or the enterprise, not the application, so I don't think they need 
to be mentioned here.

I could see that there might be other ways that the existence of a 
well-known URI could be a concern, depending on how the application used 
that file (DDOS if the use caused transmission, exposure if the use caused 
access to sensitive data, whatever).  But I don't think that this document 
could possibly be complete in discussing all the security concerns these 
unknown applications with their unknown uses of the URI could have.

In general, I think this section could be replaced with just guidelines 
about what the specification of a new well-known URI should discuss or 
consider.  Consider the authorization model, consider corruption, 
exposure, etc. of the URI file, consider vulnerability to DNS rebinding 
attacks, etc.

IANA considerations section

The draft mentions several things that a specification of a new well-known 
URI should discuss or include. Is the IANA responsible for ensuring that a 
specification for a new well-known URI meets the stipulations made here? 
Or maybe the Designated Expert does that?

--Sandy


From lha@apple.com  Tue Dec  1 23:07:18 2009
From: Love Hörnquist Åstrand <lha@apple.com>
Date: Tue, 01 Dec 2009 23:06:54 -0800
Message-id: <56A9F347-A2C5-41BA-B9AB-03647388ED02@apple.com>
To: muenz@net.in.tum.de, bclaise@cisco.com, akoba@nttv6.net, Thomas.Dietz@nw.neclab.eu
Cc: ipfix-chairs@tools.ietf.org, IESG - <iesg@ietf.org>, Security-Directorat Directorat <secdir@ietf.org>
Subject: [secdir] SECDIR review: draft-ietf-ipfix-mib-08

Hello all,

I have reviewed this document as part of the security directorate's  ongoing effort to review all IETF documents being processed by the  IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

ipfixSelectionProcessTable is left undefined, so it could possibly contain parameters that should not be exposed.

Other than that I didn't find any problems.

Love



From paul.hoffman@vpnc.org  Wed Dec  2 10:28:54 2009
Message-Id: <p0624083cc73c60fc1538@[10.20.30.158]>
Date: Wed, 2 Dec 2009 10:28:42 -0800
To: secdir@ietf.org
From: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: draft-ietf-tcpm-early-rexmt-03@tools.ietf.org
Subject: [secdir] SecDir review of draft-ietf-tcpm-early-rexmt-03.txt

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document talks about early retransmission considerations and protocols for TCP and SCTP. Its Security Considerations section is a pointer to RFC 5681, which lists some DoS attacks but indicates that no one has thought that hard about them. I think this is sufficient.

--Paul Hoffman, Director
--VPN Consortium

From mnot@mnot.net  Wed Dec  2 21:49:55 2009
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <Pine.WNT.4.64.0912012020580.6176@SANDYM-LT.columbia.ads.sparta.com>
Date: Thu, 3 Dec 2009 16:48:57 +1100
Message-Id: <B7B2FD7A-2FD8-4915-9C1A-7A0A3CD39110@mnot.net>
References: <Pine.WNT.4.64.0912012020580.6176@SANDYM-LT.columbia.ads.sparta.com>
To: Sandra Murphy <sandy@sparta.com>
Cc: apps-discuss@ietf.org, eran@hueniverse.com, secdir@ietf.org
Subject: Re: [secdir] review of draft-nottingham-site-meta-04

Hi Sandra,

Responses inline.

On 02/12/2009, at 12:41 PM, Sandra Murphy wrote:
>
>   Note that this specification defines neither how to determine the
>   authority to use for a particular context, nor the scope of the
>   metadata discovered by dereferencing the well-known URI; both should
>   be defined by the application itself.
>
> I'm not sure what "authority to use for a particular context", but I
> presume that it means that each application should consider the
> authorization model of who should have the authority to use the
> well-known URI at each host/site.  This sounds like a general security
> concern, but it is not verbatim reflected in the security considerations
> section (the scope part is mentioned, not the "authority to use".)
> Note: given that I say below that it would be impossible to be complete
> in the security concerns that might arise in any particular application,
> this is NOT a recommendation that the text should change.

Not quite. It's basically saying that, given a particular application
context using arbitrary network resources, it's up to you to determine
what the appropriate URI authority (e.g., 'example.com' in
'http://www.example.com/.well-known/foo') should be.

> The second possibility mentioned is DNS rebinding:
>
>   Because most URI schemes rely on DNS to resolve names, they are
>   vulnerable to "DNS rebinding" attacks, whereby a request can be
>   directed to a server under the control of an attacker.
>
> My understanding is that DNS rebinding allows the attacker to rebind a
> name it controls to a local address.  So it is the directing to a server
> that is under the control of the attacker, not the server itself.  I'm
> not sure that is what the text here is saying.  DNS rebinding here would
> be a concern if the well-known URI provided some access that would be
> useful to an attacker.  That would be a subject for the application to
> consider, so I'm not saying that it needs to be mentioned here.
>
> Recommendations for protection against DNS rebinding have to do with
> the browser or the enterprise, not the application, so I don't think
> they need to be mentioned here.

I agree; DNS rebinding was brought up as a concern during review, but AIUI it's more of a concern for applications using well-known locations, if they choose to try to address that problem. It may be that they just pass a warning upstream to their implementers/users.


> I could see that there might be other ways that the existence of a well-known URI could be a concern, depending on how the application used that file (DDOS if the use caused transmission, exposure if the use caused access to sensitive data, whatever).  But I don't think that this document could possibly be complete in discussing all the security concerns these unknown applications with their unknown uses of the URI could have.
>
> In general, I think this section could be replaced with just guidelines about what the specification of a new well-known URI should discuss or consider.  Consider the authorization model, consider corruption, exposure, etc. of the URI file, consider vulnerability to DNS rebinding attacks, etc.

I think that's a good suggestion.


> IANA considerations section
>
> The draft mentions several things that a specification of a new well-known URI should discuss or include. Is the IANA responsible for ensuring that a specification for a new well-known URI meets the stipulations made here? Or maybe the Designated Expert does that?


The designated expert.

Cheers and thanks for the review,

--
Mark Nottingham     http://www.mnot.net/
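
The DNS rebinding concern discussed in the message above, shown as an added example that is not part of the original thread or of the draft: one way an application that fetches a well-known URI could resolve the name once, refuse internal addresses, and pin the connection to the address it checked. The names plan_fetch, is_internal, make_rebinding_resolver and the INTERNAL_NETS list are assumptions made for this illustration, and the resolver answers are constructed sample data.

```python
import ipaddress
from urllib.parse import urlsplit

# Ranges treated as "internal" in this example (an assumption; tune per deployment).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


class RebindingSuspected(Exception):
    """A public-looking name resolved to an internal address."""


def is_internal(addr):
    """True if addr (a string) falls in one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 must be judged as 127.0.0.1, not as an IPv6 address.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)


def plan_fetch(url, resolve, allow_internal=False):
    """Resolve the URI authority once and return what to connect to.

    resolve is a callable host -> list of address strings (hypothetical
    interface, so the check can run without a live DNS lookup). The caller
    connects to the returned address and sends the original authority in
    the Host header, so no second lookup happens between check and use.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("expected an http(s) URI with an authority")
    if not parts.path.startswith("/.well-known/"):
        raise ValueError("not a well-known URI")
    addrs = resolve(parts.hostname)
    if not addrs:
        raise LookupError("no addresses for " + parts.hostname)
    if not allow_internal:
        bad = [a for a in addrs if is_internal(a)]
        if bad:
            raise RebindingSuspected(
                "%s resolved to internal address(es): %s"
                % (parts.hostname, ", ".join(bad)))
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return {
        "connect_to": (addrs[0], port),   # pinned address, already checked
        "host_header": parts.netloc,      # authority as written in the URI
        "path": parts.path,
    }


def make_rebinding_resolver(first, later):
    """Constructed resolver: answers `first` once, then `later` (short TTL)."""
    state = {"calls": 0}

    def resolve(host):
        state["calls"] += 1
        return [first] if state["calls"] == 1 else [later]

    return resolve


if __name__ == "__main__":
    # Constructed sample: TEST-NET-3 address first, loopback afterwards.
    resolver = make_rebinding_resolver("203.0.113.10", "127.0.0.1")
    url = "http://www.example.com/.well-known/foo"
    print(plan_fetch(url, resolver))
    try:
        plan_fetch(url, resolver)
    except RebindingSuspected as exc:
        print("refused:", exc)
```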


From Sandra.Murphy@cobham.com  Wed Dec  2 22:28:03 2009
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D1F123A67F5; Wed,  2 Dec 2009 22:28:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XNn5Qw9iOOFe; Wed,  2 Dec 2009 22:28:02 -0800 (PST)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by core3.amsl.com (Postfix) with ESMTP id 95A193A68CF; Wed,  2 Dec 2009 22:28:02 -0800 (PST)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id nB36RnBX027281; Thu, 3 Dec 2009 00:27:51 -0600
Received: from nemo.columbia.ads.sparta.com (nemo.columbia.sparta.com [157.185.80.75]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id nB36Rlki025044; Thu, 3 Dec 2009 00:27:47 -0600
Received: from SANDYM-LT.columbia.ads.sparta.com ([157.185.248.11]) by nemo.columbia.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Thu, 3 Dec 2009 01:27:46 -0500
Date: Thu, 3 Dec 2009 01:27:41 -0500 (Eastern Standard Time)
From: Sandra Murphy <sandy@sparta.com>
To: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <B7B2FD7A-2FD8-4915-9C1A-7A0A3CD39110@mnot.net>
Message-ID: <Pine.WNT.4.64.0912030126310.2532@SANDYM-LT.columbia.ads.sparta.com>
References: <Pine.WNT.4.64.0912012020580.6176@SANDYM-LT.columbia.ads.sparta.com> <B7B2FD7A-2FD8-4915-9C1A-7A0A3CD39110@mnot.net>
X-X-Sender: sandy@nemo.columbia.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 03 Dec 2009 06:27:46.0806 (UTC) FILETIME=[BA8C1960:01CA73E1]
Cc: apps-discuss@ietf.org, eran@hueniverse.com, secdir@ietf.org
Subject: Re: [secdir] review of draft-nottingham-site-meta-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2009 06:28:04 -0000

On Thu, 3 Dec 2009, Mark Nottingham wrote:

> Hi Sandra,
>
> Responses inline.
>
> On 02/12/2009, at 12:41 PM, Sandra Murphy wrote:
>>
>>   Note that this specification defines neither how to determine the
>>   authority to use for a particular context, nor the scope of the
>>   metadata discovered by dereferencing the well-known URI; both should
>>   be defined by the application itself.
>>
>> I'm not sure what "authority to use for a particular context", but I presume that it means that each application should consider the authorization model of who should have the authority to use the well-known URI at each host/site.  This sounds like a general security concern, but it is not verbatim reflected in the security considerations section (the scope part is mentioned, not the "authority to use".)  Note: given that I say below that it would be impossible to be complete in the security concerns that might arise in any particular application, this is NOT a recommendation that the text should change.
>
> Not quite. It's basically saying that, given a particular application context using arbitrary network resources, it's up to you to determine what the appropriate URI authority (e.g., 'example.com' in 'http://www.example.com/.well-known/foo') should be.

Ooops, yes, sorry.  I forgot when reading that that there is a special 
meaning for "authority" in this context.


>
>> The second possibility mentioned is DNS rebinding:
>>
>>   Because most URI schemes rely on DNS to resolve names, they are
>>   vulnerable to "DNS rebinding" attacks, whereby a request can be
>>   directed to a server under the control of an attacker.
>>
>> My understanding is that DNS rebinding allows the attacker to rebind a name it controls to a local address.  So it is the directing to a server that is under the control of the attacker, not the server itself.  I'm not sure that is what the text here is saying.  DNS rebinding here would be a concern if the well-known URI provided some access that would be useful to an attacker.  That would be a subject for the application to consider, so I'm not saying that it needs to be mentioned here.
>>
>> Recommendations for protection against DNS rebinding have to do with the browser or the enterprise, not the application, so I don't think they need to be mentioned here.
>
> I agree; DNS rebinding was brought up as a concern during review, but AIUI it's more of a concern for applications using well-known locations, if they choose to try to address that problem. It may be that they just pass a warning upstream to their implementers/users.
>
>
>> I could see that there might be other ways that the existence of a well-known URI could be a concern, depending on how the application used that file (DDOS if the use caused transmission, exposure if the use caused access to sensitive data, whatever).  But I don't think that this document could possibly be complete in discussing all the security concerns these unknown applications with their unknown uses of the URI could have.
>>
>> In general, I think this section could be replaced with just guidelines about what the specification of a new well-known URI should discuss or consider.  Consider the authorization model, consider corruption, exposure, etc. of the URI file, consider vulnerability to DNS rebinding attacks, etc.
>
> I think that's a good suggestion.
>
>
>> IANA considerations section
>>
>> The draft mentions several things that a specification of a new well-known URI should discuss or include. Is the IANA responsible for ensuring that a specification for a new well-known URI meets the stipulations made here? Or maybe the Designated Expert does that?
>
>
> The designated expert.
>
> Cheers and thanks for the review,
>
> --
> Mark Nottingham     http://www.mnot.net/
>
>

From Thomas.Dietz@nw.neclab.eu  Wed Dec  2 07:31:36 2009
Return-Path: <Thomas.Dietz@nw.neclab.eu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D574828C1F2; Wed,  2 Dec 2009 07:31:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.705
X-Spam-Level: 
X-Spam-Status: No, score=-1.705 tagged_above=-999 required=5 tests=[AWL=0.594,  BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ticxuVW1hjWv; Wed,  2 Dec 2009 07:31:32 -0800 (PST)
Received: from smtp0.neclab.eu (smtp0.neclab.eu [195.37.70.41]) by core3.amsl.com (Postfix) with ESMTP id C2F5228C1EC; Wed,  2 Dec 2009 07:31:31 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp0.neclab.eu (Postfix) with ESMTP id C20DB2C00C525; Wed,  2 Dec 2009 16:31:23 +0100 (CET)
X-Virus-Scanned: Amavisd on Debian GNU/Linux (atlas2.office)
Received: from smtp0.neclab.eu ([127.0.0.1]) by localhost (atlas2.office [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vcbzstNM7gb7; Wed,  2 Dec 2009 16:31:23 +0100 (CET)
Received: from VENUS.office (mx1.office [192.168.24.3]) by smtp0.neclab.eu (Postfix) with ESMTP id 886CC2C01D45F; Wed,  2 Dec 2009 16:30:48 +0100 (CET)
Content-class: urn:content-classes:message
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Wed, 2 Dec 2009 16:30:47 +0100
Content-Type: multipart/signed; boundary="----=_NextPart_000_023E_01CA736C.CD6B3D60"; protocol="application/x-pkcs7-signature"; micalg=SHA1
Message-ID: <547F018265F92642B577B986577D671CF6707E@VENUS.office>
In-Reply-To: <56A9F347-A2C5-41BA-B9AB-03647388ED02@apple.com>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
Thread-Topic: SECDIR review: draft-ietf-ipfix-mib-08
Thread-Index: AcpzHyyNuD/UrAauRHWctjo88F+DNwARLNbw
References: <56A9F347-A2C5-41BA-B9AB-03647388ED02@apple.com>
From: "Thomas Dietz" <Thomas.Dietz@nw.neclab.eu>
To: =?iso-8859-1?Q?Love_H=F6rnquist_=C5strand?= <lha@apple.com>, <muenz@net.in.tum.de>, <bclaise@cisco.com>, <akoba@nttv6.net>
X-Mailman-Approved-At: Thu, 03 Dec 2009 01:49:46 -0800
Cc: ipfix-chairs@tools.ietf.org, IESG - <iesg@ietf.org>, Security-Directorat Directorat <secdir@ietf.org>
Subject: Re: [secdir] SECDIR review: draft-ietf-ipfix-mib-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2009 15:31:36 -0000

Dear Love,

thank you for your review of our draft. Unfortunately I do not get your
point. The ipfixSelectionProcessTable is well defined in the IPFIX MIB. We
don't see any security implications in exposing the objects defined within
this table. They should not contain any sensitive data. Thus, we did not
explicitly mention this table in the security consideration section. Could
you please explain your concern in greater detail?

Best Regards,

Thomas

--
Thomas Dietz                 E-mail: Thomas.Dietz@nw.neclab.eu
NEC Europe Ltd.              Phone:  +49 6221 4342-128
NEC Laboratories Europe      Fax:    +49 6221 4342-155
Network Research Division
Kurfuersten-Anlage 36
69115 Heidelberg, Germany    http://www.nw.neclab.eu

NEC Europe Limited           Registered in England 2832014
Registered Office: NEC House, 1 Victoria Road, London W3 6BL

> -----Original Message-----
> From: Love Hörnquist Åstrand [mailto:lha@apple.com]
> Sent: Wednesday, 2 December 2009 08:07
> To: muenz@net.in.tum.de; bclaise@cisco.com; akoba@nttv6.net; Thomas
> Dietz
> Cc: IESG -; Security-Directorat Directorat; ipfix-chairs@tools.ietf.org
> Subject: SECDIR review: draft-ietf-ipfix-mib-08
>
> Hello all,
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> ipfixSelectionProcessTable is left undefined, so it could possibly
> contain parameters that should not be exposed.
>
> Other than that I didn't find any problems.
>
> Love
>

From lha@apple.com  Wed Dec  2 07:51:23 2009
Return-Path: <lha@apple.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3FB573A698C; Wed,  2 Dec 2009 07:51:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.298
X-Spam-Level: 
X-Spam-Status: No, score=-106.298 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BeXXb9WAGNtR; Wed,  2 Dec 2009 07:51:22 -0800 (PST)
Received: from mail-out3.apple.com (mail-out3.apple.com [17.254.13.22]) by core3.amsl.com (Postfix) with ESMTP id 182213A6811; Wed,  2 Dec 2009 07:51:22 -0800 (PST)
Received: from relay15.apple.com (relay15.apple.com [17.128.113.54]) by mail-out3.apple.com (Postfix) with ESMTP id 525757B67F62; Wed,  2 Dec 2009 07:51:14 -0800 (PST)
X-AuditID: 11807136-b7bafae000000e8d-13-4b168cf243cc
Received: from elliott.apple.com (elliott.apple.com [17.151.62.13]) by relay15.apple.com (Apple SCV relay) with SMTP id 99.ED.03725.2FC861B4; Wed,  2 Dec 2009 07:51:14 -0800 (PST)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_RdRFHq0WKjLHWZmu3SgKyg)"
Received: from [17.151.93.129] by elliott.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0KU100HXU81DNA20@elliott.apple.com>; Wed, 02 Dec 2009 07:51:14 -0800 (PST)
From: =?iso-8859-1?Q?Love_H=F6rnquist_=C5strand?= <lha@apple.com>
In-reply-to: <547F018265F92642B577B986577D671CF6707E@VENUS.office>
Date: Wed, 02 Dec 2009 16:51:13 +0100
Message-id: <FE613FF0-C56A-488F-9859-FE3018027F1E@apple.com>
References: <56A9F347-A2C5-41BA-B9AB-03647388ED02@apple.com> <547F018265F92642B577B986577D671CF6707E@VENUS.office>
To: Thomas Dietz <Thomas.Dietz@nw.neclab.eu>
X-Mailer: Apple Mail (2.1128)
X-Brightmail-Tracker: AAAAAQAAAZE=
X-Mailman-Approved-At: Thu, 03 Dec 2009 01:49:46 -0800
Cc: akoba@nttv6.net, Security-Directorat Directorat <secdir@ietf.org>, ipfix-chairs@tools.ietf.org, IESG - <iesg@ietf.org>, muenz@net.in.tum.de, bclaise@cisco.com
Subject: Re: [secdir] SECDIR review: draft-ietf-ipfix-mib-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2009 15:51:23 -0000

Thomas,

Sorry, I think I really was after ipfixSelectorFunctions

           Since IPFIX does not define any Selector Function (except
           selecting every packet) this is a placeholder for future
           use and a guideline for implementing enterprise specific
           Selector Function objects.

but lost myself in the indirection between ipfixSelectionProcessTable and ipfixSelectionFunctions.

Since ipfixSelectionFunctions is part of security consideration I was just confused and you can disregard my mail.

Love


On 2 Dec 2009, at 16:30, Thomas Dietz wrote:

> Dear Love,
>
> thank you for your review of our draft. Unfortunately I do not get your
> point. The ipfixSelectionProcessTable is well defined in the IPFIX MIB. We
> don't see any security implications in exposing the objects defined within
> this table. They should not contain any sensitive data. Thus, we did not
> explicitly mention this table in the security consideration section. Could
> you please explain your concern in greater detail?
>
> Best Regards,
>
> Thomas
>
> --
> Thomas Dietz                 E-mail: Thomas.Dietz@nw.neclab.eu
> NEC Europe Ltd.              Phone:  +49 6221 4342-128
> NEC Laboratories Europe      Fax:    +49 6221 4342-155
> Network Research Division
> Kurfuersten-Anlage 36
> 69115 Heidelberg, Germany    http://www.nw.neclab.eu
>
> NEC Europe Limited           Registered in England 2832014
> Registered Office: NEC House, 1 Victoria Road, London W3 6BL
>
>> -----Original Message-----
>> From: Love Hörnquist Åstrand [mailto:lha@apple.com]
>> Sent: Wednesday, 2 December 2009 08:07
>> To: muenz@net.in.tum.de; bclaise@cisco.com; akoba@nttv6.net; Thomas
>> Dietz
>> Cc: IESG -; Security-Directorat Directorat; ipfix-chairs@tools.ietf.org
>> Subject: SECDIR review: draft-ietf-ipfix-mib-08
>>
>> Hello all,
>>
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG.  These comments were written primarily for the benefit of the
>> security area directors.  Document editors and WG chairs should treat
>> these comments just like any other last call comments.
>>
>> ipfixSelectionProcessTable is left undefined, so it could possibly
>> contain parameters that should not be exposed.
>>
>> Other than that I didn't find any problems.
>>
>> Love
>>
>

From weiler+secdir@watson.org  Thu Dec  3 09:41:40 2009
Return-Path: <weiler+secdir@watson.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 144F428C193 for <secdir@core3.amsl.com>; Thu,  3 Dec 2009 09:41:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.197
X-Spam-Level: 
X-Spam-Status: No, score=-2.197 tagged_above=-999 required=5 tests=[AWL=0.402,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gKSduALO7M2a for <secdir@core3.amsl.com>; Thu,  3 Dec 2009 09:41:39 -0800 (PST)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by core3.amsl.com (Postfix) with ESMTP id 15E9428C150 for <secdir@ietf.org>; Thu,  3 Dec 2009 09:41:38 -0800 (PST)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.3/8.14.3) with ESMTP id nB3HfTb6048019 for <secdir@ietf.org>; Thu, 3 Dec 2009 12:41:29 -0500 (EST) (envelope-from weiler+secdir@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.3/8.14.3/Submit) with ESMTP id nB3HfTE9048016 for <secdir@ietf.org>; Thu, 3 Dec 2009 12:41:29 -0500 (EST) (envelope-from weiler+secdir@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Thu, 3 Dec 2009 12:41:29 -0500 (EST)
From: Samuel Weiler <weiler+secdir@watson.org>
X-X-Sender: weiler@fledge.watson.org
To: secdir@ietf.org
Message-ID: <alpine.BSF.2.00.0912031230420.30608@fledge.watson.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Thu, 03 Dec 2009 12:41:30 -0500 (EST)
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: secdir-secretary@mit.edu
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2009 17:41:40 -0000

Chris Lonvick is next in the rotation.

Please try to complete last call reviews by the end of the last call.

Review instructions and related resources are at:
       http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

-- Sam


For telechat 2009-12-17

Reviewer                 Deadline   Draft
Donald Eastlake        T 2009-12-15 draft-cheshire-dnsext-multicastdns-08
Love Hornquist-Astrand T 2009-12-15 draft-ietf-ccamp-confirm-data-channel-status-08
Juergen Schoenwaelder  TR2009-12-15 draft-ietf-l3vpn-2547bis-mcast-09
Hannes Tschofenig      T 2009-12-15 draft-ietf-l3vpn-ospfv3-pece-04
Sean Turner            T 2009-12-15 draft-ietf-ipsecme-traffic-visibility-11

Last calls and special requests:

Reviewer                 Deadline   Draft
Rob Austein              2009-11-28 draft-ietf-pkix-attr-cert-mime-type-02
Pat Cain                 2009-11-28 draft-ietf-pkix-rfc3161-update-09
Dave Cridland            2009-11-25 draft-ietf-nsis-qspec-22
Alan DeKok               2009-10-01 draft-ietf-enum-enumservices-transition-04
Alan DeKok               2009-12-07 draft-ietf-capwap-802dot11-mib-05
Steve Hanna              2009-12-04 draft-ietf-rohc-rfc4995bis-01
Dan Harkins              2009-12-12 draft-duerst-mailto-bis-07
Sam Hartman              2009-12-11 draft-ietf-tls-renegotiation-01
Love Hornquist-Astrand   2009-06-29 draft-ietf-opsawg-smi-datatypes-in-xsd-05
Love Hornquist-Astrand   2009-10-13 draft-ietf-idnabis-mappings-05
Jeffrey Hutzelman        2009-10-15 draft-ietf-idnabis-protocol-17
Jeffrey Hutzelman        2009-12-07 draft-ietf-capwap-base-mib-06
Charlie Kaufman          2009-12-14 draft-ietf-dkim-deployment-09
Scott Kelly              2009-12-14 draft-ietf-fecframe-dvb-al-fec-03
Stephen Kent             2009-12-10 draft-ietf-tsvwg-rsvp-security-groupkeying-05
Tero Kivinen             2009-12-14 draft-ietf-fecframe-interleaved-fec-scheme-05
Julien Laganier          2009-12-14 draft-ietf-geopriv-geo-uri-04
Barry Leiba              2009-12-16 draft-xli-behave-ivi-05
Catherine Meadows        2008-01-17 draft-ietf-speechsc-mrcpv2-20
Russ Mundy               2009-10-21 draft-ietf-hokey-preauth-ps-09
Sandy Murphy            R2009-11-18 draft-ietf-mpls-mpls-and-gmpls-security-framework-07
Vidya Narayanan          2008-11-21 draft-ietf-sip-saml-06
Radia Perlman            2009-12-10 draft-bryan-http-digest-algorithm-values-update-03
Eric Rescorla            2009-11-10 draft-gennai-smime-cnipa-pec-05
Joe Salowey              2009-02-08 draft-ietf-geopriv-lis-discovery-12
Hannes Tschofenig        2009-04-23 draft-ietf-pce-monitoring-05
Sam Weiler               2008-08-13 draft-chown-v6ops-rogue-ra-03
Brian Weis               2009-10-20 draft-ietf-l3vpn-e2e-rsvp-te-reqts-04
Nico Williams            2008-08-13 draft-ietf-v6ops-ra-guard-04
Larry Zhu                2008-08-13 draft-thaler-v6ops-teredo-extensions-05
Larry Zhu                2009-05-09 draft-ietf-ecrit-location-hiding-req-02
Larry Zhu                2009-09-17 draft-ietf-rohc-hcoipsec-11



From stephen.farrell@cs.tcd.ie  Fri Dec  4 09:35:10 2009
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7030A3A6936; Fri,  4 Dec 2009 09:35:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.543
X-Spam-Level: 
X-Spam-Status: No, score=-0.543 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jc6UJ-hATwVG; Fri,  4 Dec 2009 09:35:09 -0800 (PST)
Received: from mail.newbay.com (87-198-172-198.ptr.magnet.ie [87.198.172.198]) by core3.amsl.com (Postfix) with ESMTP id 5E6313A676A; Fri,  4 Dec 2009 09:35:09 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.newbay.com (Postfix) with ESMTP id 767E036006B; Fri,  4 Dec 2009 17:34:59 +0000 (GMT)
X-Virus-Scanned: amavisd-new at newbay.com
Received: from mail.newbay.com ([127.0.0.1]) by localhost (mail.newbay.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uPXkyJR2qFsu; Fri,  4 Dec 2009 17:34:58 +0000 (GMT)
Received: from mail01.newbay.com (mail01.newbay.com [192.168.12.25]) by mail.newbay.com (Postfix) with ESMTP id 9A16E360063; Fri,  4 Dec 2009 17:34:58 +0000 (GMT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail01.newbay.com (Postfix) with ESMTP id 925ED7C335; Fri,  4 Dec 2009 17:34:58 +0000 (GMT)
X-Virus-Scanned: amavisd-new at newbay.com
Received: from mail01.newbay.com ([127.0.0.1]) by localhost (mail01.newbay.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WHVlsIJ3UVl4; Fri,  4 Dec 2009 17:34:58 +0000 (GMT)
Received: from [192.168.3.23] (unknown [192.168.3.23]) by mail01.newbay.com (Postfix) with ESMTP id EB8367C332; Fri,  4 Dec 2009 17:34:57 +0000 (GMT)
Message-ID: <4B194840.6060904@cs.tcd.ie>
Date: Fri, 04 Dec 2009 17:34:56 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Thunderbird 2.0.0.23 (X11/20090812)
MIME-Version: 1.0
To: Jean-Michel Combes <jeanmichel.combes@gmail.com>
References: <4B1470EB.2020906@cs.tcd.ie> <729b68be0912040931k808e9a4q9459966edf11932b@mail.gmail.com>
In-Reply-To: <729b68be0912040931k808e9a4q9459966edf11932b@mail.gmail.com>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-csi-sndp-prob@tools.ietf.org, sec-ads@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-csi-sndp-prob
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2009 17:35:10 -0000

Looks fine to me,
S.

Jean-Michel Combes wrote:
> Hi Stephen,
> 
> at first, thanks for your review.
> 
> 2009/12/1 Stephen Farrell <stephen.farrell@cs.tcd.ie>:
>> (Re-tx, messed up draft address 1st time, please cc secdir@ietf.org
>> on any response)
>>
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG. These comments were written primarily for the benefit of the
>> security area directors. Document editors and WG chairs should treat
>> these comments just like any other last call comments.
>>
>> The draft is a generally well-written description of some issues with
>> securing neighbour discovery when proxies are involved. As a problem
>> statement draft I find it just fine.
>>
>> I have two minor security comments and a few nits below.
>> Stephen.
>>
>> 1. The suggestion at the end of 4.2 that certificate serial number
>> or time field ordering be used to indicate relationships between
>> end entities seems very hacky. I'd suggest either deleting that
>> if it's felt to be unlikely used, or else, if it's actually
>> likely to be used, then documenting how it could actually work
> 
> OK. I am going to delete the text in the new version of the draft.
> 
>> 2. 7.2 mentions "signed, non-repudiable certificates" which is a
>> horribly odd phrase. Hopefully that's just sloppy language.
>> (s/signed, non-repudiable//), but if not, then it's a concern (the
>> concern being that non-repudiation in protocols is mythical).
> 
> OK. I am going to delete "signed, non-repudiable" in the new version
> of the draft.
> 
>> Nits:
>>
>> 1. 2nd last para of 3.1: fix word ordering in last sentence, think it
>> ought say:
>>
>>  Such a message would be valid according to the SEND specification, if the
>>  Target Address and the source IPv6 address of the Neighbor Advertisement
>>  weren't different [RFC3971].
> 
> In fact, I am going to change the sentence as follows:
> "To be valid according to the SEND specification, the Target Address
> of the Neighbor Advertisement message would need to be replaced also
> to be equal to the Source Address [RFC3971]."
> The reason is that the Source Address and the Target Address are
> required to be equal (cf. RFC3971, section 7.4).
> Is such a change OK for you?
> 
>> 2. 2.2.4 1st para: similar word ordering, maybe:
>>
>>  The router or CA may then be able to certify proxying for
>>  only a subset of the prefixes for which it is certified.
> 
> OK. Fixed in the new version of the draft.
> 
>> 3. 1st sentence of 7.2: s/The certificagte delegation/Certificate
>> delegation/
> 
> OK. Fixed in the new version of the draft.
> 
> Thanks again for your review.
> 
> Best regards.
> 
> JMC.
> 

From jeanmichel.combes@gmail.com  Fri Dec  4 09:31:31 2009
Return-Path: <jeanmichel.combes@gmail.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DA4A428C0EF; Fri,  4 Dec 2009 09:31:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level: 
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[AWL=0.150,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 56ZNEiGH-kQ1; Fri,  4 Dec 2009 09:31:30 -0800 (PST)
Received: from mail-iw0-f195.google.com (mail-iw0-f195.google.com [209.85.223.195]) by core3.amsl.com (Postfix) with ESMTP id 9BA7028C108; Fri,  4 Dec 2009 09:31:27 -0800 (PST)
Received: by iwn33 with SMTP id 33so1875152iwn.29 for <multiple recipients>; Fri, 04 Dec 2009 09:31:16 -0800 (PST)
MIME-Version: 1.0
Received: by 10.231.24.208 with SMTP id w16mr2695753ibb.38.1259947875993; Fri,  04 Dec 2009 09:31:15 -0800 (PST)
In-Reply-To: <4B1470EB.2020906@cs.tcd.ie>
References: <4B1470EB.2020906@cs.tcd.ie>
Date: Fri, 4 Dec 2009 18:31:15 +0100
Message-ID: <729b68be0912040931k808e9a4q9459966edf11932b@mail.gmail.com>
From: Jean-Michel Combes <jeanmichel.combes@gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Fri, 04 Dec 2009 12:19:11 -0800
Cc: draft-ietf-csi-sndp-prob@tools.ietf.org, sec-ads@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-csi-sndp-prob
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2009 17:31:32 -0000

Hi Stephen,

at first, thanks for your review.

2009/12/1 Stephen Farrell <stephen.farrell@cs.tcd.ie>:
>
> (Re-tx, messed up draft address 1st time, please cc secdir@ietf.org
> on any response)
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> The draft is a generally well-written description of some issues with
> securing neighbour discovery when proxies are involved. As a problem
> statement draft I find it just fine.
>
> I have two minor security comments and a few nits below.
> Stephen.
>
> 1. The suggestion at the end of 4.2 that certificate serial number
> or time field ordering be used to indicate relationships between
> end entities seems very hacky. I'd suggest either deleting that
> if it's felt to be unlikely used, or else, if it's actually
> likely to be used, then documenting how it could actually work

OK. I am going to delete the text in the new version of the draft.

>
> 2. 7.2 mentions "signed, non-repudiable certificates" which is a
> horribly odd phrase. Hopefully that's just sloppy language.
> (s/signed, non-repudiable//), but if not, then it's a concern (the
> concern being that non-repudiation in protocols is mythical).

OK. I am going to delete "signed, non-repudiable" in the new version
of the draft.

>
> Nits:
>
> 1. 2nd last para of 3.1: fix word ordering in last sentence, think it
> ought say:
>
>  Such a message would be valid according to the SEND specification, if the
>  Target Address and the source IPv6 address of the Neighbor Advertisement
>  weren't different [RFC3971].

In fact, I am going to change the sentence as follows:
"To be valid according to the SEND specification, the Target Address
of the Neighbor Advertisement message would need to be replaced also
to be equal to the Source Address [RFC3971]."
The reason is that the Source Address and the Target Address are
required to be equal (cf. RFC3971, section 7.4).
Is such a change OK for you?

>
> 2. 2.2.4 1st para: similar word ordering, maybe:
>
>  The router or CA may then be able to certify proxying for
>  only a subset of the prefixes for which it is certified.

OK. Fixed in the new version of the draft.

>
> 3. 1st sentence of 7.2: s/The certificagte delegation/Certificate
> delegation/

OK. Fixed in the new version of the draft.

Thanks again for your review.

Best regards.

JMC.

From julienl@qualcomm.com  Fri Dec  4 18:08:01 2009
Return-Path: <julienl@qualcomm.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1479C3A6800; Fri,  4 Dec 2009 18:08:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.654
X-Spam-Level: 
X-Spam-Status: No, score=-105.654 tagged_above=-999 required=5 tests=[AWL=0.945, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U+y2j3DVyqRW; Fri,  4 Dec 2009 18:07:59 -0800 (PST)
Received: from wolverine01.qualcomm.com (wolverine01.qualcomm.com [199.106.114.254]) by core3.amsl.com (Postfix) with ESMTP id C30323A63C9; Fri,  4 Dec 2009 18:07:55 -0800 (PST)
X-IronPort-AV: E=McAfee;i="5400,1158,5822"; a="29112405"
Received: from pdmz-ns-mip.qualcomm.com (HELO numenor.qualcomm.com) ([199.106.114.10]) by wolverine01.qualcomm.com with ESMTP; 04 Dec 2009 18:07:46 -0800
Received: from totoro.qualcomm.com (totoro.qualcomm.com [129.46.61.158]) by numenor.qualcomm.com (8.14.2/8.14.2/1.0) with ESMTP id nB527kwt008496 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Fri, 4 Dec 2009 18:07:46 -0800
Received: from nasanexhub06.na.qualcomm.com (nasanexhub06.na.qualcomm.com [129.46.134.254]) by totoro.qualcomm.com (8.14.2/8.14.2/1.0) with ESMTP id nB527j3O018423 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Fri, 4 Dec 2009 18:07:45 -0800 (PST)
Received: from nalasexhub02.na.qualcomm.com (10.47.130.89) by nasanexhub06.na.qualcomm.com (129.46.134.254) with Microsoft SMTP Server (TLS) id 8.2.176.0; Fri, 4 Dec 2009 18:07:45 -0800
Received: from NALASEXMB04.na.qualcomm.com ([10.47.7.118]) by nalasexhub02.na.qualcomm.com ([10.47.130.89]) with mapi; Fri, 4 Dec 2009 18:07:45 -0800
From: "Laganier, Julien" <julienl@qualcomm.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Date: Fri, 4 Dec 2009 18:07:41 -0800
Thread-Topic: SECDIR review of draft-ietf-geopriv-geo-uri-04
Thread-Index: Acp1T7n9fjq+iCqPThmWwISnFb6QaA==
Message-ID: <BF345F63074F8040B58C00A186FCA57F1C65FB2E80@NALASEXMB04.na.qualcomm.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "draft-ietf-geopriv-geo-uri@tools.ietf.org" <draft-ietf-geopriv-geo-uri@tools.ietf.org>, "geopriv-chairs@tools.ietf.org" <geopriv-chairs@tools.ietf.org>, "geopriv-ads@tools.ietf.org" <geopriv-ads@tools.ietf.org>
Subject: [secdir] SECDIR review of draft-ietf-geopriv-geo-uri-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Dec 2009 02:08:01 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

Document Abstract:

   This document specifies a Uniform Resource Identifier (URI) for
   geographic locations using the 'geo' scheme name.  A 'geo' URI
   identifies a physical location in a two- or three-dimensional
   coordinate reference system in a compact, simple, human-readable, and
   protocol-independent way.  The default coordinate reference system
   used is WGS-84.

I think the document is fine security wise. I have a couple of
questions; mostly to satisfy curiosity:

3.4.3.  Location Uncertainty

   The 'u' ("uncertainty") parameter indicates the amount of uncertainty
   in the location as a value in meters.  Where a 'geo' URI is used to
   identify the location of a particular object, <uval> indicates the
   uncertainty with which the identified location of the subject is
   known.

   The 'u' parameter is optional and it can appear only once.  If it is
   not specified, this indicates that uncertainty is unknown or
   unspecified.  If the intent is to indicate a specific point in space,
   <uval> MAY be set to zero.  Zero uncertainty and absent uncertainty
   are never the same thing.

Shouldn't this MAY be a MUST? (since as you note zero uncertainty and
absent uncertainty are never the same thing.)

3.4.4.  URI Comparison

   Two 'geo' URIs are equal when they use the same CRS, and <coord-a>,
   <coord-b>, <coord-c> and 'u' value are mathematically identical
   (including absent <uval> meaning undefined 'u' value).

Hmm. About comparison:

I understand that when <uval> is present you are delimiting a sphere of
radius <uval> centered on the point (<coord-a>, <coord-b>, <coord-c>).

When <uval> is absent (undefined) the sphere containing can have any
radius, thus two geo URIs with same coordinates but undefined <uval>
might correspond to different spheres in which case it seems to me
that they shouldn't be said to be equal.

5.  URI Operations

   Currently, just one operation on a 'geo' URI is defined - location
   dereference: In that operation, a client dereferences the URI by
   extracting the geographical coordinates from the URI path component
   <geo-path>.  Further use of those coordinates (and the uncertainty
   value from <uval>) is then up to the application processing the URI,
   and might depend on the context of the URI.

It seems that the document is also defining an equality comparison
operation between geo URIs.

--julien
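
The comparison rule quoted from section 3.4.4, as an added example (not code from the draft or from the reviewer): a parser and an equality check in which absent <uval> equals only absent <uval>, with a hypothetical `absent_u_equal` switch that shows the alternative the review raises. The `crs` parameter name and the number syntax are taken from the published 'geo' URI syntax, not from this message.

```python
import re
from decimal import Decimal

# Number syntax assumed from the published 'geo' URI grammar: optional sign,
# digits, optional fraction. <uval> uses the same form without a sign.
_NUM = re.compile(r"-?\d+(\.\d+)?")
_PNUM = re.compile(r"\d+(\.\d+)?")


def parse_geo(uri):
    """Return (crs, coords, u) for a 'geo' URI; u is None when 'u' is absent."""
    scheme, sep, rest = uri.partition(":")
    if scheme.lower() != "geo" or not sep:
        raise ValueError("not a geo URI: %r" % uri)
    path, *params = rest.split(";")
    fields = path.split(",")
    if len(fields) not in (2, 3) or not all(_NUM.fullmatch(f) for f in fields):
        raise ValueError("bad <geo-path>: %r" % path)
    # Decimal keeps the comparison mathematical: 48.2010 and 48.201 are equal.
    coords = tuple(Decimal(f) for f in fields)
    crs, u = "wgs84", None  # WGS-84 is the default CRS
    seen = set()
    for param in params:
        name, _, value = param.partition("=")
        name = name.lower()
        if name in ("crs", "u") and name in seen:
            raise ValueError("%r can appear only once" % name)
        seen.add(name)
        if name == "crs":
            crs = value.lower()
        elif name == "u":
            if not _PNUM.fullmatch(value):
                raise ValueError("bad <uval>: %r" % value)
            u = Decimal(value)
        # Any other parameter is ignored by this example.
    return crs, coords, u


def geo_equal(a, b, absent_u_equal=True):
    """Compare two 'geo' URIs by CRS, coordinates and 'u' value.

    absent_u_equal=True follows the quoted text (absent equals absent).
    absent_u_equal=False is a hypothetical stricter mode in which two URIs
    with undefined uncertainty are never reported as equal.
    """
    crs_a, coords_a, u_a = parse_geo(a)
    crs_b, coords_b, u_b = parse_geo(b)
    if crs_a != crs_b or coords_a != coords_b:
        return False
    if u_a is None and u_b is None:
        return absent_u_equal
    # None never equals a Decimal, so u=0 and absent 'u' compare unequal.
    return u_a == u_b


def compare_samples():
    """Run the check over constructed sample pairs and return the results."""
    pairs = [
        ("geo:48.2010,16.3695,183", "geo:48.201,16.36950,183.0"),
        ("geo:48.201,16.3695;u=0", "geo:48.201,16.3695"),
        ("geo:48.201,16.3695;u=40", "geo:48.201,16.3695;u=40.0"),
        ("geo:48.201,16.3695", "GEO:48.201,16.3695;crs=WGS84"),
    ]
    return [geo_equal(a, b) for a, b in pairs]


if __name__ == "__main__":
    print(compare_samples())
```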

From kivinen@iki.fi  Mon Dec  7 05:01:01 2009
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B16C728C153; Mon,  7 Dec 2009 05:01:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.591
X-Spam-Level: 
X-Spam-Status: No, score=-2.591 tagged_above=-999 required=5 tests=[AWL=0.008,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4KM8RjCl5yPT; Mon,  7 Dec 2009 05:01:00 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id 88C563A679C; Mon,  7 Dec 2009 05:01:00 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id nB7D0j9M011379 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 7 Dec 2009 15:00:45 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id nB7D0jbP004255; Mon, 7 Dec 2009 15:00:45 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <19228.64637.664835.801627@fireball.kivinen.iki.fi>
Date: Mon, 7 Dec 2009 15:00:45 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: iesg@ietf.org, secdir@ietf.org
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 14 min
X-Total-Time: 35 min
Cc: fecframe-chairs@tools.ietf.org, draft-ietf-fecframe-interleaved-fec-scheme@tools.ietf.org
Subject: [secdir] Review of draft-ietf-fecframe-interleaved-fec-scheme-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2009 13:01:01 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document defines new RTP payload format for sending forward error
correction that is generated by the 1-D interleaved parity code.

The security considerations section refers to the generic RTP
(RFC3550) security considerations. It also mentions generic solutions
to different security problems (encryption for confidentiality,
integrity protection mechanism for integrity and authentication of the
source of the payload).

It does not list any specific mechanisms, but points to Secure
Real-time Transport Protocol SRTP (RFC3711), IPsec (RFC4301) and TLS
(RFC5246).

The only thing missing from the security considerations section is
that it should mention that the repair flow should require exactly
same security features that what is provided to the source flow. The
repair flow packets are xor of the multiple source flow packets, and
if those do not get exactly same confidentiality, integrity and
authentication of source protection then the original source flow
confidentiality, integrity or authentication of the source could be
compromised.

I.e. it is not acceptable for using for example AES, SHA2-256 to
protect source flow, but send repair flow without encryption and
without integrity protection, as when doing that attacker can replace
repair flow packets, and cause source flow packets to drop triggering
error correcting procedures on the receiver which will then use repair
flow packets having weaker security than source flow packets.
-- 
kivinen@iki.fi
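
The point of the review above, as an added toy model (not code from the draft or from the reviewer): a receiver that authenticates source packets but accepts untagged repair packets rebuilds a lost packet from unauthenticated data, while a receiver that applies the same check to both flows rejects an altered repair packet. HMAC-SHA256, the flow labels, the single-parity grouping and all function names are assumptions made for the example.

```python
import hashlib
import hmac
from functools import reduce

TAG_LEN = 32  # HMAC-SHA256 output size (assumed integrity mechanism)


def xor_bytes(a, b):
    """XOR two equal-length payloads (a real scheme pads to a common length)."""
    return bytes(x ^ y for x, y in zip(a, b))


def make_repair(payloads):
    """Parity repair payload: XOR of every source payload in the group."""
    return reduce(xor_bytes, payloads)


def _tag(key, flow, seq, payload):
    return hmac.new(key, flow + seq.to_bytes(4, "big") + payload,
                    hashlib.sha256).digest()


def protect(key, flow, seq, payload):
    """Append an integrity tag bound to the flow label and sequence number."""
    return payload + _tag(key, flow, seq, payload)


def verify(key, flow, seq, packet):
    """Return the payload if the tag checks out, otherwise None."""
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if hmac.compare_digest(tag, _tag(key, flow, seq, payload)):
        return payload
    return None


def receive_group(key, source_packets, repair_packet, repair_seq,
                  require_repair_tag):
    """Return {seq: payload} for one group, repairing at most one loss.

    source_packets is a list of (seq, packet-or-None). Source packets are
    always verified. The repair packet is verified only when
    require_repair_tag is True, which is the policy the review asks for.
    """
    good, missing = {}, []
    for seq, packet in source_packets:
        payload = None if packet is None else verify(key, b"src", seq, packet)
        if payload is None:
            missing.append(seq)
        else:
            good[seq] = payload
    if not missing:
        return good
    if len(missing) > 1:
        raise ValueError("one parity packet repairs only one loss")
    if require_repair_tag:
        repair = verify(key, b"rep", repair_seq, repair_packet)
        if repair is None:
            raise ValueError("repair packet failed integrity check")
    else:
        repair = repair_packet  # weaker flow: payload taken on trust
    good[missing[0]] = reduce(xor_bytes, list(good.values()), repair)
    return good


def demo():
    """Run both receiver policies over constructed packets."""
    key = bytes(range(32))                              # constructed key
    payloads = [b"frame-00", b"frame-01", b"frame-02"]  # constructed payloads
    sources = [(i, protect(key, b"src", i, p)) for i, p in enumerate(payloads)]
    sources[1] = (1, None)                              # source packet 1 is lost
    repair = make_repair(payloads)
    altered = xor_bytes(repair, b"\x00" * 7 + b"\x01")  # changed in transit
    tagged = protect(key, b"rep", 0, repair)
    altered_tagged = altered + tagged[-TAG_LEN:]        # old tag, new payload

    out = {
        "untagged_intact": receive_group(key, sources, repair, 0, False)[1],
        "untagged_altered": receive_group(key, sources, altered, 0, False)[1],
        "tagged_intact": receive_group(key, sources, tagged, 0, True)[1],
    }
    try:
        receive_group(key, sources, altered_tagged, 0, True)
        out["tagged_altered"] = "accepted"
    except ValueError:
        out["tagged_altered"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```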

From abegen@cisco.com  Mon Dec  7 07:51:38 2009
Return-Path: <abegen@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 673213A68C2; Mon,  7 Dec 2009 07:51:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.439
X-Spam-Level: 
X-Spam-Status: No, score=-6.439 tagged_above=-999 required=5 tests=[AWL=0.160,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qhsmxqw+-mSf; Mon,  7 Dec 2009 07:51:37 -0800 (PST)
Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by core3.amsl.com (Postfix) with ESMTP id 924C13A683E; Mon,  7 Dec 2009 07:51:37 -0800 (PST)
Authentication-Results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApoEALqyHEurRN+J/2dsb2JhbADDSJYWhDMEgWc
X-IronPort-AV: E=Sophos;i="4.47,356,1257120000"; d="scan'208";a="115308017"
Received: from sj-core-3.cisco.com ([171.68.223.137]) by sj-iport-5.cisco.com with ESMTP; 07 Dec 2009 15:51:27 +0000
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-3.cisco.com (8.13.8/8.14.3) with ESMTP id nB7FpRoI028163; Mon, 7 Dec 2009 15:51:27 GMT
Received: from xmb-sjc-215.amer.cisco.com ([171.70.151.169]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959);  Mon, 7 Dec 2009 07:51:27 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 7 Dec 2009 07:51:22 -0800
Message-ID: <04CAD96D4C5A3D48B1919248A8FE0D540AD0E252@xmb-sjc-215.amer.cisco.com>
In-Reply-To: <19228.64637.664835.801627@fireball.kivinen.iki.fi>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Review of draft-ietf-fecframe-interleaved-fec-scheme-05
Thread-Index: Acp3PVaLPgjswfngTi6Dlwli1SxNJQAF0Cag
References: <19228.64637.664835.801627@fireball.kivinen.iki.fi>
From: "Ali C. Begen (abegen)" <abegen@cisco.com>
To: "Tero Kivinen" <kivinen@iki.fi>, <iesg@ietf.org>, <secdir@ietf.org>
X-OriginalArrivalTime: 07 Dec 2009 15:51:27.0805 (UTC) FILETIME=[2315FED0:01CA7755]
X-Mailman-Approved-At: Mon, 07 Dec 2009 23:56:50 -0800
Cc: fecframe-chairs@tools.ietf.org, draft-ietf-fecframe-interleaved-fec-scheme@tools.ietf.org
Subject: Re: [secdir] Review of draft-ietf-fecframe-interleaved-fec-scheme-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2009 15:51:38 -0000

Hi Tero,

Thanks for the review. Yes, we should add that to the document, which is
something I tend to do in the next revision.

Cheers, acbegen.

> -----Original Message-----
> From: Tero Kivinen [mailto:kivinen@iki.fi]
> Sent: Monday, December 07, 2009 8:01 AM
> To: iesg@ietf.org; secdir@ietf.org
> Cc: draft-ietf-fecframe-interleaved-fec-scheme@tools.ietf.org; fecframe-chairs@tools.ietf.org
> Subject: Review of draft-ietf-fecframe-interleaved-fec-scheme-05
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> This document defines new RTP payload format for sending forward error
> correction that is generated by the 1-D interleaved parity code.
>
> The security considerations section refers to the generic RTP
> (RFC3550) security considerations. It also mentions generic solutions
> to different security problems (encryption for confidentiality,
> integrity protection mechanism for integrity and authentication of the
> source of the payload).
>
> It does not list any specific mechanisms, but points to Secure
> Real-time Transport Protocol SRTP (RFC3711), IPsec (RFC4301) and TLS
> (RFC5246).
>
> The only thing missing from the security considerations section is
> that it should mention that the repair flow should require exactly
> same security features that what is provided to the source flow. The
> repair flow packets are xor of the multiple source flow packets, and
> if those do not get exactly same confidentiality, integrity and
> authentication of source protection then the original source flow
> confidentiality, integrity or authentication of the source could be
> compromised.
>
> I.e. it is not acceptable for using for example AES, SHA2-256 to
> protect source flow, but send repair flow without encryption and
> without integrity protection, as when doing that attacker can replace
> repair flow packets, and cause source flow packets to drop triggering
> error correcting procedures on the receiver which will then use repair
> flow packets having weaker security than source flow packets.
> --
> kivinen@iki.fi

From dharkins@lounge.org  Tue Dec  8 10:02:29 2009
Return-Path: <dharkins@lounge.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 65CEF3A68F6; Tue,  8 Dec 2009 10:02:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.265
X-Spam-Level: 
X-Spam-Status: No, score=-6.265 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gxkh1XantVf6; Tue,  8 Dec 2009 10:02:28 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by core3.amsl.com (Postfix) with ESMTP id AD4263A67A7; Tue,  8 Dec 2009 10:02:27 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 9EB65102240AE; Tue,  8 Dec 2009 10:02:16 -0800 (PST)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Tue, 8 Dec 2009 10:02:16 -0800 (PST)
Message-ID: <825be751fdcdc5da34213d44f5ef0b67.squirrel@www.trepanning.net>
Date: Tue, 8 Dec 2009 10:02:16 -0800 (PST)
From: "Dan Harkins" <dharkins@lounge.org>
To: secdir@ietf.org
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: duerst@it.aoyama.ac.jp, jwz@jwz.org, LMM@acm.org, iesg@ietf.org
Subject: [secdir] review of draft-duerst-mailto-bis-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2009 18:02:29 -0000

  Hello,

  I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors should treat these comments
just like any other last call comments.

  This document adds support for internationalization (and
internationalized resource identifiers) to the previously defined syntax
of a "mailto" URI. It will obsolete RFC 2368.

  This document does not introduce any new security issues. The Security
Considerations describe some of the dangers inherent to using a "mailto"
URI and recommend some guidelines in their use. They are illustrative and
seem fine.

  There is some requirements language that I think could be cleaned up
a little. For instance, in section 4 it says:

   "The user agent interpreting a 'mailto' URI SHOULD choose not to
    create a message if any of the header fields are considered
    dangerous; it may also choose to create a message with only a subset
    of the header fields given in the URI."

"SHOULD choose not to" made me stop and read that a couple times to try
to understand what behavior is being specified. I eventually decided that
"SHOULD NOT" is equivalent. Is that correct? If so I suggest changing it.
And should that "may also choose" become a "MAY also choose"?

  Section 7 has a couple of cases of "SHOULD never", such as:

   "A mail client SHOULD never send anything without complete disclosure
    to the user...."

Never is pretty absolute. But then it's qualified with SHOULD. Should it
be "SHOULD NOT"?

  I like the example in section 6 that illustrates how to provide a link
in a browsable archive that will do a reply and preserve threading
information. Very cool!

  regards,

  Dan.



From turners@ieca.com  Tue Dec  8 15:54:37 2009
Return-Path: <turners@ieca.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DA98B3A694E for <secdir@core3.amsl.com>; Tue,  8 Dec 2009 15:54:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.553
X-Spam-Level: 
X-Spam-Status: No, score=-2.553 tagged_above=-999 required=5 tests=[AWL=0.045,  BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D9UHvVMq6zf9 for <secdir@core3.amsl.com>; Tue,  8 Dec 2009 15:54:37 -0800 (PST)
Received: from smtp106.biz.mail.re2.yahoo.com (smtp106.biz.mail.re2.yahoo.com [206.190.52.175]) by core3.amsl.com (Postfix) with SMTP id 604813A6915 for <secdir@ietf.org>; Tue,  8 Dec 2009 15:54:20 -0800 (PST)
Received: (qmail 72457 invoked from network); 8 Dec 2009 23:54:07 -0000
Received: from pool-96-241-2-70.washdc.east.verizon.net (turners@96.241.2.70 with plain) by smtp106.biz.mail.re2.yahoo.com with SMTP; 08 Dec 2009 15:54:07 -0800 PST
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4B1EE71E.1040704@ieca.com>
Date: Tue, 08 Dec 2009 18:54:06 -0500
From: Sean Turner <turners@ieca.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: secdir <secdir@ietf.org>, draft-ietf-ipsecme-traffic-visibility.all@tools.ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [secdir] Review of draft-ietf-ipsecme-traffic-visibility-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2009 23:54:38 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

Document Abstract:

This document describes the Wrapped Encapsulating Security Payload 
(WESP) protocol, which builds on the Encapsulating Security Payload 
(ESP) [RFC4303], and is designed to allow intermediate devices to (1) 
ascertain if data confidentiality is being employed within ESP and if 
not, (2) inspect the IPsec packets for network monitoring and access 
control functions.

I don't have any comments on the technical contents of the ID.

But, I do have a comment w.r.t. the approach.*  It seems to me that what 
you're looking for is an indication early on that the coming packets are 
encrypted or not.  Don't we already have that with the 50/51 value in 
the protocol header (IPv4, IPv6, or Extension) immediately preceding the 
ESP/AH header.  Why don't we use that as the indication, prohibit those 
NULL encryption algorithms, and then we're done?  We don't have to worry 
about implementing this protocol, the heuristics algorithm in the other 
I-D, and we don't have to complicate the adoption of ESP/AH?

spt

* The only rationale I saw was in the 3rd paragraph of the introduction 
that says AH doesn't work in NAT environments.  Is that really the 
entire reason?  I thought we were trying to kill NATS?

From weiler+secdir@watson.org  Tue Dec  8 19:22:17 2009
Return-Path: <weiler+secdir@watson.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6947A3A6956 for <secdir@core3.amsl.com>; Tue,  8 Dec 2009 19:22:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.297
X-Spam-Level: 
X-Spam-Status: No, score=-2.297 tagged_above=-999 required=5 tests=[AWL=0.302,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1SIhmfBUKfyN for <secdir@core3.amsl.com>; Tue,  8 Dec 2009 19:22:16 -0800 (PST)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by core3.amsl.com (Postfix) with ESMTP id D8C2A3A694C for <secdir@ietf.org>; Tue,  8 Dec 2009 19:22:15 -0800 (PST)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.3/8.14.3) with ESMTP id nB93M4g8049128 for <secdir@ietf.org>; Tue, 8 Dec 2009 22:22:04 -0500 (EST) (envelope-from weiler+secdir@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.3/8.14.3/Submit) with ESMTP id nB93M3vQ049124 for <secdir@ietf.org>; Tue, 8 Dec 2009 22:22:03 -0500 (EST) (envelope-from weiler+secdir@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Tue, 8 Dec 2009 22:22:03 -0500 (EST)
From: Samuel Weiler <weiler+secdir@watson.org>
X-X-Sender: weiler@fledge.watson.org
To: secdir@ietf.org
Message-ID: <alpine.BSF.2.00.0912082212370.48794@fledge.watson.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Tue, 08 Dec 2009 22:22:04 -0500 (EST)
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: secdir-secretary@mit.edu
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2009 03:22:17 -0000

Several items have been added to the IESG telechat agenda for next 
week, so I'm sending an interim assignment note.  I'll likely send a 
note on Thursday or Friday as usual, reflecting any late telechat 
agenda changes.

There are four new assignments below.  Sandy Murphy is next in the 
rotation.

Review instructions and related resources are at:
       http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

-- Sam

For telechat 2009-12-17

Reviewer                 Deadline   Draft
Donald Eastlake        T 2009-12-15 draft-cheshire-dnsext-multicastdns-08
Steve Hanna            T 2009-12-15 draft-ietf-rohc-rfc4995bis-02
Sam Hartman            T 2009-12-15 draft-ietf-tls-renegotiation-01
Love Hornquist-Astrand T 2009-12-15 draft-ietf-ccamp-confirm-data-channel-status-08
Alexey Melnikov        TR2009-12-15 draft-ietf-tsvwg-admitted-realtime-dscp-06
Juergen Schoenwaelder  TR2009-12-15 draft-ietf-l3vpn-2547bis-mcast-09
Hannes Tschofenig      T 2009-12-15 draft-ietf-l3vpn-ospfv3-pece-04
Larry Zhu              T 2009-12-15 draft-ietf-rohc-hcoipsec-12

Last calls and special requests:

Reviewer                 Deadline   Draft
Rob Austein              2009-11-28 draft-ietf-pkix-attr-cert-mime-type-02
Pat Cain                 2009-11-28 draft-ietf-pkix-rfc3161-update-09
Dave Cridland            2009-11-25 draft-ietf-nsis-qspec-22
Alan DeKok               2009-10-01 draft-ietf-enum-enumservices-transition-04
Alan DeKok               2009-12-07 draft-ietf-capwap-802dot11-mib-05
Love Hornquist-Astrand   2009-06-29 draft-ietf-opsawg-smi-datatypes-in-xsd-05
Love Hornquist-Astrand   2009-10-13 draft-ietf-idnabis-mappings-05
Jeffrey Hutzelman        2009-10-15 draft-ietf-idnabis-protocol-17
Jeffrey Hutzelman        2009-12-07 draft-ietf-capwap-base-mib-06
Charlie Kaufman          2009-12-14 draft-ietf-dkim-deployment-09
Scott Kelly              2009-12-14 draft-ietf-fecframe-dvb-al-fec-03
Stephen Kent             2009-12-10 draft-ietf-tsvwg-rsvp-security-groupkeying-05
Barry Leiba              2009-12-16 draft-xli-behave-ivi-05
Chris Lonvick            2010-01-01 draft-giralt-schac-ns-02
David McGrew             2009-12-18 draft-ietf-ccamp-gmpls-ethernet-arch-07
Catherine Meadows        2008-01-17 draft-ietf-speechsc-mrcpv2-20
Catherine Meadows        2009-12-22 draft-ietf-sipping-config-framework-16
Russ Mundy               2009-10-21 draft-ietf-hokey-preauth-ps-09
Russ Mundy               2010-01-01 draft-ohba-pana-pemk-03
Sandy Murphy            R2009-11-18 draft-ietf-mpls-mpls-and-gmpls-security-framework-07
Vidya Narayanan          2008-11-21 draft-ietf-sip-saml-06
Radia Perlman            2009-12-10 draft-bryan-http-digest-algorithm-values-update-03
Eric Rescorla            2009-11-10 draft-gennai-smime-cnipa-pec-05
Joe Salowey              2009-02-08 draft-ietf-geopriv-lis-discovery-13
Hannes Tschofenig        2009-04-23 draft-ietf-pce-monitoring-05
Sam Weiler               2008-08-13 draft-chown-v6ops-rogue-ra-03
Brian Weis               2009-10-20 draft-ietf-l3vpn-e2e-rsvp-te-reqts-04
Nico Williams            2008-08-13 draft-ietf-v6ops-ra-guard-04
Larry Zhu                2008-08-13 draft-thaler-v6ops-teredo-extensions-05
Larry Zhu                2009-05-09 draft-ietf-ecrit-location-hiding-req-02


From secdir-bounces@mit.edu  Tue Dec  8 16:00:38 2009
Return-Path: <secdir-bounces@mit.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7CA783A69AF for <secdir@core3.amsl.com>; Tue,  8 Dec 2009 16:00:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JXvl1O6a24C7 for <secdir@core3.amsl.com>; Tue,  8 Dec 2009 16:00:37 -0800 (PST)
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by core3.amsl.com (Postfix) with ESMTP id C6C1E3A699E for <secdir@ietf.org>; Tue,  8 Dec 2009 16:00:36 -0800 (PST)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id nB900Qkt021449 for <secdir@ietf.org>; Tue, 8 Dec 2009 19:00:26 -0500
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id nB900Mpw021440 for <secdir@PCH.mit.edu>; Tue, 8 Dec 2009 19:00:25 -0500
Received: from dmz-mailsec-scanner-1.mit.edu (DMZ-MAILSEC-SCANNER-1.MIT.EDU [18.9.25.12]) by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id nB8NxSds001441 for <secdir@mit.edu>; Tue, 8 Dec 2009 19:00:14 -0500 (EST)
X-AuditID: 1209190c-b7ca4ae0000075eb-57-4b1ee87ca5a4
Received: from mail.ietf.org (mail.ietf.org [64.170.98.32]) by  (Symantec Brightmail Gateway) with SMTP id 97.D0.30187.C78EE1B4; Tue,  8 Dec 2009 18:59:56 -0500 (EST)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EB3BD3A69CF; Tue,  8 Dec 2009 16:00:04 -0800 (PST)
X-Original-To: new-work@ietf.org
Delivered-To: new-work@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 0) id F2CE63A67F2; Tue,  8 Dec 2009 16:00:01 -0800 (PST)
From: IESG Secretary <iesg-secretary@ietf.org>
To: new-work@ietf.org
Mime-Version: 1.0
Message-Id: <20091209000001.F2CE63A67F2@core3.amsl.com>
Date: Tue,  8 Dec 2009 16:00:01 -0800 (PST)
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
X-Brightmail-Tracker: AAAABBHz1csR89XMEfPfJBHz4aA=
X-Scanned-By: MIMEDefang 2.42
X-BeenThere: secdir@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: secdir-bounces@mit.edu
Errors-To: secdir-bounces@mit.edu
X-Mailman-Approved-At: Tue, 08 Dec 2009 23:07:51 -0800
Subject: [secdir] [New-work] WG Review: Multiple AoR reachabiliTy InformatioN Indication (MARTINI)
X-BeenThere: secdir@ietf.org
Reply-To: iesg@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2009 00:00:38 -0000

A new IETF working group has been proposed in the Real-time Applications
and Infrastructure Area.  The IESG has not made any determination as yet.
The following draft charter was submitted, and is provided for
informational purposes only.  Please send your comments to the IESG
mailing list (iesg@ietf.org) by Tuesday, December 15, 2009.

Multiple AoR reachabiliTy InformatioN Indication (MARTINI)
-----------------------------------------------------------------------
Current Status: Proposed Working Group
Last Modified: 2009-12-08

Chair(s):
TBD

Real-time Applications and Infrastructure Area Director(s):
Robert Sparks <rjsparks@nostrum.com>
Cullen Jennings <fluffy@cisco.com>

Real-time Applications and Infrastructure Area Advisor:
Cullen Jennings <fluffy@cisco.com>

Technical Advisor(s):

Mailing Lists:
General Discussion: martini@ietf.org
To Subscribe: martini-request@ietf.org
In Body: subscribe
Archive: http://www.ietf.org/mail-archive/web/martini/index.html

Description of Working Group

The MARTINI working group is chartered to specify a means by which an
entity that is authoritative for SIP URIs can dynamically register
reachability information for multiple Addresses of Record ("AORs") with a
service provider.

The SIP protocol [RFC 3261 and its extensions] supports multiple means of
obtaining the connection information necessary to deliver out-of-dialog
SIP requests to their intended targets. When a SIP Proxy needs to send a
request to a target AOR within its domain, it can use a location service
to obtain the registered contact URI, together with any associated path
information [RFC 3327], and build a route set to reach the target UA(s).
The SIP REGISTER method can be used to register contact URIs and path
information. SIP-outbound [RFC 5626] enhances this mechanism to cater for
UAs behind NATs and firewalls. When a SIP UA or Proxy needs to send a
request to a target for which it is not authoritative, the UA/Proxy can
use RFC3263 procedures for using DNS to resolve the next-hop connection
information.

In practice, many small and medium-sized businesses use a SIP-PBX that is
authoritative for tens or hundreds of SIP AoRs. This SIP-PBX acts as a
registrar/proxy for these AoRs for clients hosted by the SIP-PBX. UAs
register with the SIP-PBX on behalf of the AoRs concerned. A SIP Service
Provider (SSP) provides SIP peering/trunking capability to the SIP PBX.
The SIP-PBX must be reachable from the SSP so that the SSP can route
inbound SIP requests for the AoRs addressed to the SIP PBX, routing these
requests to the SIP-PBX itself for onward delivery to registered UAs.

Experience has shown that existing mechanisms are not always sufficient
to support SIP-PBXs for small/medium businesses. Since a single SSP may
support multiple thousands of such SMB SIP-PBX's, it is impractical and
cost-prohibitive to manually provision their IP addresses in every SIP
node along paths to those SIP-PBXs. Furthermore, IP addresses can be
dynamically assigned and therefore can potentially change relatively
frequently.

In current deployments, dynamic reachability mechanisms based on the SIP
REGISTER method are commonly used. Effectively, a single REGISTER request
registers the AoR of the SIP-PBX, so that any out-of-dialog request
targeted at a SIP URI for which the SIP-PBX is authoritative can be
delivered from the SSP to the SIP-PBX. However, implementations of this
mechanism vary in details, leading to interoperability issues between
SIP-PBXs and SSPs, and the need for equipment to support different
variants.

The task of this working group is to standardize a multiple-AoR
registration mechanism for SIP that can be widely deployed by service
providers at large scale. The solution will support AoRs with E.164
addresses at a minimum, although support for other classes of AoRs may be
included.

The solution will utilize existing SIP mechanisms to the extent possible,
although it is anticipated that small protocol extensions are likely to be
required, and hence a standards track (rather than BCP) deliverable is
expected. The solution will accommodate existing SIP extensions relating
to registration (e.g., Path, Service-Route [RFC 3608] and SIP-outbound) by
ensuring that they are not precluded from use in the context of multiple
AoR registrations. The solution will incorporate a compatibility mechanism
to ensure a deterministic outcome when interworking with entities that do
not support multiple AoR registration.

The working group will coordinate with SIP Forum and other industry
groups on requirements and will coordinate its work with other IETF
working groups including DRINKS and SIPCORE.

Goals and Milestones
Dec 2009 Solicit solution-space drafts
Jan 2010 Interim meeting
Jan 2010 Adopt Working Group draft
Feb 2010 First Working Group Last Call
Mar 2010 Second Working Group Last Call
Apr 2010 Multiple AoR Registration specification to IESG (PS)
Jul 2010 Close or recharter working group

From sunwq@MIT.EDU  Tue Dec  8 18:34:41 2009
Return-Path: <sunwq@MIT.EDU>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9ABF13A6892; Tue,  8 Dec 2009 18:34:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.449
X-Spam-Level: 
X-Spam-Status: No, score=-6.449 tagged_above=-999 required=5 tests=[AWL=0.149,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, STOX_REPLY_TYPE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gobSTtuRqnVX; Tue,  8 Dec 2009 18:34:40 -0800 (PST)
Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU [18.7.7.80]) by core3.amsl.com (Postfix) with ESMTP id 5B6B13A6359; Tue,  8 Dec 2009 18:34:40 -0800 (PST)
Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id nB92Un5F009672; Tue, 8 Dec 2009 21:30:50 -0500 (EST)
Received: from APC ([202.120.39.240]) (authenticated bits=0) (User authenticated as sunwq@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id nB92VEfR006344 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Tue, 8 Dec 2009 21:31:26 -0500 (EST)
Message-ID: <7EB0E891E84D41FDBF35C04AAEEB6A10@sjtu.edu.cn>
From: "Weiqiang Sun" <sunwq@MIT.EDU>
To: <tlyu@mit.edu>, <secdir@ietf.org>, <iesg@ietf.org>
Date: Wed, 9 Dec 2009 10:31:12 +0800
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="gb2312"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 14.0.8089.726
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8089.726
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Tue, 08 Dec 2009 23:07:50 -0800
Cc: draft-ietf-ccamp-lsp-dppm@tools.ietf.org, ccamp-chairs@tools.ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-ccamp-lsp-dppm-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2009 02:34:41 -0000

Hi Tom,

[Seems that the secdir review email does not reach my mailbox. I am 
following up this thread manually. Hope it gets sorted correctly.]

Thanks for your comments. Please see inline for our responses/proposed 
changes.

>This document appears to define a set of performance metrics for
>characterizing dynamic LSP provisioning performance in GMPLS networks.
>Editorial:
>The document claims (in the Introduction) that these metrics
>characterize the performance of the signaling protocol.  I find that
>the metrics more accurately measure the performance of the LSP setup
>and teardown operations, and are only tangentially related to the
>performance of the signaling protocol (unless somehow the performance
>of the signaling protocol implicitly includes the actions that the
>routers take in response, in which case I think the document should
>state it more plainly.)
Yes we do have this.
   This document provides a series of performance metrics to evaluate
   the dynamic Label Switched Path (LSP) provisioning performance in
   GMPLS networks, specifically the dynamic LSP setup/release
   performance.  These metrics can be used to characterize the features
   of GMPLS networks in LSP dynamic provisioning.

>
>Security:
>
>[Most of these are probably minor points merely requiring clarifying
>text.]
>
>The Security Considerations section mentions the consequences of
>active traffic injection into the control plane, including skewing the
>results of measurements and causing congestion and denial of service.
>If the injected control traffic is expected to have the potential
>effect of enabling dramatically more data traffic, I think this effect
>should also be included in the Security Considerations, perhaps with
>advice to select probing control messages that do not materially alter
>the flow of data channel traffic.
>
>This document does not address security considerations related to the
>protocols communicating of the results of the measurements, or of any
>protocol used to request initiation of a measurement, perhaps because
>this document does not specify such protocols.  I assume that these
>any document that specifies such other protocols will cover those
>security considerations, even if this document does not obviously
>refer to such specifications.
>
>On the other hand, if this document is intended as guidance for
>protocol specifications that describe implementation of the
>measurement of and communication of these metrics, perhaps it should
>also outline the security considerations that those additional
>protocol specifications should address.  For example, what sort of
>authentication is required in a protocol that initiates a measurement
>of these metrics?
>
>It's not completely clear to me what sort of threat the passive
>measurement scenario involves; perhaps a router could repeatedly and
>with high frequency initiate LSP changes that overwhelm the monitoring
>channel?
For the security consideration section, we propose the following text.
Hope it is clearer.

16.  Security Considerations

   Samples of the metrics can be obtained in either active or passive
   manners.

   In active measurement, ingress nodes inject probing messages into the
   control plane.  Since the measurement endpoints must be conformant to
   signaling specifications and behave as normal signaling endpoints, it
   will not incur other security issues than normal LSP provisioning.
   However, the measurement parameters must be carefully selected so
   that the measurements inject trivial amounts of additional traffic
   into the networks they measure.  If they inject "too much" traffic,
   they can skew the results of the measurement, and in extreme cases
   cause congestion and denial of service.

   When samples of the metrics are collected in a passive manner, e.g.,
   by monitoring the operations on real-life LSPs, the implementation of
   the monitoring and reporting mechanism must be careful so that they
   will not be used to attack the control plane.  A typical
   implementation may use the Management Information Base (MIB) to
   collect/store the metrics and access to the MIB is limited to the
   Network Management Systems (NMSs).  In this case, passive monitoring
   will not incur other security issues than implementing the MIBs and
   NMSs.  If an implementation chooses to expose the performance data to
   other applications, then it must take into account the possible
   security issues it may face.  For example, when exposing the
   performance data through SNMP, certain authentication method should
   be used to ensure that the entity maintaining the performance data
   are not subject to unauthorized readings and modifications.  Rate
   limiting on the performance query may also be desirable to reduce the
   risk that the entity maintaining the performance data are overwhelmed
   by too much query requests.  It is RECOMMENDED that implementers
   consider the security features as provided by the SNMPv3 framework
   (see [RFC3410], section 8), including full support for the SNMPv3
   cryptographic mechanisms (for authentication and privacy).

   Besides, the security considerations pertaining to the original RSVP
   protocol [RFC2205] and its TE extensions [RFC3209] also remain
   relevant.

Thanks again,
Weiqiang 


From gmonte@microsoft.com  Wed Dec  9 08:40:43 2009
Return-Path: <gmonte@microsoft.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 85C1C3A68C6 for <secdir@core3.amsl.com>; Wed,  9 Dec 2009 08:40:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.432
X-Spam-Level: 
X-Spam-Status: No, score=-10.432 tagged_above=-999 required=5 tests=[AWL=0.167, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WjAFRJzo9l7T for <secdir@core3.amsl.com>; Wed,  9 Dec 2009 08:40:42 -0800 (PST)
Received: from smtp.microsoft.com (maila.microsoft.com [131.107.115.212]) by core3.amsl.com (Postfix) with ESMTP id AA8C43A6AFA for <secdir@ietf.org>; Wed,  9 Dec 2009 08:40:42 -0800 (PST)
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (157.54.79.159) by TK5-EXGWY-E801.partners.extranet.microsoft.com (10.251.56.50) with Microsoft SMTP Server (TLS) id 8.2.176.0; Wed, 9 Dec 2009 08:40:31 -0800
Received: from TK5EX14MLTW651.wingroup.windeploy.ntdev.microsoft.com (157.54.71.39) by TK5EX14MLTC104.redmond.corp.microsoft.com (157.54.79.159) with Microsoft SMTP Server (TLS) id 14.0.639.20; Wed, 9 Dec 2009 08:40:31 -0800
Received: from TK5EX14MBXW652.wingroup.windeploy.ntdev.microsoft.com ([169.254.2.203]) by TK5EX14MLTW651.wingroup.windeploy.ntdev.microsoft.com ([157.54.71.39]) with mapi; Wed, 9 Dec 2009 08:40:23 -0800
From: Gabriel Montenegro <gmonte@microsoft.com>
To: Sean Turner <turners@ieca.com>, secdir <secdir@ietf.org>, "draft-ietf-ipsecme-traffic-visibility.all@tools.ietf.org" <draft-ietf-ipsecme-traffic-visibility.all@tools.ietf.org>
Thread-Topic: Review of draft-ietf-ipsecme-traffic-visibility-11
Thread-Index: AQHKeGbnOkwDTlf2mUWHcb7VNERg/pFc6Iow
Date: Wed, 9 Dec 2009 16:40:22 +0000
Message-ID: <17CBED0797974641B6FF531FCB74E0931B5A9376@TK5EX14MBXW652.wingroup.windeploy.ntdev.microsoft.com>
References: <4B1EE71E.1040704@ieca.com>
In-Reply-To: <4B1EE71E.1040704@ieca.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Wed, 09 Dec 2009 08:49:28 -0800
Subject: Re: [secdir] Review of draft-ietf-ipsecme-traffic-visibility-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2009 16:40:43 -0000

Hi Sean, thanks for the review.

As you noted, the WG decided not to use AH as NATs are unavoidable and a
fact of life. Not sure if there were many other reasons, but this one seems
to be a show-stopper if one wants to deploy this in any real scenario.

> -----Original Message-----
> From: Sean Turner [mailto:turners@ieca.com]
> Sent: Tuesday, 08 December, 2009 3:54 PM
> To: secdir; draft-ietf-ipsecme-traffic-visibility.all@tools.ietf.org
> Subject: Review of draft-ietf-ipsecme-traffic-visibility-11
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security area
> directors. Document editors and WG chairs should treat these comments just
> like any other last call comments.
>
> Document Abstract:
>
> This document describes the Wrapped Encapsulating Security Payload
> (WESP) protocol, which builds on the Encapsulating Security Payload
> (ESP) [RFC4303], and is designed to allow intermediate devices to (1)
> ascertain if data confidentiality is being employed within ESP and if not,
> (2) inspect the IPsec packets for network monitoring and access control
> functions.
>
> I don't have any comments on the technical contents of the ID.
>
> But, I do have a comment w.r.t. the approach.*  It seems to me that what
> you're looking for is an indication early on that the coming packets are
> encrypted or not.  Don't we already have that with the 50/51 value in the
> protocol header (IPv4, IPv6, or Extension) immediately preceding the
> ESP/AH header.  Why don't we use that as the indication, prohibit those
> NULL encryption algorithms, and then we're done?  We don't have to worry
> about implementing this protocol, the heuristics algorithm in the other I-D,
> and we don't have to complicate the adoption of ESP/AH?
>
> spt
>
> * The only rationale I saw was in the 3rd paragraph of the introduction
> that says AH doesn't work in NAT environments.  Is that really the entire
> reason?  I thought we were trying to kill NATS?
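
[Added illustration of the exchange above, not code from the draft or from either poster: a simplified Python model of why an AH-style integrity check fails after a NAT rewrites the source address while an ESP-style check does not, and of what the 50/51 protocol value alone tells an intermediate device. The packet layout (IPv4 header, SPI, sequence number, data, 32-byte HMAC), the key, the addresses and all function names are assumptions made for this example, not real AH/ESP wire formats.]

```python
import hashlib
import hmac
import ipaddress
import struct

PROTO_ESP, PROTO_AH = 50, 51  # IP protocol numbers named in the review
ICV_LEN = 32                  # HMAC-SHA256 output, chosen for this model only


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of the header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, with a valid checksum."""
    def pack(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                           ttl, proto, csum,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    return pack(ipv4_checksum(pack(0)))


def immutable_header(header: bytes) -> bytes:
    """Zero the fields AH treats as mutable; the addresses stay covered."""
    h = bytearray(header)
    h[1] = 0                # TOS/DSCP
    h[6:8] = b"\x00\x00"    # flags and fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def icv(key: bytes, proto: int, header: bytes, body: bytes) -> bytes:
    """AH-style: outer IP header plus body. ESP-style: body only."""
    covered = body if proto == PROTO_ESP else immutable_header(header) + body
    return hmac.new(key, covered, hashlib.sha256).digest()


def protect(key: bytes, src: str, dst: str, proto: int, data: bytes,
            spi: int = 0x1001, seq: int = 1) -> bytes:
    body = struct.pack("!II", spi, seq) + data
    header = build_header(src, dst, proto, len(body) + ICV_LEN)
    return header + body + icv(key, proto, header, body)


def verify(key: bytes, packet: bytes) -> bool:
    header, body, tag = packet[:20], packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(tag, icv(key, header[9], header, body))


def nat_rewrite(packet: bytes, new_src: str) -> bytes:
    """What a source NAT does: replace the source address, fix the checksum."""
    h = bytearray(packet[:20])
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[20:]


def middlebox_view(packet: bytes, null_prohibited: bool = False) -> str:
    """What the protocol field alone tells an intermediate device."""
    proto = packet[9]
    if proto == PROTO_AH:
        return "cleartext"   # AH never encrypts
    if proto == PROTO_ESP:
        # Only a policy banning ESP-NULL makes 50 imply encryption.
        return "encrypted" if null_prohibited else "unknown"
    return "not-ipsec"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample values throughout
    for proto in (PROTO_AH, PROTO_ESP):
        pkt = protect(key, "10.0.0.5", "198.51.100.7", proto, b"GET / HTTP/1.1")
        natted = nat_rewrite(pkt, "203.0.113.9")
        print(proto, middlebox_view(pkt), verify(key, pkt), verify(key, natted))
```
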


From suresh.krishnan@ericsson.com  Wed Dec  9 15:36:11 2009
Return-Path: <suresh.krishnan@ericsson.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C4AD93A6782; Wed,  9 Dec 2009 15:36:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WglBJHbIcRFv; Wed,  9 Dec 2009 15:36:11 -0800 (PST)
Received: from imr2.ericy.com (imr2.ericy.com [198.24.6.3]) by core3.amsl.com (Postfix) with ESMTP id E856A3A63EB; Wed,  9 Dec 2009 15:36:10 -0800 (PST)
Received: from eusaamw0712.eamcs.ericsson.se ([147.117.20.181]) by imr2.ericy.com (8.13.1/8.13.1) with ESMTP id nB9Na7nD002856; Wed, 9 Dec 2009 17:36:16 -0600
Received: from [142.133.10.113] (147.117.20.212) by eusaamw0712.eamcs.ericsson.se (147.117.20.182) with Microsoft SMTP Server id 8.1.375.2; Wed, 9 Dec 2009 18:35:47 -0500
Message-ID: <4B203408.7090805@ericsson.com>
Date: Wed, 9 Dec 2009 18:34:32 -0500
From: Suresh Krishnan <suresh.krishnan@ericsson.com>
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: Yaron Sheffer <yaronf@checkpoint.com>
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF888AD7B@il-ex01.ad.checkpoint.com>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF888AD7B@il-ex01.ad.checkpoint.com>
Content-Type: text/plain; charset="windows-1252"; format=flowed
Content-Transfer-Encoding: 8bit
Cc: "draft-ietf-dna-simple.all@tools.ietf.org" <draft-ietf-dna-simple.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, secdir <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-dna-simple-11

Hi Yaron,
     Thanks for your detailed review. Sorry for the delayed response.

On 09-11-18 12:56 PM, Yaron Sheffer wrote:
> The Security Considerations are focused on one specific aspect, namely 
> the use of SEND. I think we should make clear here that none of the DNA 
> operations by themselves add any measure of security, unless SEND is 
> actually used. Specifically, I suggest to add the text: “The DNA 
> procedure does not in itself provide positive, secure authentication of 
> the router(s) on the network, or authentication of the network itself, 
> as e.g. would be provided by mutual authentication at the link layer. 
> Therefore when such assurance is not available, the host MUST NOT make 
> any security-sensitive decisions based on the DNA procedure. In 
> particular, it MUST NOT decide it has rejoined a network known to be 
> physically secure, and proceed to abandon cryptographic protection.”

Sounds good. Will add the text into the Security considerations.

> 
>  
> 
> Other Comments
> 
>  
> 
> 4.1: DUID - is this the host’s DUID or the router's? Per RFC 3315, both 
> have such a value.

The client's DUID. This section probably needs a rework anyway to add a 
few more fields. I will clarify this in the next rev.


> 
> 4.3: "all currently configured IP addresses" - but only for this 
> physical interface, right?

Yes. Propose rewording to

"After the indication is received on an interface, the host considers 
all  (non-tentative) IP addresses currently configured on this interface 
to be deprecated until the change detection process completes."


> 
> 4.8: why is no DAD performed? Someone else might have joined the network 
> while I was disconnected, and has a duplicate of my address.

One reason is that this issue can already occur in current networks due 
to network partitioning and merging, DAD packet loss etc. We attempted to 
quantify the conditions under which DAD should or should not be 
performed but there was strong working group consensus against doing so 
and strong consensus for adding this current text.

Thanks
Suresh


From j.schoenwaelder@jacobs-university.de  Thu Dec 10 01:26:34 2009
Date: Thu, 10 Dec 2009 10:26:19 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: rahul@juniper.net, erosen@cisco.com
Message-ID: <20091210092619.GB61657@elstar.local>
Mail-Followup-To: rahul@juniper.net, erosen@cisco.com, iesg@ietf.org, secdir@ietf.org, l3vpn-chairs@tools.ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: l3vpn-chairs@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: [secdir] secdir review of draft-ietf-l3vpn-2547bis-mcast-09
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

I have previously reviewed the -08 version of the document and all my
comments have been addressed in the -09 revision.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

From pcain2@mail2.coopercain.com  Fri Dec 11 08:03:14 2009
From: "pat cain" <pcain2@mail2.coopercain.com>
To: <draft-ietf-pkix-rfc3161-update@tools.ietf.org>
Date: Thu, 10 Dec 2009 14:19:55 -0500
Message-ID: <02f601ca79cd$c433b4e0$4c9b1ea0$@coopercain.com>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acp5zbtpe0AaM7i2RWyyVwO4obpXfw==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Language: en-us
Cc: pkix-chairs@tools.ietf.org, secdir@ietf.org
Subject: [secdir] Security Review of draft-ietf-pkix-rfc3161-update-09.txt

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

Document Abstract:

   This document updates RFC 3161 [RFC3161]. It allows the use of
   ESSCertIDv2 defined in RFC 5035 [ESSV2] to specify the hash of a
   signer certificate when the hash is calculated with a function other
   than SHA-1 [SHA1].

Comment:

The purpose of this document is laudable.
My only comment/concern is about the 'note' at the end of Section 2.2.1.

"Note: For backwards compatibility, in line with RFC 5035, both
            ESSCertID and ESSCertIDv2 MAY be present. Systems MAY ignore
            ESSCertIDv2 if RFC 5035 has not been implemented."

When RFC3161 was undergoing development, there was a robust discussion about
signing a TST multiple times. I seem to recall the output was not to do it.
Since the requestor has to verify the TST when the TSA sends it back, I'm
unclear on how a requestor that "has not implemented RFC5035" is going to do
this verification if both ESSCertID and ESSCertIDV2 are included.
I expect more guidance is needed here since the different signature
algorithms will have differing characteristics and strengths.

It seems to make more sense that a TSA return a TST with *either* an
ESSCertID or ESSCertIDV2, but not both. Is there a specific use case that
was intended here or are we just trying to be polite?

Pat Cain


From manav.bhatia@alcatel-lucent.com  Thu Dec 10 20:53:47 2009
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: Gabriel Montenegro <gmonte@microsoft.com>, Sean Turner <turners@ieca.com>,  secdir <secdir@ietf.org>, "draft-ietf-ipsecme-traffic-visibility.all@tools.ietf.org" <draft-ietf-ipsecme-traffic-visibility.all@tools.ietf.org>
Date: Fri, 11 Dec 2009 10:22:25 +0530
Thread-Topic: Review of draft-ietf-ipsecme-traffic-visibility-11
Thread-Index: AQHKeGbnOkwDTlf2mUWHcb7VNERg/pFc6IowgAJaWkA=
Message-ID: <7C362EEF9C7896468B36C9B79200D8350AB31C58FE@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <4B1EE71E.1040704@ieca.com> <17CBED0797974641B6FF531FCB74E0931B5A9376@TK5EX14MBXW652.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <17CBED0797974641B6FF531FCB74E0931B5A9376@TK5EX14MBXW652.wingroup.windeploy.ntdev.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [secdir] Review of draft-ietf-ipsecme-traffic-visibility-11

Hi Sean,

In addition to what Gabriel said, the other issue with AH is that the
work involved in taking out the fields that are immutable, hashing the
packet and sticking those immutable fields back can be quite
challenging. One needs to know the contents surrounding the IP header to
calculate the AH field which violates the layering and raises
interesting challenges for HW based Ipsec implementations.

Almost all IETF standards (e.g. RFC 4552) that explicitly define how
IPSec needs to be used for authentication state ESP-NULL as a MUST and
AH as a MAY. I don't think there is any RFC that states AH as MUST. This
could also be because RFC 4301 deprecated the use of AH from a MUST to a
MAY. It is for these reasons that ESP-NULL is widely implemented and I
know of at least two major router vendors that don't even implement the
AH standard.

AH has its own use and is really not equivalent to ESP-NULL. If there
are intermediaries that are changing the IP addresses then ESP-NULL will
not detect the IP address spoof and AH is the only standard that can
detect this (i.e. if you care about this). OTOH, if you know that your
IP addresses can change, and you want to verify the integrity of the
payload then ESP-NULL is the only protocol that can be used!

Cheers, Manav

> -----Original Message-----
> From: Gabriel Montenegro [mailto:gmonte@microsoft.com]
> Sent: Wednesday, December 09, 2009 10.10 PM
> To: Sean Turner; secdir;
> draft-ietf-ipsecme-traffic-visibility.all@tools.ietf.org
> Subject: RE: Review of draft-ietf-ipsecme-traffic-visibility-11
>
> Hi Sean, thanks for the review.
>
> As you noted, the WG decided not to use AH as NATs are
> unavoidable and a fact of life. Not sure if there were many
> other reasons, but this one seems to be a show-stopper if one
> wants to deploy this in any real scenario.
>
> > -----Original Message-----
> > From: Sean Turner [mailto:turners@ieca.com]
> > Sent: Tuesday, 08 December, 2009 3:54 PM
> > To: secdir; draft-ietf-ipsecme-traffic-visibility.all@tools.ietf.org
> > Subject: Review of draft-ietf-ipsecme-traffic-visibility-11
> >
> > I have reviewed this document as part of the security directorate's
> > ongoing effort to review all IETF documents being processed by the IESG.
> > These comments were written primarily for the benefit of the security area
> > directors. Document editors and WG chairs should treat these comments just
> > like any other last call comments.
> >
> > Document Abstract:
> >
> > This document describes the Wrapped Encapsulating Security Payload
> > (WESP) protocol, which builds on the Encapsulating Security Payload
> > (ESP) [RFC4303], and is designed to allow intermediate devices to (1)
> > ascertain if data confidentiality is being employed within ESP and if not,
> > (2) inspect the IPsec packets for network monitoring and access control
> > functions.
> >
> > I don't have any comments on the technical contents of the ID.
> >
> > But, I do have a comment w.r.t. the approach.*  It seems to me that what
> > you're looking for is an indication early on that the coming packets are
> > encrypted or not.  Don't we already have that with the 50/51 value in the
> > protocol header (IPv4, IPv6, or Extension) immediately preceding the
> > ESP/AH header.  Why don't we use that as the indication, prohibit those
> > NULL encryption algorithms, and then we're done?  We don't have to worry
> > about implementing this protocol, the heuristics algorithm in the other
> > I-D, and we don't have to complicate the adoption of ESP/AH?
> >
> > spt
> >
> > * The only rationale I saw was in the 3rd paragraph of the introduction
> > that says AH doesn't work in NAT environments.  Is that really the entire
> > reason?  I thought we were trying to kill NATS?
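
The coverage difference discussed in the message above, as an added example that is not part of the original thread: a simplified IPv4 model in which the AH integrity check covers the IP header with only its mutable fields zeroed, while the ESP-NULL check covers only the ESP header, payload and trailer. The key, SPIs, addresses, payload and the choice of a 96-bit truncated HMAC-SHA1 are constructed assumptions; IPv4 options, replay windows and IPv6 are out of scope.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"   # constructed sample key, not from the thread
ICV_LEN = 12                    # 96-bit truncated HMAC-SHA1 (assumed algorithm)
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51

def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]

def ip_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def with_checksum(hdr: bytes) -> bytes:
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", ip_checksum(zeroed)) + zeroed[12:]

def ipv4_header(src, dst, proto, body_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return with_checksum(hdr)

def ah_icv_input(ip_hdr, ah_fixed, payload):
    """AH input: IP header with only the mutable fields zeroed (TOS,
    flags/fragment offset, TTL, header checksum). Addresses stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h) + ah_fixed + b"\x00" * ICV_LEN + payload

def build_ah(src, dst, payload, spi=0x1001, seq=1):
    # Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence
    ah_fixed = struct.pack("!BBHII", PROTO_UDP, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip = ipv4_header(src, dst, PROTO_AH, 12 + ICV_LEN + len(payload))
    return ip + ah_fixed + icv(ah_icv_input(ip, ah_fixed, payload)) + payload

def verify_ah(pkt):
    ip, ah_fixed = pkt[:20], pkt[20:32]
    tag, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(tag, icv(ah_icv_input(ip, ah_fixed, payload)))

def build_esp_null(src, dst, payload, spi=0x2001, seq=1):
    # NULL encryption: the payload is carried in the clear, padded so that
    # payload + padding + (pad length, next header) is a multiple of 4 octets.
    pad = (-(len(payload) + 2)) % 4
    body = (struct.pack("!II", spi, seq) + payload + bytes(range(1, pad + 1))
            + bytes([pad, PROTO_UDP]))
    ip = ipv4_header(src, dst, PROTO_ESP, len(body) + ICV_LEN)
    return ip + body + icv(body)

def verify_esp_null(pkt):
    # The outer IP header (bytes 0..19) is not part of the ESP integrity check.
    return hmac.compare_digest(pkt[-ICV_LEN:], icv(pkt[20:-ICV_LEN]))

def rewrite_ip(pkt, new_src=None, ttl_delta=0):
    """What a router (TTL) or an address-translating intermediary does."""
    h = bytearray(pkt[:20])
    if new_src:
        h[12:16] = socket.inet_aton(new_src)
    h[8] -= ttl_delta
    return with_checksum(bytes(h)) + pkt[20:]

def flip_byte(pkt, offset):
    return pkt[:offset] + bytes([pkt[offset] ^ 0xFF]) + pkt[offset + 1:]

def run_cases():
    src, dst, nat = "192.0.2.10", "198.51.100.7", "203.0.113.5"  # documentation ranges
    payload = b"constructed upper-layer payload"
    results = {}
    for name, build, verify, payload_off in (
            ("ah", build_ah, verify_ah, 20 + 12 + ICV_LEN),
            ("esp_null", build_esp_null, verify_esp_null, 20 + 8)):
        pkt = build(src, dst, payload)
        results[name] = {
            "intact": verify(pkt),
            "ttl_decremented": verify(rewrite_ip(pkt, ttl_delta=1)),
            "source_rewritten": verify(rewrite_ip(pkt, new_src=nat)),
            "payload_modified": verify(flip_byte(pkt, payload_off)),
        }
    return results

if __name__ == "__main__":
    for proto, outcome in run_cases().items():
        print(proto, outcome)
```

Both checks survive a TTL decrement and both reject a modified payload; only the source-address rewrite separates them, failing under AH and passing unnoticed under ESP-NULL.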

From weiler+secdir@watson.org  Fri Dec 11 10:30:54 2009
Date: Fri, 11 Dec 2009 13:30:40 -0500 (EST)
From: Samuel Weiler <weiler+secdir@watson.org>
X-X-Sender: weiler@fledge.watson.org
To: secdir@ietf.org
Message-ID: <alpine.BSF.2.00.0912111320180.51292@fledge.watson.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Subject: [secdir] Assignments
Reply-To: secdir-secretary@mit.edu

Nothing has been added to next week's IESG agenda since I sent the 
interim assignments on Tuesday.  There are, however, five new LC 
assignments.

Eric Rescorla is next in the rotation.

Review instructions and related resources are at:
       http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

-- Sam

For telechat 2009-12-17

Reviewer                 Deadline   Draft
Donald Eastlake        T 2009-12-15 draft-cheshire-dnsext-multicastdns-08
Steve Hanna            T 2009-12-15 draft-ietf-rohc-rfc4995bis-02
Sam Hartman            T 2009-12-15 draft-ietf-tls-renegotiation-01
Love Hornquist-Astrand T 2009-12-15 draft-ietf-ccamp-confirm-data-channel-status-08
Alexey Melnikov        TR2009-12-15 draft-ietf-tsvwg-admitted-realtime-dscp-06
Hannes Tschofenig      T 2009-12-15 draft-ietf-l3vpn-ospfv3-pece-04
Larry Zhu              T 2009-12-15 draft-ietf-rohc-hcoipsec-12
Glen Zorn              TR2009-12-15 draft-ietf-rohc-ikev2-extensions-hcoipsec-10

For telechat 2010-01-07

Reviewer                 Deadline   Draft
Eric Rescorla          T 2010-01-05 draft-gennai-smime-cnipa-pec-05

Last calls and special requests:

Reviewer                 Deadline   Draft
Rob Austein              2009-11-28 draft-ietf-pkix-attr-cert-mime-type-02
Dave Cridland            2009-11-25 draft-ietf-nsis-qspec-22
Alan DeKok               2009-10-01 draft-ietf-enum-enumservices-transition-04
Alan DeKok               2009-12-07 draft-ietf-capwap-802dot11-mib-05
Love Hornquist-Astrand   2009-06-29 draft-ietf-opsawg-smi-datatypes-in-xsd-05
Love Hornquist-Astrand   2009-10-13 draft-ietf-idnabis-mappings-05
Jeffrey Hutzelman        2009-10-15 draft-ietf-idnabis-protocol-17
Jeffrey Hutzelman        2009-12-07 draft-ietf-capwap-base-mib-06
Charlie Kaufman          2009-12-14 draft-ietf-dkim-deployment-09
Scott Kelly              2009-12-14 draft-ietf-fecframe-dvb-al-fec-03
Stephen Kent            R2010-01-07 draft-ietf-smime-cms-rsa-kem-10
Stephen Kent             2009-12-10 draft-ietf-tsvwg-rsvp-security-groupkeying-05
Barry Leiba              2009-12-16 draft-xli-behave-ivi-05
Chris Lonvick            2010-01-01 draft-giralt-schac-ns-02
David McGrew             2009-12-18 draft-ietf-ccamp-gmpls-ethernet-arch-07
Catherine Meadows        2008-01-17 draft-ietf-speechsc-mrcpv2-20
Catherine Meadows        2009-12-22 draft-ietf-sipping-config-framework-16
Russ Mundy               2009-10-21 draft-ietf-hokey-preauth-ps-10
Russ Mundy               2010-01-01 draft-ohba-pana-pemk-03
Sandy Murphy            R2009-11-18 draft-ietf-mpls-mpls-and-gmpls-security-framework-07
Sandy Murphy             2010-01-14 draft-turner-ecprivatekey-02
Vidya Narayanan          2008-11-21 draft-ietf-sip-saml-06
Chris Newman             2010-01-07 draft-ietf-krb-wg-preauth-framework-15
Magnus Nystrom           2009-12-24 draft-josefsson-kerberos5-starttls-07
Hilarie Orman            2010-01-14 draft-kato-tls-rfc4132bis-04
Radia Perlman            2009-12-10 draft-bryan-http-digest-algorithm-values-update-03
Radia Perlman            2009-12-25 draft-ohba-802dot21-basic-schema-06
Joe Salowey              2009-02-08 draft-ietf-geopriv-lis-discovery-13
Hannes Tschofenig        2009-04-23 draft-ietf-pce-monitoring-05
Sam Weiler               2008-08-13 draft-chown-v6ops-rogue-ra-03
Brian Weis               2009-10-20 draft-ietf-l3vpn-e2e-rsvp-te-reqts-04
Nico Williams            2008-08-13 draft-ietf-v6ops-ra-guard-04
Larry Zhu                2008-08-13 draft-thaler-v6ops-teredo-extensions-05
Larry Zhu                2009-05-09 draft-ietf-ecrit-location-hiding-req-02


From gwz@net-zen.net  Fri Dec 11 13:57:23 2009
From: "Glen Zorn" <gwz@net-zen.net>
To: <iesg@ietf.org>, <secdir@ietf.org>, <ertekin_emre@bah.com>, <christou_chris@bah.com>, <ro@breakcheck.com>, <kivinen@safenet-inc.com>, <cabo@tzi.org>, <rohc-chairs@tools.ietf.org>
References: 
In-Reply-To: 
Date: Fri, 11 Dec 2009 13:56:58 -0800
Organization: Network Zen
Message-ID: <004801ca7aac$dcf92700$96eb7500$@net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcpJgUZTvvSj8esxQBWoNMBBXN7O9gxIXCBA
Content-Language: en-us
Subject: [secdir] secdir review of draft-ietf-rohc-ikev2-extensions-hcoipsec-10

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

This is a re-review; my comments on the previous version are reproduced
below.  Most of the issues that I raised in my previous review have been
addressed; however, a few remain (see below).

COMMENTS
There is still no "Intended status" line in the first page header.


SECTION 3.1.1

Paragraph 1, last line says: "The ROHC Attribute is shown in Figure 2."
Suggest changing this to "The format of the ROHC Attribute is shown in
Figure 2."

I would still prefer bifurcating the ROHC Attribute number space over using
a 15-bit type and a flag, but I suppose that is mostly a matter of taste.


SECTION 3.1.2

The description of the MAX_CID attribute says in part "The range of values
for MAX_CID MUST be at least 0 and at most 16383 (the value 0 implies having
one context)."  This seems a little clumsy to me; suggest changing to
something like "The range of values for the MAX_CID attribute is
[0...16383], the value 0 signifying a single context."  On the other hand,
the use of zero to mean one is less than intuitive, so maybe a better idea
would be "The range of values for the MAX_CID attribute is [1...16383]."
QUESTION: Is the maximum number of contexts 16383 or 16384?


SECTION 5

This section has changed quite a bit, but I think that the results are not
altogether positive.  It says that the IANA allocation policy for ROHC
attributes is "Designated Expert", but fully half the attribute space is
given over to "Private Use"; this seems self-contradictory.  It also assumes
that there will be an IETF Last Call but I don't see that as being a
requirement of the "Designated Expert" policy as described in RFC 5226, nor
of RFC publication.  I would suggest that this section be reworked to give
explicit instructions to the IANA WRT the allocation of values (presupposing
that none of the "canned" policies in RFC 5226 are applicable).

 
SECTION 6

If the people mentioned in paragraph 1 actually contributed to the document,
maybe this paragraph should be moved to a new "Contributors" section.

What, no acknowledgement for me? ;-)


SECTION 7

Should RFC 5226 be a normative reference?

Hope this helps.

~gwz


> -----Original Message-----
> From: Glen Zorn [mailto:gwz@net-zen.net]
> Sent: Saturday, October 10, 2009 12:12 AM
> To: 'iesg@ietf.org'; 'secdir@ietf.org'; 'ertekin_emre@bah.com';
> 'christou_chris@bah.com'; 'ro@breakcheck.com';
> 'kivinen@safenet-inc.com'; 'cabo@tzi.org'; 'rohc-chairs@tools.ietf.org'
> Subject: secdir review of draft-ietf-rohc-ikev2-extensions-hcoipsec-09
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors.  Document editors and WG chairs should treat these
> comments just like any other last call comments.
> 
> 
> 
> COMMENTS
> 
> General
> -------
> There are lots of occurrences of constructions similar to "The Notify
> Payload (defined in [IKEV2]) is illustrated in Figure 1."  Roughly
> translated into English, this says "The Notify Payload (defined in the
> reference to RFC 4306) is illustrated in Figure 1." which, of course is
> nonsense: the _reference_ to RFC 4306 doesn't define, the document does.
> Suggest changing all such instances to something like "The Notify
> Payload (defined in RFC 4302 [IKEV2]) is illustrated in Figure 1."
> 
> Abstract
> --------
> I can't tell what the intended status of this draft might be (i.e.,
> Standards Track, etc.).  The I-D Tracker says that the draft wants to be
> a Proposed Standard, but there is no reference to RFC 2119 nor any use
> of 2119 keywords.  It might be a good idea to fix this (under the
> assumption that the editor will do so, I'll not further comment upon
> 'must' that probably should be 'MUST', etc.).
> 
> There shouldn't be any references in the Abstract.
> 
> The acronym "ROHC" should be expanded on first usage.
> 
> 
> Section 2.1
> -----------
> Paragraph 4 says:
> 
>    A new Notify Message Type value, denoted ROHC_SUPPORTED, indicates
>    that the Notify payload is conveying ROHC channel parameters.  The
>    value for the ROHC_SUPPORTED message is specified in Section 4.
> 
> However, that's not really true: section 4 just says that IANA needs to
> assign a value.  Suggest changing to:
> 
>    A new Notify Message Type value, denoted ROHC_SUPPORTED, indicates
>    that the Notify payload is conveying ROHC channel parameters (Section
> 4).
> 
> 
> The description of the Notify Payload fields doesn't include the SPI
> field or the Notification Data field.  Since the SPI Size field is
> specified to be zero, I would assume that the SPI field itself must be
> omitted.  Is that correct?  If so (RFC 4306 isn't crystalline on the
> subject, either) & since the diagram of the payload and the description
> are specific to this application, I think that this should be stated, if
> not illustrated in the diagram itself.  Also, I think that the contents
> of the Notification Data field should be described; maybe something like
> 
>    Notification Data (variable length) (2 octets)
>       This field contains three or more ROHC Attributes (section 2.1.1).
> 
> I find the headings for this section and the next misleading: this
> section is headed "ROHC Channel Parameters that are Signaled" when it
> actually seems to be talking about the "ROHC_SUPPORTED Notify Message",
> while the next is headed "ROHC_SUPPORTED Notify Message" when it is
> actually describing "ROHC Attributes".  Suggest changing the headings
> accordingly.
> 
> 
> Section 2.1.1
> -------------
> The format and description of the ROHC Attribute are quite confusing: on
> the one hand, the ROHC Attribute Type field is stated to be 2 octets in
> length, but on the other hand the actual value is only 15 bits (as
> reflected in the IANA Considerations section); further, since the length
> is not reflected in the registry value itself, an implementation would
> need to set the AF bit (claimed to be, but not, part of the Attribute
> Type) according to the Attribute type.  A different, perhaps more
> elegant, way to accomplish the same goal might be to dispense with the
> AF bit altogether and simply specify that fixed-length Attributes are
> numbered 0x8000-0xFFFF, while variable-length Attributes are allocated
> from the range 0x0000-0x7FFF.
> 
> 
> Section 2.1.2
> -------------
> The sub-headings on the attribute descriptions are disconcerting: since
> the first paragraph lists the attributes by name (MAX_CID, etc.), I
> scanned for those in the following paragraphs but was met with textual
> descriptions (like "Maximum Context Identifier") which might better be
> placed in the description itself.  Suggest changing them to list the
> name first; it might also be nice to put the actual Attribute number in
> the header for quick reference.  So the suggestion is to change, for
> example,
> 
>    Maximum Context Identifier (MAX_CID, AF = 1)
>       The MAX_CID attribute is a mandatory attribute.  Exactly one
> to
> 
>    MAX_CID (Maximum Context Identifier, AF = 1)
>       The MAX_CID attribute is a mandatory attribute.  Exactly one
> 
> or (if you accept my numbering suggestion above)
> 
>    MAX_CID (0x8001)
>       The MAX_CID (Maximum Context Identifier) attribute is a
>       mandatory attribute.  Exactly one
> 
> Under ROHC_INTEG it says "The attribute contains an integrity
> algorithm".  I'm assuming that this is actually not true (unless some
> _really_ amazing advances in compression have occurred recently ;-).
> Suggest changing to "The attribute value contains the identifier of an
> integrity algorithm".
> 
> Under "ROHC_ICV_LEN":
>    The acronym "ICV" should be expanded on first usage.
>    Suggest changing "If ROHC_ICV_LEN length is zero" to "If the value
>    of the ROHC_ICV_LEN attribute is zero"
> 
> Under "MRRU" it says "If present, the attribute value is two octets in
> length." but this doesn't seem to make sense.  Suggest changing to "The
> attribute value is two octets in length."
> 
> 
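The Section 2.1.1 comment above compares an AF bit in the type field with splitting the number space at 0x8000. The following added example (not code from the draft or from the reviewer) parses a run of ROHC Attributes with bounds checks and shows that both readings classify every 16-bit value identically. It assumes the IKEv2-style layout in which a set AF bit is followed by a 2-octet value and a clear AF bit by a 2-octet length and that many value octets; the function names and the second attribute in the sample are hypothetical.

```python
import struct

AF_BIT = 0x8000     # top bit of the 2-octet type field as it appears on the wire
TYPE_MASK = 0x7FFF  # the 15-bit number a registry lists under the AF-bit scheme


def is_fixed_by_af_bit(wire_type):
    """AF-bit reading: the attribute is fixed-length when the top bit is set."""
    return bool(wire_type & AF_BIT)


def is_fixed_by_range(wire_type):
    """Range reading suggested in the review: 0x8000-0xFFFF are fixed-length."""
    return 0x8000 <= wire_type <= 0xFFFF


def schemes_agree():
    """Check every possible 16-bit type value under both readings."""
    return all(is_fixed_by_af_bit(t) == is_fixed_by_range(t) for t in range(0x10000))


def parse_attributes(data):
    """Split a byte string into attributes, rejecting truncated input.

    Assumed layout (not taken from the page): fixed-length attributes carry
    a 2-octet value; variable-length ones carry a 2-octet length, then data.
    """
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated attribute header at offset %d" % pos)
        wire_type, second = struct.unpack_from("!HH", data, pos)
        pos += 4
        if is_fixed_by_af_bit(wire_type):
            value = struct.pack("!H", second)  # the second field is the value
        else:
            # The second field is a length supplied by the peer: check it
            # against what is actually left before slicing.
            if second > len(data) - pos:
                raise ValueError("attribute length %d exceeds remaining data" % second)
            value = data[pos:pos + second]
            pos += second
        attrs.append({
            "wire_type": wire_type,
            "registry_value": wire_type & TYPE_MASK,
            "fixed_length": is_fixed_by_af_bit(wire_type),
            "value": value,
        })
    return attrs


# Constructed sample: MAX_CID as 0x8001 (the number used in the review) with a
# made-up value of 15, followed by a hypothetical variable-length attribute
# 0x0002 carrying three octets.
SAMPLE = struct.pack("!HH", 0x8001, 15) + struct.pack("!HH", 0x0002, 3) + b"\xaa\xbb\xcc"

if __name__ == "__main__":
    for attr in parse_attributes(SAMPLE):
        print(hex(attr["wire_type"]), attr["registry_value"],
              attr["fixed_length"], attr["value"].hex())
    print("schemes agree on all 65536 values:", schemes_agree())
```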



From shanna@juniper.net  Fri Dec 11 15:01:33 2009
Return-Path: <shanna@juniper.net>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 954023A68F3; Fri, 11 Dec 2009 15:01:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fT3IVsQcimzp; Fri, 11 Dec 2009 15:01:32 -0800 (PST)
Received: from exprod7og106.obsmtp.com (exprod7og106.obsmtp.com [64.18.2.165]) by core3.amsl.com (Postfix) with ESMTP id 9887D3A68F6; Fri, 11 Dec 2009 15:01:30 -0800 (PST)
Received: from source ([66.129.224.36]) (using TLSv1) by exprod7ob106.postini.com ([64.18.6.12]) with SMTP ID DSNKSyLPPlS+U7ZrA5jju831KZmZq9DDnX6d@postini.com; Fri, 11 Dec 2009 15:01:21 PST
Received: from p-emfe02-wf.jnpr.net (172.28.145.25) by P-EMHUB02-HQ.jnpr.net (172.24.192.36) with Microsoft SMTP Server (TLS) id 8.1.393.1; Fri, 11 Dec 2009 14:59:34 -0800
Received: from EMBX01-WF.jnpr.net ([fe80::1914:3299:33d9:e43b]) by p-emfe02-wf.jnpr.net ([fe80::c126:c633:d2dc:8090%11]) with mapi; Fri, 11 Dec 2009 17:59:33 -0500
From: Stephen Hanna <shanna@juniper.net>
To: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-rohc-rfc4995bis@tools.ietf.org" <draft-ietf-rohc-rfc4995bis@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Date: Fri, 11 Dec 2009 17:59:09 -0500
Thread-Topic: secdir review of draft-ietf-rohc-rfc4995bis-01
Thread-Index: Acp4MKAIMZ3QHusWS0yAOB7er4hAdgCe2nhg
Message-ID: <AC6674AB7BC78549BB231821ABF7A9AE8FFA34B74C@EMBX01-WF.jnpr.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [secdir] secdir review of draft-ietf-rohc-rfc4995bis-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2009 23:01:33 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors should treat these comments
just like any other last call comments.

Before providing my review, I will state that I do not have any
substantial experience or expertise with ROHC or with header
compression in general. My comments therefore should be taken
as those of a security expert but not a ROHC expert.

This document is an updated version of RFC 4995: The RObust Header
Compression (ROHC) Framework. Mainly, it fixes an error in the
definition of the ROHC feedback format. I won't explain the error
here since it's not significant from a security perspective and
the fix looks good to me. I am assuming that the WG participants
have dealt with any compatibility issues introduced by having the
erroneous spec out there for two years or so.

I have three comments on this document:

1) Currently, the document does not actually say what was fixed.
   The only reference to the fix is this paragraph in the abstract:

   This specification obsoletes RFC 4995.  It fixes one interoperability
   issue that was erroneously introduced in RFC 4995, and adds some
   minor clarifications.

   I suggest adding a paragraph somewhere in the Introduction (maybe
   at the end) that explains what the issue was and how it was fixed.
   Otherwise, readers will be left wondering. They may have to do a
   diff, like I did. Unfortunately, the reference format changed
   from [1] to [RFC2119] between RFC 4995 and this draft so the diff
   is about 30 pages of meaningless differences with one real change.

2) Have the editors verified that all contributors to the document
   are OK with granting the new rights granted in RFC 5378 on top
   of the rights that they originally granted under RFC 3978? This
   would include anyone who contributed text that has been held over
   from RFC 4995 and RFC 3095 and their employers at the time of
   the contribution, or other assignees. I suspect that
   the answer is no. If I'm right, the editors should use the text
   designed for this situation, which is included in section 6.c.iii
   of the IETF Trust Legal Provisions Relating to IETF Documents.

3) The Security Considerations of this document are pretty good.
   However, I think that they may ignore a particular risk of
   using header compression. Namely, it seems to me that using
   header compression would substantially increase the complexity
   of the devices that perform the compression and decompression
   vs. the complexity without header compression. For example,
   a switch or router must now maintain per-flow ROHC state and
   implement the ROHC protocols, which are a bit complex. This
   complexity may result in implementation bugs that could be
   exploited by an attacker sending a packet through the system
   with a particular format designed to exploit the flaw. If
   any device along the packet's path is vulnerable, the flaw
   will be exploited. Depending on the nature of the coding
   error, such a vulnerability could result in denial of
   service or compromise of the vulnerable device. It could
   even result in a cascading failure where all the vulnerable
   devices on the path are compromised. The fact that ROHC is
   a stateful protocol means that testing will be more complex.
   And the fact that application layer protocol headers are
   compressed introduces the possibility that an untrusted
   application allowed to send application layer data could
   exploit vulnerabilities in network devices that implement
   ROHC. To address these concerns, I propose adding a new
   paragraph in the Security Considerations:

   Implementing a ROHC compressor or decompressor is not a
   trivial task. It can add vulnerabilities to a device.
   Implementors should practice safe coding techniques and
   recognize that both compressed and uncompressed packets
   can come from malicious or compromised sources that may
   send malformed packets and otherwise attempt to exploit
   vulnerabilities. Regard all packets with care to protect
   your implementation from such attacks. Otherwise, the
   compromise of one network element may result in a
   cascading sequence of compromises.

I apologize for sending this review a week after the close
of the IETF Last Call on this document. I hope that this
feedback will still be useful.

Thanks,

Steve

From shanna@juniper.net  Sat Dec 12 04:00:01 2009
Return-Path: <shanna@juniper.net>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3E4853A68B3; Sat, 12 Dec 2009 04:00:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aIWEPbFcA2jZ; Sat, 12 Dec 2009 04:00:00 -0800 (PST)
Received: from exprod7og117.obsmtp.com (exprod7og117.obsmtp.com [64.18.2.6]) by core3.amsl.com (Postfix) with ESMTP id 63E2D3A67BE; Sat, 12 Dec 2009 03:59:55 -0800 (PST)
Received: from source ([66.129.224.36]) (using TLSv1) by exprod7ob117.postini.com ([64.18.6.12]) with SMTP ID DSNKSyOFrtiDcSVd/Ekz2K2d86JO5gjw3fOc@postini.com; Sat, 12 Dec 2009 03:59:48 PST
Received: from p-emfe01-wf.jnpr.net (172.28.145.24) by P-EMHUB02-HQ.jnpr.net (172.24.192.36) with Microsoft SMTP Server (TLS) id 8.1.393.1; Sat, 12 Dec 2009 03:59:11 -0800
Received: from EMBX01-WF.jnpr.net ([fe80::1914:3299:33d9:e43b]) by p-emfe01-wf.jnpr.net ([fe80::d0d1:653d:5b91:a123%11]) with mapi; Sat, 12 Dec 2009 06:59:10 -0500
From: Stephen Hanna <shanna@juniper.net>
To: "kristofer.sandlund@ericsson.com" <kristofer.sandlund@ericsson.com>, "pele@sm.luth.se" <pele@sm.luth.se>, "lars-erik@lejonsson.com" <lars-erik@lejonsson.com>
Date: Sat, 12 Dec 2009 06:58:45 -0500
Thread-Topic: secdir review of draft-ietf-rohc-rfc4995bis-01
Thread-Index: Acp4MKAIMZ3QHusWS0yAOB7er4hAdgCe2nhgAAsvEsAAElokIA==
Message-ID: <AC6674AB7BC78549BB231821ABF7A9AE8FFA34B821@EMBX01-WF.jnpr.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-rohc-rfc4995bis-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Dec 2009 12:00:01 -0000

I see that issue 1) below has been addressed in a new version
of the draft posted earlier this week. Never mind on that.

Thanks,

Steve

> -----Original Message-----
> From: Stephen Hanna
> Sent: Friday, December 11, 2009 10:13 PM
> To: 'kristofer.sandlund@ericsson.com';
> 'ghyslain.pelletier@ericsson.com'; 'lars-erik@lejonsson.com'
> Subject: FW: secdir review of draft-ietf-rohc-rfc4995bis-01
>
> I think that you may not have seen this email so I'm sending
> it to you directly.
>
> Thanks,
>
> Steve
>
> -----Original Message-----
> From: Stephen Hanna
> Sent: Friday, December 11, 2009 5:59 PM
> To: secdir@ietf.org;
> 'draft-ietf-rohc-rfc4995bis@tools.ietf.org'; iesg@ietf.org
> Subject: secdir review of draft-ietf-rohc-rfc4995bis-01
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors should treat these comments
> just like any other last call comments.
>
> Before providing my review, I will state that I do not have any
> substantial experience or expertise with ROHC or with header
> compression in general. My comments therefore should be taken
> as those of a security expert but not a ROHC expert.
>
> This document is an updated version of RFC 4995: The RObust Header
> Compression (ROHC) Framework. Mainly, it fixes an error in the
> definition of the ROHC feedback format. I won't explain the error
> here since it's not significant from a security perspective and
> the fix looks good to me. I am assuming that the WG participants
> have dealt with any compatibility issues introduced by having the
> erroneous spec out there for two years or so.
>
> I have three comments on this document:
>
> 1) Currently, the document does not actually say what was fixed.
>    The only reference to the fix is this paragraph in the abstract:
>
>    This specification obsoletes RFC 4995.  It fixes one interoperability
>    issue that was erroneously introduced in RFC 4995, and adds some
>    minor clarifications.
>
>    I suggest adding a paragraph somewhere in the Introduction (maybe
>    at the end) that explains what the issue was and how it was fixed.
>    Otherwise, readers will be left wondering. They may have to do a
>    diff, like I did. Unfortunately, the reference format changed
>    from [1] to [RFC2119] between RFC 4995 and this draft so the diff
>    is about 30 pages of meaningless differences with one real change.
>
> 2) Have the editors verified that all contributors to the document
>    are OK with granting the new rights granted in RFC 5378 on top
>    of the rights that they originally granted under RFC 3978? This
>    would include anyone who contributed text that has been held over
>    from RFC 4995 and RFC 3095 and their employers at the time of
>    the contribution, or other assignees. I suspect that
>    the answer is no. If I'm right, the editors should use the text
>    designed for this situation, which is included in section 6.c.iii
>    of the IETF Trust Legal Provisions Relating to IETF Documents.
>
> 3) The Security Considerations of this document are pretty good.
>    However, I think that they may ignore a particular risk of
>    using header compression. Namely, it seems to me that using
>    header compression would substantially increase the complexity
>    of the devices that perform the compression and decompression
>    vs. the complexity without header compression. For example,
>    a switch or router must now maintain per-flow ROHC state and
>    implement the ROHC protocols, which are a bit complex. This
>    complexity may result in implementation bugs that could be
>    exploited by an attacker sending a packet through the system
>    with a particular format designed to exploit the flaw. If
>    any device along the packet's path is vulnerable, the flaw
>    will be exploited. Depending on the nature of the coding
>    error, such a vulnerability could result in denial of
>    service or compromise of the vulnerable device. It could
>    even result in a cascading failure where all the vulnerable
>    devices on the path are compromised. The fact that ROHC is
>    a stateful protocol means that testing will be more complex.
>    And the fact that application layer protocol headers are
>    compressed introduces the possibility that an untrusted
>    application allowed to send application layer data could
>    exploit vulnerabilities in network devices that implement
>    ROHC. To address these concerns, I propose adding a new
>    paragraph in the Security Considerations:
>
>    Implementing a ROHC compressor or decompressor is not a
>    trivial task. It can add vulnerabilities to a device.
>    Implementors should practice safe coding techniques and
>    recognize that both compressed and uncompressed packets
>    can come from malicious or compromised sources that may
>    send malformed packets and otherwise attempt to exploit
>    vulnerabilities. Regard all packets with care to protect
>    your implementation from such attacks. Otherwise, the
>    compromise of one network element may result in a
>    cascading sequence of compromises.
>
> I apologize for sending this review a week after the close
> of the IETF Last Call on this document. I hope that this
> feedback will still be useful.
>
> Thanks,
>
> Steve

From barryleiba@gmail.com  Sun Dec 13 16:16:46 2009
Return-Path: <barryleiba@gmail.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2E5A03A680B; Sun, 13 Dec 2009 16:16:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level: 
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3XtcCyFdFztZ; Sun, 13 Dec 2009 16:16:45 -0800 (PST)
Received: from mail-fx0-f213.google.com (mail-fx0-f213.google.com [209.85.220.213]) by core3.amsl.com (Postfix) with ESMTP id B7C273A67FE; Sun, 13 Dec 2009 16:16:44 -0800 (PST)
Received: by fxm5 with SMTP id 5so2990767fxm.28 for <multiple recipients>; Sun, 13 Dec 2009 16:16:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=2KEQJ+HuwPEe8GNcFRVcmT254NuPs5HaL0FFKf7McEc=; b=S05bZw+ar24AYo386Fqb35LwZlGY+hPBZh45AofCy1bUmakn3DAVfitYDqyPnDZJ9o 60kt+Z4nOO9ao3uJVayk1oy1ud5l8mrW3EgQWUC1th8f1pAnsXK9UjUfLOcu4yxvAJ/y 5Y+1bUYAByF3gT26WLHSxfMFLoThbVdIVy3l8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:date:x-google-sender-auth:message-id:subject :from:to:cc:content-type; b=ErvZSRDwJ+R9/OXzZAYuvK3sDB2lm1nE95NXgqlXuZqwP+RIbLPevuWVGM51fw7YOK qA7DlItzHbLsaUKfyu0daVzfQ5jXff4MUm9/Gq7xUJ6fgjz275XeUzJQAB2q/tkIp7PM 45ZT14fhJ+k5W4oKzjgg4YVu4GBOXBjCV0AYg=
MIME-Version: 1.0
Sender: barryleiba@gmail.com
Received: by 10.103.122.29 with SMTP id z29mr828440mum.117.1260749787795; Sun,  13 Dec 2009 16:16:27 -0800 (PST)
Date: Sun, 13 Dec 2009 19:16:27 -0500
X-Google-Sender-Auth: 9c9dba71c02a97d8
Message-ID: <9abf48a60912131616qc769589qca5c343cb3366676@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: secdir@ietf.org, iesg@ietf.org
Content-Type: text/plain; charset=ISO-8859-1
Cc: fred@cisco.com, draft-xli-behave-ivi@tools.ietf.org
Subject: [secdir] secdir review of draft-xli-behave-ivi-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2009 00:16:46 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This nicely documents what seems to be a rather clever way of helping
IPv6 and IPv4 interoperate, using a sort of address encapsulation
mechanism.  I like the document, I think the scheme it documents is
interesting and useful, and I see no problems with publication
(including from a security perspective; the Security Considerations
section seems adequate).

The document lists its intended status as Informational, while the
tracker shows it as Experimental.  Either could work, of course, but
Informational seems more appropriate here.

Barry
-- 
Barry Leiba  (barryleiba@computer.org)
http://internetmessagingtechnology.org/

From d3e3e3@gmail.com  Sun Dec 13 19:55:38 2009
Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 151E73A687F; Sun, 13 Dec 2009 19:55:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.579
X-Spam-Level: 
X-Spam-Status: No, score=-2.579 tagged_above=-999 required=5 tests=[AWL=0.019,  BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j7-ob76yxnJB; Sun, 13 Dec 2009 19:55:36 -0800 (PST)
Received: from mail-ew0-f214.google.com (mail-ew0-f214.google.com [209.85.219.214]) by core3.amsl.com (Postfix) with ESMTP id A35013A672E; Sun, 13 Dec 2009 19:55:35 -0800 (PST)
Received: by ewy6 with SMTP id 6so1489253ewy.29 for <multiple recipients>; Sun, 13 Dec 2009 19:55:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=B+/j/bYH/ZJ91KoIMUGNIoEaDO9kAuCZsJYFkcV79XU=; b=yFGq57ixHLIR+/3kS8BGmq+UF/FHPgJ2X7SAyyUx72UJ7mx87dG51wYd6NV5r3mKVu YV529shqwUamoLg9/p6T0Ibto5jGbP14f8ScWkR4V5cTTXEANXqeXiME9RKzHvRl8mNo SZEcW13FAcPDmsxxjT2qbcSIHbbYkp41DgBkg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=YU1FtDF7rw/d0Pa6KjIZcAKyrUvbN63B8Ur1OfCEU416FVpuzlZe4t66kxPBr+RNeW LAAbCnv1X5QcHFrlRqWzjmIpqfbjBbNFiBHFzEnio7iHHqHNXgx12/P1T8kBcOAaecDm 4OpiM5P9ytcNa46igW41BqPUD7tJzerY11cBM=
MIME-Version: 1.0
Received: by 10.216.90.136 with SMTP id e8mr1728345wef.110.1260762919430; Sun,  13 Dec 2009 19:55:19 -0800 (PST)
Date: Sun, 13 Dec 2009 22:55:19 -0500
Message-ID: <1028365c0912131955h2272eb7bpddbff3d5b0c222a6@mail.gmail.com>
From: Donald Eastlake <d3e3e3@gmail.com>
To: secdir@ietf.org, IETF Discussion <ietf@ietf.org>
Content-Type: multipart/alternative; boundary=0016e6dab093f569b4047aa83d20
Subject: [secdir] draft-cheshire-dnsext-multicastdns-08.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2009 03:55:38 -0000

--0016e6dab093f569b4047aa83d20
Content-Type: text/plain; charset=ISO-8859-1

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  Document
editors and WG chairs should treat these comments just like any other last
call comments.

This informational draft specifies a multicast link-local variant of DNS
which varies in a number of ways from the IETF DNS standard. Much of it is
written in a style to persuade the reader of the merits of the protocol
specified or head off potential complaints about it.

SECURITY COMMENTS:

The Security Considerations section seems reasonable for an informational
document describing an existing link local usage. The following other
sections have security implications which could be briefly mentioned or
referenced in the Security Considerations section.

Section 4 mentions dependence of earlier versions on IP TTL 255 to detect
link local.

Section 14 gives various details related to failing over to multicast DNS
from classic DNS and having the TLD ".local" in one's search list.

Section 21.2 (Arguments for using a different port (UDP port 5353):) points
out that use of 5353 is more convenient for unprivileged clients providing
mDNS on systems where they could not access a low numbered port like 53. But
this seems to imply some sort of security risk of making it easier for a
random unauthorized client doing this.

OTHER COMMENTS:

Section 3.1/3.2. I don't want to comment on the politics of this but it
strikes me as a bad idea to dilute the claim on .local. by giving a bunch of
alternatives. Just stick to .local. I support its use for, well, "local"
names. :-)  And numeric TLDs are a really bad idea, conflicting in commonly
accepted syntax with IP addresses.

Section 3.3 (Maximum Multicast DNS Name Length). As far as I know, and I've
checked with experts, the answer is that the wire encoded limit is 255 bytes
including the final zero value terminating byte that is the length of the
root label. That's clearly what RFC 1034 says. "all label octets and label
lengths" means *ALL*, including the label length for the root label. In this
regard, RFC 2181 is simply confusing/confused. RFC 2181 appears to be
talking about text representations of DNS names, not wire encoding. It talks
about "separators", which are the periods between labels, which have nothing
to do with the DNS length limit which is defined with reference to the wire
encoding. So, "example.com" has 10 bytes of text labels plus 1 byte of text
separator, for a text length of 11. But its wire encoding has length 13, one
for the length of "example", seven for "example", one for the length of
"com", three for "com", and one for the length of the root label (which is
the empty label). So, when RFC 2181 talks about "the zero length name" it is
talking about the number of text bytes in the root label, which is zero, not
the wire encoding length, which is one.

Section 20.14 (Name Compression) is questionable. It gives advice that
implementors should do name decompression in all the rdata for RRs that the
implementor knows about. I guess this is not a problem but, due to the
difficulty in updating every old implementation in the world when a new RR
type comes along that has potentially compressible names in rdata, it just
seems impractical to believe that interoperable name compression can be
provided in the rdata of future RRs. Having an explicit list of RRs where
such compression is done, as is also provided by Section 20.14, is fine and
I think it is OK for this to differ from that for classic unicast DNS.
Other/future RRs should just be handled as in RFC 3597.

Section 8 (Responding), 3rd paragraph, last line. "must not" -> "MUST NOT".

Section 9.2 (Simultaneous Probe Tie-Breaking). I was initially puzzled by
all the stuff about initially comparing the class of answers. When you do a
query, you only get answers for the class you queried. True, there is a
qclass "*" (0x00FF) for any class, but why would you be using that?
Different classes are meant to be completely disjoint spaces. Names are
explicitly local to a class in DNS. However, I concluded you were just
trying to compare the top bit of the rrclass field which this spec
re-defines... Maybe this should be clarified.

Section 20.3 (OPCODE), the parenthetical "(only standard queries are
currently supported over multicast, unless other queries are allowed by some
future extension to the Multicast DNS specification)" is internally
inconsistent. The allowing of something in the future has no effect on the
current state. Suggest just saying "(only standard queries are currently
supported over multicast)".

Section 22 (Summary of Differences Between Multicast DNS and Unicast DNS),
I'm not convinced that all the listed items are actually differences. For
example, defining a clear maximum legal fully qualified domain name size on
the wire is the same but gratuitously different. It's 255 bytes for classic
DNS and you have changed this for mDNS to 256 bytes. Is one byte really
worth the inconsistency?

Section 24.1 (IPv6 Multicast Addresses by Hashing), does this actually not
apply to IPv4? If it does apply to IPv4, some minor rewording of this
section would be called for.

TRIVIA

Section 8 (Responding). "immediately without delay" seems a tad redundant.
Three occurrences, one with a comma. Suggest using one or the other.

Section 17 (Multicast DNS and Power Management), this seems sufficiently
beside the main point of the draft that it could be made an Appendix.

Second paragraph of Section 25, "administered" -> "configured". Administered
could mean anything but configured sounds like you've actually set values.

Thanks,
Donald
=============================
Donald E. Eastlake 3rd   +1-508-634-2066 (home)
155 Beaver Street
Milford, MA 01757 USA
d3e3e3@gmail.com
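
The length arithmetic in the Section 3.3 comment above, as an added example that is not part of the original message or of the draft: an encoder and a decoder for uncompressed DNS names that count the root label's length octet toward the 255-octet limit, following the reading of RFC 1034 given in the review. Function names are illustrative, and presentation-format escapes such as `\.` are not handled.

```python
MAX_LABEL_OCTETS = 63   # longest single label
MAX_NAME_OCTETS = 255   # whole name on the wire, root length octet included


def text_length(name):
    """Octets in the text form: label characters plus the dots between them."""
    if name.endswith("."):
        name = name[:-1]
    return len(name)


def encode_name(name):
    """Encode an ASCII domain name into uncompressed DNS wire format."""
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".") if name else []
    wire = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not raw:
            raise ValueError("empty label inside name")
        if len(raw) > MAX_LABEL_OCTETS:
            raise ValueError("label longer than %d octets" % MAX_LABEL_OCTETS)
        wire.append(len(raw))   # one length octet per label ...
        wire += raw             # ... followed by the label itself
    wire.append(0)              # root label: a lone zero length octet
    if len(wire) > MAX_NAME_OCTETS:
        raise ValueError("wire encoding is %d octets, limit is %d"
                         % (len(wire), MAX_NAME_OCTETS))
    return bytes(wire)


def decode_name(buf, offset=0):
    """Decode an uncompressed name from untrusted bytes.

    Returns (name, octets_consumed). Rejects truncated input, compression
    pointers and reserved label types (length octet above 63), and names
    whose encoding would exceed 255 octets once the root octet is counted.
    """
    labels = []
    pos = offset
    while True:
        if pos >= len(buf):
            raise ValueError("name is not terminated inside the buffer")
        length = buf[pos]
        pos += 1
        if length == 0:
            break
        if length > MAX_LABEL_OCTETS:
            raise ValueError("compression pointer or reserved label type")
        if pos + length > len(buf):
            raise ValueError("label runs past the end of the buffer")
        # Octets used so far, plus this label, plus the root octet to come.
        if (pos - offset) + length + 1 > MAX_NAME_OCTETS:
            raise ValueError("name exceeds %d octets on the wire" % MAX_NAME_OCTETS)
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", pos - offset


def longest_legal_name():
    """A constructed name that lands exactly on the limit: 63.63.63.61."""
    return ".".join(["a" * 63] * 3 + ["a" * 61])


if __name__ == "__main__":
    for name in ("example.com", ".", longest_legal_name()):
        print(text_length(name), len(encode_name(name)))
```

The last line printed shows the gap at the limit: 253 octets of text become 255 on the wire, because four label length octets and the root octet replace three separators.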

--0016e6dab093f569b4047aa83d20
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div><br></div><div>Section 3.3 (Maximum Multicast DNS Name Length). As far=
 as I know, and I&#39;ve checked with experts, the answer is that the wire =
encoded limit is 255 bytes including the final zero value terminating byte =
that is the length of the root label. That&#39;s clearly what RFC 1034 says=
. &quot;<span class=3D"Apple-style-span" style=3D"font-family: arial, sans-=
serif; font-size: 13px; border-collapse: collapse; ">all label octets and l=
abel lengths&quot; means *ALL*, including the label length for the root lab=
el. In this regard, RFC 2181 is simply confusing/confused. RFC 2181 appears=
 to be talking about text representations of DNS names, not wire encoding. =
It talks about &quot;separators&quot;, which are the periods between labels=
, which have nothing to do with the DNS length limit which is defined with =
reference to the wire encoding. So, &quot;<span class=3D"Apple-style-span" =
style=3D"font-size: small; "><a href=3D"http://example.com">example.com</a>=
&quot; has 10 bytes of text labels plus 1 byte of text separator, for a tex=
t length of 11. But its wire encoding has length 13, one for the length of =
&quot;example&quot;, seven for &quot;example&quot;, one for the length of &=
quot;com&quot;, three for &quot;com&quot;, and one for the length of the ro=
ot label (which is the empty label). So, when RFC 2181 talk about &quot;the=
 zero length name&quot; it is talking about the number of text bytes in the=
 root label, which is zero, not the wire encoding length, which is one.</sp=
an></span></div>



<div><br></div><div>Section 20.14 (Name Compression) is questionable. It gi=
ves advice that implementors should do name decompression in all the rdata =
for RRs that the implementor knows about. I guess this is not a problem but=
, due to the difficulty in updating every old implementation in the world w=
hen a new RR type comes along that has potentially compressable names in rd=
ata, it just seems impractical to believe that interoperable name compressi=
on can be provided in the rdata of future RRs. Having an explicit list of R=
Rs where such compression is done, as is also provided by Section 20.14, is=
 fine and I think it is OK for this to differ from that for classic unicast=
 DNS. Other/future RRs should just be handled as in RFC 3597.=A0</div>






<div><div><br></div></div><div>Section 8 (Responding), 3rd paragraph, last =
line. &quot;must not&quot; -&gt; &quot;MUST NOT&quot;.</div><div><br></div>=
<div>Section 9.2 (Simultaneous Probe Tie-Breaking). I was initially puzzled=
 by all the stuff about initially comparing the class of answers. When you =
do a query, you only get answers for the class you queried. True, there is =
a qclass &quot;*&quot; (0x00FF) for any class, but why would you be using t=
hat? Different classes are meant to be completely disjoint spaces. Names ar=
e explicitly local to a class in DNS. However, I concluded you were just tr=
ying to compare the top bit of the rrclass field which this spec re-defines=
... Maybe this should be clarified.</div>



<div><br></div><div>Section 20.3 (OPCODE), the parenthetical &quot;(only st=
andard queries are currently supported over multicast, unless=A0other queri=
es are allowed by some future extension to the Multicast=A0DNS specificatio=
n)&quot; is internally inconsistent. The allowing of something in the futur=
e has no effect on the current state. Suggest just saying=A0&quot;(only sta=
ndard queries are currently supported over multicast)&quot;.</div>







<div><br></div><div>Section 22 (Summary of Differences Between Multicast DN=
S and Unicast DNS), I&#39;m not convinced that all the listed items are act=
ually differences. For example, defining a clear maximum legal fully qualif=
ied domain name size on the wire is the same but gratuitously different. It=
s =A0255 bytes for classic DNS and you have changed this for mDNS to 256 by=
tes. Is one byte really worth the inconsistency?</div>







<div><br></div><div>Section=A024.1 (IPv6 Multicast Addresses by Hashing), d=
oes this actually not apply to IPv4? If it does apply to IPv4, some minor r=
ewording of this section would be called for.</div>
<div><br></div><div>TRIVIA</div><div><br></div><div>Section 8 (Responding).=
 &quot;immediately without delay&quot; seems a tad redundant. Three occurre=
nces, one with a comma. Suggest using one or the other.</div><div><br>



</div><div><div>Section 17 (Multicast DNS and Power Management), this seems=
=A0sufficiently beside the main point of the draft that it could be=A0made =
an Appendix.</div><div><br></div>
</div><div>Second paragraph of Section 25, &quot;administered&quot; -&gt; &=
quot;configured&quot;. Administered could mean anything but configured soun=
ds like you&#39;ve actually set values.</div>


<div><br></div><div>Thanks,</div><div>Donald</div>=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>
 Donald E. Eastlake 3rd =A0 +1-508-634-2066 (home)<br> 155 Beaver Street<br=
> Milford, MA 01757 USA<br> <a href=3D"mailto:d3e3e3@gmail.com" target=3D"_=
blank">d3e3e3@gmail.com</a><br>

--0016e6dab093f569b4047aa83d20--
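
The Section 3.3 comment in the review above distinguishes the text length of a
DNS name from its wire length. The following sketch is an added example, not
part of the original message or of the draft under review; it encodes and
decodes uncompressed names and enforces the classic 255-octet wire limit the
review argues for. All function names are hypothetical.

```python
"""DNS name length: presentation (text) form versus wire form."""

MAX_WIRE_NAME = 255  # RFC 1034: all label octets and label lengths, root included
MAX_LABEL = 63       # a label length must fit in the low six bits of its octet


def split_labels(name: str) -> list:
    """Split a presentation-form name into labels; '' or '.' is the root."""
    if name in ("", "."):
        return []
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def text_length(name: str) -> int:
    """Label bytes plus one separator between labels (the review's text count)."""
    labels = split_labels(name)
    return sum(len(label) for label in labels) + max(len(labels) - 1, 0)


def encode_name(name: str) -> bytes:
    """Encode to wire form: <len><label>... followed by the zero-length root."""
    out = bytearray()
    for label in split_labels(name):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError("label must be 1..63 octets: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)  # the root label's length octet counts toward the limit
    if len(out) > MAX_WIRE_NAME:
        raise ValueError("wire name is %d octets, limit is 255" % len(out))
    return bytes(out)


def decode_name(wire: bytes) -> str:
    """Decode an uncompressed wire name, enforcing the same 255-octet limit."""
    labels = []
    pos = 0
    while True:
        if pos >= len(wire):
            raise ValueError("truncated name: root label missing")
        length = wire[pos]
        if length & 0xC0:
            raise ValueError("compression pointer or reserved label type")
        end = pos + 1 + length
        if end > len(wire):
            raise ValueError("truncated label")
        # A non-root label still needs one more octet for the root label.
        needed = end if length == 0 else end + 1
        if needed > MAX_WIRE_NAME:
            raise ValueError("wire name exceeds 255 octets")
        if length == 0:
            return ".".join(labels) + "."
        labels.append(wire[pos + 1:end].decode("ascii"))
        pos = end


if __name__ == "__main__":
    # Constructed sample names: the review's example, the root, and the
    # longest name that still fits in 255 wire octets.
    longest = ".".join(["a" * 63, "b" * 63, "c" * 63, "d" * 61])
    for sample in ("example.com", ".", longest):
        wire = encode_name(sample)
        print("text=%3d wire=%3d" % (text_length(sample), len(wire)))
```

For any non-root name the wire length is the text length plus two: one octet
for the first label's length and one for the root label.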

From new-work-bounces@ietf.org  Tue Dec 15 08:11:29 2009
Return-Path: <new-work-bounces@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 584883A6A87; Tue, 15 Dec 2009 08:11:29 -0800 (PST)
X-Original-To: new-work@core3.amsl.com
Delivered-To: new-work@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 57FC13A6A7D for <new-work@core3.amsl.com>; Tue, 15 Dec 2009 07:28:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OYO3OE886Ont for <new-work@core3.amsl.com>; Tue, 15 Dec 2009 07:28:53 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by core3.amsl.com (Postfix) with ESMTP id 7E1F43A6A56 for <new-work@ietf.org>; Tue, 15 Dec 2009 07:28:53 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.69) (envelope-from <public-new-work-request@listhub.w3.org>) id 1NKZKI-0006yM-EV for public-new-work-dist@listhub.w3.org; Tue, 15 Dec 2009 15:28:38 +0000
Received: from bart.w3.org ([128.30.52.63]) by frink.w3.org with esmtp (Exim 4.69) (envelope-from <ij@w3.org>) id 1NKZKH-0006wv-QN for public-new-work@listhub.w3.org; Tue, 15 Dec 2009 15:28:37 +0000
Received: from jay.w3.org ([128.30.52.169]) by bart.w3.org with esmtp (Exim 4.69) (envelope-from <ij@w3.org>) id 1NKZKG-0001V7-HE; Tue, 15 Dec 2009 15:28:37 +0000
Received: from localhost ([127.0.0.1] helo=[IPv6:::1]) by jay.w3.org with esmtp (Exim 4.69) (envelope-from <ij@w3.org>) id 1NKZKG-00057o-Ac; Tue, 15 Dec 2009 10:28:36 -0500
Message-Id: <3C183F82-CB62-4DAD-8E75-D631524199E6@w3.org>
From: Ian Jacobs <ij@w3.org>
To: public-new-work@w3.org
Mime-Version: 1.0 (Apple Message framework v936)
Date: Tue, 15 Dec 2009 09:28:36 -0600
X-Mailer: Apple Mail (2.936)
X-W3C-Hub-Spam-Status: No, score=-4.4
X-W3C-Hub-Spam-Report: ALL_TRUSTED=-1.8, BAYES_00=-2.599
X-W3C-Scan-Sig: bart.w3.org 1NKZKG-0001V7-HE 847a9a6c9c531d73f26f940261882185
X-Original-To: public-new-work@w3.org
Archived-At: <http://www.w3.org/mid/3C183F82-CB62-4DAD-8E75-D631524199E6@w3.org>
Resent-From: public-new-work@w3.org
X-Mailing-List: <public-new-work@w3.org> archive/latest/51
X-Loop: public-new-work@w3.org
Resent-Sender: public-new-work-request@w3.org
Precedence: list
Resent-Message-Id: <E1NKZKI-0006yM-EV@frink.w3.org>
Resent-Date: Tue, 15 Dec 2009 15:28:38 +0000
X-Mailman-Approved-At: Tue, 15 Dec 2009 08:11:24 -0800
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.9
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: new-work-bounces@ietf.org
Errors-To: new-work-bounces@ietf.org
X-Mailman-Approved-At: Tue, 15 Dec 2009 08:18:09 -0800
Subject: [secdir] [New-work] Proposed W3C Charter: RDFa Working Group (until	2010-01-26)
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2009 16:11:29 -0000

Hello,

Today W3C Advisory Committee Representatives received a Proposal
to revise the Semantic Web Activity [0] (see the W3C Process
Document description of Activity Proposals [1]). This proposal
includes a draft charter for the RDFa Working Group:
   http://www.w3.org/2009/11/rdfa-wg-charter

As part of ensuring that the community is aware of proposed work at  
W3C, this draft charter is public during the Advisory Committee review  
period.

W3C invites public comments through 2010-01-26 on the proposed  
charter. Please send comments to
public-new-work@w3.org, which has a public archive:
   http://lists.w3.org/Archives/Public/public-new-work/

Other than comments sent in formal responses by W3C Advisory Committee  
Representatives, W3C cannot guarantee a response to comments. If you  
work for a W3C Member [2], please coordinate your comments with your  
Advisory Committee Representative. For example, you may wish to make  
public comments via this list and have your Advisory Committee  
Representative refer to it from his or her formal review comments.

If you should have any questions or need further information, please  
contact Ivan Herman, Team Contact <ivan@w3.org>.

Thank you,

Ian Jacobs, Head of W3C Communications

[0] http://www.w3.org/2001/sw/
[1] http://www.w3.org/2005/10/Process-20051014/activities#ActivityCreation
[2] http://www.w3.org/Consortium/Member/List



--
Ian Jacobs (ij@w3.org)    http://www.w3.org/People/Jacobs/
Tel:                                      +1 718 260 9447


_______________________________________________
New-work mailing list
New-work@ietf.org
https://www.ietf.org/mailman/listinfo/new-work

From kent@bbn.com  Tue Dec 15 10:36:53 2009
Return-Path: <kent@bbn.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 08B233A68C1 for <secdir@core3.amsl.com>; Tue, 15 Dec 2009 10:36:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.607
X-Spam-Level: 
X-Spam-Status: No, score=-2.607 tagged_above=-999 required=5 tests=[AWL=-0.008, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RFDhjRYqIFgf for <secdir@core3.amsl.com>; Tue, 15 Dec 2009 10:36:52 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id 28F903A6AA0 for <secdir@ietf.org>; Tue, 15 Dec 2009 10:36:52 -0800 (PST)
Received: from [192.1.255.196] by smtp.bbn.com with esmtp (Exim 4.63) (envelope-from <kent@bbn.com>) id 1NKcGD-0005ie-C9; Tue, 15 Dec 2009 13:36:37 -0500
Mime-Version: 1.0
Message-Id: <p06240813c74c66966a10@[10.84.130.238]>
Date: Tue, 15 Dec 2009 13:36:35 -0500
To: secdir@ietf.org
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Subject: [secdir] re-review of draft-ietf-smime-cms-rsa-kem
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2009 18:36:53 -0000

I reviewed version 05 of this I-D in July of 2008.  The current version is 10.

My original review cited only two major concerns:

	- the previous version was ambiguous about support for 
Camellia. This version clarifies this issue, making support for 
Camellia a SHOULD.

	- the previous version called for using an algorithm ID (with 
very complex parameters) in a cert to signal when a message recipient 
requires use of RSA-KEM. The authors addressed this concern in 
Section 2.3 (and Appendix B), by stating that these parameters MUST 
be absent when this OID is used in a cert in this context.

I have corresponded with Sean and he suggested that he could provide 
more explicit words re the fact that the parameters MUST be omitted 
when the algorithm OID appears in the SubjectPublicKey field of a 
cert. I encourage Sean to include this additional text.

Steve

From turners@ieca.com  Tue Dec 15 11:54:56 2009
Return-Path: <turners@ieca.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 90FCD3A6AC9 for <secdir@core3.amsl.com>; Tue, 15 Dec 2009 11:54:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.556
X-Spam-Level: 
X-Spam-Status: No, score=-2.556 tagged_above=-999 required=5 tests=[AWL=0.042,  BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pDJkL5LGTxhO for <secdir@core3.amsl.com>; Tue, 15 Dec 2009 11:54:55 -0800 (PST)
Received: from smtp109.biz.mail.re2.yahoo.com (smtp109.biz.mail.re2.yahoo.com [206.190.53.8]) by core3.amsl.com (Postfix) with SMTP id C7E533A67E4 for <secdir@ietf.org>; Tue, 15 Dec 2009 11:54:51 -0800 (PST)
Received: (qmail 54755 invoked from network); 15 Dec 2009 19:54:35 -0000
Received: from pool-71-191-11-55.washdc.east.verizon.net (turners@71.191.11.55 with plain) by smtp109.biz.mail.re2.yahoo.com with SMTP; 15 Dec 2009 11:54:35 -0800 PST
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: YV60f7wVM1lnN8H7BKvD1DdAsx.I4_r2Z_siVjGxFOFlHnilixDUEuPWCwtZAYJvtUlVm4x5yv.euqs6LrCwqVWeGK49HjPuJYL5zSbv7ngSQvFqJKc5yQQqv0AMGyIZuJYgwg2XEKlXZA.3KCofzGezupi3NTpLDB9uUtPN3gbZSxprPHuLaWJjQCUZYU47V6g3Uni9GuiOLBj5Y8TkhUwsAwAjWfPt5fHf9vFdgxAK2Yca0TZcDBrnDFXWxMoRDrDZNckNTEsTHVs780HIcxzzVwmEHZmLzCK_iu8HZdaTD3LkaUOKGY9SW1EFEbqmCC3lfIHTkjnAjcKYi3ZkeoiX3x3bflRo_R96bRQKs8.qmGTHTg.MHRzVwWLH6yz_2WxpyNrqNU2rvFaakGa9qsfHMbFDwySFCIJsrQCmi1zAbXI-
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4B27E97B.2090904@ieca.com>
Date: Tue, 15 Dec 2009 14:54:35 -0500
From: Sean Turner <turners@ieca.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: secdir@ietf.org
References: <p06240813c74c66966a10@[10.84.130.238]>
In-Reply-To: <p06240813c74c66966a10@[10.84.130.238]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [secdir] re-review of draft-ietf-smime-cms-rsa-kem
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2009 19:54:56 -0000

Stephen Kent wrote:
> I reviewed version 05 of this I-D in July of 2008.  The current version 
> is 10.
> 
> My original review cited only two major concerns:
> 
>     - the previous version was ambiguous about support for Camellia. This 
> version clarifies this issue, making support for Camellia a SHOULD.
> 
>     - the previous version called for using an algorithm ID (with very 
> complex parameters) in a cert to signal when a message recipient 
> requires use of RSA-KEM. The authors addressed this concern in Section 
> 2.3 (and Appendix B), by stating that these parameters MUST be absent 
> when this OID is used in a cert in this context.
> 
> I have corresponded with Sean and he suggested that he could provide 
> more explicit words re the fact that the parameters MUST be omitted when 
> the algorithm OID appears in the SubjectPublicKey field of a cert. I 
> encourage Sean to include this additional text.

In the working -11 version I have not yet submitted, I've got the following:

OLD:

The parameters are absent.

NEW:

When the id-rsa-kem algorithm identifier appears in the 
SubjectPublicKeyInfo algorithm field, the encoding SHALL omit the 
parameters field from AlgorithmIdentifier. That is, the 
AlgorithmIdentifier SHALL be a SEQUENCE of one component, the object 
identifier id-rsa-kem.

spt
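
The NEW text above requires an AlgorithmIdentifier that is a SEQUENCE of one
component. The following check is an added example, not code from the draft or
its authors; it accepts only that form and rejects an encoding that carries a
NULL or any other parameters. The id-rsa-kem OID value is not given in this
thread, so a constructed stand-in under the 2.999 example arc is used, and all
function names are hypothetical.

```python
"""Strict DER check: AlgorithmIdentifier holds an OID and nothing else."""

SEQUENCE, OID, NULL = 0x30, 0x06, 0x05

# Constructed stand-in: content octets of OID 2.999.1 (example arc), used in
# place of id-rsa-kem, whose value does not appear in this thread.
SAMPLE_OID = bytes.fromhex("883701")


def read_tlv(buf: bytes, off: int):
    """Return (tag, value, next_offset) for one DER TLV with a one-octet tag."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not supported")
    off += 2
    if first < 0x80:
        length = first                      # short definite form
    else:
        n = first & 0x7F                    # long definite form, n length octets
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        if off + n > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        if length < 0x80 or buf[off] == 0:
            raise ValueError("non-minimal length (not DER)")
        off += n
    end = off + length
    if end > len(buf):
        raise ValueError("truncated value")
    return tag, buf[off:end], end


def check_parameters_absent(alg_id: bytes, expected_oid: bytes) -> str:
    """Return 'ok' only for SEQUENCE { OID }, otherwise the reason for rejection."""
    try:
        tag, body, end = read_tlv(alg_id, 0)
        if tag != SEQUENCE:
            return "not a SEQUENCE"
        if end != len(alg_id):
            return "trailing bytes after AlgorithmIdentifier"
        tag, oid, off = read_tlv(body, 0)
    except ValueError as exc:
        return "malformed DER: %s" % exc
    if tag != OID:
        return "first component is not an OBJECT IDENTIFIER"
    if oid != expected_oid:
        return "unexpected algorithm OID"
    if off != len(body):
        # Anything after the OID is a parameters field, including an explicit NULL.
        return "parameters present (first tag 0x%02x)" % body[off]
    return "ok"


def tlv(tag: int, content: bytes) -> bytes:
    """Build a short-form TLV for the constructed samples below."""
    if len(content) >= 0x80:
        raise ValueError("sample helper handles short lengths only")
    return bytes([tag, len(content)]) + content


# Constructed samples: parameters absent, explicit NULL, and a SEQUENCE of
# parameters standing in for a complex parameter structure.
PARAMS_ABSENT = tlv(SEQUENCE, tlv(OID, SAMPLE_OID))
PARAMS_NULL = tlv(SEQUENCE, tlv(OID, SAMPLE_OID) + tlv(NULL, b""))
PARAMS_SEQ = tlv(SEQUENCE, tlv(OID, SAMPLE_OID) + tlv(SEQUENCE, tlv(NULL, b"")))

if __name__ == "__main__":
    for label, sample in (("absent", PARAMS_ABSENT),
                          ("NULL", PARAMS_NULL),
                          ("SEQUENCE", PARAMS_SEQ)):
        print(label, "->", check_parameters_absent(sample, SAMPLE_OID))
```

An explicit NULL is the case most worth testing, since encoders for other
algorithms commonly emit it where this text requires the field to be omitted.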

From xing@cernet.edu.cn  Wed Dec 16 06:23:51 2009
Return-Path: <xing@cernet.edu.cn>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E64853A67B3; Wed, 16 Dec 2009 06:23:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.269
X-Spam-Level: 
X-Spam-Status: No, score=0.269 tagged_above=-999 required=5 tests=[AWL=0.172,  BAYES_00=-2.599, FH_HAS_XAIMC=2.696]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6ezNTVzZOVJ5; Wed, 16 Dec 2009 06:23:51 -0800 (PST)
Received: from cernet.edu.cn (sea.net.edu.cn [202.112.3.66]) by core3.amsl.com (Postfix) with SMTP id 98A253A681C; Wed, 16 Dec 2009 06:23:49 -0800 (PST)
Received: from [192.168.100.249]([218.67.241.11]) by cernet.edu.cn(AIMC 3.2.0.0) with SMTP id jm04b290c70; Wed, 16 Dec 2009 22:23:14 +0800
Message-ID: <4B28ED47.6040000@cernet.edu.cn>
Date: Wed, 16 Dec 2009 22:23:03 +0800
From: Xing Li <xing@cernet.edu.cn>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Barry Leiba <barryleiba@computer.org>
References: <9abf48a60912131616qc769589qca5c343cb3366676@mail.gmail.com>
In-Reply-To: <9abf48a60912131616qc769589qca5c343cb3366676@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-AIMC-AUTH: xing
X-AIMC-MAILFROM: xing@cernet.edu.cn
X-AIMC-Msg-ID: 4S8muUXB
X-Mailman-Approved-At: Wed, 16 Dec 2009 06:48:32 -0800
Cc: fred@cisco.com, iesg@ietf.org, draft-xli-behave-ivi@tools.ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-xli-behave-ivi-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2009 14:23:52 -0000

Barry Leiba wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> This nicely documents what seems to be a rather clever way of helping
> IPv6 and IPv4 interoperate, using a sort of address encapsulation
> mechanism.  I like the document, I think the scheme it documents is
> interesting and useful, and I see no problems with publication
> (including from a security perspective; the Security Considerations
> section seems adequate).
>
> The document lists its intended status as Informational, while the
> tracker shows it as Experimental.  Either could work, of course, but
> Informational seems more appropriate here.
>
> Barry
>   
Thank you very much for the review and the comments. xing

From mcgrew@cisco.com  Thu Dec 17 15:54:29 2009
Return-Path: <mcgrew@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 323713A68F5; Thu, 17 Dec 2009 15:54:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.599
X-Spam-Level: 
X-Spam-Status: No, score=-7.599 tagged_above=-999 required=5 tests=[AWL=-1.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ybK-BM4zvLLn; Thu, 17 Dec 2009 15:54:28 -0800 (PST)
Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by core3.amsl.com (Postfix) with ESMTP id A06BE3A6875; Thu, 17 Dec 2009 15:54:27 -0800 (PST)
Authentication-Results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApoEAN9TKkurR7Ht/2dsb2JhbAC/H5cphC0E
X-IronPort-AV: E=Sophos;i="4.47,415,1257120000"; d="scan'208";a="121596221"
Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-5.cisco.com with ESMTP; 17 Dec 2009 23:54:13 +0000
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id nBHNsDIm001132; Thu, 17 Dec 2009 23:54:13 GMT
Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959);  Thu, 17 Dec 2009 15:54:13 -0800
Received: from stealth-10-32-254-212.cisco.com ([10.32.254.212]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959);  Thu, 17 Dec 2009 15:54:12 -0800
Message-Id: <86FD1A1E-AE10-4FAB-83D6-BC5042211490@cisco.com>
From: David McGrew <mcgrew@cisco.com>
To: secdir@ietf.org, loa.andersson@ericsson.com, lberger@labn.net, donald.fedyk@alcatel-lucent.com
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Thu, 17 Dec 2009 15:54:11 -0800
X-Mailer: Apple Mail (2.936)
X-OriginalArrivalTime: 17 Dec 2009 23:54:13.0040 (UTC) FILETIME=[3BD79B00:01CA7F74]
Cc: IESG <iesg@ietf.org>
Subject: [secdir] secdir review of draft-ietf-ccamp-gmpls-ethernet-arch-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2009 23:54:29 -0000

I have reviewed this document as part of the security directorate's  
ongoing effort to review all IETF documents being processed by the  
IESG.  These comments were written primarily for the benefit of the  
security area directors.  Document editors and WG chairs should treat  
these comments just like any other last call comments.

Section 9, Security Considerations.

"The architecture for GMPLS controlled "transport" Ethernet assumes
that the network consists of trusted devices"  I believe what is
meant is "The architecture for GMPLS controlled "transport" Ethernet
assumes that the GMPLS core network consists of trusted devices".
This is fairly vague, and it would be useful to use the terms from
draft-ietf-mpls-mpls-and-gmpls-security-framework-07, and say
something like "A GMPLS controlled "transport" Ethernet system should
assume that users and devices attached to UNIs may behave maliciously,
negligently, or incorrectly.  Providers are trusted to not be
malicious."

The document refers the reader to
draft-ietf-mpls-mpls-and-gmpls-security-framework-07 for most security
considerations, which is a fair thing to do.

draft-ietf-mpls-mpls-and-gmpls-security-framework-07 recommends
encryption, so I suggest adding a reference to IEEE 802.1AE Media
Access Control (MAC) Security, like this: "Cryptography can be used to
protect against many attacks described in
[draft-ietf-mpls-mpls-and-gmpls-security-framework-07].  One option for
protecting "transport" Ethernet is the use of 802.1AE Media Access
Control Security, which provides encryption and authentication."

Nit: Section 1. "SONET/SDH TDM" needs a comma

regards,
David

From lberger@labn.net  Fri Dec 18 04:24:08 2009
Return-Path: <lberger@labn.net>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 896B43A6A36 for <secdir@core3.amsl.com>; Fri, 18 Dec 2009 04:24:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level: 
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aCpEaCkBsrCM for <secdir@core3.amsl.com>; Fri, 18 Dec 2009 04:24:08 -0800 (PST)
Received: from outbound-mail-121.bluehost.com (outbound-mail-121.bluehost.com [67.222.38.21]) by core3.amsl.com (Postfix) with SMTP id 5B9603A6A1C for <secdir@ietf.org>; Fri, 18 Dec 2009 04:24:08 -0800 (PST)
Received: (qmail 18788 invoked by uid 0); 18 Dec 2009 12:17:14 -0000
Received: from unknown (HELO box313.bluehost.com) (69.89.31.113) by outboundproxy4.bluehost.com with SMTP; 18 Dec 2009 12:17:14 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=labn.net; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=ua2oS/fW7o5tdhSmu0ZGngOLIGvjcVKZzKsFo6WfzJhyLdXvsEmq6hvBjwedbcwjK7IeeqijYeRscI4K2BXAKloGUIvJer88MatwUWUO7yfwgggPUuvKU0mHxWy7hO2k;
Received: from box313.bluehost.com ([69.89.31.113] helo=[127.0.0.1]) by box313.bluehost.com with esmtpa (Exim 4.69) (envelope-from <lberger@labn.net>) id 1NLbli-0007lI-7v; Fri, 18 Dec 2009 05:17:14 -0700
Message-ID: <4B2B7316.4000103@labn.net>
Date: Fri, 18 Dec 2009 07:18:30 -0500
From: Lou Berger <lberger@labn.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090902 Eudora/3.0b3
MIME-Version: 1.0
To: David McGrew <mcgrew@cisco.com>
References: <86FD1A1E-AE10-4FAB-83D6-BC5042211490@cisco.com>
In-Reply-To: <86FD1A1E-AE10-4FAB-83D6-BC5042211490@cisco.com>
X-Enigmail-Version: 0.96a
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {1038:box313.bluehost.com:labnmobi:labn.net} {sentby:smtp auth 69.89.31.113 authed with lberger@labn.net}
Cc: loa.andersson@ericsson.com, donald.fedyk@alcatel-lucent.com, IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-ccamp-gmpls-ethernet-arch-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2009 12:24:08 -0000

Thank you for the comments!

On 12/17/2009 6:54 PM, David McGrew wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> Section 9, Security Considerations.
> "The architecture for GMPLS controlled "transport" Ethernet assumes
> that the network consists of trusted devices"   I believe what is
> meant is "The architecture for GMPLS controlled "transport" Ethernet
> assumes    that the GMPLS core network consists of trusted devices".
> This is fairly vague, and it would be useful to use the terms from
> draft-ietf-mpls-mpls-and-gmpls-security-framework-07, and say
> something like "A GMPLS controlled "transport" Ethernet system should
> assume that users and devices attached to UNIs may behave maliciously,
> negligently, or incorrectly.  Providers are trusted to not be
> malicious."
> The document refers the reader to draft-ietf-mpls-mpls-and-gmpls-
> security-framework-07 for most security considerations, which is a
> fair thing to do.
> draft-ietf-mpls-mpls-and-gmpls-security-framework-07 recommends
> encryption, so I suggest adding a reference to IEEE 802.1AE Media
> Access Control (MAC) Security, like this: "Cryptography can be used to
> protect against many attacks described in [draft-ietf-mpls-mpls-and-
> gmpls-security-framework-07].  One option for protecting "transport"
> Ethernet is the use of 802.1AE Media Access Control Security, which
> provides encryption and authentication."
> Nit: Section 1. "SONET/SDH TDM" needs a comma
> regards,
> David
>
>
>

From weiler+secdir@watson.org  Fri Dec 18 15:13:25 2009
Date: Fri, 18 Dec 2009 18:13:08 -0500 (EST)
From: Samuel Weiler <weiler+secdir@watson.org>
X-X-Sender: weiler@fledge.watson.org
To: secdir@ietf.org
Message-ID: <alpine.BSF.2.00.0912181810060.73148@fledge.watson.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Fri, 18 Dec 2009 18:13:08 -0500 (EST)
Subject: [secdir] Assignments
Reply-To: secdir-secretary@mit.edu

Juergen Schoenwaelder is next in the rotation.  Documents on the 
telechat agenda typically have a last call end date before the date 
shown below; reviews by the end of last call are typically more 
appreciated by the doc editors.

Review instructions and related resources are at:
       http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

-- Sam


For telechat 2010-01-07

Reviewer                 Deadline   Draft
Scott Kelly            T 2010-01-05 draft-ietf-fecframe-dvb-al-fec-04
Russ Mundy             T 2010-01-05 draft-ohba-pana-pemk-03
Radia Perlman          T 2010-01-05 draft-ohba-802dot21-basic-schema-07
Eric Rescorla          T 2010-01-05 draft-gennai-smime-cnipa-pec-05
Hannes Tschofenig      T 2010-01-05 draft-ietf-pce-monitoring-07

For telechat 2010-01-21

Reviewer                 Deadline   Draft
Joe Salowey            T 2010-01-19 draft-ietf-pana-preauth-08
Stefan Santesson       T 2010-01-19 draft-ietf-trill-rbridge-protocol-14
Larry Zhu              TR2010-01-19 draft-moriarty-post-inch-rid-09

Last calls and special requests:

Reviewer                 Deadline   Draft
Rob Austein              2009-11-28 draft-ietf-pkix-attr-cert-mime-type-02
Dave Cridland            2009-11-25 draft-ietf-nsis-qspec-22
Alan DeKok               2009-10-01 draft-ietf-enum-enumservices-transition-04
Alan DeKok               2009-12-07 draft-ietf-capwap-802dot11-mib-05
Love Hornquist-Astrand   2009-06-29 draft-ietf-opsawg-smi-datatypes-in-xsd-05
Love Hornquist-Astrand   2009-10-13 draft-ietf-idnabis-mappings-05
Jeffrey Hutzelman        2009-10-15 draft-ietf-idnabis-protocol-17
Jeffrey Hutzelman        2009-12-07 draft-ietf-capwap-base-mib-06
Charlie Kaufman          2009-12-14 draft-ietf-dkim-deployment-10
Stephen Kent             2009-12-10 draft-ietf-tsvwg-rsvp-security-groupkeying-05
Chris Lonvick            2010-01-01 draft-giralt-schac-ns-02
Catherine Meadows        2008-01-17 draft-ietf-speechsc-mrcpv2-20
Catherine Meadows        2009-12-22 draft-ietf-sipping-config-framework-16
Russ Mundy               2009-10-21 draft-ietf-hokey-preauth-ps-11
Sandy Murphy            R2009-11-18 draft-ietf-mpls-mpls-and-gmpls-security-framework-07
Sandy Murphy             2010-01-14 draft-turner-ecprivatekey-02
Vidya Narayanan          2008-11-21 draft-ietf-sip-saml-06
Chris Newman             2010-01-07 draft-ietf-krb-wg-preauth-framework-15
Magnus Nystrom           2009-12-24 draft-josefsson-kerberos5-starttls-07
Hilarie Orman            2010-01-14 draft-kato-tls-rfc4132bis-04
Radia Perlman            2009-12-10 draft-bryan-http-digest-algorithm-values-update-03
Eric Rescorla            2010-01-11 draft-brown-versioning-link-relations-05
Joe Salowey              2009-02-08 draft-ietf-geopriv-lis-discovery-13
Juergen Schoenwaelder   R2010-01-13 draft-ietf-behave-turn-uri-05
Sam Weiler               2008-08-13 draft-chown-v6ops-rogue-ra-03
Brian Weis               2009-10-20 draft-ietf-l3vpn-e2e-rsvp-te-reqts-04
Nico Williams            2008-08-13 draft-ietf-v6ops-ra-guard-04
Larry Zhu                2008-08-13 draft-thaler-v6ops-teredo-extensions-05
Larry Zhu                2009-05-09 draft-ietf-ecrit-location-hiding-req-02



From kent@bbn.com  Fri Dec 18 18:23:35 2009
Mime-Version: 1.0
Message-Id: <p06240803c751e90f6344@[192.168.1.3]>
In-Reply-To: <alpine.BSF.2.00.0912181810060.73148@fledge.watson.org>
References: <alpine.BSF.2.00.0912181810060.73148@fledge.watson.org>
Date: Fri, 18 Dec 2009 21:23:14 -0500
To: secdir@ietf.org
From: Stephen Kent <kent@bbn.com>
Content-Type: multipart/mixed; boundary="============_-950933100==_============"
Subject: [secdir] draft-ietf-tsvwg-rsvp-security-groupkeying-05


This is the message I sent to the WG chairs on 11/30, in response to
this special request.

Steve
------

Folks,

As per your request I reviewed the subject document.

It has a LOT of problems:

	- the authors are inconsistent in their use of terms in various
places in the document (e.g., trust zone, trust domain, trust group)

	- the authors do not clearly define what they mean by static,
manual, or dynamic keying. They then make general assertions about
the costs of various keying methods without providing any analysis to
support their assertions.

	- the authors are clearly big proponents of group keying, and
so they sweep under the rug all the details of what one has to do to
authenticate group members to a group key server and what the server
needs to do to distribute keys to the group members. There may be
good arguments for why group keying is preferable to alternatives,
but this document does not make that case.

	- the authors assert that tunnel mode ESP is unsuitable for
use with RSVP due to a MITM vulnerability, but the argument they
present is flawed.

	- the authors assert that using the group keying mechanisms
in RFC 3547 solves the problems of using IPsec with RSVP, which
contradicts statements elsewhere about problems with IPsec protocols
and RSVP.

	- the authors argue that Section 3.1 of RFC 5374 describes
how to use tunnel mode in a way that fixes problems otherwise present
with AH or ESP, but the argument is suspect. The cited section talks
about a new version of tunnel mode for use by security gateways when
sending traffic on multicast SAs, but there is no reason why routers
using RSVP should be viewed as security gateways with respect to RSVP
traffic.

	- overall, the document is very poorly organized. It rambles
and makes arguments in one section that appear to contradict analyses
in other sections.

I have attached an edited version of the document with suggested 
edits and lots of comments.

Steve
[Attachment: draft-ietf-tsvwg-rsvp-security-groupkeying-05.pdf (application/pdf)]

From Radia.Perlman@Sun.COM  Fri Dec 18 19:43:48 2009
Date: Fri, 18 Dec 2009 19:42:00 -0800
From: Radia Perlman <Radia.Perlman@Sun.COM>
Sender: Radia.Perlman@Sun.COM
To: iesg@ietf.org, secdir@ietf.org, anthonybryan@gmail.com
Message-id: <4B2C4B88.2030604@sun.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
Subject: [secdir] secdir review of draft-bryan-http-digest-algorithm-values-update-03

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document just updates the HTTP digest algorithm values, and as such
doesn't really have security considerations.

First a question...this isn't a cryptographic checksum, and it might be
nice if the document said what its purpose is. I assume it's for caching,
so that you can quickly check if a page has changed?

Now not to pick on this spec, but perhaps something IETF might
consider, two issues:

Terminology issue: even though people routinely use the terminology
"SHA-256", perhaps it's time to also include the version of SHA, as in
SHA-2-256, since other versions of SHA might have overlapping sizes with
SHA-1 and SHA-256.

And having a registry for each algorithm for each protocol seems
unwieldy---each time a new algorithm happens, does it mean a bunch of
specs have to come out with an update document like this one? Could it
instead be a single registry that all specs point to?

Radia



From Radia.Perlman@Sun.COM  Fri Dec 18 19:51:49 2009
Date: Fri, 18 Dec 2009 19:50:01 -0800
From: Radia Perlman <Radia.Perlman@Sun.COM>
Sender: Radia.Perlman@Sun.COM
To: iesg@ietf.org, secdir@ietf.org, kenichi.taniuchi@toshiba.co.jp, yoshihiro.ohba@toshiba.co.jp, subir@research.telcordia.com
Message-id: <4B2C4D69.7080708@sun.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
Subject: [secdir] secdir review of draft-ohba-802dot21-basic-schema-07

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document is the specification required by IANA to maintain a global
registry for the RDF schema.

As the security considerations section correctly asserts, there are no
real security considerations for this document.

typo: "acronim" is "acronym"

Radia

From charliek@microsoft.com  Fri Dec 18 22:38:30 2009
From: Charlie Kaufman <charliek@microsoft.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "tony+dkimov@maillennium.att.com" <tony+dkimov@maillennium.att.com>, "dkim@esiegel.net" <dkim@esiegel.net>, "phillip@hallambaker.com" <phillip@hallambaker.com>, "dcrocker@bbiw.net" <dcrocker@bbiw.net>, "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "barryleiba@computer.org" <barryleiba@computer.org>, "ietf-dkim@mipassoc.org" <ietf-dkim@mipassoc.org>
Thread-Topic: Secdir review of draft-ietf-dkim-deployment-10.txt
Thread-Index: AcqAddMLj/a/j0q5QOmyQX86zq6iRQ==
Date: Sat, 19 Dec 2009 06:38:07 +0000
Message-ID: <D80EDFF2AD83E648BD1164257B9B0912082F9531@TK5EX14MBXC119.redmond.corp.microsoft.com>
Subject: [secdir] Secdir review of draft-ietf-dkim-deployment-10.txt

I am reviewing this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors.  Document editors and WG chairs should treat these
comments just like any other last call comments. Feel free to forward to
any appropriate forum.

This document covers development, deployment, operations, and migration
considerations for DKIM (DomainKeys Identified Mail). I would expect such
a document to give guidance to implementers and deployers of this
technology that couldn't be included in the standards track documents
because the standards wanted to allow flexibility to implementers and
deployers. Such guidance would be particularly useful with DKIM because
it's not at all obvious how to use it from the specs and if everyone
makes those decisions independently it will limit the usefulness to
everyone.

Unfortunately, it appears that there hasn't been enough real world
experience with DKIM yet to provide a lot of useful guidance. This
document seems more of a tutorial on DKIM than guidance. I have no
problems with the guidance it gives (other than it mostly duplicates the
contents of other specs), but there is a lot more that it would be good
to have (assuming anyone has answers).

Specific suggestions:

In Section 7.3, the document mentions problems likely to be introduced if
Author Domain Signing Practices (ADSP) is enabled. There are common
practices in mail processing that will cause email to be dropped if these
practices are followed, and it would be useful to have an explicit list
of things known to fail and their prevalence. For example, mailing list
expanders (like the ones that got this message to most of you) are likely
to break the DKIM signatures on messages they pass, causing those
messages to subsequently be dropped by receiving agents if the sender has
enabled ADSP. It would be good to know which of the common mail
forwarders have this problem and give advice to the authors of mail
forwarders as to how to avoid problems in the future. The most general
solution is for the forwarder to change the "From: " field in the email
message to itself and copy the name of the actual sender somewhere else.
But that causes other problems. Similarly, there have been in the past
many web sites that let you "mail a copy of this document to a friend"
and let you specify the friend's email address and your own. ADSP would
delete such mail sent by users who used such a web site if the site
forged the "From:" field. I've noticed that practice is decreasing
(Dilbert.com doesn't do it anymore). Guidance to web sites not to do that
and to users about how much trouble to expect would be useful.

DKIM allows the signer to choose which header fields in the message are
signed. Guidance on which fields should be signed and which should not
would be helpful.

When rolling over keys, it's a matter of sender policy how long the old
signing key should remain valid for verification after it is no longer
used for signing. It would be good to hear a recommendation as to how
long that should be. This would be coupled with guidance to verifiers as
to how long after email is received it should be expected to be
verifiable. Is it reasonable to wait until the user logs in and reads
mail, or must it be checked as part of placing the mail in the user's
inbox? Do we expect to change keys every few hours or every few years?

It probably belonged in the original DKIM spec, but it would be good to
know how DKIM is supposed to interact with S/MIME or OpenPGP.

It appears DKIM allows the signing of only the first 'n' bytes of a
message in order to give better performance. Advice and rationale for
picking an 'n' would be helpful.

On page 8, quoting RFC5672 on the issue of interpretation of the d= and
i= fields, this document says "To the extent that a receiver attempts to
intuit any structured semantics for either of the identifiers, this is a
heuristic function that is outside the scope of DKIM's specification and
semantics." While true, the purpose of those fields is so that the
receiver can intuit something from them. While DKIM may not specify the
semantics to allow implementers flexibility, this document should suggest
possibilities and report on existing practice (if any).

Another area where guidance would be useful is in what a receiving agent
should display to users concerning DKIM signed messages. Perhaps the
answer is *nothing*, where DKIM is only used as one of many heuristics
for spam filtering. But either way, it would be good to know. If we
expect users to configure some signers as good, advice as to how they are
expected to learn what to do would also be helpful.

Section 8.4 begins "It is expected that the most common venue for a DKIM
implementation will be within the infrastructure of an organization's
email service". Section 8.5 begins "The DKIM specification is expected to
be used primarily between Boundary MTAs...". I don't believe these can
both be true. I'm more inclined to believe the latter because within an
organization the organization can just filter email coming from the
Internet and make sure the return address is not within the organization.

	--Charlie
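
Added example (not part of the message above and not from the DKIM draft): the review notes that list expanders break DKIM signatures and asks for guidance on which header fields to sign and on signing only the first 'n' body bytes. The sketch below recomputes the hashed inputs for a constructed message before and after a constructed list expander, showing what each choice leaves unsigned. All message contents, the via_list() model and the helper names are assumptions made for illustration; no keys or real signatures are involved.

```python
"""Which DKIM-hashed inputs survive a list expander, and what is left unsigned."""
import base64
import hashlib
import re


def canon_body_relaxed(body: bytes) -> bytes:
    """DKIM 'relaxed' body canonicalization (RFC 6376, section 3.4.4)."""
    lines = []
    for line in body.split(b"\r\n"):
        line = re.sub(rb"[ \t]+", b" ", line)    # collapse runs of whitespace
        lines.append(line.rstrip(b" "))           # drop whitespace at line end
    while lines and lines[-1] == b"":             # drop trailing empty lines
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes, length=None) -> str:
    """Value of the bh= tag; `length` models the optional l= tag."""
    data = canon_body_relaxed(body)
    if length is not None:
        data = data[:length]                      # only the first l bytes are hashed
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def signed_header_digest(headers: dict, h_tag: list) -> str:
    """Digest over the fields listed in h= ('relaxed', unfolded fields only).

    Simplification (assumption): a real signer also feeds the DKIM-Signature
    field itself into this hash and then signs the result with its key.
    """
    md = hashlib.sha256()
    for name in h_tag:
        if name in headers:
            value = re.sub(r"[ \t]+", " ", headers[name]).strip()
            md.update(f"{name.lower()}:{value}\r\n".encode())
    return md.hexdigest()


def sign(headers: dict, body: bytes, h_tag: list, use_l: bool = False) -> dict:
    """Record what a signer would commit to for this message."""
    length = len(canon_body_relaxed(body)) if use_l else None
    return {"h": h_tag, "l": length, "bh": body_hash(body, length),
            "hh": signed_header_digest(headers, h_tag)}


def check(signed: dict, headers: dict, body: bytes) -> dict:
    """Recompute the hashes as a verifier would and report what is uncovered."""
    length = signed["l"]
    canon = canon_body_relaxed(body)
    return {
        "body_ok": body_hash(body, length) == signed["bh"],
        "headers_ok": signed_header_digest(headers, signed["h"]) == signed["hh"],
        "unsigned_body_bytes": 0 if length is None else max(0, len(canon) - length),
        "unsigned_headers": sorted(set(headers) - set(signed["h"])),
    }


# Constructed sample message and list footer.
ORIG_HEADERS = {"From": "Alice <alice@example.org>", "To": "list@example.net",
                "Subject": "review of draft-example-00"}
ORIG_BODY = b"I have reviewed this document.\r\n\r\nAlice\r\n"
FOOTER = b"_______________\r\nlist mailing list\r\nlist@example.net\r\n"


def via_list(headers: dict, body: bytes):
    """Constructed list expander: tags the Subject and appends a footer."""
    out = dict(headers)
    out["Subject"] = "[list] " + headers["Subject"]
    return out, body + FOOTER


if __name__ == "__main__":
    list_headers, list_body = via_list(ORIG_HEADERS, ORIG_BODY)
    strict = sign(ORIG_HEADERS, ORIG_BODY, ["From", "To", "Subject"])
    loose = sign(ORIG_HEADERS, ORIG_BODY, ["From", "To"], use_l=True)
    print("strict, after list:", check(strict, list_headers, list_body))
    print("loose,  after list:", check(loose, list_headers, list_body))
```

The "loose" signature verifies after the list hop only because the Subject and every body byte past l= are outside the signed data, which is the trade-off a verifier has to account for before trusting those parts of the message.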

From anthonybryan@gmail.com  Sat Dec 19 15:25:30 2009
In-Reply-To: <4B2C4B88.2030604@sun.com>
References: <4B2C4B88.2030604@sun.com>
Date: Sat, 19 Dec 2009 18:25:09 -0500
Message-ID: <bb9e09ee0912191525g764f71afp64a13e890efe3800@mail.gmail.com>
From: Anthony Bryan <anthonybryan@gmail.com>
To: Radia Perlman <Radia.Perlman@sun.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-bryan-http-digest-algorithm-values-update-03

Hi Radia, thanks for the review.

On Fri, Dec 18, 2009 at 10:42 PM, Radia Perlman <Radia.Perlman@sun.com> wrote:
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the security area
> directors.  Document editors and WG chairs should treat these comments just
> like any other last call comments.
>
> This document just updates the HTTP digest algorithm values, and as such
> doesn't really have security considerations.
>
> First a question...this isn't a cryptographic checksum, and it might be nice
> if the document said what its purpose is. I assume it's for caching, so that
> you can quickly check if a page has changed?

The newest version is hopefully more clear:

Abstract

   The IANA registry named "Hypertext Transfer Protocol (HTTP) Digest
   Algorithm Values" defines values for digest algorithms used by
   Instance Digests in HTTP.  Instance Digests in HTTP provide a digest,
   also known as a checksum or hash, of an entire representation of the
   current state of a resource.  This draft adds new values to the
   registry and updates previous values.

This can be found here, and includes all changes made in response to
comments during last call:

http://metalinks.svn.sourceforge.net/viewvc/metalinks/internetdraft/draft-bryan-http-digest-algorithm-values-update-04.txt

> Now not to pick on this spec, but perhaps something IETF might
> consider, two issues:
>
> Terminology issue: even though people routinely use the terminology
> "SHA-256", perhaps it's time to also include the version of SHA, as in
> SHA-2-256, since other versions of SHA might have overlapping sizes with
> SHA-1 and SHA-256.

Secure Hash Standard (SHS), which my draft references, and other RFCs
seem to use this terminology:

"This Standard specifies five secure hash algorithms, SHA-1, SHA-224,
SHA-256, SHA-384, and SHA-512."

(Sometimes, without the "-", as in "SHA256").

It might be confusing to use other terminology?

> And having a registry for each algorithm for each protocol seems
> unwieldy---each time a new algorithm happens, does it mean a bunch of
> specs have to come out with an update document like this one? Could it
> instead be a single registry that all specs point to?

Both registries appear to be updated rarely, if ever.

I've contacted the authors of the original RFCs which created the
registries. It would be nice to know what the reasons were for
creating a second similar registry.

From looking at the two, maybe the first registry (Hypertext Transfer
Protocol (HTTP) Digest Algorithm Values) didn't contain enough
information - it also has looser registration requirements
("Specification Required").
The second registry (Hash Function Textual Names) has the OID field
("The Object Identifier (OID) of the hash function as used in X.509
certificates.") and requires "Standards-track RFCs which update or
obsolete [RFC3279]"

-- 
(( Anthony Bryan ... Metalink [ http://www.metalinker.org ]
  )) Easier, More Reliable, Self Healing Downloads

From j.schoenwaelder@jacobs-university.de  Mon Dec 21 06:07:31 2009
Date: Mon, 21 Dec 2009 15:07:09 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: petithug@acm.org
Message-ID: <20091221140709.GE14343@elstar.local>
Mail-Followup-To: petithug@acm.org, iesg@ietf.org, secdir@ietf.org, behave-chairs@tools.ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: behave-chairs@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: [secdir] secdir review of draft-ietf-behave-turn-uri-05.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Dec 2009 14:07:31 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by
the IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should
treat these comments just like any other last call comments.

I have reviewed the -03 version of the document and the -05 version
addresses the concerns I raised in my review of the -03 version.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

From ma.saito@nttv6.jp  Mon Dec 21 07:38:04 2009
Return-Path: <ma.saito@nttv6.jp>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 029903A6897; Mon, 21 Dec 2009 07:38:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.769
X-Spam-Level: *
X-Spam-Status: No, score=1.769 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f5yGfN4FhlIB; Mon, 21 Dec 2009 07:38:02 -0800 (PST)
Received: from guri.nttv6.jp (guri.nttv6.jp [115.69.228.148]) by core3.amsl.com (Postfix) with ESMTP id 5AD933A657C; Mon, 21 Dec 2009 07:38:02 -0800 (PST)
Received: from z.nttv6.jp (z.nttv6.jp [IPv6:2402:c800:ff06:208::212]) by guri.nttv6.jp (NTTv6MTA) with ESMTP id CD94ABDC28; Tue, 22 Dec 2009 00:35:08 +0900 (JST)
Received: from [IPv6:::1] (localhost.nttv6.jp [IPv6:::1]) by z.nttv6.jp (NTTv6MTA) with ESMTP id BD3DE7046C; Tue, 22 Dec 2009 00:35:08 +0900 (JST)
Message-ID: <4B2F9611.8020308@nttv6.jp>
Date: Tue, 22 Dec 2009 00:36:49 +0900
From: Makoto Saito <ma.saito@nttv6.jp>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Eric Rescorla <ekr@networkresonance.com>
References: <20091130004123.DBE146C3D38@kilo.networkresonance.com>
In-Reply-To: <20091130004123.DBE146C3D38@kilo.networkresonance.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Mon, 21 Dec 2009 12:04:26 -0800
Cc: draft-saito-mmusic-sdp-ike@tools.ietf.org, mmusic@ietf.org, secdir@ietf.org
Subject: Re: [secdir] [MMUSIC] Review of draft-saito-mmusic-sdp-ike-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Dec 2009 15:38:04 -0000

Eric,

Thank you very much for taking your time to provide such
detailed comments.

My comments inline..

> This document describes a mechanism whereby a SIP/SDP exchange can
> be used to kick off an IPsec association. The idea seems to be
> that I have the AOR for some machine behind a NAT or a firewall
> and I want to set up an IPsec tunnel. So, I use SIP address
> resolution and then SIP to signal to it and then set up an
> IPsec SA as if it were a media connection.
> 
> 
> GENERAL COMMENTS
> 1. Use Cases
> When I reviewed this document back in 2007, I was sort of
> lukewarm on it. The authors list some use cases, but I don't
> find them that convincing:
> 
>    o  Sharing media using a framework developed by Digital Living
>       Network Alliance (DLNA) or similar protocols over VPN between two
>       user devices.
> 
>    o  Remote desktop applications over VPN initiated by SIP call.  As an
>       additional function of click-to-call, a customer service agent can
>       access a customer's PC remotely to troubleshoot the problem while
>       talking with the customer over the phone.
> 
>    o  Accessing and controlling medical equipment (medical robotics)
>       remotely to monitor the elderly in a rural area (remote care
>       services).
> 
>    o  Local area network (LAN)-based gaming protocol based on peer-to-
>       peer rather than via a gaming server.
> 
> My skepticism is that setting up a VPN for applications like this
> seems like overkill. VPNs have a bunch of ancillary security
> implications that aren't really necessary for these applications.
> It's important to remember that IPsec provides not only a network
> connectivity function but also a firewalling function.  (RFC 4301 S 2.1),
> and I worry that we're confusing these two to some extent. Consider
> the last case, the gaming system. In this case, we don't want to
> open a generic VPN connection, we want to open a connection directly
> to the gaming app. Why is IPsec a good mechanism here? The
> other examples seem to raise the same issue.

Actually, joining the same local network makes DLNA perform very
effectively.

We are particularly focusing on LAN-based applications,
so it is not necessarily overkill to set up a VPN for those
applications. For example, DLNA is used to share private content
inside the LAN, but it doesn't have sufficient security mechanisms
for use over the Internet. So we think a VPN is a simple solution
for that purpose. Anyway, we already have an implementation for
this application and are starting to deploy it.

> 2. Coordination Of Multiple Elements
> This brings me to another issue, the tight coordination required
> between multiple elements on the home network. Again, in the
> gaming setting, we have:
> 
>   - The IPsec Security Policy Database (SPD)
>   - The user's SIP stack (e.g., softphone)
>   - The gaming app which is consuming the traffic
> 
> As I understand the current proposal, what has to happen here is:
> 
> - A call comes into the SIP stack
> - The SIP stack somehow notifies the gaming app (or maybe it
>   has preexisting policy)
> - The gaming app agrees to accept the connection
> - The gaming app then generates the appropriate SPD entry(s)
> - The gaming app notifies the SIP stack that it's OK
> - The SIP call is accepted
> - ICE is run to establish connectivity
> - The IKE stack runs to set up the IKE channel.
> 
> This seems like a heck of a lot of interlocking pieces to set up what's
> basically an app-to-app connection. Of course, you could also put
> the SIP stack into the gaming app, but that's ridiculously heavyweight
> for this purpose.
> 
> I should also mention that in terms of implementation complexity,
> ICE seems like a real problem. The issue here is file descriptor
> and channel management. The obvious way to implement an ICE stack
> (and the way that mine works) is that the stack opens socket(s)
> locally and then presents an abstraction to the application which
> it can then use to read and write on. However, in this case, we
> have three separate pieces of code (and probably execution contexts)
> which all need to send/receive data on the same socket:
> 
> - The ICE stack
> - The IKE stack
> - The IPsec stack
> 
> And the demultiplexing between these is data dependent. Doesn't this
> mean that we'll need a central dispatcher process whose job it is
> to hand off the packets to each other module? I'm having trouble
> visualizing this being something people are willing to implement.

The demultiplexing process is simply a combination of existing
demultiplexing processes of ICE and IKE-NAT-T. That is,
    if bits 0..31 == 0, dispatch to IKE module
    else if bits 32..63 == magic-cookie, and parsing packet yields
       STUN fingerprint, dispatch to ICE module
    else dispatch to IPsec module

Anyway, it is true that the combination of ICE and IKE/IPsec is
complicated because ICE is by its nature complicated. We don't think
ICE should be a MUST in this specification. In fact, in the environment
where we are deploying this we actually don't need ICE, but we
foresee a need for ICE despite its complexity in different
environments where this specification may be deployed.

> 3. Security Model
> As I understand it, the way that this system is intended
> to work is that the home system has an ACL indexed by remote
> AOR. If a SIP call comes through allegedly from a permitted AOR
> (via RFC 4474) it allows the VPN connection to be established.
> That seems to place a very large amount of trust in the SIP
> proxy. In essence you're giving the SIP proxy the keys to your
> firewall. I can't really see any circumstances in which I would
> be willing to do that.
> 
> By contrast, classic IPsec/SSH/SSL VPNs rely on credentials
> that are immediately on the remote side. That seems far
> more secure. 

The SIP proxy is not necessarily given strong authority to
establish a VPN into a home network.
This draft does not eliminate other authorization or
authentication that a user or an implementation might
want to perform before bringing up the VPN.  For example,
password authentication can be used in addition to what
is described in the draft.  This is described in Section 8.

> I am also concerned about the fairly loose coupling between the
> authentication at the IKE layer and the firewall hole punching.
> As I understand it, the SIP/ICE system doesn't do any authentication
> at all: it just punches a hole and then propagates the packets to
> the IKE/IPsec system without looking at them at all. I don't
> see any immediate way to exploit this, but it's not clear to me
> that it's safe either.

I'm afraid that there is a misunderstanding here, and likely
there is text in the draft that is misleading.
In our use cases, a home router is a SIP UA and it doesn't
open a hole to the home network until the IPsec tunnel is established.
The holes which SIP/ICE tries to open are on external routers such
as a large-scale NAT on the ISP network. In either case, the home network
never sees a packet until both SIP and IKE negotiations have completed
successfully.

> 4. Multiplexing
> Why are you using the same channel for IKE and IPsec tunnelling?
> IKE supports multiple media channels. This seems like an architectural
> issue, which is why I have it in general comments.

RFC3947 and 3948 specify the method of IPsec NAT traversal and
it uses the same channel for IKE and IPsec. We don't try to do
anything special here.

> 5. Grammar/Writing
> This document has a lot of writing/grammatical errors. It really
> needs a copy-edit pass.
> 
> 
> DETAILED COMMENTS
> TECHNICAL
> S 3.
> I'm not sure I understand what information the remote host/app
> has. Is it going to be making calls to my ordinary SIP AOR or
> to some specialized AOR connected to the app...
> 
>    Forking to multiple registered instances is outside the scope in this
>    use case, so there is only one registered instance for each side.
> 
> How do you guarantee this? See above about which AOR...

Forking is not necessary in our use cases, so we put it
outside the scope. Therefore, at least UAs which use this
mechanism don't try to fork. If they encounter forked
answers, this should be treated as an illegal process.
I'm going to specify this in the next revision.

> S 4.
> This set of definitions seems clumsy. How do I know if I should be
> establishing ike-esp or ike-esp-udpencap? Should I be establishing
> two media channels in parallel?

The definition of ike-esp and ike-esp-udpencap may have been
awkward. In fact, whether ipsec nat traversal is necessary or not
is decided during the ike session. So the definition of ike-esp-udpencap
should have been "ike supporting nat traversal" (ipsec nat traversal is
an optional spec of ike). Even if they exchange ike-esp-udpencap when there
is no nat between them, they will start normal ike and it will end up
with a normal ipsec tunnel. I will specify it clearly in the next version.

> S 8.2.
> This PSK mechanism seems to introduce a weakness not present in 
> the original IKE-PSK spec: in RFC 4306, you only do the PSK exchange
> over an encrypted channel established via a DH exchange. That means
> that an attacker must actively intercept the channel in order to
> mount a dictionary attack on a PSK which is actually a password.
> Sending a PSK hash enables an attack by any attacker who can 
> see the data on the SIP channel. 
> 
> Why are you allowing MD2 and MD5?

MD2 and MD5 are certainly obsolete algorithms and we will delete them.

> EDITORIAL
> Abstract:
>    This document specifies how to establish secure media sessions over a
>    virtual private network using Session Initiation Protocol for the
>    purpose of on-demand media/application sharing between peers.  It
> 
> You're not establishing a secure media session over a vpn, right?
> You're establishing a media session to use a vpn over.

Right. I'm going to fix it.

> S 2.2.
>       SIP has a cross-NAT rendezvous mechanism, such as ICE
>       [I-D.ietf-mmusic-ice].  This effective function can be used for
> 
> "such as ICE"? SIP *is* a cross-NAT rendezvous mechanism. ICE
> is a mechanism for opening ports through the NAT. Also, since
> this is the only IETF mechanism "such as" seems weird.
> 
> 
>    specifies the method to exchange the fingerprint of a self-signed
> 
> specifies a method
> 
> -Ekr
> 

I'm going to modify them in the next revision. Thank you very much
for your helpful comments.

Best regards,

Makoto
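
Added example (not part of the original message or of the draft): the
three-way dispatch rule given in the reply above, written out for a single
shared UDP socket. Function names and sample datagrams are constructed for
illustration; the one-octet keepalive case and the short-packet "drop" case
come from RFC 3948 framing and are not in the message's rule.

```python
"""Demultiplex IKE, STUN (ICE) and ESP datagrams arriving on one UDP socket."""
import struct
import zlib

STUN_MAGIC_COOKIE = 0x2112A442        # RFC 5389: bytes 4..7 of a STUN message
STUN_ATTR_FINGERPRINT = 0x8028        # RFC 5389 FINGERPRINT attribute type
STUN_FINGERPRINT_XOR = 0x5354554E     # XORed into the CRC-32 of the message
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: precedes IKE on the NAT-T port
NAT_KEEPALIVE = b"\xff"               # RFC 3948: one-octet NAT keepalive


def has_valid_stun_fingerprint(datagram: bytes) -> bool:
    """True only if the datagram parses as STUN and its FINGERPRINT verifies."""
    if len(datagram) < 28:  # 20-byte header + 8-byte FINGERPRINT attribute
        return False
    msg_type, msg_len, cookie = struct.unpack_from("!HHI", datagram, 0)
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE:
        return False
    if msg_len % 4 or 20 + msg_len != len(datagram):
        return False
    # FINGERPRINT, when present, is the last attribute of the message.
    attr_type, attr_len, crc = struct.unpack_from("!HHI", datagram, len(datagram) - 8)
    if attr_type != STUN_ATTR_FINGERPRINT or attr_len != 4:
        return False
    expected = (zlib.crc32(datagram[:-8]) ^ STUN_FINGERPRINT_XOR) & 0xFFFFFFFF
    return crc == expected


def classify(datagram: bytes) -> str:
    """Return which module should receive the datagram."""
    if datagram == NAT_KEEPALIVE:
        return "keepalive"            # addition: consumed, never dispatched
    if len(datagram) < 4:
        return "drop"                 # addition: too short to carry an SPI
    if datagram[:4] == NON_ESP_MARKER:
        return "ike"                  # bits 0..31 == 0
    if has_valid_stun_fingerprint(datagram):
        return "ice"                  # cookie in bits 32..63 and fingerprint ok
    return "ipsec"                    # everything else is UDP-encapsulated ESP


def build_stun_binding_request(transaction_id: bytes) -> bytes:
    """Constructed sample: Binding Request carrying only a FINGERPRINT."""
    header = struct.pack("!HHI", 0x0001, 8, STUN_MAGIC_COOKIE) + transaction_id
    crc = (zlib.crc32(header) ^ STUN_FINGERPRINT_XOR) & 0xFFFFFFFF
    return header + struct.pack("!HHI", STUN_ATTR_FINGERPRINT, 4, crc)


def constructed_samples() -> dict:
    """Datagrams built here for the demo; none is captured traffic."""
    stun = build_stun_binding_request(bytes(range(12)))
    return {
        "ike": NON_ESP_MARKER + bytes(28),           # marker + zeroed IKE header
        "stun": stun,
        "stun_corrupt": stun[:8] + b"\xaa" + stun[9:],  # one byte changed
        "esp": struct.pack("!II", 0x1234ABCD, 1) + bytes(32),
        # ESP whose sequence number equals the magic cookie and whose SPI
        # happens to look like a STUN type/length pair of the right size.
        "esp_lookalike": struct.pack("!II", 0x00010008, STUN_MAGIC_COOKIE)
        + bytes(range(20)),
        "keepalive": NAT_KEEPALIVE,
    }


if __name__ == "__main__":
    for name, pkt in constructed_samples().items():
        print(f"{name:14s} -> {classify(pkt)}")
```

The "esp_lookalike" sample shows why the rule asks for the fingerprint and
not just the cookie: an ESP sequence number can equal 0x2112A442, and only
the CRC check keeps that packet out of the ICE module.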

From petithug@acm.org  Mon Dec 21 07:44:13 2009
Return-Path: <petithug@acm.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 21F8D3A6A0F; Mon, 21 Dec 2009 07:44:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.64
X-Spam-Level: 
X-Spam-Status: No, score=-100.64 tagged_above=-999 required=5 tests=[AWL=-0.975, BAYES_50=0.001, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vSmYq5RRoEbW; Mon, 21 Dec 2009 07:44:12 -0800 (PST)
Received: from server.implementers.org (server.implementers.org [69.55.225.91]) by core3.amsl.com (Postfix) with ESMTP id 473B63A6A25; Mon, 21 Dec 2009 07:44:12 -0800 (PST)
Received: by server.implementers.org (Postfix, from userid 1001) id 30620DC04002; Mon, 21 Dec 2009 15:43:53 +0000 (UTC)
Received: from [192.168.2.3] (server.implementers.org [127.0.0.1]) by server.implementers.org (Postfix) with ESMTPA id C2B26DFC403E; Mon, 21 Dec 2009 15:43:27 +0000 (UTC)
Message-ID: <4B2F979E.7030702@acm.org>
Date: Mon, 21 Dec 2009 07:43:26 -0800
From: Marc Petit-Huguenin <petithug@acm.org>
User-Agent: Mozilla-Thunderbird 2.0.0.22 (X11/20091109)
MIME-Version: 1.0
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>,  iesg@ietf.org, secdir@ietf.org, behave-chairs@tools.ietf.org
References: <20091221140709.GE14343@elstar.local>
In-Reply-To: <20091221140709.GE14343@elstar.local>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Mon, 21 Dec 2009 12:04:26 -0800
Subject: Re: [secdir] secdir review of draft-ietf-behave-turn-uri-05.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Dec 2009 15:44:13 -0000

Juergen Schoenwaelder wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by
> the IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should
> treat these comments just like any other last call comments.
> 
> I have reviewed the -03 version of the document and the -05 version
> addresses the concerns I raised in my review of the -03 version.

Thank you for the review.

-- 
Marc Petit-Huguenin
Personal email: marc@petit-huguenin.org
Professional email: petithug@acm.org
Blog: http://blog.marc.petit-huguenin.org

From rdroms@cisco.com  Tue Dec 22 08:08:45 2009
Return-Path: <rdroms@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1DB373A6917 for <secdir@core3.amsl.com>; Tue, 22 Dec 2009 08:08:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GBKH4H6jwZgi for <secdir@core3.amsl.com>; Tue, 22 Dec 2009 08:08:44 -0800 (PST)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id 767893A689A for <secdir@ietf.org>; Tue, 22 Dec 2009 08:08:44 -0800 (PST)
Authentication-Results: sj-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApoEAGJ+MEtAZnwM/2dsb2JhbAC/VpZvhDME
X-IronPort-AV: E=Sophos;i="4.47,437,1257120000"; d="scan'208";a="282418046"
Received: from rtp-core-1.cisco.com ([64.102.124.12]) by sj-iport-1.cisco.com with ESMTP; 22 Dec 2009 16:08:22 +0000
Received: from [161.44.65.110] ([161.44.65.110]) by rtp-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id nBMG7cTd015984 for <secdir@ietf.org>; Tue, 22 Dec 2009 16:08:21 GMT
Message-Id: <6631C820-4234-4E20-8A34-05A2046E2EA4@cisco.com>
From: Ralph Droms <rdroms@cisco.com>
To: secdir@ietf.org
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Tue, 22 Dec 2009 11:08:21 -0500
X-Mailer: Apple Mail (2.936)
Subject: [secdir] draft-ietf-dnsext-dnssec-gost-06 publication requested
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Dec 2009 16:08:45 -0000

The dnsext WG has requested publication of
draft-ietf-dnsext-dnssec-gost-06.  I expect to start an IETF last call
of the document soon.  Please start a secdir review of the draft and
thanks...

- Ralph


From new-work-bounces@ietf.org  Tue Dec 22 10:00:03 2009
Return-Path: <new-work-bounces@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B24733A6A36; Tue, 22 Dec 2009 10:00:03 -0800 (PST)
X-Original-To: new-work@ietf.org
Delivered-To: new-work@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 0) id 0F7C33A68A2; Tue, 22 Dec 2009 10:00:01 -0800 (PST)
From: IESG Secretary <iesg-secretary@ietf.org>
To: new-work@ietf.org
Mime-Version: 1.0
Message-Id: <20091222180002.0F7C33A68A2@core3.amsl.com>
Date: Tue, 22 Dec 2009 10:00:02 -0800 (PST)
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: new-work-bounces@ietf.org
Errors-To: new-work-bounces@ietf.org
X-Mailman-Approved-At: Tue, 22 Dec 2009 10:45:34 -0800
Subject: [secdir] [New-work] WG Review: Internationalized Resource Identifiers (iri)
X-BeenThere: secdir@ietf.org
Reply-To: iesg@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Dec 2009 18:00:03 -0000

A new IETF working group has been proposed in the Applications Area.  The
IESG has not made any determination as yet.  The following draft charter
was submitted, and is provided for informational purposes only.  Please
send your comments to the IESG mailing list (iesg@ietf.org) by January 12,
2010.

Internationalized Resource Identifiers (iri)
---------------------------------------
Last Modified: 12-12-2009

Current Status: Proposed Working Group 
 
Chair(s):
TBD

Applications Area Director(s):
Lisa Dusseault 
Alexey Melnikov 

Applications Area Advisor:
Alexey Melnikov 

Mailing Lists:
TBD

Description of Working Group:

This working group will produce
* A new version of RFC 3987: "Internationalized Resource
Identifiers (IRIs)" using draft-duerst-iri-bis as the base
* A new version of RFC 4395: "Guidelines and Registration
Procedures for New URI Schemes"

The new version of RFC 3987 may be split into separate documents,
if, in the opinion of the chair(s), it would facilitate distribution
of the workload and allow more focused reviews. For example, the
following breakdown has been suggested:

* Handling of Internationalized domain names in IRIs (BCP)
* Internationalization Considerations in IRIs (guidelines
for BIDI, character ranges to avoid, special considerations) (BCP)
* Syntax, parsing, comparison of IRIs (Standards track)

The working group starts with a relatively mature update to
RFC 3987 in preparation; the primary focus of the group
is to resolve conflicting uses, requirements and best practices
for internationalized URLs/URIs/IRIs and various other forms,
among many specifications and committees, while moving toward
consistent use of IRIs among the wide range of Internet
applications that use them. In particular:

* The IRI specification(s) must (continue to) be suitable
for normative reference with Web and XML standards from W3C
specifications. The group should coordinate with the W3C working
groups on HTML5, XML Core, and Internationalization, as well
as with IETF HTTPBIS WG to ensure acceptability.
* The IRI specification(s) should follow best practices
for domain names. The group should coordinate with the IETF
IDNABIS working group and Unicode Consortium to assure acceptability.
* Explicit review by experts on (and native speakers of) RTL
languages, of the recommendations for BIDI languages,
is required.

The Working Group will examine at least one and possibly more
URI/IRI schemes to check that the new specification(s) are
appropriate for existing schemes. Schemes suggested for
review include http:, pop:, imap:, xmpp:, mailto:, and sip:.

Changes to RFC 3986 ("Uniform Resource Identifier (URI):
Generic Syntax") are explicitly out of scope of this charter,
and may only be considered with a charter update.

Goals and Milestones:

January 2010 Additional update of Internet drafts by editor(s)
February 2010 Review of Internet Drafts, directions during W3C and IETF
May 2010 Working group Last Call of all documents
June 2010 Publish IRI documents as RFCs (BCP, standards track, as 
appropriate)
_______________________________________________
New-work mailing list
New-work@ietf.org
https://www.ietf.org/mailman/listinfo/new-work

From new-work-bounces@ietf.org  Tue Dec 22 10:00:09 2009
Return-Path: <new-work-bounces@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6AA573A6A55; Tue, 22 Dec 2009 10:00:09 -0800 (PST)
X-Original-To: new-work@ietf.org
Delivered-To: new-work@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 0) id 1CE293A6A1F; Tue, 22 Dec 2009 10:00:01 -0800 (PST)
From: IESG Secretary <iesg-secretary@ietf.org>
To: new-work@ietf.org
Mime-Version: 1.0
Message-Id: <20091222180002.1CE293A6A1F@core3.amsl.com>
Date: Tue, 22 Dec 2009 10:00:02 -0800 (PST)
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: new-work-bounces@ietf.org
Errors-To: new-work-bounces@ietf.org
X-Mailman-Approved-At: Tue, 22 Dec 2009 10:45:34 -0800
Subject: [secdir] [New-work] WG Review: Messaging Abuse Reporting Format (marf)
X-BeenThere: secdir@ietf.org
Reply-To: iesg@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Dec 2009 18:00:09 -0000

A new IETF working group has been proposed in the Applications Area.  The
IESG has not made any determination as yet.  The following draft charter
was submitted, and is provided for informational purposes only.  Please
send your comments to the IESG mailing list (iesg@ietf.org) by January 12,
2010.

Messaging Abuse Reporting Format (marf)
---------------------------------------
Last Modified: 12-21-2009

Current Status: Proposed Working Group 

Chair(s):
TBD

Applications Area Director(s):
Lisa Dusseault 
Alexey Melnikov 

Applications Area Advisor:
Alexey Melnikov 

Mailing Lists:
General Discussion: abuse-feedback-report@mipassoc.org
To Subscribe: 
http://mipassoc.org/mailman/listinfo/abuse-feedback-report
Archive: http://mipassoc.org/mailman/listinfo/abuse-feedback-report

Description of Working Group:
Messaging anti-abuse operations between independent services often
require sending reports on observed fraud, spam, virus or other abuse
activity. A standardized report format enables automated processing. The
Abuse Reporting Format (ARF) specification has gained sufficient
popularity to warrant formal codification, to ensure and encourage future
interoperability with new implementations. The primary function of this
working group will be to solicit review and refinement of the existing
specification.

ARF was developed by a messaging trade organization independent of
the IETF, and uses a format similar to a Delivery Status Notification
(DSN, RFC3464) to report fraud, spam, viruses or other abusive activity
in the email system.  The basic format is amenable to processing by
humans or software, with the latter requiring the format to be
standardized, to permit interoperability between automated services,
particularly without prior arrangement.

ARF as initially defined is already in widespread use at large ISPs, so
interoperability can be demonstrated. Some tools already exist
for processing ARF messages, a few of which are open source. In
order to preserve the installed base, the working group will make the
minimum changes necessary to the existing specification and will seek to
have backward compatibility. Furthermore, some extensions to the current
proposal are of interest to the community, such as the means for an
operator to advertise an email address to which abuse reports using ARF
should be sent. The working group will take on the task of considering
and specifying such a mechanism.

The initial proposal is published as draft-shafranovich-feedback-report,
and this will provide the working group's starting point.

The working group should consider such factors as:
* implementer experience
* ability to achieve broad implementation and interoperability
* existing uses of ARF
* internationalization
* ability to address broader use cases than may have been contemplated
by the original authors
* overlap with the INCH working group's work (e.g. RFC5070); it is
unclear whether such overlap is appropriate or should be avoided

Thus, the working group's specific tasks are as follows:

1) The group will first produce a Proposed Standard track specification
of ARF.  This will document current use, removing any portions that are
not implemented and/or not required for a minimum implementation (to be
published later as extensions).
This will include not only the format of an ARF message, but must also
include appropriate documentation of security considerations and creation
of IANA registries for elements of ARF to support future extensions, as
well as informational sections conveying current best practices.

2) The group will specify the integration of ARF into DKIM DNS key
records, with draft-kucherawy-dkim-reporting as its input. It contains
extensions to DKIM that are related to ARF as a means of reporting
DKIM-related failures which include phishing ("fraud") and as such are
relevant to the ARF effort.  The group will produce Proposed Standard
track specification for these ARF and DKIM extensions.

3) The group will finally consider a means for publishing the address to
which ARF reports should be sent. Not all ARF participants wish to use
abuse@(domain), which is the current standard (RFC2142), as the place to
send automated ARF-formatted reports. The group will either conclude that
the industry should continue to use this de facto standard (and thus no
specification is appropriate), or will produce a Proposed Standard track
document identifying the means by which that address should be advertised.



The group may consider re-chartering to cover related work, such as
further extensions, once these deliverables have been achieved.

The working group is aware of a related activity in another group:

- Open Mobile Alliance  SpamRep

The goal is to coordinate efforts with this group as required.

Goals and Milestones:
Jan 2010 Issue first WG-based Internet-Draft defining ARF
Mar 2010 Achieve consensus on any WG-based changes to ARF
Apr 2010 Submit ARF ID to IESG for publication
Jun 2010 Issue first WG-based ID for DKIM reporting extensions
Sep 2011 Achieve consensus on DKIM reporting extensions draft
Nov 2011 Submit DKIM reporting ID to IESG for publication
Jan 2011 Issue first WG-based ID for advertising the ARF address
Mar 2011 Achieve consensus on ARF address advertising draft
Jul 2011 Submit ARF address advertising ID to IESG for publication
_______________________________________________
New-work mailing list
New-work@ietf.org
https://www.ietf.org/mailman/listinfo/new-work

From magnusn@gmail.com  Wed Dec 23 17:23:49 2009
Return-Path: <magnusn@gmail.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E27743A687F; Wed, 23 Dec 2009 17:23:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level: 
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FNkeT8MC+ky9; Wed, 23 Dec 2009 17:23:49 -0800 (PST)
Received: from mail-yw0-f185.google.com (mail-yw0-f185.google.com [209.85.211.185]) by core3.amsl.com (Postfix) with ESMTP id EB0923A6873; Wed, 23 Dec 2009 17:23:48 -0800 (PST)
Received: by ywh15 with SMTP id 15so8001230ywh.5 for <multiple recipients>; Wed, 23 Dec 2009 17:23:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type:content-transfer-encoding; bh=tUTzQzOTqBzBpdZsyW0vyPJplKe4/KMMfmfhhAJrjkw=; b=tOWL6KbfIEzMC51KlqffhkbGvTIBGLjGv269//iP94PSd4vrOwQchFNC5JA1outQ1j QhYt37ioRRsw04a7LmW+im0dDSDWC0DK+wFEmc7uEsxlL9sAfMVrqUHoZ01jtKsAij1D ViKIVL+1w52uoFZNMJOxCkwPL+lOjWHKnNHmw=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; b=Wk8WZNLerV1RxG7uG8lRL9oqJO1N9SieVEVvSL7SZ29SNZMGirSZTvYFJxn0Wbnmx+ 70W4nDVoCqpCNEBXvk/THo3LkGru+7YsedVLNAmJX6nDIXs+khs1F9oLXbOJ6oFPZDvY qtvBJ+IlxjE0daQ8FnEXX5VGaLSma0p97YJ0U=
MIME-Version: 1.0
Received: by 10.101.132.22 with SMTP id j22mr5809700ann.6.1261617809211; Wed,  23 Dec 2009 17:23:29 -0800 (PST)
Date: Wed, 23 Dec 2009 17:23:29 -0800
Message-ID: <2f57b9e60912231723x12e87864g9c0ad1ce095fc2c2@mail.gmail.com>
From: =?ISO-8859-1?Q?Magnus_Nystr=F6m?= <magnusn@gmail.com>
To: iesg@ietf.org, secdir@ietf.org, simon@josefsson.org,  larry.zhu@microsoft.com, jhutz@cmu.edu
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: [secdir] Secdir review of draft-josefsson-kerberos5-starttls-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Dec 2009 01:25:26 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document defines a new Kerberos extension to allow Kerberos
protocol runs over TLS.

I do not have any general issues with this document but a few
questions/comments:

Section 1: "The TLS protocol has been studied by many parties.  In
some threat models, the designer prefer to reduce the number of
protocols that can hurt the overall system security if they are
compromised." This statement seems to me like a strange reason to
motivate this work - Kerberos is equally well studied (at least) as
TLS and this memo does not reduce the number of protocols in the
system (c.f. the recent TLS renegotiation vulnerability)

Section 3: In the packet flow, why are the first two Kerberos
exchanges ([0x70000000 & STARTTLS-bit] and [0x00000000]) within square
brackets? Is it because they're seen as a separate protocol, or some
other reason? A clarification would be helpful.

Section 5: "Use of TLS, even without server certificate validation,
protects against some attacks that Kerberos V5 over UDP/TCP do not.
Requiring server certificates to be used at all times would enable
attacks in those situations": a) It would be useful to give examples
of attacks that unauthenticated TLS protects against that Kerberos V5
does not protect against. b) Last sentence is ambiguous - if server
certs are required and the client verifies them I do not see what
attacks would be enabled. I assume the last sentence intends to say
that requiring server certs to be used when clients cannot validate
will enable some attacks but I am not sure.

Section 5: "When clients have the ability, they need to be able to
validate the server certificate" I suggest rephrasing to: "When
clients have the ability, they MUST validate the server certificate"
(or at least SHOULD).

Best,
-- Magnus

From new-work-bounces@ietf.org  Wed Dec 23 09:15:04 2009
Return-Path: <new-work-bounces@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B18C028C0F2; Wed, 23 Dec 2009 09:15:04 -0800 (PST)
X-Original-To: new-work@ietf.org
Delivered-To: new-work@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 0) id 836A328B23E; Wed, 23 Dec 2009 09:15:01 -0800 (PST)
From: IESG Secretary <iesg-secretary@ietf.org>
To: new-work@ietf.org
Mime-Version: 1.0
Message-Id: <20091223171501.836A328B23E@core3.amsl.com>
Date: Wed, 23 Dec 2009 09:15:01 -0800 (PST)
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: new-work-bounces@ietf.org
Errors-To: new-work-bounces@ietf.org
X-Mailman-Approved-At: Thu, 24 Dec 2009 03:13:49 -0800
Subject: [secdir] [New-work] WG Review: Internet Wideband Audio Codec (codec)
X-BeenThere: secdir@ietf.org
Reply-To: iesg@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Dec 2009 17:15:04 -0000

A new IETF working group has been proposed in the Real-time Applications
and Infrastructure Area.  The IESG has not made any determination as yet.
The following draft charter was submitted, and is provided for
informational purposes only.  Please send your comments to the IESG
mailing list (iesg@ietf.org) by January 20, 2010.

Internet Wideband Audio Codec (codec)
-------------------------------------------------------------------------
Last Modified: 2009-12-17

Proposed Chair(s):
 * TBD
 
Real-time Applications and Infrastructure Area Director(s):
 * Robert Sparks <rjsparks@nostrum.com>
 * Cullen Jennings <fluffy@cisco.com>

Real-time Applications and Infrastructure Area Advisor:
 * Cullen Jennings <fluffy@cisco.com>

Mailing Lists:
General Discussion: codec@ietf.org
To Subscribe: codec-request@ietf.org
In Body: subscribe
Archive: https://www.ietf.org/mailman/listinfo/codec

Description of Working Group
Problem Statement

According to reports from developers of Internet audio applications and
operators of Internet audio services, there are no standardized,
high-quality audio codecs that meet all of the following three
conditions:

1. Are optimized for use in interactive Internet applications.

2. Are published by a recognized standards development organization
(SDO) and therefore subject to clear change control.

3. Can be widely implemented and easily distributed among application
developers, service operators, and end users.

There exist codecs that provide high quality encoding of audio
information, but that are not optimized for the actual conditions of the
Internet; according to reports, this mismatch between design and
deployment has hindered adoption of such codecs in interactive Internet
applications.

There exist codecs that can be widely implemented and easily
distributed, but that are not standardized through any SDO; according to
reports, this lack of standardization and clear change control has
hindered adoption of such codecs in interactive Internet applications.

There exist codecs that are standardized, but that cannot be widely
implemented and easily distributed; according to reports, the presence
of various usage restrictions (e.g., in the form of requirements to pay
royalty fees, obtain a license, enter into a business agreement, or meet
other special conditions imposed by a patent holder) has hindered
adoption of such codecs in interactive Internet applications.

According to application developers and service operators, an audio
 codec that meets all three of these would: (1) enable protocol
 designers to more easily specify a mandatory-to-implement codec in
 their protocols and thus improve interoperability; (2) enable
 developers to more easily build innovative, interactive
 applications for the Internet; (3) enable service operators to more
 easily deploy affordable, high-quality audio services on the Internet;
 and (4) enable end users of Internet applications and services to enjoy
 an improved user experience.

Objectives

The goal of this working group is to develop a single high-quality audio
codec that is optimized for use over the Internet and that can be widely
implemented and easily distributed among application developers, service
operators, and end users.  Core technical considerations include, but
are not necessarily limited to, the following:

1. Designing for use in interactive applications (examples include, but
are not limited to, point-to-point voice calls, multi-party voice
conferencing, telepresence, teleoperation, in-game voice chat, and live
music performance)

2. Addressing the real transport conditions of the Internet as
identified and prioritized by the working group

3. Ensuring interoperability with the Real-time Transport Protocol
(RTP), including secure transport via SRTP

4. Ensuring interoperability with Internet signaling technologies such
as Session Initiation Protocol (SIP), Session Description Protocol
(SDP), and Extensible Messaging and Presence Protocol (XMPP); however,
the result should not depend on the details of any particular signaling
technology

Optimizing for very low bit rates (typically below 2.4 kbps) and for
non-interactive audio is out of scope because such work might
necessitate specialized optimizations.

Although the codec produced by the working group might be used as a
mandatory-to-implement technology by designers of particular Internet
protocols, it is explicitly not a goal of the working group to produce a
codec that will be mandated for use across the entire IETF or Internet
community nor would there be any expectation that this would be the only
mandatory-to-implement codec.

The goal of the working group is to produce only one codec.  Based on
the working group's analysis of the design space, the working group
might determine that it needs to produce more than one codec, or a codec
with multiple modes; however, it is not the goal of the working group to
produce more than one codec, and to reduce confusion in the marketplace
the working group shall endeavor to produce as few codecs as possible.

In completing its work, the working group should collaborate with other
IETF working groups to complete particular tasks.  These might include,
but would not be limited to, the following:

- Within the AVT WG, define the codec's payload format for use with the
  Real-time Transport Protocol (RTP).

- Collaborate with working groups in the Transport Area to identify
  important aspects of packet transmission over the Internet.

- Collaborate with working groups in the Transport Area to understand
  the degree of rate adaptation desirable, and to reflect that
  understanding in the design of a codec that can adjust its
  transmission in a way that minimizes disruption to the audio.

- Collaborate with working groups in the RAI Area to ensure that
  information about and negotiation of the codec can be easily
  represented at the signaling layer.

The working group will inform the ITU-T (Study group 16) of each new
revision of working group drafts, with the intent of submitting the
completed codec RFC for co-publication by the ITU-T if the ITU-T finds
that appropriate. The working group will communicate detailed
description of the requirements and goals to other SDOs including the
ITU-T, 3GPP, and MPEG to help determine if existing codecs meet the
requirements and would therefore enable co-publication of an existing
standard at the IETF. The working group will also continue to discuss
with other standards bodies to determine if it becomes possible to
satisfy the IETF requirements through a new or revised standard at other
bodies.

Suggested Codec Standardization Guidelines and Requirements for
achieving the foregoing objectives are provisionally outlined in
draft-valin-codec-guidelines and draft-valin-codec-requirements
respectively; these documents will form the starting point for working
toward consensus and, if accepted as work items of the working group,
will be refined by the working group in accordance with the usual IETF
procedures.

A codec that can be widely implemented and easily distributed among
application developers, service operators, and end users is preferred.
Many existing codecs that might fulfill some or most of the technical
attributes listed above are encumbered in various ways.  For example,
patent holders might require that those wishing to implement the codec
in software, deploy the codec in a service, or distribute the codec in
software or hardware need to request a license, enter into a business
agreement, pay licensing fees or royalties, or attempt to adhere to
other special conditions or restrictions.

Because such encumbrances have made it difficult to widely implement and
easily distribute high-quality audio codecs across the entire Internet
community, the working group prefers unencumbered technologies in a way
that is consistent with BCP 78 and BCP 79.  In particular, the working
group shall heed the preference stated in BCP 79: "In general, IETF
working groups prefer technologies with no known IPR claims or, for
technologies with claims against them, an offer of royalty-free
licensing."  Although this preference cannot guarantee that the working
group will produce an unencumbered codec, the working group shall
attempt to adhere to the spirit of BCP 79.  This preference does not
explicitly rule out the possibility of adapting encumbered technologies;
such decisions will be made in accordance with the rough consensus of
the working group.

Deliverables

1. A set of Codec Standardization Guidelines that define the work
processes of the working group. This document shall be Informational.

2. A set of technical Requirements. This document shall be
Informational.

3. Specification of a codec that meets the agreed-upon requirements, in
the form of an Internet-Draft that defines the codec algorithm along
with source code for a reference implementation.  The text description
of the codec shall indicate which components of the encoder and decoder
are mandatory, recommended, and optional.  It is envisioned that this
document shall be a Proposed Standard document.

Milestones

Mar-2010: WGLC on Codec Standardization Guidelines
May-2010: Codec Standardization Guidelines to IESG (Informational)
May-2010: WGLC on Requirements
Jul-2010: Requirements to IESG (Informational)
Dec-2010: Freeze codec structure
Jun-2011: Finalize codec parameters
Jul-2011: WGLC on codec specification
Oct-2011: Submit codec specification to IESG (Standards Track)

From rdroms@cisco.com  Thu Dec 24 04:03:37 2009
Return-Path: <rdroms@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2D8373A69B1 for <secdir@core3.amsl.com>; Thu, 24 Dec 2009 04:03:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.581
X-Spam-Level: 
X-Spam-Status: No, score=-6.581 tagged_above=-999 required=5 tests=[AWL=0.018,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6yNFMJD7hFdD for <secdir@core3.amsl.com>; Thu, 24 Dec 2009 04:03:36 -0800 (PST)
Received: from rtp-iport-1.cisco.com (rtp-iport-1.cisco.com [64.102.122.148]) by core3.amsl.com (Postfix) with ESMTP id 39AA33A6818 for <secdir@ietf.org>; Thu, 24 Dec 2009 04:03:36 -0800 (PST)
Authentication-Results: rtp-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApoEAH7nMktAZnwM/2dsb2JhbAC+I5Y4hDMEjTU
X-IronPort-AV: E=Sophos;i="4.47,448,1257120000"; d="scan'208";a="76443039"
Received: from rtp-core-1.cisco.com ([64.102.124.12]) by rtp-iport-1.cisco.com with ESMTP; 24 Dec 2009 12:03:16 +0000
Received: from bxb-rdroms-8717.cisco.com (bxb-rdroms-8717.cisco.com [10.98.10.88]) by rtp-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id nBOC3FOG015405; Thu, 24 Dec 2009 12:03:15 GMT
Message-Id: <45766AF2-50A0-4770-BBF5-E6E29B3C4C9D@cisco.com>
From: Ralph Droms <rdroms@cisco.com>
To: secdir-secretary@mit.edu
In-Reply-To: <alpine.BSF.2.00.0912230827420.78742@fledge.watson.org>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Thu, 24 Dec 2009 07:03:16 -0500
References: <6631C820-4234-4E20-8A34-05A2046E2EA4@cisco.com> <alpine.BSF.2.00.0912230827420.78742@fledge.watson.org>
X-Mailer: Apple Mail (2.936)
Cc: secdir@ietf.org
Subject: Re: [secdir] draft-ietf-dnsext-dnssec-gost-06 publication requested
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Dec 2009 12:03:37 -0000

Sam - thanks for arranging for the review.

I wanted to give you and the secdir list a little extra warning for  
this particular draft.

- Ralph

On Dec 23, 2009, at 2:31 PM 12/23/09, Samuel Weiler wrote:

> FYI, to all:
>
> I normally assign these special requests as part of the ordinary  
> rotation, whether they come to the secdir list, secdir-secretary@mit.edu,
> or some other address.  In this particular case, I've gotten three
> volunteers for reviewing this doc.  This doc will get adequate  
> coverage, methinks.
>
> And to Ralph:
>
> I normally assign secdir reviews within about a week of the last  
> call being requested (even if it hasn't gone out yet).  Unless you  
> need something even earlier, a special request isn't needed.
>
> -- Sam
>
>
>
> On Tue, 22 Dec 2009, Ralph Droms wrote:
>
>> The dnsext WG has requested publication of
>> draft-ietf-dnsext-dnssec-gost-06. I expect to start an IETF last call of
>> the document soon.  Please start a secdir review of the draft and thanks...
>>
>> - Ralph
>>
>> _______________________________________________
>> secdir mailing list
>> secdir@ietf.org
>> https://www.ietf.org/mailman/listinfo/secdir
>>


From weiler@watson.org  Thu Dec 24 07:40:43 2009
Return-Path: <weiler@watson.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6A59C3A659B for <secdir@core3.amsl.com>; Thu, 24 Dec 2009 07:40:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OW1GZAxas-K9 for <secdir@core3.amsl.com>; Thu, 24 Dec 2009 07:40:42 -0800 (PST)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by core3.amsl.com (Postfix) with ESMTP id A2A923A67BE for <secdir@ietf.org>; Thu, 24 Dec 2009 07:40:42 -0800 (PST)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.3/8.14.3) with ESMTP id nBOFcve7031501; Thu, 24 Dec 2009 10:38:58 -0500 (EST) (envelope-from weiler@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.3/8.14.3/Submit) with ESMTP id nBOFcvMv031498; Thu, 24 Dec 2009 10:38:57 -0500 (EST) (envelope-from weiler@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Thu, 24 Dec 2009 10:38:57 -0500 (EST)
From: Samuel Weiler <weiler@watson.org>
To: Ralph Droms <rdroms@cisco.com>
In-Reply-To: <45766AF2-50A0-4770-BBF5-E6E29B3C4C9D@cisco.com>
Message-ID: <alpine.BSF.2.00.0912241038170.31344@fledge.watson.org>
References: <6631C820-4234-4E20-8A34-05A2046E2EA4@cisco.com> <alpine.BSF.2.00.0912230827420.78742@fledge.watson.org> <45766AF2-50A0-4770-BBF5-E6E29B3C4C9D@cisco.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Thu, 24 Dec 2009 10:38:58 -0500 (EST)
Cc: secdir@ietf.org
Subject: Re: [secdir] draft-ietf-dnsext-dnssec-gost-06 publication requested
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: secdir-secretary@mit.edu
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Dec 2009 15:48:19 -0000

On Thu, 24 Dec 2009, Ralph Droms wrote:

> I wanted to give you and the secdir list a little extra warning for this 
> particular draft.

Thank you for the warning.  I know there's a great deal of interest in 
the draft.

-- Sam

From weiler@watson.org  Wed Dec 23 11:31:21 2009
Return-Path: <weiler@watson.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 865A43A6A06 for <secdir@core3.amsl.com>; Wed, 23 Dec 2009 11:31:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GokDYws+69aG for <secdir@core3.amsl.com>; Wed, 23 Dec 2009 11:31:20 -0800 (PST)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by core3.amsl.com (Postfix) with ESMTP id 523CA3A685E for <secdir@ietf.org>; Wed, 23 Dec 2009 11:31:20 -0800 (PST)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.3/8.14.3) with ESMTP id nBNJV10I017119; Wed, 23 Dec 2009 14:31:01 -0500 (EST) (envelope-from weiler@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.3/8.14.3/Submit) with ESMTP id nBNJV05u017116; Wed, 23 Dec 2009 14:31:00 -0500 (EST) (envelope-from weiler@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Wed, 23 Dec 2009 14:31:00 -0500 (EST)
From: Samuel Weiler <weiler@watson.org>
To: Ralph Droms <rdroms@cisco.com>
In-Reply-To: <6631C820-4234-4E20-8A34-05A2046E2EA4@cisco.com>
Message-ID: <alpine.BSF.2.00.0912230827420.78742@fledge.watson.org>
References: <6631C820-4234-4E20-8A34-05A2046E2EA4@cisco.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Wed, 23 Dec 2009 14:31:01 -0500 (EST)
Cc: secdir@ietf.org
Subject: Re: [secdir] draft-ietf-dnsext-dnssec-gost-06 publication requested
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: secdir-secretary@mit.edu
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Dec 2009 15:48:36 -0000

FYI, to all:

I normally assign these special requests as part of the ordinary 
rotation, whether they come to the secdir list, 
secdir-secretary@mit.edu, or some other address.  In this particular 
case, I've gotten three volunteers for reviewing this doc.  This doc 
will get adequate coverage, methinks.

And to Ralph:

I normally assign secdir reviews within about a week of the last call 
being requested (even if it hasn't gone out yet).  Unless you need 
something even earlier, a special request isn't needed.

-- Sam



On Tue, 22 Dec 2009, Ralph Droms wrote:

> The dnsext WG has requested publication of draft-ietf-dnsext-dnssec-gost-06. 
> I expect to start an IETF last call of the document soon.  Please start a 
> secdir review  of the draft and thanks...
>
> - Ralph
>
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
>

From weiler+secdir@watson.org  Thu Dec 24 09:39:01 2009
Return-Path: <weiler+secdir@watson.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 26E183A6948 for <secdir@core3.amsl.com>; Thu, 24 Dec 2009 09:39:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.427
X-Spam-Level: 
X-Spam-Status: No, score=-2.427 tagged_above=-999 required=5 tests=[AWL=0.172,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cDvHSgoL8vim for <secdir@core3.amsl.com>; Thu, 24 Dec 2009 09:39:00 -0800 (PST)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by core3.amsl.com (Postfix) with ESMTP id 3A6593A67E1 for <secdir@ietf.org>; Thu, 24 Dec 2009 09:38:59 -0800 (PST)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.3/8.14.3) with ESMTP id nBOHcfgQ045011 for <secdir@ietf.org>; Thu, 24 Dec 2009 12:38:41 -0500 (EST) (envelope-from weiler+secdir@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.3/8.14.3/Submit) with ESMTP id nBOHcfA8045008 for <secdir@ietf.org>; Thu, 24 Dec 2009 12:38:41 -0500 (EST) (envelope-from weiler+secdir@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Thu, 24 Dec 2009 12:38:41 -0500 (EST)
From: Samuel Weiler <weiler+secdir@watson.org>
X-X-Sender: weiler@fledge.watson.org
To: secdir@ietf.org
Message-ID: <alpine.BSF.2.00.0912241234020.31344@fledge.watson.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Thu, 24 Dec 2009 12:38:41 -0500 (EST)
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: secdir-secretary@mit.edu
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Dec 2009 17:39:01 -0000

No, I don't expect any of you to be working today, but I figured 
sending the status update would still be helpful.

There are only a few new assignments below, though a few items (the 
idnabis doc) were added to the January 7th telechat.  Hannes 
Tschofenig is next in the rotation.

Documents on the telechat agenda typically have a last call end date 
before the date shown below; reviews by the end of last call are 
typically more appreciated by the doc editors.

Review instructions and related resources are at:
       http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

Merry Christmas!

-- Sam

For telechat 2010-01-07

Reviewer                 Deadline   Draft
Sam Hartman            TR2010-01-05 draft-ietf-idnabis-bidi-06
Jeffrey Hutzelman      T 2010-01-05 draft-ietf-idnabis-protocol-17
Charlie Kaufman        TR2010-01-05 draft-ietf-idnabis-rationale-15
Scott Kelly            TR2010-01-05 draft-ietf-idnabis-tables-08
Scott Kelly            T 2010-01-05 draft-ietf-fecframe-dvb-al-fec-04
Russ Mundy             T 2010-01-05 draft-ohba-pana-pemk-03
Eric Rescorla          T 2010-01-05 draft-gennai-smime-cnipa-pec-05
Yaron Sheffer          T 2010-01-05 draft-ietf-ippm-framework-compagg-09
Hannes Tschofenig      T 2010-01-05 draft-ietf-pce-monitoring-07


For telechat 2010-01-21

Reviewer                 Deadline   Draft
Joe Salowey            T 2010-01-19 draft-ietf-pana-preauth-08
Stefan Santesson       T 2010-01-19 draft-ietf-trill-rbridge-protocol-14
Juergen Schoenwaelder  T 2010-01-19 draft-jabley-sink-arpa-02
Larry Zhu              TR2010-01-19 draft-moriarty-post-inch-rid-09

Last calls and special requests:

Reviewer                 Deadline   Draft
Rob Austein              2009-11-28 draft-ietf-pkix-attr-cert-mime-type-02
Richard Barnes           None       draft-ietf-dnsext-dnssec-gost-06
Dave Cridland            2009-11-25 draft-ietf-nsis-qspec-22
Alan DeKok               2009-10-01 draft-ietf-enum-enumservices-transition-04
Alan DeKok               2009-12-07 draft-ietf-capwap-802dot11-mib-05
Love Hornquist-Astrand   2009-06-29 draft-ietf-opsawg-smi-datatypes-in-xsd-05
Love Hornquist-Astrand   2009-10-13 draft-ietf-idnabis-mappings-05
Jeffrey Hutzelman        2009-12-07 draft-ietf-capwap-base-mib-06
Stephen Kent             None       draft-ietf-dnsext-dnssec-gost-06
Chris Lonvick            2010-01-01 draft-giralt-schac-ns-02
David McGrew             None       draft-ietf-dnsext-dnssec-gost-06
Catherine Meadows        2008-01-17 draft-ietf-speechsc-mrcpv2-20
Catherine Meadows        2009-12-22 draft-ietf-sipping-config-framework-16
Russ Mundy               2009-10-21 draft-ietf-hokey-preauth-ps-11
Sandy Murphy            R2009-11-18 draft-ietf-mpls-mpls-and-gmpls-security-framework-07
Sandy Murphy             2010-01-14 draft-turner-ecprivatekey-02
Vidya Narayanan          2008-11-21 draft-ietf-sip-saml-06
Chris Newman             2010-01-07 draft-ietf-krb-wg-preauth-framework-15
Hilarie Orman            2010-01-14 draft-kato-tls-rfc4132bis-04
Eric Rescorla            2010-01-11 draft-brown-versioning-link-relations-05
Joe Salowey              2009-02-08 draft-ietf-geopriv-lis-discovery-13
Sam Weiler               2008-08-13 draft-chown-v6ops-rogue-ra-03
Brian Weis               2009-10-20 draft-ietf-l3vpn-e2e-rsvp-te-reqts-04
Nico Williams            2008-08-13 draft-ietf-v6ops-ra-guard-04
Larry Zhu                2008-08-13 draft-thaler-v6ops-teredo-extensions-05
Larry Zhu                2009-05-09 draft-ietf-ecrit-location-hiding-req-02



From j.schoenwaelder@jacobs-university.de  Fri Dec 25 09:00:38 2009
Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D82A33A67B2; Fri, 25 Dec 2009 09:00:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.471
X-Spam-Level: 
X-Spam-Status: No, score=-0.471 tagged_above=-999 required=5 tests=[AWL=-1.422, BAYES_50=0.001, HELO_EQ_DE=0.35, J_CHICKENPOX_44=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lYrI+QPkJalg; Fri, 25 Dec 2009 09:00:38 -0800 (PST)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by core3.amsl.com (Postfix) with ESMTP id 9A5EB3A62C1; Fri, 25 Dec 2009 09:00:34 -0800 (PST)
Received: from localhost (demetrius4.jacobs-university.de [212.201.44.49]) by hermes.jacobs-university.de (Postfix) with ESMTP id 16CD2C000D; Fri, 25 Dec 2009 18:00:16 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius4.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id 3+i4JV6Pk91I; Fri, 25 Dec 2009 18:00:14 +0100 (CET)
Received: from elstar.local (elstar.iuhb02.iu-bremen.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 6E20EC0003; Fri, 25 Dec 2009 18:00:14 +0100 (CET)
Received: by elstar.local (Postfix, from userid 501) id 0201FFA14F6; Fri, 25 Dec 2009 18:00:10 +0100 (CET)
Date: Fri, 25 Dec 2009 18:00:10 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: joe.abley@icann.org, ogud@ogud.com
Message-ID: <20091225170010.GA4657@elstar.local>
Mail-Followup-To: joe.abley@icann.org, ogud@ogud.com, iesg@ietf.org, secdir@ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: iesg@ietf.org, secdir@ietf.org
Subject: [secdir] secdir review of draft-jabley-sink-arpa-02.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Dec 2009 17:00:38 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The document creates an IANA registry called "ARPA Reserved Names" and
allocates the name "sink.arpa", which is guaranteed to be a never
existing name. The security considerations briefly discuss what could
happen if the name suddenly would exist and I am fine with the text.

On the editorial side, I am wondering why the authors use ARPA and
SINK.ARPA instead of the quoted writing style ("arpa" and "sink.arpa")
for DNS names, as used in RFC 2606 and RFC 3172. Note that section 5.1
suddenly uses "arpa" - if there is a subtle semantic difference
between ARPA and "arpa" please make it clear; otherwise I prefer a
single consistent writing style.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

From joe.abley@icann.org  Sat Dec 26 05:27:23 2009
Return-Path: <joe.abley@icann.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1DD1D3A6997; Sat, 26 Dec 2009 05:27:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.722
X-Spam-Level: 
X-Spam-Status: No, score=-5.722 tagged_above=-999 required=5 tests=[AWL=0.277,  BAYES_00=-2.599, J_CHICKENPOX_44=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mQuvA+VI4p+Q; Sat, 26 Dec 2009 05:27:22 -0800 (PST)
Received: from EXPFE100-1.exc.icann.org (expfe100-1.exc.icann.org [64.78.22.236]) by core3.amsl.com (Postfix) with ESMTP id 6F9633A68AA; Sat, 26 Dec 2009 05:27:22 -0800 (PST)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-1.exc.icann.org ([64.78.22.236]) with mapi; Sat, 26 Dec 2009 05:27:04 -0800
From: Joe Abley <joe.abley@icann.org>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Date: Sat, 26 Dec 2009 05:27:01 -0800
Thread-Topic: secdir review of draft-jabley-sink-arpa-02.txt
Thread-Index: AcqGLxzbgeN8pXQ4QhK94T0LjSQP+Q==
Message-ID: <1D8A26A2-5BFC-4DF8-9628-480A8E42C370@icann.org>
References: <20091225170010.GA4657@elstar.local>
In-Reply-To: <20091225170010.GA4657@elstar.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Mon, 28 Dec 2009 02:37:15 -0800
Cc: "iesg@ietf.org" <iesg@ietf.org>, "ogud@ogud.com" <ogud@ogud.com>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-jabley-sink-arpa-02.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Dec 2009 13:27:23 -0000

On 2009-12-25, at 12:00, Juergen Schoenwaelder wrote:

> The document creates an IANA registry called "ARPA Reserved Names" and
> allocates the name "sink.arpa", which is guaranteed to be a never
> existing name. The security considerations briefly discuss what could
> happen if the name suddenly would exist and I am fine with the text.

thanks.

> On the editorial side, I am wondering why the authors use ARPA and
> SINK.ARPA instead of the quoted writing style ("arpa" and "sink.arpa")
> for DNS names, as used in RFC 2606 and RFC 3172. Note that section 5.1
> suddenly uses "arpa" - if there is a subtle semantic difference
> between ARPA and "arpa" please make it clear; otherwise I prefer a
> single consistent writing style.

noted!


Joe


From yaronf@checkpoint.com  Mon Dec 28 03:54:50 2009
Return-Path: <yaronf@checkpoint.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 960993A6882 for <secdir@core3.amsl.com>; Mon, 28 Dec 2009 03:54:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.57
X-Spam-Level: 
X-Spam-Status: No, score=-3.57 tagged_above=-999 required=5 tests=[AWL=0.029,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eaFVn9TnMjQE for <secdir@core3.amsl.com>; Mon, 28 Dec 2009 03:54:49 -0800 (PST)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by core3.amsl.com (Postfix) with ESMTP id 4416F3A6884 for <secdir@ietf.org>; Mon, 28 Dec 2009 03:54:48 -0800 (PST)
Received: from il-ex01.ad.checkpoint.com (il-ex01.checkpoint.com [194.29.32.26]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id nBSBsST7012289; Mon, 28 Dec 2009 13:54:28 +0200 (IST)
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Mon, 28 Dec 2009 13:54:40 +0200
From: Yaron Sheffer <yaronf@checkpoint.com>
To: Yaron Sheffer <yaronf@checkpoint.com>, secdir <secdir@ietf.org>, "draft-ietf-ippm-framework-compagg.all@tools.ietf.org" <draft-ietf-ippm-framework-compagg.all@tools.ietf.org>
Date: Mon, 28 Dec 2009 13:54:38 +0200
Thread-Topic: SecDir review of draft-ietf-ippm-framework-compagg-09
Thread-Index: AcpoeGxYXUdrY+VLRKuuzZmGkUkAXAfO23rg
Message-ID: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF89C466A@il-ex01.ad.checkpoint.com>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF888AD7B@il-ex01.ad.checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [secdir] SecDir review of draft-ietf-ippm-framework-compagg-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Dec 2009 11:54:50 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document presents a conceptual framework for aggregating and
composing network performance measurements in service provider networks.

I am entirely happy with the Security Considerations section, in fact I
believe it is somewhat of an overkill for a document at this level of
abstraction.

Thanks,
	Yaron

From ekr@networkresonance.com  Mon Dec 28 13:23:46 2009
Return-Path: <ekr@networkresonance.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4989B3A680A; Mon, 28 Dec 2009 13:23:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.105
X-Spam-Level: 
X-Spam-Status: No, score=0.105 tagged_above=-999 required=5 tests=[AWL=0.600,  BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553,  RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jZgkM7FOTLYZ; Mon, 28 Dec 2009 13:23:45 -0800 (PST)
Received: from kilo.networkresonance.com (unknown [216.187.66.243]) by core3.amsl.com (Postfix) with ESMTP id C91163A67BE; Mon, 28 Dec 2009 13:23:44 -0800 (PST)
Received: from kilo.local (localhost [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id E81706C9A9A; Sat, 26 Dec 2009 12:38:45 -0800 (PST)
Date: Sat, 26 Dec 2009 12:38:45 -0800
From: Eric Rescorla <ekr@networkresonance.com>
To: Makoto Saito <ma.saito@nttv6.jp>
In-Reply-To: <4B2F9611.8020308@nttv6.jp>
References: <20091130004123.DBE146C3D38@kilo.networkresonance.com> <4B2F9611.8020308@nttv6.jp>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20091226203845.E81706C9A9A@kilo.networkresonance.com>
Cc: mmusic@ietf.org, draft-saito-mmusic-sdp-ike@tools.ietf.org, secdir@ietf.org
Subject: Re: [secdir] [MMUSIC] Review of draft-saito-mmusic-sdp-ike-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Dec 2009 21:23:46 -0000

At Tue, 22 Dec 2009 00:36:49 +0900,
Makoto Saito wrote:
> > My skepticism is that setting up a VPN for applications like this
> > seems like overkill. VPNs have a bunch of ancillary security
> > implications that aren't really necessary for these applications.
> > It's important to remember that IPsec provides not only a network
> > connectivity function but also a firewalling function.  (RFC 4301 S 2.1),
> > and I worry that we're confusing these two to some extent. Consider
> > the last case, the gaming system. In this case, we don't want to
> > open a generic VPN connection, we want to open a connection directly
> > to the gaming up. Why is IPsec a good mechanism here? The
> > other examples seem to raise the same issue.
> 
> Actually, joining the same local network makes DLNA perform very
> effectively.
> 
>   We are particularly focusing on LAN-based applications
> so that it is not necessarily an overkilling to set up VPN for those
> applications. For example, DLNA is used to share private contents
> inside the LAN but it doesn't have sufficient security mechanisms
> for the use over the Internet. So we think VPN is a simple solution
> for that purpose. Anyway, we already have the implementation for
> this application and start to deploy them.

So, this likely is bad design by DLNA--the distinction between LAN and
WAN just isn't strong enough security-wise to support this. ISTM
better to fix this issue than to perpetuate it.


> > I should also mention that in terms of implementation complexity,
> > ICE seems like a real problem. The issue here is file descriptor
> > and channel management. The obvious way to implement an ICE stack
> > (and the way that mine works) is that the stack opens socket(s)
> > locally and then presents an abstraction to the application which
> > it can then use to read and write on. However, in this case, we
> > have three separate pieces of code (and probably execution contexts)
> > which all need to send/receive data on the same socket:
> > 
> > - The ICE stack
> > - The IKE stack
> > - The IPsec stack
> > 
> > And the demultiplexing between these is data dependent. Doesn't this
> > mean that we'll need a central dispatcher process whose job it is
> > to hand off the packets to each other module? I'm having trouble
> > visualizing this being something people are willing to implement.
> 
> The demultiplexing process is simply a combination of existing
> demultiplexing processes of ICE and IKE-NAT-T. That is,
>     if bits 0..31 == 0, dispatch to IKE module
>     else if bits 32..63 == magic-cookie, and parsing packet yields
>        STUN fingerprint, dispatch to ICE module
>     else dispatch to IPsec module
> 
> Anyway, it is true that the combination of ICE and IKE/IPsec is
> complicated because ICE is by its nature complicated. We don't think
> ICE should be a MUST in this specification. In fact the environment
> where we are deploying this we actually don't need ICE, but we
> foresee a need for ICE despite its complexity in different
> environment where this specification may be deployed.

I think you're missing my point, which is that intermixing 
IPsec packets with STUN/ICE/IKE packets requires a fairly
inconvenient system architecture.



> > 3. Security Model
> > As I understand it, the way that this system is intended
> > to work is that the home system has an ACL indexed by remote
> > AOR. If a SIP call comes through allegedly from a permitted AOR
> > (via RFC 4474) it allows the VPN connection to be established.
> > That seems to place a very large amount of trust in the SIP
> > proxy. In essence you're giving the SIP proxy the keys to your
> > firewall. I can't really see any circumstances in which I would
> > be willing to do that.
> > 
> > By contrast, classic IPsec/SSH/SSL VPNs rely on credentials
> > that are immediately on the remote side. That seems far
> > more secure. 
> 
> SIP proxy is not necessarily given a strong authority to
> establish a VPN into a home network.
> This draft does not eliminate other authorization or
> authentication that a user or an implementation might
> want to perform before bringing up the VPN.  For example,
> password authentication can be used in addition to what
> is described in the draft.  This is described in Section 8.

Wait, so I now need two separate authentication mechanisms
plus I have to worry about coordinating my firewall and IPsec
with the SIP authentication? This seems problematic.


> > I am also concerned about the fairly loose coupling between the
> > authentication at the IKE layer and the firewall hole punching.
> > As I understand it, the SIP/ICE system doesn't do any authentication
> > at all: it just punches a hole and then propagates the packets to
> > the IKE/IPsec system without looking at them at all. I don't
> > see any immediate way to exploit this, but it's not clear to me
> > that it's safe either.
> 
> I'm afraid that there is a misunderstanding here, and likely
> there is a text in the draft that is misleading.
> In our use cases, a home router is a SIP UA and it doesn't
> open a hole to the home network until IPsec tunnel is established.
> The holes which SIP/ICE try to open are on external routers such
> as a large scale NAT on ISP network. In either case, the home network
> never sees a packet until both SIP and IKE negotiations have completed
> successfully.

I'm not talking about the home network. I'm talking about the
interaction between the NAT/firewall on the home router
and the rest of the networking system on the same router.


> > 4. Multiplexing
> > Why are you using the same channel for IKE and IPsec tunnelling?
> > IKE supports multiple media channels. This seems like an architectural
> > issue, which is why I have it in general comments.
> 
> RFC3947 and 3948 specify the method of IPsec NAT traversal and
> it uses the same channel for IKE and IPsec. We don't try to do
> anything special here.

Hmm... I'm surprised to hear that, but I guess if/when this goes up
for IETF LC the IPsec experts can weigh in if there is a problem.

-Ekr
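
The three-way dispatch sketched in the quoted text of the message above, written out as an added Python example; it is not code from the draft, its authors or either correspondent. The function and constant names, the "DROP" result for packets shorter than four bytes and the sample packets are assumptions constructed here; the magic cookie and FINGERPRINT values are those of RFC 5389.

```python
import struct
import zlib

# STUN constants from RFC 5389; the names are this example's own.
STUN_MAGIC_COOKIE = 0x2112A442       # bytes 4..7 (bits 32..63) of a STUN message
STUN_FINGERPRINT_TYPE = 0x8028       # FINGERPRINT attribute type
STUN_FINGERPRINT_XOR = 0x5354554E    # value XORed into the CRC-32
STUN_HEADER_LEN = 20
FINGERPRINT_ATTR_LEN = 8             # 4-byte attribute header + 4-byte CRC


def stun_fingerprint(data: bytes) -> int:
    """CRC-32 over the message up to the FINGERPRINT attribute, XORed per RFC 5389."""
    return (zlib.crc32(data) & 0xFFFFFFFF) ^ STUN_FINGERPRINT_XOR


def has_valid_stun_fingerprint(pkt: bytes) -> bool:
    """True only if pkt parses as a STUN message whose last attribute is a correct FINGERPRINT."""
    if len(pkt) < STUN_HEADER_LEN + FINGERPRINT_ATTR_LEN:
        return False
    msg_type, msg_len, cookie = struct.unpack_from("!HHI", pkt, 0)
    # The two most significant bits of a STUN message are zero.
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE:
        return False
    # The length field counts the bytes after the 20-byte header, in 4-byte units.
    if msg_len % 4 or STUN_HEADER_LEN + msg_len != len(pkt):
        return False
    attr_type, attr_len, crc = struct.unpack_from(
        "!HHI", pkt, len(pkt) - FINGERPRINT_ATTR_LEN)
    if attr_type != STUN_FINGERPRINT_TYPE or attr_len != 4:
        return False
    return crc == stun_fingerprint(pkt[:-FINGERPRINT_ATTR_LEN])


def classify(pkt: bytes) -> str:
    """Return the module a packet on the shared UDP socket is handed to."""
    if len(pkt) < 4:
        return "DROP"                # assumption: too short for any of the three
    if pkt[:4] == b"\x00\x00\x00\x00":
        return "IKE"                 # bits 0..31 == 0
    if has_valid_stun_fingerprint(pkt):
        return "ICE"                 # magic cookie and STUN fingerprint
    return "IPSEC"                   # everything else


def build_stun_binding_request(txid: bytes) -> bytes:
    """Constructed sample: Binding Request carrying only a FINGERPRINT attribute."""
    header = struct.pack("!HHI", 0x0001, FINGERPRINT_ATTR_LEN,
                         STUN_MAGIC_COOKIE) + txid
    return header + struct.pack("!HHI", STUN_FINGERPRINT_TYPE, 4,
                                stun_fingerprint(header))


# Constructed sample packets (not captured traffic).
STUN_SAMPLE = build_stun_binding_request(bytes(range(12)))

# Four zero bytes followed by a 28-byte IKE-style header.
IKE_SAMPLE = (b"\x00" * 4 + bytes(range(1, 9)) + b"\x00" * 8
              + bytes([0x21, 0x20, 0x22, 0x08]) + struct.pack("!II", 0, 28))

# An ESP-style packet built to look like STUN: its SPI reads as a STUN type
# and length, its sequence number equals the magic cookie, and its payload
# ends in a FINGERPRINT-shaped trailer. Only the CRC (off by one bit) differs.
ESP_HEAD = struct.pack("!II", 0x00010008, STUN_MAGIC_COOKIE) + b"\xAA" * 12
ESP_LOOKALIKE = ESP_HEAD + struct.pack(
    "!HHI", STUN_FINGERPRINT_TYPE, 4, stun_fingerprint(ESP_HEAD) ^ 1)


if __name__ == "__main__":
    for name, pkt in [("ike", IKE_SAMPLE), ("stun", STUN_SAMPLE),
                      ("esp look-alike", ESP_LOOKALIKE), ("one byte", b"\xff")]:
        print(f"{name:15s} -> {classify(pkt)}")
```

The look-alike packet passes every header check and is kept out of the ICE module only by the CRC comparison, so the dispatcher has to parse each packet to its last attribute before it knows which module owns it.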

From clonvick@cisco.com  Wed Dec 30 20:34:09 2009
Return-Path: <clonvick@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A81FF3A6A76; Wed, 30 Dec 2009 20:34:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zPRRrSHwtz5Y; Wed, 30 Dec 2009 20:34:08 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id AA6813A67C0; Wed, 30 Dec 2009 20:34:08 -0800 (PST)
Authentication-Results: sj-iport-6.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApsFAEy4O0urRN+J/2dsb2JhbACPdgGxDZRngiOCDgSBaItM
X-IronPort-AV: E=Sophos;i="4.47,479,1257120000"; d="scan'208";a="459101650"
Received: from sj-core-3.cisco.com ([171.68.223.137]) by sj-iport-6.cisco.com with ESMTP; 31 Dec 2009 04:33:48 +0000
Received: from sjc-cde-011.cisco.com (sjc-cde-011.cisco.com [171.69.16.68]) by sj-core-3.cisco.com (8.13.8/8.14.3) with ESMTP id nBV4Xmoe027301; Thu, 31 Dec 2009 04:33:48 GMT
Date: Wed, 30 Dec 2009 20:33:48 -0800 (PST)
From: Chris Lonvick <clonvick@cisco.com>
To: iesg@ietf.org, secdir@ietf.org, victoriano@uma.es, r.mcduff@uq.edu.au, Lisa Dusseault <lisa.dusseault@gmail.com>
Message-ID: <Pine.GSO.4.63.0912301730060.23658@sjc-cde-011.cisco.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: secdir-secretary@mit.edu
Subject: [secdir] SECDIR review of draft-giralt-schac-ns
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Dec 2009 04:34:09 -0000

Hi,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

First off, can we get the status of the document straightened out?  The 
document says that it's STANDARDS TRACK but idtracker says that it's 
INFORMATIONAL.

The only security concern I have is that the registration URN is not yet 
active and that it is limited to HTTPS.  While I think it is still going 
to take some time for this ID to become an RFC, I'd just like to see the 
web site set up sooner rather than later so the kinks may be ironed out. 
Beyond that, I think that it would be better to state that it will always 
be a "secure web site" which will offer credentials signed by such-n-such, 
and will require the latest secure methods for accessing a web site; that 
currently being http [reference] with the latest TLS transport 
[reference].  My issue with this is that "https" can still reference SSLv2 
and I don't think that's the intent of the statement in this ID.

I don't have any concerns about the Security Considerations section other 
than the statement about using "HTTPS" as noted above.

I do have a few nits that the authors may want to address.

The terms TERENA and TF-EMC2 are used without first defining them.  Maybe 
some changes in Section 1.
CURRENT:
    The SCHAC international activity was born inside the TF-EMC2
    middleware task force of the Trans European Research and Education
    Network Association.  The initial aim of SCHAC was to harmonise the
PROPOSED:
    The SCHAC international activity was born inside the TF-EMC2 (Task
    Force on European Middleware Coordination and Collaboration)
    of the Trans European Research and Education Network Association
    (TERENA).  The initial aim of SCHAC was to harmonise the...

I think that the second paragraph of the Abstract could use some 
polishing.
CURRENT:
    This namespace is for naming persistent resources defined by the
    SCHAC international activity participants, their working groups and
    other designated subordinates.  The namespace main use will be the
    creation of controlled vocabulary values for attributes in the SCHAC
    schema.  This values will be associated to particular instances of
    persons or objects belonging to any of the SCHAC object classes.
SUGGESTED:
    The namespace described in this document is for naming persistent
    resources defined by the SCHAC participants internationally, their
    working groups, and other designated subordinates.  The main use of
    this namespace will be for the creation of controlled vocabulary values
    for attributes in the SCHAC schema.  These values will be associated
    with particular instances of persons or objects belonging to any of the
    SCHAC object classes.

In Section 4, the word "Anyhow" is ambiguous.  I'd suggest replacing it 
with a more definite word such as "Regardless", or with the term "In any 
case".

In Section 5, the term "NREN" is not defined before it is used.  I'd 
suggest:
CURRENT:
    The assignment and use of identifiers within the namespace are open,
    and the related rule is established by the SCHAC activity members.
    Registration agencies (the next level naming authorities) will be the
    National Research and Education Networks and established
    organizational cross-border organizations that participate in SCHAC.
SUGGESTED:
    The assignment and use of identifiers within the namespace are open,
    and the related rule is established by the SCHAC activity members.
    Registration agencies (the next level naming authorities) will be the
    National Research and Education Networks (NRENS) and other established,
    cross-border organizations that participate in SCHAC.

In the third paragraph of Section 5, remove the term "as soon as 
practical".  ...just get it done.  :-)

Could you add a URL to reference [4]?

Best regards,
Chris

From weiler+secdir@watson.org  Thu Dec 31 07:07:18 2009
Return-Path: <weiler+secdir@watson.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DF7053A6828 for <secdir@core3.amsl.com>; Thu, 31 Dec 2009 07:07:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.148
X-Spam-Level: 
X-Spam-Status: No, score=-1.148 tagged_above=-999 required=5 tests=[AWL=-1.149, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nkFJ2a81dMFm for <secdir@core3.amsl.com>; Thu, 31 Dec 2009 07:07:18 -0800 (PST)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by core3.amsl.com (Postfix) with ESMTP id C8E1E3A6A7D for <secdir@ietf.org>; Thu, 31 Dec 2009 07:07:17 -0800 (PST)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.3/8.14.3) with ESMTP id nBVF6u4I072415 for <secdir@ietf.org>; Thu, 31 Dec 2009 10:06:56 -0500 (EST) (envelope-from weiler+secdir@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.3/8.14.3/Submit) with ESMTP id nBVF6uFJ072412 for <secdir@ietf.org>; Thu, 31 Dec 2009 10:06:56 -0500 (EST) (envelope-from weiler+secdir@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Thu, 31 Dec 2009 10:06:56 -0500 (EST)
From: Samuel Weiler <weiler+secdir@watson.org>
X-X-Sender: weiler@fledge.watson.org
To: secdir@ietf.org
Message-ID: <alpine.BSF.2.00.0912311004210.68633@fledge.watson.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Thu, 31 Dec 2009 10:06:56 -0500 (EST)
Subject: [secdir] No New Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: secdir-secretary@mit.edu
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Dec 2009 15:07:19 -0000

It appears to have been a quiet week for the IESG (no surprise there).

No new assignments, but sending the below as a reminder.

Hannes Tschofenig is (still) next in the rotation.

Documents on the telechat agenda typically have a last call end date before the 
date shown below; reviews by the end of last call are typically more 
appreciated by the doc editors.

Review instructions and related resources are at:
       http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

-- Sam

For telechat 2010-01-07

Reviewer                 Deadline   Draft
Sam Hartman            TR2010-01-05 draft-ietf-idnabis-bidi-06
Charlie Kaufman        TR2010-01-05 draft-ietf-idnabis-rationale-15
Scott Kelly            TR2010-01-05 draft-ietf-idnabis-tables-08
Scott Kelly            T 2010-01-05 draft-ietf-fecframe-dvb-al-fec-04
Russ Mundy             T 2010-01-05 draft-ohba-pana-pemk-03
Eric Rescorla          T 2010-01-05 draft-gennai-smime-cnipa-pec-05
Hannes Tschofenig      T 2010-01-05 draft-ietf-pce-monitoring-07


For telechat 2010-01-21

Reviewer                 Deadline   Draft
Joe Salowey            T 2010-01-19 draft-ietf-pana-preauth-08
Stefan Santesson       T 2010-01-19 draft-ietf-trill-rbridge-protocol-14
Larry Zhu              TR2010-01-19 draft-moriarty-post-inch-rid-09

Last calls and special requests:

Reviewer                 Deadline   Draft
Rob Austein              2009-11-28 draft-ietf-pkix-attr-cert-mime-type-02
Richard Barnes           None       draft-ietf-dnsext-dnssec-gost-06
Dave Cridland            2009-11-25 draft-ietf-nsis-qspec-22
Alan DeKok               2009-10-01 draft-ietf-enum-enumservices-transition-04
Alan DeKok               2009-12-07 draft-ietf-capwap-802dot11-mib-05
Love Hornquist-Astrand   2009-06-29 draft-ietf-opsawg-smi-datatypes-in-xsd-05
Love Hornquist-Astrand   2009-10-13 draft-ietf-idnabis-mappings-05
Jeffrey Hutzelman        2009-12-07 draft-ietf-capwap-base-mib-06
Stephen Kent             None       draft-ietf-dnsext-dnssec-gost-06
David McGrew             None       draft-ietf-dnsext-dnssec-gost-06
Catherine Meadows        2008-01-17 draft-ietf-speechsc-mrcpv2-20
Catherine Meadows        2009-12-22 draft-ietf-sipping-config-framework-16
Russ Mundy               2009-10-21 draft-ietf-hokey-preauth-ps-11
Sandy Murphy            R2009-11-18 draft-ietf-mpls-mpls-and-gmpls-security-framework-07
Sandy Murphy             2010-01-14 draft-turner-ecprivatekey-02
Vidya Narayanan          2008-11-21 draft-ietf-sip-saml-06
Chris Newman             2010-01-07 draft-ietf-krb-wg-preauth-framework-15
Hilarie Orman            2010-01-14 draft-kato-tls-rfc4132bis-04
Eric Rescorla            2010-01-11 draft-brown-versioning-link-relations-05
Joe Salowey              2009-02-08 draft-ietf-geopriv-lis-discovery-13
Sam Weiler               2008-08-13 draft-chown-v6ops-rogue-ra-03
Brian Weis               2009-10-20 draft-ietf-l3vpn-e2e-rsvp-te-reqts-04
Nico Williams            2008-08-13 draft-ietf-v6ops-ra-guard-04
Larry Zhu                2008-08-13 draft-thaler-v6ops-teredo-extensions-05
Larry Zhu                2009-05-09 draft-ietf-ecrit-location-hiding-req-02


From scott@hyperthought.com  Thu Dec 31 10:05:38 2009
Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 801033A6A57 for <secdir@core3.amsl.com>; Thu, 31 Dec 2009 10:05:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.185
X-Spam-Level: 
X-Spam-Status: No, score=-1.185 tagged_above=-999 required=5 tests=[BAYES_40=-0.185, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wPqN58OIrpKC for <secdir@core3.amsl.com>; Thu, 31 Dec 2009 10:05:37 -0800 (PST)
Received: from smtp232.iad.emailsrvr.com (smtp232.iad.emailsrvr.com [207.97.245.232]) by core3.amsl.com (Postfix) with ESMTP id A15D33A6A59 for <secdir@ietf.org>; Thu, 31 Dec 2009 10:05:37 -0800 (PST)
Received: from relay13.relay.iad.mlsrvr.com (localhost [127.0.0.1]) by relay13.relay.iad.mlsrvr.com (SMTP Server) with ESMTP id C18BC1CE565; Thu, 31 Dec 2009 13:05:16 -0500 (EST)
Received: from dynamic7.wm-web.iad.mlsrvr.com (dynamic7.wm-web.iad.mlsrvr.com [192.168.2.148]) by relay13.relay.iad.mlsrvr.com (SMTP Server) with ESMTP id B96491CE4D9; Thu, 31 Dec 2009 13:05:16 -0500 (EST)
Received: from hyperthought.com (localhost [127.0.0.1]) by dynamic7.wm-web.iad.mlsrvr.com (Postfix) with ESMTP id A3661153806F;  Thu, 31 Dec 2009 13:05:16 -0500 (EST)
Received: by apps.rackspace.com (Authenticated sender: scott@hyperthought.com, from: scott@hyperthought.com)  with HTTP; Thu, 31 Dec 2009 10:05:16 -0800 (PST)
Date: Thu, 31 Dec 2009 10:05:16 -0800 (PST)
From: scott@hyperthought.com
To: iesg@ietf.org, secdir@ietf.org, paf@cisco.com, idnabis-chairs@tools.ietf.org
MIME-Version: 1.0
Content-Type: text/plain;charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Importance: Normal
X-Priority: 3 (Normal)
X-Type: plain
Message-ID: <1262282716.66785621@192.168.2.230>
X-Mailer: webmail7.0
Subject: [secdir] secdir re-review of draft-ietf-idnabis-tables
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Dec 2009 18:05:38 -0000

I made a minor editorial comment in my original review of this document,
and the authors updated the document according to my suggestion.

I have no new comments or concerns with this document.

--Scott


From scott@hyperthought.com  Thu Dec 31 11:03:32 2009
Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DB1E43A6864 for <secdir@core3.amsl.com>; Thu, 31 Dec 2009 11:03:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.392
X-Spam-Level: 
X-Spam-Status: No, score=-2.392 tagged_above=-999 required=5 tests=[AWL=1.207,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IJ8MPyMXmHVU for <secdir@core3.amsl.com>; Thu, 31 Dec 2009 11:03:32 -0800 (PST)
Received: from smtp172.iad.emailsrvr.com (smtp172.iad.emailsrvr.com [207.97.245.172]) by core3.amsl.com (Postfix) with ESMTP id 9D4453A6873 for <secdir@ietf.org>; Thu, 31 Dec 2009 11:03:32 -0800 (PST)
Received: from relay27.relay.iad.mlsrvr.com (localhost [127.0.0.1]) by relay27.relay.iad.mlsrvr.com (SMTP Server) with ESMTP id D8F7F1B40A6; Thu, 31 Dec 2009 14:03:10 -0500 (EST)
Received: from dynamic4.wm-web.iad.mlsrvr.com (dynamic4.wm-web.iad.mlsrvr.com [192.168.2.153]) by relay27.relay.iad.mlsrvr.com (SMTP Server) with ESMTP id CCB2E1B40A0; Thu, 31 Dec 2009 14:03:10 -0500 (EST)
Received: from hyperthought.com (localhost [127.0.0.1]) by dynamic4.wm-web.iad.mlsrvr.com (Postfix) with ESMTP id A11A61D4806E;  Thu, 31 Dec 2009 14:03:10 -0500 (EST)
Received: by apps.rackspace.com (Authenticated sender: scott@hyperthought.com, from: scott@hyperthought.com)  with HTTP; Thu, 31 Dec 2009 11:03:10 -0800 (PST)
Date: Thu, 31 Dec 2009 11:03:10 -0800 (PST)
From: scott@hyperthought.com
To: iesg@ietf.org, secdir@ietf.org, abegen@cisco.com, stockhammer@nomor.de, fecframe-chairs@tools.ietf.org
MIME-Version: 1.0
Content-Type: text/plain;charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Importance: Normal
X-Priority: 3 (Normal)
X-Type: plain
Message-ID: <1262286190.65839253@192.168.2.230>
X-Mailer: webmail7.0
Subject: [secdir] secdir review of draft-ietf-fecframe-dvb-al-fec
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Dec 2009 19:03:33 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors.  Document editors and WG chairs should treat these
comments just like any other last call comments.

This document describes implementation of a forward error correction
protocol over RTP using already-defined protocol elements. The protocol
was originally defined by an ETSI group.

The security considerations section says, "This specification adds no new
security considerations to the DVB-IPTV AL-FEC protocol", which I take to
mean that the authors see no way in which the proposed approach changes
the security properties of the original ETSI specification. Since the
protocol doesn't seem to implement any security features, I guess this is
probably correct. Still, it might be better to add some additional
commentary such as what is found in the security considerations section
of draft-ietf-fecframe-interleaved-fec-scheme-07.txt (or, perhaps point
to that and the framework doc).

Lacking much necessary background in this area, I don't feel qualified to
fully evaluate this document. With that deficiency noted, the only
possible red flag I saw is that the FEC protocol requires that the SSRC
fields of the FEC frames be set to 0, while SRTP requires unique SSRC
values for security reasons. With my very limited background, I can't be
sure if there is an important security interaction here or not, but it
seems worth asking about.

--Scott
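
The SRTP uniqueness requirement mentioned in the review above, as an added example that is not part of the original message: RFC 3711 (section 4.1.1) builds the AES-CM IV from the session salt, the SSRC and the packet index, so two streams protected under one master key with the same SSRC and index get the same IV and therefore the same keystream. The stream names, salt and packets are constructed sample values, and the page does not establish whether the draft's SSRC=0 FEC streams would ever share an SRTP master key.

```python
# Added illustration: SRTP AES-CM IV derivation (RFC 3711, section 4.1.1)
# and a check for IV reuse between streams that share one master key.
# The salt, stream names and packet parameters are constructed sample values.
from collections import defaultdict


def packet_index(roc: int, seq: int) -> int:
    """48-bit SRTP packet index: i = 2^16 * ROC + SEQ."""
    return ((roc & 0xFFFFFFFF) << 16) | (seq & 0xFFFF)


def aes_cm_iv(session_salt: int, ssrc: int, index: int) -> int:
    """IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16), as a 128-bit int."""
    if session_salt >> 112:
        raise ValueError("session salt must fit in 112 bits")
    iv = (session_salt << 16) ^ ((ssrc & 0xFFFFFFFF) << 64) ^ (index << 16)
    return iv & ((1 << 128) - 1)


def find_iv_reuse(session_salt, packets):
    """packets: iterable of (stream_name, ssrc, roc, seq), all protected under
    the same master key. Returns [(iv, [stream names])] for every IV that more
    than one distinct stream would use."""
    seen = defaultdict(set)
    for name, ssrc, roc, seq in packets:
        iv = aes_cm_iv(session_salt, ssrc, packet_index(roc, seq))
        seen[iv].add(name)
    return [(iv, sorted(n)) for iv, n in sorted(seen.items()) if len(n) > 1]


SALT = 0x00112233445566778899AABBCCDD  # constructed 112-bit session salt

# Assumed scenario: two FEC streams both carry SSRC 0 under one master key.
SHARED_SSRC = [
    ("fec-a", 0x00000000, 0, 100),
    ("fec-b", 0x00000000, 0, 100),   # same SSRC and index as fec-a
    ("fec-b", 0x00000000, 0, 102),
    ("media", 0x1234ABCD, 0, 100),
]

# Same traffic, but every stream has its own SSRC.
UNIQUE_SSRC = [
    ("fec-a", 0x0000A001, 0, 100),
    ("fec-b", 0x0000B002, 0, 100),
    ("fec-b", 0x0000B002, 0, 102),
    ("media", 0x1234ABCD, 0, 100),
]

if __name__ == "__main__":
    for iv, names in find_iv_reuse(SALT, SHARED_SSRC):
        print(f"IV {iv:032x} reused by {names}")
```
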

