
From ietf@adambarth.com  Sun Jul  3 02:45:09 2011
In-Reply-To: <7200e23e5c5a.4e06a4d1@naist.jp>
References: <BANLkTik1AnXaWfPEM+PtB8ctqU_mahkWbQ@mail.gmail.com> <7200e23e5c5a.4e06a4d1@naist.jp>
From: Adam Barth <ietf@adambarth.com>
Date: Sun, 3 Jul 2011 02:44:36 -0700
Message-ID: <CAJE5ia97GjC0zpSzYdZO4kjGVcN6zcb=Ba61w1uG+U6ZacM0ng@mail.gmail.com>
To: Blanc Gregory <gregory@is.naist.jp>
Cc: websec <websec@ietf.org>
Subject: Re: [websec] draft-ietf-websec-origin-02

On Sat, Jun 25, 2011 at 11:17 AM, Blanc Gregory <gregory@is.naist.jp> wrote:
> Hello,
>
> please find below a few spotted typos and comments.
>
> abstract:
> "underlie" instead of "underly"
> "concept of origin" instead of "origin concept"

Fixed.

> page 5:
> "an idna-canonicalized" instead of "a idna-canonicalized"

Fixed.

> page 9:
> 3.4.1
> "content retrieved from one URI" instead of "content retrieve from one URI"

Fixed.

> page 10:
> 3.4.2
> "permitted to use" instead of "permitted use"

Fixed.

> page 13:
> 5.
> "Two origins" instead of "To origins"

Fixed.

> page 16:
> 7.2
> "For example, consider a user agent that executes scripts on behalf of
> origins.  If one of those scripts causes the user agent to issue an
> HTTP request, the user agent might wish to use the Origin header to
> inform the server that the request was issued by the script".
> Since the Origin header is a list of serialized origins, we can
> assume this contains the origin that issued the request but not
> the specific script as the sentence above indicates.
> This is somehow tackled in page 19, section 8.3.

I've clarified that the Origin header indicates the security context
in which the script was executing, not necessarily the origin of the
script code itself.

> "In some cases, a number of origins contribute to causing the user
> agents to issue an HTTP request.  In those cases, the user agent can
> list all the origins in the Origin header.  For example, if the HTTP
> request was initially issued by one origin but then later redirected
> by another origin, the user agent might wish to inform the server
> that two origins were involved in causing the user agent to issue the
> request".
> Does the sentence above only refer to the case of redirection as
> evidenced by the example or does the author implies other cases?

There are other cases as well.  For example, imagine a call stack that
involves a bunch of origins.  If you were interested in stack
inspection, you might list all those origins in the Origin header.

> To the best of my knowledge, I cannot think of any other case?
> Maybe I should think more about it. At least, cases implied here
> are only sequential and never concurrent, aren't they?

I'm not sure there are any other concrete examples today, but there
could well be in the future.  The point is just to have the
flexibility in case we need it in the future.  Generally speaking,
there are many causes for any particular event, so this
syntax+semantics gives us the flexibility to handle that case, if we
need it.

Thanks!
Adam


> On 06/25/11, Adam Barth <ietf@adambarth.com> wrote:
>
>> I've posted an updated version of the origin draft:
>>
>> http://www.ietf.org/id/draft-ietf-websec-origin-02.txt
>>
>> The new version includes Security Considerations, IANA Considerations,
>> and a completed references section.  Feedback on the new Security
>> Considerations section would be much appreciated.
>>
>> I also removed the (stub) Privacy Considerations section.  If there's
>> something you think should be discussed there, let me know.
>>
>> Thanks,
>> Adam
>> _______________________________________________
>> websec mailing list
>> websec@ietf.org
>> https://www.ietf.org/mailman/listinfo/websec
>
>
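
A server-side check for the multi-origin case Adam describes above, as an added example that is neither the draft's nor Adam's code: it parses the Origin field value as the draft's grammar gives it (the literal null, or a space-separated list of serialized origins of the form scheme "://" host [ ":" port ]) and lets a state-changing request through only if every listed origin is on an allow-list, since when several origins contributed to the request any one of them may be the untrusted one. The allow-list, and rejecting a missing or null header, are assumptions for the example.

```python
import re

# Constructed allow-list for this example (hypothetical deployment).
TRUSTED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

# serialized-origin = scheme "://" host [ ":" port ]: a single token with
# no path, query, fragment or userinfo.
_SERIALIZED_ORIGIN = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://[^\s/?#@]+$")


def parse_origin_header(value):
    """Parse an Origin field value as the draft defines it: the literal
    "null" or a space-separated list of serialized origins.
    Returns None for "null", otherwise a list of normalized origins.
    Raises ValueError on anything that does not match the grammar."""
    value = value.strip()
    if value == "null":
        return None
    if not value:
        raise ValueError("empty Origin header")
    origins = []
    # The grammar separates origins with a single SP; a doubled space
    # yields an empty token, which the regex rejects.
    for token in value.split(" "):
        if not _SERIALIZED_ORIGIN.match(token):
            raise ValueError("malformed serialized origin: %r" % token)
        scheme, rest = token.split("://", 1)
        # Scheme and host are case-insensitive; compare in lowercase.
        origins.append(scheme.lower() + "://" + rest.lower())
    return origins


def request_is_trusted(origin_header):
    """Decide whether a state-changing request may proceed.
    origin_header is the raw field value, or None when the header is absent.
    Policy (assumed for this example): absent, unparsable or "null" -> reject;
    a list is accepted only if every listed origin is trusted."""
    if origin_header is None:
        return False
    try:
        origins = parse_origin_header(origin_header)
    except ValueError:
        return False
    if origins is None:
        return False
    return all(o in TRUSTED_ORIGINS for o in origins)
```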

From ietf@adambarth.com  Sun Jul  3 02:47:19 2011
In-Reply-To: <201106291559.28951.robert.buchholz@goodpoint.de>
References: <BANLkTik1AnXaWfPEM+PtB8ctqU_mahkWbQ@mail.gmail.com> <201106291559.28951.robert.buchholz@goodpoint.de>
From: Adam Barth <ietf@adambarth.com>
Date: Sun, 3 Jul 2011 02:46:47 -0700
Message-ID: <CAJE5ia92zpPSOivrfonn4NJmbHOASzFbq=y4xnigmcOdGwhtmQ@mail.gmail.com>
To: Robert Buchholz <robert.buchholz@goodpoint.de>
Cc: websec@ietf.org
Subject: Re: [websec] draft-ietf-websec-origin-02

On Wed, Jun 29, 2011 at 6:59 AM, Robert Buchholz
<robert.buchholz@goodpoint.de> wrote:
> Besides the typos noted by Gregory, page 20 has:
>  "This practice is incompatible with URIs schemes that"
> which should probably be
>  "This practice is incompatible with URI schemes that"

Fixed.

Adam

From ietf@adambarth.com  Sun Jul  3 02:53:28 2011
In-Reply-To: <4E07AB57.6030702@lookout.net>
References: <BANLkTik1AnXaWfPEM+PtB8ctqU_mahkWbQ@mail.gmail.com> <4E07AB57.6030702@lookout.net>
From: Adam Barth <ietf@adambarth.com>
Date: Sun, 3 Jul 2011 02:52:55 -0700
Message-ID: <CAJE5ia9qJRWg489Ovm7TP8knwtDd9EYzL_7bypbOo6rJpF0NcA@mail.gmail.com>
To: Chris Weber <chris@lookout.net>
Cc: websec@ietf.org
Subject: Re: [websec] draft-ietf-websec-origin-02

On Sun, Jun 26, 2011 at 2:57 PM, Chris Weber <chris@lookout.net> wrote:
> A couple of questions:
>
> 1) Do you have a reference to the "chrome-extension URI scheme"?  I was just
> trying to figure out what it was.
>
> 2) In section 6.1 where it says:
>
> "4.  Apply the IDNA ToUnicode algorithm [RFC5891] to each component of
>        the host part of the origin triple"
>
> Should the reference be to Section 4.2 "ToUnicode" of RFC3490
> http://tools.ietf.org/html/rfc3490#section-4.2, or Section 5.2 "Conversion
> to Unicode" of RFC 5891 http://tools.ietf.org/html/rfc5891#section-5.2?

I've made this more explicit (and added a reference to Section 10.1).

Adam


> On 6/24/2011 1:59 PM, Adam Barth wrote:
>
> I've posted an updated version of the origin draft:
>
> http://www.ietf.org/id/draft-ietf-websec-origin-02.txt
>
> The new version includes Security Considerations, IANA Considerations,
> and a completed references section.  Feedback on the new Security
> Considerations section would be much appreciated.
>
> I also removed the (stub) Privacy Considerations section.  If there's
> something you think should be discussed there, let me know.
>
> Thanks,
> Adam
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>
>

From ietf@adambarth.com  Sun Jul  3 02:54:43 2011
In-Reply-To: <4E0D0700.6020805@lookout.net>
References: <BANLkTik1AnXaWfPEM+PtB8ctqU_mahkWbQ@mail.gmail.com> <4E0CFA2B.7070205@lookout.net> <BANLkTikgZBSs7NZpb+o362=u+YJbEVBzkA@mail.gmail.com> <BANLkTimN3tdBeX01hHaSbuBOpOK0QJ5Twg@mail.gmail.com> <4E0D0700.6020805@lookout.net>
From: Adam Barth <ietf@adambarth.com>
Date: Sun, 3 Jul 2011 02:54:10 -0700
Message-ID: <CAJE5ia_PP=hNg7K44MEU8mCGK53iWqZzeEVov4iZStkf=+F5Vg@mail.gmail.com>
To: Chris Weber <chris@lookout.net>
Cc: websec@ietf.org
Subject: Re: [websec] draft-ietf-websec-origin-02

On Thu, Jun 30, 2011 at 4:30 PM, Chris Weber <chris@lookout.net> wrote:
> On 6/30/2011 3:51 PM, Adam Barth wrote:
>> Actually, I misspoke.  The idna-canonicalization is a defined
>> algorithm in the spec (which eventually references 10.1).  I need to
>> go through and make sure all the references point to the right things.
>>
>> Adam
>
> Oh duh, I feel silly.  Editorial nit - maybe a minor change to make the
> terms (or tense) match would help.  Keeping with section 2.3's defined term
> "idna-canonicalized" then the sentence in section 4 step 5 would read:
>
>  "Let uri-host be the idna-canonicalized form of the host component of the
> URI."

Fixed.

Adam

From dross@microsoft.com  Thu Jul  7 12:36:19 2011
From: David Ross <dross@microsoft.com>
To: "websec@ietf.org" <websec@ietf.org>, "Tobias Gondrom (tobias.gondrom@gondrom.org)" <tobias.gondrom@gondrom.org>
Date: Thu, 7 Jul 2011 19:36:04 +0000
Message-ID: <F94D1172DEEC714BBD7F76476442D7151FD3AD46@TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com>
Subject: Re: [websec] FYI: New draft draft-gondrom-frame-options-01

I have some feedback on the FRAME-OPTIONS draft, specifically the ALLOW-FROM
syntax.  There are a couple of good arguments against the requirement for
a list of trusted origins as opposed to a single trusted origin:

1)  For privacy / security purposes, it would be preferable for the server
not to have to explicitly expose the full list of possible frame hosting
URLs.

2)  Responses may become bloated when there are a lot of sites in the
ALLOW-FROM list.

3)  Support for wildcards as a solution to list bloat would introduce a new
level of complexity w.r.t. parsing, etc.  Even dealing with the delimiter
between static URLs in a list can get slightly problematic.

4)  Servers would have to enumerate a list of sites in advance and ensure
that the list is actively maintained.

Relying on custom server-side validation logic instead of permitting lists
of origins in ALLOW-FROM would help alleviate these problems.  Eg: Server-side
code validating URLs are of the form:
https://[five alpha-numeric characters].contoso.com.

Given this, I would suggest a single-origin syntax for ALLOW-FROM similar to
X-FRAME-OPTIONS:
http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

---
Note that the Allow-From token does not support wildcards or listing of
multiple origins. For cases where the server wishes to allow more than one
page to frame its content, the following design pattern is recommended:

1)  The outer IFRAME supplies its own origin information, using a querystring
parameter on the Inner IFRAME's src attribute. This can obviously be
specified by an attacker, but that's OK.

2)  The server for the Inner IFRAME verifies the supplied Origin information
meets whatever criteria business practices call for. For example, the server
that serves the IFRAME containing a social network's "Like" button, might
check to see that the supplied Origin matches the Origin expected for that
Like button, and that the owner of the specified Origin has a valid affiliate
relationship, etc.

3)  If satisfied with the information supplied, the server for the Inner
IFRAME sends an X-FRAME-OPTIONS: allow-from suppliedorigin header

4)  The Browser then enforces the X-FRAME-OPTIONS directive.

If an attacker had specified an origin in step #1 different than the actual
origin of the outermost page, he'd be blocked at step #4 when the browser
actually enforces the origin.
---

David Ross
dross@microsoft.com
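
The validate-then-emit server side of the four-step pattern quoted above, as an added example that is neither David's code nor the blog post's: it takes the embedder origin the outer page passed in the inner frame's query string, validates it against the https://[five alpha-numeric characters].contoso.com shape from the message (scheme, bare host, no path, userinfo or non-default port), and emits either ALLOW-FROM with the canonical origin or DENY. The embedder query-parameter name, the contoso.com pattern and the fail-closed DENY are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed pattern for the message's example shape:
# https://[five alpha-numeric characters].contoso.com
_ALLOWED_HOST = re.compile(r"^[a-z0-9]{5}\.contoso\.com$")


def validate_supplied_origin(supplied):
    """Validate the origin a framing page passed in the query string.
    Returns the canonical serialized origin, or None if it is not acceptable.
    Everything that is not a bare https origin on an allowed host is rejected,
    so a value such as https://abcde.contoso.com.evil.example or
    https://abcde.contoso.com@evil.example never reaches the header."""
    if not supplied or len(supplied) > 256:
        return None
    try:
        parts = urlsplit(supplied)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme.lower() != "https":
        return None
    # Only a bare origin: no path, query, fragment or userinfo.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    host = (parts.hostname or "").lower()
    if not _ALLOWED_HOST.match(host):
        return None
    if port not in (None, 443):
        return None
    return "https://" + host


def frame_options_header(query_params):
    """Build the X-Frame-Options value for the inner frame's response.
    query_params: dict of the inner iframe's src query string; 'embedder'
    is the assumed parameter carrying the outer page's origin (step 1).
    A forged or malformed value yields DENY (assumed fail-closed choice);
    the browser then enforces the result against the real top-level origin."""
    origin = validate_supplied_origin(query_params.get("embedder"))
    if origin is None:
        return "DENY"
    return "ALLOW-FROM " + origin
```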


From tlr@w3.org  Thu Jul  7 14:12:37 2011
From: Thomas Roessler <tlr@w3.org>
Date: Thu, 7 Jul 2011 23:11:58 +0200
Message-Id: <DAD1FA49-1355-4769-852C-F47AB8E04682@w3.org>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>, Arthur Barstow <art.barstow@nokia.com>, Brad Hill <bhill@paypal-inc.com>, Eric Rescorla <ekr@rtfm.com>, Alexey Melnikov <alexey.melnikov@isode.com>, David Ross <dross@microsoft.com>, Anne van Kesteren <annevk@opera.com>, Adrian Bateman <adrianba@microsoft.com>, Brandon Sterne <bsterne@mozilla.com>, Adam Barth <abarth@gmail.com>, Charles McCathieNevile <chaals@opera.com>, Maciej Stachowiak <mjs@apple.com>
Cc: public-web-security@w3.org, "Michael\(tm\) Smith" <mike@w3.org>, websec@ietf.org, public-webapps@w3.org, Mark Nottingham <mnot@mnot.net>
Subject: [websec] Frame embedding: One problem, three possible specs?

(Warning, this is cross-posted widely. One of the lists is the IETF
websec mailing list, to which the IETF NOTE WELL applies:
http://www.ietf.org/about/note-well.html)


Folks,

there appear to be at least three possible specifications addressing
this space, with similar but different designs:

1. A proposed deliverable in the WebAppSec group to take up on
X-Frame-Options and express those in CSP:
  http://www.w3.org/2011/07/appsecwg-charter.html

(We expect that this charter might go to the W3C AC for review as soon
as next week.)

2. The "From-Origin" draft (aka "Cross-Origin Resource Embedding
Exclusion") currently considered for publication as an FPWD in the
Webapps WG:
  http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/0088.html

This draft mentions integration into CSP as a possible path forward.

3. draft-gondrom-frame-options, an individual I-D mentioned to websec:

  https://datatracker.ietf.org/doc/draft-gondrom-frame-options/
  http://www.ietf.org/mail-archive/web/websec/current/msg00388.html


How do we go about it?  One path forward might be to just proceed as =
currently planned and coordinate when webappsec starts working.

Another path forward might be to see whether we can agree now on what =
forum to take these things forward in (and what the coordination dance =
might look like).

Thoughts welcome.

Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)




From w3c@adambarth.com  Thu Jul  7 15:24:19 2011
In-Reply-To: <DAD1FA49-1355-4769-852C-F47AB8E04682@w3.org>
References: <DAD1FA49-1355-4769-852C-F47AB8E04682@w3.org>
From: Adam Barth <w3c@adambarth.com>
Date: Thu, 7 Jul 2011 15:23:45 -0700
Message-ID: <CAJE5ia8GNutuU5d=2v8SjN=Rigck_XPRAoShzFb=s=5KcyLfJA@mail.gmail.com>
To: Thomas Roessler <tlr@w3.org>
Cc: Charles McCathieNevile <chaals@opera.com>, Maciej Stachowiak <mjs@apple.com>, Eric Rescorla <ekr@rtfm.com>, public-web-security@w3.org, Adrian Bateman <adrianba@microsoft.com>, "Michael\(tm\) Smith" <mike@w3.org>, websec@ietf.org, public-webapps@w3.org, Mark Nottingham <mnot@mnot.net>, Arthur Barstow <art.barstow@nokia.com>
Subject: Re: [websec] Frame embedding: One problem, three possible specs?

My sense from talking with folks is that there isn't a lot of
enthusiasm for supporting this use case in CSP at the present time.
We're trying to concentrate on a core set of directives for the first
iteration.  If it helps reduce complexity, you might consider dropping
option (1) for the time being.

Adam


On Thu, Jul 7, 2011 at 2:11 PM, Thomas Roessler <tlr@w3.org> wrote:
> (Warning, this is cross-posted widely. One of the lists is the IETF
> websec mailing list, to which the IETF NOTE WELL applies:
> http://www.ietf.org/about/note-well.html)
>
>
> Folks,
>
> there appear to be at least three possible specifications addressing
> this space, with similar but different designs:
>
> 1. A proposed deliverable in the WebAppSec group to take up on
> X-Frame-Options and express those in CSP:
>  http://www.w3.org/2011/07/appsecwg-charter.html
>
> (We expect that this charter might go to the W3C AC for review as soon
> as next week.)
>
> 2. The "From-Origin" draft (aka "Cross-Origin Resource Embedding
> Exclusion") currently considered for publication as an FPWD in the
> Webapps WG:
>  http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/0088.html
>
> This draft mentions integration into CSP as a possible path forward.
>
> 3. draft-gondrom-frame-options, an individual I-D mentioned to websec:
>  https://datatracker.ietf.org/doc/draft-gondrom-frame-options/
>  http://www.ietf.org/mail-archive/web/websec/current/msg00388.html
>
>
> How do we go about it?  One path forward might be to just proceed as
> currently planned and coordinate when webappsec starts working.
>
> Another path forward might be to see whether we can agree now on what
> forum to take these things forward in (and what the coordination dance
> might look like).
>
> Thoughts welcome.
>
> Regards,
> --
> Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)
>
>
>
>

From dross@microsoft.com  Thu Jul  7 16:07:31 2011
From: David Ross <dross@microsoft.com>
To: Adam Barth <w3c@adambarth.com>, Thomas Roessler <tlr@w3.org>
Thread-Topic: Frame embedding: One problem, three possible specs?
Thread-Index: AQHMPOqPvqL6Q2gkPU2EbegwuDrztZTh5JWA//+PFMA=
Date: Thu, 7 Jul 2011 23:07:23 +0000
Message-ID: <F94D1172DEEC714BBD7F76476442D7151FD3B64C@TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com>
References: <DAD1FA49-1355-4769-852C-F47AB8E04682@w3.org> <CAJE5ia8GNutuU5d=2v8SjN=Rigck_XPRAoShzFb=s=5KcyLfJA@mail.gmail.com>
In-Reply-To: <CAJE5ia8GNutuU5d=2v8SjN=Rigck_XPRAoShzFb=s=5KcyLfJA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.90]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Thu, 07 Jul 2011 16:10:40 -0700
Cc: Charles McCathieNevile <chaals@opera.com>, Maciej Stachowiak <mjs@apple.com>, Eric Rescorla <ekr@rtfm.com>, "public-web-security@w3.org" <public-web-security@w3.org>, Adrian Bateman <adrianba@microsoft.com>, "Michael\(tm\) Smith" <mike@w3.org>, "websec@ietf.org" <websec@ietf.org>, "public-webapps@w3.org" <public-webapps@w3.org>, Mark Nottingham <mnot@mnot.net>, Arthur Barstow <art.barstow@nokia.com>
Subject: Re: [websec] Frame embedding: One problem, three possible specs?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2011 23:07:31 -0000

#3 is a narrowly scoped effort to standardize something that works pretty
well today in practice (X-FRAME-OPTIONS).  A conflict with CSP would be bad,
but per Adam it seems like overlap is looking less likely.  So proceeding
down the current path on #3 sounds good to me.

David Ross
dross@microsoft.com


-----Original Message-----
From: Adam Barth [mailto:w3c@adambarth.com]
Sent: Thursday, July 07, 2011 3:24 PM
To: Thomas Roessler
Cc: Tobias Gondrom; Arthur Barstow; Brad Hill; Eric Rescorla; Alexey Melnikov;
David Ross; Anne van Kesteren; Adrian Bateman; Brandon Sterne; Charles
McCathieNevile; Maciej Stachowiak; Peter Saint-Andre; Michael(tm) Smith; Mark
Nottingham; Jeff Hodges; public-web-security@w3.org; public-webapps@w3.org;
websec@ietf.org
Subject: Re: Frame embedding: One problem, three possible specs?

My sense from talking with folks is that there isn't a lot of enthusiasm for
supporting this use case in CSP at the present time.
We're trying to concentrate on a core set of directives for the first
iteration.  If it helps reduce complexity, you might consider dropping option
(1) for the time being.

Adam


On Thu, Jul 7, 2011 at 2:11 PM, Thomas Roessler <tlr@w3.org> wrote:
> (Warning, this is cross-posted widely. One of the lists is the IETF websec
> mailing list, to which the IETF NOTE WELL applies:
> http://www.ietf.org/about/note-well.html)
>
>
> Folks,
>
> there appear to be at least three possible specifications addressing this
> space, with similar but different designs:
>
> 1. A proposed deliverable in the WebAppSec group to take up on X-Frame-Options
> and express those in CSP:
>  http://www.w3.org/2011/07/appsecwg-charter.html
>
> (We expect that this charter might go to the W3C AC for review as soon as
> next week.)
>
> 2. The "From-Origin" draft (aka "Cross-Origin Resource Embedding Exclusion")
> currently considered for publication as an FPWD in the Webapps WG:
>  http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/0088.html
>
> This draft mentions integration into CSP as a possible path forward.
>
> 3. draft-gondrom-frame-options, an individual I-D mentioned to websec:
>  https://datatracker.ietf.org/doc/draft-gondrom-frame-options/
>  http://www.ietf.org/mail-archive/web/websec/current/msg00388.html
>
>
> How do we go about it?  One path forward might be to just proceed as
> currently planned and coordinate when webappsec starts working.
>
> Another path forward might be to see whether we can agree now on what forum
> to take these things forward in (and what the coordination dance might look
> like).
>
> Thoughts welcome.
>
> Regards,
> --
> Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)
>
>
>
>


From bhill@paypal-inc.com  Thu Jul  7 16:31:56 2011
Return-Path: <bhill@paypal-inc.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C319121F86CE for <websec@ietfa.amsl.com>; Thu,  7 Jul 2011 16:31:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.117
X-Spam-Level: 
X-Spam-Status: No, score=-9.117 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DNS_FROM_RFC_BOGUSMX=1.482, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GAcClYcHEGxm for <websec@ietfa.amsl.com>; Thu,  7 Jul 2011 16:31:55 -0700 (PDT)
Received: from den-mipot-001.corp.ebay.com (den-mipot-001.corp.ebay.com [216.113.175.152]) by ietfa.amsl.com (Postfix) with ESMTP id A7B5B21F86C7 for <websec@ietf.org>; Thu,  7 Jul 2011 16:31:55 -0700 (PDT)
DomainKey-Signature: s=ppinc; d=paypal-inc.com; c=nofws; q=dns; h=X-EBay-Corp:X-IronPort-AV:Received:Received:Received: From:To:CC:Date:Subject:Thread-Topic:Thread-Index: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: acceptlanguage:Content-Type:Content-Transfer-Encoding: MIME-Version:Return-Path:X-EMS-Proccessed:X-EMS-STAMP: X-CFilter; b=iSc7x2+UcS2Hc2i/t+X9YvAfmSOY8+1v9gzOJkS92Nntyi4JpSwis+/8 eVFqXOfT2UeujL7f2EVKIcEY9XmGnh57Kc+mR89E9mw0zLEynqeIXh0Xm sp697wEw6jmkUlo;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal-inc.com; i=bhill@paypal-inc.com; q=dns/txt; s=ppinc; t=1310081516; x=1341617516; h=from:to:cc:date:subject:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=OOe3vtMeliJqD/KSF2yd7tNYCjc0fDyXp7PUb1JfSoo=; b=xTWUgsOtKViSPxI0rx7EriPfMatsLfQ5+G4YfINTWYyX71xKfPUqheGL GkDp/dTc4wTAsyMAnYN/2OUUHX7WjUectUj/lXpXdc1xOcgHrgU7hhDT2 7l9qV6iHMRc5qJo;
X-EBay-Corp: Yes
X-IronPort-AV: E=Sophos;i="4.65,496,1304319600";  d="scan'208";a="2641245"
Received: from den-vtenf-001.corp.ebay.com (HELO DEN-MEXHT-001.corp.ebay.com) ([10.101.112.212]) by den-mipot-001.corp.ebay.com with ESMTP; 07 Jul 2011 16:31:55 -0700
Received: from DEN-MEXHT-004.corp.ebay.com (10.241.17.60) by DEN-MEXHT-001.corp.ebay.com (10.241.17.52) with Microsoft SMTP Server (TLS) id 8.3.137.0; Thu, 7 Jul 2011 17:31:54 -0600
Received: from DEN-MEXMS-001.corp.ebay.com ([10.241.16.225]) by DEN-MEXHT-004.corp.ebay.com ([10.241.17.60]) with mapi; Thu, 7 Jul 2011 17:31:54 -0600
From: "Hill, Brad" <bhill@paypal-inc.com>
To: Adam Barth <w3c@adambarth.com>, Thomas Roessler <tlr@w3.org>
Date: Thu, 7 Jul 2011 17:31:52 -0600
Thread-Topic: Frame embedding: One problem, three possible specs?
Thread-Index: Acw89KBnR2GKzOrJSyCVy/J3HXN0yQAA6TlQ
Message-ID: <213E0EC97FE58F469BB618245B3118BB550C592DB8@DEN-MEXMS-001.corp.ebay.com>
References: <DAD1FA49-1355-4769-852C-F47AB8E04682@w3.org> <CAJE5ia8GNutuU5d=2v8SjN=Rigck_XPRAoShzFb=s=5KcyLfJA@mail.gmail.com>
In-Reply-To: <CAJE5ia8GNutuU5d=2v8SjN=Rigck_XPRAoShzFb=s=5KcyLfJA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMS-Proccessed: 10SqDH0iR7ekR7SRpKqm5A==
X-EMS-STAMP: DmAc3lPloLCu0u6WVqIHBQ==
X-CFilter: Scanned
X-Mailman-Approved-At: Thu, 07 Jul 2011 16:45:36 -0700
Cc: Charles McCathieNevile <chaals@opera.com>, Maciej Stachowiak <mjs@apple.com>, Eric Rescorla <ekr@rtfm.com>, "public-web-security@w3.org" <public-web-security@w3.org>, Adrian Bateman <adrianba@microsoft.com>, "Michael\(tm\) Smith" <mike@w3.org>, "websec@ietf.org" <websec@ietf.org>, "public-webapps@w3.org" <public-webapps@w3.org>, Mark Nottingham <mnot@mnot.net>, Arthur Barstow <art.barstow@nokia.com>
Subject: Re: [websec] Frame embedding: One problem, three possible specs?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2011 23:31:56 -0000

The latest draft of the WebAppSec charter includes a secure cross-domain
framing mechanism as a distinct deliverable from the CSP; its relation is
only in proposing re-use of the same browsing context capability grammar as
CSP.  So retaining option #1 is not in conflict with dropping frame-ancestors
from CSP v1.

#2 and #3 (and frame-ancestors in the current CSP draft) allow expression of
similar policies: "This content can only be framed/embedded by these
origins."  I think it makes sense to consolidate these going forward.

#1 in the new WebAppSec WG draft charter is different.  While there isn't a
strawman yet, it seeks to allow expression of a policy like: "Anyone can
frame this content, but it must allow X, Y and Z."  or maybe, "This frame is
non-interactive unless X, Y and Z."  (where X, Y and Z might be: an
unobstructed canvas, allowed to execute script, allowed to top-nav, top
z-order, minimum display size, etc...)

I think both approaches can co-exist and that #1 can proceed without conflict
for now.  If the proposal that emerges is determined to be best transported
as additional semantics for X-Frame-Options or From-Origin, the WebAppSec WG
is already chartered to do the necessary coordination.

-Brad


-----Original Message-----
From: Adam Barth [mailto:w3c@adambarth.com]
Sent: Thursday, July 07, 2011 3:24 PM
To: Thomas Roessler
Cc: Tobias Gondrom; Arthur Barstow; Hill, Brad; Eric Rescorla; Alexey
Melnikov; David Ross; Anne van Kesteren; Adrian Bateman; Brandon Sterne;
Charles McCathieNevile; Maciej Stachowiak; Peter Saint-Andre; Michael(tm)
Smith; Mark Nottingham; Hodges, Jeff; public-web-security@w3.org;
public-webapps@w3.org; websec@ietf.org
Subject: Re: Frame embedding: One problem, three possible specs?

My sense from talking with folks is that there isn't a lot of enthusiasm for
supporting this use case in CSP at the present time.
We're trying to concentrate on a core set of directives for the first
iteration.  If it helps reduce complexity, you might consider dropping option
(1) for the time being.

Adam


On Thu, Jul 7, 2011 at 2:11 PM, Thomas Roessler <tlr@w3.org> wrote:
> (Warning, this is cross-posted widely. One of the lists is the IETF websec
> mailing list, to which the IETF NOTE WELL applies:
> http://www.ietf.org/about/note-well.html)
>
>
> Folks,
>
> there appear to be at least three possible specifications addressing this
> space, with similar but different designs:
>
> 1. A proposed deliverable in the WebAppSec group to take up on X-Frame-Options
> and express those in CSP:
>  http://www.w3.org/2011/07/appsecwg-charter.html
>
> (We expect that this charter might go to the W3C AC for review as soon as
> next week.)
>
> 2. The "From-Origin" draft (aka "Cross-Origin Resource Embedding Exclusion")
> currently considered for publication as an FPWD in the Webapps WG:
>  http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/0088.html
>
> This draft mentions integration into CSP as a possible path forward.
>
> 3. draft-gondrom-frame-options, an individual I-D mentioned to websec:
>  https://datatracker.ietf.org/doc/draft-gondrom-frame-options/
>  http://www.ietf.org/mail-archive/web/websec/current/msg00388.html
>
>
> How do we go about it?  One path forward might be to just proceed as
> currently planned and coordinate when webappsec starts working.
>
> Another path forward might be to see whether we can agree now on what forum
> to take these things forward in (and what the coordination dance might look
> like).
>
> Thoughts welcome.
>
> Regards,
> --
> Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)
>
>
>
>

From dev.akhawe@gmail.com  Thu Jul  7 18:02:12 2011
Return-Path: <dev.akhawe@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D06F821F8A3E for <websec@ietfa.amsl.com>; Thu,  7 Jul 2011 18:02:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uus+eFo1i98a for <websec@ietfa.amsl.com>; Thu,  7 Jul 2011 18:02:12 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id F11F621F8A36 for <websec@ietf.org>; Thu,  7 Jul 2011 18:02:11 -0700 (PDT)
Received: by gxk19 with SMTP id 19so85843gxk.31 for <websec@ietf.org>; Thu, 07 Jul 2011 18:02:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=EkrjI05JYF4PLdgQ9G9usrhRrtPbNYHvmSD0b2TlZd0=; b=bZd7YmpngKMskUVsUFnIuVQzWwMF1ISwuHvJiuq6/xQwdtczDkbAN0I9HArpTZsosV lnB/pl8BQM+pYJalpdBZFY0Rreff3qsdAwMnqIiWuCNjJLwwW6oa/9xVfDV3let5FPfm qpJ1KzpfhxLwXmtEEiL3u7z1En/Cz0PGuvCiA=
Received: by 10.150.141.13 with SMTP id o13mr1562464ybd.287.1310086930065; Thu, 07 Jul 2011 18:02:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.151.113.14 with HTTP; Thu, 7 Jul 2011 18:01:50 -0700 (PDT)
In-Reply-To: <F94D1172DEEC714BBD7F76476442D7151FD3AD46@TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com>
References: <F94D1172DEEC714BBD7F76476442D7151FD3AD46@TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com>
From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Thu, 7 Jul 2011 18:01:50 -0700
Message-ID: <CAPfop_0LNvpxtxPuZDVUGOYH-05ZKYNvu0Os1Tjr6TWdPjFg-g@mail.gmail.com>
To: David Ross <dross@microsoft.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] FYI: New draft draft-gondrom-frame-options-01
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 01:02:12 -0000

I don't understand. A list of origins also allows a list of only one,
right? (1), (2), (4) don't seem to be an issue: a server concerned
about them can just use a single origin for each response.

With regards to (3), why do we even have wildcard support? Why not
just a list with no wildcard support?

If a site wants to allow foo.example.com and bar.example.com, it can
just reply with both in the list instead of having to figure out when
to reply with foo and when to reply with bar (with the concomitant
programming hassle/bugs in those cases) or worse reply with *.example.com.


thanks
devdatta




> 1)  For privacy / security purposes, it would be preferable for the server
> not to have to explicitly expose the full list of possible frame hosting
> URLs.
>
> 2)  Responses may become bloated when there are a lot of sites in the
> ALLOW-FROM list.
>
> 3)  Support for wildcards as a solution to list bloat would introduce a new
> level of complexity w.r.t. parsing, etc.  Even dealing with the delimiter
> between static URLs in a list can get slightly problematic.
>
> 4)  Servers would have to enumerate a list of sites in advance and ensure
> that the list is actively maintained.
>
> Relying on custom server-side validation logic instead of permitting lists
> of origins in ALLOW-FROM would help alleviate these problems.  Eg:
> Server-side code validating URLs are of the form: https://[five
> alpha-numeric characters].contoso.com.
>
> Given this, I would suggest a single-origin syntax for ALLOW-FROM similar
> to X-FRAME-OPTIONS:
> http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
>
> ---
> Note that the Allow-From token does not support wildcards or listing of
> multiple origins. For cases where the server wishes to allow more than one
> page to frame its content, the following design pattern is recommended:
>
> 1)  The outer IFRAME supplies its own origin information, using a
> querystring parameter on the Inner IFRAME's src attribute. This can
> obviously be specified by an attacker, but that's OK.
>
> 2)  The server for the Inner IFRAME verifies the supplied Origin
> information meets whatever criteria business practices call for. For
> example, the server that serves the IFRAME containing a social network's
> "Like" button, might check to see that the supplied Origin matches the
> Origin expected for that Like button, and that the owner of the specified
> Origin has a valid affiliate relationship, etc.
>
> 3)  If satisfied with the information supplied, the server for the Inner
> IFRAME sends an X-FRAME-OPTIONS: allow-from suppliedorigin header
>
> 4)  The Browser then enforces the X-FRAME-OPTIONS directive.
>
> If an attacker had specified an origin in step #1 different than the
> actual origin of the outermost page, he'd be blocked at step #4 when the
> browser actually enforces the origin.
> ---
>
> David Ross
> dross@microsoft.com
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>

From dross@microsoft.com  Thu Jul  7 19:19:59 2011
Return-Path: <dross@microsoft.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62B0C21F8999 for <websec@ietfa.amsl.com>; Thu,  7 Jul 2011 19:19:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.561
X-Spam-Level: 
X-Spam-Status: No, score=-10.561 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bv78jcVZM7q4 for <websec@ietfa.amsl.com>; Thu,  7 Jul 2011 19:19:58 -0700 (PDT)
Received: from smtp.microsoft.com (mailb.microsoft.com [131.107.115.215]) by ietfa.amsl.com (Postfix) with ESMTP id 5222E21F8995 for <websec@ietf.org>; Thu,  7 Jul 2011 19:19:58 -0700 (PDT)
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (157.54.7.154) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.2.176.0; Thu, 7 Jul 2011 19:19:56 -0700
Received: from TK5EX14MLTW652.wingroup.windeploy.ntdev.microsoft.com (157.54.71.68) by TK5EX14HUBC102.redmond.corp.microsoft.com (157.54.7.154) with Microsoft SMTP Server (TLS) id 14.1.289.8; Thu, 7 Jul 2011 19:19:56 -0700
Received: from TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com ([169.254.1.52]) by TK5EX14MLTW652.wingroup.windeploy.ntdev.microsoft.com ([157.54.71.68]) with mapi id 14.01.0289.008; Thu, 7 Jul 2011 19:19:56 -0700
From: David Ross <dross@microsoft.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Thread-Topic: [websec] FYI: New draft draft-gondrom-frame-options-01
Thread-Index: AQHMPQqs25ue1XmKxUOxDyUVQzUsxZThqf5Q
Date: Fri, 8 Jul 2011 02:19:55 +0000
Message-ID: <F94D1172DEEC714BBD7F76476442D7151FD3BCB9@TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com>
References: <F94D1172DEEC714BBD7F76476442D7151FD3AD46@TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com> <CAPfop_0LNvpxtxPuZDVUGOYH-05ZKYNvu0Os1Tjr6TWdPjFg-g@mail.gmail.com>
In-Reply-To: <CAPfop_0LNvpxtxPuZDVUGOYH-05ZKYNvu0Os1Tjr6TWdPjFg-g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.42]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] FYI: New draft draft-gondrom-frame-options-01
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 02:19:59 -0000

I think that if the multi-origin syntax is available and common in examples,
web developers won't really have an incentive to implement the design
pattern for server-side validation.  It won't even be particularly obvious
that it's an option.  So I worry that we'd begin to see a whole lot of (1),
(2), and (4) out on the web.

(3) below is a little confusing because the draft RFC doesn't actually cover
this, sorry about that.  I was just anticipating the suggestion of wildcard
support as an alternative to a static list.

Your foo.example.com and bar.example.com scenario is probably the most
compelling case for the origin list.  Add a few more sites to the example
though and the origin list looks less optimal.  I'm optimistic that
frameworks could help with the backend complexity of the single-origin
scheme.

David Ross
dross@microsoft.com


-----Original Message-----
From: Devdatta Akhawe [mailto:dev.akhawe@gmail.com]
Sent: Thursday, July 07, 2011 6:02 PM
To: David Ross
Cc: websec@ietf.org; Tobias Gondrom (tobias.gondrom@gondrom.org)
Subject: Re: [websec] FYI: New draft draft-gondrom-frame-options-01

I don't understand. A list of origins also allows a list of only one, right?
(1), (2), (4) don't seem to be an issue: a server concerned about them can
just use a single origin for each response.

With regards to (3), why do we even have wildcard support? Why not just a
list with no wildcard support?

If a site wants to allow foo.example.com and bar.example.com, it can just
reply with both in the list instead of having to figure out when to reply
with foo and when to reply with bar (with the concomitant programming
hassle/bugs in those cases) or worse reply with *.example.com.


thanks
devdatta




> 1)  For privacy / security purposes, it would be preferable for the server
> not to have to explicitly expose the full list of possible frame hosting
> URLs.
>
> 2)  Responses may become bloated when there are a lot of sites in the
> ALLOW-FROM list.
>
> 3)  Support for wildcards as a solution to list bloat would introduce a new
> level of complexity w.r.t. parsing, etc.  Even dealing with the delimiter
> between static URLs in a list can get slightly problematic.
>
> 4)  Servers would have to enumerate a list of sites in advance and ensure
> that the list is actively maintained.
>
> Relying on custom server-side validation logic instead of permitting lists
> of origins in ALLOW-FROM would help alleviate these problems.  Eg:
> Server-side code validating URLs are of the form: https://[five
> alpha-numeric characters].contoso.com.
>
> Given this, I would suggest a single-origin syntax for ALLOW-FROM similar
> to X-FRAME-OPTIONS:
> http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
>
> ---
> Note that the Allow-From token does not support wildcards or listing of
> multiple origins. For cases where the server wishes to allow more than one
> page to frame its content, the following design pattern is recommended:
>
> 1)  The outer IFRAME supplies its own origin information, using a
> querystring parameter on the Inner IFRAME's src attribute. This can
> obviously be specified by an attacker, but that's OK.
>
> 2)  The server for the Inner IFRAME verifies the supplied Origin
> information meets whatever criteria business practices call for. For
> example, the server that serves the IFRAME containing a social network's
> "Like" button, might check to see that the supplied Origin matches the
> Origin expected for that Like button, and that the owner of the specified
> Origin has a valid affiliate relationship, etc.
>
> 3)  If satisfied with the information supplied, the server for the Inner
> IFRAME sends an X-FRAME-OPTIONS: allow-from suppliedorigin header
>
> 4)  The Browser then enforces the X-FRAME-OPTIONS directive.
>
> If an attacker had specified an origin in step #1 different than the
> actual origin of the outermost page, he'd be blocked at step #4 when the
> browser actually enforces the origin.
> ---
>
> David Ross
> dross@microsoft.com
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>
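[Added example for this thread, not code from draft-gondrom-frame-options or from any of the posters.] The single-origin design pattern quoted above (steps 1 to 3: read the outer page's claimed origin from the inner IFRAME's query string, validate it server-side, emit one ALLOW-FROM value) and the foo/bar list case Devdatta raises can both be served by one small server-side helper. The Python below assumes the claim arrives in a query parameter named `embedder` (a name chosen here; the thread only says "a querystring parameter"), treats `example.com` and `contoso.com` hosts as constructed sample values, and requires https by default so that a page served over plain http cannot be named as the embedder. The pattern policy encodes Ross's "five alpha-numeric characters followed by .contoso.com" example; the list policy encodes Devdatta's two-host case. Step 4, the browser refusing to render when the header's origin does not match the real top-level page, is what makes an attacker's false claim harmless, and the helper relies on that rather than trying to detect it.

```python
# Added example: server-side helper for the single-origin X-Frame-Options
# ALLOW-FROM pattern discussed in the thread.  Not code from the draft.
import re
from urllib.parse import parse_qs

# A bare origin: scheme://host[:port] with no path, query or userinfo.
_ORIGIN_RE = re.compile(r"^(https?)://([a-z0-9.-]+)(?::([0-9]{1,5}))?$", re.IGNORECASE)
_DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(value):
    """Normalise a supplied origin string; return None if it is not a bare origin."""
    if not value:
        return None
    m = _ORIGIN_RE.match(value.strip())
    if m is None:
        return None
    scheme, host, port = m.group(1).lower(), m.group(2).lower(), m.group(3)
    if host.startswith(".") or host.endswith(".") or ".." in host:
        return None
    if port is not None:
        port = int(port)
        if not 1 <= port <= 65535:
            return None
        if port == _DEFAULT_PORTS[scheme]:
            port = None  # https://h:443 is the same origin as https://h
    return f"{scheme}://{host}" if port is None else f"{scheme}://{host}:{port}"


class FrameOptionsPolicy:
    """Decides which single origin, if any, may frame a response.

    Two ways to express the policy, mirroring the two positions in the thread:
    an explicit set of origins (the list that would otherwise go on the wire),
    or a hostname pattern checked at request time (the server-side validation
    Ross describes, e.g. five alphanumerics followed by .contoso.com).
    """

    def __init__(self, allowed_origins=(), host_pattern=None, require_https=True):
        self.allowed_origins = {parse_origin(o) for o in allowed_origins} - {None}
        self.host_pattern = re.compile(host_pattern) if host_pattern else None
        self.require_https = require_https

    def is_allowed(self, origin):
        if origin is None:
            return False
        if self.require_https and not origin.startswith("https://"):
            return False
        if origin in self.allowed_origins:
            return True
        if self.host_pattern is not None:
            host = origin.split("://", 1)[1].split(":", 1)[0]
            return self.host_pattern.fullmatch(host) is not None
        return False

    def header_value(self, supplied_origin):
        """X-Frame-Options value for a response: one ALLOW-FROM origin, else DENY."""
        origin = parse_origin(supplied_origin)
        if self.is_allowed(origin):
            return f"ALLOW-FROM {origin}"
        return "DENY"


def frame_options_for_request(policy, query_string, param="embedder"):
    """Read the outer page's claimed origin from the inner IFRAME's src query
    string and return the header value to emit.  The claim is untrusted: a
    false claim only yields a header the browser will refuse to honour for the
    real top-level origin (step 4 of the quoted pattern).  A missing or
    repeated parameter is treated as no claim at all."""
    values = parse_qs(query_string).get(param, [])
    if len(values) != 1:
        return "DENY"
    return policy.header_value(values[0])


if __name__ == "__main__":
    # Constructed sample policies: Devdatta's two-host list and Ross's pattern.
    list_policy = FrameOptionsPolicy(
        allowed_origins=["https://foo.example.com", "https://bar.example.com"])
    pattern_policy = FrameOptionsPolicy(host_pattern=r"[a-z0-9]{5}\.contoso\.com")
    for pol, qs in [(list_policy, "embedder=https%3A%2F%2Ffoo.example.com"),
                    (list_policy, "embedder=https://baz.example.com"),
                    (pattern_policy, "embedder=https://ab123.contoso.com"),
                    (pattern_policy, "embedder=https://ab123.contoso.com.attacker.test")]:
        print(f"{qs!r:60} -> X-Frame-Options: {frame_options_for_request(pol, qs)}")
```

Because `parse_origin` canonicalises scheme and host case and drops default ports, `https://FOO.example.com:443` and `https://foo.example.com` yield the same ALLOW-FROM value, while anything with a path, an unknown scheme or a port of 0 falls through to DENY. The pattern check uses `fullmatch` on the host alone, so `ab123.contoso.com.attacker.test` does not pass as a contoso.com subdomain.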


From Jeff.Hodges@KingsMountain.com  Thu Jul  7 21:38:38 2011
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CDF821F86BB for <websec@ietfa.amsl.com>; Thu,  7 Jul 2011 21:38:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.965
X-Spam-Level: 
X-Spam-Status: No, score=-100.965 tagged_above=-999 required=5 tests=[AWL=1.300, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aFRmOQJl8GN0 for <websec@ietfa.amsl.com>; Thu,  7 Jul 2011 21:38:37 -0700 (PDT)
Received: from oproxy5-pub.bluehost.com (oproxy5-pub.bluehost.com [67.222.38.55]) by ietfa.amsl.com (Postfix) with SMTP id B619221F86B3 for <websec@ietf.org>; Thu,  7 Jul 2011 21:38:37 -0700 (PDT)
Received: (qmail 12832 invoked by uid 0); 8 Jul 2011 04:38:36 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy2.bluehost.com with SMTP; 8 Jul 2011 04:38:36 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=23UTSUiAKYDnhqT6Jz8I822ugwJ41NrR/5EpGCWKgB59yGinVGZIQT0hMbLl5OP6qsmoqd1XmUNxoOzqEEVINvg25mILinSToZ+uZboIVKt5ey99RvaX6ub/YrbLZrmu;
Received: from c-24-4-122-173.hsd1.ca.comcast.net ([24.4.122.173] helo=[192.168.11.10]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1Qf2po-0002iL-B4; Thu, 07 Jul 2011 22:38:36 -0600
Message-ID: <4E1689CB.3010504@KingsMountain.com>
Date: Thu, 07 Jul 2011 21:38:35 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110424 Thunderbird/3.1.10
MIME-Version: 1.0
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 24.4.122.173 authed with jeff.hodges+kingsmountain.com}
Cc: IETF WebSec WG <websec@ietf.org>
Subject: [websec] specify existing X-Frame-Options ? (was: Re: FYI: New draft draft-gondrom-frame-options-01)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 04:38:38 -0000

Hi Tobias -- thanks for working on this spec, it will be good to get this all 
more formally documented.

It appears that the -01 rev of draft-gondrom-frame-options takes into account 
the apparently present X-Frame-Options documentation here..


[2] Combating ClickJacking With X-Frame-Options
     EricLaw [MSFT]
     30 Mar 2010 2:42 PM
<http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx>


..which apparently supersedes the prior nominal documentation..


[1] IE8 Security Part VII: ClickJacking Defenses
     ieblog
     27 Jan 2009 9:40 PM
<http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx>


..and which draft-gondrom-frame-options-00 appears to have been based on.


As Dave Ross earlier today noted in..

   Re: [websec] FYI: New draft draft-gondrom-frame-options-01
   http://www.ietf.org/mail-archive/web/websec/current/msg00388.html

..the -01 spec rev differs from [2] in that it allows for declaring an origin 
list as a value for the ALLOW-FROM directive.

Also, the header name is declared as "Frame-Options" rather than what's 
presently implemented and deployed: "X-FRAME-OPTIONS".


Why don't we (WebSec) first simply document present X-FRAME-OPTIONS practice 
and get that more formally nailed down before we begin enhancing/altering it ?

After all, it's apparently implemented in almost all major browsers, and (I hear) 
emitted by a fair number of web applications. Plus, there's always the question 
of how closely all those implementations today conform to the present de jure 
specification, especially the "new" ALLOW-FROM directive in [2].

This would be in the same spirit as the RFC6265 "HTTP State Management" (aka 
Cookies) effort where we (hopefully unambiguously) documented the present 
implemented and deployed cookie subprotocol.

thanks,

=JeffH









From dross@microsoft.com  Fri Jul  8 10:00:25 2011
From: David Ross <dross@microsoft.com>
To: =JeffH <Jeff.Hodges@KingsMountain.com>, Tobias Gondrom <tobias.gondrom@gondrom.org>
Cc: IETF WebSec WG <websec@ietf.org>
Date: Fri, 8 Jul 2011 17:00:16 +0000
Message-ID: <F94D1172DEEC714BBD7F76476442D7151FD3D15B@TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <4E1689CB.3010504@KingsMountain.com>
Subject: Re: [websec] specify existing X-Frame-Options ? (was: Re: FYI: New draft draft-gondrom-frame-options-01)

I agree it would be good to get the ALLOW-FROM in the draft consistent with
[2].  The major difference does seem to be the fact that the RFC supports a
list of origins for ALLOW-FROM, whereas [2] does not.

> Also, the header name is declared as "Frame-Options" rather than what's
> presently implemented and deployed: "X-FRAME-OPTIONS".

Since the RFC will standardize it, I think it may be appropriate to drop the
X- prefix.  But then also we should probably have the RFC draft explicitly
specify the behavior if there are multiple conflicting X-FRAME-OPTIONS /
FRAME-OPTIONS headers present in a given HTTP response.  (Eg: What happens
if there is both an X-FRAME-OPTIONS and a FRAME-OPTIONS header, each with
ALLOW-FROM directives pointing to different sites?)

David Ross
dross@microsoft.com




From Jeff.Hodges@KingsMountain.com  Fri Jul  8 12:40:56 2011
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: IETF WebSec WG <websec@ietf.org>
Date: Fri, 08 Jul 2011 12:40:54 -0700
Message-ID: <4E175D46.6030403@KingsMountain.com>
Subject: Re: [websec] specify existing X-Frame-Options ? (was: Re: FYI: New draft draft-gondrom-frame-options-01)

 > I agree it would be good to get the ALLOW-FROM in the draft consistent with
 > [2].

super.

 > The major difference does seem to be the fact that the RFC supports a
 > list of origins for ALLOW-FROM, whereas [2] does not.

yep.


 >> Also, the header name is declared as "Frame-Options" rather than what's
 >> presently implemented and deployed: "X-FRAME-OPTIONS".
 >
 > Since the RFC will standardize it, I think it may be appropriate to drop the
 > X- prefix.  But then also we should probably have the RFC draft explicitly
 > specify the behavior if there are multiple conflicting X-FRAME-OPTIONS /
 > FRAME-OPTIONS headers present in a given HTTP response.  (Eg: What happens
 > if there is both an X-FRAME-OPTIONS and a FRAME-OPTIONS header, each with
 > ALLOW-FROM directives pointing to different sites?)

seems to me, this confusion & these potential issues are reasons to /not/ specify 
the header name as "Frame-Options" (for now), given the apparent wide use of 
"X-FRAME-OPTIONS".

FWIW, we can make this "X-FRAME-OPTIONS" spec be on the Informational or 
Experimental track. Microsoft already has a modest passel of specs in the 
former group.

thanks,

=JeffH
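The conflicting-headers question David Ross raises above, together with the ALLOW-FROM difference between [2] and the -01 draft, worked through as an added example. This is not code from the draft, from IE, or from anyone in this thread: it is a small user-agent-side evaluator for the header as documented in [2] that treats an X-FRAME-OPTIONS and a FRAME-OPTIONS header naming different ALLOW-FROM sites as a conflict and does not render. The header pairs in the sample response, the origins, the check against the top-level document's origin, and the fail-closed rule are all this example's own assumptions.

```javascript
// Added example (not code from any browser, from the IE blog posts, or from
// draft-gondrom-frame-options): a user-agent-side evaluator for the header as
// documented in [2], plus fail-closed handling of conflicting headers, which
// the thread asks the draft to specify. Header names, origins and the sample
// response below are constructed for illustration.

// Collect every X-FRAME-OPTIONS / FRAME-OPTIONS value from a response header
// list given as [name, value] pairs; header names are case-insensitive.
function collectFrameOptions(headers) {
  return headers
    .filter(([name]) => /^(x-)?frame-options$/i.test(name))
    .map(([, value]) => value);
}

// Parse one header value. Returns { directive } / { directive, origin } or
// null for anything unrecognised. ALLOW-FROM takes exactly one serialized
// origin, as in [2]; the -01 draft's space-separated origin list is rejected
// here so that the divergence the thread discusses is visible.
function parseFrameOptions(value) {
  const v = value.trim();
  const upper = v.toUpperCase();
  if (upper === "DENY") return { directive: "DENY" };
  if (upper === "SAMEORIGIN") return { directive: "SAMEORIGIN" };
  if (/^ALLOW-FROM(\s|$)/.test(upper)) {
    const rest = v.slice("ALLOW-FROM".length).trim();
    if (rest === "" || /\s/.test(rest)) return null; // zero or several origins
    let origin;
    try {
      origin = new URL(rest).origin; // normalises scheme, host and default port
    } catch (e) {
      return null;
    }
    if (origin === "null") return null; // opaque origin can never match
    return { directive: "ALLOW-FROM", origin };
  }
  return null;
}

// Decide whether the framed document may render. headerValues are all the
// frame-options values found on the response, framedOrigin is the origin of
// the document carrying the header, topOrigin is the origin of the top-level
// browsing context (assumption: SAMEORIGIN and ALLOW-FROM are compared
// against the top-level document, as the IE documentation describes).
function frameDecision(headerValues, framedOrigin, topOrigin) {
  const policies = headerValues.map(parseFrameOptions).filter((p) => p !== null);
  if (policies.length === 0) {
    return { render: true, reason: "no frame-options policy" };
  }
  // Several headers are acceptable only if they all say the same thing; two
  // ALLOW-FROM directives naming different sites (the case raised above) is
  // a conflict, and a conflict is resolved by not rendering.
  const first = JSON.stringify(policies[0]);
  if (policies.some((p) => JSON.stringify(p) !== first)) {
    return { render: false, reason: "conflicting frame-options headers" };
  }
  const policy = policies[0];
  switch (policy.directive) {
    case "DENY":
      return { render: false, reason: "DENY" };
    case "SAMEORIGIN":
      return { render: framedOrigin === topOrigin, reason: "SAMEORIGIN" };
    case "ALLOW-FROM":
      return { render: policy.origin === topOrigin, reason: "ALLOW-FROM " + policy.origin };
  }
}

// Constructed response: both header names present with different ALLOW-FROM
// targets, the exact situation the draft is asked to specify.
const conflictingResponseHeaders = [
  ["Content-Type", "text/html"],
  ["X-Frame-Options", "ALLOW-FROM https://partner-a.example/"],
  ["Frame-Options", "ALLOW-FROM https://partner-b.example/"],
];

function demo() {
  const values = collectFrameOptions(conflictingResponseHeaders);
  return frameDecision(values, "https://app.example", "https://partner-a.example");
}

console.log(demo()); // { render: false, reason: 'conflicting frame-options headers' }
```

Run with Node; `demo()` evaluates the constructed response, and even the origin that one of the two headers would have allowed is refused because the other header disagrees. One further choice to be aware of: a single unrecognised value is ignored here rather than treated as DENY; a UA that wants to fail closed on anything it cannot parse would change that branch, but that is the example's choice, not something this thread settles.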


From dross@microsoft.com  Fri Jul  8 12:59:12 2011
From: David Ross <dross@microsoft.com>
To: =JeffH <Jeff.Hodges@KingsMountain.com>, IETF WebSec WG <websec@ietf.org>
Date: Fri, 8 Jul 2011 19:59:10 +0000
Message-ID: <F94D1172DEEC714BBD7F76476442D7151FD3D956@TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <4E175D46.6030403@KingsMountain.com>
Subject: Re: [websec] specify existing X-Frame-Options ? (was: Re: FYI: New draft draft-gondrom-frame-options-01)

> seems to me, this confusion & potential issues are reasons to /not/ specify
> the header name as "Frame-Options" (for now), given "X-FRAME-OPTIONS" apparent
> wide use.

Sounds OK to me though I'd just want to be careful to do whatever the standards
process dictates here.  I have to imagine there's a precedent we'd want to
follow.

David Ross
dross@microsoft.com




From Jeff.Hodges@KingsMountain.com  Fri Jul  8 14:41:27 2011
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: IETF WebSec WG <websec@ietf.org>
Date: Fri, 08 Jul 2011 14:41:26 -0700
Message-ID: <4E177986.2030902@KingsMountain.com>
Subject: Re: [websec] specify existing X-Frame-Options ? (was: Re: FYI: New draft draft-gondrom-frame-options-01)

 >> seems to me, this confusion & potential issues are reasons to /not/
 >> specify the header name as "Frame-Options" (for now), given
 >> "X-FRAME-OPTIONS" apparent wide use.
 >
 > Sounds OK to me though I'd just want to be careful to do whatever the
 > standards process dictates here.  I have to imagine there's a precedent we'd
 > want to follow.

there isn't much "process" wrt which we choose.

In terms of precedent, AFAIK there are examples of both (a) 
documenting/specifying current practice, and (b) documenting/specifying how 
proponents would like various practices to evolve.

Given that there's a fair number of web apps (aka websites) emitting 
"X-FRAME-OPTIONS" (see below), and given its wide support in web browsers, I 
think it's justifiable to do (a), then see about (b).

There's a recent I-D, <http://tools.ietf.org/html/draft-saintandre-xdash> 'Use 
of the "X-" Prefix in Application Protocols' (being discussed on 
<apps-discuss@ietf.org>), which argues against its use. But in this case 
current practice long predates said "X-" deprecation effort.

thanks,

=JeffH
------

Here's www.shodanhq.com's counts of web apps emitting x-frame-options...

     * United States	6,853
     * Germany 		1,190
     * United Kingdom 	  861
     * Japan 		  793
     * Canada 		  736

Results 1 - 10 of about 16032 for x-frame-options  <-- total ?






From stpeter@stpeter.im  Fri Jul  8 14:56:59 2011
From: Peter Saint-Andre <stpeter@stpeter.im>
To: =JeffH <Jeff.Hodges@KingsMountain.com>
Cc: IETF WebSec WG <websec@ietf.org>
Date: Fri, 08 Jul 2011 15:56:56 -0600
Message-ID: <4E177D28.3070709@stpeter.im>
In-Reply-To: <4E177986.2030902@KingsMountain.com>
Subject: Re: [websec] specify existing X-Frame-Options ? (was: Re: FYI: New draft draft-gondrom-frame-options-01)

On 7/8/11 3:41 PM, =JeffH wrote:
>>> seems to me, this confusion & potential issues are reasons to /not/
>>> specify the header name as "Frame-Options" (for now), given
>>> "X-FRAME-OPTIONS" apparent wide use.
>>
>> Sounds OK to me though I'd just want to be careful to do whatever the
>> standards process dictates here.  I have to imagine there's a
> precedent we'd
>> want to follow.
> 
> there isn't much "process" wrt which we choose.
> 
> In terms of precedent, AFAIK there are examples of both (a)
> documenting/specifying current practice, and (b) documenting/specifying
> how proponents would like various practices to evolve.
> 
> Given that there's a fair number of web apps (aka websites) emitting
> "X-FRAME-OPTIONS" (see below), and given its wide support in web
> browsers, I think it's justifiable to do (a), then see about (b).
> 
> There's a recent I-D,
> <http://tools.ietf.org/html/draft-saintandre-xdash> 'Use of the "X-"
> Prefix in Application Protocols' (being discussed on
> <apps-discuss@ietf.org>), which argues against its use. But in this case
> current practice long predates said "X-" deprecation effort.

Correct. This is a perfect example of how parameters leak out from the
non-standard space into the standard space. Thus "X-" is unnecessary:
someone could've just called it "Frame-Options" to start with. But as
you say, that train has left the station...

Peter

-- 
Peter Saint-Andre
https://stpeter.im/



From dross@microsoft.com  Fri Jul  8 15:15:34 2011
From: David Ross <dross@microsoft.com>
To: Peter Saint-Andre <stpeter@stpeter.im>, =JeffH <Jeff.Hodges@KingsMountain.com>
Cc: IETF WebSec WG <websec@ietf.org>
Date: Fri, 8 Jul 2011 22:15:32 +0000
Message-ID: <F94D1172DEEC714BBD7F76476442D7151FD3DEFB@TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <4E177D28.3070709@stpeter.im>
Subject: Re: [websec] specify existing X-Frame-Options ? (was: Re: FYI: New draft draft-gondrom-frame-options-01)

> Given that there's a fair number of web apps (aka websites) emitting
> "X-FRAME-OPTIONS" (see below), and given its wide support in web
> browsers, I think it's justifiable to do (a), then see about (b).

Works for me.

David Ross
dross@microsoft.com




From trac+websec@trac.tools.ietf.org  Fri Jul  8 14:54:34 2011
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
To: jeff.hodges@kingsmountain.com
Cc: websec@ietf.org
Date: Fri, 08 Jul 2011 21:54:33 -0000
Message-ID: <070.f8fc0b2bd09928d1a738c38b65bbdcc1@trac.tools.ietf.org>
Subject: [websec] #1: port mapping should be explicit about case where URI does not contain explicit port

#1: port mapping should be explicit about case where URI does not contain
explicit port

 S 7.2. URI Loading and Port Mapping -- should contain explicit language
 about case where URI does not contain explicit port.

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  =JeffH
     Type:  defect                         |      Status:  new   
 Priority:  minor                          |   Milestone:        
Component:  strict-transport-sec           |     Version:        
 Severity:  Active WG Document             |    Keywords:        
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Jul  8 15:00:53 2011
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21EF811E8071 for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 15:00:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level: 
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sY4K2HhPT1PM for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 15:00:52 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id B65B89E8004 for <websec@ietf.org>; Fri,  8 Jul 2011 15:00:52 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1QfJ6S-0005Q9-FJ; Fri, 08 Jul 2011 15:00:52 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 08 Jul 2011 22:00:52 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/2
Message-ID: <070.635a7e567ddf1f9f8a84288abf1b42d3@trac.tools.ietf.org>
X-Trac-Ticket-ID: 2
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
X-Mailman-Approved-At: Fri, 08 Jul 2011 15:19:18 -0700
Cc: websec@ietf.org
Subject: [websec] #2: Effective Request URI definition dependency on HTTPbis spec ?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 22:00:53 -0000

#2: Effective Request URI definition dependency on HTTPbis spec ?

 Should we have an explicit normative dependency on the HTTPbis spec
 (Internet-drafts, advancement to RFC timeframe uncertain) for the
 definition of Effective Request URI?

 Note: there is another ticket in case the answer to this question is "no",
 stipulating that we need to copy the ERU text from the httpbis I-D.

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  =JeffH
     Type:  task                           |      Status:  new   
 Priority:  minor                          |   Milestone:        
Component:  strict-transport-sec           |     Version:        
 Severity:  Active WG Document             |    Keywords:        
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/2>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Jul  8 15:04:02 2011
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 763389E8009 for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 15:04:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level: 
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 64-eNTOXPwXJ for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 15:04:02 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id 27D049E8008 for <websec@ietf.org>; Fri,  8 Jul 2011 15:04:02 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1QfJ9V-0006TT-Vw; Fri, 08 Jul 2011 15:04:01 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 08 Jul 2011 22:04:01 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/3
Message-ID: <070.63a0bf52be517dce3a5d316b05756c40@trac.tools.ietf.org>
X-Trac-Ticket-ID: 3
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
X-Mailman-Approved-At: Fri, 08 Jul 2011 15:19:18 -0700
Cc: websec@ietf.org
Subject: [websec]  #3: Better Effective Request URI definition
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 22:04:02 -0000

#3: Better Effective Request URI definition

 The present Effective Request URI (ERU) definition is not as good/elegant
 as that in HTTPbis.

 In case we do not wish to have a dependency on HTTPbis spec advancement
 (due to a normative reference for the ERU definition), we can copy the
 httpbis definition by value.

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  =JeffH
     Type:  defect                         |      Status:  new   
 Priority:  minor                          |   Milestone:        
Component:  strict-transport-sec           |     Version:        
 Severity:  -                              |    Keywords:        
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/3>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Jul  8 15:11:21 2011
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A793C21F8C00 for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 15:11:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level: 
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 43FWCL757HSJ for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 15:11:21 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id 5499921F86DB for <websec@ietf.org>; Fri,  8 Jul 2011 15:11:21 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1QfJGb-0003d5-8e; Fri, 08 Jul 2011 15:11:21 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 08 Jul 2011 22:11:21 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/4
Message-ID: <070.f2694dbf4e0bed916917f9676fcbe406@trac.tools.ietf.org>
X-Trac-Ticket-ID: 4
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
X-Mailman-Approved-At: Fri, 08 Jul 2011 15:19:18 -0700
Cc: websec@ietf.org
Subject: [websec] #4: Clarify that HSTS policy applies to entire host (all ports)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 22:11:21 -0000

#4: Clarify that HSTS policy applies to entire host (all ports)

 Clarify and make more explicit that HSTS policy applies to entire host
 (all ports).

 Also include security rationale, e.g. Secure-flagged cookie eavesdropping,
 XSS vulns, etc.

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  =JeffH
     Type:  defect                         |      Status:  new   
 Priority:  major                          |   Milestone:        
Component:  strict-transport-sec           |     Version:        
 Severity:  Active WG Document             |    Keywords:        
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/4>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Jul  8 15:12:44 2011
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E601A21F8C09 for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 15:12:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level: 
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MdMz3JPD8j2i for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 15:12:43 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id EF01621F8C4E for <websec@ietf.org>; Fri,  8 Jul 2011 15:12:42 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1QfJHu-0003ef-T8; Fri, 08 Jul 2011 15:12:42 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 08 Jul 2011 22:12:42 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/4#comment:1
Message-ID: <079.927138a71fe539edc17169cadce7a7fe@trac.tools.ietf.org>
References: <070.f2694dbf4e0bed916917f9676fcbe406@trac.tools.ietf.org>
X-Trac-Ticket-ID: 4
In-Reply-To: <070.f2694dbf4e0bed916917f9676fcbe406@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
X-Mailman-Approved-At: Fri, 08 Jul 2011 15:19:18 -0700
Cc: websec@ietf.org
Subject: Re: [websec] #4: Clarify that HSTS policy applies to entire host (all ports)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 22:12:44 -0000

#4: Clarify that HSTS policy applies to entire host (all ports)


Comment(by jeff.hodges@…):

 add reference to "Beware Finer-grained Origins"
 <http://www.adambarth.com/papers/2008/jackson-barth-b.pdf>

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  =JeffH
     Type:  defect                         |      Status:  new   
 Priority:  major                          |   Milestone:        
Component:  strict-transport-sec           |     Version:        
 Severity:  Active WG Document             |    Keywords:        
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/4#comment:1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Jul  8 15:15:13 2011
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A4D121F8C50 for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 15:15:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level: 
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mhHKKYgdAe2h for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 15:15:12 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id B473E21F8C4A for <websec@ietf.org>; Fri,  8 Jul 2011 15:15:12 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1QfJKK-0004vA-Ih; Fri, 08 Jul 2011 15:15:12 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 08 Jul 2011 22:15:12 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/5
Message-ID: <070.a9f98ae172e5a2b1327b06b3743756c3@trac.tools.ietf.org>
X-Trac-Ticket-ID: 5
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
X-Mailman-Approved-At: Fri, 08 Jul 2011 15:19:18 -0700
Cc: websec@ietf.org
Subject: [websec]  #5: Clarify need for IncludeSubDomains
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 22:15:13 -0000

#5: Clarify need for IncludeSubDomains

 Yes, this is an unfortunate consequence of the way cookies work.
 Suppose you wanted to protect the confidentiality of a Secure cookie
 (i.e., a cookie with the Secure flag set), which, actually, is the
 primary use case for the header.  Further suppose that this cookie is
 a domain cookie (e.g., set for the entire example.com domain).  Now,
 if the attacker causes the browser to request
 https://aiodsfnuiasnis.example.com/, then:

 1) We're unlikely to have the HSTS policy bit for
 aiodsfnuiasnis.example.com.
 2) The request for https://aiodsfnuiasnis.example.com will include the
 Secure cookie.

 If the attacker then substitutes his certificate, the user will be
 able to click through the certificate error, which lets the attacker
 obtain the cookie we're trying to protect.

 If we remove the "includeSubDomains" directive, that means sites can't
 use HSTS to protect domain cookies.

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  =JeffH
     Type:  defect                         |      Status:  new   
 Priority:  major                          |   Milestone:        
Component:  strict-transport-sec           |     Version:        
 Severity:  -                              |    Keywords:        
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/5>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Jul  8 15:18:52 2011
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BCD421F88EB for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 15:18:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level: 
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id drHqMZt9JOkW for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 15:18:52 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id 1736121F88D1 for <websec@ietf.org>; Fri,  8 Jul 2011 15:18:52 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1QfJNr-0003Zb-VG; Fri, 08 Jul 2011 15:18:51 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 08 Jul 2011 22:18:51 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/6
Message-ID: <070.49c4e104dbd9e8852151d18762481bb1@trac.tools.ietf.org>
X-Trac-Ticket-ID: 6
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
X-Mailman-Approved-At: Fri, 08 Jul 2011 15:19:18 -0700
Cc: websec@ietf.org
Subject: [websec]  #6: cite FireSheep as real-life threat HSTS addresses
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 22:18:52 -0000

#6: cite FireSheep as real-life threat HSTS addresses

 cite FireSheep as real-life threat HSTS addresses, in response to this
 query:

 http://www.ietf.org/mail-archive/web/hasmat/current/msg00074.html

 Subject: [HASMAT] HSTS Threat prevalence
 From: Devdatta Akhawe <dev.akhawe@gmail.com>
 Date: Fri, 6 Aug 2010 11:36:12 -0700
 To: IETF HASMAT list <hasmat@ietf.org>

 Hi all

 The HSTS specification talks about possible attacks that could be
 prevented by the use of HSTS. Do we have any data that suggests these
 attacks are actually a concern / being used by attackers anywhere? I
 couldn't find any citation to this effect in the specification.

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  =JeffH
     Type:  defect                         |      Status:  new   
 Priority:  major                          |   Milestone:        
Component:  strict-transport-sec           |     Version:        
 Severity:  -                              |    Keywords:        
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/6>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Jul  8 15:20:59 2011
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B99DE21F8C53 for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 15:20:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level: 
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zqNrQ1tF0PZ5 for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 15:20:58 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id DA4C721F8C4A for <websec@ietf.org>; Fri,  8 Jul 2011 15:20:58 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1QfJPu-0008DC-PH; Fri, 08 Jul 2011 15:20:58 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 08 Jul 2011 22:20:58 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/4#comment:2
Message-ID: <079.7495dcaebb7f7d3570e7bfa0fa23ecae@trac.tools.ietf.org>
References: <070.f2694dbf4e0bed916917f9676fcbe406@trac.tools.ietf.org>
X-Trac-Ticket-ID: 4
In-Reply-To: <070.f2694dbf4e0bed916917f9676fcbe406@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
Cc: websec@ietf.org
Subject: Re: [websec] #4: Clarify that HSTS policy applies to entire host (all ports)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 22:20:59 -0000

#4: Clarify that HSTS policy applies to entire host (all ports)


Comment(by jeff.hodges@…):

 http://www.ietf.org/mail-archive/web/websec/current/msg00041.html

 Subject: [websec] HSTS -- what about ports?
 From: Daniel Veditz <dveditz@mozilla.com>
 Date: Sat, 20 Nov 2010 22:29:48 -0800
 To: websec@ietf.org

 The HSTS spec needs to be more clear about how to handle multiple
 servers running on different ports on the same host. I think, by
 referring to host name matching only, that the intent of the spec is
 that a server running on any port can set HSTS behavior for every
 other port on that host. If this is correct it might be clearer to
 rename "HSTS Server" to "HSTS Host" and to somewhere in the spec
 mention explicitly that the port is ignored when matching host names.

 An alternate behavior would be that a server running on port X only
 specifies the behavior for that port, with a special case for the
 default ports 80/443 because they go unspecified. This would make
 sense from a security POV only if cookies were port-specific (with
 again a special case for the unspecified default ports), but I don't
 believe any browser implements cookies in that way. Handling HSTS in
 a port-specific manner also complicates the meaning of
 includeSubDomains.

 ###

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  =JeffH
     Type:  defect                         |      Status:  new   
 Priority:  major                          |   Milestone:        
Component:  strict-transport-sec           |     Version:        
 Severity:  Active WG Document             |    Keywords:        
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/4#comment:2>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Jul  8 15:57:49 2011
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B0A621F8C51 for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 15:57:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level: 
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Tbrb7+qdXN0 for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 15:57:48 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id CE26121F8C45 for <websec@ietf.org>; Fri,  8 Jul 2011 15:57:48 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1QfJzY-0001jS-O7; Fri, 08 Jul 2011 15:57:48 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 08 Jul 2011 22:57:48 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/7
Message-ID: <070.70d4f97ece5def5d52ae93f9d858bdc2@trac.tools.ietf.org>
X-Trac-Ticket-ID: 7
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
Cc: websec@ietf.org
Subject: [websec] #7: clarify and add examples/justification wrt connection termination due to tls warnings/errors
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 22:57:49 -0000

#7: clarify and add examples/justification wrt connection termination due to
tls warnings/errors

 http://www.ietf.org/mail-archive/web/websec/current/msg00045.html

 Subject: Re: [websec] Some questions about HSTS
 From: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
 Date: Mon, 22 Nov 2010 09:57:21 -0700 (08:57 PST)
 To: Yoav Nir <ynir@checkpoint.com>, "'websec@ietf.org'" <websec@ietf.org>

 > In sections 2.4.1.1, point #9 says:
 >    9.  UAs need to prevent users from clicking-through security
 >        warnings.  Halting connection attempts in the face of secure
 >        transport exceptions is acceptable.
 > What exactly are these secure transport exceptions?  Expired certificates?
 > Mismatched FQDN? Revoked certificates? Unreachable CRL? Untrusted CA?
 > Self-signed?

 Anything that would currently pop a browser warning for a user.
 Browsers differ slightly in how they handle OCSP, etc.  In any case where
 a browser has already made the policy decision it should show a
 certificate "error", it must now abort.

 > Also, I don't understand why this change is needed. HSTS is supposed to stop
 > a very specific attack vector - a user duped into using insecure HTTP over the
 > (presumably secure) HTTPS.
 >
 > As it is, HSTS cannot be used by servers with self-signed or corporate
 > certificates, for fear that user agents may not allow the user to browse.

 That is correct.  I personally believe, as do several of the contributors
 on this (and I hope I'm not speaking too much out of turn) that self-
 signed certificate warnings are just a punt, and an easy way for a user to
 make a bad security decision.  If  you want to support HTTPS, do it with a
 cert that your browser already trusts.  Anything else is just a recipe for
 a MiTM attack.  If a host advertises HSTS, it is specifically opting into
 this scheme, whereby all certificate warnings will cause abort, with no
 chance to "fool" the user into making the wrong decision.

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  =JeffH
     Type:  defect                         |      Status:  new   
 Priority:  major                          |   Milestone:        
Component:  strict-transport-sec           |     Version:        
 Severity:  Active WG Document             |    Keywords:        
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/7>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Jul  8 15:59:28 2011
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E96D21F8C66 for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 15:59:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level: 
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EQTdLgElcPjv for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 15:59:28 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id F296D21F8C5F for <websec@ietf.org>; Fri,  8 Jul 2011 15:59:27 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1QfK19-0001m2-Th; Fri, 08 Jul 2011 15:59:27 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 08 Jul 2011 22:59:27 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/8
Message-ID: <070.9ee40aea6eccfa2ee82e172d4a18d11f@trac.tools.ietf.org>
X-Trac-Ticket-ID: 8
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
Cc: websec@ietf.org
Subject: [websec] #8: clarify/explain behavior when STS header not returned by known HSTS Host
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 22:59:28 -0000

#8: clarify/explain behavior when STS header not returned by  known HSTS Host

 http://www.ietf.org/mail-archive/web/websec/current/msg00045.html

 Subject: Re: [websec] Some questions about HSTS
 From: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
 Date: Mon, 22 Nov 2010 09:57:21 -0700 (08:57 PST)
 To: Yoav Nir <ynir@checkpoint.com>, "'websec@ietf.org'" <websec@ietf.org>

 <snip/>

 > My second question regards the UA behavior when policy changes. Suppose
 > a website has had the HSTS header for a while. The UA has a cache entry with
 > a TTL of several more weeks. Now the UA connects to the server (over
 > HTTPS) and does not get an HSTS header at all. What now?  If there was a
 > header and it was merely changed, the spec says to update the cache entry.
 > But if the header is missing altogether, does that mean that the UA should
 > delete the cache entry?

 I think we can make this clear, but until the client receives a new
 header, it does not tinker with the cache.  We do say the header should be
 present in all/most server responses, but the behavior should be that the
 value persists until set to something else.

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  =JeffH
     Type:  defect                         |      Status:  new   
 Priority:  major                          |   Milestone:        
Component:  strict-transport-sec           |     Version:        
 Severity:  Active WG Document             |    Keywords:        
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/8>
websec <http://tools.ietf.org/websec/>
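
Added example, not part of the ticket or of any browser's code: a small
Python model of the user-agent policy store that the question and answer
in ticket #8 are about. It follows the draft's header syntax (max-age and
includeSubDomains directives; a header carried by a response that did not
arrive over TLS without certificate errors is ignored) and reproduces the
behaviour Andy describes: a response with no header leaves the cached entry
alone, and only a fresh header, max-age=0 or expiry changes it. The class
and function names, the injectable clock, and the sample hosts and header
values are this example's own assumptions, not anything from the draft.

```python
# Added example (not from the thread or from any browser): a toy model of
# the list of "known HSTS hosts" a user agent keeps.  Names, the injected
# clock and all sample values are assumptions of this example.
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute expiry, seconds since the epoch
    include_subdomains: bool  # includeSubDomains directive was present


def parse_sts_header(value):
    """Parse 'max-age=N[; includeSubDomains]' into (max_age, include_subdomains).

    Returns None when there is no usable max-age (missing, non-numeric or
    given twice); unknown directives such as 'preload' are ignored."""
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Per-UA list of known HSTS hosts, keyed by lower-cased host name."""

    def __init__(self, clock=time.time):
        self._entries = {}
        self._clock = clock   # injected so a test can move time forward

    def process_response(self, host, headers, over_tls, cert_ok):
        """Apply the STS header (if any) carried by a response from `host`.

        Only a response received over TLS without certificate errors may
        create, refresh or delete policy.  A response with no header changes
        nothing (ticket #8); max-age=0 deletes the entry; a malformed header
        is ignored and the old entry kept."""
        if not (over_tls and cert_ok):
            return
        host = host.lower()
        value = headers.get("strict-transport-security")
        if value is None:
            return
        parsed = parse_sts_header(value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self._entries.pop(host, None)
        else:
            self._entries[host] = HstsEntry(self._clock() + max_age, include_sub)

    def is_known_hsts_host(self, host):
        """True if `host` or, via includeSubDomains, one of its parent
        domains has an unexpired entry.  Expired entries are dropped lazily."""
        labels = host.lower().split(".")
        now = self._clock()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            if entry.expires <= now:
                del self._entries[candidate]
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite_url(self, url):
        """The UA-side rewrite: http:// becomes https:// for a known HSTS
        host; port 80 becomes the https default, other explicit ports stay."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_hsts_host(parts.hostname or ""):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += ":%d" % parts.port
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The store is deliberately dumb about a missing header: the only ways an
entry goes away are the host sending max-age=0 or the original max-age
running out, which is exactly the three-month tail Yoav worries about in
the ticket #7 discussion.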


From trac+websec@trac.tools.ietf.org  Fri Jul  8 16:01:15 2011
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B58521F8C6D for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 16:01:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level: 
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QSzjwtqHznEw for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 16:01:14 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id B485521F8C68 for <websec@ietf.org>; Fri,  8 Jul 2011 16:01:14 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1QfK2s-0008A4-La; Fri, 08 Jul 2011 16:01:14 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 08 Jul 2011 23:01:14 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/7#comment:1
Message-ID: <079.0f97f4dca4a81aec11be538df5f4f6be@trac.tools.ietf.org>
References: <070.70d4f97ece5def5d52ae93f9d858bdc2@trac.tools.ietf.org>
X-Trac-Ticket-ID: 7
In-Reply-To: <070.70d4f97ece5def5d52ae93f9d858bdc2@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
Cc: websec@ietf.org
Subject: Re: [websec] #7: clarify and add examples/justification wrt connection termination due to tls warnings/errors
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 23:01:15 -0000

#7: clarify and add examples/justification wrt connection termination due to
tls warnings/errors


Comment(by jeff.hodges@…):

 see also....

 http://www.ietf.org/mail-archive/web/websec/current/msg00063.html

 Subject: Re: [websec] Some questions about HSTS
 From: Adam Barth <ietf@adambarth.com>
 Date: Mon, 22 Nov 2010 22:06:24 -0800
 To: Yoav Nir <ynir@checkpoint.com>
 Cc: "websec@ietf.org" <websec@ietf.org>

         (text/plain)
 On Mon, Nov 22, 2010 at 9:46 PM, Yoav Nir <ynir@checkpoint.com> wrote:
 > Taking both your answers together, suppose I have a web server with a
 > corporate or self-signed certificate, which is OK, as I expect all my
 > users to approve an exception (as it's called in Firefox). I turn on HSTS
 > because I'm worried about them being duped by a fake server using HTTP. To
 > me, HSTS reduces the attack surface by making them dupable only on the
 > first ever connect. Then, as it turns out, a certain browser breaks the
 > connection when connecting from outside the organization, because the CDP
 > is not available. Fine, I turn off HSTS, but because the cache is
 > untouched, the users will get intermittent connectivity problems for three
 > more months.

 I don't recommend using HSTS with self-signed certificates.  In this
 scenario, I'd recommend the corporation install a root certificate in
 all machines owned by the corporation and then use that root
 certificate to issue whatever other certificates the corporation
 needs.

 > I agree with Marsh, that this is too much of scope creep. It makes sense
 > for a big website like paypal, amazon or gmail to want strict enforcement
 > on the client. But smaller websites don't have the IT department of such
 > companies, and often let their certificates expire. In their case, having
 > HSTS on would cause a lot of trouble on certificate expiry day.

 Folks are already in for a headache if they let their certificates
 expire.  They'll get big nasty warnings in either case.  The
 difference is only whether those warnings will let the user ignore
 them.

 If you don't think your organization is sufficiently competent to
 schedule a reminder to update its certificates, then I don't recommend
 using HSTS.

 > The use case that I am interested in is not a big commercial website,
 > but rather an SSL-VPN portal. These have two relevant properties: They
 > come pre-packaged, and they're SSL-only. It is up to the customer to get a
 > certificate, or generate a self-signed one. I would have liked to have
 > HSTS on by default for such a product, but if that means that customers
 > with self-signed certificates or corporate certificates get long-lasting
 > connectivity problems, I can't justify that.

 Indeed.  Please don't use HSTS with self-signed certificates.  HSTS is
 a feature for well-maintained web sites that have a need for strong
 security.  The reason we designed HSTS was to differentiate between
 sites that actually want strong security and sites that are using TLS
 but don't have strong security needs.  If you don't need strong
 security, you don't need HSTS (and the additional careful
 administration it requires).

 > Sure, I can have a configuration flag for whether or not we should have
 > the header, but administrators tend to configure those wrong just as much
 > as users tend to click through dangerous screens.

 I don't think user agents should offer such a configuration flag.

 > What do the current implementations (Chrome, Firefox) do?

 They do what the spec says.  TLS errors on HSTS hosts are treated as
 fatal errors, much like the host's DNS name not resolving.  There is
 no recourse except to reload the page.

 Adam



 ###

 http://www.ietf.org/mail-archive/web/websec/current/msg00304.html

 Subject: Re: [websec] Decouple HSTS's two orthogonal effects?
 From: Adam Barth <ietf@adambarth.com>
 Date: Tue, 29 Mar 2011 13:58:08 -0700
 To: websec@ietf.org

         (text/plain)
 There's no coupling between HSTS and the particular algorithm a UA
 uses to verify certificates.  The UA is free to use whatever
 verification mechanism it desires.  You can remove whatever CAs you
 consider sloppy from the list of trusted certificate authorities and
 add in whatever other verification mechanism you like.

 For example, if/when certificate verification through DNSSEC becomes
 widespread, we won't need to change anything about the HSTS spec.  Of
 course, we'll need to change our implementations, but that's true
 regardless of what the HSTS spec says.

 Adam

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  =JeffH
     Type:  defect                         |      Status:  new   
 Priority:  major                          |   Milestone:        
Component:  strict-transport-sec           |     Version:        
 Severity:  Active WG Document             |    Keywords:        
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/7#comment:1>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Fri Jul  8 16:04:49 2011
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 755C121F8C71 for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 16:04:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level: 
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HiNMYtnRm0WW for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 16:04:49 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id 0739221F8C4E for <websec@ietf.org>; Fri,  8 Jul 2011 16:04:49 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1QfK6K-0008LC-Us; Fri, 08 Jul 2011 16:04:48 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 08 Jul 2011 23:04:48 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/9
Message-ID: <070.44d3a8d3efb1d14822e889e8f61bab63@trac.tools.ietf.org>
X-Trac-Ticket-ID: 9
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
Cc: websec@ietf.org
Subject: [websec] #9: explicitly note revocation check failures as errors causing connection termination?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 23:04:49 -0000

#9: explicitly note revocation check failures as errors causing connection
termination?

 http://www.ietf.org/mail-archive/web/websec/current/msg00306.html


 Subject: Re: [websec] Decouple HSTS's two orthogonal effects?
 From: Adam Barth <ietf@adambarth.com>
 Date: Tue, 29 Mar 2011 14:35:58 -0700
 To: Tom Ritter <tom@ritter.vg>
 Cc: websec@ietf.org

 On Tue, Mar 29, 2011 at 2:29 PM, Tom Ritter <tom@ritter.vg> wrote:
 > On Tue, Mar 29, 2011 at 4:58 PM, Adam Barth <ietf@adambarth.com> wrote:
 >> There's no coupling between HSTS and the particular algorithm a UA
 >> uses to verify certificates.  The UA is free to use whatever
 >> verification mechanism it desires.
 >
 > This is good, but perhaps some clarification to the draft would be in order:
 >
 > Section 2.2 states:
 >
 >   2.  The UA terminates, without user recourse, any secure transport
 >       connection attempts upon any and all secure transport errors or
 >       warnings, including those caused by a site presenting self-signed
 >       certificates

 If a self-signed certificate does not cause a secure transport error,
 then you're all set.  For example, it's fine for a self-signed
 certificate to be in the list of explicitly trusted certificates.  In
 that case, no secure transport error is generated.  Try it.  :)

 > Knowing that HSTS allows any validation method a posteriori allows you
 > to interpret this correctly - that self-signed certs *may* be allowed
 > under HSTS, if the user has added them to their store.  But without
 > that, it may be interpreted incorrectly - that no self-signed certs
 > would be allowed.

 That's not what it says.

 > Furthermore, I'm not sure, but "any and all secure
 > transport errors or warnings" may be ambiguous.  I don't know if it's
 > an existing standard to enter a warning or error state in event of
 > (for example) a revocation check failure - although we do know that
 > most browsers do not present any warning or error.  There's more on
 > that in Adam Langley's thread.  If HSTS does not define whether or
 > not a revocation check failure is an error condition, I think it
 > should.

 Indeed.  A reference there would be helpful.

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  =JeffH
     Type:  defect                         |      Status:  new   
 Priority:  major                          |   Milestone:        
Component:  strict-transport-sec           |     Version:        
 Severity:  Active WG Document             |    Keywords:        
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/9>
websec <http://tools.ietf.org/websec/>
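
Added example, not from the thread, the draft, or any browser: a Python
sketch of the decision tickets #7 and #9 are about. For a known HSTS host
every outcome that would otherwise be a certificate warning becomes a fatal
termination with no click-through, while for any other host the UA may show
an overridable warning. Adam's point that a self-signed certificate in the
UA's explicit trust store raises no error falls out of the trust-anchor
check. The unreachable-CRL/OCSP case is the one the draft does not settle
(ticket #9); the example exposes it as a hard_fail_revocation switch that
defaults to the soft-fail behaviour Tom describes. That switch, the
CertStatus values, the toy chain walk (which checks issuer linkage, not
signatures) and the sample certificates are all assumptions of this example.

```python
# Added example (not from the thread, the draft or any browser): how a UA
# turns a certificate validation result into "proceed", "warn" or "terminate"
# depending on whether the host is a known HSTS host.  The status set, the
# hard-fail switch and the toy chain format are assumptions of this example.
from enum import Enum


class CertStatus(Enum):
    OK = "ok"                                  # chain reaches a trusted anchor, no other problem
    UNTRUSTED_ISSUER = "untrusted-issuer"      # unknown CA, or self-signed and not in the store
    EXPIRED = "expired"
    NAME_MISMATCH = "name-mismatch"
    REVOKED = "revoked"
    REVOCATION_UNAVAILABLE = "revocation-unavailable"   # CRL/OCSP could not be fetched


class Outcome(Enum):
    PROCEED = "proceed"
    WARN_CLICK_THROUGH = "warn"      # interstitial the user may override
    TERMINATE = "terminate"          # fatal, "much like the host's DNS name not resolving"


def validate_chain(chain, trust_anchors, expected_host, revocation):
    """Toy path validation over constructed dicts (no signatures are checked).

    `chain` is [leaf, intermediate, ..., root] with keys subject, issuer,
    names, expired, revoked; `trust_anchors` is the set of subject names the
    UA explicitly trusts, so a self-signed leaf the user imported is anchored
    at the first step and produces no error; `revocation` is the result of
    the CRL/OCSP lookup: "ok", "revoked" or "unavailable"."""
    anchored = False
    for i, cert in enumerate(chain):
        if cert["subject"] in trust_anchors or cert["issuer"] in trust_anchors:
            anchored = True
            break
        # otherwise the next cert in the chain must be this one's issuer
        if i + 1 >= len(chain) or chain[i + 1]["subject"] != cert["issuer"]:
            break
    if not anchored:
        return CertStatus.UNTRUSTED_ISSUER
    if any(c["expired"] for c in chain):
        return CertStatus.EXPIRED
    leaf_names = {n.lower() for n in chain[0]["names"]}
    if expected_host.lower() not in leaf_names:
        return CertStatus.NAME_MISMATCH
    if revocation == "revoked" or any(c["revoked"] for c in chain):
        return CertStatus.REVOKED
    if revocation == "unavailable":
        return CertStatus.REVOCATION_UNAVAILABLE
    return CertStatus.OK


def connection_outcome(status, is_hsts_host, hard_fail_revocation=False):
    """Map a validation result to what the UA does with the connection.

    For a known HSTS host every status that would otherwise be a warning
    becomes TERMINATE with no user recourse (tickets #7 and #9).  A
    confirmed revocation is treated as fatal everywhere (assumption).  An
    unreachable CRL/OCSP responder is the case the draft leaves open: by
    default this example soft-fails, as most browsers do, and only a UA
    configured to hard-fail turns it into a secure-transport error."""
    if status is CertStatus.OK:
        return Outcome.PROCEED
    if status is CertStatus.REVOKED:
        return Outcome.TERMINATE
    if status is CertStatus.REVOCATION_UNAVAILABLE and not hard_fail_revocation:
        return Outcome.PROCEED
    return Outcome.TERMINATE if is_hsts_host else Outcome.WARN_CLICK_THROUGH


def decide(chain, trust_anchors, host, revocation, is_hsts_host, hard_fail_revocation=False):
    """Validate and decide in one step; returns (CertStatus, Outcome)."""
    status = validate_chain(chain, trust_anchors, host, revocation)
    return status, connection_outcome(status, is_hsts_host, hard_fail_revocation)
```

Note that the HSTS flag never changes the validation result itself, only
the mapping from result to outcome, which is the decoupling Adam describes
in msg00304: a UA can swap in any verification mechanism and the HSTS rule
still reads "any error or warning is fatal".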


From trac+websec@trac.tools.ietf.org  Fri Jul  8 16:06:28 2011
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3419221F8C7B for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 16:06:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level: 
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AvT8pl0DWmP4 for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 16:06:27 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id CB41121F8C71 for <websec@ietf.org>; Fri,  8 Jul 2011 16:06:27 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1QfK7v-0008Os-Gc; Fri, 08 Jul 2011 16:06:27 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 08 Jul 2011 23:06:27 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/10
Message-ID: <070.e5eb4060c3ca435f535b76c7060ada83@trac.tools.ietf.org>
X-Trac-Ticket-ID: 10
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
Cc: websec@ietf.org
Subject: [websec] #10: note that end-entity certs can be distrib'd to http clients ?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 23:06:28 -0000

#10: note that end-entity certs can be distrib'd to http clients ?

 http://www.ietf.org/mail-archive/web/websec/current/msg00306.html


 Subject: Re: [websec] Decouple HSTS's two orthogonal effects?
 From: Adam Barth <ietf@adambarth.com>
 Date: Tue, 29 Mar 2011 14:35:58 -0700
 To: Tom Ritter <tom@ritter.vg>
 Cc: websec@ietf.org

 <snip/>

 > Also Section 9 recommends distributing root CA certs to users'
 > browsers, and does not mention the possibility of distributing the leaf
 > certs instead.  Less related, but I prefer to trust organizations' leaf
 > certs individually than their root cert.

 I don't have a problem with also recommending leaf certs, but you
 should check with =JeffH.

 Adam

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  =JeffH
     Type:  defect                         |      Status:  new   
 Priority:  major                          |   Milestone:        
Component:  strict-transport-sec           |     Version:        
 Severity:  Active WG Document             |    Keywords:        
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/10>
websec <http://tools.ietf.org/websec/>


From Jeff.Hodges@KingsMountain.com  Fri Jul  8 16:23:24 2011
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2230E21F8C84 for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 16:23:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.307
X-Spam-Level: 
X-Spam-Status: No, score=-102.307 tagged_above=-999 required=5 tests=[AWL=-0.042, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NkVHv+mEpvWO for <websec@ietfa.amsl.com>; Fri,  8 Jul 2011 16:23:23 -0700 (PDT)
Received: from oproxy6-pub.bluehost.com (oproxy6-pub.bluehost.com [67.222.54.6]) by ietfa.amsl.com (Postfix) with SMTP id 80E5F21F8C82 for <websec@ietf.org>; Fri,  8 Jul 2011 16:23:23 -0700 (PDT)
Received: (qmail 10058 invoked by uid 0); 8 Jul 2011 23:23:22 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy3.bluehost.com with SMTP; 8 Jul 2011 23:23:22 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=X5dDLHqIzDhGfEp+56GX+9+V4xZGOApSVZ16vbQHWRNYZ7xAz/xhU+XvJzIktmO/MsXG52mEjEK0ge8MyBUHXXOb8rG4dsdju08Nnf/9XeiLCsq1nYjwpbh9AbviRHdk;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.136.43]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1QfKOH-00059h-Om for websec@ietf.org; Fri, 08 Jul 2011 17:23:21 -0600
Message-ID: <4E179169.1020403@KingsMountain.com>
Date: Fri, 08 Jul 2011 16:23:21 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110424 Thunderbird/3.1.10
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: [websec] HSTS spec issues noted in tracker
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 23:23:24 -0000

As y'all likely noticed, I worked through hasmat@ and websec@ mailing list 
archives since approx Jul-2010 and documented issues with the HSTS spec that've 
been raised, but aren't as yet addressed in 
draft-ietf-websec-strict-transport-sec-01.

an overview report is available here..

   http://trac.tools.ietf.org/wg/websec/trac/report/1?asc=1&sort=ticket

(that URI in the future will gen a report for all tickets submitted against all 
WebSec WG specs, just fyi/fwiw)

If there's any issues with the HSTS spec you feel are salient and that I didn't 
capture, please raise it on the list and/or submit a ticket.

I don't know if I'll be able to get the spec updated before Monday's I-D 
cutoff, but I will get it updated before Quebec in any case.

thanks,

=JeffH


From tlr@w3.org  Tue Jul 12 12:08:07 2011
Return-Path: <tlr@w3.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A76B21F8EA6 for <websec@ietfa.amsl.com>; Tue, 12 Jul 2011 12:08:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FQdHO6q94PVc for <websec@ietfa.amsl.com>; Tue, 12 Jul 2011 12:08:07 -0700 (PDT)
Received: from jay.w3.org (ssh.w3.org [128.30.52.60]) by ietfa.amsl.com (Postfix) with ESMTP id DF12121F8EA2 for <websec@ietf.org>; Tue, 12 Jul 2011 12:08:06 -0700 (PDT)
Received: from ip-88-207-235-30.dyn.luxdsl.pt.lu ([88.207.235.30] helo=[192.168.2.114]) by jay.w3.org with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.69) (envelope-from <tlr@w3.org>) id 1QgiJ0-0005nV-6h; Tue, 12 Jul 2011 15:07:38 -0400
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Thomas Roessler <tlr@w3.org>
In-Reply-To: <F94D1172DEEC714BBD7F76476442D7151FD3B64C@TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com>
Date: Tue, 12 Jul 2011 21:07:35 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <E8D46251-DA4C-46B8-8602-D42EC7278CCD@w3.org>
References: <DAD1FA49-1355-4769-852C-F47AB8E04682@w3.org> <CAJE5ia8GNutuU5d=2v8SjN=Rigck_XPRAoShzFb=s=5KcyLfJA@mail.gmail.com> <F94D1172DEEC714BBD7F76476442D7151FD3B64C@TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com>
To: David Ross <dross@microsoft.com>
X-Mailer: Apple Mail (2.1084)
X-Mailman-Approved-At: Tue, 12 Jul 2011 12:13:02 -0700
Cc: Charles McCathieNevile <chaals@opera.com>, Maciej Stachowiak <mjs@apple.com>, Eric Rescorla <ekr@rtfm.com>, "public-web-security@w3.org" <public-web-security@w3.org>, Adrian Bateman <adrianba@microsoft.com>, "Michael\(tm\) Smith" <mike@w3.org>, "websec@ietf.org" <websec@ietf.org>, "public-webapps@w3.org" <public-webapps@w3.org>, Mark Nottingham <mnot@mnot.net>, Arthur Barstow <art.barstow@nokia.com>, Adam Barth <w3c@adambarth.com>
Subject: Re: [websec] Frame embedding: One problem, three possible specs?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2011 19:08:07 -0000

So, looking at this thread, here's what I suggest for the webappsecwg
charter: We keep the deliverable in there, but make it very clear that
the group should liaise particularly closely with websec "and other IETF
work around framing policy" (or some such), explicitly to avoid
conflicting or competing specifications.

That way, if the vision of complementary specs that Brad describes
materializes, we have the necessary charter coverage, but we're very
clear that other work is going on and should be respected.

If that's ok with everybody, I'll make the tweak before we send this to
the membership.

--
Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)







On Jul 8, 2011, at 01:07 , David Ross wrote:

> #3 is a narrowly scoped effort to standardize something that works
> pretty well today in practice (X-FRAME-OPTIONS).  A conflict with CSP
> would be bad, but per Adam it seems like overlap is looking less likely.
> So proceeding down the current path on #3 sounds good to me.
>
> David Ross
> dross@microsoft.com
>
>
> -----Original Message-----
> From: Adam Barth [mailto:w3c@adambarth.com]
> Sent: Thursday, July 07, 2011 3:24 PM
> To: Thomas Roessler
> Cc: Tobias Gondrom; Arthur Barstow; Brad Hill; Eric Rescorla; Alexey
> Melnikov; David Ross; Anne van Kesteren; Adrian Bateman; Brandon Sterne;
> Charles McCathieNevile; Maciej Stachowiak; Peter Saint-Andre;
> Michael(tm) Smith; Mark Nottingham; Jeff Hodges;
> public-web-security@w3.org; public-webapps@w3.org; websec@ietf.org
> Subject: Re: Frame embedding: One problem, three possible specs?
>
> My sense from talking with folks is that there isn't a lot of
> enthusiasm for supporting this use case in CSP at the present time.
> We're trying to concentrate on a core set of directives for the first
> iteration.  If it helps reduce complexity, you might consider dropping
> option (1) for the time being.
>
> Adam
>
>
> On Thu, Jul 7, 2011 at 2:11 PM, Thomas Roessler <tlr@w3.org> wrote:
>> (Warning, this is cross-posted widely. One of the lists is the IETF
>> websec mailing list, to which the IETF NOTE WELL applies:
>> http://www.ietf.org/about/note-well.html)
>>
>>
>> Folks,
>>
>> there appear to be at least three possible specifications addressing
>> this space, with similar but different designs:
>>
>> 1. A proposed deliverable in the WebAppSec group to take up on
>> X-Frame-Options and express those in CSP:
>>  http://www.w3.org/2011/07/appsecwg-charter.html
>>
>> (We expect that this charter might go to the W3C AC for review as soon
>> as next week.)
>>
>> 2. The "From-Origin" draft (aka "Cross-Origin Resource Embedding
>> Exclusion") currently considered for publication as an FPWD in the
>> Webapps WG:
>>  http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/0088.html
>>
>> This draft mentions integration into CSP as a possible path forward.
>>
>> 3. draft-gondrom-frame-options, an individual I-D mentioned to websec:
>>  https://datatracker.ietf.org/doc/draft-gondrom-frame-options/
>>  http://www.ietf.org/mail-archive/web/websec/current/msg00388.html
>>
>>
>> How do we go about it?  One path forward might be to just proceed as
>> currently planned and coordinate when webappsec starts working.
>>
>> Another path forward might be to see whether we can agree now on what
>> forum to take these things forward in (and what the coordination dance
>> might look like).
>>
>> Thoughts welcome.
>>
>> Regards,
>> --
>> Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)
>>
>>
>>
>>
>
>


From tobias.gondrom@gondrom.org  Sun Jul 17 15:38:23 2011
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E628621F87C5 for <websec@ietfa.amsl.com>; Sun, 17 Jul 2011 15:38:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.155
X-Spam-Level: 
X-Spam-Status: No, score=-95.155 tagged_above=-999 required=5 tests=[AWL=0.207, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7slADo55bzZI for <websec@ietfa.amsl.com>; Sun, 17 Jul 2011 15:38:23 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (lvps83-169-7-107.dedicated.hosteurope.de [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id CA02021F8764 for <websec@ietf.org>; Sun, 17 Jul 2011 15:38:19 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=XNmBRY5m1JE9GX3AIOTTMBPjUEwIZ0GePz+FvlhEQPTZ2BzYubQ8beoVdIXTVin5S5P7D31bzm7F7JQxGEigCnXLZCJ8rkL4w1eNm3PCSbTtGohO4u2ZISZv09VGN4gi; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding;
Received: (qmail 19678 invoked from network); 18 Jul 2011 00:37:36 +0200
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.64?) (94.194.102.93) by lvps83-169-7-107.dedicated.hosteurope.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 18 Jul 2011 00:37:36 +0200
Message-ID: <4E236430.9070000@gondrom.org>
Date: Sun, 17 Jul 2011 23:37:36 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20110627 Thunderbird/5.0
MIME-Version: 1.0
To: websec@ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [websec] Websec Agenda for Quebec - any proposed items?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jul 2011 22:38:24 -0000

Hi folks,

I am currently going through and finalising our agenda for our meeting on
Monday July-25 in Quebec City.
Any proposals for agenda items?

Please be so kind as to provide any ideas by July-18 15:00 PT.

Kind regards,

Tobias
(chair of websec)


Ps.: the first agenda draft: 
http://www.ietf.org/proceedings/81/agenda/websec.txt


From tobias.gondrom@gondrom.org  Mon Jul 18 12:38:59 2011
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A54B11E8070 for <websec@ietfa.amsl.com>; Mon, 18 Jul 2011 12:38:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.238
X-Spam-Level: 
X-Spam-Status: No, score=-95.238 tagged_above=-999 required=5 tests=[AWL=0.124, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mvQKDVM+OfGs for <websec@ietfa.amsl.com>; Mon, 18 Jul 2011 12:38:55 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (lvps83-169-7-107.dedicated.hosteurope.de [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id 55D2F21F8AD9 for <websec@ietf.org>; Mon, 18 Jul 2011 12:38:55 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=VUD2gvrUGzCRqGbQAKjuHU5E0nTQ0tycSeUl4RmgYPNd5qvGrsgM+2uMsD4ieULP6c6ePCnckDfKN5iOrL1lyKwr5qFSfjIaVy1+0ahlIFNjHJCoCmYBjeCORUD+KzII; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:X-Priority:Content-Type:Content-Transfer-Encoding;
Received: (qmail 1613 invoked from network); 18 Jul 2011 21:38:04 +0200
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.64?) (94.194.102.93) by lvps83-169-7-107.dedicated.hosteurope.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 18 Jul 2011 21:38:04 +0200
Message-ID: <4E248B9C.1070701@gondrom.org>
Date: Mon, 18 Jul 2011 20:38:04 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20110627 Thunderbird/5.0
MIME-Version: 1.0
To: websec@ietf.org
X-Priority: 2 (High)
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [websec] WG Last Call on draft-ietf-websec-origin-02 until Aug-15
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jul 2011 19:38:59 -0000

Hello dear websec fellows,

after reading the feedback and the update on the origin draft, I have 
the impression that the draft is in good shape and would like to ask for 
WG Last Call for this document:
http://tools.ietf.org/html/draft-ietf-websec-origin-02

As we are close to the IETF meeting in Quebec, this last call will be 
extended to four weeks and _*close on August-15.*_ Please make a last 
careful review of the draft and submit comments, questions and discuss 
items for this draft ASAP. If you perceive any major issues, it might 
also make sense to raise them during our meeting in Quebec on July-25.

Kind regards and thank you,

Tobias
chair of websec


Tobias Gondrom
email: tobias.gondrom@gondrom.org
mobile: +447521003005

From chris@lookout.net  Mon Jul 18 15:17:49 2011
Return-Path: <chris@lookout.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB3DE21F880C for <websec@ietfa.amsl.com>; Mon, 18 Jul 2011 15:17:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.525
X-Spam-Level: 
X-Spam-Status: No, score=-2.525 tagged_above=-999 required=5 tests=[AWL=-1.267, BAYES_20=-0.74, DNS_FROM_RFC_BOGUSMX=1.482, GB_I_LETTER=-2]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7fXnnCJkGOJp for <websec@ietfa.amsl.com>; Mon, 18 Jul 2011 15:17:48 -0700 (PDT)
Received: from cl02.gs02.gridserver.com (cl02.gs02.gridserver.com [64.13.232.11]) by ietfa.amsl.com (Postfix) with ESMTP id 8B3B821F863E for <websec@ietf.org>; Mon, 18 Jul 2011 15:17:48 -0700 (PDT)
Received: from c-71-231-104-2.hsd1.wa.comcast.net ([71.231.104.2]:53249 helo=[192.168.1.192]) by cl02.gs02.gridserver.com with esmtpsa (TLS-1.0:DHE_RSA_AES_256_CBC_SHA:32) (Exim 4.69) (envelope-from <chris@lookout.net>) id 1Qiw8J-0002sU-5f for websec@ietf.org; Mon, 18 Jul 2011 15:17:48 -0700
Message-ID: <4E24B10A.1070000@lookout.net>
Date: Mon, 18 Jul 2011 15:17:46 -0700
From: Chris Weber <chris@lookout.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: websec@ietf.org
References: <4E248B9C.1070701@gondrom.org>
In-Reply-To: <4E248B9C.1070701@gondrom.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Authenticated-User: 17546 chris@lookout.net
Subject: [websec] lower-casing in the idna-canonicalized host name
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jul 2011 22:17:49 -0000

Under the definition of an "idna-canonicalized" host name in section 
2.3, step 2 - is it known that the reader will handle NR-LDH and 
A-labels as locale-insensitive ASCII, or should it be explicitly stated 
that the lower-case conversion in step "2" should be locale-insensitive, 
or use English as the locale?

Otherwise even with ASCII input a lower-case operation could result in a 
U+0049 LATIN CAPITAL LETTER I becoming U+0131 LATIN SMALL LETTER DOTLESS 
I under the Turkish "tr-TR" locale.

Best regards,
Chris
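
Added example, written for this archive and not part of Chris's message or
of the origin draft: the lowercase step of the idna-canonicalized host name
done as an ASCII-only map, which no locale can affect, next to a simulation
of the tr-TR rule he describes. The A-label step uses Python's built-in IDNA
codec; turkish_lower() is this example's own stand-in for a locale-sensitive
toLowerCase(), since Python's str.lower() has no locale, and the "Bücher"
sample host is constructed for the test.

```python
import re

# NR-LDH labels and A-labels consist only of ASCII letters, digits and hyphen.
A_LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")


def ascii_lower(s: str) -> str:
    """Lowercase by mapping only A-Z to a-z. No locale or Unicode
    special-casing rule can change the result, which is the property
    the canonicalization step needs."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)


def turkish_lower(s: str) -> str:
    """Simulation (this example's own) of the tr-TR casing rule that a
    locale-sensitive toLowerCase() applies: I -> U+0131 LATIN SMALL LETTER
    DOTLESS I, and U+0130 (capital dotted I) -> i. Everything else uses
    default casing. Python's str.lower() is locale-independent, so the rule
    is spelled out here to show the hazard."""
    out = []
    for c in s:
        if c == "I":
            out.append("\u0131")
        elif c == "\u0130":
            out.append("i")
        else:
            out.append(c.lower())
    return "".join(out)


def to_a_label(label: str) -> str:
    """Step 1 of the draft's procedure: a non-ASCII (U-label) label becomes
    its A-label via Python's built-in IDNA codec; ASCII labels pass through
    untouched so that step 2 is the only place casing happens for them."""
    if label.isascii():
        return label
    return label.encode("idna").decode("ascii")


def idna_canonicalize(host: str, lower=ascii_lower) -> str:
    """Steps 1 and 2: convert each label to an A-label, then lowercase it.
    The lowercase function is a parameter so the two behaviours can be
    compared on the same input."""
    return ".".join(lower(to_a_label(label)) for label in host.split("."))


def is_ascii_host(host: str) -> bool:
    """True if every label is still NR-LDH/A-label ASCII after canonicalization.
    A locale-sensitive lowercase can make this fail on pure ASCII input."""
    return all(A_LABEL_RE.match(label) for label in host.split("."))
```

With the ASCII-only map, "IETF.ORG" canonicalizes to "ietf.org"; with the
simulated tr-TR rule it becomes "\u0131etf.org", which is no longer an ASCII
host and would never compare equal to the origin a server expects.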

From trac+websec@trac.tools.ietf.org  Tue Jul 19 14:39:08 2011
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BB6822800F for <websec@ietfa.amsl.com>; Tue, 19 Jul 2011 14:39:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level: 
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dJf0SOyNSEhz for <websec@ietfa.amsl.com>; Tue, 19 Jul 2011 14:39:03 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id D572A228011 for <websec@ietf.org>; Tue, 19 Jul 2011 14:39:03 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1QjI0A-0007so-1N; Tue, 19 Jul 2011 14:38:50 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Tue, 19 Jul 2011 21:38:50 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/11
Message-ID: <070.af0bfffe62bd5e0a6e782fea2e8d2597@trac.tools.ietf.org>
X-Trac-Ticket-ID: 11
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-Message-Id: <20110719213903.D572A228011@ietfa.amsl.com>
Resent-Date: Tue, 19 Jul 2011 14:39:03 -0700 (PDT)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: [websec]  #11: failing insecure connections and user recourse
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 21:39:08 -0000

#11: failing insecure connections and user recourse

 http://www.ietf.org/mail-archive/web/websec/current/msg00076.html

 Subject: Re: [websec] failing insecure connections and user recourse (was:
  Some questions about HSTS)
 From: =JeffH <Jeff.Hodges@KingsMountain.com>
 Date: Tue, 23 Nov 2010 16:42:03 -0800
 To: IETF WebSec WG <websec@ietf.org>

 [ I'm outta the office this week; expect longer than usual delays ]

 Yoav Nir noted..
  >
  > In sections 2.4.1.1, point #9 says: 9.  UAs need to prevent users from
  > clicking-through security warnings.  Halting connection attempts in the
  > face of secure transport exceptions is acceptable.
  >
  > ...
  >
  > Point #9 seems to say contradictory things. On the one hand, it says
  > that "UAs need to prevent..." and I interpret "need" to mean "MUST", but
  > on the other hand, halting connections is just "acceptable". So is it
  > MAY or MUST?

 Section 2.4.1.1 comprises core functional requirements for addressing the
 threats noted in an earlier section of the Overview -- it's non-normative
 expository material.

 The relevant normative language in the present spec
 (draft-hodges-strict-transport-sec-02) is..

    7.3. Errors in Secure Transport Establishment

       When connecting to a Known HSTS Server, the UA MUST terminate the
       connection with no user recourse if there are any errors (e.g.
       certificate errors), whether "warning" or "fatal" or any other error
       level, with the underlying secure transport.


 Paul Hoffman notes..
  >
  > ...the IETF, generally does not make such decisions for users. We make
  > protocols and recommendations to developers. The text in this document
  > should be worded as such.

 Agreed. I propose moving the "with no user recourse" phrase (no more, no
 less), in the language quoted above, to section "10. UA Implementation
 Advice", and appropriately elaborate on it there (and in security
 considerations).

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  draft-ietf-websec-strict-transport-sec@…             
     Type:  defect                         |      Status:  new                                                  
 Priority:  major                          |   Milestone:                                                       
Component:  strict-transport-sec           |     Version:                                                       
 Severity:  Active WG Document             |    Keywords:                                                       
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/11>
websec <http://tools.ietf.org/websec/>
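
Added example, not from the HSTS draft or from the ticket: a minimal
"Known HSTS Server" store and the UA decision the quoted section 7.3 text
requires on a secure-transport error. The header directives (max-age,
includeSubDomains) are the draft's; the store layout, the superdomain
matching, the injectable clock and the 'terminate'/'warn' outcome names are
this example's own assumptions, and the hosts in the test are constructed.

```python
import time
from typing import Dict, Optional, Tuple


def parse_sts(header: str) -> Optional[Dict]:
    """Parse a Strict-Transport-Security value: 'max-age=N[; includeSubDomains]'.
    Returns None when there is no valid max-age, in which case a UA ignores
    the header rather than guessing."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        d = directive.strip()
        if not d:
            continue
        name, _, value = d.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}


class HstsStore:
    """Known HSTS Servers: host -> (expiry time, includeSubDomains).
    `now` is injectable so expiry can be tested without waiting."""

    def __init__(self, now=time.time):
        self._now = now
        self._known: Dict[str, Tuple[float, bool]] = {}

    def observe(self, host: str, header: str, over_secure_transport: bool) -> None:
        # The header is only honoured when received over an error-free secure
        # transport; over plain HTTP an attacker could plant or clear entries.
        if not over_secure_transport:
            return
        p = parse_sts(header)
        if p is None:
            return
        host = host.lower()
        if p["max_age"] == 0:
            self._known.pop(host, None)        # max-age=0 forgets the host
            return
        self._known[host] = (self._now() + p["max_age"], p["include_subdomains"])

    def is_known(self, host: str) -> bool:
        """Exact match, or a superdomain match whose entry set includeSubDomains.
        Matching is label-wise so 'notexample.com' never matches 'example.com'."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._known.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue                       # expired entry is not Known
            if i == 0 or include_sub:
                return True
        return False


def on_tls_error(store: HstsStore, host: str) -> str:
    """UA action for any secure-transport error (warning or fatal) on `host`:
    'terminate' with no user recourse for a Known HSTS Server, otherwise
    'warn', i.e. the UA's usual click-through interstitial."""
    return "terminate" if store.is_known(host) else "warn"
```

The two places where a UA commonly gets this wrong are modelled explicitly:
the store refuses headers seen over an insecure transport, and an expired or
superdomain-only entry without includeSubDomains does not make a host Known.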


From dev.akhawe@gmail.com  Wed Jul 20 13:17:15 2011
Return-Path: <dev.akhawe@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90F9D21F8680 for <websec@ietfa.amsl.com>; Wed, 20 Jul 2011 13:17:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level: 
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_42=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m7PnxpAnKxIX for <websec@ietfa.amsl.com>; Wed, 20 Jul 2011 13:17:11 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id D891121F86AE for <websec@ietf.org>; Wed, 20 Jul 2011 13:17:10 -0700 (PDT)
Received: by gxk19 with SMTP id 19so307364gxk.31 for <websec@ietf.org>; Wed, 20 Jul 2011 13:17:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:from:date:message-id:subject:to:content-type; bh=Xop6rihyYpf0VssEzEVXbVrecB39WyLuOGDK5ho1wcU=; b=CyqKGq6P+Ixx8Y3TZh4OcSLS7LR3da8nGn9rxb0MgSC4oapRhprns4FvhdDkdg0N9I qKbWWKGLC6mlxbZzH6RWO5BwqkeRgF/4KLm0LOTskRrzb5yb4cUhg4f4ORtYpXSeWsNt mGl0GzQcHvsxONwYl2YhXuNpPYRHz2hz+yCTY=
Received: by 10.150.55.23 with SMTP id d23mr4148976yba.10.1311193030095; Wed, 20 Jul 2011 13:17:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.151.51.4 with HTTP; Wed, 20 Jul 2011 13:16:50 -0700 (PDT)
From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 20 Jul 2011 13:16:50 -0700
Message-ID: <CAPfop_1SFauSXO9RZvZtXLpb_dTpPCLLnp+C+eH24pcVFHwg8A@mail.gmail.com>
To: websec@ietf.org
Content-Type: multipart/alternative; boundary=000e0cd598aeca746504a885eaa1
Subject: [websec] X-Frame-Options and SSL
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2011 20:17:15 -0000

Hi folks

Consider a site at www.alice.com that wants to only be framed by their
friends at www.bob.com.

Say, a request to https://www.alice.com might respond with a
X-Frame-Options: allow-from http://www.bob.com

Clearly, https://www.alice.com has the privileges to act with the
'secure' cookie for alice.com. In this scenario, http://www.bob.com might
actually be MITM'ed by Mallory and contain malicious code. In this scenario,
does it make sense to allow http://www.bob.example to frame
https://www.alice.example? I think this is wrong behavior: a higher-level
invariant that should be maintained (at least in the newer specs :) is
that only HTTPS content has access to secure cookie privileges.

Thus, I think the right thing to do is:
Enforce https for all the origins in the list returned in allow-from by
https://www.alice.com. Even if https://www.alice.com responds with
http://www.bob.com in its X-Frame-Options, the browser should only allow
https://www.bob.com to frame https://www.alice.com.


I think this is even more compelling in case alice.com has enforced HSTS.

What do others think ?


thanks
devdatta
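
Added example illustrating the scenario in the message above; it is not
from the thread nor from any browser's implementation. It parses an
X-Frame-Options value and checks the top-level document's origin against
allow-from, with a switch for the stricter rule Devdatta proposes (an https
response may only be framed from an https origin even when the header names
an http one). Assumptions of this example: exact scheme/host/port origin
comparison, a default-port map in which an upgraded http origin on port 80
becomes https on 443, only the top-level document is checked, and an
unparseable header is treated as absent; the alice/bob URLs are the thread's.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str):
    """(scheme, host, port) with the scheme's default port filled in, so that
    https://www.alice.com/ and https://www.alice.com:443/x compare equal."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def parse_xfo(value: str):
    """Returns ('DENY',), ('SAMEORIGIN',), ('ALLOW-FROM', origin) or None for
    anything else (keyword case-insensitive, as header tokens usually are)."""
    parts = value.strip().split(None, 1)
    if not parts:
        return None
    kw = parts[0].upper()
    if kw in ("DENY", "SAMEORIGIN") and len(parts) == 1:
        return (kw,)
    if kw == "ALLOW-FROM" and len(parts) == 2:
        return ("ALLOW-FROM", origin_of(parts[1].strip()))
    return None


def may_frame(framed_url: str, xfo: str, top_url: str,
              require_https_for_https: bool = False) -> bool:
    """Decide whether the document at top_url may embed framed_url given the
    framed response's X-Frame-Options value. With require_https_for_https,
    an https framed document is only embeddable by an https top-level origin,
    which is the rule proposed in the message above."""
    policy = parse_xfo(xfo)
    if policy is None:
        return True                        # this example: unparseable == absent
    framed = origin_of(framed_url)
    top = origin_of(top_url)
    if policy[0] == "DENY":
        return False
    if policy[0] == "SAMEORIGIN":
        return top == framed
    allowed = policy[1]
    if require_https_for_https and framed[0] == "https" and allowed[0] != "https":
        # Upgrade the listed origin's scheme; an explicit non-default port is
        # kept, the http default (80) becomes the https default (443).
        allowed = ("https", allowed[1], 443 if allowed[2] == 80 else allowed[2])
    return top == allowed
```

As written, "allow-from http://www.bob.com" on an https://www.alice.com
response lets an http://www.bob.com top-level document (the one Mallory can
tamper with) embed it; with the strict switch only https://www.bob.com may.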

From ietf@adambarth.com  Wed Jul 20 13:24:33 2011
Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 960EF21F8A51 for <websec@ietfa.amsl.com>; Wed, 20 Jul 2011 13:24:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.115
X-Spam-Level: 
X-Spam-Status: No, score=-3.115 tagged_above=-999 required=5 tests=[AWL=-0.738, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_42=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ivCVgpjm06TA for <websec@ietfa.amsl.com>; Wed, 20 Jul 2011 13:24:33 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id E21EB21F8A1A for <websec@ietf.org>; Wed, 20 Jul 2011 13:24:32 -0700 (PDT)
Received: by iwn39 with SMTP id 39so571364iwn.31 for <websec@ietf.org>; Wed, 20 Jul 2011 13:24:32 -0700 (PDT)
Received: by 10.231.200.82 with SMTP id ev18mr8601130ibb.0.1311193472418; Wed, 20 Jul 2011 13:24:32 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by mx.google.com with ESMTPS id t14sm364067ibj.30.2011.07.20.13.24.31 (version=SSLv3 cipher=OTHER); Wed, 20 Jul 2011 13:24:31 -0700 (PDT)
Received: by iye7 with SMTP id 7so619080iye.31 for <websec@ietf.org>; Wed, 20 Jul 2011 13:24:31 -0700 (PDT)
Received: by 10.231.180.155 with SMTP id bu27mr5497416ibb.162.1311193471104; Wed, 20 Jul 2011 13:24:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.190.82 with HTTP; Wed, 20 Jul 2011 13:24:01 -0700 (PDT)
In-Reply-To: <CAPfop_1SFauSXO9RZvZtXLpb_dTpPCLLnp+C+eH24pcVFHwg8A@mail.gmail.com>
References: <CAPfop_1SFauSXO9RZvZtXLpb_dTpPCLLnp+C+eH24pcVFHwg8A@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Wed, 20 Jul 2011 13:24:01 -0700
Message-ID: <CAJE5ia85bSnimZ9ZkPiZr=HfBDMaz4TdVYD3YQGa9=xrdt1vDQ@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: websec@ietf.org
Subject: Re: [websec] X-Frame-Options and SSL
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2011 20:24:33 -0000

I'm not sure that invariant makes sense.  As another example, it seems
entirely reasonable for an HTTP page to include a copy of jQuery from
an HTTPS URL.

Adam


On Wed, Jul 20, 2011 at 1:16 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> Hi folks
>
> Consider a site at www.alice.com that wants to only be framed by their
> friends at www.bob.com.
>
> Say, a request to https://www.alice.com might respond with a
> X-Frame-Options: allow-from http://www.bob.com
>
> Clearly, the https://www.alice.com has the privileges to act with the
> 'secure' cookie for alice.com. In this scenario, http://www.bob.com might
> actually be MITM'ed by Mallory and contain malicious code. In this scenario,
> does it make sense to allow http://www.bob.example to frame
> https://www.alice.example? I think this is wrong behavior: a more higher
> level invariant that should be maintained (at least in the newer specs :) is
> that only HTTPS content has access to secure cookie privileges.
>
> Thus, I think the right thing to do is :
> Enforce https for all the origins in the list returned in allow-from by
> https://www.alice.com. Even if https://www.alice.com responds with
> http://www.bob.com in its X-Frame-Options, the browser should only allow
> https://www.bob.com to frame https://www.alice.com
>
>
> I think this is even more compelling in case alice.com has enforced HSTS.
>
> What do others think ?
>
>
> thanks
> devdatta
>
>
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>
>

From dev.akhawe@gmail.com  Wed Jul 20 13:26:57 2011
Return-Path: <dev.akhawe@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B108A21F8A71 for <websec@ietfa.amsl.com>; Wed, 20 Jul 2011 13:26:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.148
X-Spam-Level: 
X-Spam-Status: No, score=-3.148 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_42=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xyhXuyzYy1wv for <websec@ietfa.amsl.com>; Wed, 20 Jul 2011 13:26:54 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id C3B2F21F8A62 for <websec@ietf.org>; Wed, 20 Jul 2011 13:26:53 -0700 (PDT)
Received: by gyd5 with SMTP id 5so311746gyd.31 for <websec@ietf.org>; Wed, 20 Jul 2011 13:26:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=HNFqvUajvvKUovWAL6s4PvpyQEnIfOqT6yPbpi+PL68=; b=Gi7WlIYfG4EAWcAOo5GrXzYLY2NvEM15b30abURqH/Lq7e4dJwTRdKNFlPUldv1rgZ 7WSqc0NarGG1VpS90QgT9sIyNv6f1DBt9YmFn2k7o1rzLUTMKln5TVuY1aslUBHt9Euz QqOEat6EjBnQ0a0ZEAXOHrkv6gxq2ii1vsNHA=
Received: by 10.150.235.17 with SMTP id i17mr8494950ybh.67.1311193612119; Wed, 20 Jul 2011 13:26:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.151.51.4 with HTTP; Wed, 20 Jul 2011 13:26:31 -0700 (PDT)
In-Reply-To: <CAJE5ia85bSnimZ9ZkPiZr=HfBDMaz4TdVYD3YQGa9=xrdt1vDQ@mail.gmail.com>
References: <CAPfop_1SFauSXO9RZvZtXLpb_dTpPCLLnp+C+eH24pcVFHwg8A@mail.gmail.com> <CAJE5ia85bSnimZ9ZkPiZr=HfBDMaz4TdVYD3YQGa9=xrdt1vDQ@mail.gmail.com>
From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 20 Jul 2011 13:26:31 -0700
Message-ID: <CAPfop_1B-jBb8G0zdX+T0H56ZxiyrGsh2FkMN_tAuUOWqpn7Qg@mail.gmail.com>
To: Adam Barth <ietf@adambarth.com>
Content-Type: multipart/alternative; boundary=000e0cd23b0c7b710204a8860d9c
Cc: websec@ietf.org
Subject: Re: [websec] X-Frame-Options and SSL
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2011 20:26:57 -0000

--000e0cd23b0c7b710204a8860d9c
Content-Type: text/plain; charset=ISO-8859-1

The invariant I am talking about is more comparable to an https page
including jquery with an http URL, something that afaik is considered not
safe and blocked by browsers.

-devdatta

On 20 July 2011 13:24, Adam Barth <ietf@adambarth.com> wrote:

> I'm not sure that invariant makes sense.  As another example, it seems
> entirely reasonable for an HTTP page to include a copy of jQuery from
> an HTTPS URL.
>
> Adam
>
>
> On Wed, Jul 20, 2011 at 1:16 PM, Devdatta Akhawe <dev.akhawe@gmail.com>
> wrote:
> > Hi folks
> >
> > Consider a site at www.alice.com that wants to only be framed by their
> > friends at www.bob.com.
> >
> > Say, a request to https://www.alice.com might respond with a
> > X-Frame-Options: allow-from http://www.bob.com
> >
> > Clearly, the https://www.alice.com has the privileges to act with the
> > 'secure' cookie for alice.com. In this scenario, http://www.bob.com might
> > actually be MITM'ed by Mallory and contain malicious code. In this
> scenario,
> > does it make sense to allow http://www.bob.example to frame
> > https://www.alice.example? I think this is wrong behavior: a more higher
> > level invariant that should be maintained (at least in the newer specs :)
> is
> > that only HTTPS content has access to secure cookie privileges.
> >
> > Thus, I think the right thing to do is :
> > Enforce https for all the origins in the list returned in allow-from by
> > https://www.alice.com. Even if https://www.alice.com responds with
> > http://www.bob.com in its X-Frame-Options, the browser should only allow
> > https://www.bob.com to frame https://www.alice.com
> >
> >
> > I think this is even more compelling in case alice.com has enforced HSTS.
> >
> > What do others think ?
> >
> >
> > thanks
> > devdatta
> >
> >
> >
> > _______________________________________________
> > websec mailing list
> > websec@ietf.org
> > https://www.ietf.org/mailman/listinfo/websec
> >
> >
>

--000e0cd23b0c7b710204a8860d9c--

From ietf@adambarth.com  Wed Jul 20 13:31:21 2011
MIME-Version: 1.0
In-Reply-To: <CAPfop_1B-jBb8G0zdX+T0H56ZxiyrGsh2FkMN_tAuUOWqpn7Qg@mail.gmail.com>
References: <CAPfop_1SFauSXO9RZvZtXLpb_dTpPCLLnp+C+eH24pcVFHwg8A@mail.gmail.com> <CAJE5ia85bSnimZ9ZkPiZr=HfBDMaz4TdVYD3YQGa9=xrdt1vDQ@mail.gmail.com> <CAPfop_1B-jBb8G0zdX+T0H56ZxiyrGsh2FkMN_tAuUOWqpn7Qg@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Wed, 20 Jul 2011 13:30:49 -0700
Message-ID: <CAJE5ia9dmp7a_aNY+nLbhNb6mpLpboYr_0Xp3FxAzrwsJ7z1dw@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: websec@ietf.org
Subject: Re: [websec] X-Frame-Options and SSL

Why is that?  We're talking about HTTP Bob including HTTPS Alice, just
like we're talking about an HTTP page including HTTPS jQuery.

Adam


On Wed, Jul 20, 2011 at 1:26 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> The invariant I am talking about is more comparable to an https page
> including jquery with an http URL, something afaik is considered not safe
> and blocked by browsers.
>
> -devdatta
>
> On 20 July 2011 13:24, Adam Barth <ietf@adambarth.com> wrote:
>>
>> I'm not sure that invariant makes sense.  As another example, it seems
>> entirely reasonable for an HTTP page to include a copy of jQuery from
>> an HTTPS URL.
>>
>> Adam
>>
>>
>> On Wed, Jul 20, 2011 at 1:16 PM, Devdatta Akhawe <dev.akhawe@gmail.com>
>> wrote:
>> > Hi folks
>> >
>> > Consider a site at www.alice.com that wants to only be framed by their
>> > friends at www.bob.com.
>> >
>> > Say, a request to https://www.alice.com might respond with a
>> > X-Frame-Options: allow-from http://www.bob.com
>> >
>> > Clearly, the https://www.alice.com has the privileges to act with the
>> > 'secure' cookie for alice.com. In this scenario, http://www.bob.com
>> > might
>> > actually be MITM'ed by Mallory and contain malicious code. In this
>> > scenario,
>> > does it make sense to allow http://www.bob.example to frame
>> > https://www.alice.example? I think this is wrong behavior: a higher
>> > level invariant that should be maintained (at least in the newer specs
>> > :) is
>> > that only HTTPS content has access to secure cookie privileges.
>> >
>> > Thus, I think the right thing to do is :
>> > Enforce https for all the origins in the list returned in allow-from by
>> > https://www.alice.com. Even if https://www.alice.com responds with
>> > http://www.bob.com in its X-Frame-Options, the browser should only allow
>> > https://www.bob.com to frame https://www.alice.com
>> >
>> >
>> > I think this is even more compelling in case alice.com has enforced
>> > HSTS.
>> >
>> > What do others think ?
>> >
>> >
>> > thanks
>> > devdatta
>> >
>> >
>> >
>> > _______________________________________________
>> > websec mailing list
>> > websec@ietf.org
>> > https://www.ietf.org/mailman/listinfo/websec
>> >
>> >
>
>

From dev.akhawe@gmail.com  Wed Jul 20 13:34:37 2011
MIME-Version: 1.0
In-Reply-To: <CAJE5ia9dmp7a_aNY+nLbhNb6mpLpboYr_0Xp3FxAzrwsJ7z1dw@mail.gmail.com>
References: <CAPfop_1SFauSXO9RZvZtXLpb_dTpPCLLnp+C+eH24pcVFHwg8A@mail.gmail.com> <CAJE5ia85bSnimZ9ZkPiZr=HfBDMaz4TdVYD3YQGa9=xrdt1vDQ@mail.gmail.com> <CAPfop_1B-jBb8G0zdX+T0H56ZxiyrGsh2FkMN_tAuUOWqpn7Qg@mail.gmail.com> <CAJE5ia9dmp7a_aNY+nLbhNb6mpLpboYr_0Xp3FxAzrwsJ7z1dw@mail.gmail.com>
From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 20 Jul 2011 13:34:13 -0700
Message-ID: <CAPfop_1Z=+DO91iJwdOnYWdaVbAkxh=u4oEEpxP8xPmQvi+DPQ@mail.gmail.com>
To: Adam Barth <ietf@adambarth.com>
Content-Type: multipart/alternative; boundary=00151748e052f5957704a8862828
Cc: websec@ietf.org
Subject: Re: [websec] X-Frame-Options and SSL

--00151748e052f5957704a8862828
Content-Type: text/plain; charset=ISO-8859-1

In case of http bob including https jQuery, the HTTPS jQuery will run with
the privileges of http bob.

In the other case, https alice frame will run with the privileges of https
alice.


=dev

On 20 July 2011 13:30, Adam Barth <ietf@adambarth.com> wrote:

> Why is that?  We're talking about HTTP Bob including HTTPS Alice, just
> like we're talking about an HTTP page including HTTPS jQuery.
>
> Adam
>
>
> On Wed, Jul 20, 2011 at 1:26 PM, Devdatta Akhawe <dev.akhawe@gmail.com>
> wrote:
> > The invariant I am talking about is more comparable to an https page
> > including jquery with an http URL, something afaik is considered not safe
> > and blocked by browsers.
> >
> > -devdatta
> >
> > On 20 July 2011 13:24, Adam Barth <ietf@adambarth.com> wrote:
> >>
> >> I'm not sure that invariant makes sense.  As another example, it seems
> >> entirely reasonable for an HTTP page to include a copy of jQuery from
> >> an HTTPS URL.
> >>
> >> Adam
> >>
> >>
> >> On Wed, Jul 20, 2011 at 1:16 PM, Devdatta Akhawe <dev.akhawe@gmail.com>
> >> wrote:
> >> > Hi folks
> >> >
> >> > Consider a site at www.alice.com that wants to only be framed by their
> >> > friends at www.bob.com.
> >> >
> >> > Say, a request to https://www.alice.com might respond with a
> >> > X-Frame-Options: allow-from http://www.bob.com
> >> >
> >> > Clearly, the https://www.alice.com has the privileges to act with the
> >> > 'secure' cookie for alice.com. In this scenario, http://www.bob.com
> >> > might
> >> > actually be MITM'ed by Mallory and contain malicious code. In this
> >> > scenario,
> >> > does it make sense to allow http://www.bob.example to frame
> >> > https://www.alice.example? I think this is wrong behavior: a higher
> >> > level invariant that should be maintained (at least in the newer specs
> >> > :) is that only HTTPS content has access to secure cookie privileges.
> >> >
> >> > Thus, I think the right thing to do is :
> >> > Enforce https for all the origins in the list returned in allow-from by
> >> > https://www.alice.com. Even if https://www.alice.com responds with
> >> > http://www.bob.com in its X-Frame-Options, the browser should only allow
> >> > https://www.bob.com to frame https://www.alice.com
> >> >
> >> >
> >> > I think this is even more compelling in case alice.com has enforced
> >> > HSTS.
> >> >
> >> > What do others think ?
> >> >
> >> >
> >> > thanks
> >> > devdatta
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > websec mailing list
> >> > websec@ietf.org
> >> > https://www.ietf.org/mailman/listinfo/websec
> >> >
> >> >
> >
> >
>

--00151748e052f5957704a8862828--

From bhill@paypal-inc.com  Fri Jul 22 13:31:54 2011
From: "Hill, Brad" <bhill@paypal-inc.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>, Adam Barth <ietf@adambarth.com>
Date: Fri, 22 Jul 2011 14:31:50 -0600
Message-ID: <213E0EC97FE58F469BB618245B3118BB550CA6E8C5@DEN-MEXMS-001.corp.ebay.com>
References: <CAPfop_1SFauSXO9RZvZtXLpb_dTpPCLLnp+C+eH24pcVFHwg8A@mail.gmail.com> <CAJE5ia85bSnimZ9ZkPiZr=HfBDMaz4TdVYD3YQGa9=xrdt1vDQ@mail.gmail.com> <CAPfop_1B-jBb8G0zdX+T0H56ZxiyrGsh2FkMN_tAuUOWqpn7Qg@mail.gmail.com> <CAJE5ia9dmp7a_aNY+nLbhNb6mpLpboYr_0Xp3FxAzrwsJ7z1dw@mail.gmail.com> <CAPfop_1Z=+DO91iJwdOnYWdaVbAkxh=u4oEEpxP8xPmQvi+DPQ@mail.gmail.com>
In-Reply-To: <CAPfop_1Z=+DO91iJwdOnYWdaVbAkxh=u4oEEpxP8xPmQvi+DPQ@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] X-Frame-Options and SSL

Devdatta is correct that allowing an insecure page to frame a secure one,
even with permission, presents a clickjacking risk in the presence of an
active network attacker.

Not to gratuitously muddy the waters, but I'm of two minds about the
proposed measure:

1) Don't add the invariant, because moving the threat from remote to
active is still a significant reduction in attack surface while
maintaining compatibility with existing usages.  If we break that, the
alternative is probably to have no protections.

2) Add the invariant because existing uses of this pattern are already
broken: the user can't readily verify the origin of or that the framed
content is, in fact, secure.  This is only a Spoofing risk, however, and
so is less severe than the direct Elevation of Privilege allowed by
clickjacking.  (spoofing a "like" or "pay" button doesn't get an
attacker much)

I guess I'm leaning towards "this is a weakness, but we shouldn't do
anything about it."

Brad

From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On Behalf Of Devdatta Akhawe
Sent: Wednesday, July 20, 2011 2:34 PM
To: Adam Barth
Cc: websec@ietf.org
Subject: Re: [websec] X-Frame-Options and SSL

In case of http bob including https jQuery, the HTTPS jQuery will run with
the privileges of http bob.

In the other case, https alice frame will run with the privileges of https
alice.


=dev
On 20 July 2011 13:30, Adam Barth <ietf@adambarth.com> wrote:
Why is that?  We're talking about HTTP Bob including HTTPS Alice, just
like we're talking about an HTTP page including HTTPS jQuery.

Adam


On Wed, Jul 20, 2011 at 1:26 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> The invariant I am talking about is more comparable to an https page
> including jquery with an http URL, something afaik is considered not safe
> and blocked by browsers.
>
> -devdatta
>
> On 20 July 2011 13:24, Adam Barth <ietf@adambarth.com> wrote:
>>
>> I'm not sure that invariant makes sense.  As another example, it seems
>> entirely reasonable for an HTTP page to include a copy of jQuery from
>> an HTTPS URL.
>>
>> Adam
>>
>>
>> On Wed, Jul 20, 2011 at 1:16 PM, Devdatta Akhawe <dev.akhawe@gmail.com>
>> wrote:
>> > Hi folks
>> >
>> > Consider a site at www.alice.com that wants to only be framed by their
>> > friends at www.bob.com.
>> >
>> > Say, a request to https://www.alice.com might respond with a
>> > X-Frame-Options: allow-from http://www.bob.com
>> >
>> > Clearly, the https://www.alice.com has the privileges to act with the
>> > 'secure' cookie for alice.com. In this scenario, http://www.bob.com
>> > might
>> > actually be MITM'ed by Mallory and contain malicious code. In this
>> > scenario,
>> > does it make sense to allow http://www.bob.example to frame
>> > https://www.alice.example? I think this is wrong behavior: a higher
>> > level invariant that should be maintained (at least in the newer specs
>> > :) is
>> > that only HTTPS content has access to secure cookie privileges.
>> >
>> > Thus, I think the right thing to do is :
>> > Enforce https for all the origins in the list returned in allow-from by
>> > https://www.alice.com. Even if https://www.alice.com responds with
>> > http://www.bob.com in its X-Frame-Options, the browser should only allow
>> > https://www.bob.com to frame https://www.alice.com
>> >
>> >
>> > I think this is even more compelling in case alice.com has enforced
>> > HSTS.
>> >
>> > What do others think ?
>> >
>> >
>> > thanks
>> > devdatta
>> >
>> >
>> >
>> > _______________________________________________
>> > websec mailing list
>> > websec@ietf.org
>> > https://www.ietf.org/mailman/listinfo/websec
>> >
>> >
>
>
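
The rule Devdatta proposes at the top of this thread (an HTTPS response's ALLOW-FROM should only let an HTTPS page frame it) and Brad's trade-off above are easier to weigh when the check is written out. The Python below is an added illustration for this archive, not code from any browser, from the draft, or from anyone in the thread. It compares origins as (scheme, host, port) tuples in the manner of RFC 6454, which the draft cites as [ORIGIN], and ignores anything after the authority in the ALLOW-FROM value. The policy names "legacy", "block" and "upgrade" are labels chosen here: "legacy" is origin comparison only (the behaviour the thread starts from), "block" refuses a non-HTTPS ALLOW-FROM reference on an HTTPS response (the variant discussed later in the thread), and "upgrade" honours Devdatta's "only allow https://www.bob.com" by requiring the framer itself to be HTTPS. The alice/bob URLs are the thread's own example names; the scenario in demo() is constructed.

```python
"""Evaluate X-Frame-Options against a framing page's origin (added example)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin tuple for a URL.

    Path and query are ignored, as the draft says for ALLOW-FROM values;
    a missing port defaults per scheme so http://h and http://h:80 match.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def parse_xfo(header_value):
    """Split an X-Frame-Options value into (DIRECTIVE, origin-or-None)."""
    directive, _, rest = header_value.strip().partition(" ")
    directive = directive.upper()
    if directive == "ALLOW-FROM":
        return directive, rest.strip()
    return directive, None


def may_frame(framed_url, xfo_value, framer_url, policy="legacy"):
    """Decide whether the top-level page at framer_url may frame framed_url.

    framed_url: URL of the response that carried X-Frame-Options.
    xfo_value:  that response's X-Frame-Options header value.
    framer_url: the page attempting the framing.
    policy:     "legacy", "block" or "upgrade" (labels chosen for this example).
    """
    directive, allowed = parse_xfo(xfo_value)
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin(framer_url) == origin(framed_url)
    if directive != "ALLOW-FROM" or not allowed:
        # Unknown or malformed header: fail closed rather than allow framing.
        return False

    allowed_origin = origin(allowed)
    framed_origin = origin(framed_url)

    # The case the thread is about: secure content naming an insecure framer.
    if framed_origin[0] == "https" and allowed_origin[0] != "https":
        if policy == "block":
            # An active network attacker on the framer's HTTP page could
            # reposition the secure frame, so refuse the delegation outright.
            return False
        if policy == "upgrade":
            # Keep the host the site named, but insist the framer be HTTPS.
            _, host, port = allowed_origin
            if port == DEFAULT_PORTS["http"]:
                port = DEFAULT_PORTS["https"]
            allowed_origin = ("https", host, port)

    return origin(framer_url) == allowed_origin


def demo():
    """Constructed scenario: HTTPS alice allows HTTP bob; who may frame her?

    Returns, per policy, (http bob allowed?, https bob allowed?).
    """
    framed = "https://www.alice.com/account"
    header = "ALLOW-FROM http://www.bob.com"
    return {
        policy: (
            may_frame(framed, header, "http://www.bob.com/embed", policy),
            may_frame(framed, header, "https://www.bob.com/embed", policy),
        )
        for policy in ("legacy", "block", "upgrade")
    }


if __name__ == "__main__":
    for policy, (http_bob, https_bob) in demo().items():
        print(f"{policy:8s} http bob: {http_bob!s:5s} https bob: {https_bob}")
```

Under "legacy" HTTP bob is allowed and HTTPS bob is not, which is exactly the combination Devdatta objects to; "block" refuses both, and "upgrade" flips the answer so that only HTTPS bob gets through. A non-HTTPS framed response is unaffected by either stricter policy, so Adam's HTTP-page-includes-HTTPS-resource case still behaves as before.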


From dross@microsoft.com  Fri Jul 22 13:58:22 2011
From: David Ross <dross@microsoft.com>
To: "Hill, Brad" <bhill@paypal-inc.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Adam Barth <ietf@adambarth.com>
Date: Fri, 22 Jul 2011 20:58:19 +0000
Message-ID: <F94D1172DEEC714BBD7F76476442D7151FD67EEF@TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com>
References: <CAPfop_1SFauSXO9RZvZtXLpb_dTpPCLLnp+C+eH24pcVFHwg8A@mail.gmail.com> <CAJE5ia85bSnimZ9ZkPiZr=HfBDMaz4TdVYD3YQGa9=xrdt1vDQ@mail.gmail.com> <CAPfop_1B-jBb8G0zdX+T0H56ZxiyrGsh2FkMN_tAuUOWqpn7Qg@mail.gmail.com> <CAJE5ia9dmp7a_aNY+nLbhNb6mpLpboYr_0Xp3FxAzrwsJ7z1dw@mail.gmail.com> <CAPfop_1Z=+DO91iJwdOnYWdaVbAkxh=u4oEEpxP8xPmQvi+DPQ@mail.gmail.com> <213E0EC97FE58F469BB618245B3118BB550CA6E8C5@DEN-MEXMS-001.corp.ebay.com>
In-Reply-To: <213E0EC97FE58F469BB618245B3118BB550CA6E8C5@DEN-MEXMS-001.corp.ebay.com>
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] X-Frame-Options and SSL

The draft RFC currently states:

>   Any data beyond the domain address (i.e. any data after the "/"
>   separator) is to be ignored and to verify a referring page is of the
>   same origin as the content or that the referring page is listed in
>   the ALLOW-FROM list of URI, the algorithm to compare origins from
>   [ORIGIN] should be used.

To address the concern we could add a sentence like:

---
Implementations should block HTTPS content from utilizing ALLOW-FROM
references to non-HTTPS URIs.
---

I'd vote to add it, just because it's easy, and "should" implies a
recommendation rather than a requirement.

David Ross
dross@microsoft.com

-----Original Message-----
From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On Behalf Of Hill, Brad
Sent: Friday, July 22, 2011 1:32 PM
To: Devdatta Akhawe; Adam Barth
Cc: websec@ietf.org
Subject: Re: [websec] X-Frame-Options and SSL

Devdatta is correct that allowing an insecure page to frame a secure one, e=
ven with permission, presents a clickjacking risk in the presence of an act=
ive network attacker.

Not to gratuitously muddy the waters, but I'm of two minds about the propos=
ed measure:

1) Don't add the invariant, because moving the threat from remote to active=
 is still a significant reduction in attack surface while maintaining compa=
tibility with existing usages.  If we break that, the alternative is probab=
ly to have no protections.

2) Add the invariant because existing uses of this pattern are already brok=
en: the user can't readily verify the origin of or that the framed content =
is, in fact, secure.  This is only a Spoofing risk, however, and so is less=
 severe than the direct Elevation of Privilege allowed by clickjacking.  (s=
poofing a "like" or "pay" button doesn't get an attacker much)

I guess I'm leaning towards "this is a weakness, but we shouldn't do anythi=
ng about it."

Brad

From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On Behalf Of Devdatta Akhawe
Sent: Wednesday, July 20, 2011 2:34 PM
To: Adam Barth
Cc: websec@ietf.org
Subject: Re: [websec] X-Frame-Options and SSL

In case of http bob including https jquery, the HTTPS Jquery will run with the privileges of http bob.

In the other case, https alice frame will run with the privileges of https alice


=dev
On 20 July 2011 13:30, Adam Barth <ietf@adambarth.com> wrote:
Why is that? We're talking about HTTP Bob including HTTPS Alice, just like we're talking about an HTTP page including HTTPS jQuery.

Adam


On Wed, Jul 20, 2011 at 1:26 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> The invariant I am talking about is more comparable to an https page
> including jquery with an http URL, something afaik is considered not
> safe and blocked by browsers.
>
> -devdatta
>
> On 20 July 2011 13:24, Adam Barth <ietf@adambarth.com> wrote:
>>
>> I'm not sure that invariant makes sense. As another example, it
>> seems entirely reasonable for an HTTP page to include a copy of
>> jQuery from an HTTPS URL.
>>
>> Adam
>>
>>
>> On Wed, Jul 20, 2011 at 1:16 PM, Devdatta Akhawe
>> <dev.akhawe@gmail.com>
>> wrote:
>> > Hi folks
>> >
>> > Consider a site at www.alice.com that wants to only be framed by
>> > their friends at www.bob.com.
>> >
>> > Say, a request to https://www.alice.com might respond with a
>> > X-Frame-Options: allow-from http://www.bob.com
>> >
>> > Clearly, the https://www.alice.com has the privileges to act with
>> > the 'secure' cookie for alice.com. In this scenario,
>> > http://www.bob.com might actually be MITM'ed by Mallory and contain
>> > malicious code. In this scenario, does it make sense to allow
>> > http://www.bob.example to frame https://www.alice.example? I think
>> > this is wrong behavior: a higher-level invariant that should
>> > be maintained (at least in the newer specs
>> > :) is
>> > that only HTTPS content has access to secure cookie privileges.
>> >
>> > Thus, I think the right thing to do is :
>> > Enforce https for all the origins in the list returned in
>> > allow-from by https://www.alice.com. Even if https://www.alice.com
>> > responds with http://www.bob.com in its X-Frame-Options, the
>> > browser should only allow https://www.bob.com to frame
>> > https://www.alice.com
>> >
>> >
>> > I think this is even more compelling in case alice.com has enforced
>> > HSTS.
>> >
>> > What do others think ?
>> >
>> >
>> > thanks
>> > devdatta
>> >
>> >
>> >
>> > _______________________________________________
>> > websec mailing list
>> > websec@ietf.org
>> > https://www.ietf.org/mailman/listinfo/websec
>> >
>> >
>
>



From dev.akhawe@gmail.com  Fri Jul 22 13:59:24 2011
In-Reply-To: <213E0EC97FE58F469BB618245B3118BB550CA6E8C5@DEN-MEXMS-001.corp.ebay.com>
From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 22 Jul 2011 13:59:03 -0700
Message-ID: <CAPfop_0E39t0F53J3VKQ+igOzL7haO+MCLLBPFkhnB9V7guJcQ@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] X-Frame-Options and SSL

> I guess I'm leaning towards "this is a weakness, but we shouldn't do anything about it."

Say alice.com does care about this. My problem with the above position
is alice.com can do nothing about this weakness. There is no flag it
can send to say "hey don't allow insecure things to frame me: I am
really worried about the active network attacker." It can do some
weird haxoring similar to JS framebusting code but it is a pretty bad
thing.

To me, this is similar to the original motivations for XFO.

From http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016284.html
----8<--------
"For a couple of months now, along with a number of my colleagues at
Google, we were investigating a security problem that we feel is very
difficult or impossible to avoid on application side, and might be best
addressed on HTML or HTTP level in contemporary browsers."

---->8----------

My view is that this weakness is similar to mixed content. Modern
browsers (e.g., IE9) block mixed content by default while still
allowing a click to enable it. I feel in the same style this should be
blocked, while still allowing the user to click through.

And in the same spirit, if the secure page being framed is HSTS
enabled then there shouldn't be an option to the user to click
through.



=Devdatta


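A worked version of the check discussed in this thread, as an added example that is not part of the thread, of the draft, or of any browser: it implements the quoted draft text (ignore everything after the ALLOW-FROM authority, compare origins as scheme/host/port per [ORIGIN]) together with the proposed rule that HTTPS content whitelisting a non-HTTPS framer is blocked, hard when the framed site enforces HSTS and user-overridable otherwise, as Devdatta's mixed-content analogy suggests. Function names, verdict strings and the sample URLs are assumptions of this example.

```python
"""Evaluate an X-Frame-Options header as the draft text quoted in this thread
describes, plus the http/https rule the thread debates. Added example, not code
from the draft or from any browser; names and verdicts are this example's own."""
from urllib.parse import urlsplit

# Default ports used when a URI carries none (RFC 6454 origin comparison)
DEFAULT_PORTS = {"http": 80, "https": 443}

# Verdicts (assumed names, not from the draft)
ALLOW = "allow"                                   # framing permitted
DENY = "deny"                                     # refused by the header itself
BLOCK_MIXED = "block-insecure-framer"             # HTTPS content, non-HTTPS framer, HSTS on
BLOCK_MIXED_OVERRIDABLE = "block-insecure-framer-user-may-override"


def origin_of(url):
    """Return (scheme, host, port): scheme and host lowercased, default port
    filled in, and everything after the authority (path, query) ignored, which is
    what 'any data after the "/" separator is to be ignored' amounts to."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if not scheme or not host:
        raise ValueError("URI has no scheme or host: %r" % url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(a, b):
    """Origin comparison from [ORIGIN]: scheme, host and port must all match."""
    return origin_of(a) == origin_of(b)


def parse_xfo(value):
    """Return (directive, uri): ('DENY', None), ('SAMEORIGIN', None) or
    ('ALLOW-FROM', uri). Directive matching is case-insensitive."""
    token, _, rest = value.strip().partition(" ")
    directive = token.upper()
    if directive in ("DENY", "SAMEORIGIN"):
        return directive, None
    if directive == "ALLOW-FROM" and rest.strip():
        return directive, rest.strip()
    raise ValueError("unrecognised X-Frame-Options value: %r" % value)


def frame_decision(framed_url, xfo_value, framer_url, framed_is_hsts=False):
    """Decide whether the page at framer_url may frame framed_url, given the
    framed response's X-Frame-Options value. The http/https step is the measure
    proposed in the thread, not part of the draft text quoted there."""
    directive, allowed_uri = parse_xfo(xfo_value)
    if directive == "DENY":
        return DENY
    if directive == "SAMEORIGIN":
        return ALLOW if same_origin(framed_url, framer_url) else DENY
    # ALLOW-FROM: the whitelisted origin must equal the framer's origin
    allowed = origin_of(allowed_uri)
    if allowed != origin_of(framer_url):
        return DENY
    # Proposed rule: HTTPS content must not whitelist a non-HTTPS framer.
    # With HSTS enforced there is no click-through; otherwise the user may override.
    if origin_of(framed_url)[0] == "https" and allowed[0] != "https":
        return BLOCK_MIXED if framed_is_hsts else BLOCK_MIXED_OVERRIDABLE
    return ALLOW


if __name__ == "__main__":
    # Constructed sample from the thread: https alice whitelists http bob.
    print(frame_decision("https://www.alice.com/", "ALLOW-FROM http://www.bob.com",
                         "http://www.bob.com/page"))
```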
From dev.akhawe@gmail.com  Fri Jul 22 14:04:55 2011
In-Reply-To: <CAPfop_0E39t0F53J3VKQ+igOzL7haO+MCLLBPFkhnB9V7guJcQ@mail.gmail.com>
From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 22 Jul 2011 14:04:34 -0700
Message-ID: <CAPfop_1EOXrVAs+YMWcufzcQCSfaDKLeOKJ6+3=pAZ1tX2K0rA@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] X-Frame-Options and SSL

On 22 July 2011 13:59, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>> I guess I'm leaning towards "this is a weakness, but we shouldn't do anything about it."
>
> Say alice.com does care about this. My problem with the above position
> is alice.com can do nothing about this weakness. There is no flag it
> can send to say "hey don't allow insecure things to frame me: I am
> really worried about the active network attacker." It can do some
> weird haxoring similar to JS framebusting code but it is a pretty bad
> thing.

Err .. my bad. Alice can just say "https://" in its allow-from directive.

Ignore the first part of the message and just see the note about how
it is similar to mixed content.

-devdatta



From bhill@paypal-inc.com  Fri Jul 22 14:16:34 2011
From: "Hill, Brad" <bhill@paypal-inc.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 22 Jul 2011 15:16:12 -0600
Message-ID: <213E0EC97FE58F469BB618245B3118BB550CA6E921@DEN-MEXMS-001.corp.ebay.com>
In-Reply-To: <CAPfop_0E39t0F53J3VKQ+igOzL7haO+MCLLBPFkhnB9V7guJcQ@mail.gmail.com>
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] X-Frame-Options and SSL

In this case alice.com can only include http://bob.com.  I'm not saying we should force inclusion of http://bob.com, I'm just saying we shouldn't ban it, because it's a lot better than nothing.

It is alike in concept to mixed content, but on a greatly reduced attack surface:  Routing a click to a location on a page vs. (in the case of a mixed script src) full control of the secure DOM.  For a business deploying XFO, that difference is pretty important.  Alice.com may want to be able to have a "like" or "pay" button from a secure source framed by the insecure bob.com because the risk/fraud rates from only active attackers may be acceptable or amenable to other compensating controls, where those from generalized remote clickjacking may not.

Brad
-----Original Message-----
From: Devdatta Akhawe [mailto:dev.akhawe@gmail.com]
Sent: Friday, July 22, 2011 2:59 PM
To: Hill, Brad
Cc: Adam Barth; websec@ietf.org
Subject: Re: [websec] X-Frame-Options and SSL

> I guess I'm leaning towards "this is a weakness, but we shouldn't do anything about it."

Say alice.com does care about this. My problem with the above position is alice.com can do nothing about this weakness. There is no flag it can send to say "hey don't allow insecure things to frame me: I am really worried about the active network attacker." It can do some weird haxoring similar to JS framebusting code but it is a pretty bad thing.

To me, this is similar to the original motivations for XFO.

From http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016284.html
----8<--------
"For a couple of months now, along with a number of my colleagues at Google, we were investigating a security problem that we feel is very difficult or impossible to avoid on application side, and might be best addressed on HTML or HTTP level in contemporary browsers."

---->8----------

My view is that this weakness is similar to mixed content. Modern browsers (e.g., IE9) block mixed content by default while still allowing a click to enable it. I feel in the same style this should be blocked, while still allowing the user to click through.

And in the same spirit, if the secure page being framed is HSTS enabled then there shouldn't be an option to the user to click through.



=Devdatta


From dev.akhawe@gmail.com  Fri Jul 22 14:31:06 2011
In-Reply-To: <213E0EC97FE58F469BB618245B3118BB550CA6E921@DEN-MEXMS-001.corp.ebay.com>
From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 22 Jul 2011 14:30:45 -0700
Message-ID: <CAPfop_3sirwMmgNbAbEGWFPBDwxhWxJapx2oqnFt-Gs_qOp5VA@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] X-Frame-Options and SSL

Yes, but IE9 (e.g.) blocks mixed stylesheets, frames, objects too.

Anyways, the point of the thread was to bring up discussion on this
possible weakness. I (really) don't care much on what should be done
in the default case. Whatever decision is taken by the WG, I think a
note should be added in the "Security Considerations" section to that
effect.

What I do feel strongly about is the case where the secure site being
framed is HSTS enabled. In such a scenario, the browser should block
the insecure frame from framing the secure site. Clearly, in the HSTS
case, the site has told the browser "I really care about the active
network attacker scenario" and as such the browser should be proactive
against the active network attacker. Do you agree?


-devdatta

On 22 July 2011 14:16, Hill, Brad <bhill@paypal-inc.com> wrote:
> In this case alice.com can only include http://bob.com.  I'm not saying
> we should force inclusion of http://bob.com, I'm just saying we shouldn't
> ban it, because it's a lot better than nothing.
>
> It is alike in concept to mixed content, but on a greatly reduced attack
> surface:  Routing a click to a location on a page vs. (in the case of a
> mixed script src) full control of the secure DOM.  For a business
> deploying XFO, that difference is pretty important.  Alice.com may want to
> be able to have a "like" or "pay" button from a secure source framed by
> the insecure bob.com because the risk/fraud rates from only active
> attackers may be acceptable or amenable to other compensating controls,
> where those from generalized remote clickjacking may not.
>
> Brad
> -----Original Message-----
> From: Devdatta Akhawe [mailto:dev.akhawe@gmail.com]
> Sent: Friday, July 22, 2011 2:59 PM
> To: Hill, Brad
> Cc: Adam Barth; websec@ietf.org
> Subject: Re: [websec] X-Frame-Options and SSL
>
>> I guess I'm leaning towards "this is a weakness, but we shouldn't do
>> anything about it."
>
> Say alice.com does care about this. My problem with the above position is
> alice.com can do nothing about this weakness. There is no flag it can send
> to say "hey don't allow insecure things to frame me: I am really worried
> about the active network attacker." It can do some weird haxoring similar
> to JS framebusting code but it is a pretty bad thing.
>
> To me, this is similar to the original motivations for XFO.
>
> From http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016284.html
> ----8<--------
> "For a couple of months now, along with a number of my colleagues at
> Google, we were investigating a security problem that we feel is very
> difficult or impossible to avoid on application side, and might be best
> addressed on HTML or HTTP level in contemporary browsers."
>
> ---->8----------
>
> My view is that this weakness is similar to mixed content. Modern
> browsers (e.g., IE9) block mixed content by default while still allowing
> a click to enable it. I feel in the same style this should be blocked,
> while still allowing the user to click through.
>
> And in the same spirit, if the secure page being framed is HSTS enabled
> then there shouldn't be an option to the user to click through.
>
>
>
> =Devdatta
>
>>
>> 1) Don't add the invariant, because moving the threat from remote to
>> active is still a significant reduction in attack surface while
>> maintaining compatibility with existing usages.  If we break that, the
>> alternative is probably to have no protections.
>>
>> 2) Add the invariant because existing uses of this pattern are already
>> broken: the user can't readily verify the origin of or that the framed
>> content is, in fact, secure.  This is only a Spoofing risk, however,
>> and so is less severe than the direct Elevation of Privilege allowed
>> by clickjacking.  (spoofing a "like" or "pay" button doesn't get an
>> attacker much)
>>
>> I guess I'm leaning towards "this is a weakness, but we shouldn't do
>> anything about it."
>>
>> Brad
>>
>> From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On
>> Behalf Of Devdatta Akhawe
>> Sent: Wednesday, July 20, 2011 2:34 PM
>> To: Adam Barth
>> Cc: websec@ietf.org
>> Subject: Re: [websec] X-Frame-Options and SSL
>>
>> In case of http bob including https jquery, the HTTPS Jquery will run
>> with the privileges of http bob.
>>
>> In the other case, https alice frame will run with the privileges of
>> https alice
>>
>>
>> =dev
>> On 20 July 2011 13:30, Adam Barth <ietf@adambarth.com> wrote:
>> Why is that?  We're talking about HTTP Bob including HTTPS Alice, just
>> like we're talking about an HTTP page including HTTPS jQuery.
>>
>> Adam
>>
>>
>> On Wed, Jul 20, 2011 at 1:26 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>> The invariant I am talking about is more comparable to an https page
>>> including jquery with an http URL, something afaik is considered not
>>> safe and blocked by browsers.
>>>
>>> -devdatta
>>>
>>> On 20 July 2011 13:24, Adam Barth <ietf@adambarth.com> wrote:
>>>>
>>>> I'm not sure that invariant makes sense.  As another example, it
>>>> seems entirely reasonable for an HTTP page to include a copy of
>>>> jQuery from an HTTPS URL.
>>>>
>>>> Adam
>>>>
>>>>
>>>> On Wed, Jul 20, 2011 at 1:16 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>>> > Hi folks
>>>> >
>>>> > Consider a site at www.alice.com that wants to only be framed by
>>>> > their friends at www.bob.com.
>>>> >
>>>> > Say, a request to https://www.alice.com might respond with a
>>>> > X-Frame-Options: allow-from http://www.bob.com
>>>> >
>>>> > Clearly, the https://www.alice.com has the privileges to act with
>>>> > the 'secure' cookie for alice.com. In this scenario,
>>>> > http://www.bob.com might actually be MITM'ed by Mallory and
>>>> > contain malicious code. In this scenario, does it make sense to
>>>> > allow http://www.bob.example to frame https://www.alice.example? I
>>>> > think this is wrong behavior: a higher level invariant that
>>>> > should be maintained (at least in the newer specs :) is
>>>> > that only HTTPS content has access to secure cookie privileges.
>>>> >
>>>> > Thus, I think the right thing to do is:
>>>> > Enforce https for all the origins in the list returned in
>>>> > allow-from by https://www.alice.com. Even if https://www.alice.com
>>>> > responds with http://www.bob.com in its X-Frame-Options, the
>>>> > browser should only allow https://www.bob.com to frame
>>>> > https://www.alice.com
>>>> >
>>>> >
>>>> > I think this is even more compelling in case alice.com has
>>>> > enforced HSTS.
>>>> >
>>>> > What do others think?
>>>> >
>>>> >
>>>> > thanks
>>>> > devdatta
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>
>>>
>>
>>
>
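The framing decision this thread argues over, as an added example that is not code from the thread, from the X-Frame-Options draft, or from any browser: `evaluateFraming` models the `allow-from` check two ways. With `policy: "current"` the framer must match the listed origin literally, so `https://www.alice.com` listing `http://www.bob.com` is framed by plain-http bob.com (the active-attacker exposure Devdatta describes). With `policy: "proposed"` an https resource may only be framed over https, the listed http origin is treated as its https counterpart, and the block is a mixed-content style "blocked, user may click through" unless the framed host is HSTS, in which case there is no override (Devdatta's stricter rule). The function names, the `framedIsHsts` flag, the return shape, the treatment of an unparseable header value as absent, and the upgrade of a listed http origin (default port included) to https are all assumptions made for this illustration.

```javascript
"use strict";
// Added example (not from the websec thread or any browser): a model of the
// X-Frame-Options "allow-from" decision under the literal rule ("current")
// and under the stricter https-only rule proposed in the thread ("proposed").

// Parse "scheme://host[:port]" into {scheme, host, port}; anything that is
// not a plain http(s) origin yields null.
function parseOrigin(str) {
  let url;
  try {
    url = new URL(str);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  const scheme = url.protocol.slice(0, -1);
  const port = url.port || (scheme === "https" ? "443" : "80");
  return { scheme, host: url.hostname.toLowerCase(), port };
}

// Parse an X-Frame-Options value into {directive, origin}.
function parseXfo(value) {
  const v = value.trim();
  const lower = v.toLowerCase();
  if (lower === "deny" || lower === "sameorigin") return { directive: lower, origin: null };
  const m = /^allow-from\s+(\S+)$/i.exec(v);
  const origin = m ? parseOrigin(m[1]) : null;
  return origin ? { directive: "allow-from", origin } : { directive: "invalid", origin: null };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Assumption for the proposed rule: a listed http origin stands for its https
// counterpart, and the default port is upgraded along with the scheme.
function upgradeToHttps(origin) {
  return { scheme: "https", host: origin.host, port: origin.port === "80" ? "443" : origin.port };
}

// Decide whether a document at `framerOrigin` may embed the resource at
// `framedUrl`, which was served with X-Frame-Options `xfo`. `userOverride`
// is true when the block is the mixed-content style "blocked, but the user
// may click through"; under HSTS the proposed rule never offers that.
function evaluateFraming({ framedUrl, framerOrigin, xfo, framedIsHsts = false, policy = "current" }) {
  const framed = parseOrigin(framedUrl);
  const framer = parseOrigin(framerOrigin);
  if (!framed || !framer) return { allow: false, reason: "unparseable origin", userOverride: false };
  const { directive, origin: listed } = parseXfo(xfo);

  if (directive === "deny") return { allow: false, reason: "DENY", userOverride: false };
  if (directive === "sameorigin") {
    const ok = sameOrigin(framed, framer);
    return { allow: ok, reason: ok ? "same origin" : "SAMEORIGIN mismatch", userOverride: false };
  }
  // Assumption: an unparseable value is treated as if the header were absent.
  if (directive === "invalid") return { allow: true, reason: "header ignored", userOverride: false };

  if (policy === "proposed" && framed.scheme === "https") {
    if (framer.scheme !== "https") {
      return { allow: false, reason: "insecure framer of a secure resource", userOverride: !framedIsHsts };
    }
    const ok = sameOrigin(upgradeToHttps(listed), framer);
    return { allow: ok, reason: ok ? "allow-from match (https enforced)" : "allow-from mismatch", userOverride: false };
  }
  const ok = sameOrigin(listed, framer);
  return { allow: ok, reason: ok ? "allow-from match" : "allow-from mismatch", userOverride: false };
}

// The thread's scenario: https://www.alice.com lists http://www.bob.com.
function aliceBobScenario() {
  const base = { framedUrl: "https://www.alice.com/", xfo: "ALLOW-FROM http://www.bob.com" };
  return {
    currentHttpBob: evaluateFraming({ ...base, framerOrigin: "http://www.bob.com", policy: "current" }),
    currentHttpsBob: evaluateFraming({ ...base, framerOrigin: "https://www.bob.com", policy: "current" }),
    proposedHttpBob: evaluateFraming({ ...base, framerOrigin: "http://www.bob.com", policy: "proposed" }),
    proposedHttpBobHsts: evaluateFraming({ ...base, framerOrigin: "http://www.bob.com", policy: "proposed", framedIsHsts: true }),
    proposedHttpsBob: evaluateFraming({ ...base, framerOrigin: "https://www.bob.com", policy: "proposed" }),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(aliceBobScenario(), null, 2));
}
```

Run under Node to print the five outcomes for the www.alice.com / www.bob.com case: the literal rule admits http bob.com and rejects https bob.com, while the proposed rule does the reverse and downgrades the http case to a click-through block, or a hard block once HSTS is in play.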

From bhill@paypal-inc.com  Fri Jul 22 15:34:34 2011
From: "Hill, Brad" <bhill@paypal-inc.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 22 Jul 2011 16:34:29 -0600
Message-ID: <213E0EC97FE58F469BB618245B3118BB550CA6E9C4@DEN-MEXMS-001.corp.ebay.com>
References: <CAPfop_1SFauSXO9RZvZtXLpb_dTpPCLLnp+C+eH24pcVFHwg8A@mail.gmail.com> <CAJE5ia85bSnimZ9ZkPiZr=HfBDMaz4TdVYD3YQGa9=xrdt1vDQ@mail.gmail.com> <CAPfop_1B-jBb8G0zdX+T0H56ZxiyrGsh2FkMN_tAuUOWqpn7Qg@mail.gmail.com> <CAJE5ia9dmp7a_aNY+nLbhNb6mpLpboYr_0Xp3FxAzrwsJ7z1dw@mail.gmail.com> <CAPfop_1Z=+DO91iJwdOnYWdaVbAkxh=u4oEEpxP8xPmQvi+DPQ@mail.gmail.com> <213E0EC97FE58F469BB618245B3118BB550CA6E8C5@DEN-MEXMS-001.corp.ebay.com> <CAPfop_0E39t0F53J3VKQ+igOzL7haO+MCLLBPFkhnB9V7guJcQ@mail.gmail.com> <213E0EC97FE58F469BB618245B3118BB550CA6E921@DEN-MEXMS-001.corp.ebay.com> <CAPfop_3sirwMmgNbAbEGWFPBDwxhWxJapx2oqnFt-Gs_qOp5VA@mail.gmail.com>
In-Reply-To: <CAPfop_3sirwMmgNbAbEGWFPBDwxhWxJapx2oqnFt-Gs_qOp5VA@mail.gmail.com>
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] X-Frame-Options and SSL

No, the clickjacking risk against an individual resource can still be
managed independently of HSTS.

It's not just about the attacker, it's about the asset.  HSTS can be used
to protect high value assets like credentials and sessions without implying
that every inbound click is high value or not subject to other controls.


Let's take a purely hypothetical scenario where alice.com wants to put a
button in a frame on example.com. Let's also say that every hijacked click
to alice.com against a U.S. user of example.com can generate a revenue of
$0.02 for an attacker.  Alice.com deploys HSTS but example.com doesn't
deploy https.  Alice.com believes it can generate revenues of $500/day from
example.com.  Example.com believes it can generate revenue of $500/day from
the partnership, but can't be convinced to move to https because that would
cost $1000/day - more than the total value of the partnership.

If we let "https://alice.com/exampleDotComButton" set XFO to "ALLOW
http://example.com", there is the possibility that an attacker can set up
in a U.S. coffee shop as an active MITM.  Such an attacker might make $0.50
a day.  This is probably not worth the cost of mounting the attack, and
alice.com might notice the attack and add controls based on the originating
IP or address block before any significant money flows to the attacker.
Because of this, alice.com's expected loss with XFO to the insecure site is
maybe only $0.06/day and it is willing to accept this risk.

If alice.com doesn't deploy any XFO headers, attackers can operate out of
countries with a low cost of living, ensnare many more users, and generate
fraud revenues of $100/day.

If we change XFO so that sites that deploy HSTS require https-only framing,
alice.com is left with only bad choices:  bear the risk of clickjacking,
turn off HSTS, or don't partner and forgo the revenue from example.com.

-Brad

-----Original Message-----
From: Devdatta Akhawe [mailto:dev.akhawe@gmail.com]
Sent: Friday, July 22, 2011 3:31 PM
To: Hill, Brad
Cc: Adam Barth; websec@ietf.org
Subject: Re: [websec] X-Frame-Options and SSL

Yes, but IE9 (e.g.) blocks mixed stylesheets, frames, objects too.

Anyways, the point of the thread was to bring up discussion on this
possible weakness. I (really) don't care much on what should be done in the
default case. Whatever decision is taken by the WG, I think a note should be
added in the "Security Considerations" section to that effect.

What I do feel strongly about is the case where the secure site being
framed is HSTS enabled. In such a scenario, the browser should block the
insecure frame from framing the secure site. Clearly, in the HSTS case, the
site has told the browser "I really care about the active network attacker
scenario" and as such the browser should be proactive against the active
network attacker. Do you agree?


-devdatta

On 22 July 2011 14:16, Hill, Brad <bhill@paypal-inc.com> wrote:
> In this case alice.com can only include http://bob.com.  I'm not saying
> we should force inclusion of http://bob.com, I'm just saying we shouldn't
> ban it, because it's a lot better than nothing.
>
> It is alike in concept to mixed content, but on a greatly reduced attack
> surface:  Routing a click to a location on a page vs. (in the case of a
> mixed script src) full control of the secure DOM.  For a business
> deploying XFO, that difference is pretty important.  Alice.com may want to
> be able to have a "like" or "pay" button from a secure source framed by
> the insecure bob.com because the risk/fraud rates from only active
> attackers may be acceptable or amenable to other compensating controls,
> where those from generalized remote clickjacking may not.
>
> Brad
> -----Original Message-----
> From: Devdatta Akhawe [mailto:dev.akhawe@gmail.com]
> Sent: Friday, July 22, 2011 2:59 PM
> To: Hill, Brad
> Cc: Adam Barth; websec@ietf.org
> Subject: Re: [websec] X-Frame-Options and SSL
>
>> I guess I'm leaning towards "this is a weakness, but we shouldn't do
>> anything about it."
>
> Say alice.com does care about this. My problem with the above position is
> alice.com can do nothing about this weakness. There is no flag it can send
> to say "hey don't allow insecure things to frame me: I am really worried
> about the active network attacker." It can do some weird haxoring similar
> to JS framebusting code but it is a pretty bad thing.
>
> To me, this is similar to the original motivations for XFO.
>
> From http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016284.html
> ----8<--------
> "For a couple of months now, along with a number of my colleagues at
> Google, we were investigating a security problem that we feel is very
> difficult or impossible to avoid on application side, and might be best
> addressed on HTML or HTTP level in contemporary browsers."
>
> ---->8----------
>
> My view is that this weakness is similar to mixed content. Modern
> browsers (e.g., IE9) block mixed content by default while still allowing
> a click to enable it. I feel in the same style this should be blocked,
> while still allowing the user to click through.
>
> And in the same spirit, if the secure page being framed is HSTS enabled
> then there shouldn't be an option to the user to click through.
>
>
>
> =Devdatta
>
>>
>> 1) Don't add the invariant, because moving the threat from remote to
>> active is still a significant reduction in attack surface while
>> maintaining compatibility with existing usages.  If we break that, the
>> alternative is probably to have no protections.
>>
>> 2) Add the invariant because existing uses of this pattern are already
>> broken: the user can't readily verify the origin of or that the framed
>> content is, in fact, secure.  This is only a Spoofing risk, however,
>> and so is less severe than the direct Elevation of Privilege allowed
>> by clickjacking.  (spoofing a "like" or "pay" button doesn't get an
>> attacker much)
>>
>> I guess I'm leaning towards "this is a weakness, but we shouldn't do
>> anything about it."
>>
>> Brad
>>
>> From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On
>> Behalf Of Devdatta Akhawe
>> Sent: Wednesday, July 20, 2011 2:34 PM
>> To: Adam Barth
>> Cc: websec@ietf.org
>> Subject: Re: [websec] X-Frame-Options and SSL
>>
>> In case of http bob including https jquery, the HTTPS Jquery will run
>> with the privileges of http bob.
>>
>> In the other case, https alice frame will run with the privileges of
>> https alice
>>
>>
>> =dev
>> On 20 July 2011 13:30, Adam Barth <ietf@adambarth.com> wrote:
>> Why is that?  We're talking about HTTP Bob including HTTPS Alice, just
>> like we're talking about an HTTP page including HTTPS jQuery.
>>
>> Adam
>>
>>
>> On Wed, Jul 20, 2011 at 1:26 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>> The invariant I am talking about is more comparable to an https page
>>> including jquery with an http URL, something afaik is considered not
>>> safe and blocked by browsers.
>>>
>>> -devdatta
>>>
>>> On 20 July 2011 13:24, Adam Barth <ietf@adambarth.com> wrote:
>>>>
>>>> I'm not sure that invariant makes sense.  As another example, it
>>>> seems entirely reasonable for an HTTP page to include a copy of
>>>> jQuery from an HTTPS URL.
>>>>
>>>> Adam
>>>>
>>>>
>>>> On Wed, Jul 20, 2011 at 1:16 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>>> > Hi folks
>>>> >
>>>> > Consider a site at www.alice.com that wants to only be framed by
>>>> > their friends at www.bob.com.
>>>> >
>>>> > Say, a request to https://www.alice.com might respond with a
>>>> > X-Frame-Options: allow-from http://www.bob.com
>>>> >
>>>> > Clearly, the https://www.alice.com has the privileges to act with
>>>> > the 'secure' cookie for alice.com. In this scenario,
>>>> > http://www.bob.com might actually be MITM'ed by Mallory and
>>>> > contain malicious code. In this scenario, does it make sense to
>>>> > allow http://www.bob.example to frame https://www.alice.example?
>>>> > I think this is wrong behavior: a higher level invariant
>>>> > that should be maintained (at least in the newer specs :) is
>>>> > that only HTTPS content has access to secure cookie privileges.
>>>> >
>>>> > Thus, I think the right thing to do is:
>>>> > Enforce https for all the origins in the list returned in
>>>> > allow-from by https://www.alice.com. Even if
>>>> > https://www.alice.com responds with http://www.bob.com in its
>>>> > X-Frame-Options, the browser should only allow
>>>> > https://www.bob.com to frame https://www.alice.com
>>>> >
>>>> >
>>>> > I think this is even more compelling in case alice.com has
>>>> > enforced HSTS.
>>>> >
>>>> > What do others think?
>>>> >
>>>> >
>>>> > thanks
>>>> > devdatta
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>
>>>
>>
>>
>

From tobias.gondrom@gondrom.org  Fri Jul 22 16:10:19 2011
Message-ID: <4E2A0323.2030000@gondrom.org>
Date: Sat, 23 Jul 2011 00:09:23 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
To: websec@ietf.org
Subject: [websec] Websec meeting in Quebec on July-25

Hello dear websec fellows,

just some final updates for our meeting on Monday, July-25 at 
13:00-15:00 (Quebec time) in Room 202:
Agenda can be found here: 
http://www.ietf.org/proceedings/81/agenda/websec.txt

For remote participation:
- Jabber: websec@jabber.ietf.org
(still looking for volunteer jabber scribe who can relay comments from 
the Jabber room to the meeting room)

- Audio:
There will be an audio stream to listen in:
http://www.ietf.org/meeting/81/remote-participation.html
(click on the stream for room 202)

- Meeting Materials will be available here:
https://datatracker.ietf.org/meeting/81/materials.html
(I will upload all the slides Sunday evening, as soon as I receive them.)

Kind regards and looking forward to seeing you on Monday!

Tobias
(chair of websec)




From dev.akhawe@gmail.com  Fri Jul 22 21:20:33 2011
In-Reply-To: <213E0EC97FE58F469BB618245B3118BB550CA6E9C4@DEN-MEXMS-001.corp.ebay.com>
References: <CAPfop_1SFauSXO9RZvZtXLpb_dTpPCLLnp+C+eH24pcVFHwg8A@mail.gmail.com> <CAJE5ia85bSnimZ9ZkPiZr=HfBDMaz4TdVYD3YQGa9=xrdt1vDQ@mail.gmail.com> <CAPfop_1B-jBb8G0zdX+T0H56ZxiyrGsh2FkMN_tAuUOWqpn7Qg@mail.gmail.com> <CAJE5ia9dmp7a_aNY+nLbhNb6mpLpboYr_0Xp3FxAzrwsJ7z1dw@mail.gmail.com> <CAPfop_1Z=+DO91iJwdOnYWdaVbAkxh=u4oEEpxP8xPmQvi+DPQ@mail.gmail.com> <213E0EC97FE58F469BB618245B3118BB550CA6E8C5@DEN-MEXMS-001.corp.ebay.com> <CAPfop_0E39t0F53J3VKQ+igOzL7haO+MCLLBPFkhnB9V7guJcQ@mail.gmail.com> <213E0EC97FE58F469BB618245B3118BB550CA6E921@DEN-MEXMS-001.corp.ebay.com> <CAPfop_3sirwMmgNbAbEGWFPBDwxhWxJapx2oqnFt-Gs_qOp5VA@mail.gmail.com> <213E0EC97FE58F469BB618245B3118BB550CA6E9C4@DEN-MEXMS-001.corp.ebay.com>
From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 22 Jul 2011 21:20:11 -0700
Message-ID: <CAPfop_23Frjr9d4CnhZ-1VTp6bzY-kq3VU+GFWebzAtvvPh_Hg@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] X-Frame-Options and SSL

I guess I am looking at it from a more 'what-is-the-invariant'
perspective. The fact that HSTS makes everything HTTPS is a nice
simple invariant that I feel is worth maintaining.

Re. the economics argument: seems to me that you are
assuming rational behavior; that Alice.com knowingly (and fully
understanding the implications) chose to say "allow http site to frame
me."

I fear that the reason alice.com said "allow http://bob.com to frame
me" might be that alice didn't realize the implications.
Alice thought HSTS made her secure against active network
attacker and doesn't understand the dangers of being framed by
untrusted party.

This is similar to why people created https pages with http scripts*
in them: they didn't do this because 'the total money earned by
attackers by hijacking the script to be on the wire is less than the
cost of being on the wire'. They did it because they forgot/didn't
think of the threat.

Maintaining one simple invariant is a good thing. Having a separate
mechanism for 'make me safe against active network attacker' reminds
me of the 'secure' cookie: one had to use https as well as remember to
use 'secure' cookies to really be secure against the active network
attackers.
---

But the scenario you presented also makes sense to me. I think my
confusion was that I thought HSTS mandated browsers to block mixed
content. Rereading the draft, it seems HSTS only suggests browsers do
this (Section #10) and doesn't mandate any thing like this.

How about a similar language for HSTS enabled sites being framed by HTTP
sites?


Thanks
devdatta








On 22 July 2011 15:34, Hill, Brad <bhill@paypal-inc.com> wrote:
> No, the clickjacking risk against an individual resource can still be man=
aged independently of HSTS.
>
> It's not just about the attacker, it's about the asset. =A0HSTS can be us=
ed to protect high value assets like credentials and sessions without imply=
ing that every inbound click is high value or not subject to other controls=
.
>
>
> Let's take a purely hypothetical scenario where alice.com wants to put a =
button in a frame on example.com. Let's also say that every hijacked click =
to alice.com against a U.S. user of example.com can generate a revenue of $=
0.02 for an attacker. =A0Alice.com deploys HSTS but example.com doesn't dep=
loy https. =A0 Alice.com believes it can generate revenues of $500/day from=
 example.com. =A0Example.com believes it can generate revenue of $500/day f=
rom the partnership, but can't be convinced to move to https because that w=
ould cost $1000/day - more than the total value of the partnership.
>
> If we let "https://alice.com/exampleDotComButton" set XFO to "ALLOW http://example.com", there is the possibility that an attacker can set up in a U.S. coffee shop as an active MITM. Such an attacker might make $0.50 a day. This is probably not worth the cost of mounting the attack, and alice.com might notice the attack and add controls based on the originating IP or address block before any significant money flows to the attacker. Because of this, alice.com's expected loss with XFO to the insecure site is maybe only $0.06/day and it is willing to accept this risk.
>
> If alice.com doesn't deploy any XFO headers, attackers can operate out of countries with a low cost of living, ensnare many more users, and generate fraud revenues of $100/day.
>
> If we change XFO so that sites that deploy HSTS require https-only framing, alice.com is left with only bad choices: bear the risk of clickjacking, turn off HSTS, or don't partner and forgo the revenue from example.com.
>
> -Brad
>
>
> -----Original Message-----
> From: Devdatta Akhawe [mailto:dev.akhawe@gmail.com]
> Sent: Friday, July 22, 2011 3:31 PM
> To: Hill, Brad
> Cc: Adam Barth; websec@ietf.org
> Subject: Re: [websec] X-Frame-Options and SSL
>
> Yes, but IE9 (e.g.) blocks mixed stylesheets, frames, objects too.
>
> Anyways, the point of the thread was to bring up discussion on this possible weakness. I (really) don't care much on what should be done in the default case. Whatever decision is taken by the WG, I think a note should be added in the "Security Considerations" section to that effect.
>
> What I do feel strongly about is the case where the secure site being framed is HSTS enabled. In such a scenario, the browser should block the insecure frame from framing the secure site. Clearly, in the HSTS case, the site has told the browser "I really care about the active network attacker scenario" and as such the browser should be proactive against the active network attacker. Do you agree?
>
>
> -devdatta
>
> On 22 July 2011 14:16, Hill, Brad <bhill@paypal-inc.com> wrote:
>> In this case alice.com can only include http://bob.com. I'm not saying we should force inclusion of http://bob.com, I'm just saying we shouldn't ban it, because it's a lot better than nothing.
>>
>> It is alike in concept to mixed content, but on a greatly reduced attack surface: routing a click to a location on a page vs. (in the case of a mixed script src) full control of the secure DOM. For a business deploying XFO, that difference is pretty important. Alice.com may want to be able to have a "like" or "pay" button from a secure source framed by the insecure bob.com because the risk/fraud rates from only active attackers may be acceptable or amenable to other compensating controls, where those from generalized remote clickjacking may not.
>>
>> Brad
>> -----Original Message-----
>> From: Devdatta Akhawe [mailto:dev.akhawe@gmail.com]
>> Sent: Friday, July 22, 2011 2:59 PM
>> To: Hill, Brad
>> Cc: Adam Barth; websec@ietf.org
>> Subject: Re: [websec] X-Frame-Options and SSL
>>
>>> I guess I'm leaning towards "this is a weakness, but we shouldn't do anything about it."
>>
>> Say alice.com does care about this. My problem with the above position is alice.com can do nothing about this weakness. There is no flag it can send to say "hey don't allow insecure things to frame me: I am really worried about the active network attacker." It can do some weird haxoring similar to JS framebusting code but it is a pretty bad thing.
>>
>> To me, this is similar to the original motivations for XFO.
>>
>> From http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016284.html
>> ----8<--------
>> "For a couple of months now, along with a number of my colleagues at Google, we were investigating a security problem that we feel is very difficult or impossible to avoid on application side, and might be best addressed on HTML or HTTP level in contemporary browsers."
>>
>> ---->8----------
>>
>> My view is that this weakness is similar to mixed content. Modern browsers (e.g., IE9) block mixed content by default while still allowing a click to enable it. I feel in the same style this should be blocked, while still allowing the user to click through.
>>
>> And in the same spirit, if the secure page being framed is HSTS enabled then there shouldn't be an option to the user to click through.
>>
>>
>>
>> =Devdatta
>>
>>>
>>> 1) Don't add the invariant, because moving the threat from remote to active is still a significant reduction in attack surface while maintaining compatibility with existing usages. If we break that, the alternative is probably to have no protections.
>>>
>>> 2) Add the invariant because existing uses of this pattern are
>>> already
>>> broken: the user can't readily verify the origin of or that the
>>> framed content is, in fact, secure. This is only a Spoofing risk,
>>> however, and so is less severe than the direct Elevation of Privilege
>>> allowed by clickjacking. (spoofing a "like" or "pay" button doesn't
>>> get an attacker much)
>>>
>>> I guess I'm leaning towards "this is a weakness, but we shouldn't do anything about it."
>>>
>>> Brad
>>>
>>> From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On
>>> Behalf Of Devdatta Akhawe
>>> Sent: Wednesday, July 20, 2011 2:34 PM
>>> To: Adam Barth
>>> Cc: websec@ietf.org
>>> Subject: Re: [websec] X-Frame-Options and SSL
>>>
>>> In case of http bob including https jquery, the HTTPS jQuery will run with the privileges of http bob.
>>>
>>> In the other case, https alice frame will run with the privileges of
>>> https alice
>>>
>>>
>>> =dev
>>> On 20 July 2011 13:30, Adam Barth <ietf@adambarth.com> wrote:
>>> Why is that? We're talking about HTTP Bob including HTTPS Alice,
>>> just like we're talking about an HTTP page including HTTPS jQuery.
>>>
>>> Adam
>>>
>>>
>>> On Wed, Jul 20, 2011 at 1:26 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>>> The invariant I am talking about is more comparable to an https page
>>>> including jquery with an http URL, something afaik is considered not
>>>> safe and blocked by browsers.
>>>>
>>>> -devdatta
>>>>
>>>> On 20 July 2011 13:24, Adam Barth <ietf@adambarth.com> wrote:
>>>>>
>>>>> I'm not sure that invariant makes sense. As another example, it
>>>>> seems entirely reasonable for an HTTP page to include a copy of
>>>>> jQuery from an HTTPS URL.
>>>>>
>>>>> Adam
>>>>>
>>>>>
>>>>> On Wed, Jul 20, 2011 at 1:16 PM, Devdatta Akhawe
>>>>> <dev.akhawe@gmail.com>
>>>>> wrote:
>>>>> > Hi folks
>>>>> >
>>>>> > Consider a site at www.alice.com that wants to only be framed by
>>>>> > their friends at www.bob.com.
>>>>> >
>>>>> > Say, a request to https://www.alice.com might respond with a
>>>>> > X-Frame-Options: allow-from http://www.bob.com
>>>>> >
>>>>> > Clearly, the https://www.alice.com has the privileges to act with
>>>>> > the 'secure' cookie for alice.com. In this scenario,
>>>>> > http://www.bob.com might actually be MITM'ed by Mallory and
>>>>> > contain malicious code. In this scenario, does it make sense to
>>>>> > allow http://www.bob.example to frame https://www.alice.example?
>>>>> > I think this is wrong behavior: a higher-level invariant
>>>>> > that should be maintained (at least in the newer specs
>>>>> > :) is
>>>>> > that only HTTPS content has access to secure cookie privileges.
>>>>> >
>>>>> > Thus, I think the right thing to do is :
>>>>> > Enforce https for all the origins in the list returned in
>>>>> > allow-from by https://www.alice.com. Even if
>>>>> > https://www.alice.com responds with http://www.bob.com in its
>>>>> > X-Frame-Options, the browser should only allow
>>>>> > https://www.bob.com to frame https://www.alice.com
>>>>> >
>>>>> >
>>>>> > I think this is even more compelling in case alice.com has
>>>>> > enforced HSTS.
>>>>> >
>>>>> > What do others think ?
>>>>> >
>>>>> >
>>>>> > thanks
>>>>> > devdatta
>>>>> >
>>>>> >
>>>>> >
>>>>> > _______________________________________________
>>>>> > websec mailing list
>>>>> > websec@ietf.org
>>>>> > https://www.ietf.org/mailman/listinfo/websec
>>>>> >
>>>>> >
>>>>
>>>>
>>>
>>>
>>
>

From tobias.gondrom@gondrom.org  Sat Jul 23 08:58:20 2011
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D833B21F85EE for <websec@ietfa.amsl.com>; Sat, 23 Jul 2011 08:58:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.362
X-Spam-Level: 
X-Spam-Status: No, score=-95.362 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LmC3ze4XTXug for <websec@ietfa.amsl.com>; Sat, 23 Jul 2011 08:58:20 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (lvps83-169-7-107.dedicated.hosteurope.de [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id 9DD1A21F85DB for <websec@ietf.org>; Sat, 23 Jul 2011 08:58:19 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=KJPxXxOGmA/eWjWNOdh3x9RGh9iYpxaHB1mZC4IUf/MEJf853pojTmryp+NfxfmGvQGi+LTvCjsE2Fmp0h9YWNpXUz3oHEUPT+bb2SevPXjVDO4xgxt3W6UdJfam/vEz; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 26412 invoked from network); 23 Jul 2011 17:57:47 +0200
Received: from unknown (HELO ?172.17.9.73?) (207.134.107.2) by lvps83-169-7-107.dedicated.hosteurope.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 23 Jul 2011 17:57:47 +0200
Message-ID: <4E2AEF7B.5010508@gondrom.org>
Date: Sat, 23 Jul 2011 16:57:47 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20110627 Thunderbird/5.0
MIME-Version: 1.0
To: tlr@w3.org
References: <DAD1FA49-1355-4769-852C-F47AB8E04682@w3.org> <CAJE5ia8GNutuU5d=2v8SjN=Rigck_XPRAoShzFb=s=5KcyLfJA@mail.gmail.com> <F94D1172DEEC714BBD7F76476442D7151FD3B64C@TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com> <E8D46251-DA4C-46B8-8602-D42EC7278CCD@w3.org>
In-Reply-To: <E8D46251-DA4C-46B8-8602-D42EC7278CCD@w3.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Sat, 23 Jul 2011 09:02:23 -0700
Cc: chaals@opera.com, ekr@rtfm.com, public-web-security@w3.org, adrianba@microsoft.com, mike@w3.org, websec@ietf.org, mjs@apple.com, public-webapps@w3.org, mnot@mnot.net, art.barstow@nokia.com, w3c@adambarth.com
Subject: Re: [websec] Frame embedding: One problem, three possible specs?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jul 2011 15:58:20 -0000

Hi all,

sorry for the late answer, a flu and some other duties kept me from 
answering so far.

I agree with Thomas, Adam and David, so please go ahead with the 
webappsecwg charter.

The current plan for #3 is to be adopted in websec (as http headers 
should be done in IETF) and proceed within a few months to RFC. (main 
idea is to progress the adopted X-Frame-Options to standard and enhance 
where necessary).

A conflict with current CSP would be bad, but as Adam said, I agree that 
it might be kept outside of CSP and progress normally in websec.

Kind regards, Tobias


On 12/07/11 20:07, Thomas Roessler wrote:
> So, looking at this thread, here's what I suggest for the webappsecwg charter: We keep the deliverable in there, but make it very clear that the group should liaise particularly closely with websec "and other IETF work around framing policy" (or some such), explicitly to avoid conflicting or competing specifications.
>
> That way, if the vision of complementary specs that Brad describes materializes, we have the necessary charter coverage, but we're very clear that other work is going on and should be respected.
>
> If that's ok with everybody, I'll make the tweak before we send this to the membership.
>
> --
> Thomas Roessler, W3C <tlr@w3.org> (@roessler)
>
>
>
>
>
>
>
> On Jul 8, 2011, at 01:07 , David Ross wrote:
>
>> #3 is a narrowly scoped effort to standardize something that works pretty well today in practice (X-FRAME-OPTIONS).  A conflict with CSP would be bad, but per Adam it seems like overlap is looking less likely.  So proceeding down the current path on #3 sounds good to me.
>>
>> David Ross
>> dross@microsoft.com
>>
>>
>> -----Original Message-----
>> From: Adam Barth [mailto:w3c@adambarth.com]
>> Sent: Thursday, July 07, 2011 3:24 PM
>> To: Thomas Roessler
>> Cc: Tobias Gondrom; Arthur Barstow; Brad Hill; Eric Rescorla; Alexey Melnikov; David Ross; Anne van Kesteren; Adrian Bateman; Brandon Sterne; Charles McCathieNevile; Maciej Stachowiak; Peter Saint-Andre; Michael(tm) Smith; Mark Nottingham; Jeff Hodges; public-web-security@w3.org; public-webapps@w3.org; websec@ietf.org
>> Subject: Re: Frame embedding: One problem, three possible specs?
>>
>> My sense from talking with folks is that there isn't a lot of enthusiasm for supporting this use case in CSP at the present time.
>> We're trying to concentrate on a core set of directives for the first iteration.  If it helps reduce complexity, you might consider dropping option (1) for the time being.
>>
>> Adam
>>
>>
>>> On Thu, Jul 7, 2011 at 2:11 PM, Thomas Roessler <tlr@w3.org> wrote:
>>> (Warning, this is cross-posted widely. One of the lists is the IETF
>>> websec mailing list, to which the IETF NOTE WELL applies:
>>> http://www.ietf.org/about/note-well.html)
>>>
>>>
>>> Folks,
>>>
>>> there appear to be at least three possible specifications addressing this space, with similar but different designs:
>>>
>>> 1. A proposed deliverable in the WebAppSec group to take up on X-Frame-Options and express those in CSP:
>>>   http://www.w3.org/2011/07/appsecwg-charter.html
>>>
>>> (We expect that this charter might go to the W3C AC for review as soon
>>> as next week.)
>>>
>>> 2. The "From-Origin" draft (aka "Cross-Origin Resource Embedding Exclusion") currently considered for publication as an FPWD in the Webapps WG:
>>>
>>> http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/0088.html
>>>
>>> This draft mentions integration into CSP as a possible path forward.
>>>
>>> 3. draft-gondrom-frame-options, an individual I-D mentioned to websec:
>>>   https://datatracker.ietf.org/doc/draft-gondrom-frame-options/
>>>   http://www.ietf.org/mail-archive/web/websec/current/msg00388.html
>>>
>>>
>>> How do we go about it?  One path forward might be to just proceed as currently planned and coordinate when webappsec starts working.
>>>
>>> Another path forward might be to see whether we can agree now on what forum to take these things forward in (and what the coordination dance might look like).
>>>
>>> Thoughts welcome.
>>>
>>> Regards,
>>> --
>>> Thomas Roessler, W3C <tlr@w3.org> (@roessler)
>>>
>>>
>>>
>>>
>>


From tobias.gondrom@gondrom.org  Sat Jul 23 09:18:12 2011
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6ABB921F8987 for <websec@ietfa.amsl.com>; Sat, 23 Jul 2011 09:18:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.362
X-Spam-Level: 
X-Spam-Status: No, score=-95.362 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H-Zf9+R+7IF2 for <websec@ietfa.amsl.com>; Sat, 23 Jul 2011 09:18:12 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (lvps83-169-7-107.dedicated.hosteurope.de [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id 869E821F896E for <websec@ietf.org>; Sat, 23 Jul 2011 09:18:11 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=A1M4xpXfDd0J9BJdcOycRCIleAQ/1udk8K5xGuMU268jhz7vS1AWXTP85RghWkZkIO+ve0aENJgv6ejD9x+cWVmMUS0klDBWnCwtWbx+ag6Vr7jz2a8jRivwj4CMQ4Bk; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 7957 invoked from network); 23 Jul 2011 18:17:56 +0200
Received: from unknown (HELO ?172.17.9.73?) (207.134.107.2) by lvps83-169-7-107.dedicated.hosteurope.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 23 Jul 2011 18:17:56 +0200
Message-ID: <4E2AF436.5070400@gondrom.org>
Date: Sat, 23 Jul 2011 17:17:58 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20110627 Thunderbird/5.0
MIME-Version: 1.0
To: websec@ietf.org
References: <4E177986.2030902@KingsMountain.com> <4E177D28.3070709@stpeter.im>
In-Reply-To: <4E177D28.3070709@stpeter.im>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] specify existing X-Frame-Options ? (was: Re: FYI: New draft draft-gondrom-frame-options-01)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jul 2011 16:18:12 -0000

Jeff,

actually part of doing frame-option was also inspired by Peter's "X-"draft.

You may be right and we could do a two-step approach and first document 
existing "X-Frame-Options" and then move forward. But actually I do not 
see much benefit of writing two drafts, the first describing existing 
X-Frame-Options further as there already is some sufficient documentation.
So I hoped to get both steps in one go by getting rid of the "X-" and 
making this an IETF standard "Frame-Options".

Kind regards, Tobias



On 08/07/11 22:56, Peter Saint-Andre wrote:
> On 7/8/11 3:41 PM, =JeffH wrote:
>>>> seems to me, this confusion & potential issues are reasons to /not/
>>>> specify the header name as "Frame-Options" (for now), given
>>>> "X-FRAME-OPTIONS" apparent wide use.
>>> Sounds OK to me though I'd just want to be careful to do whatever the
>>> standards process dictates here.  I have to imagine there's a
>> precedent we'd
>>> want to follow.
>> there isn't much "process" wrt which we choose.
>>
>> In terms of precedent, AFAIK there's examples of both (a)
>> documenting/specifying current practice, and (b) documenting/specifying
>> how proponents would like various practices to evolve.
>>
>> Given that there's a fair number of web apps (aka websites) emitting
>> "X-FRAME-OPTIONS" (see below), and given its wide support in web
>> browsers, I think its justifiable to do (a), then see about (b).
>>
>> There's a recent I-D,
>> <http://tools.ietf.org/html/draft-saintandre-xdash>  'Use of the "X-"
>> Prefix in Application Protocols' (being discussed on
>> <apps-discuss@ietf.org>), which argues against its use. But in this case
>> current practice long predates said "X-" deprecation effort.
> Correct. This is a perfect example of how parameters leak out from the
> non-standard space into the standard space. Thus "X-" is unnecessary:
> someone could've just called it "Frame-Options" to start with. But as
> you say, that train has left the station...
>
> Peter
>


From tobias.gondrom@gondrom.org  Sat Jul 23 09:19:09 2011
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D870621F8A4B for <websec@ietfa.amsl.com>; Sat, 23 Jul 2011 09:19:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.362
X-Spam-Level: 
X-Spam-Status: No, score=-95.362 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4x3dITSbfvd6 for <websec@ietfa.amsl.com>; Sat, 23 Jul 2011 09:19:09 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (lvps83-169-7-107.dedicated.hosteurope.de [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id F292821F896E for <websec@ietf.org>; Sat, 23 Jul 2011 09:19:08 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=H4/C0nEa4Zx2GiXfipyofOEIe0aopi5GYDMe0zii34i73bUk7BfKveNMcdRNm6qzIUBM6xTPLz91y33od44B5mWto+n/tBOc/cNT5cg4MZ6tHUuIoPSjJUnXLKT/MLmJ; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 13713 invoked from network); 23 Jul 2011 18:19:04 +0200
Received: from unknown (HELO ?172.17.9.73?) (207.134.107.2) by lvps83-169-7-107.dedicated.hosteurope.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 23 Jul 2011 18:19:04 +0200
Message-ID: <4E2AF47A.6070207@gondrom.org>
Date: Sat, 23 Jul 2011 17:19:06 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20110627 Thunderbird/5.0
MIME-Version: 1.0
To: Jeff.Hodges@KingsMountain.com
References: <4E1689CB.3010504@KingsMountain.com>
In-Reply-To: <4E1689CB.3010504@KingsMountain.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: websec@ietf.org
Subject: Re: [websec] specify existing X-Frame-Options ? (was: Re: FYI: New draft draft-gondrom-frame-options-01)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jul 2011 16:19:09 -0000

Jeff,
thank you very much for the review.
Will add missing references in version -02.

- Tobias


On 08/07/11 05:38, =JeffH wrote:
>
> Hi Tobias -- thanks for working on this spec, it will be good to get 
> this all more formally documented.
>
> It appears that the -01 rev of draft-gondrom-frame-options takes into 
> account the apparently present X-Frame-Options documentation here..
>
>
> [2] Combating ClickJacking With X-Frame-Options
>     EricLaw [MSFT]
>     30 Mar 2010 2:42 PM
> <http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx> 
>
>
>
> ..which apparently supersedes the prior nominal documentation..
>
>
> [1] IE8 Security Part VII: ClickJacking Defenses
>     ieblog
>     27 Jan 2009 9:40 PM
> <http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx> 
>
>
>
> ..and which draft-gondrom-frame-options-00 appears to have been based on.
>
>
> As Dave Ross earlier today noted in..
>
>   Re: [websec] FYI: New draft draft-gondrom-frame-options-01
>   http://www.ietf.org/mail-archive/web/websec/current/msg00388.html
>
> ..the -01 spec rev differs from [2] in that it allows for declaring an 
> origin list as a value for the ALLOW-FROM directive.
>
> Also, the header name is declared as "Frame-Options" rather than 
> what's presently implemented and deployed: "X-FRAME-OPTIONS".
>
>
> Why don't we (WebSec) first simply document present X-FRAME-OPTIONS 
> practice and get that more formally nailed down before we begin 
> enhancing/altering it ?
>
> After all, it's apparently implemented in most all major browsers, and 
> (I hear) emitted by a fair number of web applications. Plus, there's 
> always the question of how closely all those implementations today 
> conform to the present de jure specification, especially the "new" 
> ALLOW-FROM directive in [2].
>
> This would be in the same spirit as the RFC6265 "HTTP State 
> Management" (aka Cookies) effort where we (hopefully unambiguously) 
> documented the present implemented and deployed cookie subprotocol.
>
> thanks,
>
> =JeffH
>
>
>
>
>
>
>
>


From tobias.gondrom@gondrom.org  Sat Jul 23 09:28:47 2011
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4575321F86AF for <websec@ietfa.amsl.com>; Sat, 23 Jul 2011 09:28:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -94.905
X-Spam-Level: 
X-Spam-Status: No, score=-94.905 tagged_above=-999 required=5 tests=[AWL=-0.458, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, J_CHICKENPOX_42=0.6, RDNS_DYNAMIC=0.1, SARE_UNQBIZ=0.315, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l5UruTHfLJfa for <websec@ietfa.amsl.com>; Sat, 23 Jul 2011 09:28:46 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (lvps83-169-7-107.dedicated.hosteurope.de [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id 0BDE121F86A6 for <websec@ietf.org>; Sat, 23 Jul 2011 09:28:45 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=v7dtnyuz8lKdOQEHYbRj6Ei4VV1Z1DugyaGTfFBnkZO6O+C9NeAuUPIoiHrsIMiaQ3YAH0SsxyRD9iwkI6RAAfC5NU7S6hTUU8zJlt0fWZmMc/EM895CKi+g/9BMbnE/; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 32608 invoked from network); 23 Jul 2011 18:28:33 +0200
Received: from unknown (HELO ?172.17.9.73?) (207.134.107.2) by lvps83-169-7-107.dedicated.hosteurope.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 23 Jul 2011 18:28:33 +0200
Message-ID: <4E2AF6B3.5000507@gondrom.org>
Date: Sat, 23 Jul 2011 17:28:35 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20110627 Thunderbird/5.0
MIME-Version: 1.0
To: websec@ietf.org
References: <CAPfop_1SFauSXO9RZvZtXLpb_dTpPCLLnp+C+eH24pcVFHwg8A@mail.gmail.com>
In-Reply-To: <CAPfop_1SFauSXO9RZvZtXLpb_dTpPCLLnp+C+eH24pcVFHwg8A@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] X-Frame-Options and SSL
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jul 2011 16:28:47 -0000

Hi devdatta,

I would agree that it would be a bad idea for https://www.alice.com 
to allow being framed by http://www.bob.com as the channel to bob would 
not be protected.

However, I am not sure that we must or even should prevent that 
behaviour inherently in the standard by shutting down any cross channel 
framing.

From my perspective the standard should provide the tool to secure your 
application, not necessarily limit/prevent all stupid things from 
happening. (not sure whether there might be legitimate cases for such a 
scenario).

So Frame-Options gives you the chance to declare this for your web site 
not to be framed by http://www.bob.com, but if you decide to explicitly 
do so - well maybe you have a unique business case/reasons that demand 
that and you want to accept that risk still reducing the CSRF by using 
Frame-Options.

Kind regards, Tobias



On 20/07/11 21:16, Devdatta Akhawe wrote:
> Hi folks
>
> Consider a site at www.alice.com that wants to 
> only be framed by their friends at www.bob.com.
>
> Say, a request to https://www.alice.com might respond with a 
> X-Frame-Options: allow-from http://www.bob.com
>
> Clearly, the https://www.alice.com has the privileges to act with the 
> 'secure' cookie for alice.com. In this scenario, 
> http://www.bob.com might actually be MITM'ed by Mallory and contain 
> malicious code. In this scenario, does it make sense to allow 
> http://www.bob.example to frame https://www.alice.example? I think 
> this is wrong behavior: a higher-level invariant that should be 
> maintained (at least in the newer specs :) is that only HTTPS content 
> has access to secure cookie privileges.
>
> Thus, I think the right thing to do is :
> Enforce https for all the origins in the list returned in allow-from 
> by https://www.alice.com. Even if https://www.alice.com responds with 
> http://www.bob.com in its X-Frame-Options, the browser should only 
> allow https://www.bob.com to frame https://www.alice.com
>
>
> I think this is even more compelling in case alice.com has enforced HSTS.
>
> What do others think ?
>
>
> thanks
> devdatta
>
>
>
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
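
An added example, not code from this thread, from any browser, or from the frame-options draft: a small Node.js model of how a user agent could evaluate X-Frame-Options for an https:// resource loaded in a frame. It puts devdatta's proposal (quoted above, and in the earlier message with Brad Hill's replies) next to the header as browsers applied it in 2011, where the ALLOW-FROM origin is matched literally, scheme included. With the proposed invariant switched on, an http:// entry is read as the https:// origin of the same host, an explicitly listed http:// framer is blocked like mixed content with a user click-through, and when the framed host is HSTS there is no click-through at all. The names parseFrameOptions, frameDecision and the enforceHttps / hstsHosts options are assumptions of this example; the alice.com / bob.com inputs are the thread's own scenario.

```javascript
// Added example, not code from the websec thread or from any browser.
// Models X-Frame-Options evaluation for an https:// resource in a frame,
// comparing literal ALLOW-FROM matching (2011 behaviour) with the proposed
// https-only framing invariant. parseFrameOptions, frameDecision and the
// enforceHttps / hstsHosts options are names assumed for this example.
// URL is a global in Node.js >= 10 and in browsers.

// Parse "DENY", "SAMEORIGIN" or "ALLOW-FROM <uri>" (case-insensitive).
// Returns { directive, origin } or null if the header is absent or unknown
// (browsers ignore an unrecognised value, so null means "no restriction").
function parseFrameOptions(value) {
  if (typeof value !== 'string') return null;
  const v = value.trim();
  if (/^deny$/i.test(v)) return { directive: 'DENY', origin: null };
  if (/^sameorigin$/i.test(v)) return { directive: 'SAMEORIGIN', origin: null };
  const m = /^allow-from\s+(\S+)$/i.exec(v);
  if (!m) return null;
  try {
    return { directive: 'ALLOW-FROM', origin: new URL(m[1]).origin };
  } catch (e) {
    return null; // unparsable URI: treated as if no header were sent
  }
}

// Decide whether the top-level document at framerOrigin may frame framedUrl,
// given the X-Frame-Options value the framed resource was served with.
// Returns 'allow', 'deny', or 'prompt' (blocked, but the user may click through).
//   opts.enforceHttps  apply the proposed https-only framing invariant
//   opts.hstsHosts     Set of hostnames the user agent holds an HSTS entry for
function frameDecision(framedUrl, framerOrigin, headerValue, opts = {}) {
  const framed = new URL(framedUrl);
  const framer = new URL(framerOrigin);
  const xfo = parseFrameOptions(headerValue);
  if (xfo === null) return 'allow';          // no usable header: framing is unrestricted
  if (xfo.directive === 'DENY') return 'deny';

  // The single origin the header permits, exactly as the header states it.
  let allowed = xfo.directive === 'SAMEORIGIN' ? framed.origin : xfo.origin;

  if (opts.enforceHttps === true && framed.protocol === 'https:') {
    // Proposed invariant: read an http:// entry as the https:// origin of the
    // same host, so "ALLOW-FROM http://www.bob.com" admits https://www.bob.com.
    const upgraded = new URL(allowed);
    upgraded.protocol = 'https:';
    allowed = upgraded.origin;

    if (framer.protocol !== 'https:') {
      // An insecure framer never gets a plain 'allow'. If the site explicitly
      // listed it, block like mixed content with a click-through, except when
      // the framed host is HSTS, where the user is given no override.
      const listedInsecure = framer.origin === xfo.origin;
      const hsts = opts.hstsHosts instanceof Set && opts.hstsHosts.has(framed.hostname);
      return listedInsecure && !hsts ? 'prompt' : 'deny';
    }
  }
  return framer.origin === allowed ? 'allow' : 'deny';
}

// The thread's scenario: https://www.alice.com lists http://www.bob.com.
const HEADER = 'ALLOW-FROM http://www.bob.com';
const ALICE = 'https://www.alice.com/button';
const HSTS = new Set(['www.alice.com']);

for (const framer of ['http://www.bob.com', 'https://www.bob.com']) {
  console.log(framer.padEnd(22),
    'literal:', frameDecision(ALICE, framer, HEADER),
    'invariant:', frameDecision(ALICE, framer, HEADER, { enforceHttps: true }),
    'invariant+HSTS:', frameDecision(ALICE, framer, HEADER, { enforceHttps: true, hstsHosts: HSTS }));
}
```

Run stand-alone it prints the two rows of the comparison: the http://www.bob.com framer is allowed under literal matching, prompts under the invariant, and is denied when www.alice.com is an HSTS host; the https://www.bob.com framer is denied under literal matching (the scheme differs from the listed origin) and allowed under the invariant. The 'prompt' verdict is the mixed-content-style behaviour devdatta describes; a browser that did not want a click-through would simply map it to 'deny'.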


From tobias.gondrom@gondrom.org  Sat Jul 23 16:27:09 2011
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7FE921F84D4 for <websec@ietfa.amsl.com>; Sat, 23 Jul 2011 16:27:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -94.986
X-Spam-Level: 
X-Spam-Status: No, score=-94.986 tagged_above=-999 required=5 tests=[AWL=-0.224, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, J_CHICKENPOX_42=0.6, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eVANFUtza2AG for <websec@ietfa.amsl.com>; Sat, 23 Jul 2011 16:27:08 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (lvps83-169-7-107.dedicated.hosteurope.de [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id 3FD9221F84FB for <websec@ietf.org>; Sat, 23 Jul 2011 16:26:44 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=nT1LMCWJ1tfcTRH1D8pj/7aPq9TmPGQsCUtgm7PQjzS3SKot1cdd+7njaOK0XG5uIOatnoaJFI2k8+WhiiEF1Q8OIB0Rg6rsw6bOLdQ1Ek2ejo+zIW99MlC5c5aDki1Q; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 17905 invoked from network); 24 Jul 2011 01:26:24 +0200
Received: from unknown (HELO ?172.17.9.73?) (207.134.107.2) by lvps83-169-7-107.dedicated.hosteurope.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 24 Jul 2011 01:26:24 +0200
Message-ID: <4E2B58A2.1040904@gondrom.org>
Date: Sun, 24 Jul 2011 00:26:26 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20110627 Thunderbird/5.0
MIME-Version: 1.0
To: websec@ietf.org
References: <CAPfop_1SFauSXO9RZvZtXLpb_dTpPCLLnp+C+eH24pcVFHwg8A@mail.gmail.com> <CAJE5ia85bSnimZ9ZkPiZr=HfBDMaz4TdVYD3YQGa9=xrdt1vDQ@mail.gmail.com> <CAPfop_1B-jBb8G0zdX+T0H56ZxiyrGsh2FkMN_tAuUOWqpn7Qg@mail.gmail.com> <CAJE5ia9dmp7a_aNY+nLbhNb6mpLpboYr_0Xp3FxAzrwsJ7z1dw@mail.gmail.com> <CAPfop_1Z=+DO91iJwdOnYWdaVbAkxh=u4oEEpxP8xPmQvi+DPQ@mail.gmail.com> <213E0EC97FE58F469BB618245B3118BB550CA6E8C5@DEN-MEXMS-001.corp.ebay.com> <CAPfop_0E39t0F53J3VKQ+igOzL7haO+MCLLBPFkhnB9V7guJcQ@mail.gmail.com> <213E0EC97FE58F469BB618245B3118BB550CA6E921@DEN-MEXMS-001.corp.ebay.com> <CAPfop_3sirwMmgNbAbEGWFPBDwxhWxJapx2oqnFt-Gs_qOp5VA@mail.gmail.com> <213E0EC97FE58F469BB618245B3118BB550CA6E9C4@DEN-MEXMS-001.corp.ebay.com> <CAPfop_23Frjr9d4CnhZ-1VTp6bzY-kq3VU+GFWebzAtvvPh_Hg@mail.gmail.com>
In-Reply-To: <CAPfop_23Frjr9d4CnhZ-1VTp6bzY-kq3VU+GFWebzAtvvPh_Hg@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] X-Frame-Options and SSL
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jul 2011 23:27:09 -0000

Hello,

so far I agree with Brad to leave the option open to be framed by an 
http-site even though you are https.  But what I also take from this is 
that we definitely should expand on this in the Security Considerations 
Section and point out explicitly the risks of such.

So todo for the next version will be to add a Security Considerations 
section explaining why you SHOULD NOT (RFC2119) do it and what potential 
security risks will arise if you do it.

Thanks a lot for your reviews and your feedback pointing that out.

Tobias



On 23/07/11 05:20, Devdatta Akhawe wrote:
> I guess I am looking at it from a more 'what-is-the-invariant'
> perspective. The fact that HSTS makes everything HTTPS is a nice
> simple invariant that I feel is worth maintaining.
>
> Re. the economics argument: seems to me that you are
> assuming rational behavior; that Alice.com knowingly (and fully
> understanding the implications) chose to say "allow http site to frame
> me."
>
> I fear that the reason alice.com said "allow http://bob.com to frame
> me" might be that alice didn't realize the implications.
> Alice thought HSTS made her secure against active network
> attacker and doesn't understand the dangers of being framed by
> untrusted party.
>
> This is similar to why people created https pages with http scripts*
> in them: they didn't do this because 'the total money earned by
> attackers by hijacking the script to be on the wire is less than the
> cost of being on the wire'. They did it because they forgot/didn't
> think of the threat.
>
> Maintaining one simple invariant is a good thing. Having a separate
> mechanism for 'make me safe against active network attacker' reminds
> me of the 'secure' cookie: one had to use https as well as remember to
> use 'secure' cookies to really be secure against the active network
> attackers.
> ---
>
> But the scenario you presented also makes sense to me. I think my
> confusion was that I thought HSTS mandated browsers to block mixed
> content. Rereading the draft, it seems HSTS only suggests browsers do
> this (Section #10) and doesn't mandate anything like this.
>
> How about a similar language for HSTS enabled sites being framed by HTTP sites?
>
>
> Thanks
> devdatta
>
>
>
>
>
>
>
>
> On 22 July 2011 15:34, Hill, Brad<bhill@paypal-inc.com>  wrote:
>> No, the clickjacking risk against an individual resource can still be managed independently of HSTS.
>>
>> It's not just about the attacker, it's about the asset.  HSTS can be used to protect high value assets like credentials and sessions without implying that every inbound click is high value or not subject to other controls.
>>
>>
>> Let's take a purely hypothetical scenario where alice.com wants to put a button in a frame on example.com. Let's also say that every hijacked click to alice.com against a U.S. user of example.com can generate a revenue of $0.02 for an attacker.  Alice.com deploys HSTS but example.com doesn't deploy https.   Alice.com believes it can generate revenues of $500/day from example.com.  Example.com believes it can generate revenue of $500/day from the partnership, but can't be convinced to move to https because that would cost $1000/day - more than the total value of the partnership.
>>
>> If we let "https://alice.com/exampleDotComButton" set XFO to "ALLOW http://example.com", there is the possibility that an attacker can set up in a U.S. coffee shop as an active MITM.  Such an attacker might make $0.50 a day.  This is probably not worth the cost of mounting the attack, and alice.com might notice the attack and add controls based on the originating IP or address block before any significant money flows to the attacker.  Because of this, alice.com's expected loss with XFO to the insecure site is maybe only $0.06/day and it is willing to accept this risk.
>>
>> If alice.com doesn't deploy any XFO headers, attackers can operate out of countries with a low cost of living, ensnare many more users, and generate fraud revenues of $100/day.
>>
>> If we change XFO so that sites that deploy HSTS require https-only framing, alice.com is left with only bad choices:  bear the risk of clickjacking, turn off HSTS, or don't partner and forgo the revenue from example.com.
>>
>> -Brad
>>
>>
>> -----Original Message-----
>> From: Devdatta Akhawe [mailto:dev.akhawe@gmail.com]
>> Sent: Friday, July 22, 2011 3:31 PM
>> To: Hill, Brad
>> Cc: Adam Barth; websec@ietf.org
>> Subject: Re: [websec] X-Frame-Options and SSL
>>
>> Yes, but IE9 (e.g.) blocks mixed stylesheets, frames, objects too.
>>
>> Anyways, the point of the thread was to bring up discussion on this possible weakness. I (really) don't care much on what should be done in the default case. Whatever decision is taken by the WG, I think a note should be added in the "Security Considerations" section to that effect.
>>
>> What I do feel strongly about is the case where the secure site being framed is HSTS enabled. In such a scenario, the browser should block the insecure frame from framing the secure site. Clearly, in the HSTS case, the site has told the browser "I really care about the active network attacker scenario" and as such the browser should be proactive against the active network attacker. Do you agree?
>>
>>
>> -devdatta
>>
>> On 22 July 2011 14:16, Hill, Brad<bhill@paypal-inc.com>  wrote:
>>> In this case alice.com can only include http://bob.com.  I'm not saying we should force inclusion of http://bob.com, I'm just saying we shouldn't ban it, because it's a lot better than nothing.
>>>
>>> It is alike in concept to mixed content, but on a greatly reduced attack surface:  Routing a click to a location on a page vs. (in the case of a mixed script src) full control of the secure DOM.  For a business deploying XFO, that difference is pretty important.  Alice.com may want to be able to have a "like" or "pay" button from a secure source framed by the insecure bob.com because the risk/fraud rates from only active attackers may be acceptable or amenable to other compensating controls, where those from generalized remote clickjacking may not.
>>>
>>> Brad
>>> -----Original Message-----
>>> From: Devdatta Akhawe [mailto:dev.akhawe@gmail.com]
>>> Sent: Friday, July 22, 2011 2:59 PM
>>> To: Hill, Brad
>>> Cc: Adam Barth; websec@ietf.org
>>> Subject: Re: [websec] X-Frame-Options and SSL
>>>
>>>> I guess I'm leaning towards "this is a weakness, but we shouldn't do anything about it."
>>> Say alice.com does care about this. My problem with the above position is alice.com can do nothing about this weakness. There is no flag it can send to say "hey don't allow insecure things to frame me: I am really worried about the active network attacker." It can do some weird haxoring similar to JS framebusting code but it is a pretty bad thing.
>>>
>>> To me, this is similar to the original motivations for XFO.
>>>
>>> From
>>> http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016284.html
>>> ----8<--------
>>> "For a couple of months now, along with a number of my colleagues at Google, we were investigating a security problem that we feel is very difficult or impossible to avoid on application side, and might be best addressed on HTML or HTTP level in contemporary browsers."
>>>
>>> ---->8----------
>>>
>>> My view is that this weakness is similar to mixed content. Modern browsers (e.g., IE9) block mixed content by default while still allowing a click to enable it. I feel in the same style this should be blocked, while still allowing the user to click through.
>>>
>>> And in the same spirit, if the secure page being framed is HSTS enabled then there shouldn't be an option to the user to click through.
>>>
>>>
>>>
>>> =Devdatta
>>>
>>>> 1) Don't add the invariant, because moving the threat from remote to active is still a significant reduction in attack surface while maintaining compatibility with existing usages.  If we break that, the alternative is probably to have no protections.
>>>>
>>>> 2) Add the invariant because existing uses of this pattern are
>>>> already
>>>> broken: the user can't readily verify the origin of or that the
>>>> framed content is, in fact, secure.  This is only a Spoofing risk,
>>>> however, and so is less severe than the direct Elevation of Privilege
>>>> allowed by clickjacking.  (spoofing a "like" or "pay" button doesn't
>>>> get an attacker much)
>>>>
>>>> I guess I'm leaning towards "this is a weakness, but we shouldn't do anything about it."
>>>>
>>>> Brad
>>>>
>>>> From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On
>>>> Behalf Of Devdatta Akhawe
>>>> Sent: Wednesday, July 20, 2011 2:34 PM
>>>> To: Adam Barth
>>>> Cc: websec@ietf.org
>>>> Subject: Re: [websec] X-Frame-Options and SSL
>>>>
>>>> In case of http bob including https jquery, the HTTPS Jquery will run with the privileges of http bob.
>>>>
>>>> In the other case, https alice frame will run with the privileges of
>>>> https alice
>>>>
>>>>
>>>> =dev
>>>> On 20 July 2011 13:30, Adam Barth<ietf@adambarth.com>  wrote:
>>>> Why is that?  We're talking about HTTP Bob including HTTPS Alice,
>>>> just like we're talking about an HTTP page including HTTPS jQuery.
>>>>
>>>> Adam
>>>>
>>>>
>>>> On Wed, Jul 20, 2011 at 1:26 PM, Devdatta Akhawe<dev.akhawe@gmail.com>  wrote:
>>>>> The invariant I am talking about is more comparable to an https page
>>>>> including jquery with an http URL, something afaik is considered not
>>>>> safe and blocked by browsers.
>>>>>
>>>>> -devdatta
>>>>>
>>>>> On 20 July 2011 13:24, Adam Barth<ietf@adambarth.com>  wrote:
>>>>>> I'm not sure that invariant makes sense.  As another example, it
>>>>>> seems entirely reasonable for an HTTP page to include a copy of
>>>>>> jQuery from an HTTPS URL.
>>>>>>
>>>>>> Adam
>>>>>>
>>>>>>
>>>>>> On Wed, Jul 20, 2011 at 1:16 PM, Devdatta Akhawe
>>>>>> <dev.akhawe@gmail.com>
>>>>>> wrote:
>>>>>>> Hi folks
>>>>>>>
>>>>>>> Consider a site at www.alice.com that wants to only be framed by
>>>>>>> their friends at www.bob.com.
>>>>>>>
>>>>>>> Say, a request to https://www.alice.com might respond with a
>>>>>>> X-Frame-Options: allow-from http://www.bob.com
>>>>>>>
>>>>>>> Clearly, the https://www.alice.com has the privileges to act with
>>>>>>> the 'secure' cookie for alice.com. In this scenario,
>>>>>>> http://www.bob.com might actually be MITM'ed by Mallory and
>>>>>>> contain malicious code. In this scenario, does it make sense to
>>>>>>> allow http://www.bob.example to frame https://www.alice.example?
>>>>>>> I think this is wrong behavior: a higher-level invariant
>>>>>>> that should be maintained (at least in the newer specs
>>>>>>> :) is
>>>>>>> that only HTTPS content has access to secure cookie privileges.
>>>>>>>
>>>>>>> Thus, I think the right thing to do is :
>>>>>>> Enforce https for all the origins in the list returned in
>>>>>>> allow-from by https://www.alice.com. Even if
>>>>>>> https://www.alice.com responds with http://www.bob.com in its
>>>>>>> X-Frame-Options, the browser should only allow
>>>>>>> https://www.bob.com to frame https://www.alice.com
>>>>>>>
>>>>>>>
>>>>>>> I think this is even more compelling in case alice.com has
>>>>>>> enforced HSTS.
>>>>>>>
>>>>>>> What do others think ?
>>>>>>>
>>>>>>>
>>>>>>> thanks
>>>>>>> devdatta
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> websec mailing list
>>>>>>> websec@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/websec
>>>>>>>
>>>>>>>
>>>>>
>>>>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
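
The framing decision the thread is arguing about, written out as an added example; this is not code from the list, the frame-options or HSTS drafts, or any browser. It takes the hostnames from the thread (www.alice.com framed by www.bob.com) and models the two positions: under the ALLOW-FROM semantics Brad defends, an https resource may list an http origin and the browser honours it as written; under the invariant Devdatta proposes, once the framed host is an HSTS host the browser only honours the https form of a listed origin. The in-memory HSTS host set, the `require_https_for_hsts` switch and all function names are assumptions made for the illustration, and the framer is treated as the top-level page only (nested ancestors are not walked).

```python
"""Frame-ancestor decision for X-Frame-Options (XFO) under two policies.

Added example, not code from the websec list, the drafts or any browser.
It models the question debated on the list: should a browser honour
"X-Frame-Options: ALLOW-FROM http://www.bob.com" sent by an https resource,
and should the answer change when the framed host has HSTS?  The HSTS host
set, the policy switch and the function names are assumptions made here.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for an http(s) URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    if not scheme or not host or port is None:
        raise ValueError("not an http(s) URL: %r" % url)
    return (scheme, host, port)


def parse_xfo(header_value):
    """Parse an X-Frame-Options value into (directive, allowed_origin).

    directive is "DENY", "SAMEORIGIN" or "ALLOW-FROM"; allowed_origin is the
    (scheme, host, port) tuple for ALLOW-FROM and None otherwise.  A missing
    or unrecognised value yields (None, None): the header is ignored.
    """
    if header_value is None:
        return (None, None)
    value = header_value.strip()
    upper = value.upper()
    if upper == "DENY":
        return ("DENY", None)
    if upper == "SAMEORIGIN":
        return ("SAMEORIGIN", None)
    if upper.startswith("ALLOW-FROM"):
        rest = value[len("ALLOW-FROM"):].strip()
        try:
            return ("ALLOW-FROM", origin_of(rest))
        except ValueError:
            return (None, None)
    return (None, None)


def framing_allowed(framed_url, xfo_header, framer_url, hsts_hosts=frozenset(),
                    require_https_for_hsts=False):
    """Decide whether the top-level page at framer_url may embed framed_url.

    require_https_for_hsts=False: ALLOW-FROM matches the framer's origin
    exactly, scheme included, so an https resource can opt in to an http
    framer (the position Brad argues for).
    require_https_for_hsts=True: the invariant Devdatta proposes.  If the
    framed host is an HSTS host, a listed http origin is upgraded and only
    its https counterpart may frame; the http framer is refused.
    """
    framed = origin_of(framed_url)
    framer = origin_of(framer_url)
    directive, allowed = parse_xfo(xfo_header)
    if directive is None:
        return True           # no usable XFO header: nothing restricts framing
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return framer == framed
    # ALLOW-FROM: optionally refuse the plain-http origin for HSTS hosts
    if require_https_for_hsts and framed[1] in hsts_hosts and allowed[0] == "http":
        port = 443 if allowed[2] == 80 else allowed[2]   # keep an explicit non-default port
        allowed = ("https", allowed[1], port)
    return framer == allowed


if __name__ == "__main__":
    # Brad's scenario: an https button opting in to an http partner page.
    button = "https://www.alice.com/exampleDotComButton"
    header = "ALLOW-FROM http://www.bob.com"
    for policy in (False, True):
        verdict = framing_allowed(button, header, "http://www.bob.com/page",
                                  hsts_hosts={"www.alice.com"},
                                  require_https_for_hsts=policy)
        print("require_https_for_hsts=%s -> http framer allowed: %s" % (policy, verdict))
```

Running the block prints the two verdicts for the same header: the http framer is allowed under the first policy and refused under the second, which is exactly the trade-off Brad describes (alice.com loses the http partnership or HSTS) and the invariant Devdatta wants the browser to keep.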


From trac+websec@trac.tools.ietf.org  Sun Jul 24 18:22:19 2011
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A472B21F85E3 for <websec@ietfa.amsl.com>; Sun, 24 Jul 2011 18:22:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level: 
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M1Wo-ZgUOv0i for <websec@ietfa.amsl.com>; Sun, 24 Jul 2011 18:22:18 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id 4769321F85F2 for <websec@ietf.org>; Sun, 24 Jul 2011 18:22:18 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1Ql9s3-0007AL-KZ; Sun, 24 Jul 2011 18:22:11 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Mon, 25 Jul 2011 01:22:11 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/12
Message-ID: <070.539ef13c72e2cb4abcd86533f0e2d81c@trac.tools.ietf.org>
X-Trac-Ticket-ID: 12
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-Message-Id: <20110725012218.4769321F85F2@ietfa.amsl.com>
Resent-Date: Sun, 24 Jul 2011 18:22:18 -0700 (PDT)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: [websec] #12: Remove dependencies on HTTPbis and depend on RFC2616 only
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 01:22:20 -0000

#12: Remove dependencies on HTTPbis and depend on RFC2616 only

 -strict-transport-sec has various dependencies (e.g. STS header field
 ABNF) on HTTPbis.

 HTTPbis may not complete in a timeframe workable for having -strict-
 transport-sec go to RFC, so we should remove dependencies on HTTPbis, and
 depend on RFC2616 only.

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                   |       Owner:  draft-ietf-websec-strict-transport-sec@…             
     Type:  enhancement                    |      Status:  new                                                  
 Priority:  major                          |   Milestone:                                                       
Component:  strict-transport-sec           |     Version:                                                       
 Severity:  Active WG Document             |    Keywords:                                                       
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/12>
websec <http://tools.ietf.org/websec/>


From trac+websec@trac.tools.ietf.org  Sun Jul 24 18:32:33 2011
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48F6D21F84BC for <websec@ietfa.amsl.com>; Sun, 24 Jul 2011 18:32:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level: 
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1VfphMKD0Xu9 for <websec@ietfa.amsl.com>; Sun, 24 Jul 2011 18:32:32 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id EBCE421F84B7 for <websec@ietf.org>; Sun, 24 Jul 2011 18:32:32 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1QlA20-0008FE-25; Sun, 24 Jul 2011 18:32:28 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Mon, 25 Jul 2011 01:32:28 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/12#comment:1
Message-ID: <079.292c5c1f70cade0ee5c1db8fc1ce4a4d@trac.tools.ietf.org>
References: <070.539ef13c72e2cb4abcd86533f0e2d81c@trac.tools.ietf.org>
X-Trac-Ticket-ID: 12
In-Reply-To: <070.539ef13c72e2cb4abcd86533f0e2d81c@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: draft-ietf-websec-strict-transport-sec@tools.ietf.org, jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: 
Resent-Message-Id: <20110725013232.EBCE421F84B7@ietfa.amsl.com>
Resent-Date: Sun, 24 Jul 2011 18:32:32 -0700 (PDT)
Resent-From: trac+websec@trac.tools.ietf.org
Cc: websec@ietf.org
Subject: Re: [websec] #12: Remove dependencies on HTTPbis and depend on RFC2616 only
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 01:32:33 -0000

#12: Remove dependencies on HTTPbis and depend on RFC2616 only


Comment(by jeff.hodges@…):

 This is related to tickets #2 and #3.

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                   |       Owner:  draft-ietf-websec-strict-transport-sec@…             
     Type:  enhancement                    |      Status:  new                                                  
 Priority:  major                          |   Milestone:                                                       
Component:  strict-transport-sec           |     Version:                                                       
 Severity:  Active WG Document             |    Keywords:                                                       
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/12#comment:1>
websec <http://tools.ietf.org/websec/>


From stpeter@stpeter.im  Mon Jul 25 05:26:23 2011
Return-Path: <stpeter@stpeter.im>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C4B921F8500 for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 05:26:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B9gZJ6xyvRbK for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 05:26:22 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 280AB21F8585 for <websec@ietf.org>; Mon, 25 Jul 2011 05:26:14 -0700 (PDT)
Received: from squire.local (unknown [198.135.0.233]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 75869411C7; Mon, 25 Jul 2011 06:27:09 -0600 (MDT)
Message-ID: <4E2D60E4.5060800@stpeter.im>
Date: Mon, 25 Jul 2011 08:26:12 -0400
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: jeff.hodges@kingsmountain.com
References: <070.539ef13c72e2cb4abcd86533f0e2d81c@trac.tools.ietf.org>
In-Reply-To: <070.539ef13c72e2cb4abcd86533f0e2d81c@trac.tools.ietf.org>
X-Enigmail-Version: 1.2
OpenPGP: url=https://stpeter.im/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: websec@ietf.org
Subject: Re: [websec] #12: Remove dependencies on HTTPbis and depend on RFC2616 only
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 12:26:23 -0000

On 7/24/11 9:22 PM, websec issue tracker wrote:
> #12: Remove dependencies on HTTPbis and depend on RFC2616 only
> 
>  -strict-transport-sec has various dependencies (e.g. STS header field
>  ABNF) on HTTPbis.
> 
>  HTTPbis may not complete in a timeframe workable for having -strict-
>  transport-sec go to RFC, so we should remove dependencies on HTTPbis, and
>  depend on RFC2616 only.

Jeff, just curious: what do you perceive as the likely timeframe for
publication of both HSTS and HTTPbis?

/psa

From Jeff.Hodges@KingsMountain.com  Mon Jul 25 09:12:32 2011
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DB0521F84DA for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 09:12:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -97.848
X-Spam-Level: 
X-Spam-Status: No, score=-97.848 tagged_above=-999 required=5 tests=[BAYES_40=-0.185, IP_NOT_FRIENDLY=0.334, TRACKER_ID=2.003, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0S9wsIox2d1B for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 09:12:30 -0700 (PDT)
Received: from oproxy8-pub.bluehost.com (oproxy8-pub.bluehost.com [69.89.22.20]) by ietfa.amsl.com (Postfix) with SMTP id 7ED3521F8B6A for <websec@ietf.org>; Mon, 25 Jul 2011 07:54:01 -0700 (PDT)
Received: (qmail 22347 invoked by uid 0); 25 Jul 2011 14:54:01 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy8.bluehost.com with SMTP; 25 Jul 2011 14:54:01 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:X-Identified-User; b=NoQfmZDZhzYtfSDzqfF7lpAifYPcNV8AxvI33hHWR4qW75IdxJwxt4Xly2ohFodb8YvbRSfw1QeHiVFRsalOLczytSiD67qX6o960R0XP7OITYyZSe+bqRy8arVAdmYN;
Received: from [130.129.83.89] by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1QlMXg-0006ru-Ci; Mon, 25 Jul 2011 08:54:01 -0600
Message-ID: <4E2D8386.1080004@KingsMountain.com>
Date: Mon, 25 Jul 2011 07:53:58 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110617 Thunderbird/3.1.11
MIME-Version: 1.0
To: Tobias Gondrom <tobias.gondrom@gondrom.org>,  IETF WebSec WG <websec@ietf.org>
Content-Type: multipart/mixed; boundary="------------070903070103010106080903"
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 130.129.83.89 authed with jeff.hodges+kingsmountain.com}
Subject: [websec] hodges-ietf-81-websec-HSTS-Status
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 16:12:33 -0000

This is a multi-part message in MIME format.
--------------070903070103010106080903
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

pls see attached -- my preso for this afternoon wrt HSTS status

thx

=JeffH


--------------070903070103010106080903
Content-Type: application/pdf;
 name="hodges-ietf-81-websec-HSTS-Status.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="hodges-ietf-81-websec-HSTS-Status.pdf"
--------------070903070103010106080903--

From tobias.gondrom@gondrom.org  Mon Jul 25 09:50:31 2011
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4E2321F88B7 for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 09:50:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.362
X-Spam-Level: 
X-Spam-Status: No, score=-95.362 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q44WePc+TDDp for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 09:50:31 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (lvps83-169-7-107.dedicated.hosteurope.de [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id CB38A21F88A0 for <websec@ietf.org>; Mon, 25 Jul 2011 09:50:26 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=YgRmcRGwBUuW6wmSVLEllXDT/zzwrF22M/veAPlQgEeKXEkswOp1RqNFpA4r3oAoxxjwGzjCeAC+VrbleNuhPTGruHh+VZ2w/TCcpEVTcBzyveqDS820Xw72qtRIi8oK; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 23757 invoked from network); 25 Jul 2011 18:50:22 +0200
Received: from dhcp-167d.meeting.ietf.org (HELO ?130.129.22.125?) (130.129.22.125) by lvps83-169-7-107.dedicated.hosteurope.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 25 Jul 2011 18:50:22 +0200
Message-ID: <4E2D9ECB.1090807@gondrom.org>
Date: Mon, 25 Jul 2011 17:50:19 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20110627 Thunderbird/5.0
MIME-Version: 1.0
To: websec@ietf.org
References: <4E2A0323.2030000@gondrom.org>
In-Reply-To: <4E2A0323.2030000@gondrom.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] Websec meeting in Quebec on July-25
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 16:50:31 -0000

Hello,
please be informed that all slides for our meeting are now online in the 
Meeting Materials manager:
https://datatracker.ietf.org/meeting/81/materials.html
Kind regards, Tobias


On 23/07/11 00:09, Tobias Gondrom wrote:
> Hello dear websec fellows,
>
> just some final updates for our meeting on Monday, July-25 at 
> 13:00-15:00 (Quebec time) in Room 202:
> Agenda can be found here: 
> http://www.ietf.org/proceedings/81/agenda/websec.txt
>
> For remote participation:
> - Jabber: websec@jabber.ietf.org
> (still looking for volunteer jabber scribe who can relay comments from 
> the Jabber room to the meeting room)
>
> - Audio:
> There will be an audio stream to listen in:
> http://www.ietf.org/meeting/81/remote-participation.html
> (click on the stream for room 202)
>
> - Meeting Materials will be available here:
> https://datatracker.ietf.org/meeting/81/materials.html
> (I will upload all the slides Sunday evening, as soon as I receive them.)
>
> Kind regards and looking forward to seeing you on Monday!
>
> Tobias
> (chair of websec)
>
>
>


From Jeff.Hodges@KingsMountain.com  Mon Jul 25 10:19:39 2011
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83E3721F84FB for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 10:19:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.874
X-Spam-Level: 
X-Spam-Status: No, score=-95.874 tagged_above=-999 required=5 tests=[AWL=-0.658, BAYES_50=0.001, IP_NOT_FRIENDLY=0.334, SARE_SUB_OBFU_Q1=0.227, TRACKER_ID=2.003, TVD_SPACE_RATIO=2.219, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J+WPjw+99wog for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 10:19:39 -0700 (PDT)
Received: from oproxy4-pub.bluehost.com (oproxy4-pub.bluehost.com [69.89.21.11]) by ietfa.amsl.com (Postfix) with SMTP id A19FE11E807A for <websec@ietf.org>; Mon, 25 Jul 2011 10:05:03 -0700 (PDT)
Received: (qmail 29562 invoked by uid 0); 25 Jul 2011 17:05:00 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy1.bluehost.com with SMTP; 25 Jul 2011 17:05:00 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:Content-Type:X-Identified-User; b=ejtQ06PvM6QDtusGyEvkzwAnJHqvSKDRK/jO9Ec1oJFa3gy7cSCohISPCvoWWbNtIC0zC+UrepxAAIESN2X5EjFaaz9IlUjED/E6FHFydBH0zI4fpqNj7hZGQonIo28R;
Received: from [130.129.83.89] by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1QlOaR-0007qJ-BS; Mon, 25 Jul 2011 11:04:59 -0600
Message-ID: <4E2DA239.4040805@KingsMountain.com>
Date: Mon, 25 Jul 2011 10:04:57 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110617 Thunderbird/3.1.11
MIME-Version: 1.0
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Content-Type: multipart/mixed; boundary="------------090701000204010905020407"
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 130.129.83.89 authed with jeff.hodges+kingsmountain.com}
Cc: IETF WebSec WG <websec@ietf.org>
Subject: [websec] hodges-ietf-81-hodges-framework-reqs-Status
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 17:19:39 -0000

This is a multi-part message in MIME format.
--------------090701000204010905020407
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

=JeffH

--------------090701000204010905020407
Content-Type: application/pdf;
 name="hodges-ietf-81-hodges-framework-reqs-Status.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="hodges-ietf-81-hodges-framework-reqs-Status.pdf"
--------------090701000204010905020407--

From tlr@w3.org  Mon Jul 25 10:55:10 2011
Return-Path: <tlr@w3.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E32421F8B9F for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 10:55:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NljGO-gk1cek for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 10:55:09 -0700 (PDT)
Received: from jay.w3.org (ssh.w3.org [128.30.52.60]) by ietfa.amsl.com (Postfix) with ESMTP id 850D45E8006 for <websec@ietf.org>; Mon, 25 Jul 2011 10:55:06 -0700 (PDT)
Received: from jay.w3.org ([128.30.52.169] helo=[IPv6:::1]) by jay.w3.org with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.69) (envelope-from <tlr@w3.org>) id 1QlPMv-0006Lf-NS; Mon, 25 Jul 2011 13:55:05 -0400
From: Thomas Roessler <tlr@w3.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Mon, 25 Jul 2011 13:55:04 -0400
Message-Id: <348C1996-A5C6-4C2B-AA5B-B7C549DA3EAB@w3.org>
To: websec@ietf.org
Mime-Version: 1.0 (Apple Message framework v1244.3)
X-Mailer: Apple Mail (2.1244.3)
Subject: [websec] Resource Timing draft
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 17:55:10 -0000

FYI, the resource timing draft that I just mentioned in the websec
meeting is here:
	http://www.w3.org/TR/2011/WD-resource-timing-20110524/

The section with the Timing-Allow-Origin HTTP header is here:
	http://www.w3.org/TR/2011/WD-resource-timing-20110524/#cross-origin-resources

Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)








From yngve@opera.com  Mon Jul 25 11:13:40 2011
Return-Path: <yngve@opera.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C476521F8C16 for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 11:13:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.599
X-Spam-Level: 
X-Spam-Status: No, score=-8.599 tagged_above=-999 required=5 tests=[AWL=-2.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xi1ZglHhyjfP for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 11:13:39 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by ietfa.amsl.com (Postfix) with ESMTP id 1515921F8BF8 for <websec@ietf.org>; Mon, 25 Jul 2011 11:13:38 -0700 (PDT)
Received: from lessa-ii.oslo.os (pat-tdc.opera.com [213.236.208.22]) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id p6PIDYRp019478 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <websec@ietf.org>; Mon, 25 Jul 2011 18:13:36 GMT
Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes
To: websec@ietf.org
Date: Mon, 25 Jul 2011 20:13:38 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen" <yngve@opera.com>
Organization: Opera Software ASA
Message-ID: <op.vy6sw0qzkvaitl@lessa-ii.oslo.os>
User-Agent: Opera Mail/10.62 (Win32)
Subject: [websec] HSTS: Maintenance of hardcoded lists in clients
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 18:13:41 -0000

Hi,

As mentioned just now in the Websec WG meeting.

At least one client supporting HSTS (maybe more) is using a hardcoded list  
of sites that are always HSTS enabled, as a method of countering the  
bootstrap problem.

As I understand it, the process for how a website gets on such lists is  
currently very ad hoc, which isn't really a problem at this time, since it  
is experimental.

However, once HSTS moves into standardized deployment, it may be that many  
websites will want to get listed on such a list, which creates a few  
scalability problems:

   - Number of clients maintaining such lists
   - Number of sites that want to get on such lists.

While HSTS is not going to have the same problem severity, a similar problem  
exists in a more limited fashion, in the deployment of Root Certificates,  
where it causes some interoperability problems when sites use a Root  
Certificate not deployed in all clients (properly deployed HSTS will not  
run into those, but might encounter downgrade attacks).

For HSTS I expect that the number of websites wanting to get on the  
list(s) is going to number in the thousands (with one million sites, even  
0.1% is 1000), which is likely to cause trouble for the maintainers of the  
list(s). However, the website administrators might also run into trouble  
locating all the lists they want to be on, and notifying them about their  
intention.

The first question the websec group needs to answer is whether or not it  
should define how such a hardcoded list should work.

If the answer is yes, how should it be maintained? Should it be a single  
central repository? Who should host it and accept applications?

My thought is that there should at most be only a few such repositories,  
and that the process of getting listed should be as automatic as possible,  
while avoiding fraudulently added entries.

A strawman for such an automatic system could be that the website  
administrator submits a list of servers/domains that are to be HSTS  
enabled, digitally signed using (one of) the website's own certificate,  
chained to a list of approved CAs (which opens up another problem area of  
selecting those CAs). When approved the list is updated with the new  
entries, and then distributed to the relying parties. Using a digitally  
signed submission will make it harder to submit a fraudulent application,  
preventing a denial of service attack.


-- 
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************

From yngve@opera.com  Mon Jul 25 11:17:34 2011
Return-Path: <yngve@opera.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98EB421F8C02 for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 11:17:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.599
X-Spam-Level: 
X-Spam-Status: No, score=-7.599 tagged_above=-999 required=5 tests=[AWL=-1.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OVI+au6yOfb6 for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 11:17:34 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by ietfa.amsl.com (Postfix) with ESMTP id A056B21F8C01 for <websec@ietf.org>; Mon, 25 Jul 2011 11:17:33 -0700 (PDT)
Received: from lessa-ii.oslo.os (pat-tdc.opera.com [213.236.208.22]) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id p6PIHTBD020245 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <websec@ietf.org>; Mon, 25 Jul 2011 18:17:32 GMT
Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes
Date: Mon, 25 Jul 2011 20:17:34 +0200
To: websec <websec@ietf.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen" <yngve@opera.com>
Organization: Opera Software ASA
Message-ID: <op.vy6s3khdkvaitl@lessa-ii.oslo.os>
User-Agent: Opera Mail/10.62 (Win32)
Subject: [websec] Public Suffix definition
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 18:17:34 -0000

Hi,

This draft, which tries to define the term "Public Suffix", as used in  
cookies and document.domain, and elsewhere, may be of interest to the  
websec group.

<http://www.ietf.org/id/draft-pettersen-subtld-structure-08.txt>
-- 
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************

From agl@google.com  Mon Jul 25 11:20:26 2011
Return-Path: <agl@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82A4A21F8B97 for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 11:20:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.827
X-Spam-Level: 
X-Spam-Status: No, score=-105.827 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6YMtwgquFA07 for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 11:20:25 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.67]) by ietfa.amsl.com (Postfix) with ESMTP id 5AA4521F8B84 for <websec@ietf.org>; Mon, 25 Jul 2011 11:20:25 -0700 (PDT)
Received: from wpaz21.hot.corp.google.com (wpaz21.hot.corp.google.com [172.24.198.85]) by smtp-out.google.com with ESMTP id p6PIKN3B028623 for <websec@ietf.org>; Mon, 25 Jul 2011 11:20:24 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1311618024; bh=Wqz4LOQ+chxXaALJq+/kacS6VrE=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=MpoFBolfIylh0rniJ5PKxqtLCCvrYCh5fmPL9nlk2dMc+BJWyRwaIv3CdCGX6lcBX +g4YX8689DdZibW2yFDUg==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=dkim-signature:mime-version:in-reply-to:references:date: message-id:subject:from:to:cc:content-type:x-system-of-record; b=UMfZYFesBe9HFkCU+DLaorCyHHK8LlLgANwZLnM4P3N1v1vo217M0LpNCzmBdp/Ds F0jX/u1/Rtn+uESOm/C5A==
Received: from gyh20 (gyh20.prod.google.com [10.243.50.212]) by wpaz21.hot.corp.google.com with ESMTP id p6PIJu5C018631 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <websec@ietf.org>; Mon, 25 Jul 2011 11:20:22 -0700
Received: by gyh20 with SMTP id 20so3313698gyh.16 for <websec@ietf.org>; Mon, 25 Jul 2011 11:20:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=JDRvI3TLmJG5eWFP9oE4PctZ5sDPsxC5gLGpUClFgj8=; b=Nll21TZoIzWvpu5ni17FTQ4qMKKzfn/RFhffkhABAHAEf71Ak56I9koi6zTA17MaC/ 8YQKlmDrLkozLClwE9ag==
MIME-Version: 1.0
Received: by 10.231.63.70 with SMTP id a6mr4109426ibi.20.1311618022626; Mon, 25 Jul 2011 11:20:22 -0700 (PDT)
Received: by 10.231.17.2 with HTTP; Mon, 25 Jul 2011 11:20:22 -0700 (PDT)
In-Reply-To: <op.vy6sw0qzkvaitl@lessa-ii.oslo.os>
References: <op.vy6sw0qzkvaitl@lessa-ii.oslo.os>
Date: Mon, 25 Jul 2011 14:20:22 -0400
Message-ID: <CAL9PXLztk-3i1LFTw5UyTekYT9KrmuMKnsBcDodTgkq9=SF1dw@mail.gmail.com>
From: Adam Langley <agl@google.com>
To: "Yngve N. Pettersen" <yngve@opera.com>
Content-Type: text/plain; charset=UTF-8
X-System-Of-Record: true
Cc: websec@ietf.org
Subject: Re: [websec] HSTS: Maintenance of hardcoded lists in clients
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 18:20:26 -0000

On Mon, Jul 25, 2011 at 2:13 PM, Yngve N. Pettersen <yngve@opera.com> wrote:
> For HSTS I expect that the number of websites wanting to get on the list(s)
> is going to number in the thousands (with one million sites, even 0.1% is
> 1000), which is likely to cause trouble for the maintainers of the list(s).

I maintain one of these lists (for Chrome) and it is, as far as I
know, the only one. I haven't had a request for addition in nearly two
months.

If, as I hope, this becomes a flood in the future, I'm sure that we
can figure out a solution. We quite happily manage
http://publicsuffix.org/ in common, for example. But, for now, it's
such a non-problem that I don't believe that it's worth bothering
about.



Cheers

AGL

From gerv@mozilla.org  Mon Jul 25 13:28:04 2011
Return-Path: <gerv@mozilla.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2969721F8C35 for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 13:28:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fpc3QpnXhRh6 for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 13:28:03 -0700 (PDT)
Received: from dm-mail03.mozilla.org (dm-mail03.mozilla.org [63.245.208.213]) by ietfa.amsl.com (Postfix) with ESMTP id B4C6F21F8C34 for <websec@ietf.org>; Mon, 25 Jul 2011 13:28:03 -0700 (PDT)
Received: from [10.10.25.94] (unknown [67.23.204.2]) (Authenticated sender: gerv@mozilla.org) by dm-mail03.mozilla.org (Postfix) with ESMTP id E1C814AEE4A; Mon, 25 Jul 2011 13:28:02 -0700 (PDT)
Message-ID: <4E2DD1D2.6040001@mozilla.org>
Date: Mon, 25 Jul 2011 13:28:02 -0700
From: Gervase Markham <gerv@mozilla.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20110620 Thunderbird/5.0b2
MIME-Version: 1.0
To: "Yngve N. Pettersen" <yngve@opera.com>
References: <op.vy6sw0qzkvaitl@lessa-ii.oslo.os>
In-Reply-To: <op.vy6sw0qzkvaitl@lessa-ii.oslo.os>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: websec@ietf.org
Subject: Re: [websec] HSTS: Maintenance of hardcoded lists in clients
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 20:28:04 -0000

On 25/07/11 11:13, Yngve N. Pettersen wrote:
> At least one client supporting HSTS (maybe more) is using a hardcoded
> list of sites that are always HSTS enabled, as a method of countering
> the bootstrap problem.

Is "the bootstrap problem" the problem that on your very first visit to
a site, you might get MITMed?

If it's your very first visit, then you won't have a relationship with
that site, so the risk is much lower. I guess there's also people who
clear their history, but I suspect that's a relatively rare action.

> If the answer is yes, how should it be maintained? Should it be a single
> central repository? Who should host it and accept applications?

As Adam says, I'm sure we can come to a publicsuffix.org-like arrangement.

> A strawman for such an automatic system could be that the website
> administrator submits a list of servers/domains that are to be HSTS
> enabled, digitally signed using (one of) the website's own certificate,
<snip>

This seems overly-complicated. I'd accept an email-challenge-response
verified request from an email at that domain, coupled with an automated
check that the site(s) in question have in fact deployed HSTS.

Gerv
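
The automated check Gerv proposes (confirming that the submitted sites have in fact deployed HSTS, as the cheaper alternative to Yngve's signed-submission strawman) is the part of a list-admission process a maintainer would script first. What follows is an added example, not code from this thread, from Chrome's list tooling or from Opera: it parses the Strict-Transport-Security header the way the HSTS draft defines it (one required max-age directive, an optional valueless includeSubDomains, case-insensitive names, a repeated directive invalidating the header) and applies a constructed admission policy. The thirty-day minimum max-age, the `.example` domains and the response summaries are all assumptions made for the example; a real checker would fill the response summary from a live TLS connection.

```python
"""Automated HSTS deployment check for admitting domains to a hardcoded list.

Added example, not code from the websec thread or any browser's list tooling.
The sample responses and the admission threshold are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: the smallest max-age the list maintainer accepts. The thread
# gives no figure; thirty days is a constructed policy value for this example.
MIN_MAX_AGE_SECONDS = 30 * 24 * 3600

_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 2616 token chars
_DELTA_SECONDS = re.compile(r"[0-9]+")


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


@dataclass
class CheckResult:
    domain: str
    eligible: bool
    reason: str
    policy: Optional[HstsPolicy] = None


def parse_sts_header(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security field value.

    Returns None where a UA would ignore the header: a directive repeated,
    max-age missing or not a non-negative integer, or includeSubDomains
    given a value. Unknown directives are skipped; names are case-insensitive.
    """
    seen = set()
    max_age = None
    include_subdomains = False
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # the grammar allows empty directive slots
        name, sep, val = raw.partition("=")
        name = name.strip().lower()
        if not _TOKEN.fullmatch(name) or name in seen:
            return None  # malformed name, or a directive appearing twice
        seen.add(name)
        if sep:
            val = val.strip()
            if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
                val = val[1:-1]  # directive-value may be a quoted-string
        else:
            val = None
        if name == "max-age":
            if val is None or not _DELTA_SECONDS.fullmatch(val):
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            if val is not None:
                return None  # a flag directive carries no value
            include_subdomains = True
        # any other directive is an extension and is ignored
    if max_age is None:
        return None  # max-age is the one required directive
    return HstsPolicy(max_age, include_subdomains)


def check_hsts_deployment(domain: str, response: Dict) -> CheckResult:
    """Decide whether `domain` has deployed HSTS well enough to be listed.

    `response` summarises a fetch of https://<domain>/ as
    {"scheme": str, "tls_ok": bool, "headers": {name: value}}.
    """
    if response.get("scheme") != "https" or not response.get("tls_ok"):
        # A UA honours STS only on an error-free TLS connection, so a header
        # seen over plain HTTP or behind a certificate error proves nothing.
        return CheckResult(domain, False, "no error-free HTTPS response")
    header = next((v for k, v in response.get("headers", {}).items()
                   if k.lower() == "strict-transport-security"), None)
    if header is None:
        return CheckResult(domain, False, "no Strict-Transport-Security header")
    policy = parse_sts_header(header)
    if policy is None:
        return CheckResult(domain, False, "malformed Strict-Transport-Security header")
    if policy.max_age < MIN_MAX_AGE_SECONDS:
        return CheckResult(domain, False,
                           f"max-age {policy.max_age} below the admission minimum", policy)
    return CheckResult(domain, True, "ok", policy)


def _resp(scheme: str, tls_ok: bool, headers: Dict[str, str]) -> Dict:
    return {"scheme": scheme, "tls_ok": tls_ok, "headers": headers}


# Constructed responses standing in for live fetches of each submitted domain.
STS = "Strict-Transport-Security"
SAMPLE_RESPONSES = {
    "good.example": _resp("https", True, {STS: "max-age=31536000; includeSubDomains"}),
    "quoted.example": _resp("https", True, {STS.lower(): 'max-age="31536000"'}),
    "short.example": _resp("https", True, {STS: "max-age=600"}),
    "dup.example": _resp("https", True, {STS: "max-age=31536000; max-age=0"}),
    "http-only.example": _resp("http", False, {STS: "max-age=31536000"}),
    "badcert.example": _resp("https", False, {STS: "max-age=31536000"}),
    "none.example": _resp("https", True, {"Content-Type": "text/html"}),
}


def review_submission(domains: List[str], responses=SAMPLE_RESPONSES) -> Dict[str, CheckResult]:
    """Run the deployment check over every domain in a submission."""
    return {d: check_hsts_deployment(d, responses.get(d, {})) for d in domains}


if __name__ == "__main__":
    for domain, result in review_submission(list(SAMPLE_RESPONSES)).items():
        print(f"{domain:20} {'ADMIT' if result.eligible else 'REJECT':7} {result.reason}")
```

The check deliberately refuses anything it did not see on an error-free HTTPS connection: a site that only sends the header over HTTP, or behind a bad certificate, has not deployed HSTS in any sense a browser would honour, and listing it would pin users to a connection that fails. Rejecting a repeated max-age is what keeps the checker's verdict consistent with what a conforming client would do with the same header.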

From gerv@mozilla.org  Mon Jul 25 13:41:04 2011
Return-Path: <gerv@mozilla.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A222221F8AD6 for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 13:41:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KUC7gpeG-pKS for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 13:41:04 -0700 (PDT)
Received: from dm-mail03.mozilla.org (dm-mail03.mozilla.org [63.245.208.213]) by ietfa.amsl.com (Postfix) with ESMTP id 29B9321F88A1 for <websec@ietf.org>; Mon, 25 Jul 2011 13:41:04 -0700 (PDT)
Received: from [10.10.25.94] (unknown [67.23.204.2]) (Authenticated sender: gerv@mozilla.org) by dm-mail03.mozilla.org (Postfix) with ESMTP id C1D8C4AEE4A; Mon, 25 Jul 2011 13:41:02 -0700 (PDT)
Message-ID: <4E2DD4DC.1090802@mozilla.org>
Date: Mon, 25 Jul 2011 13:41:00 -0700
From: Gervase Markham <gerv@mozilla.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20110620 Thunderbird/5.0b2
MIME-Version: 1.0
To: "Yngve N. Pettersen" <yngve@opera.com>
References: <op.vy6s3khdkvaitl@lessa-ii.oslo.os>
In-Reply-To: <op.vy6s3khdkvaitl@lessa-ii.oslo.os>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: websec <websec@ietf.org>
Subject: Re: [websec] Public Suffix definition
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 20:41:04 -0000

On 25/07/11 11:17, Yngve N. Pettersen wrote:
> This draft, which tries to define the term "Public Suffix", as used in
> cookies and document.domain, and elsewhere, may be of interest to the
> websec group.
> 
> <http://www.ietf.org/id/draft-pettersen-subtld-structure-08.txt>

Hi Yngve,

Do you have a script which converts from the currently-standard format
at publicsuffix.org to the proposed new format?

This would help people understand the relationship between the two, as
well as confirming that the new format can hold all the information in
the old one.

Gerv

From ynir@checkpoint.com  Mon Jul 25 13:54:24 2011
Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AA4311E80A2 for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 13:54:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.463
X-Spam-Level: 
X-Spam-Status: No, score=-10.463 tagged_above=-999 required=5 tests=[AWL=0.136, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w3ZOsSuG6iJm for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 13:54:23 -0700 (PDT)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id E636711E809A for <websec@ietf.org>; Mon, 25 Jul 2011 13:54:21 -0700 (PDT)
X-CheckPoint: {4E2DE593-2-1B221DC2-FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id p6PKsI3q019012;  Mon, 25 Jul 2011 23:54:19 +0300
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Mon, 25 Jul 2011 23:54:19 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Gervase Markham <gerv@mozilla.org>
Date: Mon, 25 Jul 2011 23:54:17 +0300
Thread-Topic: [websec] HSTS: Maintenance of hardcoded lists in clients
Thread-Index: AcxLDQWO7GrxgsyLSEevnxYWIU3X4w==
Message-ID: <3E70D071-FED8-4DAC-ADC1-40F130F5C32E@checkpoint.com>
References: <op.vy6sw0qzkvaitl@lessa-ii.oslo.os> <4E2DD1D2.6040001@mozilla.org>
In-Reply-To: <4E2DD1D2.6040001@mozilla.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: multipart/signed; boundary="Apple-Mail-1-460091869"; protocol="application/pkcs7-signature"; micalg=sha1
MIME-Version: 1.0
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] HSTS: Maintenance of hardcoded lists in clients
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 20:54:24 -0000

--Apple-Mail-1-460091869
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii


On Jul 25, 2011, at 4:28 PM, Gervase Markham wrote:

> On 25/07/11 11:13, Yngve N. Pettersen wrote:
>> At least one client supporting HSTS (maybe more) is using a hardcoded
>> list of sites that are always HSTS enabled, as a method of countering
>> the bootstrap problem.
> 
> Is "the bootstrap problem" the problem that on your very first visit to
> a site, you might get MITMed?
> 
> If it's your very first visit, then you won't have a relationship with
> that site, so the risk is much lower. I guess there's also people who
> clear their history, but I suspect that's a relatively rare action.

Clearing history is rare, though not unheard of. But using a website for
the first time from a particular device is not that rare. People get new
computers and new phones occasionally. They also change browsers and
re-install operating systems.

> 
>> If the answer is yes, how should it be maintained? Should it be a single
>> central repository? Who should host it and accept applications?
> 
> As Adam says, I'm sure we can come to a publicsuffix.org-like arrangement.

Agree.

> 
>> A strawman for such an automatic system could be that the website
>> administrator submits a list of servers/domains that are to be HSTS
>> enabled, digitally signed using (one of) the website's own certificate,
> <snip>
> 
> This seems overly-complicated. I'd accept an email-challenge-response
> verified request from an email at that domain, coupled with an automated
> check that the site(s) in question have in fact deployed HSTS.


--Apple-Mail-1-460091869
Content-Disposition: attachment; filename="smime.p7s"
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
--Apple-Mail-1-460091869--

From yngve@opera.com  Mon Jul 25 13:59:34 2011
Return-Path: <yngve@opera.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECAC311E809A for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 13:59:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.266
X-Spam-Level: 
X-Spam-Status: No, score=-7.266 tagged_above=-999 required=5 tests=[AWL=-0.667, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b1VCGZHtx2iT for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 13:59:34 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by ietfa.amsl.com (Postfix) with ESMTP id D646D11E80AC for <websec@ietf.org>; Mon, 25 Jul 2011 13:59:33 -0700 (PDT)
Received: from lessa-ii.oslo.os (pat-tdc.opera.com [213.236.208.22]) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id p6PKxSdk016085 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 25 Jul 2011 20:59:31 GMT
Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes
To: "Gervase Markham" <gerv@mozilla.org>
References: <op.vy6s3khdkvaitl@lessa-ii.oslo.os> <4E2DD4DC.1090802@mozilla.org>
Date: Mon, 25 Jul 2011 22:59:32 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen" <yngve@opera.com>
Organization: Opera Software ASA
Message-ID: <op.vy60lirpkvaitl@lessa-ii.oslo.os>
In-Reply-To: <4E2DD4DC.1090802@mozilla.org>
User-Agent: Opera Mail/10.62 (Win32)
Cc: websec <websec@ietf.org>
Subject: Re: [websec] Public Suffix definition
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 20:59:35 -0000

On Mon, 25 Jul 2011 22:41:00 +0200, Gervase Markham <gerv@mozilla.org>  
wrote:

> On 25/07/11 11:17, Yngve N. Pettersen wrote:
>> This draft, which tries to define the term "Public Suffix", as used in
>> cookies and document.domain, and elsewhere, may be of interest to the
>> websec group.
>>
>> <http://www.ietf.org/id/draft-pettersen-subtld-structure-08.txt>
>
> Hi Yngve,
>
> Do you have a script which converts from the currently-standard format
> at publicsuffix.org to the proposed new format?

Not in a public location, at present, sorry.

> This would help people understand the relationship between the two, as
> well as confirming that the new format can hold all the information in
> the old one.
>
> Gerv


-- 
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************

From yngve@opera.com  Mon Jul 25 13:59:35 2011
Return-Path: <yngve@opera.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EA0311E80AC for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 13:59:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.099
X-Spam-Level: 
X-Spam-Status: No, score=-7.099 tagged_above=-999 required=5 tests=[AWL=-0.500, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lTswO77nazVG for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 13:59:34 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by ietfa.amsl.com (Postfix) with ESMTP id 5A1AE11E80C3 for <websec@ietf.org>; Mon, 25 Jul 2011 13:59:34 -0700 (PDT)
Received: from lessa-ii.oslo.os (pat-tdc.opera.com [213.236.208.22]) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id p6PKxSdl016085 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 25 Jul 2011 20:59:32 GMT
Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes
To: "Gervase Markham" <gerv@mozilla.org>
References: <op.vy6sw0qzkvaitl@lessa-ii.oslo.os> <4E2DD1D2.6040001@mozilla.org>
Date: Mon, 25 Jul 2011 22:59:37 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen" <yngve@opera.com>
Organization: Opera Software ASA
Message-ID: <op.vy60lnbqkvaitl@lessa-ii.oslo.os>
In-Reply-To: <4E2DD1D2.6040001@mozilla.org>
User-Agent: Opera Mail/10.62 (Win32)
Cc: websec@ietf.org
Subject: Re: [websec] HSTS: Maintenance of hardcoded lists in clients
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 20:59:35 -0000

On Mon, 25 Jul 2011 22:28:02 +0200, Gervase Markham <gerv@mozilla.org>  
wrote:

> On 25/07/11 11:13, Yngve N. Pettersen wrote:
>> At least one client supporting HSTS (maybe more) is using a hardcoded
>> list of sites that are always HSTS enabled, as a method of countering
>> the bootstrap problem.
>
> Is "the bootstrap problem", the problem that on your very first visit to
> a site, you might get MITMed?
>
> If it's your very first visit, then you won't have a relationship with
> that site, so the risk is much lower. I guess there's also people who
> clear their history, but I suspect that's a relatively rare action.

It might not be your first visit, just the first visit with that
particular client configuration.

>> If the answer is yes, how should it be maintained? Should it be a single
>> central repository? Who should host it and accept applications?
>
> As Adam says, I'm sure we can come to a publicsuffix.org-like  
> arrangement.

My point is that the involved parties should start thinking about that  
possibility now, rather than scrambling to manage a run-away success.

In such a situation the overload of the maintainers might easily cause  
problems, perhaps leading to inflammatory messages about how "client X's  
HSTS coverage is better than Client Y's" because one of them cannot handle  
the update load, or isn't informed about as many sites as the other  
client. That is the kind of scenario that I would like to avoid.

>> A strawman for such an automatic system could be that the website
>> administrator submits a list of servers/domains that are to be HSTS
>> enabled, digitally signed using (one of) the website's own certificate,
> <snip>
>
> This seems overly-complicated. I'd accept an email-challenge-response
> verified request from an email at that domain, coupled with an automated
> check that the site(s) in question have in fact deployed HSTS.

It may be complicated, particularly given the need to sign with the  
website key, but the intention was to be able to associate the signature  
with the server(s) in question and confirm control of the server in a way  
that might be less ambiguous than email.

This was meant as an initial suggestion. I'll let the WG discuss other  
options if they want to take a look at the issues.

-- 
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************

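As an added illustration (not code from this thread or from any client), a check of the kind Gerv describes above: parse a site's Strict-Transport-Security header and decide whether HSTS is really deployed before a list entry is accepted. The max-age threshold, the includeSubDomains policy and the sample responses are constructed assumptions.

```python
"""Parse a Strict-Transport-Security header and decide whether a site
has actually deployed HSTS, as a list maintainer's automated check might.
Added example, not code from the thread or from any client; the
threshold and the sample responses below are constructed assumptions."""
import re

# HTTP token characters; an STS header is ';'-separated directives, each
# 'name' or 'name=value' with value a token or a quoted-string.
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_DIRECTIVE = re.compile(
    r'\s*(' + _TOKEN + r')'                              # directive name
    r'(?:\s*=\s*("(?:[^"\\]|\\.)*"|' + _TOKEN + r'))?'    # optional value
    r'\s*$')


def parse_sts(value):
    """Return {'max-age': int, 'includesubdomains': bool}, or None when the
    header is malformed or repeats a directive. A UA ignores such a header,
    so a check script must not count it as HSTS being deployed."""
    directives = {}
    for part in value.split(';'):
        if part.strip() == '':
            continue  # tolerate an empty segment from a trailing ';'
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name, raw = m.group(1).lower(), m.group(2)
        if name in directives:
            return None  # duplicate directive: the whole header is invalid
        if raw is not None and raw.startswith('"'):
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])  # unquote the value
        directives[name] = raw
    max_age = directives.get('max-age')
    if max_age is None or not re.fullmatch(r'[0-9]+', max_age):
        return None  # max-age is required and must be a plain integer
    return {
        'max-age': int(max_age),
        'includesubdomains': 'includesubdomains' in directives,
    }


# Assumed acceptance threshold for a hardcoded entry (18 weeks); constructed.
MIN_MAX_AGE = 18 * 7 * 24 * 3600


def check_preload_candidate(host, responses, require_subdomains=True):
    """Decide whether `host` has deployed HSTS in a form worth hardcoding.
    `responses` maps host -> dict of lowercase header names for its HTTPS
    response (a constructed stand-in for a live fetch; the header only
    counts over HTTPS, so an HTTP response must never be used here).
    Returns (accepted, reason)."""
    headers = responses.get(host)
    if headers is None:
        return False, 'no HTTPS response for %s' % host
    value = headers.get('strict-transport-security')
    if value is None:
        return False, 'no Strict-Transport-Security header'
    sts = parse_sts(value)
    if sts is None:
        return False, 'malformed Strict-Transport-Security header'
    if sts['max-age'] < MIN_MAX_AGE:
        return False, 'max-age %d below threshold %d' % (sts['max-age'],
                                                         MIN_MAX_AGE)
    if require_subdomains and not sts['includesubdomains']:
        return False, 'includeSubDomains missing'
    return True, 'ok'


# Constructed sample HTTPS responses, header names already lowercased.
SAMPLE_RESPONSES = {
    'good.example': {'strict-transport-security':
                     'max-age=31536000; includeSubDomains'},
    'short.example': {'strict-transport-security': 'max-age=300'},
    'dup.example': {'strict-transport-security':
                    'max-age=31536000; max-age=0'},
    'none.example': {'content-type': 'text/html'},
}

if __name__ == '__main__':
    for name in sorted(SAMPLE_RESPONSES):
        print(name, check_preload_candidate(name, SAMPLE_RESPONSES))
```
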
From presnick@qualcomm.com  Mon Jul 25 11:29:38 2011
Return-Path: <presnick@qualcomm.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADF6721F8BAA for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 11:29:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.483
X-Spam-Level: 
X-Spam-Status: No, score=-106.483 tagged_above=-999 required=5 tests=[AWL=0.116, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iWWOc77Y8gWp for <websec@ietfa.amsl.com>; Mon, 25 Jul 2011 11:29:38 -0700 (PDT)
Received: from wolverine02.qualcomm.com (wolverine02.qualcomm.com [199.106.114.251]) by ietfa.amsl.com (Postfix) with ESMTP id 0AAA821F85C6 for <websec@ietf.org>; Mon, 25 Jul 2011 11:29:38 -0700 (PDT)
X-IronPort-AV: E=McAfee;i="5400,1158,6418"; a="105569798"
Received: from ironmsg04-r.qualcomm.com ([172.30.46.18]) by wolverine02.qualcomm.com with ESMTP; 25 Jul 2011 11:29:37 -0700
X-IronPort-AV: E=Sophos;i="4.67,261,1309762800"; d="scan'208";a="99315480"
Received: from nasanexhc07.na.qualcomm.com ([172.30.39.190]) by Ironmsg04-R.qualcomm.com with ESMTP/TLS/AES128-SHA; 25 Jul 2011 11:29:36 -0700
Received: from dhcp-228f.meeting.ietf.org (172.30.39.5) by qcmail1.qualcomm.com (172.30.39.190) with Microsoft SMTP Server (TLS) id 14.1.323.0; Mon, 25 Jul 2011 11:29:36 -0700
Message-ID: <4E2DB608.3020304@qualcomm.com>
Date: Mon, 25 Jul 2011 14:29:28 -0400
From: Pete Resnick <presnick@qualcomm.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.9) Gecko/20100630 Eudora/3.0.4
MIME-Version: 1.0
To: <websec@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [172.30.39.5]
X-Mailman-Approved-At: Mon, 25 Jul 2011 14:31:51 -0700
Subject: [websec] draft-ietf-websec-mime-sniff
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 18:29:38 -0000

[Same preface I gave when I spoke at the mic in the WG session: I am 
speaking as an individual IETF participant, not as an AD. This comment 
by itself will not cause me to DISCUSS the document when it comes to the 
IESG. If the consensus of the WG is that I am wrong about this, I may 
validly end up in the "rough" part of the "rough consensus". However, 
this is a comment that needs to be addressed.]

I think this document is a real problem and I object to the current form 
it is in. Having an algorithm without explanation as to *why* one ought 
to perform the steps in the algorithm is completely inappropriate and 
not worthy of WG publication. We do not do blind instructions without 
explanation in the IETF. It also makes it nearly impossible for the IETF 
community to review the document to see if the instructions given are 
sane or not. I think the document either needs to be completely 
rewritten or needs to be withdrawn.

pr

-- 
Pete Resnick <http://www.qualcomm.com/~presnick/>
Qualcomm Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102


From Jeff.Hodges@KingsMountain.com  Tue Jul 26 07:16:42 2011
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 113EF21F8BA3 for <websec@ietfa.amsl.com>; Tue, 26 Jul 2011 07:16:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.179
X-Spam-Level: 
X-Spam-Status: No, score=-99.179 tagged_above=-999 required=5 tests=[AWL=3.086, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XEc9VPlhkdx3 for <websec@ietfa.amsl.com>; Tue, 26 Jul 2011 07:16:41 -0700 (PDT)
Received: from oproxy3-pub.bluehost.com (oproxy3-pub.bluehost.com [69.89.21.8]) by ietfa.amsl.com (Postfix) with SMTP id 68AD421F8B81 for <websec@ietf.org>; Tue, 26 Jul 2011 07:16:41 -0700 (PDT)
Received: (qmail 4098 invoked by uid 0); 26 Jul 2011 14:16:41 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy3.bluehost.com with SMTP; 26 Jul 2011 14:16:41 -0000
Received: from [130.129.83.89] by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1QliR6-0004tC-Sk; Tue, 26 Jul 2011 08:16:41 -0600
Message-ID: <4E2ECC47.40206@KingsMountain.com>
Date: Tue, 26 Jul 2011 07:16:39 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110617 Thunderbird/3.1.11
MIME-Version: 1.0
To: Peter Saint-Andre <stpeter@stpeter.im>, IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 130.129.83.89 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [websec] #12: Remove dependencies on HTTPbis and depend on RFC2616 only
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2011 14:16:42 -0000

StPete asked...
 > On 7/24/11 9:22 PM, websec issue tracker wrote:
 >> #12: Remove dependencies on HTTPbis and depend on RFC2616 only
 >>
 >>  -strict-transport-sec has various dependencies (e.g. STS header field
 >>  ABNF) on HTTPbis.
 >>
 >>  HTTPbis may not complete in a timeframe workable for having -strict-transport-sec
 >>  go to RFC, so we should remove dependencies on HTTPbis, and
 >>  depend on RFC2616 only.
 >
 > Jeff, just curious: what do you perceive as the likely timeframe for
 > publication of both HSTS and HTTPbis?

As I related in the websec wg session yesterday, httpbis is trying to get into 
WG Last Call by the end of 2011, which is a slip from what they were targeting 
as of last fall...

So I decided we shouldn't wait for them (unfortunately). And no one pushed back 
on that in the session yesterday.

=JeffH



From stpeter@stpeter.im  Tue Jul 26 07:42:59 2011
Return-Path: <stpeter@stpeter.im>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A95EF21F8CD0 for <websec@ietfa.amsl.com>; Tue, 26 Jul 2011 07:42:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.531
X-Spam-Level: 
X-Spam-Status: No, score=-102.531 tagged_above=-999 required=5 tests=[AWL=0.068, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jw9B1vpxqZ9v for <websec@ietfa.amsl.com>; Tue, 26 Jul 2011 07:42:59 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 1240221F8CCF for <websec@ietf.org>; Tue, 26 Jul 2011 07:42:59 -0700 (PDT)
Received: from squire.local (unknown [198.135.0.233]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 6B845411C7; Tue, 26 Jul 2011 08:43:57 -0600 (MDT)
Message-ID: <4E2ED271.90809@stpeter.im>
Date: Tue, 26 Jul 2011 10:42:57 -0400
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4E2ECC47.40206@KingsMountain.com>
In-Reply-To: <4E2ECC47.40206@KingsMountain.com>
X-Enigmail-Version: 1.2
OpenPGP: url=https://stpeter.im/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] #12: Remove dependencies on HTTPbis and depend on RFC2616 only
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2011 14:42:59 -0000

On 7/26/11 10:16 AM, =JeffH wrote:
> StPete asked...
>> On 7/24/11 9:22 PM, websec issue tracker wrote:
>>> #12: Remove dependencies on HTTPbis and depend on RFC2616 only
>>>
>>>  -strict-transport-sec has various dependencies (e.g. STS header field
>>>  ABNF) on HTTPbis.
>>>
>>>  HTTPbis may not complete in a timeframe workable for having -strict-transport-sec
>>>  go to RFC, so we should remove dependencies on HTTPbis, and
>>>  depend on RFC2616 only.
>>
>> Jeff, just curious: what do you perceive as the likely timeframe for
>> publication of both HSTS and HTTPbis?
> 
> As I related in the websec wg session yesterday, httpbis is trying to
> get into WG Last Call by the end of 2011, which is a slip from what they
> were targeting as of last fall...
> 
> So I decided we shouldn't wait for them (unfortunately). And no one
> pushed back on that in the session yesterday.

Yep, just checking.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/



From gerv@mozilla.org  Tue Jul 26 11:38:59 2011
Return-Path: <gerv@mozilla.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 733B721F8BBE for <websec@ietfa.amsl.com>; Tue, 26 Jul 2011 11:38:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kf5itNY5P46t for <websec@ietfa.amsl.com>; Tue, 26 Jul 2011 11:38:58 -0700 (PDT)
Received: from dm-mail03.mozilla.org (dm-mail03.mozilla.org [63.245.208.213]) by ietfa.amsl.com (Postfix) with ESMTP id D771B21F8B8B for <websec@ietf.org>; Tue, 26 Jul 2011 11:38:58 -0700 (PDT)
Received: from [192.168.51.33] (unknown [67.51.233.200]) (Authenticated sender: gerv@mozilla.org) by dm-mail03.mozilla.org (Postfix) with ESMTP id 6D7D24AEDF6; Tue, 26 Jul 2011 11:38:58 -0700 (PDT)
Message-ID: <4E2F09C2.9010905@mozilla.org>
Date: Tue, 26 Jul 2011 11:38:58 -0700
From: Gervase Markham <gerv@mozilla.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20110620 Thunderbird/5.0b2
MIME-Version: 1.0
To: "Yngve N. Pettersen" <yngve@opera.com>
References: <op.vy6s3khdkvaitl@lessa-ii.oslo.os> <4E2DD4DC.1090802@mozilla.org> <op.vy60lirpkvaitl@lessa-ii.oslo.os>
In-Reply-To: <op.vy60lirpkvaitl@lessa-ii.oslo.os>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: websec <websec@ietf.org>
Subject: Re: [websec] Public Suffix definition
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2011 18:38:59 -0000

On 25/07/11 13:59, Yngve N. Pettersen wrote:
>> Do you have a script which converts from the currently-standard format
>> at publicsuffix.org to the proposed new format?
> 
> Not in a public location, at present, sorry.

I think that would be helpful for people to evaluate your proposal.

Gerv

From derhoermi@gmx.net  Tue Jul 26 16:29:33 2011
Return-Path: <derhoermi@gmx.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81BCD11E80C4 for <websec@ietfa.amsl.com>; Tue, 26 Jul 2011 16:29:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.671
X-Spam-Level: 
X-Spam-Status: No, score=-3.671 tagged_above=-999 required=5 tests=[AWL=-1.072, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CCQV-6v+rJe1 for <websec@ietfa.amsl.com>; Tue, 26 Jul 2011 16:29:32 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id A7B1D11E80C0 for <websec@ietf.org>; Tue, 26 Jul 2011 16:29:31 -0700 (PDT)
Received: (qmail invoked by alias); 26 Jul 2011 23:29:29 -0000
Received: from dslb-094-223-187-169.pools.arcor-ip.net (EHLO HIVE) [94.223.187.169] by mail.gmx.net (mp002) with SMTP; 27 Jul 2011 01:29:29 +0200
X-Authenticated: #723575
X-Provags-ID: V01U2FsdGVkX1+Wpi0rTI6WLoQHX1KPumpUPjHDJVkUE0cv8kOEo1 dyY6JDJIFZmxP/
From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Gervase Markham <gerv@mozilla.org>
Date: Wed, 27 Jul 2011 01:29:29 +0200
Message-ID: <cjiu275o02h2vctqmin189ma4t93s464f5@hive.bjoern.hoehrmann.de>
References: <op.vy6sw0qzkvaitl@lessa-ii.oslo.os> <4E2DD1D2.6040001@mozilla.org>
In-Reply-To: <4E2DD1D2.6040001@mozilla.org>
X-Mailer: Forte Agent 3.3/32.846
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Y-GMX-Trusted: 0
Cc: websec@ietf.org
Subject: Re: [websec] HSTS: Maintenance of hardcoded lists in clients
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2011 23:29:33 -0000

* Gervase Markham wrote:
>If it's your very first visit, then you won't have a relationship with
>that site, so the risk is much lower. I guess there's also people who
>clear their history, but I suspect that's a relatively rare action.

Actually, that's usually the first thing you are told to do when your
browser doesn't work quite right with a site and there aren't many
details to go on; often the web sites will tell you to clear the cache,
http://www.google.com/support/accounts/bin/answer.py?answer=32050 for
instance even has videos on how to do it. Users might not do this
habitually, but a man-in-the-middle would seem to have plenty of ways
to try and persuade users to do it (he could book an ad suggesting to
do this to users within the geographical region, for instance).
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 

From matt@mattmccutchen.net  Tue Jul 26 17:24:59 2011
Return-Path: <matt@mattmccutchen.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD3AB21F8B05 for <websec@ietfa.amsl.com>; Tue, 26 Jul 2011 17:24:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F8bZT-WYTdVk for <websec@ietfa.amsl.com>; Tue, 26 Jul 2011 17:24:59 -0700 (PDT)
Received: from homiemail-a2.g.dreamhost.com (caiajhbdcbef.dreamhost.com [208.97.132.145]) by ietfa.amsl.com (Postfix) with ESMTP id 0C0C721F8AFF for <websec@ietf.org>; Tue, 26 Jul 2011 17:24:59 -0700 (PDT)
Received: from homiemail-a2.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a2.g.dreamhost.com (Postfix) with ESMTP id BCE4328006D; Tue, 26 Jul 2011 17:24:58 -0700 (PDT)
Received: from [192.168.1.39] (pool-74-96-44-194.washdc.east.verizon.net [74.96.44.194]) (using SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: matt@mattmccutchen.net) by homiemail-a2.g.dreamhost.com (Postfix) with ESMTPSA id 14DB5280069;  Tue, 26 Jul 2011 17:24:57 -0700 (PDT)
From: Matt McCutchen <matt@mattmccutchen.net>
To: Gervase Markham <gerv@mozilla.org>
In-Reply-To: <4E2DD1D2.6040001@mozilla.org>
References: <op.vy6sw0qzkvaitl@lessa-ii.oslo.os> <4E2DD1D2.6040001@mozilla.org>
Content-Type: text/plain; charset="UTF-8"
Date: Tue, 26 Jul 2011 20:24:56 -0400
Message-ID: <1311726296.7071.30.camel@localhost>
Mime-Version: 1.0
X-Mailer: Evolution 2.32.3 
Content-Transfer-Encoding: 7bit
Cc: websec@ietf.org
Subject: Re: [websec] HSTS: Maintenance of hardcoded lists in clients
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2011 00:24:59 -0000

On Mon, 2011-07-25 at 13:28 -0700, Gervase Markham wrote:
> On 25/07/11 11:13, Yngve N. Pettersen wrote:
> > At least one client supporting HSTS (maybe more) is using a hardcoded
> > list of sites that are always HSTS enabled, as a method of countering
> > the bootstrap problem.
> 
> Is "the bootstrap problem", the problem that on your very first visit to
> a site, you might get MITMed?
> 
> If it's your very first visit, then you won't have a relationship with
> that site, so the risk is much lower.

No... in the general case, you are dereferencing a https URL provided by
someone else who expects you to use server authentication.  See
https://bugzilla.mozilla.org/show_bug.cgi?id=653318#c3 that I just
posted; it refers to the risks of not using server authentication at
all, but the risks of not knowing about HSTS are analogous.

-- 
Matt


From matt@mattmccutchen.net  Tue Jul 26 17:37:06 2011
Return-Path: <matt@mattmccutchen.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22D9A5E8016 for <websec@ietfa.amsl.com>; Tue, 26 Jul 2011 17:37:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nNtzaDZBYruO for <websec@ietfa.amsl.com>; Tue, 26 Jul 2011 17:37:05 -0700 (PDT)
Received: from homiemail-a60.g.dreamhost.com (caiajhbdccac.dreamhost.com [208.97.132.202]) by ietfa.amsl.com (Postfix) with ESMTP id 856235E8015 for <websec@ietf.org>; Tue, 26 Jul 2011 17:37:05 -0700 (PDT)
Received: from homiemail-a60.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a60.g.dreamhost.com (Postfix) with ESMTP id 5AFC43BC06A; Tue, 26 Jul 2011 17:37:05 -0700 (PDT)
Received: from [192.168.1.39] (pool-74-96-44-194.washdc.east.verizon.net [74.96.44.194]) (using SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: matt@mattmccutchen.net) by homiemail-a60.g.dreamhost.com (Postfix) with ESMTPSA id D0B143BC062;  Tue, 26 Jul 2011 17:37:04 -0700 (PDT)
From: Matt McCutchen <matt@mattmccutchen.net>
To: "Yngve N. Pettersen" <yngve@opera.com>
In-Reply-To: <op.vy6sw0qzkvaitl@lessa-ii.oslo.os>
References: <op.vy6sw0qzkvaitl@lessa-ii.oslo.os>
Content-Type: text/plain; charset="UTF-8"
Date: Tue, 26 Jul 2011 20:37:02 -0400
Message-ID: <1311727022.7071.39.camel@localhost>
Mime-Version: 1.0
X-Mailer: Evolution 2.32.3 
Content-Transfer-Encoding: 7bit
Cc: websec@ietf.org
Subject: [websec] DNSSEC (Re: HSTS: Maintenance of hardcoded lists in clients)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2011 00:37:06 -0000

On Mon, 2011-07-25 at 20:13 +0200, Yngve N. Pettersen wrote:
> At least one client supporting HSTS (maybe more) is using a hardcoded list  
> of sites that are always HSTS enabled, as a method of countering the  
> bootstrap problem.
> 
> As I understand it, the process for how a website gets on such lists is  
> currently very ad hoc, which isn't really a problem at this time, since it  
> is experimental.
> 
> However, once HSTS moves into standardized deployment, it may be that many  
> websites will want to get listed on such a list

The obvious solution is to put the data in DNSSEC.  The problem is that
current deployments are hostile enough to DNSSEC to make fail-secure a
painful experience.  I'm seeing this now using nss-dane
( https://mattmccutchen.net/cryptid/#nss-dane ) for my personal
browsing: so far I've poked seven exceptions for broken DNS servers, and
on some public access points I cannot get through to DNSSEC at all.  If
anyone has an idea to make this better, let me know!

Ditto the above for the public suffix list.  It's currently the only way
to really isolate untrusted subdomains so you don't have to make all
your applications robust to cross-subdomain cookie forcing.

-- 
Matt


From matt@mattmccutchen.net  Tue Jul 26 17:50:42 2011
Return-Path: <matt@mattmccutchen.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E72511E80DC for <websec@ietfa.amsl.com>; Tue, 26 Jul 2011 17:50:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wJZha6EsaWrJ for <websec@ietfa.amsl.com>; Tue, 26 Jul 2011 17:50:42 -0700 (PDT)
Received: from homiemail-a4.g.dreamhost.com (caiajhbdcbef.dreamhost.com [208.97.132.145]) by ietfa.amsl.com (Postfix) with ESMTP id BB9D811E80D4 for <websec@ietf.org>; Tue, 26 Jul 2011 17:50:30 -0700 (PDT)
Received: from homiemail-a4.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a4.g.dreamhost.com (Postfix) with ESMTP id 8DE7251C070; Tue, 26 Jul 2011 17:50:30 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=mattmccutchen.net; h=subject:from :to:cc:in-reply-to:references:content-type:date:message-id :mime-version:content-transfer-encoding; q=dns; s= mattmccutchen.net; b=A1wroYszxXOdQGpWmTi0jqiQcV/vCStK2kqZ6QU0eEe tdShtLYBcCObSN+DW0+gQ6ZQQLRT1sPPGoQl6vvLKYlgDRFxAtfEB46g9hwondiA qiChLIO9vQzzmQpTfjBuSVF0xXISoTpolUPhVA8rwIc8ure/An2EJ3TpDT7g25ME =
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mattmccutchen.net; h= subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:content-transfer-encoding; s= mattmccutchen.net; bh=DGI151JZlRf4qnKdaOsy7njm4Vo=; b=HkqIrQTrHx u0x34GRhFFz5OsKOmXoiR63qQd6uu2NGYS/iq1wqIss6Pt+lnGPn+KPFncfrJB3y I+bv2DYLou0GrEFNbHkl++Uuy/BYmEEqTsg8a07II8jMQ0lZCMUxiqulGugnbstW lzKz+x+anv5bnzVDYjCJ3z8yWI6fNfFCY=
Received: from [192.168.1.39] (pool-74-96-44-194.washdc.east.verizon.net [74.96.44.194]) (using SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: matt@mattmccutchen.net) by homiemail-a4.g.dreamhost.com (Postfix) with ESMTPSA id 1EA3D51C069;  Tue, 26 Jul 2011 17:50:29 -0700 (PDT)
From: Matt McCutchen <matt@mattmccutchen.net>
To: "Yngve N. Pettersen" <yngve@opera.com>
In-Reply-To: <1311727022.7071.39.camel@localhost>
References: <op.vy6sw0qzkvaitl@lessa-ii.oslo.os> <1311727022.7071.39.camel@localhost>
Content-Type: text/plain; charset="UTF-8"
Date: Tue, 26 Jul 2011 20:50:25 -0400
Message-ID: <1311727825.7071.44.camel@localhost>
Mime-Version: 1.0
X-Mailer: Evolution 2.32.3 
Content-Transfer-Encoding: 7bit
Cc: websec@ietf.org
Subject: Re: [websec] DNSSEC (Re: HSTS: Maintenance of hardcoded lists in clients)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2011 00:50:42 -0000

On Tue, 2011-07-26 at 20:37 -0400, Matt McCutchen wrote:
> I'm seeing this now using nss-dane
> ( https://mattmccutchen.net/cryptid/#nss-dane ) for my personal
> browsing: so far I've poked seven exceptions for broken DNS servers,

I should clarify: these seven are all insecure zones, so if I made the
client check whether the zone is verified-insecure rather than just
stopping on the query failure, I would be OK.  The phenomenon of
ostensibly "high-performance" or "locked-down" DNS servers that don't
support enough of the protocol to prove the non-use of opt-in schemes
has not appeared yet for secure zones.  Let's hope it never does.

> and
> on some public access points I cannot get through to DNSSEC at all.

But this problem isn't going away any time soon.

-- 
Matt
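
The distinction Matt draws in the two messages above (a zone that is *proven* insecure versus a lookup that merely failed, and a fail-secure client that treats the two differently) as an added example; this is not code from nss-dane or from anyone in the thread. It performs no cryptography: each delegation on the path from the root to the name is represented by what a validator observed at the parent after signature checking, and the zone shapes, observation names and the HSTS-from-DNS policy are constructed for illustration (the draft defines no DNS record for HSTS).

```javascript
// Added example (not from nss-dane or the thread): how a fail-secure
// DNSSEC client should classify a name before trusting, or refusing,
// DNS-published policy such as an HSTS flag. No cryptography here; each
// delegation carries what the validator observed at the parent after
// signature checking, so the logic is the chain walk, not the crypto.

// Validation states as in RFC 4035 section 4.3.
const SECURE = "secure";               // every link validated down to the answer
const INSECURE = "insecure";           // validated NSEC/NSEC3 proves a delegation has no DS
const BOGUS = "bogus";                 // a signature or required record failed validation
const INDETERMINATE = "indeterminate"; // neither proof nor failure: records never arrived

// What a validator can observe at one delegation (the parent's view of a child):
//   "DS"              validated DS: the child zone is signed, keep validating
//   "NO_DS_PROVEN"    validated NSEC/NSEC3 denial of DS: child is unsigned by design
//   "NO_DS_UNPROVEN"  no DS and no denial proof returned (broken resolver or hotspot)
//   "BAD_SIG"         DS or denial record present but its RRSIG failed
// Observations for the final answer RRset: "VALID", "INVALID", "MISSING".

function classify(chain, answer) {
  // `chain` lists observations from the root's child zone down to the leaf zone.
  for (const obs of chain) {
    switch (obs) {
      case "DS": continue;                   // still inside the secure island
      case "NO_DS_PROVEN": return INSECURE;  // provably unsigned from here down
      case "NO_DS_UNPROVEN": return INDETERMINATE;
      case "BAD_SIG": return BOGUS;
      default: throw new Error("unknown observation " + obs);
    }
  }
  // Every delegation was secure, so the answer must carry a valid RRSIG.
  // A missing signature inside a signed zone is indistinguishable from an
  // attacker stripping it, so it is BOGUS, not INDETERMINATE.
  return answer === "VALID" ? SECURE : BOGUS;
}

// Policy decision for a hypothetical DNS-published HSTS record. Only SECURE
// data may set policy; an INSECURE zone simply has no DNS policy; BOGUS and
// INDETERMINATE fail closed (a client like the one in the thread would ask
// the user for an exception at this point instead).
function hstsFromDns(state, recordSaysHsts) {
  switch (state) {
    case SECURE: return { connect: true, forceHttps: recordSaysHsts };
    case INSECURE: return { connect: true, forceHttps: false };
    default: return { connect: false, forceHttps: false };
  }
}

// Constructed scenarios (not real zones or measurements).
const scenarios = {
  // TLD signed, zone signed, answer signed: the good case
  signedSite:     { chain: ["DS", "DS"], answer: "VALID" },
  // TLD signed; the zone has a validated NSEC at the parent proving no DS
  provenInsecure: { chain: ["DS", "NO_DS_PROVEN"], answer: "MISSING" },
  // the "locked-down" server: no DS, and it will not return the denial proof
  unprovenNoDs:   { chain: ["DS", "NO_DS_UNPROVEN"], answer: "MISSING" },
  // a hotspot resolver that strips RRSIGs from a signed zone's answer
  strippedSigs:   { chain: ["DS", "DS"], answer: "MISSING" },
};

function decide(name) {
  const s = scenarios[name];
  const state = classify(s.chain, s.answer);
  return { state, policy: hstsFromDns(state, true) };
}

for (const name of Object.keys(scenarios)) {
  const d = decide(name);
  console.log(name, d.state, d.policy);
}
```

The second scenario is the one Matt's clarification is about: with the denial proof in hand the client treats the zone as ordinary, unsigned DNS and connects; only when the proof never arrives (third scenario) or a signature is missing inside a signed zone (fourth) does fail-secure bite.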


From ietf@adambarth.com  Thu Jul 28 16:45:57 2011
Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4BAD21F87AF for <websec@ietfa.amsl.com>; Thu, 28 Jul 2011 16:45:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.267
X-Spam-Level: 
X-Spam-Status: No, score=-3.267 tagged_above=-999 required=5 tests=[AWL=-0.290, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z5cVTEiszgPf for <websec@ietfa.amsl.com>; Thu, 28 Jul 2011 16:45:57 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 312A621F8799 for <websec@ietf.org>; Thu, 28 Jul 2011 16:45:57 -0700 (PDT)
Received: by iye7 with SMTP id 7so4074378iye.31 for <websec@ietf.org>; Thu, 28 Jul 2011 16:45:56 -0700 (PDT)
Received: by 10.231.34.11 with SMTP id j11mr423649ibd.86.1311896756760; Thu, 28 Jul 2011 16:45:56 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by mx.google.com with ESMTPS id c2sm949591ibd.39.2011.07.28.16.45.55 (version=SSLv3 cipher=OTHER); Thu, 28 Jul 2011 16:45:55 -0700 (PDT)
Received: by iye7 with SMTP id 7so4074349iye.31 for <websec@ietf.org>; Thu, 28 Jul 2011 16:45:55 -0700 (PDT)
Received: by 10.231.116.8 with SMTP id k8mr446233ibq.37.1311896755102; Thu, 28 Jul 2011 16:45:55 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.190.82 with HTTP; Thu, 28 Jul 2011 16:45:25 -0700 (PDT)
In-Reply-To: <4E2DB608.3020304@qualcomm.com>
References: <4E2DB608.3020304@qualcomm.com>
From: Adam Barth <ietf@adambarth.com>
Date: Thu, 28 Jul 2011 16:45:25 -0700
Message-ID: <CAJE5ia-vG-PpZL2Gwcd8tQwWdXaLvpysiPQaM3OvCQhZFOGb-g@mail.gmail.com>
To: Pete Resnick <presnick@qualcomm.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: websec@ietf.org
Subject: Re: [websec] draft-ietf-websec-mime-sniff
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 23:45:57 -0000

Hi Pete,

On Mon, Jul 25, 2011 at 11:29 AM, Pete Resnick <presnick@qualcomm.com> wrote:
> I think this document is a real problem and I object to the current form it is
> in. Having an algorithm without explanation as to *why* one ought to perform
> the steps in the algorithm is completely inappropriate and not worthy of WG
> publication. We do not do blind instructions without explanation in the
> IETF. It also makes it nearly impossible for the IETF community to review
> the document to see if the instructions given are sane or not. I think the
> document either needs to be completely rewritten or needs to be withdrawn.

I appreciate your being straightforward on this topic.  I certainly
understand your point of view, and I don't have a particular desire to
twist your (or the large IETF community's) arm in this matter.  Rather
than fight over this topic, I think it would be better for me to
withdraw the document.

Thanks,
Adam

From mnot@mnot.net  Thu Jul 28 16:52:18 2011
Return-Path: <mnot@mnot.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FB1011E8127 for <websec@ietfa.amsl.com>; Thu, 28 Jul 2011 16:52:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.598
X-Spam-Level: 
X-Spam-Status: No, score=-104.598 tagged_above=-999 required=5 tests=[AWL=-2.000, BAYES_00=-2.599, NO_RDNS_DOTCOM_HELO=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QlmExmEevRYw for <websec@ietfa.amsl.com>; Thu, 28 Jul 2011 16:52:17 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) by ietfa.amsl.com (Postfix) with ESMTP id 4040211E810A for <websec@ietf.org>; Thu, 28 Jul 2011 16:52:17 -0700 (PDT)
Received: from unknown-10-101-30-x.yahoo.com (unknown [209.131.62.115]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 5C49F509DB; Thu, 28 Jul 2011 19:52:10 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CAJE5ia-vG-PpZL2Gwcd8tQwWdXaLvpysiPQaM3OvCQhZFOGb-g@mail.gmail.com>
Date: Thu, 28 Jul 2011 16:52:07 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <C12E7839-532B-43DE-97D9-9FB5418FFDD2@mnot.net>
References: <4E2DB608.3020304@qualcomm.com> <CAJE5ia-vG-PpZL2Gwcd8tQwWdXaLvpysiPQaM3OvCQhZFOGb-g@mail.gmail.com>
To: Adam Barth <ietf@adambarth.com>
X-Mailer: Apple Mail (2.1084)
Cc: Pete Resnick <presnick@qualcomm.com>, websec@ietf.org
Subject: Re: [websec] draft-ietf-websec-mime-sniff
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 23:52:18 -0000

On 28/07/2011, at 4:45 PM, Adam Barth wrote:

> Hi Pete,
>
> On Mon, Jul 25, 2011 at 11:29 AM, Pete Resnick <presnick@qualcomm.com> wrote:
>> I think this document is a real problem and I object to the current form it is
>> in. Having an algorithm without explanation as to *why* one ought to perform
>> the steps in the algorithm is completely inappropriate and not worthy of WG
>> publication. We do not do blind instructions without explanation in the
>> IETF. It also makes it nearly impossible for the IETF community to review
>> the document to see if the instructions given are sane or not. I think the
>> document either needs to be completely rewritten or needs to be withdrawn.
>
> I appreciate your being straightforward on this topic.  I certainly
> understand your point of view, and I don't have a particular desire to
> twist your (or the large IETF community's) arm in this matter.  Rather
> than fight over this topic, I think it would be better for me to
> withdraw the document.


That's a bit of an extreme reaction.

You could annotate the document with a commentary of why particular decisions were taken. You could add an appendix.

You could even get someone else to do this if you don't have time or interest.

I'd rather see this document published -- even if flawed or incomplete -- than not published. It represents a big step forward from the current situation. Pete's just asking for how you got to where you are.

Cheers,


--
Mark Nottingham   http://www.mnot.net/




From ietf@adambarth.com  Thu Jul 28 16:59:15 2011
Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2EF121F8A4D for <websec@ietfa.amsl.com>; Thu, 28 Jul 2011 16:59:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.241
X-Spam-Level: 
X-Spam-Status: No, score=-3.241 tagged_above=-999 required=5 tests=[AWL=-0.264, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AJ0N1jZc9Gsn for <websec@ietfa.amsl.com>; Thu, 28 Jul 2011 16:59:15 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 0105D21F8A23 for <websec@ietf.org>; Thu, 28 Jul 2011 16:59:12 -0700 (PDT)
Received: by iye7 with SMTP id 7so4086198iye.31 for <websec@ietf.org>; Thu, 28 Jul 2011 16:59:12 -0700 (PDT)
Received: by 10.43.50.2 with SMTP id vc2mr527339icb.24.1311897552538; Thu, 28 Jul 2011 16:59:12 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by mx.google.com with ESMTPS id 3sm959463ibm.10.2011.07.28.16.59.11 (version=SSLv3 cipher=OTHER); Thu, 28 Jul 2011 16:59:11 -0700 (PDT)
Received: by iye7 with SMTP id 7so4086176iye.31 for <websec@ietf.org>; Thu, 28 Jul 2011 16:59:11 -0700 (PDT)
Received: by 10.231.113.33 with SMTP id y33mr422982ibp.62.1311897551136; Thu, 28 Jul 2011 16:59:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.190.82 with HTTP; Thu, 28 Jul 2011 16:58:41 -0700 (PDT)
In-Reply-To: <C12E7839-532B-43DE-97D9-9FB5418FFDD2@mnot.net>
References: <4E2DB608.3020304@qualcomm.com> <CAJE5ia-vG-PpZL2Gwcd8tQwWdXaLvpysiPQaM3OvCQhZFOGb-g@mail.gmail.com> <C12E7839-532B-43DE-97D9-9FB5418FFDD2@mnot.net>
From: Adam Barth <ietf@adambarth.com>
Date: Thu, 28 Jul 2011 16:58:41 -0700
Message-ID: <CAJE5ia9CmDKUjdVcLU9+7NvY2qMrtN12P40qpAaSFHeSwj-6KA@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: Pete Resnick <presnick@qualcomm.com>, websec@ietf.org
Subject: Re: [websec] draft-ietf-websec-mime-sniff
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 23:59:15 -0000

On Thu, Jul 28, 2011 at 4:52 PM, Mark Nottingham <mnot@mnot.net> wrote:
> On 28/07/2011, at 4:45 PM, Adam Barth wrote:
>> On Mon, Jul 25, 2011 at 11:29 AM, Pete Resnick <presnick@qualcomm.com> wrote:
>>> I think this document is a real problem and I object to the current form it is
>>> in. Having an algorithm without explanation as to *why* one ought to perform
>>> the steps in the algorithm is completely inappropriate and not worthy of WG
>>> publication. We do not do blind instructions without explanation in the
>>> IETF. It also makes it nearly impossible for the IETF community to review
>>> the document to see if the instructions given are sane or not. I think the
>>> document either needs to be completely rewritten or needs to be withdrawn.
>>
>> I appreciate your being straightforward on this topic.  I certainly
>> understand your point of view, and I don't have a particular desire to
>> twist your (or the large IETF community's) arm in this matter.  Rather
>> than fight over this topic, I think it would be better for me to
>> withdraw the document.
>
> That's a bit of an extreme reaction.
>
> You could annotate the document with a commentary of why particular decisions were taken. You could add an appendix.
>
> You could even get someone else to do this if you don't have time or interest.
>
> I'd rather see this document published -- even if flawed or incomplete -- than not published. It represents a big step forward from the current situation. Pete's just asking for how you got to where you are.

Pete seemed pretty clear.  He asked me to either rewrite the document
completely or withdraw it.  Rather than fighting about this document,
I'd rather move forward with documents the working group and the IETF
are excited about publishing.

Adam

From derhoermi@gmx.net  Thu Jul 28 17:25:36 2011
Return-Path: <derhoermi@gmx.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DD825E8004 for <websec@ietfa.amsl.com>; Thu, 28 Jul 2011 17:25:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.58
X-Spam-Level: 
X-Spam-Status: No, score=-3.58 tagged_above=-999 required=5 tests=[AWL=-0.981,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HwVE49LrQjmL for <websec@ietfa.amsl.com>; Thu, 28 Jul 2011 17:25:35 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id E2CC45E8001 for <websec@ietf.org>; Thu, 28 Jul 2011 17:25:34 -0700 (PDT)
Received: (qmail invoked by alias); 29 Jul 2011 00:25:32 -0000
Received: from dslb-094-223-181-014.pools.arcor-ip.net (EHLO HIVE) [94.223.181.14] by mail.gmx.net (mp054) with SMTP; 29 Jul 2011 02:25:32 +0200
X-Authenticated: #723575
X-Provags-ID: V01U2FsdGVkX1/teko5C8vtqjqgnqrjICNnvjymyswp4qjSEnulP6 nfB0pfjYrTc+lS
From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Pete Resnick <presnick@qualcomm.com>
Date: Fri, 29 Jul 2011 02:25:35 +0200
Message-ID: <tmt337537hmfof6k844cghm64orerkn2hj@hive.bjoern.hoehrmann.de>
References: <4E2DB608.3020304@qualcomm.com>
In-Reply-To: <4E2DB608.3020304@qualcomm.com>
X-Mailer: Forte Agent 3.3/32.846
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Y-GMX-Trusted: 0
Cc: websec@ietf.org
Subject: Re: [websec] draft-ietf-websec-mime-sniff
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jul 2011 00:25:36 -0000

* Pete Resnick wrote:
>I think this document is a real problem and I object to the current form 
>it is in. Having an algorithm without explanation as to *why* one ought 
>to perform the steps in the algorithm is completely inappropriate and 
>not worthy of WG publication. We do not do blind instructions without 
>explanation in the IETF. It also makes it nearly impossible for the IETF 
>community to review the document to see if the instructions given are 
>sane or not. I think the document either needs to be completely 
>rewritten or needs to be withdrawn.

My experience is that people who are given instructions, but no means to
understand why the instructions are given, tend to implement them wrong.
My experience is also that people who give instructions, but do not
explain why they are giving them, often do not really understand why they
provide the instructions either, which often means the instructions they
are giving are actually wrong, in one sense or another.

You can largely eliminate both problems by having a test suite that can
easily be automated: if people use the test suite, they'll find cases
where the wrong instructions are given, and they can find cases where
the instructions have been misunderstood or incorrectly implemented. So,
if there is a very good test suite, I could live with a specification
that does not explain rationale behind requirements quite well.

(A test suite does not replace rationale, as a test suite would capture
only the status quo, which may change at any time; how it may change is
dependent on rationale, so even with the most excellent test suite, a
specification without rationale is strictly worse than one with as you
could not predict changes based, only, on what you know from both.)
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 

From ietf@adambarth.com  Fri Jul 29 11:28:08 2011
Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 363B821F8B84 for <websec@ietfa.amsl.com>; Fri, 29 Jul 2011 11:28:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.219
X-Spam-Level: 
X-Spam-Status: No, score=-4.219 tagged_above=-999 required=5 tests=[AWL=0.758,  BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, GB_I_LETTER=-2, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zHrtCYsY9ICd for <websec@ietfa.amsl.com>; Fri, 29 Jul 2011 11:28:07 -0700 (PDT)
Received: from mail-gw0-f44.google.com (mail-gw0-f44.google.com [74.125.83.44]) by ietfa.amsl.com (Postfix) with ESMTP id A2FED21F8B82 for <websec@ietf.org>; Fri, 29 Jul 2011 11:28:07 -0700 (PDT)
Received: by gwb20 with SMTP id 20so3410916gwb.31 for <websec@ietf.org>; Fri, 29 Jul 2011 11:28:07 -0700 (PDT)
Received: by 10.236.182.225 with SMTP id o61mr754142yhm.257.1311964087228; Fri, 29 Jul 2011 11:28:07 -0700 (PDT)
Received: from mail-yi0-f44.google.com (mail-yi0-f44.google.com [209.85.218.44]) by mx.google.com with ESMTPS id j9sm518480yhn.39.2011.07.29.11.28.05 (version=SSLv3 cipher=OTHER); Fri, 29 Jul 2011 11:28:05 -0700 (PDT)
Received: by yie30 with SMTP id 30so3277814yie.31 for <websec@ietf.org>; Fri, 29 Jul 2011 11:28:05 -0700 (PDT)
Received: by 10.42.77.73 with SMTP id h9mr1175608ick.210.1311964085143; Fri, 29 Jul 2011 11:28:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.190.82 with HTTP; Fri, 29 Jul 2011 11:27:35 -0700 (PDT)
In-Reply-To: <4E24B10A.1070000@lookout.net>
References: <4E248B9C.1070701@gondrom.org> <4E24B10A.1070000@lookout.net>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 29 Jul 2011 11:27:35 -0700
Message-ID: <CAJE5ia9vOshj6S+GuuCPpn66tVZ2SrVsmFD24kbWCvp2VoWAkw@mail.gmail.com>
To: Chris Weber <chris@lookout.net>
Content-Type: text/plain; charset=ISO-8859-1
Cc: websec@ietf.org
Subject: Re: [websec] lower-casing in the idna-canonicalized host name
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jul 2011 18:28:08 -0000

On Mon, Jul 18, 2011 at 3:17 PM, Chris Weber <chris@lookout.net> wrote:
> Under the definition of an "idna-canonicalized" host name in section 2.3,
> step 2 - is it known that the reader will handle NR-LDH and A-labels as
> locale-insensitive ASCII, or should it be explicitly stated that the
> lower-case conversion in step "2" should be locale-insensitive, or use
> English as the locale?
>
> Otherwise even with ASCII input a lower-case operation could result in a
> U+0049 LATIN CAPITAL LETTER I becoming U+0131 LATIN SMALL LETTER DOTLESS I
> under the Turkish "tr-TR" locale.

I've added a reference to i;ascii-casemap, defined in RFC4790.
Hopefully that is unambiguous.

Thanks,
Adam
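
The step discussed above, lower-casing an idna-canonicalized host with i;ascii-casemap so that the result cannot depend on the process locale, as an added example; it is not code from the origin draft or from any browser. The `canonicalHost` check that rejects anything other than LDH/A-label ASCII after case mapping, the `sameOrigin` comparison and the `localeVersusAscii` helper are this example's own additions, and the host names used are constructed.

```javascript
// Added example (not from the origin draft or any browser): lower-casing
// an idna-canonicalized host with i;ascii-casemap (RFC 4790 section 9.2)
// so that origin comparison cannot depend on the process locale.

// i;ascii-casemap maps only U+0041..U+005A to U+0061..U+007A. Every other
// code point, ASCII or not, is copied through unchanged.
function asciiCasemap(s) {
  let out = "";
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    out += cp >= 0x41 && cp <= 0x5a ? String.fromCodePoint(cp + 0x20) : ch;
  }
  return out;
}

// An idna-canonicalized host consists of NR-LDH labels and A-labels, so
// after ASCII case mapping every label must still be plain LDH ASCII.
// Anything else means the caller skipped IDNA conversion; this example
// refuses rather than compare a non-canonical string (an assumption of
// this example, not a rule the draft states).
function canonicalHost(host) {
  const lowered = asciiCasemap(host);
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(lowered)) {
    throw new Error("host is not an idna-canonicalized (LDH/A-label) name: " + host);
  }
  return lowered;
}

// Origin equality: scheme, canonical host and port must all match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme
      && canonicalHost(a.host) === canonicalHost(b.host)
      && a.port === b.port;
}

// Shows the hazard raised in the thread: under tr-TR a locale-aware
// lower-case turns U+0049 into U+0131 (dotless i) where ICU locale data is
// present, so "WIKI.example" and "wiki.example" would no longer compare
// equal. Returns both results so the caller can see whether they differ.
function localeVersusAscii(host, locale) {
  return { locale: host.toLocaleLowerCase(locale), ascii: asciiCasemap(host) };
}

// Constructed demonstration values.
console.log(asciiCasemap("WWW.Example.COM"));       // www.example.com
console.log(asciiCasemap("xn--MNCHEN-3YA.de"));     // xn--mnchen-3ya.de
console.log(localeVersusAscii("WIKI.example", "tr-TR"));
// The Unicode default lower-case also maps non-ASCII *into* ASCII
// (KELVIN SIGN U+212A becomes "k"), another reason to restrict the
// mapping to the ASCII range:
console.log("\u212A".toLowerCase(), asciiCasemap("\u212A"));
console.log(sameOrigin(
  { scheme: "https", host: "WIKI.Example.com", port: 443 },
  { scheme: "https", host: "wiki.example.com", port: 443 }));  // true
```

Whether `localeVersusAscii` actually shows a dotless i depends on the runtime having Turkish locale data; the ASCII result is the same everywhere, which is the point of referencing i;ascii-casemap.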

From ietf@adambarth.com  Fri Jul 29 11:35:55 2011
Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE1DA11E8082 for <websec@ietfa.amsl.com>; Fri, 29 Jul 2011 11:35:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.277
X-Spam-Level: 
X-Spam-Status: No, score=-3.277 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id on6U-p+1vEkJ for <websec@ietfa.amsl.com>; Fri, 29 Jul 2011 11:35:54 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id AD72D11E8074 for <websec@ietf.org>; Fri, 29 Jul 2011 11:35:54 -0700 (PDT)
Received: by iye7 with SMTP id 7so5178690iye.31 for <websec@ietf.org>; Fri, 29 Jul 2011 11:35:54 -0700 (PDT)
Received: by 10.231.43.139 with SMTP id w11mr1135730ibe.82.1311964553149; Fri, 29 Jul 2011 11:35:53 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by mx.google.com with ESMTPS id y3sm1507486ibc.3.2011.07.29.11.35.50 (version=SSLv3 cipher=OTHER); Fri, 29 Jul 2011 11:35:50 -0700 (PDT)
Received: by iye7 with SMTP id 7so5178632iye.31 for <websec@ietf.org>; Fri, 29 Jul 2011 11:35:50 -0700 (PDT)
Received: by 10.231.113.33 with SMTP id y33mr1076435ibp.62.1311964550084; Fri, 29 Jul 2011 11:35:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.190.82 with HTTP; Fri, 29 Jul 2011 11:35:20 -0700 (PDT)
In-Reply-To: <4E05BCED.8010702@gmx.de>
References: <BANLkTik1AnXaWfPEM+PtB8ctqU_mahkWbQ@mail.gmail.com> <4E05BCED.8010702@gmx.de>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 29 Jul 2011 11:35:20 -0700
Message-ID: <CAJE5ia_RTnKmZSiW7nd4+K2AYqRwheBvwdqs7O=rrMaz1oxpHQ@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: websec <websec@ietf.org>
Subject: Re: [websec] draft-ietf-websec-origin-02
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jul 2011 18:35:56 -0000

On Sat, Jun 25, 2011 at 3:48 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 2011-06-24 22:59, Adam Barth wrote:
>>
>> ...
>> The new version includes Security Considerations, IANA Considerations,
>> and a completed references section.  Feedback on the new Security
>> Considerations section would be much appreciated.
>> ...
>
> Editorial nits: the references section should cite Internet Drafts as such;
> see
>
>
> http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-hybi-thewebsocketprotocol-09.xml
>
> and
>
>
> http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-websec-mime-sniff-03.xml
>
> (note you may want to shorten the anchors)
>
> For the W3C references I recommend the format in
> <http://greenbytes.de/tech/webdav/rfc2629xslt/w3c-references.html>:
>
> <reference anchor='WD-cors-20100727'
>           target='http://www.w3.org/TR/2010/WD-cors-20100727/'>
>  <front>
>    <title>Cross-Origin Resource Sharing</title>
>    <author fullname='Anne van Kesteren' surname='van Kesteren'
> initials='A.'/>
>    <date year='2010' month='July' day='27'/>
>  </front>
>  <seriesInfo name='W3C Working Draft' value='WD-cors-20100727'/>
>  <annotation>
>    Latest version available at
>    <eref target='http://www.w3.org/TR/cors/'/>.
>  </annotation>
> </reference>
>
> <reference anchor='WD-html5-20110525'
>           target='http://www.w3.org/TR/2011/WD-html5-20110525/'>
>  <front>
>    <title>HTML5</title>
>    <author fullname='Ian Hickson' surname='Hickson' initials='I.'/>
>    <date year='2011' month='May' day='25'/>
>  </front>
>  <seriesInfo name='W3C Working Draft' value='WD-html5-20110525'/>
>  <annotation>
>    Latest version available at
>    <eref target='http://www.w3.org/TR/html5/'/>.
>  </annotation>
> </reference>

Done.

Adam

From duerst@it.aoyama.ac.jp  Sun Jul 31 02:38:25 2011
Return-Path: <duerst@it.aoyama.ac.jp>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6754E21F8666 for <websec@ietfa.amsl.com>; Sun, 31 Jul 2011 02:38:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.856
X-Spam-Level: 
X-Spam-Status: No, score=-99.856 tagged_above=-999 required=5 tests=[AWL=-0.066, BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, MIME_8BIT_HEADER=0.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ERGWTVbmFYby for <websec@ietfa.amsl.com>; Sun, 31 Jul 2011 02:38:25 -0700 (PDT)
Received: from scintmta01.scbb.aoyama.ac.jp (scintmta01.scbb.aoyama.ac.jp [133.2.253.33]) by ietfa.amsl.com (Postfix) with ESMTP id B11D221F8665 for <websec@ietf.org>; Sun, 31 Jul 2011 02:38:16 -0700 (PDT)
Received: from scmse01.scbb.aoyama.ac.jp ([133.2.253.231]) by scintmta01.scbb.aoyama.ac.jp (secret/secret) with SMTP id p6V9cDTX014980 for <websec@ietf.org>; Sun, 31 Jul 2011 18:38:13 +0900
Received: from (unknown [133.2.206.133]) by scmse01.scbb.aoyama.ac.jp with smtp id 57da_4aae_cfa28d8c_bb58_11e0_9a69_001d096c566a; Sun, 31 Jul 2011 18:38:13 +0900
Received: from [IPv6:::1] ([133.2.210.1]:36885) by itmail.it.aoyama.ac.jp with [XMail 1.22 ESMTP Server] id <S1536C94> for <websec@ietf.org> from <duerst@it.aoyama.ac.jp>; Sun, 31 Jul 2011 18:38:17 +0900
Message-ID: <4E352282.1000103@it.aoyama.ac.jp>
Date: Sun, 31 Jul 2011 18:38:10 +0900
From: =?ISO-8859-1?Q?=22Martin_J=2E_D=FCrst=22?= <duerst@it.aoyama.ac.jp>
Organization: Aoyama Gakuin University
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.9) Gecko/20100722 Eudora/3.0.4
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <4E2DB608.3020304@qualcomm.com>	<CAJE5ia-vG-PpZL2Gwcd8tQwWdXaLvpysiPQaM3OvCQhZFOGb-g@mail.gmail.com>	<C12E7839-532B-43DE-97D9-9FB5418FFDD2@mnot.net> <CAJE5ia9CmDKUjdVcLU9+7NvY2qMrtN12P40qpAaSFHeSwj-6KA@mail.gmail.com>
In-Reply-To: <CAJE5ia9CmDKUjdVcLU9+7NvY2qMrtN12P40qpAaSFHeSwj-6KA@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Pete Resnick <presnick@qualcomm.com>, Mark Nottingham <mnot@mnot.net>, websec@ietf.org
Subject: Re: [websec] draft-ietf-websec-mime-sniff
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Jul 2011 09:38:25 -0000

On 2011/07/29 8:58, Adam Barth wrote:
> On Thu, Jul 28, 2011 at 4:52 PM, Mark Nottingham<mnot@mnot.net>  wrote:
>> On 28/07/2011, at 4:45 PM, Adam Barth wrote:
>>> On Mon, Jul 25, 2011 at 11:29 AM, Pete Resnick<presnick@qualcomm.com>  wrote:
>>>> I think this document is a real problem and I object to the current form it is
>>>> in. Having an algorithm without explanation as to *why* one ought to perform
>>>> the steps in the algorithm is completely inappropriate and not worthy of WG
>>>> publication. We do not do blind instructions without explanation in the
>>>> IETF. It also makes it nearly impossible for the IETF community to review
>>>> the document to see if the instructions given are sane or not. I think the
>>>> document either needs to be completely rewritten or needs to be withdrawn.
>>>
>>> I appreciate your being straightforward on this topic.  I certainly
>>> understand your point of view, and I don't have a particular desire to
>>> twist your (or the large IETF community's) arm in this matter.  Rather
>>> than fight over this topic, I think it would be better for me to
>>> withdraw the document.
>>
>> That's a bit of an extreme reaction.
>>
>> You could annotate the document with a commentary of why particular decisions were taken. You could add an appendix.
>>
>> You could even get someone else to do this if you don't have time or interest.
>>
>> I'd rather see this document published -- even if flawed or incomplete -- than not published. It represents a big step forward from the current situation. Pete's just asking for how you got to where you are.
>
> Pete seemed pretty clear.

Yes indeed. That's his style. To me, it seems close to your style :-).

> He asked me to either rewrite the document
> completely or withdraw it.

He explicitly wrote that this was his personal opinion. The fact that he 
said he won't raise a DISCUSS means that he will respect WG consensus.

> Rather than fighting about this document,
> I'd rather move forward with documents the working group and the IETF
> are excited about publishing.

Well, come on. There are lots of documents in the IETF that nobody is 
really excited about. Think about all the NAT-related stuff to start with.

And I hope you will admit to yourself that there's tons of stuff within 
and outside of the IETF that's way more exciting than MIME sniffing. As 
you probably understand better than others, it nevertheless seems to be 
necessary.

Regards,   Martin.

