MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_NextPart_01C3F7CC.6A53C610" This document is a Single File Web Page, also known as a Web Archive file. If you are seeing this message, your browser or editor doesn't support Web Archive files. Please download a browser that supports Web Archive, such as Microsoft Internet Explorer. ------=_NextPart_01C3F7CC.6A53C610 Content-Location: file:///C:/E567E524/SecurityScenarios-0.15-WGD.htm Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset="us-ascii" WS Basic Security Profile WG Security Scenarios

WS-I Security Scenarios

Document St= atus: Working Group Draft

Version: 0.15

Date:  14 February 2004

Editors:

Mark Davis, Sarvega

Bret Hartman, DataPower

Chris Kaler, Microsoft

Anthony Nadalin, IBM

Jerry Schwarz, Oracle

 

Copyright

Copyright © 2004 by The Web Services-Interoperabi= lity Organization (WS-I) and Certain of its Members. All Rights Reserved.

 

Status of this Document

This documen= t is a Working Group Draft; it has been accepted by the Working Group as reflecting the current state of discussions. It is a work in progress, and should not = be considered authoritative or final; other documents may supersede this docum= ent.

 

Notice

The material contained herein is not a license, either expressly or impliedly, to any intellectual property owned or controlled by= any of the authors or developers of this material or WS-I. The material contain= ed herein is provided on an "AS IS" basis and to the maximum extent permitted by applicable law, this material is provided AS IS AND WITH ALL FAULTS, and the authors and developers of this material and WS-I hereby disclaim all other warranties and conditions, either express, implied or statutory, including, but not limited to, any (if any) implied warranties, duties or conditions of merchantability, of fitness for a particular purpos= e, of accuracy or completeness of responses, of results, of workmanlike effort= , of lack of viruses, and of lack of negligence. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, CORRESPONDENCE TO DESCRIPTION OR NON-INFRINGEMENT WITH REGARD TO THIS MATERIAL.

IN NO EVENT WILL ANY AUTHOR OR DEVELOPER OF THIS MATER= IAL OR WS-I BE LIABLE TO ANY OTHER PARTY FOR THE COST OF PROCURING SUBSTITUTE GOOD= S OR SERVICES, LOST PROFITS, LOSS OF USE, LOSS OF DATA, OR ANY INCIDENTAL, CONSEQUENTIAL, DIRECT, INDIRECT, OR SPECIAL DAMAGES WHETHER UNDER CONTRACT, TORT, WARRANTY, OR OTHERWISE, ARISING IN ANY WAY OUT OF THIS OR ANY OTHER AGREEMENT RELATING TO THIS MATERIAL, WHETHER OR NOT SUCH PARTY HAD ADVANCE NOTICE OF THE POSSIBILITY OF SUCH DAMAGES.


Feedback=

The Web Services-Interoperability Organization (WS-I) = would like to receive input, suggestions and other feedback ("Feedback"= ) on this work from a wide variety of industry participants to improve its quali= ty over time.

By sending email, or otherwise communicating with WS-I= , you (on behalf of yourself if you are an individual, and your company if you are providing Feedback on behalf of the company) will be deemed to have granted= to WS-I, the members of WS-I, and other parties that have access to your Feedb= ack, a non-exclusive, non-transferable, worldwide, perpetual, irrevocable, royalty-free license to use, disclose, copy, license, modify, sublicense or otherwise distribute and exploit in any manner whatsoever the Feedback you = provide regarding the work. You acknowledge that you have no expectation of confidentiality with respect to any Feedback you provide. You represent and warrant that you have rights to provide this Feedback, and if you are provi= ding Feedback on behalf of a company, you represent and warrant that you have the rights to provide Feedback on behalf of your company. You also acknowledge = that WS-I is not required to review, discuss, use, consider or in any way incorporate your Feedback into future versions of its work. If WS-I does incorporate some or all of your Feedback in a future version of the work, it may, but is not obligated to include your name (or, if you are identified as acting on behalf of your company, the name of your company) on a list of contributors to the work. If the foregoing is not acceptable to you and any company on whose behalf you are acting, please do not provide any Feedback.=

Feedback on this document should be directed to secpro= file_comment@ws-i.org.

 


Table of Contents

1 Introduction. 5=

2 Glossary. <= /span>6=

2.1 Basic Definitions. 6=

2.1.1   &nbs= p;  Discussion. 6=

2.2 Messages. <= /span>6=

2.2.1   &nbs= p;  Discussion. 7=

2.3 SOAP 1.2. <= /span>7=

2.3.1   &nbs= p;  Discussion. 8=

2.4 Sending Messages. 8=

2.4.1   &nbs= p;  Discussion. 8=

3 Security Challenges. 9=

3.1 C-01: Peer Identification and Authentication. 9=

3.2 C-02: Data Origin Identification and Authentication. 10=

3.3 C-03: Data Integrity. 11=

3.3.1   &nbs= p;  C-03A: Transport Data Integrity. 11=

3.3.2   &nbs= p;  C-03B: SOAP Message Integrity. 12=

3.4 C-04: Data Confidentiality. 12=

3.4.1   &nbs= p;  C-04A: Transport Data Confidentiality. 13=

3.4.2   &nbs= p;  C–04B: SOAP message confidentiality. 13=

3.5 C-05: Message Uniqueness. 14=

4 Threats. <= /span>15=

5 Security Solutions and Mechanisms. 17=

5.1 Transport Layer Security Descriptions. 17=

5.1.1   &nbs= p;  Integrity. 18=

5.1.2   &nbs= p;  Confidentiality. 18=

5.1.3   &nbs= p;  Authentication by HTTP Service. 19=

5.1.4   &nbs= p;  Authentication by HTTP User Agent 19=

5.1.5   &nbs= p;  Attributes. 20=

5.1.6   &nbs= p;  Combinations. 20=

5.2 SOAP Message Layer Security Descriptions. 21=

5.2.1   &nbs= p;  Integrity. 22=

5.2.2   &nbs= p;  Confidentiality. 22=

5.2.3   &nbs= p;  SOAP Sender Authentication. 22=

5.2.4   &nbs= p;  Attributes. 23=

5.2.5   &nbs= p;  Message Uniqueness. 23=

5.2.6   &nbs= p;  Combinations. 25=

5.3 Combining Transport Layer and SOAP Message Layer Mechanisms. 26=

5.4 Transport and Message Layer Security Combinations. 27=

5.5 Security Considerations for Combinations. 29=

5.5 Security Considerations for Combinations. 29=

5.5.1   &nbs= p;  Transport Layer Security Solutions. 29=

5.5.2   &nbs= p;  SOAP Message Layer Security Solutions. 31=

5.5.3   &nbs= p;  Hybrid Security Solutions. 33=

6 Scenarios. <= /span>36=

6.1 Notation for Describing Scenarios. 36=

6.2 Conventions for Describing Security Requirements and Solutions. 37=

6.3 Terminology. 37=

6.4 Generic Security Requirements. 37=

6.4.1   &nbs= p;  Requirement: Peer Authentication. 37=

6.4.2   &nbs= p;  Requirement: Origin Authentication. 38=

6.4.3   &nbs= p;  Requirement: Integrity. <= /span>38=

6.4.4   &nbs= p;  Requirement: Confidentiality. 39=

6.4.5   &nbs= p;  Requirement: Message Uniqueness. 39=

6.5 Scenario Descriptions. 39=

6.5.1   &nbs= p;  Scenario: One-Way. <= /span>39=

6.5.2   &nbs= p;  Scenario: Synchronous Request/Response. 40=

6.5.3   &nbs= p;  Basic Callback. <= /span>41=

7 Out of Scope. <= /span>43=

7.1 Security Challenges. 43=

7.1.1   &nbs= p;  C-05: Non-Repudiation. 43=

7.1.2   &nbs= p;  C-06: Credentials Issuance. 43=

7.2 Threats. <= /span>44=

8 Acronyms. <= /span>48=

9 References. 49=

10 Informative References. 50=

1 Introduction

This document defines the requirements for and scope o= f the WS-I Basic Security Profile.  = The document is aimed at Web Services architects and developers who are examini= ng the security aspects of the Web Services they are designing/developing. 

This document:

  • Identifies security challenges. These are general security goals or features that inform the selection of specific security requirements in scenarios.
  • Identifies the typical threats that prevent accomplishment of each challenge.
  • Identifies the typical countermeasures (technologies and protocols) used to mitig= ate each threat.
  • Document potential usage scenarios and the security challenges and threats that might apply to each (derived from the templates found in the Supply Ch= ain Management Use Cases and Scenarios documents).

This document assumes that the reader has at least a b= asic background in security technologies such as SSL/TLS, XML encryption and dig= ital signatures, and OASIS Web Services Security.

This document does not deal with security aspects of attaching material to SOAP messages as described in the WS-I Attachment Pro= file 1.0.  A final version of this document will include this material.

2 Glossary

2.1 Basic Definitions

This section defines vocabulary that will be used to r= efer to the various entities and concepts in this document.  

The following terms are used to describe certain entit= ies.

  • Participant: Any entity that plays some part in the scenarios.  This is deliberately vague. No attempt is made to define entities or to characterize them. A particip= ant might be a person, an institution, a computer, and a network or belong= to some other category. Most obviously it includes the systems that excha= nge SOAP messages, but it also includes entities such as the original crea= tor of content, or HTTP proxies that are not explicitly named in the scenarios.
  • SOAP Node: [Copied with modification from [SOAP 1.1] The embodiment of the processing logic neces= sary to transmit, receive, process and/or relay a SOAP message, according to the set of conventions defined by SOAP 1.1 or SOAP 1.2. A SOAP node is responsible for enforcing the rules that govern the exchange of SOAP messages.  It accesses the services provided by the underlying protocols through one or more SOAP bindings.

2.1.1          Discussion

An alternative is to use “entity” as the m= ost abstract term and reserve “participant” for the SOAP nodes that= are parts of scenarios.  However, “entity” sounds a bit stilted.=   Note that a SOAP node is a participant.

2.2 Messages=

Communication channels are inevitably layered. When, a= s in this document, it is necessary to discuss the interaction between layers so= me care is required to distinguish between events and messages at one level fr= om those that occur at a lower level. In general what appears to be an atomic action, such as message transmission, at one level will have a more complic= ated structure at a lower level.  <= /p>

We are primarily interested in transmission of SOAP me= ssages and the participants in the transmission. However in some cases we are also interested in non-SOAP messages.

Message: Protocol e= lements that are exchanged, usually over a network, to affect a Web service (i.e. SOAP/HTTP messages)

  • SOAP Message:  [Copied fro= m [SOAP 1.2] The basic unit of communication between SOAP nodes.
  • SOAP Layer: The communication layer at which SOAP nodes reside.
  • HTTP Message: The basic unit of HTTP communication
  • Transport Layer: The communication layers below the SOAP layer.
  • SSL/TLS: The communication layer below HTTP where security concerns are address= ed See [RFC 2246]. There are technical differences between TLS= and SSL, but these differences are not significant for this document. SSL/= TLS refers to the profiled choice of SSL/TLS technology produced by the Ba= sic Security Profile work group, and may thus be limited to versions of the technology as well as selected ciphersuites and other profiling recommendations.
  • HTTPS: The combination of HTTP with SSL/TLS.

2.2.1          Discussion

Normally HTTP and SSL/TLS would be considered separate layers. Consolidating them and lower layers compresses the stack. But it is convenient to treat HTTP, SSL/TLS and lower layers together.

2.3 SOAP 1.2=

SOAP 1.2 defines the following terms:

  • SOAP
  • SOAP node
  • SOAP role
  • SOAP binding
  • SOAP feature
  • SOAP module
  • SOAP message exchange pattern
  • SOAP application
  • SOAP message
  • SOAP envelope
  • SOAP header
  • SOAP header block
  • SOAP body
  • SOAP fault
  • SOAP sender
  • SOAP receiver
  • SOAP message path
  • Initial SOAP sender
  • SOAP intermediary
  • Ultimate SOAP receiver.

2.3.1          Discussion

We adopt these terms with the understanding that we wi= ll apply them to SOAP 1.1 messages rather than SOAP 1.2 messages. We will not = use any terms that refer specifically to SOAP 1.2 features that are not present= in SOAP 1.1

2.4 Sending Messages

The participants in a message event are referred to as=

  • Sender: [From [BP 1.0]] The software that generates a message according to the protocol(s) associated with it.
  • Receiver: [From [BP 1.0]] The software that consumes a message accord= ing to the protocol(s) associated with it (e.g. SOAP processors).

In most contexts it is not necessary to distinguish the various layers in the communication, however when it is necessary to do so “sender” or “receiver” may be modified by the proto= col involved, so that “SOAP sender” and “HTTP receiver”= can be used.

2.4.1          Discussion

The use of “sender” and “receiver= 221; is so natural that it would be hard to avoid them even if they weren’t part of the official glossary.

3 Security Challenges

This section identifies potential security challenges = that scenario may want to address.  The following subsections characterize the identified security challenges with = the following attributes:

  • ID: A unique challenge identifier in the form C-nn.
  • Definition(s): One or more relevant definitions related to this challenge taken from = the Internet Security Glossary [RFC 2828]
  • Explanation: Supporting web services contextual explanation and comments. With furt= her review and development, some explanations may be suitable as input to a WS-I Glossary that lists security-specific terms.
  • Candidate technology: Technology solutions that can be used to address security threa= ts and risks associated with this challenge. The suitability of a candida= te technology is discussed in the discussion of each specific scenario, taking into account considerations for that scenario.
  • Threat association: A mapping of security threats associated with the challen= ge, with references to specific threats outlined in Section 4and Section 7.2. Threats that are related specifically to the provided explanation are included within the threat association. Threa= ts that relate to the underlying mechanisms that are needed to address the security challenge are not identified. For example the exchange of aut= hentication data should leverage integrity and confidentiality mechanisms, however specific integrity and confidentiality threats are not identified for authentication challenges.
    Threats enumerated in Section 4 are labeled T-XX. Those in Section 7.2 are considered “out of scope” and labeled T(OOS)-XX.  ̶= 0;Out of Scope” means they are not addressed by any available candidate technology. There is no connection between the numbering of these two groups.

3.1 C-01: Pe= er Identification and Authentication

Definitions:

Peer entity authentication: The corroboration that a p= eer entity in an association is the one claimed.

Identification: An act or process that presents an identifier to a system so that the system can recognize a system entity and distinguish it from other entities.

Explanation: Any relationship between entities = can be considered an “association” for purposes of this definition. For example, it does not require that the two entities directly communicate with each other.

Although the term “authentication” is some= times used to include both the presentation and the corroboration of an identifier this document uses “authentication” in the narrower sense defin= ed here.

A participan= t may convey information to another participant to establish identity in conjunct= ion with the use of techniques to corroborate that information. The two SOAP participants are not necessarily directly connected by a single hop, for example the participants might be the initial SOAP sender and a second SOAP intermediary. Depending on application requirements (security policy) it ma= y be reasonable to authenticate the sender, receiver or to use mutual authentication.

NOTE:

It is important for a relying party to ensure the correctness of the identification associated with authentication. For examp= le, in using SSL/TLS a server may present an X.509 certificate to associate identity information with a public key and use the corresponding private ke= y to prove possession of the private key. A relying party should not only rely on the authentication technology, but should also ensure that the information associated with the authentication is correct, thus authorizing further processing based on that information. This may include steps such as ensuri= ng that the HTTP request domain name corresponds to the server certificate name and performing certificate validation. Such care is necessary in light of man-in-the-middle, DNS or TCP/IP attacks (T-05) where authentication may wo= rk technically but does not corroborate the correct party. Authorization is important but not addressed in this document.

Candidate technology:

  • HTTPS with X.509 server authentication
  • HTTP client authentication (Basic or Digest)
  • HTTPS with X.509 mutual authentication of server and user agent
  • OASIS SOAP Message Security

Threat association:

T-04, T-05, T-06, T-07, T-08, T(OOS)-01, T(OOS)-03, T(OOS)-04, T(OOS)-08,  T(OOS)-= 13

3.2 C-02: Da= ta Origin Identification and Authentication

Definitions:

Data origin authentication: The corroboration that the source of data received is as claimed.

Identification: An act or process that presents an identifier to a system so that the system can recognize a system entity and distinguish it from other entities.

Explanation: The provision and authentication of a declaration, carried in a web service message that some entity vouches for certain parts of the message. (Here, i= t is intended that attachments be considered “parts” of a message.) = Note that it is possible that more than one entity might be involved in vouching= for message parts. Also note that it is application-dependent as to how it is determined who initially created the message, as the message originator mig= ht be independent of, or hidden behind a vouching entity. This mechanism does not provide for the Authentication of the Destination prior to transmission of application data. However, the encrypt= ion of the data with a key only known to the legitimate destination can effecti= vely serve as an implicit form of Destination Authentication if that is required= .

This of course does not prevent the impersonation of the legitimate destination for the purposes of Denial of Service.

Candidate technology:

  • OASIS SOAP Message Security
  • MIME with XML Signature/XML Encryption
  • XML Signature as used apart from OASIS SOAP Message Security and SOAP mess= age exchanges, e.g. for identification and authentication of payloads

Threat association:

T-04, T-05, T-06, T-07, T-08, T(OOS)-01, T(OOS)-03, T(OOS)-04, T(OOS)-08), T(OOS)-13

3.3= C-03: Data Integrity

Definition: Data integrity: The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner = (see [RFC 2828]).

Explanation: Data in a web services context is taken to mean a SO= AP message or portions of a SOAP message, including one or more SOAP header, b= ody, or attachment parts. Although data integrity is concerned with allowing a recipient of data to detect changes, whether accidental or malicious, data origin authentication mechanisms are required in conjunction with data inte= grity mechanisms in order to protect against active substitution and forgery atta= cks. When only providing integrity for portions of content, care must be taken to protect against subtle attacks, especially when a message is targeted at SO= AP intermediaries as well as an ultimate receiver.

Note that the term “Integrity” is generall= y used differently in the field of information management to mean that the data is correct, proper, accurate, and consistent with other data or the real world= . In this sense it usually implies that there are well-regulated procedures of creating, modifying and deleting the data. Here we are using “Integrity” in the security sense of not being altered without detection of such alteration even when under active attack.

Threat associ= ation: T-01, T-02. Additional threats associated with sub-categories of data integ= rity are listed below. Note that when used in conjunction with data origin authentication T-04, T-05 and T-06 are addressed.

3.3.1          C-03A: Transport Data Integrity

Definition:

Transport Data Integrity:  Data integrity provided by the pro= tocol layer that SOAP messages are bound to, e.g. HTTP secured by SSL/TLS (HTTPS)= .

Explanation:<= /b> Transport integrity is applied to the entire SOAP message and may also incl= ude underlying protocol layers. For example, with HTTPS the HTTP message is also protected. Such transport layer security is “transient” in that= the integrity is only effective while the transport session exists. Transport integrity is not appropriate for end-to-end security (from SOAP initiator to ultimate receiver) when SOAP intermediaries are present, since SOAP process= ing rules allow intermediaries to make changes to the SOAP message, and since transport protection is not in effect during intermediary processing.

Candidate technology:

  • SSL/TLS with encryption enabled.

Additional Th= reat Associations: T-09, T(OOS)-10,

3.3.2          C-03B: SOAP Message Integrity

Definition: <= o:p>

Soap Message Integrity: Data integri= ty applied at the SOAP Messaging la= yer in a manner that allows SOAP processing rules to be followed.

Explanation:<= /b> SOAP message data integrity is for a web service message that may be processed by SOAP intermediaries and may exist for extended periods of time at intermedi= ary and/or ultimate receiver SOAP nodes before being processed. The intention i= s to protect message data even when not in transit, such as before processing is completed. An example is a SOAP message waiting at a SOAP node for aggregat= ion with other content yet to be processed. Transport integrity is inappropriate for such cases since it terminates with the transport session.

SOAP message integrity should be applied to a SOAP mes= sage in a manner that enables processing by SOAP intermediaries, which suggests = that integrity protecting a combination of SOAP header blocks and the body is preferable to protecting the entire SOAP envelope element or the entire SOAP header element. Protection may also include SOAP attachments.

Candidate technologies:

·         XML Signatures as profiled in the OASIS SOAP Message Security specification.
Note that keys may be conveyed out of band or with the message using a SOAP Message Security token profile, including (but not limited to) Username tok= ens (for derived keys), X.509, Kerberos tokens or others.

·         XML Signatures with MIME, not in the context= of SOAP Message Security (out of scope)

·         CMS (pkcs7) with MIME

XML Signatures not in the context of SOAP Message Secu= rity headers can be used by applications, but that use is not addressed in this document.

3.4 C-04: Da= ta Confidentiality

Definition: Data confidentiality:  The property= that information is not made available or disclosed to unauthorized individuals, entities, or processes [i.e. to any unauthorized system entity] (RFC 2828).=

Explanation: The property that eavesdroppers or other unauthorized parties cannot view confidential message content. Typically this is achieved with encryption. Note that confidentiality is a distinct concept from priva= cy, so in the definition "disclosure" refers to the ability to view or eavesdrop the information when transferred or processed. Confidentiality techniques may be used as one aspect of maintaining privacy, however.<= /o:p>

Threat Associations: T-03, T(OOS)-10

Disclosure related attacks= as well as attacks that reduce the confidentiality strength (e.g. man-in-the-middle SSL/TLS ciphersuite attacks) are relevant.

3.4.1          C-04A: Transport Data Confidentiality

Definition: Data confidentiality provided by the protocol layers that SOAP messages are boun= d to in a transport protocol stack specific manner. An example is HTTP secured by SSL/TLS (HTTPS).

Explanation: Data confidentiality is applied to the entirety of th= e SOAP message as well as possibly other protocol layers (e.g. HTTP when SSL/TLS i= s in use). With end-to-end confidentiality between the initial SOAP sender and t= he ultimate receiver this prevents the use of SOAP intermediaries.

Candidate tec= hnology:

  • SSL/TLS with encryption enabled.

Additional th= reat associations:

none.

3.4.2          C–04B: SOAP message confidentiality

Definition: <= /b>Data confidentiality applied at the= SOAP messaging layer in a manner that allows SOAP processing rules to be followe= d.

Explanation: SOAP message confidentiality supports the confidentiality requirements unique to SOAP messaging, including:

  1. SOAP intermediaries may be present and must be able to follow SOAP processi= ng rules for the message, even when confidentiality has been applied.
  2. Confidentiality may be applied to multiple portions of a SOAP message and be intended = for different SOAP messaging participants.
  3. A SOAP message (or portions) may retain confidentiality protection while= not in transit.

This may include extended p= eriods of time that the SOAP message is queued at an intermediary or ultimate rece= iver before being processed. An example is a SOAP message waiting at a SOAP node= for aggregation with other content yet to be processed.

Transport confidentiality is generally inappropriate f= or these requirements since it terminates with the transport session.

In order for SOAP message confidentiality to be applie= d to a SOAP message in a manner that enables processing by SOAP intermediaries, a combination of SOAP header blocks, body blocks and attachments is appropria= te, but the soap:Envelope, soap:Header and soap:Body elements must be visible to all parties and should not be encrypted. The SOAP message must also remain well-formed XML.

Candidate technologies:

  • XML Encryption, as profiled by the OASIS SOAP Message Secur= ity specification.

Additional th= reat associations: none

 

3.5 C-05: Me= ssage Uniqueness

Definition: the ability to insure = that a specific message is not resubmitted for processing.

Explanation= : Attacker could resen= d all or selective parts of a message causing undesirable side effects. For examp= le, an attacker sending the same valid message moving money from one bank accou= nt to another bank account. The original message request is valid, but not its replay. Additionally, sending the same valid message is frequently used in = many denial-of-service attacks. While an application solution against replay att= acks may utilize message ordering and reliable message delivery mechanisms, this security challenge makes no attempts to address these issues.

Candidate technologies:

·      =    At the transport layer, using SSL/TLS between the node generating t= he request and the node insuring for downstream nodes that this is a unique request.

·      =    At the message layer, the sending and receiving SOAP nodes must do a combination of different things. The sender must sign SOAP message header nonce, creation time[, expiration time] and optional user data. This user d= ata may include critical transactional information and service identification elements. The transactional data protects the actual user request. The opti= onal service identification elements protect the replay of the signature to anot= her service that utilizes the same message data. The receiving node must verify= the signature and check that the creation time is not stale. Lastly, it must compare the received nonce with a cache of previously receive nonces. This cache of nonces must be maintained until the associated expiration time or = the creation time plus a hard-coded delta has expired. Note: when multiple serv= ers are performing this functionality, some mechanism must be implemented to cr= eate a functional global cache across all these systems.

Threat association: T-08, T-09, T-10.

4 Threats

This section details a list of traditional security threats.  Note that in many ca= ses the threats overlap. That is particular attacks may represent threats in several categories.

 

ID

Name

Description

T-01

Message Alteration

The message information is altered by inserting, rem= oving or otherwise modifying information created by the originator of the information and mistaken by the receiver as being the originator’s intention. There is not necessarily a one to one correspondence between message information and the message bits due to canonicalization and rela= ted transformation mechanisms.

T-02

Attachment Alteration

The message information is altered by inserting remo= ving or otherwise modifying attachments intended by the sender.

T-03

Confidentiality

Information within the message is viewable by uninte= nded and unauthorized participants. (e.g. a credit card number is obtained).

T-04

Falsified Messages

Fake messages are constructed and sent to a receiver= who believes them to have come from a party other than the sender. For exampl= e, Alice sends a m= essage to Bob. Mal copies some (or all of) it and uses that in a message sent to= Bob who believes this new action was initiated by Alice. This overlaps with T-01and T-0= 2. The principle is that there is generally little value to saying a message has= not been modified since it was sent unless we know who sent it.

T-05

Man in the Middle

A party poses as the other participant to the real s= ender and receiver in order to fool both participants (e.g. the attacker is abl= e to downgrade the level of cryptography used to secure the message). The term “Man in the Middle” is a= pplied to a wide variety of attacks that have little in common except for their topology. Potential designs have to be closely examined on a case-by-case basis for susceptibility to anything a third party might do.

T-06

Principal Spoofing

A message is sent which appears to be from another principal (e.g. Alice sends a message which appears as though it is from Bob).  This is a variation on T-04.

T-07

Forged claims

A message is sent in which the security claims are f= orged in an effort to gain access to otherwise unauthorized information (e.g. A security token is used which wasn't really issued by the specified authority). The methods of attack and prevention here are essentially the same as T-01 and T-02.

T-08

Replay of Message Parts

A message is sent which includes portions of another message in an effort to gain access to otherwise unauthorized information (e.g. a security token from another message is added).  Note that this is a variation on= T-01. Like “Man in the Middle” this technique can be applied in a w= ide variety of situations. All designs must be carefully inspected from the perspective of what could an attacker do by replaying messages or parts of messages.

T-09

Replay

A whole message is resent by an attacker

T-10

Denial of Service

A= mplifier Attack: attacker does a small amount of work and forces system under attack to= do a large amount of work. This is an important issue in design and perhaps profiling in some cases.

 

Table 1: Threats

 

Additional information on security threats can be found in the following titles:<= /o:p>

  • Stallings, William. = Cryptography and Network Security: Principles and Practice (3rd Edition),  Prentice Hall 2002
  • Fisch, Er= ic A and White, Gregory B. Secure Computers and Networks: Analysis, Desi= gn, and Implementation,  = CRC Press, 1999<= /li>
  • Kaufman, Charlie and Perman, Radia and Speciner, Mike. Network Security: Pri= vate Communication in a Public World, Prentice Hall, 2002<= /li>
  • Ford, Warwick and Ba= um, Michael S. Secure Electronic Commerce: Building the Infrastructure = for Digital Signatures and Encryption (2nd Edition), Prentice Hall, 20= 00
  • Schneier, Bruce. Applied Cryptography: Protocols, Algorithms, and Source Code in C, Sec= ond Edition. John Wiley & Sons. 1995

5 Security Solutions and Mechanisms

In this section, we provide a high-level description of security solutions, which are defined in terms of security layers that addr= ess the SOAP message security challenges in Section 3. We then define the speci= fic security mechanisms and associated countermeasures that are addressed by the Security Profiles.

Mechanisms to address security challenges may be appli= ed at different communication layers and possibly in combination. The primary concerns of this document are the SOAP and transport layers. Within the transport layer the focus is primarily on HTTP and HTTPS. Combinations of s= ecurity mechanisms in the layers may be applied to satisfy different security requirements. 

This document focuses on scenarios for transport and S= OAP Layer security. Users may implement their own data (payload) layer security, but data layer security is not addressed explicitly in this document.

Transport and SOAP security layers can be configured to address a variety of security requirements. These variations are enumerated later in this section. We define abstract security functions that may be us= ed to address the various security threats that we previously described in Sec= tion 4.

5.1 Transport Layer Security Descriptions

The protocol layers that provide transport for the SOAP Messaging protocol (transport layer) may be used to provide security servic= es to meet application or SOAP Messaging security requirements. This may be do= ne in combination with SOAP message Security mechanisms or independently. This section focuses on the transport mechanisms only. These mechanisms provide integrity and/or confidentiality for HTTP messages, thus protecting SOAP messages with or without attachments.

Because the only transport mechanism within the scope = of this document is HTTP (optionally over SSL/TLS) we assume that each SOAP no= de has an associated HTTP node, which might be a part of the SOAP node or migh= t be a distinct entity.  We also assume that SOAP messages between nodes are carried on HTTP messages between their associated HTTP nodes. Communication between a SOAP node and its associated HTTP node is regarded as internal to= a platform and we make no assumptions about its nature or the information transferred other than

  • the SOAP message itself is communicated.
  • When an HTTP request containing a SOAP message is sent over a connection th= at was established using some HTTP authentication mechanism, the HTTP ser= ver will communicate to its associated SOAP node the identity that was established by that authentication mechanism.  We do not assume t= hat it communicates any credential used to establish that identity.

Note in particular that we do not assume any communica= tion between the associated HTTP and SOAP nodes with regards to the certificates used to establish a TLS/SSL connection.

In what follows when a word or phrase such as “N” refers to a specific SOAP node we use the notation “N-HTTP” to refer to its associated HTTP node.

5.1= .1      =     Integrity

Integrity may be provided for an entire SOAP message u= sing the transport layer. When SSL/TLS is used in conjunction with HTTP (HTTPS),= the entire HTTP message, including the start-line (e.g. POST),  HTTP headers, and body receives integrity protection. This SOAP message conveyed in the HTTP body is also protected. This integrity is only in effect for the duration of the HTTP session and provides no protection for SOAP messages once received (and pos= sibly queued by the web service consumer or requestor). Note that integrity is provided for the entire SOAP message – partial integrity is not possi= ble with this mechanism. This mechanism is not suitable for end-end SOAP message integrity in the presence of SOAP intermediaries.

 

The basic operation of this mechanism is as follows:

  1. SOAP node A’s associated HTTP node initiates an HTTPS connection to another SOAP node B’s associated HTTP node.
  2. SSL/TLS session is established, starting integrity protection
  3. SOAP messages are conveyed from A to B, potentially a SOAP message or fault= is conveyed in the HTTP response
  4. HTTP and SSL/TLS session is terminated, ending integrity protection

 

Note that the quality of SSL/TLS integrity protection depends on an adequate SSL/TLS ciphersuite and key length being selected. C= are must be taken in selection of ciphersuites and key lengths to prevent downg= rade attacks. Options with inadequate security should not be offered even if they are supported in the code.

 

5.1.2          Confidentiality

Confidentiality may be provided for an entire SOAP mes= sage using the transport layer. When SSL/TLS is used in conjunction with HTTP (HTTPS), the entire HTTP message including HTTP headers is protected as wel= l. This confidentiality is only in effect for the duration of the HTTP session= and provides no protection for SOAP messages once received (and possibly queued= by the web service consumer or requestor). Confidentiality is applied to the entire SOAP message, partial confidentiality is not possible, making this unsuitable for SOAP messages to be conveyed through SOAP topologies involvi= ng SOAP intermediaries.

The basic operation of this mechanism is the same as t= hat using transport layer to provide integrity. [Section 5.1.1

Note that the presence and quality of SSL/TLS integrity protection depends on an adequate SSL/TLS ciphersuite and key length being selected. Care must be taken in selection of ciphersuites and key lengths to prevent downgrade attacks. Options with inadequate security should not be offered even if they are supported in the code.

 

5.1.3          Authentication by HTTP Service

A SOAP node A whose associated HTTP node initiates a connection from SOAP node B’s associated HTTP node may authenticate B using transport layer mechanisms such as SSL/TLS. In the SSL/TLS case the authentication consists of a server X.509 certificate combined with a proof= of private key possession as part of the SSL/TLS protocol. In addition, some clients may perform additional checks such as comparing the service URL dom= ain name against the certificate distinguished name, for example, to attempt to detect certificate substitution attacks. Finally, relying parties should perform a certificate validation check to ensure that the certificate was n= ot revoked, either due to private key compromise or other reasons before relyi= ng on the validity of the authentication information.

The basic operation of the mechanism is as follows:

1.      = HTTP node associated with A initiates HTTPS connection to HTTP node associated w= ith B.

2.      = As part of establishing SSL/TLS session, B’s HTTP node authenticates to A’s HTTP node

3.      = SOAP messages are conveyed from A to B, potentially SOAP message or fault is conveyed in HTTP response

4.      = HTTP and SSL/TLS session is terminated

Note that the authentication is for the session and th= at by default there is no lasting record or association of the authentication act= ion with the SOAP message.

5.1.4          Authentication by HTTP User Agent

A SOAP node A whose associated HTTP node initiates a connection to SOAP node B’s associated HTTP node may authenticate to = SOAP node B. If B’s HTTP node also authenticates to A’s HTTP node it= is said to be mutual authentication.

Note that a web service provider might authenticate at= the transport layer and the web service consumer at the SOAP messaging layer, depending on the desired authentication properties.

An HTTP user agent authentication may be:

  • HTTPS client X.509 certificate authentication,
  • HTTP basic or digest authentication with HTTPS confidentiality
  • HTTP basic or digest authentication without HTTPS confidentiality

5.1.4.1      HTTPS X.509 client Authentication

  1. A’s HTTP node initiates HTTPS connection to B’s HTTP node
  2. As part of establishing SSL/TLS session, web service consumer authenticat= es to provider using X.509 client certificate with private key proof of possession as part of SSL/TLS protocol
  3. Once HTTPS session is A sends SOAP messages and the HTTP response may conve= y a SOAP message or Fault.
  4. HTTPS session is closed, ending authenticated transfer

 

5.1.4.2      HTTP Basic or Digest authentication with HTTPS Confidentiality

HTTP Basic and Digest authentication mechanisms are ou= tlined in [RFC 2617],

  1. A-HTTP node initiates HTTPS connection to B-HTTP node with HTTPS  confidentiality (requires appropriate ciphersuite etc)
  2. HTTP Basic or Digest authentication performed as part of SOAP message reque= st POST

HTTPS session is closed

Note that B-HTTP must request authentication explicitl= y. The SOAP message may be  POSTed tw= ice – once in the original POST that results in an HTTP response requesti= ng authentication and then in the request that conveys the authentication information in the header. This could be an issue for large SOAP messages.<= /p>

Adequate protection against replay attacks is required= with HTTP authentication and POSTs as noted by RFC 2617.   HTTPS confidentiality requir= es appropriate ciphersuites and protection against downgrade attacks.

Using HTTP with Digest authentication provides no real benefits in terms of authentication over Basic authentication, although with the proper cipher suites it can provide integrity.

5.1.4.3      HTTP Basic or Digest Authentication in the clear

HTTP Basic or Digest authentication performed as part = of HTTP session that includes SOAP message request POST.

Despite the risk of insider attack (most attacks are i= nsider attacks) HTTP authentication without HTTPS may be appropriate within an enterprise or other secured environments. Protection against replay attacks= is required as noted by RFC 2617.

5.1.5          Attributes

Attributes may be conveyed in HTTP header fields [RFC 2616]. This may require integrity and/or confidentiality protection using HTTPS, depending on application requirements.

Attributes may also be conveyed in the HTTPS client X.= 509v3 certificate through the use of certificate extensions, although this may no= t be interoperable. See PKIX RFC 3280.

5.1.6          Combinations

The preceding transport layer security mechanisms may = be combined with each other as needed. The following table attempts to identify the combinations that we believe are significant with a unique tag that we = will use in later sections.


 

Challenge Supported

Transport Layer Technologies being Utilized

Tag[1]

Comment

SSL/TLS

BISP1

Confidentiality

SSL/TLS

Assuming that cipher suites NULL-SHA or NULL-MD5 are not being supported because t= hese suites do support encryption.

Provider (server) Authentication

SSL/TLS

&nb= sp;

Assume X.509 certificates being used to identify consumer and provider with mapp= ing to trusted root CA.

Consumer (client) Authentication

SSL/TLS[2] with client authentication

HTTP Basic

BC2

HTTP Digest

BC3

HTTP Attributes

BC4

SSL/TLS

HTTP Basic

BC5

This assumes that BISP1 is also supported. Additionally, assumes cipher suites NULL-SHA & NULL-MD5 not supported, i.e., protection against downgrade attacks.

HTTP Digest

Table 2: Transport Level Security Options

The intention is for an app= lication developer to select one or more solutions that address the relevant security challenges. For example, if consumer authentication is required then any on= e of the BCx solutions would meet this need.

As indicated, a single solu= tion may meet multiple security challenges. For example, assuming cipher suites NULL= -SHA or NULL-MD5 are not supported, using SSL/TLS will ensure transport layer integrity, confidentiality and provider authentication.

5.2 SOAP Mes= sage Layer Security Descriptions

Security services may be provided at the SOAP Messaging protocol layer using the SOAP Message Security specification from the OASIS SOAP Message Security technical committee in conjunction with token specifications developed in that committee. These security mechanisms may be combined with the transport layer security mechanisms discussed above.

5.2= .1      =     Integrity

Integrity may be provided to a portion or combination = of SOAP message payload and header blocks using XML Digital Signature as outli= ned in the SOAP Message Security specification. Such integrity has the advantage that it remains with the SOAP message beyond an HTTPS session, suitable for providing end-end integrity despite SOAP intermediaries, when used properly= .

[The mechanism for providing integrity for attachments= at the SOAP level must be determined. It will take into account basic profile group’s work on attachments]]

  1. SOAP Sender (either initial SOAP Sender or SOAP Intermediary) protects integrity of some portion or combination of SOAP body, attachments and header blocks using an XML Digital Signature placed in a wsse:Security header block targeted at the SOAP receiver relying on integrity. SOAP Sender may also convey key information using security tokens in the message header enabling relying party to verify signatures. Note that = in some cases integrity may be relied upon by more than one SOAP receiver= .
  2. Message is sent, potentially through one or more = SOAP intermediaries. SOAP role associated with SOAP security header for integrity protection determines relying party. Depending on how SOAP r= ole is defined integrity may be verified by multiple SOAP receivers.

5.2.2          Confidentiality

Confidentiality may be provided to portions or some nu= mber of SOAP Message body or header block element or element content using XML Encryption as outlined in the SOAP Message Security specification. Note that encryption must not be applied so that SOAP message processing cannot be performed. Note also that the SOAP Message Security specification is silent about SOAP attachment confidentiality.

[The mechanism for providing integrity for attachments= at the SOAP level must be determined. It will take into account basic profile group’s work on attachments]]

SOAP message confidentiality protection has the advant= age that it remains with the SOAP message beyond an HTTPS session, and is suita= ble for providing end-end confidentiality despite SOAP intermediaries when used properly.

  1. SOAP Sender (either initial SOAP Sender or SOAP Intermediary) protects confidentiality of some combination of SOAP body, or header blocks or portions using XML Encryption as outlined in SOAP Message Security. Se= nder may also convey key information using security tokens in the message header.
  2. Message is sent, potentially through one or more = SOAP intermediaries. Depending on processing roles and rules, confidentiali= ty may be applicable for one or more SOAP receivers. Special consideration must be given to either the replacement of encrypted data with clear d= ata by intermediaries since this modification could break any signatures t= hat referenced the encrypted data.

5.2= .3      =     SOAP Sender Authentication

A SOAP Sender (either an initial SOAP sender or a SOAP intermediary) may provide authentication for one or more SOAP receivers by including one or more appropriate SOAP Message security tokens in security headers targeted at the receiver roles may be used in combination with XML Signatures as profiled by SOAP Message Security to provide confirmation of = the token claims and to bind the claims to the message.

Note that in a SOAP message from a web service consume= r to a web service provider, SOAP sender authentication authenticates the consumer= . In a SOAP message from a web service provider to a web service consumer (such = as conveyed in an HTTP response in a request-response MEP) then SOAP sender authentication authenticates the provider to the consumer. SOAP receiver authentication as such does not make sense given a one-way message.

5.2.4          Attributes

Attributes may be conveyed in application specific SOAP Message Security XML or Binary security tokens (SOAP Message Security exten= sion points), or SOAP Message Security SAML Tokens conveying attribute assertion= s to give two examples.

5.2.5          Message Uniqueness

This functionality is build upon the message integrity mechanisms, digital signatures, referred to in Section 5.2.1 being applied = to several fields with special semantics and a number of things outside the ac= tual message exchange. Depending upon the type of security token being utilized = by the application to authenticate the sender, different elements in the messa= ge may be utilized. All the solutions are built upon the following key types of information being present in the sender message:

Unique message identifier:    =       this element is used to uniquely identify the message. No two messages should ev= er have this value. While this data could be consequently assigned sequence numbers or non-random data, experience has shown that such practices allow = for session hijacking unless the associated authentication mechanisms are very strong. Using true random values for the message identifier is best practice because an attacker can not effectively guess what message identifier someo= ne is using or may use. [Some form of this element must be present in any solution]

Times= tamp:        &= nbsp;    a time that bounds the associated message identifier lifetime. Without this value, the consuming entity would potentially have to maintain data to track all message identifiers that it has ever processed. For some restrictive en= vironments, e.g., single source, this timestamp can be used for the unique message identifier. In general, this is not true. The bigger issue with the timesta= mp is that the sending and receiving systems must be loosely time synchronized= so that the receiving system does not have to maintain an ever-increasing data= base of processed message identifiers. With the availability of clock synchronization protocols and the receiver ability to control the size of t= he time window, applications can control the degree of time synchronization needed. While careful date/time set up could work if an application support= s a large time window, e.g., 5-10 minutes, in general some form of clock synchronization is really required for effective operation. [Some form of t= his element must be present in any solution]

Optio= nal Application Restrictions:   =          These elements allow an application to prevent the replay of the preceding elemen= ts to different receiving systems. For example, to prevent a valid message identifier and application message data from being sent to a different receiving system and being processed, the domain of the target service that this request is intended for could be included within the data to be signed. [Application dependent data with associate application semantic checking.]<= /p>

Of the different types of security tokens that our pro= file is committed to address, i.e., X.509 certificates, username, Kerberos, only username tokens currently have elements defined that map to the unique mess= age identifier and timestamp element just described.

As will become very apparent, no security token pro= file and other standards will deliver a fully operation solution to the message uniqueness challenge at the SOAP message layer.

5.2.5.= 1      Username Token

In particular, the username token profile defines the following elements that the sending system must populate when building a message uniqueness solution:

Nonce= :        &= nbsp;           a random value that the sender generates and uses as the unique message identifier. [The nonce is a recommend element in OASIS Username Token Profi= le that can be overloaded to serve as the unique message identifier. When used= for replay prevention, this element must be present. When used for this purpose= , it must be large enough to ensure that multiple simultaneous requesters do not generate the same nonce value causing a fail positive.]

Creat= ion Time:      &n= bsp;  the time that the associated nonce was created. [The creation time is a recomme= nd element in OASIS Username Token Profile that can be overloaded to serve as = the timestamp. When used for replay prevention, this element or expiration time element must be present.]

Expir= ation Time:       <= /span>the time when the associated nonce is no longer valid to be used. [The expirati= on time is an optional element in OASIS Username Token Profile that can be overloaded to serve as the timestamp. If not present, then the receiving sy= stem must add an internally configured delta time to the creation time element.]=

Additionally, the preceding required and optional data= along with the username must be signed by the sender so that the receiving system= can ensure that none of the preceding elements has been modified by an attacker. This comes with the unstated assumption that the signing key (some function= of the associated password) is known only to the sender and receiver as either= an out-of-band shared secret or encrypted. Otherwise, the receiver can not authenticate the sender is who then say they are.

On the receiving system, the receiver must perform the following actions:

  1. Verifying the signature containing the nonce, timestamps and optional restriction data. Note: this check is completely independent from any other integr= ity checking that the sender/receiver may be performing.
  2. Check that the expiration time (or creation time + maximum delta) is less th= an the current time.
  3. Looking up the nonce value in a nonce cache. If the nonce value is already present, then fail the request. If the nonce value is not present, then add the nonce and expiration time values to the cache. If multiple receiving systems are concurrently active, then the nonce cache must be across all servers in the pool. Independently, the nonce cache should automatically delete expired nonces. Our intention is to describe the abstract processing that the receiver is performing, not the implementation specifics. [This functionality is application specific because no existing standard/protocol cover this functionality.]
  4. Perform any application specific restriction checks, e.g., checking target dom= ain. [This functionality is application specific because no existing standa= rd/protocol cover this functionality.]

5.2.5.= 2      X.509 Certificate & Kerberos Tokens

The OASIS X.509 Certificate and Kerberos Profiles do n= ot have the required elements  for acting as message identifier thus requiring application developer to define proprietary elements to address these needs, i.e., outside the scope of the= se token profile.

5.2.5.= 3      Other Token Types

There are other token types being worked on that conta= in nonce and timestamp elements. However, their detail characteristics may prohibit them for being used to prevent replay attacks.

5.2.6          Combinations

The preceding message layer security mechanisms may be combined with each other= as needed. The following table attempts to identify the combinations that we believe are significant with a unique tag that we will use in later sections.  


 

Challenge Supported

Message Layer Technologies being Utilized

Tag[3]

Comment

Integrity

XML Digital Signature

SI1

 

Confidentiality

XML Encryption

SC1

 

SOAP Sender Authentication

XML Encryption

username & [password|digest]

SA1

Without the ability = to encrypt password/ digest, sender open to=   man-in-middle stealing password/digest and reusing it.

username & [password|digest]

SA2

SOAP Attributes

X.509 Certificate

SA3

Kerberos Token[4]

SA4

Table 3: SOAP Message Level Security Options

The intention is for an application developer to select one or more solutions that address the relevant security challenges. For example, if SO= AP sender authentication is required then any one of the SAx solutions would m= eet this need.

Missing from this table is SOAP receiver authentication. Receiver message layer authentication can only be supported by a response message in which the role of the sender and receiver has been exchanged, i.e., the sen= der is the provider.

5.3 Combining Transport Layer and SOAP Message Layer Mechanisms

As noted above security services may be provided at ei= ther or both the transport layer and the SOAP message layer. The choice often depends on application requirements, based on answers to questions such as:=

  1. Is it necessary to apply integrity and/or confidentiality at a granularity other than the entire SOAP message? This is usually true when SOAP intermediary processing is expected.
  2. Does the protection need to exist beyond the transport session, protecting = SOAP messages when queued at a SOAP node for example?
  3. Is there a need to save evidence such as authentication assertions for subsequent dispute resolution?
  4. Is there a need for transport layer protocol independence?
  5. How important is interoperability of attribute information?

Special cases are noted in the sections above where additional mechanisms are required to ensure security. In general minimizing combinations while following recommended security practices for the security technologies should reduce risks.

5.4 Transpor= t and Message Layer Security Combinations

This section describes a selected subset of common security scenarios and identi= fies potential solutions for various security requirements. The security requirements vary from simple to complex depending upon the mechanisms sele= cted and the underlying need. This approach allows the users to select a specific security scenario and implementation mechanisms that best meet their needs.=

There are three basic categories of implementation solutions:

·       transport layer,

·       SOAP message layer

·       hybrid that combines mechanisms from transpo= rt and SOAP message layers.

 

Figure 1 attempts to depict the potential solution space. = It is organized with transport only mechanism on the left side of the figure a= nd SOAP message mechanisms on the right side. Hybrid solutions occupy the spac= e in the middle. This figure is not bound to any specific scenario. Different scenarios may be able to only support a subset of implementations, e.g., one-way scenario can not support SOAP mutual authentication because there i= s no SOAP response message.

Additionally,
Figure 1
is organized from top to bottom to go from no security to increasing complex security solutions.


Figure 1 Common Security Solutions Hiera= rchy


 

The ele= ven solutions identified in
Figure 1
are a much smaller set than all possibilities of combined security solutions suggested by Table 2 on page 21 and Table 3 on page 26. A basic question is what approach or reasoning w= as used to reduce the numbers? Starting with the four transport entries, the t= wo left solutions: BISP1 and BISP1:BC1, are simply SSL/TLS with and without cl= ient authentication. The BC2 | BC3 | BC4 solution is all that can be done with o= nly using HTTP. The last solution is simply the merging/ enhancement of the SSL= /TLS solutions and the pure HTTP solution. Remember that these two transport lev= el mechanisms: HTTP and SSL/TLS, only work between HTTP/TCP level nodes. No SO= AP intermediaries are allowed. If multiple HTTP or higher nodes are encountere= d, then multiple instances of the transport layer mechanisms between all communication HTTP nodes may need to be used. Additionally, each intermedia= ry has full access to all the data passing by to look at or alter, i.e., no wa= y to insure the integrity or confidentiality within the HTTP/TCP intermediaries.=

Moving = to pure SOAP message solutions, the top solution is identifier of the sender, witho= ut integrity or confidentiality. The next two solutions are message level integrity or confidentiality along with the identification of who the sender (signer/encryptor) is. The assumption is that usually it does not matter if= a message is unchanged unless you know who signed (originated) the data. Similarly, the secrecy of a message is not important if you can not also in= sure that source of the secret information. The two SI1:SC1:(SA1|SA2|SA3) soluti= ons utilize all the SOAP message level mechanisms: Integrity, Confidentiality a= nd Sender Authentication, for  on= e-way and two-way MEP, respectively. Unlike the transport level mechanisms, the S= OAP message level mechanisms allow integrity, confidentiality and sender authentication of all or part of a message to occur between any SOAP nodes,= not just the ultimate sender and receiver.

Lastly,= there is a single hybrid case supported. This hybrid case uses SSL/TLS to insure = the confidentiality and integrity of the entire SOAP message data. The usage of SSL/TLS is a simple solution that also protects against various types of man-in-the-middle replay attacks that would be more complex and expensive to protect against via pure SOAP message level mechanisms. The bottom line is = that this solution allows stricter security requirements to be imposed between a single pair of sender and receiver HTTP/TCP nodes than between other nodes = in the message exchange. This is just the logical extension that each set of n= odes in a complex message exchange may have different security requirements. Transport level mechanisms addresses only security requirements between connected HTTP/TCP nodes, while SOAP message level mechanisms addresses security requirements between any nodes in a message exchange. Each mechani= sm can be used multiple times for each combination of nodes that has specific security needs.

5.5  Security Considerations for Combinations

5.5= Security Considerations for Combinations

In this sec= tion we provide an overview of the issues to consider when deploying the combinatio= ns of transport and message layer security mechanisms defined in Section 5.4. = For each of the common security solutions previously shown in Figure 1, we summarize the properties of the solution, threats addressed, and limitation= s.

These considerations may be used as a guide to select an appropriate security solution for many Web Services application deployments. By matching up a particular application’s security requirements against the solutions = in this list, it should be possible in most cases to select an optimal combination = of transport and/or message layer security mechanisms for that application.

5.5.1          Transport Layer Security Solutions

The solutio= ns in this subsection are based solely on transport layer security mechanisms.

5.5.1.1  &nb= sp;      Consumer Authentication – BC2|BC3|BC4

5.5.1.1.1         Properties
  • Provides authentication of the initial SOAP sender (or prior Intermediary) HTTP Node to the ultimate SOAP receiver (or latter Intermediary) HTTP Node = when they are on adjacent HTTP Nodes.
5.5.1.1.2        Threats addressed

T-06

5.5.1.1.3        Limitation= s
  • Is only appropriate between adjacent HTTP Nodes not from initial Sender to the ultimate Receiver when there are intermediaries.
  • Does not provide authentication of the ultimate SOAP receiver (or latter Intermediary) HTTP Node to the initial SOAP sender (or prior Intermedi= ary) HTTP Node.
  • Does not provide origin authentication for the SOAP message content (only provi= des authentication of the HTTP Node).
  • Does not provide integrity of SOAP message content.
  • Does not provide confidentiality of SOAP message content.
  • Does not provide detection of replay of SOAP message content.=
  • Does not address Man in the Middle principal spoofing attacks.

5.5.1.2         Transport Integrity, Confidentiality, Provider Authentication – BISP1

This soluti= on has the following properties:

  • Provides integrity protection for SOAP message content while in transit from HT= TP node to HTTP node.
  • Provides confidentiality protection for SOAP message content while in transit f= rom HTTP node to HTTP node.
  • Provides authentication of the ultimate SOAP receiver (or latter Intermediary) = HTTP Node to the Initial SOAP sender (or prior Intermediary) HTTP Node when they are on adjacent HTTP Nodes.
5.5.1.2.1        Threats addressed

T-01, T-02, T-03

5.5.1.2.2        Limitation= s
  • Is only appropriate between adjacent HTTP Nodes.
  • Does not provide authentication of the Initial SOAP sender (or prior Intermedia= ry) HTTP Node to the ultimate SOAP receiver (or latter Intermediary) HTTP Node.
  • Does not provide origin authentication for the SOAP message content (only provi= des authentication of the HTTP Node).
  • Does not provide detection of replay of SOAP message content.=

5.5.1.3         Transport Integrity, Confidentiality, Mutual Authentication – BISP1:BC1

This soluti= on has the following properties:

  • Provides integrity protection for SOAP message content while in transit from HT= TP node to HTTP node.
  • Provides confidentiality protection for SOAP message content while in transit f= rom HTTP node to HTTP node.
  • Provides authentication of the ultimate SOAP receiver (or latter Intermediary) = HTTP Node to the Initial SOAP sender (or prior Intermediary) HTTP Node when they are on adjacent HTTP Nodes.
  • Provides authentication of the Initial SOAP sender (or prior Intermediary) HTTP Node to the ultimate SOAP receiver (or latter Intermediary) HTTP Node = when they are on adjacent HTTP Nodes.
5.5.1.3.1      =   Threats addressed

T-01, T-02, T-03, T-04, T-05, T-06, T-07, T-08, T-09

5.5.1.3.2        Limitation= s
  • Is only appropriate between adjacent HTTP Nodes.
  • Does not provide origin authentication for the SOAP message content (only provi= des authentication of the HTTP Node).

5.5.1.4         Transport Integrity, Confidentiality, Mutual Authentication with Enhanced Consumer Authentication – BISP1:BC5

This soluti= on has the following properties:

  • Provides integrity protection for SOAP message content while in transit from HT= TP node to HTTP node.
  • Provides confidentiality protection for SOAP message content while in transit f= rom HTTP node to HTTP node.
  • Provides authentication of the ultimate SOAP receiver (or latter Intermediary) = HTTP Node to the Initial SOAP sender (or prior Intermediary) HTTP Node when they are on adjacent HTTP Nodes.
  • Provides authentication of the Initial SOAP sender (or prior Intermediary) HTTP Node to the ultimate SOAP receiver (or latter Intermediary) HTTP Node = when they are on adjacent HTTP Nodes.
5.5.1.4.1      =   Threats addressed

T-01, T-02, T-03, T-04, T-06, T-07, T-08, T-09

5.5.1.4.2        Limitation= s
  • Is only appropriate between adjacent HTTP Nodes.
  • Does not provide origin authentication for the SOAP message content (only provi= des authentication of the HTTP Node).
  • Does not address Man in the Middle principal spoofing attacks.

5.5.2          SOAP Message Layer Security Solutions

The solutio= ns in this subsection are based solely on SOAP message layer security mechanisms.=

5.5.2.1         Sender Authentication – SA1|SA2

This soluti= on has the following properties:

  • Provides sender authentication of SOAP message.
5.5.2.1.1        Threats addressed

T-06

5.5.2.1.2        Limitation= s
  • Does not provide confidentiality of SOAP message content
  • Does not provide integrity of SOAP message content.
  • Does not provide origin authentication of SOAP message content.
  • Does not provide detection of replay of SOAP message content.=
  • Does not provide authentication of HTTP nodes.
  • Does not address Man in the Middle principal spoofing attacks.

5.5.2.2         Message Integrity, Sender Authentication – SI1:(SA2|SA3)

This soluti= on has the following properties:

  • Provides sender authentication of SOAP message.
  • Provides end-to-end integrity protection for SOAP message content.
  • Provides origin authentication of SOAP message content.

5.5.2.2.1        Threats addressed

T-01, T-02, T-06

5.5.2.2.2        Limitation= s
  • Does not provide confidentiality of SOAP message content.
  • Does not provide authentication of HTTP Nodes.
  • Does not provide detection of replay of SOAP message content.=

5.5.2.3         Message Confidentiality, Sender Authentication – SC1:(SA1|SA2|SA3)=

This soluti= on has the following properties:

  • Provides end-to-end confidentiality protection for SOAP message content.
  • Provides sender authentication of SOAP message.
5.5.2.3.1        Threats addressed

T-03, T-06

5.5.2.3.2        Limitation= s
  • Does not provide integrity of SOAP message content.
  • Does not provide authentication of HTTP Nodes.
  • Does no= t provide detection of replay of SOAP message content.

5.5.2.4         One-Way An= yNode – AnyNode Message Confidentiality, Integrity, Sender Authentication – SI1:SC1:(SA1|SA2|SA3)

This soluti= on has the following properties:

  • Provides end-to-end integrity protection for SOAP message content.
  • Provides end-to-end confidentiality protection for SOAP message content.
  • Provides sender authentication of SOAP message.
  • Provides origin authentication of SOAP message content.
5.5.2.4.1        Threats addressed

T-01, T-02, T-03, T-06, T-07

5.5.2.4.2        Limitation= s
  • Does not provide authentication of HTTP Nodes.
  • Does not provide detection of replay of SOAP message content.=

5.5.2.5         Two-Way An= yNode – AnyNode Message Confidentiality, Integrity, Mutual Authentication – SI1:SC1:(SA1|SA2|SA3)

This soluti= on has the following properties:

  • Provides end-to-end integrity protection for SOAP message content.
  • Provides end-to-end confidentiality protection for SOAP message content.
  • Provides sender authentication (both consumer and provider) of SOAP message.
  • Provides origin authentication of SOAP message content.
5.5.2.5.1        Threats addressed

T-01, T-02, T-03, T-06, T-07

5.5.2.5.2        Limitation= s
  • Does not provide authentication of HTTP Nodes.
  • Does not provide detection of replay of SOAP message content.=

5.5.3          Hybrid Security Solutions

The solutio= ns in this subsection are based on a combination of transport and SOAP message la= yer security mechanisms.

5.5.3.1         Transport Integrity and Confidentiality, AnyNode – AnyNode Message Confidential= ity, Integrity, Mutual Authentication – BISP1:SI1:SC1:(SA1|SA2|SA3)

This soluti= on has the following properties:

  • Provides integrity protection for SOAP message content while in transit from HT= TP node to HTTP node.
  • Provides confidentiality protection for SOAP message content while in transit f= rom HTTP node to HTTP node.
  • Provides authentication of the ultimate SOAP receiver (or latter Intermediary) = HTTP Node to the Initial SOAP sender (or prior Intermediary) HTTP Node when they are on adjacent HTTP Nodes.
  • Provides end-to-end integrity protection for SOAP message content.
  • Provides end-to-end confidentiality protection for SOAP message content across = HTTP nodes.
  • Provides sender authentication (both consumer and provider) of SOAP message.
  • Provides origin authentication of SOAP message content.
5.5.3.1.1        Threats addressed

T-01, T-02, T-03, T-04, T-05, T-06, T-07, T-08, T-09

5.5.3.1.2        Limitation= s
  • None

5.5.3.2         Transport Integrity and Confidentiality, Mutual Authentication, AnyNode – AnyNo= de Message Confidentiality, Integrity, Mutual Authentication – BISP1:BC1:SI1:SC1:(SA1|SA2|SA3)

This soluti= on has the following properties:

  • Provides integrity protection for SOAP message content while in transit from HT= TP node to HTTP node.
  • Provides confidentiality protection for SOAP message content while in transit f= rom HTTP node to HTTP node.
  • Provides authentication of the ultimate SOAP receiver (or latter Intermediary) = HTTP Node to the Initial SOAP sender (or prior Intermediary) HTTP Node when they are on adjacent HTTP Nodes.
  • Provides authentication of the Initial SOAP sender (or prior Intermediary) HTTP Node to the ultimate SOAP receiver (or latter Intermediary) HTTP Node = when they are on adjacent HTTP Nodes.
  • Provides end-to-end integrity protection for SOAP message content.
  • Provides end-to-end confidentiality protection for SOAP message content across = HTTP nodes.
  • Provides sender authentication (both consumer and provider) of SOAP message.
  • Provides origin authentication of SOAP message content.
5.5.3.2.1        Threats addressed

T-01, T-02, T-03, T-04, T-05, T-06, T-07, T-08, T-09

5.5.3.2.2        Limitation= s
  • None

6 Scenarios<= /a>

This section contains descriptions of scenarios, secur= ity requirements that might be imposed by applications using those scenarios and ways to satisfy those requirements (called solutions). 

6.1 Notation= for Describing Scenarios

The content of a scenario and the conventions used to describe them are as follows.

  • An introductory paragraph in English
  • SOAP nodes: A list of  the SOAP nodes participating in the scenario. These are given arbitrary labels.  Some of these la= bels may have been mentioned by name in the introductory paragraph. In describing a scenario with intermediaries it is sometimes convenient to give a single node two names. When that is done it will be noted with a notation such as

Nk =3D B

  • HTTP Sessions: A list of HTTP sessions that will carry messages. The notati= on

S: A ® B

Indicates A-HTTP is the HTT= P User Agent that initiates session S talking to HTTP Service B-HTTP.  Sessions might be created during t= he scenario or might have existed before the scenario begins.

  • SOAP Messages:  A SOAP message= path that might include intermediaries carries a single SOAP message. Note = that this means there is no specific content associated with a “SOAP Message” The notation

M: A ® B ®... ® Z

indicates that the scenario includes a SOAP message that travels on the indicated SOAP Path. Nodes in t= his description of a SOAP message are said to be prior to   Nodes to their right and lat= ter than Nodes to their left in the SOAP message path.

  • Hops: A Hop describes the transmission in an HTTP message of data related to= a SOAP message. This is not itself a SOAP message because in common usage “SOAP message” refers to a more abstract entity that inclu= des all the hops on a SOAP message path.
    The notation

H: A  ® B (Session S, Message M)

indicates that H is an HTTP= Message that is sent by A-HTTP to B-HTTP as part of transmission of SOAP message M. Nodes A and B are said to be adjacent (on Message M). Whether H is an HTTP request or response depends on whether A or B initiated HTTP Session S. If = it is a response, the Hop to which it is a response will be indicated.

H: A  ® B (Session S, Message M, Response to R)

The order in which the Hops= are listed is the order in which the HTTP messages are sent.

  • Security Requirements: This section will contain any Security Requirements that= are specific to this scenario and any modification of generic security requirements (as specified in section 6.4) that are required to make them applicable to this scenario.

[These notations do not take into account attachments.= If necessary they will be modified to do so when attachment considerations are= added to this document.]

6.2 Conventi= ons for Describing Security Requirements and Solutions

The description of a security requirement contains:

  • A short title for the requirement
  • A description of a security related problem that might be solved using t= he technologies within our scope.
  • A list of threats (from Section 4) that might subvert potential solutions
  • A list of challenges (from Section Error! Reference source not found.) that the requirement participa= tes in.
  • A list of possible mechanisms called “solutions” that can be used to satisfy this requirement. Each solution can be qualified by conditions that must be satisfied for the solution to a applicable.

6.3 Terminol= ogy

In describing the scenarios, requirements and solution= s, the following phrases are used.

  • Node N supplies content X: N-HTTP is the HTTP Sender in a Hop whose HTTP Message contained some bytes interpreted in the SOAP Layer as X.  If content is originally supp= lied on a Hop by SOAP node A, and SOAP Intermediary B then passes it on unc= hanged in a Hop to SOAP node C. That content is still regarded as having been supplied by SOAP node A.
  • N-HTTP initiates an HTTP session: N-HTTP acting as an HTTP User Agent created= a session by opening a connection to some HTTP Service associated with s= ome other SOAP node.
  • N-HTTP accepts an HTTP session: N-HTTP acting as an HTTP Service accepts an H= ttp becomes a participant in an Http session by accepting an Http Request.=

6.4 Generic Security Requirements

This section contains security requirements that may be imposed by applications that use the scenarios  The requirements in this section a= re generic to all scenarios and might apply to any uses of SOAP Messaging.

This section only presents security requirements for w= hich solutions are available within the profiled technologies.  Other security requirements that m= ight exist must be addressed by application level mechanisms.

6.4.1          Requirement: Peer Authentication

A SOAP node A must be able to authenticate to any SOAP= node B.

Threats: T-05, T-06

Challenges: C-01

Security solutions:

The following solution may= be used to provide  authentication of = A to B when A is prior to B on a SOAP message Path.

a)      = SOAP Sender Authentication (Section 5.2.3) of the SOAP message.

The following solutions ma= y only be used to provide authentication of A to B when A-HTTP initiates a session= to B-HTTP.

b)      = HTTPS X.509 Client Authentication (Section 5.1.4.1

c)      = HTTP Basic or Digest Authentication with HTTPS Confidentiality (Reference 5.1.4.2)

d)      = HTTP Basic of Digest Authentication in the Clear (Reference 5.1.4.3)

The foll= owing solution may only be used to provide authentication of B to A when A-HTTP initiates a session to B-HTTP.

e)      = HTTPS X.509 Server Authentication (Section 5.1.4.1)

 

Solutions (c) and (d) do not address T-05 (man in the middle)

6.4.2          Requirement: Origin Authentication

A party in possession of a SOAP node’s public ke= y must be able to prove that signed SOAP message content was produced by that SOAP node.

Threats= : T-05, T-06, T(OOS)-13

Challen= ges: C-01, C-05

Security solution:<= /p>

a)      = Digital Signature on Message. SOAP Message Layer Integrity (Section 5.2.1)

6.4.3          Requirement: Integrity

A SOAP node B must be able to detect alteration of con= tent supplied by a SOAP node A

Threats= : T-01, T-02

Challenges: C-03

Security solution:

The following solution may= be used to provide integrity for any content supplied by SOAP node A.

a)      = SOAP Layer Integrity (Section 5.2.1

The following solution may= be used to provide integrity for any content while it is in transit on a Hop to or = from A.

b)      = Transport Layer Integrity (Section 5.1.1

 

6.4.4          Requirement: Confidentiality

A SOAP node B must be able to exclusively access confidential content supplied by a SOAP node A and intended for SOAP node B= .

Threats: T-03

Challenges: C-04

Security solution:

The following solution may= be used to provide confidentiality of any content supplied by Node A

a)      = SOAP Layer Confidentiality (Section 5.2.2

The following solution may= be used to provide confidentiality for content while in transit from A-HTTP to B-HT= TP

b)      = Transport Layer Confidentiality (Section 5.1.2)

6.4.5          Requirement: Message Uniqueness

A SOAP node B must be able to detect that a previous received message or part of a previous message from SOAP node A has been replayed.

Threats= : T-08, T-09, T-10

Challenges: C-05

Security solution:

a)      = The following solution may be used to provide replay protection for any content received by SOAP node B. Transport Layer Integrity (Section 5.1.1)

b)&n= bsp;      Currently there is no application interoperability solution at the SOAP message layer.

6.5 Scenario Descriptions

6.5.1          Scenario: One-Way

A SOAP message is sent over a SOAP message path from a= SOAP node N0 through zero or more SOAP Intermediaries to a SOAP node = Nk using a series of HTTP Requests.

This scenario applies to situations where the loss of = individual SOAP messages is insignificant (for example, in a status monitoring scenario where periodic status update events are provided such that if one update ev= ent is lost, a subsequent update event will convey correct status). No SOAP mes= sage response is generated by Nk or expected by N= 0. Regardless of the protocol implemented by the transport layer, N0 receives no SOAP message response.

The transport layer may not guarantee delivery of the = SOAP message. The N0 or any SOAP Intermediary may not be aware whethe= r a SOAP message was successfully sent or delivered to, received or processed b= y, any other node. Receipt of an HTTP Response indicates that at the very least that the HTTP Node associated with the receiver has received the HTTP Reque= st but does not guarantee that the SOAP message will ever arrive at the receiv= er.

SOAP Nodes:

  • N0
  •  [OPTIONAL] N1, N2, ... Nk-1 (SOAP Intermediaries)
  • Nk

HTTP Sessions:

  • (for r=3D1,...,k-1) Sr : Nr ® Nr+1

SOAP Messages:

·          M: N0 = ® ... ® Nk

Hops:

·         (for r =3D 1, ... k –1) Hr:= Nr = ® N1 (Session S= r )

Security Requirements

None beyond generic require= ments of Section 6.4

6.5.2           Scenario: Synchronous Request/Response

This scenario is derived from the Synchronous Request/Response scenario in the WS-I Basic Applications Usage Scenarios [BPSA UsageScenarios]

A SOAP message (called the request) is sent from a SOA= P node N0 through zero or more SOAP Intermediaries = to a SOAP node Nk. A SOAP message called the resp= onse is sent by Nk to N0<= /span>. The SOAP Path of this SOAP message is the reverse of that of the request. T= he Hops used in the transmission of the response are the HTTP responses to the Hops used in the transmission of the request.

SOAP Nodes:

  • N0
  • [OPTIONAL] N1, N2, ... Nk-1 (SOAP Intermediaries= )
  • Nk

Sessions:

  • (for r =3D 0, ...., k-1) S0: N0 &agrav= e; N1

SOAP Messages:

  • REQUEST: N0 ® N1 ®... Nk
  • RESPONSE: Nk&nbs= p; ® Nk-1 ®... N0

Hops:

  • (for r =3D 0, ..., k-1) H-REQr: Nr ® Nr+1 (Session S= r, Message REQUEST)
  • (for r =3D k, ..., 1) H-RESPr: Nr  ® Nr-1 (Session S= r-1, Message RESPONSE, response to H-REQr-1)=

Security Requirements

None beyond generic require= ments of Section 6.4

6.5.3          Basic Callback

This scenario was derived from the Basic Callba= ck scenario in the WS-I Basic Sample Applications Usage Scenarios. [BPSA UsageScenarios]

T= he first SOAP Message APPLICATION-REQUEST is sent from Node A through zero or more to Nod= e B through a series of Hops. APPLICATION-REQUEST contains information that indicates where B should send the APPLICATION-RESPONSE.

B sends a SOAP Message (acknowledgement) to A through = the Http responses of the same set of Hops

After APPLICATION REQUEST is processed B sends a SOAP Message APPLICATION-RESPONSE to A through zero or more intermediaries throu= gh a series of Hops.

A sends a SOAP Message(acknowledgement) to B through t= he Http responses of the same set of Hops.

The APPLICATION-REQUEST and APPLICATION RESPONSE are related via correlation information that is provided by A in APPLICATION-REQUEST and duplicated by B into APPLICATION-RESPONSE.

SOAP Nodes:

  • A =3D AP-REQ0 =3D AP-RESPl
  • B =3D AP-REQk =3D AP-RESP0
  • [OPTIONAL] AP-REQ1, AP-REQ2, ... AP-REQk-1 (SOAP Intermediaries)
  • [OPTIONAL] AP-RESP1, AP-RESP2, ... AP-RESPl-1 (S= OAP Intermediaries)

Sessions:

  • (for r =3D 0, ...., k-1) REQ-SESSIONr: AP-REQr à AP-REQr+1=
  • (for r =3D 0, ...., l-1) RESP-SESSIONr: AP-RESPr à AP-RESPr+1<= /span>=

SOAP Messages:

  • APPLICATION REQUEST: A à AP-REQ1 à ... &agrav= e; AP-REQk-1 à B
  • ACK-1: B à AP-REQ1à ... &agrav= e; AP-REQl àA
  • APPLICATION RESPONSE: B àAP-RESP1 à ... ® AP-RESPl-1 ®A
  • ACK-2: A à AP-RESPj à ... &agrav= e;AP-RESP1 à B

Hops:

  •  (for r =3D 0, ...., k-1) REQ-H= OPr: AP-REQr &agrav= e; AP-REQr+1
    (Session AP-REQr, Message APPLICATION REQUEST)
  •  (for r =3D k-1, ...., 0) ACK-1= -HOPr: AP-REQr+1 <= span style=3D'font-family:Wingdings;mso-ascii-font-family:Arial;mso-hansi-f= ont-family: Arial;mso-char-type:symbol;mso-symbol-font-family:Wingdings'>&agrav= e; AP-REQr
    (Session AP-REQr, Message ACK-1, Http response)
  •  (for r =3D 0, ...., l-1) RESP-HOPr: AP-RESPr &agrav= e; AP-RESPr+1
    (Session AP-RESPr, Message APPLICATION RESPONSE)
  •  (for r =3D l-1, ...., 0) ACK-2= -HOPr: AP-RESPr+1 = &agrav= e; AP-RESPr
    (Session AP-RESPr, Message ACK-2, Http response)

Security Requirements:

Requirement: Message Correlation

SOAP Node A must be able to securely determine whether content of hop AP-RESPr+1 supplied by SOAP N= ode B was generated in response to APPLICATION-REQUEST. This requirement addresses the fact that related messages may be delivered on unrelated sessions.

Threats: T-01, T-03, T-04, T-05, T-06, T-09, T-10

Challenges: C-01, C-02, C-03, C-04

Security solutions:

Providing a solution for this requirement would require composition of a solution using techniques that are not described in the documents that are in scope for this profile.

An example of a solution would be for SOAP Node A to p= rovide (with confidentiality, integrity and authentication) some correlation information X along with the content C. SOAP Node B would provide (with confidentiality, integrity and authentication) the same correlation informa= tion X along with the application level response.

Requirement: Node Correlation

SOAP Node A must be able to securely determine whether= the content of AP-RESPr+1 was supplied by SOAP Node B in response to content C sent to SOAP Node B.

This requirement addresses the possibility that the credential Q used by SOAP Node A to identify SOAP Node B when targeting con= tent to SOAP Node B is not the same credential R used by SOAP Node B to identify itself when targeting content to SOAP Node A.

Threats: T-01, T-03, T-04, T-05, T-06, T-09, T-10

Challenges: C-01, C-02, C-03, C-04

Security solution:

Providing a solution for this requirement would require composition of a solution using techniques that are not described in the do= cuments that are in scope for this profile.

The simplest example of a solution, based on the examp= le given for Message Correlation, would be to ensure that the same credential = was used to provide confidentiality to, and authentication from, SOAP Node B (Q= =3D R). A more complex solution, still based on the Message Correlation example, wo= uld require SOAP Node A to have access to some mapping of several credentials to SOAP Node B (Q =3D> B and R =3D> B).

7 Out of Sco= pe

This section contains discussions of security aspects = that are not considered in the security requirements of the scenarios. It is included so that the reader is aware that these have not been overlooked.  The primary reasons that they are = not considered is that mechanisms to deal with them are not present within the technologies in the charter of this committee or because in some cases (e.g. Credentials Issuance) the solutions are not technological.

7.1 Security Challenges

7.1.1          C-05: Non-Repudiation

Definition: Non-repudiation: A security service= that provides protection against false denial of involvement in a communication.=

Explanation: Protection against false denial of= an action associated with a Web service message. Non-repudiation technologies = do not prevent repudiation, but rather provide evidence that may be used by a third party to resolve disputes.

Threat association: Accountability related thre= ats along with threats associated with C-01, C-02 and C-03 must be addressed relative to this challenge and needs to be discussed further.

7.1.2          C-06: Credentials Issuance

Definition: Credential(s): Data that is transfe= rred or presented to establish either a claimed identity or the authorizations o= f a system entity.

Explanation: The process of initially providing= a principal with a means of identifying itself, via online or offline mechanisms.  Traditionally, “issuance” refers only to certificates, but here it is used for= any information furnished by an authority that is willing to vouch for the principal. We believe that this security challenge is out of scope.

Creation of a credential via transformation from an ex= isting credential to an equivalent one in another format is not issuance in the se= nse of this section. 

Threat association: Out of scope


7.2  Threats

Note that out of scope threats are designated as T(OOS= )-XX.

 

ID

Name

Description

T(OOS)-01

Key Attack / Weak Algorithm

The algorithm chosen is subject to attacks and/or the key(s) can be compromised. This covers a variety of attacks. Most of these have to do with details of the implementation or operational procedures, which is the reason for conside= ring them to be outside the scope of a specification profile. However some asp= ects of profiles, e.g. selection of cryptographic algorithms, would be relevan= t to this threat. Here as elsewhere there are two levels: some parameter setti= ngs would be universally considered insecure, e.g. null encryption algorithm.= In other cases, the choice would be a matter of local policy. For example, s= ome organizations consider a 1024 bit RSA key adequately strong and others do not. Still others consider it satisfactory for some uses and not others.<= span style=3D'color:red'>

T(OOS)-02

Traffic Analysis

By analyzing aspects of the messages such as its sou= rce, destination, size, frequency, etc., determinations can be made about potential contents (e.g. it is determined that one company may be trying = to buy another). This has many subtle forms= . For example, during WW II, Russian scientists deduced that the Americans were building an Atomic Bomb, because the physicists in question had stopped publishing papers.

T(OOS)-03

Host Penetration/ Access

Information is obtained by compromising a computer s= ystem (e.g. unauthorized access to a computer). Any threat analysis must assume some part of the system is secure. This is called the Trusted Computing B= ase (TCB). If there is no TCB, it is not possible to conclude anything about = the behavior of the system, since presumably an attacker could modify its behavior at will. Thus, in a sense, this threat is out of scope of ANY de= sign or specification, although certainly not out of scope of implementation a= nd operations.

T(OOS)-04

Network Penetration/ Access

Information is obtained by compromising a computer n= etwork (e.g. unauthorized access to an internal network). This threat presumes a topological approach to security, e.g. firewalls or security gateways. If appropriately strong mechanisms are used on an end-to-end basis, network attacks are reduced to denial-of-service. Thus this threat is out of scope because it is essentially equivalent to the standard assumption of an untrusted network.

T(OOS)-05

Timing

By analyzing the time it takes to perform an action, information can be deduced (e.g. validity of a username, or key informati= on). This is out of scope because it is an implementation issue rather than a specification issue. However, it shoul= d be noted that some published cryptographic timing attacks require timing measurements which are much smaller that the average variability of laten= cy in typical networks and thus not of practical concern.

T(OOS)-06

Covert Channels

Information is conveyed outside of a secure perimete= r by means of secret communication paths (e.g. by toggling an externally visib= le flag, secret information is conveyed). T= his threat is usually only consider seriously in military or intelligence environments. Typically the engineering approach taken is not to eliminate the channel, but to reduce its bandwidth to the point of being useless.

T(OOS)-07

Message Archives

By penetrating the queue of a store-and-forward SOAP intermediary, or the store of an archival system, information about a mes= sage can be discovered (e.g. a message in a store and forward queue can be discovered which otherwise wouldn't have been seen).  Note that in many circumstances = this is a variation on T(OOS)-03. The main re= ason for calling out this threat separately is because end-to-end message protection measures can counter it, whereas hop-by-hop measures cannot.

T(OOS)-08

Network Spoofing

A message is sent which appears to be from another m= achine (e.g. BadGuy sends a message which appears as though it is from GoodGuy). Comments similar to those under T(OOS)-04 apply here. If the message does= not reach the application, there is little a profile of a specification can h= ave to say about it. If it does reach the application, it is essentially the = same as T-04 and T-06.

T(OOS)-08

Trojan Horse

Information is secretly passed along with the messag= e that plants a Trojan horse (e.g. a message is added which is detected by plant= ed software which causes special behaviors to occur).  Note that this is a variation on= T-01 and T-02.

T(OOS)-09

Virus

Information is secretly passed along with the messag= e that plants a virus (e.g. a message is added which is detected by planted soft= ware which causes special behaviors to occur).  Note that this is a variation on= T-26. Viruses are usually planted by action of unsuspecting user or occasionally program flaw that triggers execution without user action. This can be contrasted with a Worm, which spreads itself autonomously without user action. Worms typically execute other threats found in this table in automated fashion. Some authorities have abandoned the distinction among various programmatic threats and use the term “malware” to co= ver all types.

T(OOS)-10

Tunneling

Information is secretly passed along with the message (e.g. a message is added which is detected by planted software which caus= es special behaviors to occur).  Note that this is a variation on T-01 and T-02.

T(OOS)-11

Denial of Service

Silver Bullet: specific messages or com= mand sequences causes failure. Almost invariably a result of implementation error, not de= sign error. (Note that this can also result in a system or application comprom= ise instead of merely a Denial of Service.) Inconceivable that a Profile would require dealing with this threat.

 

T(OOS)-12

Denial of Service

F= looding: ­ Sheer volume of message traffic overloads some critical resource, typic= ally server or network link bandwidth. This is usually a configuration issue n= ot a design issue. If the bogus traffic is truly indistinguishable from legiti= mate traffic there may be no defense. It is important to try to

  • detect that an attack is occurring
  • determine the true source.

 

T(OOS)-13

Repudiation

A message is sent and then the sender denies having sent it. Achie= ving non-repudiation requires both technical and business aspects since a party may always claim a disconnect with the technology ("the software did= it, not me, I didn't know").Public Key cryptographic systems have= a special property that cannot be achieved by secret key systems without th= e use of a trusted third party. The property is that it is possible for a party= to be able to verify something e.g. a digital signature, without being able = to produce it themselves. When this technical property was first observed, it was called ”non-repudiation”. Much later it became widely believed that non-repudiation was a well-established legal concept (It is not.) and very desirable for electronic commerce. The confusion between t= he technical and legal meanings of this term continues.

Table 4: Out of Scope Threats

8 Acronyms

HTTP – Hypertext Transfer Protocol

HTTPS – Hypertext Transfer Protocol Secure

IETF – Internet Engineering Task Force

MD5 – one Message-Digest algorithm (RFC-1321)

MEP – Message Exchange Pattern

MIME – Multipurpose Internet Mail Extensions

OASIS – not an acronym

OOS – Out Of Scope

RFC – Request for Comment (Used by IETF)

SCM – Supply Chain Management; the WS-I Sample Application for 1.0

SHA – Secure Hash Algorithm

SOAP - Simple Object Access Protocol

SSL – Secure Sockets Layer

TLS – Transport Layer Security

WS-Security – OASIS SOAP Message Security specifications

XML – Extensible Markup Language

X.509 – An ITU (International Telecommunication = Union) standard for “certificates” Also known as ISO/IEC 9594-8:1988

9 References=

  1. [BP 1.0] Basic Profile Version 1.0.
    ht= tp://www.ws-i.org/Profiles/Basic/2003-06/BasicProfile-1.0-BdAD.html
  2. [SOAP 1.1] Simple Object Access Protocol (SOAP) 1.1<= br> http://www.w3.org/TR/= 2000/NOTE-SOAP-20000508
  3. [SOAP 1.2] SOAP Version 1.2 Part 1: Messaging Framew= ork
    http://www.w3.org/TR/soap12-= part1
  4. [RFC 2616] Hypertext Transport Protocol – HTT= P 1.1
    http://www.ietf.org/rfc/rfc2= 616.txt
  5. [RFC 2617] HTTP Authentication: Basic and Digest Ac= cess Authentication, June 1999, Obsoletes RFC 2069
    http://www.ietf.org/rfc/rfc2= 617.txt
  6. [RFC 2246] The TLS Protocol. Version 1.0
    http://www.ietf.org/rfc/rfc2246.txt
  7. [RFC 2828] Internet Security Glossary
    http://www.ietf.org/rfc/rfc2828.txt
  8. [BPSA UsageScenarios] WS-I Usage Scenarios
    http://members.ws-i.org:80/dman/Docs.phx?Working+Groups/WSBasic+Sample= +Applications/Approved+Materials/UsageScenarios-1.00-WGAD.doc&cmd=3Ddow= nload

10 Informati= ve References

  1. [OW= ASP] The Open Web Application Security Project (ht= tp://easynews.dl.sourceforge.net/sourceforge/owasp/OWASPWebApplicationSecur= ityTopTen-Version1.pdf)
  2.  [SC= M-UC] Supply Chain Management Use Cases (ht= tp://ws-i.org/SampleApplications/SupplyChainManagement/2002-11/SCMUseCases-= 0.18-WGD.pdf)
  3. [SC= M-US] Supply Chain Management Usage Scenarios (ht= tp://ws-i.org/SampleApplications/SupplyChainManagement/2002-11/UsageScenari= os-1.00-CRD-02a.pdf)
  4. [Se= curityFramework] WS-I Security Plan Framework (http://members.ws-i.org/dman/Document.phx/Private= +Folders/Community+Folder/Working+Groups/WSBasic+Security+Profile/WS-I+Secu= rity+Plan+Framework?folderId=3D%2FPrivate+Folders%2FCommunity+Folder%2FWork= ing+Groups%2FWSBasic+Security+Profile&cmd=3Ddownload)
  5. [WS= A] W3C Web Services Architecture Usage Scenarios (ht= tp://www.w3.org/TR/2002/WD-ws-arch-scenarios-20020730/)
  6. Stallings, William. Cryptography and Network Security: Principles and Practice (3rd Edition),  Prentice Hall 2002
  7. Fisch, Eric A and White, Gregory B. Secure Computers and Networks: Analysis, Design, and Implementation,  CRC Press, 1999
  8. Kaufman, Charlie and Perman, Radia and Speciner,= Mike. Network Security: Private Communication in a Public World, Pren= tice Hall, 2002
  9. Ford, Warwick and Baum, Michael S. Secure Electronic Commerce: Building the Infrastructure for Digital Signatures and Encryption (2nd Edition), Prentice Hall, 2000
  10. Schneier, Bruce. Applied Cryptography: Protoc= ols, Algorithms, and Source Code in C, Second Edition. John Wiley & Sons. 1995



[1]        &= nbsp;       The tag naming convention consists of three parts. The first character is a “B” in the first character to identify that this is a binding l= evel solution. (Note: “T” was not used because of possible confusion with “T” used by Threat tags.) The next 1 to 3 letters identify= the transport challenge: “I” for Integrity, “S” for confidentiality (Secret), “P” for Provider authentication, and “C” for Consumer authentication. The last component is a number identifying the solution instance.

[2]        &= nbsp;       Note: user can support NULL-SHA or NULL-MD5 cipher suites for this usage.

[3]        &= nbsp;       The tag naming convention consists of three parts. The first character is a “S” in the first character to identify that this is a SOAP mess= age level solution. The next  lett= er identify the type of SOAP message level challenge: “I” for Integrity, “C” for Confidentiality, “A” for  SOAP sender Authentication. The la= st component is a number identifying the solution instance.

[4]        &= nbsp;       Kerberos tokens are part of our charter candidate technologies. However, usage of th= is technology in this profile will be deferred until OASIS TC deliver this core specification. Note: as other types of security tokens, e.g., SAML assertio= ns or XrML tokens, are added to our list of charter technologies, they will be added to these security profiles.

------=_NextPart_01C3F7CC.6A53C610 Content-Location: file:///C:/E567E524/SecurityScenarios-0.15-WGD_files/image001.gif Content-Transfer-Encoding: base64 Content-Type: image/gif R0lGODlhbQBPAHcAACH/C01TT0ZGSUNFOS4wDQAAAAFzUkdCAK7OHOkAIf8LTVNPRkZJQ0U5LjAY AAAADG1zT1BNU09GRklDRTkuMD1H/5mrACwAAAAAbQBPAIUAM2YAM5kzMzMzM2YzM5kzZmYzZpkz ZswzmZkzmcxfX19VVVVNTU1CQkJ3d3dmZmZmZplmZsxmmZlmmcyGhoaZmZmWlpaAgICZmcyZzMyZ zP+ysrKgoKSmyvDMZgDMZjPMmTPMmWbMmZnMzJnAwMDd3d3MzMzX19fLy8vA3MDMzP/M7P//ZgD/ ZjP/mQD/mTP/mWb/mZn/zGb/zJnv1sbn59b//8z4+Pj/+/Dx8fHq6urj4+P///8BAgMBAgMBAgMG /0CecEgsGo/IpHLJbDqf0Kh0Sq1ar9isdsvter/gsHhMLiNvtdmMVjNDcbTWh9VisWZFHO7Go73o di80OEc3MnaIdzx8ODN/iXYfM4RYGQaXmBhSfpB4Q5RCM3WILZ5HMJClQjQwc3Yto4gvpjx6UiQB mJeaUrCJL22nkCwyoEQ2qIAsMDU3oqTDicy1QsZNlroGvFGoLnR1tIs8OY++dDRGzo+IeJzRibGz 4lId2dpTz6+KRiOxieFCUPmbFMIDJA8eXrRAqIwOHj5SsOna9uQGjnV2YNgwEuJdDGs8kskaJHKU KVa/Nn4qYeIJCQLZKCaBSERkIHREOPl7hXOIO/9ExVBKI3SDT45knoraIuFgQ45r9mQuAQUDlouE +4aIgjWKqwc8eoo6elUnRp8/5kCMqLWHD42kNHmYoEC35ZJ6MalchFTsk014LaYJuZFsVAh0OEYY 9PDhEYwncytYoMChhBKJmfSuqyPIZx1v0TpX+wvjKY9nLvxNK1qNki25FjhIpmBhQ5KXeaXw+Zv1 bwi07CjlQ2R2kbNRH0CzkETENaUbkStw4DCZwokjmHdVGavMVGE7MwQC0hgwlSmxOxEJRmIiduwN 8CtQsF0E78QpjDAu2+jIXIu3O3lCGk6snUWWclkVSEh0FjRYgXR0kUBEdvdU0VFDeIiXkR7ffQX/ B1omNdcWDlX5Ys4yEMUV2XQPtigbBRXoIARu91Fx3EAkdlLeL29Bk9VgNMXBQjl1MAbQXBY86OBs k22wgxAUSlWRDQrpo4Z+D8ngTSzhmTjkDHEZgYyPr4TTnmxothjbk0PYl5mNIcXSwmbgAFliICyA NooIjFBTCHfmEcHgg9RVYNeEUV1xCClVdkfEomRWCVASOCw6p3qgnMnBBrORIKMRNL5ZhZDDjCLa KvoNA2YTSo0VDzp8nNAgXbEdakSUeg1RVUP/uLbbO4GoxJYeb01SYDXDOTREdBVs8CkSbmp3BW// iMMapNHQQmxhkwzBWgwGVSvECbRtcN0SuF4B/ygkp/qUapk57ZqnkcL28d2Xy1JAgmlLhCptFNbY NMpXSPDGWU88jOBKQ7PYMIMMmwU7hA5sQpUbwHGJ1Oh/SGD7zX7V1OIxsEMiIkIV0VYYBUTCdWWH B+sVMeaJPyLrT3qQkEeFvwZwkAWVkDCXRAzDtPvJusCWEszOA2TjMxY4XPiK0UXopF4w1sCB9C8w DHIFCvY8jUWxaqjB7xFal73GJ0ikAcPbcMOghrBhPoGDDhmQkDcJJJwL9TxugJSH4JQWwkXdXxzL BOGLMw6wG2ytrJfjkANMeTqVZ6755px37vnnoIcu+uhflHD2DvzmoEMOO5Tgegmot17Cs0Tk4P+6 abLv0LrqJ7j+KcVGqD5O6iWccMKztu/QO+zjFF+xFM3yy4HfJnBQfZINVrYBjJQ9X0KzHFBggg7h SyYf37Qp2XcFEhJBAgc78M2DDttzwDd1EiKppLPbk0AZFRu4wLlO8AD68KA2JbCAp3SnAx3oq4HT edaDGti3HdSGYq0jnwUYSIIKnIA6RCCXk+xXArocLweq6yD6WMdAE1ygJSYwoBQu0D66WGd++oqh ZYjAPiHAiF/b89sO5lOE6QxBVn0johA2YAEe7AA+26OdEChIgSKcoClYiI0O/HeCC9iGia6rTnVO UIEL0OWFRfCfk3iQQBvWpX8k2N4GeRBFHvj/T0JPhOJtHlAdLJaQAjukwlxEmIO5zCV/zToBCUww vlp1sDJFaGPvpGMCvp3giQ16AAl28KkhciAHshFCHuGDhByQwAKVTKUQcrABLFYBRi98yhlbkkBb HbB9PGjWETYwvf8RgTqspMDz3hdEUW4gjlVEgv+S0EVcSmEDCsAlAZ3Cgw8G0ocGrM24prdEfWmT h03MgXwC+b0HiC2PJKDh2Upgv1PW7n3j8mIVEug3HuhrXLSpzaa+58UKOMACO8yBBZpSgQI68AIt chITZaQDCzzgUAEkpza7+AD2ndIB8CNBAWdjgisq0AEUOBsWVrdKHcCud6grXvGkyMZjyoh1/6/z neuGkDyailR4U4wj336H0uK1pJAbsCWcsLCCFQzBBpcTEeAi9wlQvKZwVoAABgyQAXGoAAMTwMQA JpDVABAAAFwlQAAGMMcOEGAAaDVAB3gwAQK4Va0YSCsALJCBsw4gAkYlBAokgAIhoKAAaJXADTIg AQxAoE0GgMAC3FoACShAEzmYgAKooA0DFICa9ZAQBCJgOqkeEQK2qQenCoCBHOBgBxAoAAomgIEb CBQCEBDbASmgAxVMQAKmvQEGwFoLEkigqLDlAAQs8RTdGiAHHTgAZLO6AhIMYK1T0EZWt5qDFEzg OhCYwApwIIEIdKCSGSjAJ806gdgS4QYS4P/qBHRgAthmtwMdIEEJbssDFUDgAlAywAQiUNX2YmCq HcBABLDKB90e1gQGkIAQSiCBAvSsClRFAAbqAYEOTGCtE0iAUSdwgAgcgKoTyIUBSNABCOCSDxJI bwAK8N6pYmIDGPgqVZ+SAwgYQAOJvQEKbFwAAvx3wBCACAkgwN7hUgLBCoawgCewgxU4GALYnUAO alDhZSX4HjqoKBF0EFvWeis23sKqBNSqh6naGAI+NsEEVMADDphTAoSlhGHrG4EJTOy/VqisBJ6k g0tg1wAluEF2V5cDFVC1rq2NKwQsY1YCdCDFNLEABFZwA04alsuOJu8QKqANCcA3AlIN9Qr/VMcB AxSZFzhYAVetkIBHf3KVGGBzep/CYUwQNrQGqMANVHAAAABgAKXlAZ4Hg4EPF+CyHLBzZFNsAZro YL9Z1e8KMnDhAzi4sHY+wQSqCms7k+7bWegiAwSgAGqy0oxm9Fs6GdCABdzQfYfqaBGg2EsbempZ 7WPKZJpCyvlVYAHtFmZJifA9kT7hAg9dpQUYICF9PcUEDkii+JalANrOaAFic6EMH8QpGpOrAkMo 4QWexDpg7iB8dlQAyC/uAFZqMuQ9lAJtnmdHgNJwCPORDc2LMCv6pLOAU9zUZIawUKJfYOjdnBEq lTgx2ZjgATdnowXqeXBn4hw+7aRLAK1e/wTJ6MDrcgkqjGQ0HV4K4ZBD8J8Jvpfvp20vgEe44wuB Ts8pTNwICqQAwitguloSIYAR2oEXcyBCOzprtuTb1Ksl83dADjGZ21si+5JZhLlE/op89+AUBl/5 F1o06vMRaQk7SBkYNegEvHxpdTjVxFP6rZVMuicTx8HEdNIclPpK5hURKtQm6CDiIXz5PZmCR4TS LjZ3JAKM3hfIDRQw9dIJuS+7Sb8m0rGKrazY16vIlCEM8QLXhIJAQWqBCzjALve0I/AbSn4KFFCg MvT3fJ6H9U39czJxrMDZWNmscM7ejg9AGxSARaZkfTnVe1FAUjRVO0WAQlbggFP0UgYHgSGrtH8U OA4sZXBfoIEMCG4e+IEgGIIiOIIkWIImeIIjGAQAOw== ------=_NextPart_01C3F7CC.6A53C610 Content-Location: file:///C:/E567E524/SecurityScenarios-0.15-WGD_files/image002.png Content-Transfer-Encoding: base64 Content-Type: image/png iVBORw0KGgoAAAANSUhEUgAAAfkAAAJBCAMAAAByGTxTAAADAFBMVEX///8AAAASEhIkJCQ3NzdJ SUlbW1ttbW2AgICSkpKkpKS2trbIyMjb29vt7e3///8zAABNAABmAACAAACZAACzAADMAADmAAD/ AAD/HR3/Ojr/V1f/dXX/kpL/r6//zMwzEQBKGQBgIAB3KACOLwCkNwC7PgDSRgDoTQD/VQD/bCL/ gkT/mWb/sIj/xqr/3cwzIgBKMQBgQAB3TwCOXgCkbgC7fQDSjADomwD/qgD/tSL/wUT/zGb/14j/ 46r/7swzMwBHRwBcXABwcACFhQCZmQCtrQDCwgDW1gDr6wD//wD//yn//1L//3r//6P//8wiMwAx SgBAYABPdwBejgBupAB9uwCM0gCb6ACq/wC1/yLB/0TM/2bX/4jj/6ru/8wRMwAaTQAiZgArgAAz mQA8swBEzABN5gBV/wBo/x18/zqP/1ej/3W2/5LK/6/d/8wAMwAAUAAAbQAAigAAqAAAxQAA4gAA /wAa/xoz/zNN/01m/2aA/4CZ/5mz/7PM/8wAMxEATRoAZiIAgCsAmTMAszwAzEQA5k0A/1Ud/2g6 /3xX/491/6OS/7av/8rM/90AMyIASjEAYEAAd08Ajl4ApG4Au30A0owA6JsA/6oi/7VE/8Fm/8yI /9eq/+PM/+4AMzMATU0AZmYAgIAAmZkAs7MAzMwA5uYA//8d//86//9X//91//+S//+v///M//8A GjMAKFAAN20ARYoAVKgAYsUAceIAgP8ajP8zmf9Npv9ms/+Av/+ZzP+z2f/M5v8AADMAAFUAAHcA AJkAALsAAN0AAP8XF/8tLf9ERP9bW/9xcf+IiP+fn/+1tf/MzP8aADMmAE0zAGZAAIBNAJlZALNm AMxzAOaAAP+OHf+dOv+rV/+6df/Ikv/Xr//mzP8zADNNAE1mAGaAAICZAJmzALPMAMzmAOb/AP// Hf//Ov//V///df//kv//r///zP8zABpNACZmADOAAECZAE2zAFnMAGbmAHP/AID/HY7/Op3/V6v/ dbr/ksj/r9f/zOYh6LTQAAAAAWJLR0QAiAUdSAAAAAxjbVBQSkNtcDA3MTIAAAADSABzvAAAMCNJ REFUeF7tXQmC6ygOnb7/pecX2llsduNYNT2pXw4I6T1JgEyc//3PfxwBR8ARcAQcAUfAEXAEHAFH wBFwBBwBR8ARcAQcAUfAEXAEHIEnEPjv36B//+ef//4zf5q3oqZP6OtjzkLgj2dNdeIJdqCiV8zS x+XsQgCZ50hHauHv8Aq+8PdPevXQ38XOynECn8huGEezDZyrV/XHSqVc9gYE/oLaME8Rjlc55mE9 IG6wQTcfYiUCMfOaWh3tOP878yvJ2CqbGOUVPc/wwSdwtuesABe2auiDnYOAM38OF0s0KWzsy/v9 JVq40CcQcJKfQP3BMRXhFxW9BxX0odcg8FewUZKd/DUwHySVKE5zvGf9g2iaqUoFsR74MwE/RVbl Js3JP4WwcT0yaf1aaEVyGNfKJSxHIIn1CmI98JfTsnKAMfrGeq+0y2XfIFA5r19IqUgOzsJBCPwL 1quDVk2aeuA3wfVU41uaumL4VupT5vq4hMB4di9h2eUxTswGBNYz44G/gcb2IWqCvabN3SZ/XEa7 bd4ji0B1rFc3vCPfiTgCgQdi0LP+s8xPCuE+Ix4dvE/l9/dC0BtifQlNHvi7XamBcVStvUelTU5+ JVCDzY7EeUk6GQTq17ovi9xBoI50yEGbDuk+AO2miBzQ8BCMj1RjINYHurZCscnHWtV6Z/uXRdLL 1D3YJ8YCdqx3JyxOfidw0O3qxnqt4Ody73Mj12JzYrvfQM0Dv9m3HknQzVrWdHDya1AK+b2yYUWz iaIqRis3mWnTkCInd55I1kl4e+B/OC5OcsSTYn9irJ9kltHFA1/DsQaNY/1ojbnH+npWsYUYnJ1X z9ZuvRMdG5XrTcfnbm0Y6KwhFsb6WYZeavNBFNbG+psy6Zt0HYqpHV6+1q2GzM913gHJdKWbBb6M lGb7Ojv8MPkzbrZ1ovqSbr+X9Xda9O7Qebf2SYDtTO87x1qTSX6C/J2xvoaGZ6S+HrfG+KPPyMBv WhWo34EGCgn8fdOsXsozHJdGPSbwEzI0CRl0ibuIwgJ1aH6jo8yl6tHBd9e0G6BbigsJD18NVJno pA9YkVHw36XoaiL832BLLWtAuED+qITh/iV8aomqVqCWiArmE3/462Pl145WrX5Nw+Dey35qNJjQ JsVyVCh+JVjwKEwA4Zf8G65TasB3qD2tD0IX/I4xpht5FtnQavfPzYi5YKpXsr7lmNkceRFR5BHA GX0HWE0iFyr0F4XZr47S/qZawWX9Gn3HFGgbNdsFlQB9PWI2mOqVrG85hfkYc/7iN5hqA+OV0YXN IM6BJ4jRlFbkkd+BTNDBfI1HjuFket8zD5nL5DxE4VbVB5k3KZaYZ07y6xh1Vb40Tn99nCX0IuYv v1cu9R50KUoFE+m9EFWT7YOqWX1vdJzOfEEgRaUKyIAicaNi/uJbvki4Sg06fKM5H8nFTuwTkBzo ldMFpg3AC6ZQm0P04EcwD1jSUkbsq1uU7GKeyioaTEMUpGvgpKhUDfjVFumEgHxfOF3t7DvTJ+6z PU150QxXY0c1TrUWTReYG/hqkHoForUx559aU5e3q8n2XNlIU9m1fvU4LbfTB4gRWErOUuHO5RgC S8lZKnzMbu+9lJylwqdzd7/kMQsxtSCEvYP6keKeucpLvbLu+yBbOtJ04RG+DGC6kg67p0x9/EKl 67V9aWjkPH37dg+RpX86ZEUnWzrSdOFGoNqgFZm3dtdFdaYVb9Fxt467Q9olZkvzXPpH/8MtMZf2 c4Xxmg3TrFzXFEUpwElY2aQ3S0uSkzIfVIqLLEIUvo07eaqqqvJ+RsOUebA7esVmWNOVN0O2ocoC IgYwIVjkAifF/F0U5TF5aNJK6WB6YrwhIwfrLPqV4ONQtiBPPhcLxXlGZhtNu5I0PSE2hllLFLEj S3XyOoqWGpe5M2LrjYpoStJVzKcI6oDmf5MP1TDPhWQlaSk4FV6gx7+NIt2gJoqWGlfWlu+uCdEJ X3wfrwKjTClePJ6yveQZiHZ8xdlcbiHwzLQUnAqrDPM2ndHEllTtQawsb+wtSTXoSuMIXFCDk7it N4JmKkWpC0xQdhFRAV02N6w0uUunYqe6mM/cl66JoukwTBeocRkVPqU0P6pEvXeoke6jiDMbhlII NgmrBVEUGbIUFxK+dJA7ZvYNvnSk6cKnC8wRsWWQkgfsG3zpSEuF30VP9/uPar1v8KUjLRXezexd xxut5W1cVlp5ycVsqzsdNry/lJylwumMDa3e6ZATnRjUh56StuGoVpd6ttqVikiudI3izF8ggLHE v8JKU6qs8elXfht221TQa96DckfcTqozdbC/1GvesCGOLmwgtWqIK4+kKgQIIujwxG3omL/rwANP d3clENWxN+Ri5llzOTutLkX3R6q0Za8R38lV9Em7kFtqSsZVZE1tdGGuCSJ7+FbFzKXrTFXVbhqD dnxnRDtndJVODeu2ym1ExTrmM8V71EOnEpQlqmiPuUKlSokpsN4wT3nR3KqCDEDGXSfkKUrmkkgm 5iENqdot9kszAWbh/Ex/CX4x5u0kopq1xfwRzOsT4XG252x2C9Nc6m2EclbihFo9z/Pslep3n8Xo /LZ4Gc/mprZF59UxP12MuW6CLOJ/42N42F7N8+ADUst/KnVRtuflBmdWSOu0CIE/kCu+Kp7cxvwq P35A7u08b6LbpFJIY08xXxo7r1LL1QdYeGLIy9TGe149qdJ9MQz8+9y4yqwWNrNto4v7pthViDTJ bTO3rfVdSmhSNDRuHL9tgKXC21TZ0brN3LbW84mSGVzN5FxWUBP8zdvgRlSZoGXBDrzPGaORyzbF lwq/V2Xb8OhysoRnp7pXMmqxTef5Yakt2WdGM8IXHdq1xmUQLnl5GQzVr7af9h5t8qU11DRW/fRq 9Wi/dvAt81Lo7oir9sF3YAXn2XaM9OgY7RaqenHI87Tg6GD+UcsLgxPnH+C+FX6JediAsO+0O1Hr 0BvaKyNexP0e6HPzPGwfNhCzeIiI7PdwvwX7ZG1PbGwZfSX1GaLfwv3rsV/J663sPHo3pzJupf5o g0FXG+w+FdSL6H5L4LfhkdT2+NZfrjKonstV+fZ1szZdF7a+Ifc3uV+IZ170SZEOGlYQW9FkO5B2 wPNgTQA5TsU6hU7nvs6KR93zMBXrGa1v+Qi+h+GaweAoDdvY9IX+mE8fRH27Km2uMgbUwb3bgTuq 2NfHYl+vg1nsUa2P+Z6RFvTpZ7C/5wIznhH5ZuaHdD+T+yGT2jxo41Btit22HqbuyMXee/m4JWxS g2HeawtAk/StFePM3yA1DaA5HlTLq7cbRGAqXVOFDRr2gu7TYq7D1ulUTRfYYdRrujzH/BKalgg9 nMznKOwDZpW+By30V5kYAb5pmD6ak15LY3Op8AYANlGyaZgGw8tNl1OzfIA6GPZwsmeUOot37eQu xjmE+yl4/YqQXZzsGudXeFltx04+do61GrcF8gdmiVWfiozkgtGbBqNnWC1A+jSRY8wHStKVO5KV s9W2/vsr6Z82Ua3CcOmYqSCRkpUH7qRelbIDmEQmz5M0328GdMOHQP2TAB/2UR/oxAhVj4vi53rJ h70FetWbRfGxcutGzLwdE80QPf7+BU6CwvGfeB0v4zOs6Il2CO8AJjFBE0WVuO8dorcfRB79jwKI gogCE0KRX//cg69QEleXzGM9icyI+fyYEr2l4ex1UBj0iVSa+rHEAXhro7x3iN5+mvnoCYbENaaB S+YxKilAiQX8fLhkZJ4T2Ncglilv3DAfQlw7IOSC9czX0kczmORNnNGiz9/o52oHm3s62FiqV5Fb IvQmznHi1DGvgioJMGqHBOqYJ65t6CuyJJtkeudYzaaexTFfD6uEoHL7u+4pOJnpphDcYzEPRKDf 6XkevNGsADDAMExJZ25E17lbKdsXxsQFgGYS/CoaQc//WZWmZvs76vLvV5NyzzwlxcxA1aMkfaOe nHmzDU1jpKcKlsg426c8ZpVs1Uir1A9J66iF9hAyduEM0xMkf4kOUFUtn3FhTK3hrWgFi6P2mxn3 pCkpNce+A8rXgnTJPD9irlZaCWqjUrVuVaN2SFNuaCbAzGJYT692uRo9ODZVo0OxYZ+pQsyO0q9m y2DQdvJY7eKIebUw1atocFPlrHr1ahez2b3LMH/tFrWTwDTsGews5mOGzaa3xDz7bjHmCcp+SPt7 tnjAdbZvkVTddo9hkTp60EzMq5UqzfNhwrfZHhYI9IpZgWbXccZJ5QxAcklNVWJicjHbykIizGfX EVfTV50OlBCNmtVeMq1hlbtVNcL5yrZVWNQKKZuWA52vlVDP0noFHzOPHnwRKsr/KeddOUbRg8eh 6fCHqkGrGoWlir210baovtW+wHxgKLcFkf0F5SPecJiyfyHmyQWyRX4xlWo4tToYrTBV3pr+8QYJ 8xCV/Br9GdXJwTOjwnl5AvlrKfXarOhkbYN5J1kY8fWgg67hity53FbH6txhV0lLmbc7CoQxuSjB 28Y80JTsWuQKprmkRB93kpmIhJEvOPNVzlIf86XSfRPzmpU45mUPXsw7RR12xHxliSBZw6IT45qN WdGLKEmb+m3Vw9IUda0iOmkUMw9/cyWRNpw6SPmeOa4FpIiu7rsV5nlTlwTLoh0Mm9ukA9xtxnop z1d9kIz1Aq/VP/KXua7/INRVN6zw4pUNzI+ZXepNc8Ma6Vmpj8zKZgqSNTI5Jfg5L1uV33OwSdUL HFm6yrybbmF7cN0D0OeYT+crdYX/ybBwtgemMe2GhatpjLlBZ/se0nGA7q4NHZ15YhCWsrIbiU6X 3DNPAhrQzzf1mG+BsAKtKNqjbXAQoJmP/q2Zh6QexTzOAS1KF9pW2DJvlD2DUbacoHciosICffc9 CW7cm8K0bubwsAZQS2SZAGBpoJfCFVrcG58TQvkI3RN+0WYFvJaVhAKjvZiOmmZ7FGekZgZSewuZ nOLReVWvF9VT0Olh/h7zqxYQ4jt+MqPg4CqvKF+UuiqtMCknqW4lwGQwPUbwJA5UMp0igsImk/Z0 02T0PfBNpkjF0Y1kC2WPGgXmMfz0VEPcMEnoD0wNems2i8QZ2CYBW5pVA9nDLDTt6RwKGQfEmXh5 hPl9gy5hnqotksbDv/hWEeV3SAo6H9A79zGvx+Bx1KTBLFIsl0eXCUEEbUuZkaVvZ54CnvAje/5I 5k2JlBz4YrGERzOXBUZyBsm6HKg0ugzvMd+S9QvZnljhKFbzqHoPrurX/PrEJndJzMyVTdc6j+h5 XilhVhm4UNjD/FVcF94zqTlto0MgnbZu2exMNLludm2PsyjndQx8WyfH6qPJt0rlhHnaKui1fWYg ziLl0WmOp80CjdqJxy3OHStv2aSTv9pRElXbdG9rzUNXdcs3ariaMp9HuF1kcaKtMuye50yLZsmt 50zIzeF3cu8vVqlZHxBQ1y3bqv5ifp7PwV4v865lnWFd1Dd2gkmIX6M/4S1M+KC0lHe539WQnZZ2 duswvtrNGmUXmu8xrEZXOXWiiyH6vjczH2hXhf0y88q8TkvDQOt/MMGsH0hGqCFldptiIsrGPK1i dMyHjJCmhUTRceZ7bLdHQnskNPXZPFyTbsVlhryBGZzuyqt6NLtD5qwLF8zBC66Yr5yxR+yKrZkj 605KZzK7EzvyflGlfbrqkfaNunPGPjPgS1hv5WDEdwf67mFkzyjtMHyB4TIqG6zfMEQ7696Db62u guLUgF9l75vkLo3JpcKfQVnf7jL1Oarg4P159PkrBJ5GZ11YrpO8kvQbPnCHxgU72rEppvk9Oa6S Vfhp5murv61ov4D3YtHmwlbLvNyOsnc7UbK6z5MRaYZ/xg1WjLpCZqvz3bXvYh7SfXCAQrbHt8Po 1TBUN7wzqu396fE5XWCbPbWtO+CWmAdiWQTO88B2dLVWnyfadWBwkxKfsGLDmLl5XkW3cowA6Vxc l9g3MUonilpi6pDQZG1P0oBzuhWvj6sMjbej8yz3nCVnh80+BuSrGZxNEfJGQtoNnwH3LKSGdWk3 f5bqnXJSi+kwIOdr2qmnv2Em7+/QqfOSboPUD3ZfYtKN0GNUflqRkaAd6fsE6WpJ/tjwMvDTzA/s Q55X/Sn+plg+RcgYAn2h29drTNMzek+y/ADmu8L+CL3P8IReLY6AsFWJSW7fi9lv9GsFfY3VTVQ2 NV6j75DUfsj7e2YUnipsAJB6PepbDqiztGunBZM9vlOL+chU2lXZbL5+EyWegfkZWlRvdQ9Sd6Ir PCLqJChv4/m2wSMQvnXQk6i/vr2c4f3+88JvpcXqvYSkJUK78b7QJvMW3MLoHuwtHb+R6kpW5q4D 5/9e+dEZwGW4wkfX/lod5x3HKXRCFGRBubj4R7J+lAAcVRH+0QlOME10cOZzfKThXUgEKubxYBJd AVeA+D+S+fOy0BmREUVEKUAi5gPRf+cW4D86xHB9CP0Mg4tafC436CAvr29ogadSO8Q5MU+T/eH0 lnn/HPFqTXa5rpWDqRDiCCHld3Vu9a3cr9T7VLfiVD5s/KkWDhv2qwIoZw/ad+xm+Noh3+2uOx9r lR9r0GvWdr8g91h3rURETIuNjKsr9v2W1peTwtmBc7Z2lRznm7FpycYKKy3czYDQ1Bq3bzcKDJnh nZsRsMyrjwNzjU1vu9XS/G9xLh8evmzNzGMH+sACbO+aVfYOUxBQuyx5JicW1f5+Qc7Xr0QXXaUS 3FVreE+yvqL7jcy/UefEW5h5qKxBEHKJPWKeqm/4FNea1uAnyLvKEflJZIozrxayd2m3zMuuYh7v spiYB1hNDij5iSY3uBN5gUnxyyyb5QAPK7hseBSMtNB6Xv2GSdnO0G2t+Y4s1eveNc8vg77ONZcN nxfcNlx761fN888q2wZunTcVl9ZtE1lba8gfSsFlljWAUNm02dJKuZfNluGzTHCt1Y8rUKvoQ+2W 4bNMcC1QjytQq+hT7VYBtEpuNU6PK1Ch6aM6rhqc5NrJN8zGclhKg/OvA+sC/7aqscAU0aQtbRAr wJ/TBGbq5GFVOIFfPAyF+sHa6L49tpuh9WLm/8TnGSxfly165BnFpWOuVrvKsCzoWwebVJlepTPK pV/hNg2ck+NvYYFL9jqX7FVLwBqf/0Y9KMRAnqoTEjOrDLtjPtwyropJC1HuRkM2mVXJrmhUp2SF oKiJMQsin1/RoKR4z30k28u9O9s/rvnLCI8wb4yvhfSe+SRhtvOwv0cd86qoT+6A4Wu8A2Oe/AfC SruT+uME5jG5UT6TtBZ0pjxHs7okQ5zpVXLMJLP9XLaNqJjPxbaO0WwuuGSeJ3x1L4iyyhHMoxLa cntTAmymaYxd2uZGWuYmhxbaqNjcmlIel+eV5ej5PMXjLA6Bq2Ie4QFRjCJHkop8+rY+uz/YbLL4 XNDYqped4RLma5LZ6VNA7WR3xw4ilmmmwoZD7CnmjbWciNhbo9nKXI8WQMjrRTL7BvNwP6/gHdEa GvfUj2T7DPM65nHHEue/lmQWjXAXMA++Pyvmu03YqkDVYFWNOOa14XHiq5XUDd5Ix8eV26pA1WBV jXCFYHi/SnwDHFXr0zbGIrH1SjyuQL2qv9XSzku5qlZCjVzILuvSi+XV3+mroN/i2lqjec1nq5h5 tWstMR8BdhnWHvMPuVfMPGxw+X4Wr3bVHSouXEgJLC3sF66kxfL9zCf1+orbkuDjmYU7XbJm7Deq 3X3SbA+Rn3+NdrEIRrn4xxtkapmmle0gXalQ5A/eiMAKUYKQZ3tut62F/0wuTwpUUn+HjKCL8egh yUWUq0t9BNSD4aFYl8zG9tAlc1sSsx7ehMSIgJU9vMAvwYT+efoaJs729pMwEvmqfB3fz8MMYcu+ Uc44JOaF+YJ+ca6jWAf9NRzBavwECSCghJPft8Tg7rZRAoscWJ+z1wmPb8KTucbpKQw4GDgwFDpk 6NaMWMF8mr3UHQqeCPEfOeYhKc78mSvtEeBzcKwx6wL4KNo5XuP8hnHMl9OYh0DXDejPuUbNlfZd 5uXmet1tSb1UwZwRqOAJABr8/clrh7lczZX2YeYHEzHG/qCUpu5LqF8itMWsxxVoUZZW9G19hlsv wWiJ0BZTH1egRdnGtrNsmyXHqK+FwjSFc1hope5Uq+0pTGnQgF/DFKjuvbMw3VRGYCWWWFViaOtg 5RMLjQ5UPPnQKqfEvFr0IkLqSuAVeqJ7RM3lqtrcRk31AumRhYYzL+QrLDh+zREjVcKxjgBOELi1 jPItHXYBbopZwiSaIcdt7JxhXi5RwosjI+qUbdaoR2PzJQ5bke25iUrwOA0oJjnboxtIbuCjWn+Y BRmPMZ8iPvnOYyOltc1XUJ84dEyNhUbRFni0HgBZIHeRryZVvBVG1QIqWUtK9eLBsE2X+mPy4SPc wEfu3zB4ddMVIEXZHnnGq1F6l5hX6Z1CHJOgTf18EQu6T2f7BGptYWQBvyVGKE8BB+FAgDYrCKr2 jtaG5WzPzm8W8uQavA0wCz6+0x0CX4dL0Isq2udke6WmuiWT1u4BVl3Oi5mnEn4rAY+173DTfJfs 1YqmHQpMBKsY8613HiX8lXbP2nYDU49y9SRXtOxRoJv6eDCav6j0TrMY5yt1A55jPnvn8RvMdwOf 6/go81MtSYVtta3VlseV26rA1sFaqdjcHpZiT/5sNtiHm4SAR9EkIK/FHAjzgSptocIHeT3ztwbc NvioE7wel1sDbhuUmR/oer47vcs40hbOCRRezUE9Pl2Ax+u5X/KsDW5AXV5WzW31tVcyH1Xu+HxJ cp3rM2kPKgLpo5hydwKrva1ovqn9O5m3hflQsVdlO67Ryy0ZzbMU+qjEy+dw8XYFEfgucBrd7l3G obYpj4WYvoj5P5z0jck/77FH2RqRfFvzdzHPwWgj3Ma8zPP4UaJAsprngXO+Ejin/+h25Gwez8P5 PI1mY36GvPNwPk+jM5iarcV5OJ+n0WzMB+RNBGeiqAGDdNfzNLoybLO2E4ebKMqZn4TAhZiJdE0U Ncnu8zQainnexsV5zdoJa/nbn5o2t0KwwUxZtWNetjtOoTFti8xbsQ9Y/cCQ1w5ynEId/qyPCdPW HnbweD4Pt+tc7LfHiqVO3zF2dZfjgD5OoWoooyiGaKeYp1OW6qKkA/rUmO3SOXBtt+OAPk6hWiTN RE4FOc08HMUXd0BLKUHgVC/O0jNwQ5/jgD5OoQYwqWngNxfz6Agx/9Ux/wvgFPF8l3EFbWk6x8fd hEBXnw/EzxOpQn388aGS3A43fE2Xn2B+FdrvAqcRhXcZt1nbzcM1UjfY/F3GvUvbQWoWd3csFwN8 rHhn/lhqFiv2W8zzFl4dwgkW6s18/N5ihPXec9NQVcOUmcfP6lVJOaUR1um4SsPPfiLmVWWn4p7N b4VFRNKlccdZfqeQZR5jXR5orSo78gCQC6+9G+4Uh+/S44Z5iB6oi4B8viJPH+oauKvTHRVYsQ0O QEcu42xPj4xCL7nS4264LhtO6XRlXCCZCmA0V9ormFd3WXNHhcS8OCn5K0336mFhdwn/brhdZi8Z p4Z5mTZhmsw/KnGJei1zEyd39dAnMi8zz1fE/A6THhvjjnkIcfzYEdzyxivwqba7sNlrWLq2x/Ep Gahj9zKB7dXxlNEumIfZkpmnsLFXaPo/xR7XoxaBO+Z5eo+el8yfUakdyNsdtmoYVWe0/4ccYipU WG159tfvkjeVq7krIq1arGa8drXvt7SGtiUY5sJz7UZYVaCPParfoCJOSdN+z3XqmUgpWckqW55s C/qbcZtaY02kAMNMe+YifZq0mUjFzEMQQLSnZ5DUPgaOolW2Zuaxgz2mPNOe07iaq89MpEQWsg2x jUcMpWBt3qXtOd/OoC50DjVtDZIk61/NMnPR+iVpi5in08SKeX7cL2cBLMXg6URcCfBR1Ih5mkWR dUgSlFGEkZn2/BLPqS0zkbqO+YR5ViaXIS5bI+P6wwwkbKY9znwtAow6JmKMYsrjcpPNztBtrfn2 HNVGfZ6v5SdqNzFISqLahmhv7fN8F/dtQF8OkRfVVktva612zajZRHO64PxmpxNQP0GH77F/Auon 6ODMP4GAM/8s6na9HWZjqtdaanh/RkWfqCBPrTOE6q6P7ufxuF0N4r/ql2ZXlzCcXYKly/J8v8Li cW19oobL0Kaa0OqG1UOf0TDaz2ORDSp19NgIfEYIlunxOpfsVUswKVyAq/r8KvRjqcr8R7ANhQtQ E1/EPnoPKpWPqFfyjnnKRMwHm6lUSwek9RWq6BPHURtknqRE4uRgozFgnjUN0QSqoa+Knny3SgHR IHV503lY1TKvivo4WdMV+lNwVJ5jux3JPIU1ZaiMty7n84kBonn+KuZVOGi2L5nnKZUSiXjFoys8 uW0EmZ0TQOlu4xPcrB1TsgdMaOpmmo5tnA5xFgf6aMIX5EAYgwdRRK+ILqGs0ta8DNaAFZMtMW9u TQgQj6jXYEln03lmoaNk9NBTKk6sZm09T4dOEEy3s7SZYVFexiw7VcJMB4rWx3HbWTrMQeksbebY lJNygp0n6LAO4VMln4D6CTqcyk+i1zSwpgkagO4EHQbU39t1GliRIFqd80JMm8Vt1YYgVwZN13rl 1R9sBvynGoFpYMXMh3U4Xcy6BW3bcAeX4S1V7lrdacZUw/fihtPAKjAPDkCVe3WuHmIUYziqedvC fv4WAH2OMptLXkzIPtVnUZ+EtRyMF4IxvLFt8ApT288W9qGZ9hTOJ4Vcsg+9N4+0mXmOf8wFKfNJ YZ/8RJX6aCZx5gdcbxnz/DkLldRtsb0Y84XCPgvymB8gnLsuZp5uWyeVd5XB4cY2ncw3qwIq7PNq gW/1U3Of53u9YBHzveoM9Ztly5ASr+k8C61ZckaAO0GHEf03950E1yQxQ8afoMOQAXs7T4Jrkpgh 20/QYciAV3Y+AfUTdHgleUNKW9T5IAqftIdKLt1gp9Z/NTx6ogwWa+Aopr6oTrVQRUed+VFaO/ND FHZ2NqirnbriSp1Zo+qMPsamdunQX5d35cwlXMUWkb916u7dRhBImIfYTWs3RKjQh8GeNscm2gVC 4uBibnR7zmN+hMHevlXZnhtJJqDPUHCUq2xPoa9u7EgznD60vs58L3sj/RLUMTLleohp/FHMA5fq sLpEdHpRN02reM58G4Nz8CrM8zYx6yCOgtz8qWZx8hf8Tb9kJeArvDa6p+N1le0hpuO1PSUFesoV Lgwk22NigMgPVKumJNCzfTfxkzp2ZY58p+zVmqZdOkyy/7ti+lCvJ7mmZZ8O3+VsjuUnoH6CDnPQ fJOUMBs//fMmwFzXgMBZTxVwUhyBH0fgwenxwaF/nNQq8xz+Kph+sNF+5n1aP8ON9jIPD5TwnxMQ 2EeEs34C36LDNua3DXQWvudq44Scy81izVZT7xP7YgK7xa9mvlsx77gYgVXMe6wvJm5Y/ArmfRk/ TMsGAbOZd9Y3kHbiELMd6UQbXSdHwBGIPvVwCYicx8RTlv9a8xQhlxzUX0MgnKNFT4F/41+BdHxU 9q8Z/YP2tN+BwYUA8FxmHgTDmWt+kQs/COWLTOpcxSOnyDySL5+fjR6opucROniPPvMiqM5UtWs1 3sk6IqCyvXyUIrxHvONnq+DjFSr8MQ94mWiGL/Uw39NHWNfzPCd8eBt8gj4wSzOC+Viusz6D9VYZ M1A3a3tcy7MnEfOFGd7M+a3Ke/sXI4Abgxdb8DbVZ8T6FJvb9xJThv2mkLHF3Dcxe7/Vzvr7Oeyy YGAJ3zWed9qLgPO7F+9zRkuZP2ZBdw5IP6mJx/xP0lphlDDvsV4B1y81oUKaB/8vsVpjC98xrWns bZ5AAB5IAiPLb35MCb6Bmqmnl5g30ussMZZUfCMZgi6QbkrRJ4D6uTHflY7fpe3ZzgLnU+oQ1Wdf /lJEahndJad35Fsl4yHwYYSJGC2B77LxQHV6no34Kdq13Kq6Zz4ikm+Kp6Oo1b+BQnOLy0T1vjM/ z2+AEzmWhgkgOqiGjxAmKuhde7glhDH1h4UD5QWZ3dW5tzC0HJFhoX+hDpdZNfIoZ34687ycQk9A 4og8fvS/8KkOuEofpouWZWaZpttJJtfPrGeh5DaY/PUj6OfZ/m1JimkIOggvijl7aAn5VAdcVR/q KaEe5LAPqXOxfC6aMw6PTFSjLhHz3+ZqvvUS0Tq2k1iU1M3uIrzqLwRREaqWBrnYzmYYzbYzP59u s24KBOn4pekX52KMV57ncXGg5mmVLWTVrxbwdNg1PhEvA1H80wPIKfNDz9xOYikonxZeu57CPC9Y 1XasR9eZr8dqQstqAm1BoLI60KCgfANBQydv6gg4Ao6AI+AIOAL3CMSzfbyes+83tdab/XtFoNLg P5MQuMUyWVXHyy0jobE1bBonmeJi5iIA22pd04PqCqznVd09DNvYmphnMe4Fc9kbkCZllEA4vpTq e22t5QPO6DWezgeYmt0V7t7j3K7KappjbIO5oa41ZwjKElTcm22Ay+tEIBfFf1OzYZ5lt7Xmj7bz POFLuE6a5nfD1Tet59XvaJ4PDdta4w14dVO/9nDQfDtd4g0CbQuwttY0pTgJ5yHQtv9qax1SRnuX 80ByjZYg0JhFlujwK0LfheW7tD3bR96F5bu0fS/zybzbd0hendFJsYCCoPq5nOud+XnedIElbeFk MGkcsaWZwxqNYRP/yA9mrl4fvnHmtzFPK259GL71kDyemodT/ebxk3RCX23onPl53F5Luon5i6PS oXLDRTuUw/VdfhcqPKadrQCqcmDwsyt9Pebn+UU/8/aofaC2dEheM589oc9na0NSKFvnzG9jfs4h +SQ3cArA0r1h/sI4Z34L8zIldx+Sp0o+ZXSY5+kVl5B4oB5sku1DzkZnfg/zo6MkOzYWeLVt8Hl+ FPe6/uuiyIRyrExUKqgt2K/Ttg6tX2r1Lizfpe3ZfvIuLN+lrTN/NgKunRy2g0W2LaiXog2u07tR K/5TrmdXfenF8uLQiZqOgC6/4Q5LjVFkHko42LLAvCrJlpiPzPG0Pp3fssA/esIpWiiwy9Y7UBuV 3GV/hszDLzmayQf0ISUg4SQdW1MX6iY7fXUFxvafZQjAFhsYwu02X1LUxadjg7+khXnmm+aCy9K9 GTXWA5VZZvjnBfPB+jLzOvIJrxLzHP+YC1Lmk7o/RnZc/XfmF/tmXcwnCwAKV91dp4DLmLdV4TTF 8BrC0/069gFbmOQ526sz9XoK1lHIiRqn8KQwz6fw6YvhjHRkG4eUj+rpeT6kf/85BYFnuHhm1FMw n6tHL5a9/ca0f2bUMZ1P7e1YnsqM6+UIOAKOwGIEsGhm62y0O8MNAC63ZQtOOwP16bi/ZT+W36gd buPUVdw+RE2pGLjYUhdvEZAKnt5hc3VeF/hwLwj7Ltta1QLplF3YGXKFUJX+uACgC72+ldvumJZ5 VcsV4ojq+ArqKuVcqvzEdSJIIew4ckuH/4Uust36Lw8IdVwIYS7gVGR73iaEf8ALH8miayyVCjqq sIO9oAmJ+DITu21X6VxFpmGCAlL2hCpEZQpAD0BX4lSPGUMcTAU/35nzmN/Nu75TJzN30CKZ1dMr whcFrZrYS3cCKfHHawXxKwIhvbIfnl8ZMYNlsrZXuNtkrW67c26ne36S7ROHUffuZWbRF9UsYXF2 5uf53Tos85Ibruaccp7hn5e0jvn8rqye+VzLhdp+zhPeheW7tD3bmd6F5bu0PZz5sMZCROU3XJU3 0Ai+zC3hjfQ6S4wlFd9IhqALeoizwXTt/BDNd33A0/JXuXfmnfmvIvBVuz3mv8q82+0IOAKOgCPg CDgCv4uAr/B+l1u3zBFwBBwBR8ARcAS+ioCv8Jz5ryLwVbs95p35ryLwVbs95p35ryLwVbs95p35 ryLgdjsCjoAj4Ag4Ao6AI/BrCPja/tcYdXscAUfAEXAEHAFHwBHwFd5XfcCZd+a/isBX7faYd+a/ isBX7faYP5/5zCOwkidd0UMNGx6BhYbPfpjW+Xi+R8NXReerlD3dB14F5quUfQHz6pGHd9rScwwp maft/7WI+ZG/M2/qp96TtGyzvzed+TuCGt4PYFYjes98Km3it89X69kAwGebEvN/TzrFb5nA7yCR K/KtJvytU6EpPJNef5ssfok9f1UJuBXGMPX5G5K68pfdX15RyeCzRE03nJnnBB6IMV9XIVc45vmS fg/+rb7EivJJ/7fPGx+abrwLpIkVohL5468xir+PTL59BEKe++SZtw3QU5KL5FMozTiQJ/llLso4 q6+U4chXAcsbe3EGYMVkBZ007FtRQtCJI8odzvwyso3gTMzHcz59jRkSTaELQY+vnC0k6/OsgZO8 yijsUVffPs/t9wDho7QuqZBzBRw50yQsPeFPArJWTDXg/CUIIHn6Nw1WK1Jrmbd7FQLO/0S6HMyJ YLooR+AXEaAvL+Ivl2cjcV+PmzyxXS/24N+eaF7oGfprwiMGhU/LrP5Ltv8vtP3bKhvmwyqed/NU y5NyPlf3qQ0EvKoUfhvMV1kvyR5rOraWm9Ts5IZNmAUk26tbeK8C4KvKhuBlznO1WarumXJ+uJgr ybfh6OuDNrwuWzeCKcuzqNCejWdug91GY75R2Ykw/aCoVjDVAp5uzKvI59jmCA/TOlTfVcyDSzQv 8luV/UG+5pn0HJjO/DwWeyQ9xTysFhpHb2zeg8d3+rwKzFcpe7oPvQrMVynrzE9EwJnfCGYMdrwu s+83tdZ1gTqLnPk6nKpa3YCZVNroXCYJN/0bW8Ner0pNaNTStkHsN5vWMI9H7QL0yLw6Za9u2kGl Bur2Fa2JeXPm74oGZ36ik16DifxBuGEFLnyaAnhVrxSScmqbupRaBwEkrKuwMxEGFxUhoE/TS302 4pKO1Zqz99etMXcj7ypJOAOHIJCLea7GqpiXaTiO+XJrdd/OHvM/xPZPq4Grb1rPq9/RPB8atrWm wznhdj3M+E2rvU8Ts9v4tgVWW+ueGzi77f/qeG0R2dY6pIz2Ll+l4nt2N6aR7wHUYvGrwHyVsi0s PNHWwXwC9cPHTCbe7gP15F4ZN8Nyn0Dhs/3jbkF7OEUK/9NSqP/CrZ3V/oJ53g1iDz+S+zjxdHtk xoF63LPLQXw8lBeSiD1978yfwnxUoZd7MSFY+V2M6sLh2qhhVPGXIcLe7nnLv66B5G1LHBJFR2nl oxTlA/VagO2HJVx0IqjrOfcPu14U7XILhqPdHrfW8W/COJMctGxT/k8WfAYE94mJPnEBJpfThw/U c8yHkC49VydYJfuHjJHO/B7mR0dJNwdmb1DeHxQHduZHOVH9l4F5faA+qhVUzu3LlJ0I6GtEvQrM Vyl7ugu8CsxXKevMT0TAmV8BJq7HuCRjjjiXIJc9f1iX52u26np205ZeLO3tnPkFzOvqG4jXMBeZ D/5C7xaYVwXZEvORQdeONtH6L4sS1qC4/refhj21OjcfF9xld4bMwy/6oLzqCi6EhJN0bE1d5PP1 mSvmdJ7H/ERXleweFeniM/UwGyRhLUfmhWBMGbFo5QIZ4TjbKE/hfOKETyQ8FsUH6yk8Vd0OGePi m6kG5Jnn+MdckN6yScr+5CeUcVABcYiF1n9ZNEd0mXlJ8QIUtL64FYfrhWyLQtnf5h5nfq1bQsDB JE/nn3GGxclZpmDNBTFP99uTsjyfwucW2N2sCmBIOXWvZn5nfi3zrdJ95m1F7FfaO/O/wuRL7HCH m0jUq8B8lbITSVoiysFcAutrhNI6npbYXDnjRX/4B91VJ3eB2l54B0zFBuo0D1yOu8oCn97HFrLI R7nx01leA+lLFCUmbP2GS/LyNu6/kOdAKpDFDHJBQPZjUiPQzXn7GNX2eDDp5olpmR9Z5ol/XaKh 2ruQLVt1004SAAY71QfQNwKfMB6nDk4ZySgozalfRT0Ub6Wgksn2lNdVbofknmZ75kkyAdVpFJM8 BXByMBpQSy1+lfkflqvSuYlGDEb7Ns/q4AQRNcpD0AMktPFJOpxTeAkA5TtJF3jfUE8hH2Znpek2 29sb6sKJDk4KfcO88pDIAew75lYdV4tRpMwEeiUgK8GVOHxJNiZkXI2HxVqc1yEAAy92JRdle07f eJ1mEOnK2Z8cQcYK8w0tF8n14KyATgVfomaxrTwnLxwnP0b26nXTHcouxOEs0VvArCf5uuUWZc/i Z502rwLzVcqu42yO5FeB+Spl5/CzTgqsrOz+C6/JdVWcpfdAI+4oXfAN1DgRRSMlHareWIeDS3YE HAFHwBFwBBwBR8ARcAQcAUfAEXAEHAFHwBFwBBwBR8ARcAQcAUfg9QioM3R8pFZO4b/ePDegiECe ebph58D9LgLm2CQc5ZNTdX5b/XeJp+PU6lk50WnbH7b926Yxz3hwV5688Q8Xj/kfdg5n/ofJvTSN Vnjht3xSi//6Ki7fsdsT+3e41pZWPqb+m+C41Y6AI+AIOAKOgCPgCDgCjoAj4Ag4Ao6AI+AIOAKO gCPgCDgCzyHwfx2dNnQF3dVEAAAAAElFTkSuQmCC ------=_NextPart_01C3F7CC.6A53C610 Content-Location: file:///C:/E567E524/SecurityScenarios-0.15-WGD_files/image003.jpg Content-Transfer-Encoding: base64 Content-Type: image/jpeg /9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0a HBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/wAALCAIsAhwBAREA/8QAHwAAAQUBAQEB AQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1Fh ByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZ WmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXG x8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/9oACAEBAAA/APf6KKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK KKKKK8+8UeNtS0DUvESlIF06y02OSG5ZSTFcvv2K47qxXGexwO/Gvb+MxJdwLJYSCymu/sC3m8c3 AJUrs6gZVhn2p/ivUdYtJ7WHTN6xurPI9vbrcTZBAA8osPk5OWzwQo71mL8SrRbq3tlt2vjsiaee zVyuZACpRdpLDBB6jFXZPHHl2F1qh0qY6XEk5huRMmZWiDFl2E5XmNwDz0HrUmseMxpd7b2UOmTX VzcxwPEgkVATK5QAk9MYzVCXxZqx1mytLax8xJNYaxuQ7ovlgW4kKr/exknd/skdxWtpXiyDVtVX TYrWVblBKbkMwxCY3MZAP8XzAjj610VFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFZ1/pukPBfzahbWphuIQt484G141BxvJ4wMn6Zqp9g8PQOfEcdrBI3lhxdW8ZlL LgYKhM54xyBmm6tDout6CdRvdNkvreGNp0jNu4mOAchUIDZOOnfiqGl6fZeKLNL7UfDZ065j+SDz O6DlGUDBx04ZQR0xUEWg32i6jLfDSNP1h5Bh7lcQT7cfNlMFGY9sbOnPXNR6cvguwusz6XFot6XR wmoII2LKcptckoxBOcKxIzyBXTTaDpN0weWwgdhdC8B28+eAFEn+9gAZ9Kj0fQo9Knu7p7h7q8u3 DTTuqrnHAAVQAOPTqeTzWtRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR TXkSIAyOqAnALHHNUNS1u00uSOKZbmaaQFlitbd5n2jqxVASBkgZ9xTtSv7uySJrTSbnUC5O5YZI 0KfXey/pRff2pNaRDTjbW07kGR7pTJ5Qxn7qkbjnj7wHfnGClzp81/pkVrdXsqP8vnSWZMJkx1AO Sygn0OferEllby2qW88SzRJtIWX5+VIIJz1IIBz61X0++/tO1lMVrd2cYOyNp4vKY8dQjcjB9QM4 7ipdOsW0+2MT3dzdyMxd5rhwWY/QABRwOAAP1q3RTJYYp0KTRpIp4IdQRWEfCNlbc6NcXOjE8Mti VEbev7tgyZ6fNt3cAZxR53ibTeZre11iI/8APoBbyr6fK7FW9zuX6VLbeKtNmuUtbnz9PunyEivo mhLkD5ghbh8dypI6eoraVldQyMGUjIIOQaWiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii iiiiiiis6XXtMh1ePSnvE+3SfdhAJPTPJAwOB3pxvrk6wtnHp0zW4XMl2zBUU4yAAeW98dKWeXU/ 7Ugit7e3+xAbp5pZCGPXhFA6jAznA5ovLG4ur22lXUZ7eCE72hhCjzWz0ZiD8uM8DH1p17pdjqMs El7ax3BgJaMSjcqnjnaeM8cHGR2q5RQTgZqjpl7c38Mktxp01ku/90szKWdOzED7v0PNGn6YthJc SG6urmWdtzPcSbtoGcKoAAAGT2z6k1eooooooqG6tLa+tntru3iuIH+/FKgdW5zyDweaxX8J21sx m0a6uNLn6gQuXhPoDEx2hfZdv1pn2vxLpXy3VjFq8I/5eLRhFIAOSWjY4J54Ck5x2zVi08WaTcyG GeZ7C4HJgvl8h8Hp97g59jW3RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRUEF5a3Us0Vv cwyyQNslWOQMY29GA6H2NQWOprf3NzHHaXUccDbRPLHsSU8g7MnJwRjkD2yOai0671a4uZU1DSob SFR+7kS780vz3G0Y496LSz1VNSlubvVFkt23BLSOBVRBn5Tu+8Tgc84yT7UkPh/T4tXfVSkkl8xO JZJWbaCMbQM4A9sVpLGiM7IiqXO5iBjccYyfXgD8qdRRRUazwvNJCkqNLGAXQMCyg9MjtnB/Kqtn Lqct5c/a7a3gtUO2DbKXeTn754AUEY+Xk9eaTTtItNLad4BI0tw26aWWQuznnGSfTOKv0UUUUUUU UUUVXu7G0v4xHeWsNwinIWWMMAfUZrE/4RJLHnQdRutKzw0aHzYj6nY+Ru4HPoKX7f4k0zm/06HU of7+m/LIvplHOG+oYY9KtWPifSr+5W0E7294TgW11G0Llu6ruADkYOdpI/Stiiiiiiiiiiiiiiii iiiiiiiiiiiiiiiiikZgqlmIAHJJ7VXu9QtbKxe8nmAgQcsPmyScAADqSeAByScVBFqn2rSnvbOz upWAOyCWIwSMR2xJtx9TS2b6rNYSm8t7S0vORGIpWnQccE5VD17frUllHfrZbNQuYJLk5/e20JjU DthWZufxpNN08abbtF9qurlnbe8lzMXYseuM8KP9kYA7AVLaWVrYQiG0t4oIx0WNQo/Sp6KKKKKK rJqNlJqElgl1C15GnmPAHBdVzjJHUCo7NtTe7uDeR2sVsDtgWJ2d2GfvMSABkY+UA4x1OafY6bZa bHIllaw26yOZHEaBdzHqT71aooooooooooooooooqtfadZanbNb31rDcwtwUlQMP1+lZH/CNS2P/ ACA9VubCNeVtWAmt89htblV9kZaP7S1/Tfl1DShqEY/5edNIHHctE7ZGOwVnJweBwKt2HiPS9Rka GK4MVwo3Nb3MbQyqPUo4DY98Vq0UUUUUUUUUUUUUUUUUUVUbU7JdVTSzcxi+eLzlgz8xTON30zxV dPEOkyawdJS9Q34JBgwc8DJ7Y6VKus6e2rtpK3SG+Vd7Q4OQMA59O4obWNPTV00prlRfOm9YcHJX nnpjsail8Q6TDq66TJeot+xAEJBycjI7Y6UXfiHSbHU4tOub1I7yXbsiIOW3HA7etGo+IdJ0m6it r+9SCaYZjRgctzjsPWoNf8S22gm0gaJ7i9vJPLtrdON592PyqOepI5IHeovEOvxaakNouoWtjfXG NhuUZwqk4JAX7xz2yB70ut3NtFDYWF7rs+n3c7AJLahVaZhgEYZWABJHH05pdXbRrPS7Sy1+6M8L sqqbrnz2H98KAG9wRg+lWrm80fwxpsQlNvp9krbI1SPagJycAKOO5p2p69pWi28M+pX0VrDMcI8h wCfr2qzfXsGm6fc31yxW3tommlYDOFUEk4+gqgniXTZNPW6SUl2jDragfvzkZC+X97d7danGrIdG /tL7FfbcZ+z/AGdvP64+519/pSQauk+kyagLK/RUDHyJLZlmOPROp9qWx1dL6wmu1sr+ERZzFcW7 RyNgZ+VTyfb3qTT9RXULL7UttdwDJHl3MJjfj/ZPNM07VotQtHuTb3VmivsIvITCxPHIDducUllq 8V7HcSG2u7VYGwxu4DEG91z1HvUema5FqfnH7Ff2iwgFmvbZoQRz0LdcY5pdN1uPU7qWBLHUIPLG fMuLZo0fnHyseDVLSbzVb3Xb4XDvFaQEosDWDxhuSAyysfn4GThe/XubdrqNimp3lklnLasmZpZp IPLjlPALBujduada60l1qctiLDUY2j3fvpbVlibBxw54Oe3rTf7dhGqSWL2d/GIwxa5ktmWAADJP mHjFPttat7vUTaW8NzImzcLpYibdvYSDgntj1BqR9UVNXTTvsl6Wdd3niBjCOCcF+gPHT6VFLrlr HqsOnpHcTSSEqZIY98cZHUOw+6R6H1FLPrdvba3baVJb3gluc+XMLdjCSFLYLjgHCnrWlRRRRRRR RRRRRRRRVS/0rT9ViWPUbG2u0Q7lWeJXCn1GRwfesk+Gp7EZ0PWLqyz96K5LXcR9Th23A9OjY46c 0h1bXdM51XSFuoP+e2lsZWHYZjIDZP8As5A7mr2neItL1OUwW9yBcrgPBKpjkU/3SrY5GDkdq1KK KKKKKKKKKKKKKKKy0n04+KprdYiNUFlG7ybesJdwoz/vBjj3rUorjfFgtjr1j/bS3LaF9mk3CISF ftO5NmRH82dvme3Xviq+s6zqunCzht5byztvsYkikntTcS3E+SPJfGdpwF5/2uvFR22r+KyJ9TuC yJFqEFr/AGZ9k42OIg7b/vHaZHORx8n1rNh8WeIm1dZfPlmsYrpftQisCY0gydxyVDjHGMbia2G8 RavqGgapd6cZEb+1orWzlNm2RAzQhn2MATjdJyeOPasjU/EvjLT4lMMLXQe6ntJG+y7PJjhOPtHQ 53dcYI9M1d8P614m1q/06CW6WC3AnkmmS1LGYI0W1WLKoQkO/Qdh716FRWdr14un6Hd3bWL3yxJk 2yLuMnPQDvU2p3VtY6TeXl4u61ggeWZdu7KKpLDHfgHiuD1/w7PqPiqx1TSLAww3EFuJLy3jjSRF MwLkEjIbZ364p2tR+KrHxPbnSU1KaASQLueXzYmTKq7EZAU7dxwQTnnuBT7Kz8VafYWFy91qs1xc xT/b0kKTGAhWMflocDJOBjNY8k/iGz06zF6+vx/atTjgIim/fyJ5UrFUVicchSTnnHtzqOnin7PB 9rGsmx/eeQLRkF0DuHl+eScY25zjviqeseHvE+raBqsuqXGpvepNamK1sp1WKQKIWkKL7OJCMkci uy8V2VxqPgbUrK2hkmnmtCiRNjexI6HtmuU1LQ/E1zoFyRdapJc3tzdW81s067Etj5vllR/DnEQz 1wx9apyweNLSLTEsxqEVrDaQrCpTzHSQD5/OUMAwzjAz0qPUNb1eTXPstpf6m+rm8njaKB0+zeUE k8v5D8wPEeWIA3Z5wRm9rXh3XrrQJ7HfqN0ZtBl8xnlQyNdFkPl7sdDhhjpjNWNQ1XULPUobO3v7 n7F9liurtJHD3NskakyhiM7GZfKwD9478V0PiJJNd8L2txYRPPE8ttdtDxulhDq7Lg8ElQRtPBzi sW7hvfIhl03RdT0rS5JXNzBYbI7p2CqEYKDtRchsgHng96rx2HjGW21C8ubrUEvrWxjaxghlURTT fvDh1/iOBGGzgdaXwz4f1nR9RtisU+yW81Ge4e5KPksR5TEjn5sZ4rsP7QvbNtKtr22E1zeStFLJ ag+VFhGfcc84O0Dnua1aKKKKKKKKKKKK5rx/k+DrpQzqHntkYoxUlTPGCMjnkEil/wCEC8Nf9A9v /AmX/wCKo/4QLw1/0D2/8CZf/iqP+EC8Nf8AQPb/AMCZf/iqyvEfgnQrXw/dzWsAtZlUYmkuJiFG 4A9G44yN38OcnpXDBNH03TXMWnT3kj3Cx+dNqD3MMOVZs+crqGB24xkbSR1zTtPXTdVt7rWLnw5p 32HS7uO1ZWu5ZJyXEY3xsHKqCXBxknAweabd/wBmDU7G5Wwt2gVrpn0m3vJjeMI4pCFkXf3Kgjj0 qSzks7+OOCDRLE3U13DbxzNeS+WN4c4KrKzZGzrwDn2r0iPwF4d8pPN0/wDebRu23M2M98fN0p3/ AAgXhr/oHt/4Ey//ABVH/CBeGv8AoHt/4Ey//FUf8IF4a/6B7f8AgTL/APFVB4HgS0TX7SHeILfV pI4kaRn2L5cZwCxJxkn866uiiiiiiiiiqC3kh1+Sy+wuI1tUlF5j5WJZh5fTqMZ6/wAVXyQBk9K5 aDx3pjzXBuVe2tEUvb3LfMtwgfYWUDr82CMZ+VlbjOKm1PxlYab4m0/Qdk013dShH8uJyIQyOykk KRyUIxngZJ4FN03xrpt7dXNrcCWzlgu5rUNLG4icxsRxKVCZIBO3OevpQ/j7w4jxR/a52lmYrDGt nMzzYBJMahcuuBncuR055FR3njrToNQ021gSWdb2Od/N8t1WExDJV/lO05yCDgrjkVcPi3SYoLR5 5yGuIEnbyYpJUiRhkM7BfkXrgtt4B9DjO1f4iaPpmlXV2iXU0sKhlt3tZYml5AO3cnIGckjOPxrS XxTp6291PPJtSG5FsqRpI8rsUV9vl7d27DZKgHAGfXEUnjbQY3iT7TO7yRmTZHaSuY1DbTvAU7MH ghsYrehmjuIY5oZFkikUOjochlIyCD3FVNZm1C30i5l0q3S5vlTMMMhwrtnoTkfzpdYvV0zRL+/a HzltraSYxZxvCqTt/HGKntJhc2UE4TYJI1cL6ZGcVNXJ+KfGTaNa6mmnafNe3djErzMAoigLDK78 sGII5+UGoZPiT4eGoXFqTI5tzLh18ttzxqxdQu7eCNrjLKBx15GYdQ+IMkC6elvol8tzdTwYgnEe TBI4UuCsmM5IABPU8jHNXpvGsFloyajcW8s0TXU9uXjMUIQxyMgB8yQddp6E5wTgdKztM+IP9qWq 3drEs8M15dw2qQx5aZIoy45ZgFbg+xx261c0/wAd2/8Awj2m3+r2s1nPeWK3aoFBEhyqlUwx7umN 2OHHPXGv4j1efR/CWo6vBCvn21q86xTcjcFzhtp/ka52z8WXFs32m+0p7x7iWO3t7i0sGtXlkYMT HsnYHgJndnByB1BrUtvGtnd+U0VhfmO5V/skhVMXLIpZkT58ggK33go+U89Kh1HxfpUFk11ZAStP axXTSi33DyncIm8EqSTlgB2wc+6at4y+xzLBp2nTTxR6hDY3F0QohiLOqsuNwbIDDGFIyRVNPito M91BbWkN3dz3Unl2kcBiZrjqcgb/AJBgZ+faeenWu3jYvEjlGQsASjYyvsccU6s3Ub29ttS0mC2t vNguZ2juZNpPlII3YNkcD5lUc+taVFFFFFFFFFFFFc14+/5FCf8A6+bX/wBKI66WsnWPEVhoc1tF eNIGuCcbE3bFBVSze250Hr83TAJE93rel2VjPe3GoW0dvbuY5ZGlUKrj+EnPDcjj3rHXx54dks9I uZryOG11aB5YZZ3RUG3buRiTgN82Mc9D6VpzX2g2qwWU1zp8S3XzQwO6AS+6r37Vl3XjHwjpuj3F 5FqGnTWsLxiRLWSNuXbA4Bx7/QH0q++raJa3F1c3ElnbCBY2e7kkjUESA7ec5Gcd8Z7ZpP7W8M2U luv27S4HulWSECSNTKDwrL698Go9N8XaVq17La2UolkivHs3xInDqhYkDdkggHGATweMAmrn/CRa L/pf/E2sf9D/AOPn/SF/c84+fn5eeOasWGp2Oq2/2jT7y3u4Q23zIJA659MirVcz4Q/4+vE3/YZl /wDRcVdNRRRRRRRRRVFX1H+3ZEaKL+zBbKUkz85m3NuHXpt29u5qzcRGe2lhWWSEupUSR43LnuMg jP1FclP4G8GRw29vFb2li0amENA6pJIuRlWPVuVU885H1qUeEbC21m31C617UJNR8+OWOSeWIM+x XTZgIAVIlYHAzyORVqTw1o0yf2c9w7EXz6iYvOG4u5YkEYzt+c/pzWTpfgPwzouu2F9bX22e2Zvs 0P8Ao6feUpjKoHYYJHLHkc5NaNx4T0f7XCrX08Mxnup1QTIDJ9oz5i4I5HpjketKvhfTVmjt7PVL u2kitYrW4jt50DzxRjCB8qSMBjyu0/N16YyZfh54Znv5WbU5xNcRPGqrNFvw+Mnds3ueBguW/Gtm Twzpgd4P7RuI9Qluvt0cwlTzkl8sRFlBXGCikHKkcnp2LbwvpGmXM8hupftFxayQzNLKoMgdyzyE YHzFj1GB7Vt6dYxaZplpYQFjDawpDGXOTtVQBn3wKi1mHULjSLmHSrlLa+ZMQzOMqjZ6kYP8qXWL 1tM0S/v0h85ra2kmEWcbyqk7fxxip7SY3FnBOU2GSNXK+mRnFTVi6r4U0bWpnlvbaRmkULL5VxJE JQOm8IwD4980ybwlojTXFw8EqLMriWNbqVISGBD5jDBOQSTx1OevNNOheHdft7e6SNLiOONIoZoZ 3G1UcMoBUgghlB9eKiv9L8MRwGzumS3Fu5uDtuXieMzyHncrBgHfPGcEj2FWNN8HaDpEFtDZWAij tpJJYgZXba8ilXOSSTkEjmqp8F2QfS7aNlTStNGYbVlMjk5+6ZHYkx/d+THVV54AqSxtdNl0D/hH 7/Uv7U3tLaTNI53SNyzISDkEKfXoK2bvT7W+NsbmISG1mE8OSRtcAgHjrwx6+tZCab4c0XVGuAEh uUie4WNpnKxJnDukZJVPvYJUD73vUsXhPQorTULaOwUQajc/a7pfMb95LkNu68cqOBgcUt14T0a8 1Bb2a1fzRMs5VJ5EjaRSCHaMMFZsgckHoKii8GaFDfQXaWsoe3l86FPtUvlRtzgrHu2DGTgAYFb9 FZuo3V/BqWkxWlv5lvPOyXb7SfLQRuQc9vmCj8a0qKKKKKKKKKKKK5rx9/yKE/8A182v/pRHXS1z Gq+CLDXdRvrzUbm7LXNuLVVtp3gCRjd12t85y7HJ46DHHOevgK6WCOzGtRmy+2JezRmz+d5FIPDb 8KDtHGD35rS0nwm2nroHn3y3DaRaS2qkQBBKrbACRk4ICD65PSueuPhSklr5EertiS3+z3AljkKS KCxHypKg6MQc7s+1aN98Pku9D0jTo9R8ptNsvsqy/Zw285iIYrkf88umf4utW7vwfLPrUmsw6ksV /mJoy1tvjVljeNsruBYEOcDIwcdaq6z4EudW0xLRdbaAlZBNsgKIzSElmVY3THJPDFuMd8ky6X4G /s2+t5jqPmRQXbXSR+QFOWt/JYE5/wCBdPaq0vw7NxYQ2M2rZt7OD7PZBbYBkj3IT5h3fvDiNRnC 9ziuls9HWz13UtTWbP22OFPK24CeXu5z3zv/AErTrmfCH/H14m/7DMv/AKLirpqKKKKKKKKKorbX o16S6N2DYNbLGttj7soZiXz7gqPwqHxL9v8A+EY1T+y/M/tD7LJ9n8vG7zNp24z3zXmuvaKb/UoJ 9CsjLZSaUsEM0NglyFm8xydxcho2yQS3XPXkVtjSLizvsaxoU2sNNp9rb27JiQQyorCQl2OY8ll+ ccnGe1Si0jufGsQHh6/sora53i9SAFrmTnJaXdkRDpt7+wArhLbQdU1C3uXsLOQtdWrQWtythHMq yie4H+tYgw4LL8wHHXtXey6Y8PiO/bUNAm1Nro25s51AIgCxqrAyE5j+YE8devei20yY+NbWa30W Wzjgkke4cxqobKv8/nglpc7l/dngdeqCvP8ASvD2rX+mRPYWcoe6tLT7NcrZIy/Kig/vyd0WMEcD +deiR6cYfEmoC+8PzX1zc363FpehV2wwhUGPNJymCjnaOucfxVj3Hh7W7bxJpuo68uk3doPtB1C9 O8ARsmNpDcKvYKOM9eea7Pwd9r/4Ra1+2eb5m6XZ5v3vK8xvLznn7mzrz681c16zTUNCu7SS+exS VNpuUbaY+eoPap9SnubbS7uezt/tF1FA7ww5x5jhSVXPucCprd5JLaJ5Y/LlZAXT+6ccipKKxfFW n3+r6BNpmnyJFJdssUkz4Ijjzl8r/FkArj/arl7fwz4k0LWFu7WWLUbaOY3HkRkWodmjMbKV5HUh 8n+761jDwFrdy+pzXVgnn6lGu93v2fy8XjSFD/2zKgEYwV4xmtXWvCOvD7Va6PMy6Ss0UkdobgsZ BsIcbmOR8+1uW7Ulp4O1meCWXUJLhrqHTfLsS94QYrgPKy8IdpABjAJzwOc4p/h3wlrWk6nG5UQx m/muZ5Fu2fzg9uVBKnuJDnH49qfZ+GdZWzuoJbMC5NuUnuJdQkZL+Xj95sB+TkMcZGN2Oma5ex8A +LIta1W9a2MYn0uS1s3+3kNBKR97AJ4PTrx1rsdX0DW7nX5J4AzM7xNa3ouigskULvQx9H3EOc/7 ftS6D4W1LSZ9Iu9zLcmec6mzXTyCSNhIUADEjgmPoB0rt6KKo3v9o/btO+x+V9m85vtm/wC95exs bffft/DNXqKKKKKKKKKKKK5rx9/yKE//AF82v/pRHXS0UVwHjoOmsW8rPNKPKAgt/wB8gMgY/wCq eLjzD8o+f5RhfeqEWpeJf7Xj17+zr7+zYrhICXnGPsuAru0eNxIJ3EgdU44NaOpRahaav4qkkvbu aN9C82JjlY4mzNhUxwCAFyep61j6XJMmu6ZI73V3cSCBhkzJLHGVXO0/6pogMkk/MRu74qy2peIV 1htduLO9h0me4kgeZJgVS0wVjlEWN4OV3jjOZDngDF/wPc2F5rV3Nps15Db+UR9luRMXmO4fvnMg wp7BV7MSe2O9oormfCH/AB9eJv8AsMy/+i4q6aiiiiiiiiis2fRLefW4dWM13HcRRiLbHcMsbqCS AyA4blj1pLrRY7rU4r5r7UY2j24hiunSJsHPKA4Oe/rT5dIhl1GG8W4u4TFk+TDOyROSSSWQcMee 9OvdLS9u7a4a6vYTbtuCQXDRo/IOHUcMOO/vUeoaLHqN1FcPfahAYgAEtrp4kbnPzKDg03UtCh1H yh9rv7RYs4WyuWhBzzyF6/8A1zSatpQvmtZZNUvrOC03O628/lCXgffPXAxnr9alv7GDW7KILe3U URIkSWyuTGXGOPmU8jnP5U3UNGh1C3hg+1XtqkX3fsdw0JP129adfaSl9YRWjXl9CsWMSQXLRyNg Y+Zhyf8AGn6jpsep2Bs5ZrmNDjLQylHOPcU6409bjTPsJuLpF2qvmxzMsvGOd45zxye9Vb/w/Z6n oQ0e8kupbUhVcmdt8gBzhmzk57+tW9SluodLu5bGFZ7xIXaCJjgPIFJVSfc4FTW7SvbRNOgSUoC6 jorY5H51JRRRRXJeNdU1Wxu9EtNLkuUa8nkSQWkMUkrKsbMNolIXqOfas3TfFer3cel7zDFJJBqQ kW6AQF7d1RGkK5C9y23jk44ArOvfE3iCzsRC17di+uJLcpG1pblyjzKjGAq2xl+bA34PIPrW89/4 otPB2pXboguoVkeCW+VVlWNULFpEjyhbcCAAcEYJ5yK6XR7iS80SwuZjmWa3jkc4xklQT/OrtFFF FUb1NRa+042ckS2yzMbxXHLR7GwF4679p+mavUUUUUUUUUUUUVk+JdIl1zQZ7CCdIJneKRJJELKC kiuMgEEg7cde9U/J8Z/8/wBoP/gHN/8AHaPJ8Z/8/wBoP/gHN/8AHaPJ8Z/8/wBoP/gHN/8AHaPJ 8Z/8/wBoP/gHN/8AHaRo/GKqWa/0AAdSbOb/AOO1gvq3i3Wg1rpf/CP6raSAxzXPkSrbFTwyh/MO 84PQAjqCQQRUk2oeNNFbyLq30eLTowEhuLSynnVVAwAyK+5ewGAw9SK07K58T6lbLc2OseG7mBs7 ZYbaV1ODg8iX1qx5PjP/AJ/tB/8AAOb/AOO0eT4z/wCf7Qf/AADm/wDjtHk+M/8An+0H/wAA5v8A 47R5PjP/AJ/tB/8AAOb/AOO1P4b0e70mHUGvrmCe5vbx7pzBGURcqq4AJJ/h9e9bdFFFFFFFFFFF FFFFBGRg9KyLZ7HQrqy0S3tpYYZxK8T8mMPu3FMk53HczAein0rXoooopkwkaGQQuqSlSEZl3BTj gkZGR7ZFV7GK/jstl9dQT3XP72GAxr7fKWb+dR2cOqx2EqXt9az3Zz5csVqY0XjjKlyTz7jPtRp0 OqxQyjUr61uZSf3bQWpiC/UF2z+YpumQavCZf7Uv7S6Bx5f2e0aHb65y7Z7elSafFqUQm/tG8trn LZj8i3MW1fQ5dsn34osodSjublr28tp4GbMCRW5jaMZPDEu27jHOB0qldaENWu5Brcem6hYK262t 5LLLRN0yWZiDxkcKKLHR7u21FHmk0x7KBHjtYYbAxvChx8ofeRjAAICjOBVbSfCsem396zLpsllP OLiKGPT1jeNwQVy4OG2kEg7QcnrWm1pfTX84uLi0l0uSMp9lNsd/IwcuXwR14296VLW+i1CLybm1 j0uOMILUWx3jAwMPvwB0429qa8GsHVhKmoWi6dkZtzaMZCMc/vPMx15+7Rcwaw+pRyW2oWkViNvm QPaM8jc84fzABn/dOPepJ4tSbUYJLe8to7JR++he3LO556PvAXt/CaLyHUpLu2azvLaG3Vv38ctu ZGkGRwrBxt4z2NZn9o6lqWs6hYWE1tZjTp40kaeEzGdWjV8qAy7cbiM89K07m3v5dSspYL9YbSIs biDyQzT5UhRvJ+UAnPA5wKu0UUUUUUUUUUUUUUUVgS+JUu5ntNCh/tK6RijuCVt4iOoeUAgEf3Rl uRxjmkHh2XUmD+IbtNQTqLJYglsp7EqclyPVjjuADW+qqihUUKo6ADApax7zwxpl3ctdJHLaXbY3 T2crQO+Bxu2kb8dg2R7VX/4qPSOya3aj0Kw3I/PEb+5+TAHQmrFl4p0i+uRardeReYybW6UwzKPd GwfQj1zWxRRRRRRRRRRRRRRRRRRRUdx5wt5Ps4jM+0+WJCQu7HGcc4zUOm3U17ptvc3FpJaTSoGe 3lILRn0OKtUUUUUUUUUUUUVl6Np91p51H7VdGf7ReyXEXJPlxtjCc+mD045rUoooooqobWxTVvtp SNb6WHyQ5b5mjUlsAegLE/jVuiiiiiiiiiiiiiiisS+8S2sNy1jp6HUtSGf9Ft2Hy4ODvf7qYx3O enHNV/7Dv9YJk1+6KxHgWFlKyRY9XbhmPToQOO9dBFFHBCkMMaRxIoVEQYVQOgAHQU+iiiiq19p9 nqVsbe9toriEnOyVQwB7Eeh9+tYx0PVNK50LUt0Q6WWoFpIx/uyffXued2TjpQviaTT2EXiCwksT naLqPMtu56Z3DlcnOAwHHWt6CeG5hWaCVJYnGVeNgyn6EVJRRRRRRRRRRRRRRRRRVB11JdcjdHif TGgKuh4dJAchs9wRxjjGM1foooooooooooorL0a31G3Oo/2jOJfMvZJLb5s7ITjavTjHPFalFFFF FVLqGw+22l3dLALmMtFbSSEBgXHKrnuQvT2q3RRRRRRVS/1TT9LRH1C/tbRHOFa4mWMMfQZIzVH/ AIS/wz/0MWkf+Bsf/wAVR/wl/hn/AKGLSf8AwNj/APiqP+Ev8M/9DFpH/gbH/wDFUf8ACX+Gf+hi 0n/wNj/+Ko/4S/wz/wBDFpH/AIGx/wDxVH/CX+Gf+hi0n/wNj/8Aiqz9T+InhXTBGp1mzuZ5c+VD bTo7PjGedwVev8RHtWYdbsNb/wCQz4q0a1sW+9p9rex5df7skm7J9wuAenNbVl4g8HabbC3sta0S CEfwx3cQBOMZPPJ4HJqz/wAJf4Z/6GLSP/A2P/4qj/hL/DP/AEMWk/8AgbH/APFUf8Jf4Z/6GLSf /A2P/wCKo/4S/wAM/wDQxaT/AOBsf/xVaNlf2epW/wBosbuC6hyV8yCQOuR2yDiqM3inw9bzvDPr 2lxSxsVdHvI1ZSOoIJ4NM/4S/wAM/wDQxaT/AOBsf/xVH/CX+Gf+hi0n/wADY/8A4qj/AIS/wz/0 MWk/+Bsf/wAVSN4u8MMpVvEOkEEYIN7Fz/49WDM3gwTNcab4pstLnY7ibPUY0jZh90tHnawHpjBy aavjuHSflv8AVtH1S2X/AJebK8iWUD1eMtg+pKkey1tWfjrwpfWsdzB4j0wxSDK77lEb05ViCPxF T/8ACX+Gf+hi0n/wNj/+Ko/4S/wz/wBDFpP/AIGx/wDxVH/CX+Gf+hi0n/wNj/8AiqP+Ev8ADP8A 0MWkf+Bsf/xVH/CX+Gf+hi0n/wADY/8A4qj/AIS/wz/0MWkf+Bsf/wAVU9n4h0XUbgW9jrGn3U5B IjguUdiB14BzWlRRRRRRRRVe/tTe2E9ss0kDSIVWWNirIexBBBpbRZYrSGG4uBcXMcaiWUKF3tjl to6ZIJxU9FFFUr24v4ruyis7FJ4ZZCLmZ5gnkIBnIGCWJPGOPrUGpXOtwXKnT9NtLq2C5cvdmOTP cKuwg8dMsOfTrXPHx80gbbp0WnhLprV31e9jgVpF+8ibPMLMPoB71rXvii0PnwaTe6VdXtuWM8M9 75QjRc7ySFYjB9qH8U2V1o097pF9pV21uAZS97siT1y4Vse3HNQz+NdJj0ZLpNW0Y3L/ACqsl8Fi aQAFlD7SeNw529xwM1N/wkQgtIo76bSYNVuQTa2wvtyTf3cOUB59lP41mf8ACwLC1eOz1C60oanL d/ZEt7S/84I+DjzCVUr8ylTwcEip7XXdS0WXy/FjWkQvLiVraW3l3RwRLGXIkZlTGAp55zntUSeP 9PjuYftN1pj2t3eC0tJbO984sxBOXBVdvG3oW5YVq2WvLc67e2DT6Xst1JHk3m+YdPvptAXr/eNU o/G2lvfTudV0P+yogoNwuoAyBm6Bk24GSGx83aqt745Nt4k07TUg08217dG2SeS/AfKruZtiqeME AAkEkjIGc1r3OsXb3lkmlLpd1Bcp5itLfFHYA8lFCNuABHcdavXkuppdWy2dray27N+/eW4ZGQZH 3VCENxnqRWL43/dWek38nFtY6pBcXD/3EG5c46nlh09a6eiiiiiivN/ifoP/AAkmueD9NMXmxtey ySjdjCKmS3UZxwcd6rHwjrf9qNrdzatJqEmnzWbtbCFWUB4xGACwX5sSOSCCA+3IIFVri1vND0i0 k1q3uYbN7h/tCrdlZXG35P3jSssQDdvN+b0zxW9o+mT6p8KbqF7N3vbq2u0gF1gyEM0giy56/KVw 2cYwc1zniLwDrl94Ovkghu31R70LHbpfbYzbAjgLuCD5QfetO60LxMPEsE8MMy2AaHyQoRzDFhQ6 SgzKrNnfltrnkEEkDHPE6nqt39g01b59Z8i6W8dbgLFv2kIRGWzDzjBKpzXSXXgy9S9tmFteXVra a6k8Km9y32YwAMSWbkCTPBOcFscHlNLvDFrrSTyfbdHhvPsls8ChleSaQBMt/GEG4NknBI610Hif Rmkmsr3T9Oma4gEiebY+QJUVtuRtmGxgdoyScjAx1Ncjp3hrxfaatCZ7eGKIS5C2MSfZ0iP8BVpV GeuWEZOTkE8Vfj8K+ILHR9OSxMpu5rA/2ibm5E2Jx5ZwhYnaSPOGVwMkZ6A1mSeFNfWTUrjTNMvL S3nmgLxXVys1xKiowO1xMCAGKn/WLwD16V0HgXw5qkEl/eeI1uHnM2y1SZ12CHYuB5au65BDDcSW PUnmtTwWixt4iVFCqNanwFGAPlSmeC7W3k0m9Z7eJmOqXuSyAn/j4euebwLfyaprIFtDFZazeyJe cI2bcKpVhzlcgPHgYI37u1V7Dwvrlv8A2FaHTrnybW1t4pl+0LHEpVRuAaOUE+5ZHJPfHSLRJpLr xpptqyXk17HcXB1FvNHkGPZJszBuzGM+XyUXn1yM9LJokttr2sKfDsGo2mqTQyIzGMRRBY0QiQN8 2cqSNqt2/DGufD/iZoLxLeCddQMVyJblp08icFXESwpu/dsCY+dq/dbnnmTUvA15JrOlx28dzLpk E1tcyGS8LMsgZhIcs24jbs46cnHU1M2ha0dNsBqNld3iL9o+0QWVykU5kMpMTF9y5QR5G3d3Xjjj EsvCvi2xi0iFYXjigtrdFWARv5JAAkDgyorknPJV+D17Vc1PwTrNz4YeJEuZL+8a7S7ja8yvlkSm IKC21efJHy44yDxmrw8Pax/Y+pRLp8wBW1+xxPd4kjCxASDcrjJ3ZyC4DetZ2n+GvFDwXUt3Zbbi PT7+3sndo/MVnEJiyd7nO5X5LHHqOKlu9Dn0SbxJqMv+hSXItZbW7nuAYmlVAGTbk8lgRjGDwK6T wq6T+fZ6haN/aJRb2XzYgAiSs/lxgfwsqoAwAxnJ5yTS6xbww+OfChihjQlrvJVQP+WVdXRRRRRR RRRWbd2thZ3z6/cTG3+z2rpM+7bGYxhtz+u3BwT0Bb1rRR1kRXQgqwyCO4paKKoXbakNV05bVIjY kyfbGb7yjb8m3/gXWr9c1a+EI7XV4NQF47GK/ub3YYxgmZdpXOe3r3rL1b4dy6vqz3c2uTmImRlj dGZhviePH39mBvOMIDwOepN/UfBgvWikjvUSSKwWyXzYN4GHVt4wykN8vBBGOorP/wCER1y01HRm sdYU/ZYrpZbm4hMoXzDHtRUZ92DtJyWOD7HAlX4exwWktjaanJHY3UCQXsbxB3lVc/cbI2H5j2Pa rx8IFLCxt4NQMb2mqPqKyNCG3FmkJQjI7SEZ9s1N4r8Kp4pt4YXu3txGsy5VA2fMjaPv6bs1Dq3h E6jr1vq8WoG3mg+z7VMIdT5RkPqOolI9sCsN/hfFElzHDeCe3aKdIYJ/MDIZFYH595VfvHkR9Kdp XhfXtU15NY1+VIGt2g8mNY0DN5RkPO1mGD5vXOeOlbP/AAiDRalFfwagVkj1WTUSrQhgwePy2j68 cZw3r2rN0bQNY07U31WC0SB7u82y280qu0VszPJIcrwWMjkjHRSB1FdZqsF9cW0SafdLbyi4id3Y Z3RhwXX8VBH40axpVvrelzaddmQQTbdxjbDcMGGD9QKvUUUUUUVzGuf8jz4U/wC3v/0UK6eqGt6r BoeiXmqXOfJtYjI3BPT6Vyvh3x/HqFxFp915U17JcpFutMmNQ8TyAknHQxyJx12huM4GfrHxC1WL Udci0/TlW206zmZZZip3TRyBCcBs7T0/XpWxfeP4dJikj1TTZ7TUA0apatIjbw+/ad6kqP8AVv1/ u+4ptv4/+3PCmn6Jd3DtA88wMiRiJUbaxyxG4Z6EcGq+j+OLvVb0lrRobGbVY7W0kwrGSN7bzRuG 7Kno2f8AaAxkGtO18Ym8tjeQ6TP9hljd7S5eaNVm2gk5ycp0PLYrmR8U573xA2nWumPFHBplxfXM m9JCoUDaw+YZwQQV75HvXRTeN4reNnFlPcQ2ltFcahcKVQW6uu4HaTluMnC56VJY+MhdXkSS6VcW 9nPeSWNvdtIjCSVGYY2g7lB2MckdveuoormPBv8ArPEf/Yan/wDQUrlrDWdW021uVtCIbNL+9lkm Fqbjn7TLkSBSDGgAzv5zzxxzuRfEbT5NXTTxC83zpDJPB8yiRgDwv3ivzL83TBz2pYPiHANPgvtQ 0q6soLq3+0WhZ0kMy/Lx8pO0/OnX19qpzfEK50vUtQh1jS2tWU28dpbeajM7OsjMWcEqBhCR9Pet bSvGi61qNraWWlXTCSDzp5XZUEI3sh4Jyw3IcFRgjBqPxl4uPh6W0tLd7Zbu4SSYfadwQogGQCB1 Zii+wYnnGKWLx7Y3Ohahq1tazzQ2iQOAMKZvNRGXGTx98dcVj6P428RXsunK+hrPJcQ3byQxTRoR 5U6orBmbGMEgjqSM9Kut8T9Ia8gitoLmeKRInd1XDIJACvydW4IzjpUGqfEO6g8P3d/b6JPHuW4j sZZJY2WWWIPnKhsgARu3OM4x1Iq9D4zaIXS3dpMbtZba3jtFCgmaWIOED7sHvycAU/UfGsmmWkUt xo8kcpkaOWGS5iUxsACMc/MCG6jp3rL07x/canqMrJbNFpkl5Zw2cu1S0izLn5huyM9c9h2zVzUP iJDYW8d3/ZF1LZXN2LGynWSMfaLjeU2bScqMq/LYHy+4qB9ZOq+OfD8M1nJZ3lnLcpPBIyvt3Qbl wykg5HPHSu8oooooooooproksbRyIrowIZWGQQexFZtjeafbX7aBbo0MtrAsiRMOGiPG5Tk5APHP etSiisrVxq5ntv7OaMW2yb7SD98nYfL2/wDAsVxel3H9n6EbjS7bUX19LWMamZElKCUlBI7BuHdc yMAmQcEdxUttq/ibUr6zsLPUZfsctw6jVG07a0iiIsQUYALhgFyRzWQW8QXWq6nq90s8ssUFtaxQ NasEIF6yMwAPUqgc/wC8OwFaGvaprVxr0Fs9xdQPFq8Ii0+GzYrNCrgiRpgOARnIz2xVCz8VeNdQ 1iw05j9je7uNtz/opkazwrEqvyBSMjBZmPbGc0zU73xJ/a+pSTyXMxg027tYYhZN5dy0brhjt6Fg SePTArb8SeJNe0jxTHDZrcT27SQqLZrb5GViFYqyqSQMk5JHIPbrhXC66fB8trCLyKYaHdP5/ku0 pcXHCAnuV6d+4rprHxDqyasthd3KvZWsRvp794BG0lsY1ZCyfwgt5q9M/uunNS+MDqV/P4audBml 3faHuUZCRHKohZlSQ44R+Bk+vHNYcGqeIIPFEmuzLdrYXkVrK8LQuy21tulGAuMhyBGzDBILEdKr nWfEl/4pvtR0+e6aM2d7Fplu1iypIyeWUBLAck5OWx93A61ran4u1C7nvDo8l2LW3tIXMq2DAiYu 4YHzF+7tC5wDj8azfCcmu+LbvW3vWuLQw3VgY5nR1WdInZ2KjCj5h8pwMdM16fcwLdWstu5YJKhR ijbSARjgjoaS1t0s7OC2jLlIY1jUuxZiAMDJPU+9TUUUUUVzGuf8jz4U/wC3v/0UK6eq95Y21/Es V3Cs0ausgVum4cg471hXc3hTX9WNhc+TcXiqYgxV1B5BKrJwCRjoDkfN71Si0vwImn2EyQWQtr8t bWpZm/fmVssoyctkjPNa+sWnh9pz/akcAmvFCbmJDMse5s5HKhdzfNwBu681U0H/AIRWd5RpQQyR QtG3miQP5THJx5nJTPcZFQW8Pgqwtf7XtktFijmjVXiDMfMjQxptUZJYITjA5Xnkc0tkvgprqe6t 1svNmt3ml8wEBY87XJVuE5OCMA881RstK+H8wuNVhtot9vEY5pLjzVkWNgRgq/zFTkgcYJzjmrup HwYn9n3t2sEnyD7MYkeTKLwCVTOVGMZYYHStSzg0C7YW1oltIbSf7YqJ/DJJubzV9Q29uRkcn0rZ ormPBv8ArPEf/Yan/wDQUrP8NaBpWsaZPLf2aTSRape7GJIOPtDnBweR7HitDWbfwrpl/Be6hEIr okFBCJCTt/iKR9hwMkY6D0pL6bwfY22nQ3ItTAluUtFjRpVSFgAT8oOEO0fMeOOvFNXQvBtk0OnL DbLJqpDRKJmMk+xS2VbOcBc8g4wcd6vx2ug+G5oCqxW00ymCNmZmdlBLkZJJ2gkkk8DNGlapoOqa pcT2EqSXvlhXdkZWaMHgruAyuT1Xjke1ZcmleBr20n1J4rFrWzdnmlEhVEIO7LAEAjPI7YxjjFWb ZvCejPFd2/2a3aa2lu4mAbLROyFyo/2mKcDkkjAqC2sfBt5p6X8EcUdvYKEyGkgMQX7oZeD6YyOR jFOv5fB0ei2aXKW8lhIZHt4o4nkJ3hhIQigsPvuDxwWwcGkx4Mj0y+iH2RrVRCs+zc5PyDysEZLN txjbk0qWXg658OCdIoRp1szEvl0kRu4PR9x4+U8n5eDxUCJ4E027tUiS0SQrA0bRqzIgT/VFmGVX HYsRWhb6B4X1W4mv4bG3nk87EhIPySowP3DwrAgHOATnPfmnq9nb2/xB8OXEUSpNcvctM46uVg2r n6Diuuooooooooooqnqc81lp9xeWliby5jTKQqwVpOegJqzDKs8EcqBgrqGAdSpwRnkHkH2NPorM vrTUJtb0m4trny7OBpTdRbiPNBTCcd8NzzWnRWBrvim30O6igNu9wdnnXBjYfuItwXe34nPbhXOf lwZLvxZpFppVxqJuGkhgn+zHy4nYtLwAgABJySOQCOax9O+I2n3bWpuLS7top9OhvvM8iRxHvLgh 8J8qrszvOAQcjitlvFmiLfiz+2gybgvmBGMW4jIXzMbd3T5c55FZGofEjRbXRTqNst3chvLMUZtZ ozMjMo3JuT5gAwJIz1A/iFai+K9PWCeWeTHl3TWyRwpJLI7KASAgXdkA5IAOAOtUJda8KaZZ3Ept pBbX6vNcvFp8sivnIfzCqHDcEFWwR3FN0Pxtpl94f0e/WOOwsrvzERZiyCNI0ZsrlQCNq5zwMdyR irz+NdDjg8ySa6RjIsYheymErFs7cRldxB2tyBjg+launanaara/aLOQugYowZSjIw6qysAVPTgg HmrdZmuaY2rWUMC3HkGO6gn3YzkRyK+3qOu3H41p1zXggtDpV5pjsZG02/mtjKT/AKzJEmcdv9Zj HPSulooooorl9edU8ceFCzBRm75Jx/yyFdJ9oh/57R/99Cj7RD/z2j/76FcjYaPfWfiFZopbW1sU meRxFdu8cobJ2rbsNsTbmyXViSQ3HznFe28JmLw74etWksTqGm3EDyzb+saSb2VTjP8AKpVsPs+v 3zTWlqtrqdn9kjVf30SOHlZvMHBCuHBPbIIJ6ZqR6Drp0+/tYtQhskuIPsyD7e9yYskZlRnUFQF4 EY4PrSr4f1zQGum0C/sb37THGii8KW62rINu9Vjj2sSmFGQMbFzkcVXtNDl/tqS3uLG0RZ9ImjlM spuYZZWmUkyPhCzMBkjjpT/+EZ1q/EdvcaoljZeckzq16b6TKZIG+VBlSSp2kYUx5GS3EsWgaxpu mXGmW93a31q8rNHL9sazmRWO7AMakBQc/KAA2c8dDe0+waLX9FVGi8nR7B7W4nWMQxyu6x7RGo7D aT6DdgHOcdb9oh/57R/99Cj7RD/z2j/76Fc34MYM/iIqQQdan5B/2Uo8EzRLpF6GkQH+1L3gsP8A n4ek8TadNf3NvdWK27zRo0ZdL+S0lUEg/wCsQHK5AyhHJwc8VX/s3VrDUYL+3n02/uX06OxuDM/k KGRmbzAqhsglz8vHTrzxcvdGjn1zQ9TjaxWa0lLXUi/KXXyXQBevAL9CelUHsvs3ima6ktLcWl9a PZqIz5yLIZHfdIOCA4YZxxkEE9DVa10PW4LO+t4L2CyWW1a1hC37ziNmIAlj3DMQRQcRgkHgEjAN Mh8Emza5hXUba+tJ7LyVjnSOIQyopWNwqKA3BC88gAcnpTLrQ7h7vRbMx285tdDaBpHZhF5qPAQA 45RvkJVuoIzg4xUj+HNYv9MWwuNVitreW7SaQG5+1SRxoPuF5F/e7m5+YYXgYOKQaP4j0i3m0/TL yyvLae5aZrqW6FtNHG+C0SBIyq5Ybtw/vHAB5qC00OR31y3j0+ztwstm9vCZmSNSkIB8mVQCpByA 4HBzxVw+HtWvrCzs7rWI7aJLw3blZhcuoVQI4i0i/vcN8+9hkbVAHAIof8IprMdjLof2ywuNO88y QXbTmNkQnOyS3Vdkqr0C5Ax2FdNpA83xRq+rf6m0niht4xIdrO0Zk3Pt9DuABPJ2+mCYdaljfxz4 UCOrHdd9Dn/llXVUUUUUUUUUUUVRtn1H+1LyO5jiNkAj20ynDHOQyEZPTAO7jO7GOOb1FZl9Y3tx rek3cF15dratKbiLcR5oZMLwODg881p0Vg3/AIN0LVr26u9V0+G/muIxDuuUDeXGAflTj5RlmOeu T16Yz5PBOmW0UZl1a/is47hbl4XmjEckoPDMSmc8DoQOOlTaf4U0i30t7ePULi5hudPXSxK8yEmF d+0KQANwDsM+w96pJ4F8NRau15DdBJ4SskyfuGOQANzMyF14A6MPbFWpfB+iavo9hZxXtw0Gn232 SGWCdSwGYzknBBYeUn68c1O3hXTBA9xFfXMEoupL1b1JE3RyOu1yMqVwQCOQep6VT1LwXofiPT41 l1K5nSFXR5xNHMW3csTvVlU85yoXqOwAC6f4G0E+H9P0tbq4v9PsfNSIPMrZV0ZGQlQMgBjjvnvV uHwhYyXVvqE+oXt9dRSxyx3E0iZKpu2p8qgFcux6Z561rabpVvpbXrW5kJvLlrqTec4dgAce3yir 1Zmu6YmrWUEElz9nEd3BOGxnJjkVwvXvjH41p1m6fpC6bqWpXMMx8m9kWYwbeElxh3z1O4BeOg28 dTWlRRRRRVLUdI03V0RNS0+1vEjOUW4hWQKfUZHFUP8AhC/C3/QuaT/4BR/4Uf8ACF+Fv+hc0n/w Cj/wo/4Qvwt/0Lmk/wDgFH/hR/whfhb/AKFzSf8AwCj/AMKP+EL8Lf8AQuaT/wCAUf8AhR/whfhb /oXNJ/8AAKP/AArP1T4b+FtQWOSPRrC1uoMmCaK2UBWP95PuuOOjD1xg81Qi0rw/YTpa+IPCWj2z uwCXcFkrWz56ZYqNhzxhvwJrdTwd4UdFdPDujsrDIYWcZBH5U7/hC/C3/QuaT/4BR/4Uf8IX4W/6 FzSf/AKP/Cj/AIQvwt/0Lmk/+AUf+FH/AAhfhb/oXNJ/8Ao/8K07HTrHS7b7Pp9nb2kGS3lwRhFy epwO9Z8/hLw3czyTz6Bpcs0jF3ke0jLMx5JJxyaZ/wAIX4W/6FzSf/AKP/Cj/hC/C3/QuaT/AOAU f+FH/CF+Fv8AoXNJ/wDAKP8Awo/4Qvwt/wBC5pP/AIBR/wCFNfwd4UjRnfw9o6ooyzNZxgAep4rC k0nw/qE7W2geEtHuWRiJLyeyVbZccHawU7znIwvpyRVvTfht4btZ2vL3StOvL6RdruLRY4gueAsX Kr068tyeccVqf8IX4W/6FzSf/AKP/Cj/AIQvwt/0Lmk/+AUf+FH/AAhfhb/oXNJ/8Ao/8KP+EL8L f9C5pP8A4BR/4Uf8IX4W/wChc0n/AMAo/wDCj/hC/C3/AELmk/8AgFH/AIVYsfDehaZci5sNG0+1 nAIEsFsiMAevIGa1KKKKKKKKKKKKpatbXd3p0kVjdm1ucq0cmMjKsDtP+y2Np74JxVxN2xd+N+Pm x0zS1Qu9NN1qunXwupYxZmQmJD8su5dvzfTqKv0UVyfxD0+61Lw3FFa2r3LpfW8rIkKynYsgLHYx AbA7GsHR9A1aNNPlktpDD/byXSIYEgMMItmQkxKSqfPngdd2e5rLv/DWpvYatY2eizuz2s8e+4hQ SZZTjbMDmfJIGHA49xXb6T4Nj0+C7WW8YvdIsb/Y4VtUCKc8InG45ILdSMDsK5pdLuZfhANItoJ5 Lr7LdQC3tnV03YfCvzjuMDPXGaqWnhzW59O1tre3liingt444WtEsizJKXkxGhIOUIG49fu9BXW2 OmWepaZqEUGiXWj204UNGMQNNgHI2KflB6EjBOfatDwfZz6f4M0WzuYTDPBZRRyRt1RgoBFbVFUN XsLLULSKK+fbElxDMp37f3iOGQZ/3gOO9X6qtbTHVI7oXcghWFozbADYzEqQ5PXIAI/4EatUUUUU UUUUUUUUUyaGK4heGeNJYnUq6OoZWB6gg9RWA+malojmXQ2Sezzn+y5SFVSepjk/gH+yeOTjHFX9 K12z1V5IY98N5CP31rMpWSP8O49xkVp0UUUUUUViX3iW1huWsdPQ6jqQJH2aBuFI673+6mO+efao E0C41V1uPEcy3Cgh47CPKwxH/a/56HHHzccnjmt+GGK3hSGGNI4o1CoiKAqgdAAOgp9FFFFFFFFF FFFFFFFFFFFZlvZ2uj3l5cNeMkd/OpWGVwESQjBCe7Hkjua06o6lo+nawkS6haR3CxNvjD/wn1pm q6DpWt+V/adlFc+VnZvz8ucZ/kKlvtKsdSsPsN5bJNa8fu26cdKWbS7K40v+zZrZHstix+Sfu7Rj A/QUg0qxXSv7LFsgsfL8ryf4dvpRbaXY2em/2db2yR2e1l8lemGzkfjk1W0zS9E0aSWx06C3t5Jl 8x4Ub5mUcbsZzjnGaqeHtDTSLy+eHSbHT4HISMW8jO8oBOGYkADg/dwcc8nNW9L8NaLolzNcaZpl vaSzZ8xoU27snJz+NTpo2nR6vJqqWkYv5F2POPvEcDH6ChtH05tXXVWtIzfquxZ/4gMEY/U0XGj6 ddanBqU9pG95bjEUx+8g56fmaj1Tw/pOtSRPqVjFctECEL5+XPX+VLqmhaXrUcSalZRXKxElA+fl z1/lUl1o+nXsdpHc2cUyWkiS26uuRG6/dYe47VdrA8S3Vxp9xo16szpZx3yxXSIeZBIDGgx3AkdC fYZrfooooooooooooooorP1TRrXVljMxliniOYri3kMcseeuGHOD3HQ1nDVb/Qjs14rPaHiO/toG +XHaZBnacc7xheuQuBnfjkSaNZI3V0YZVlOQR6g06iiiqGp6zZ6Usf2h3aWUkRQwxmSSQj0VQTjp k9BkZIrMNtrGv5N28uk6eeRbwvtumx03SKSFH+yvPH3sEitqysLTTrdbezt44Il6LGuPbn1PvVii iiiiiiiiiiiiiiiiiiiiiquo6da6rYS2N7F5tvMMOmSMj6jkUWmo2t7cXcEEhaW0l8qZSpG1tobv 1GGHI46+lWqKKKKox3N9JqskB08x2ca/8fLyr+8JxgIoyeOc7sdsZqW30+ztJ557e1himuG3TSIg DSH1Y96s0UUUUUUUVleItKk1jRpLaB1S5R0nt2fOzzY2Dpuxzt3KM45xmtRN2xd+N2OcdM0tFFFF FFFFFFFFFFFBGRg9KwJPD76dI114fkWzbO97HAFtOe+RjKMf7y98EhsVY0/xDb3d0LC7ifT9TILf Y7hl3lf7ylSVYe4J7jqDWvVe+v7TTbR7q9uI7eBPvSSNgCsYXmr68P8AiXq2l2B6Xc8YaWZT3jQn 5O53OPT5SDV/TNEs9LZ5o0Mt5KB595LgzTH/AGmx+QGAOgAFS6xqUWjaNe6nMjvFaQvM6pjcQoyQ M9+KwZ9U17S7jS57+ewmt9Qu0tvs0MDK0O8Eg+YWO/GMfdGfamQfEXRGtJru7FxZW8cUkoe4jwJB HJ5bbcZz8xUD13cZwcXvD/jDS/ENvJJDKIZI3CNHK69SMjBBIbgjoTjoeazoviTo00z26RXRuVtZ LkQ7RufbL5QjXnl2boB+OKuap4yt9KvY4JNPu5I2YI8ybMRsVLYILBjwOSAQDwTV3SvEVtrE8UVr DN81nFdyMwAEYkGUU88sQG6ZxjnqM7FFFFFFFFFFFFFFFFFFFZuqXkWkhL42TS+ZJHBNJCgLqpOF JHVgGYcdtxPY1pUUVQm1CWPVYbGLT7mUOu97gACKNef4j1bOPlHrmlOlo2rjUXurpmRdscBkxEhx gsFHUkeuavUUUUUUUUUUVHcJLJbyJBKIpWUhJCu4Kexx3+lPAIUAnJxyfWloooooooooorkdO8Wa 1q1hFf2PhWWS1mBMbtfRKWGcZx26VXXxzqLatPpg8OYuoELyKdRhAAAUsM+oDoT6B19ang8YapdI Xt9AgmQOI90erQMNx6Lwep9KgufHWo2esWelT+Gyt5eF1hT+0YTlkUMVPocMCAeopLHx3qGoWtpc Q+HQi3mfISbU4EeTBxwpOTzS3fjrUbLULbT5vDo+2XEwhSBNTgLhipYZXOQMA8/SrVt4p1m98z7L 4bSfy22v5WqQNtPocHg1ma14lnuruDQtU8Jl5rjDxx/2jGpUndtIYEFSdr4xydrVUs/Eviy1hurW y03Tb1LddyPdaxEZIgCMiTb1AGRng9M1Ddavc+Hby1v9e0S5ur2SdIo5rnU4SsTvnbtjHCLkMAcE jOM1sx+O9Qdbln8OiBbe5a0kafU4Ix5oAJAJPPBo1fx3qGhQ+ZqHh0RH5dsX9pweY2WCjaucnk1J c65qOrJd6RP4WiuN8ZS4thqsJbYRghgDkDn9a55Li8j8QDRL3SdVvNRa0ae2ju9WhPloSULxlQPm Hqckdu9V7LULK70+6lh0B1t4JE08XEurwIIpYTvBjY8btxDE/wATLkg4rVF7HClkL3wtZXc5G+C4 vtUtpZZMnO5Wb1PPy4HoBTNO8OzaXqVpqFv4InNzayXEsTvqkRxJOR5jn1JAx9KXQPD9tceItb1O DTZbTXLaaTdb3k6SQM1wodiSi7ipB6EnFdf4X8PxeHNH+yKweaWV555BnDOx7Z7ABVHsoraooooo ooooooooooooooqhp1xfyzXsV/arD5U5EDocrLEfun13Y6jHXpmlv9UhsJreFobmaa4bbGkELPnG Mkt91QAc8kdDjJ4ou7G4ur+2mXUZ4beI7nt4goEpByMtjOPYcGr1FFFFFFFFFFFFFYvhnUbnU7S+ kumVmh1G6t02rjCJKyqPyA5raoooooooooorl/h9u/4V9pOzG7yTjPTO41kXnw2kn0tlj1q6/tB3 mlbzXZrfdKHDjy852gOcc5+Vc5qTV/BsdvZu1tDI0Z0wWJgsIUVzLvUiYZIXIx16jtU0HgZp4NPe 9nRbiOG6a4MY3Ms87I+5HP8AcK4UnnAFULb4cXdtpyWP9o20yy26W9xcSwEyx7c/PCc/Ix3ZOc8j NWLrwDdXF5HGLuzWzS6luftH2c/bD5iyAr5mcYBkOOOigUvh/wAAT6XLP9p1GTa0KwpNazypLgMD ySxHOOcD9Ks3/gQ6lc6hfTateR3dzcJMiQyFYU8vaEBTvwo3c9WbGKitfBa6TpuluUhnmsPtEl0t tbgNeeYkg2AE88uMBiRwKraR4Ell0mz+3u29byKd47kCRmgjjMSIxzwxXDNyQGLY9aW2+H15pzvN Bf2t9IZpiF1K3MieXIUI4BHzrsCg+hptz8O7oWv2O1vrSaFxbh57+AyTp5QQfu2BAAITJ9yasaL4 DuNI8TR6gb5bi3illkTe8nmfOG4OG2nG7HI6Ad6u+IfB8utavLqMV6tvN9ljghbYSUZXck5BGQVc jHrg9qyrr4d3CxPDY3FmsZuXmRpVkDopRFC5Vhn7mST1OPfOb4i8Ka1Ld3On2lhBdx3ot83k0CYj 2BQdpBHlD5c4Ctyc9+PU65nQP+Rx8W/9fFt/6TpXTUUUUUUUUUUUUUVnabbanFe6lLf3omhlnBtI VUAQxBRwTgEsW3E5J7YqhcQ6voen3l7FqEuruiFxBetHCiqMkkNHFnOPXNYvhTxY9zZX13qMuoTy KElaGK2aeO3VlVwiukKbmxIuR8xAGc9atW3izTILp7htW1S8+1SNHFp/2As8JA3EbEjDj5ectnip D4l0621FbsaxqF7Fcx5jsYLPzVi5xzsj3g5Vhhj13DHHCxeJNPl8RyH+2NQSBJGtmhltNlqJRwV8 0xj5s9t/Wo5/FWl/a/7SOs6jBaQopFr9i+S6BYKHjzHvkGXTlDjlfXmvbao/i7xNdQWd9rmkjSgh 2iDy0n8xcnessfUdh+Ip+oeKon1qWya71OzltLpo1hsLX7SbpVSJ2LARsVA8wDjHXr6RTeM7LVbv UIYNSvdOttPMLLd28IcXfmDhF3xtk54AXk9qv6h4n03UNNjNjqt/bTNKV2Wdp5tyNo+YNEyMQMMp JK91555q3/jPTb3RJ/7N1S8ikitVumu1tWCouMjezRsqk4PG3PoKlg8UQ3iarpstzf2D2F1HZf2i 9vgu7KpDncmwZJx0xypH3hW1p0y6lojJaancSkboRf8AlqGZhwXX5dh57gY4q1bWk8Gn/Zpb+e4m 2sPtMioHyc4OFULx9O1JpcN1b6bBFeX3264QYe58sJ5hz12jgfhVyiiiiiiisjS9Knsdc1u9keMw 380UkSqTlQsSoc/iCeK16KKKKKKKKKK5PwM0i/DXTmhBMotnKYGectisTS9cWz0EX9rf3t/rQtI2 1G0kmeWOCViodnU58rYS52KVyFYduJrfxXrmoahaabYXWmTie4aMaolq7QSKImkIVRJ1BAUncetY z6/rtzquqalNOfJtreC3S0iM0aFvtjQtJw/U7CenQgZwCW0te8U6k2tQ2aXtvZNFq8EK6eEb7Tcx CRfnDbvuMM8bTwDzVKD4ka9PBeYs7KO4WNWWCQqXtmMqJsdFlLPjecnCYK8jnAuajr2vweMdL026 1C1jjt7nZPJFA8aXPmQOyrjecEFcDk/MQe2DFqXjnUtE8NaHfKYR5+nJcSQTxEl225KiWSVck9MY dh1OciptO1vVrq4QJLIsl3ql2sRmMjLAv2Xeo2gjcobsfwwabpXi7WLLwb4fuCY9WlvrPy1mCsGF yCoCscncxBbI4JMbevHT+I9Qd/h9ql9YXoeZbKUpc2hx86qQSuCccg9+K5m/8S+JToNzdJLaLHcX Vxp8CpbSCWEr5gWQtv8AmP7voAOWHPHNE/EHWdOsNITFpcKbGGU3MzLGt45HzKrPKu0rjBID8tnA 6HQ1Lx7qNpqAVZtNRzeSW39mSRsbjaquRJuDgYbaCPl6N171Dq+teIn8PySm6hivZ/Dtxfia3ilR YyPKIULvPzYZsN1B7dQdc+J9WiutN0+Fba9bUIYHt72ONghByJW27juCgBuowHGfU9jbXVveQCe2 mjmiYkB42DAkEg8j0II/Cue0D/kcfFv/AF8W3/pOldNRRRRRRRRRRRRRWXplncaa+qzXt4JIp7tr iIsxxDFsQbeegBVjxxzVsm11XT5EjmSa3nRoy8Lggg5BwRWTa+ENMtNEu9Jja4+zXRUuTJ8wKoiD Bx6Rrwcg85BBxWfoXg3w/ouqLPZ3jy3cc7vtMkY+cxhCNiKo4UDt706fwHpEzWlu97diOBpJY7ct EeWkLuQShdclsZUgjjoeabp3gaOK5u5NRvp7mCS/lvIrMOPJXccqTxuLD/exmnt4M0VIxDc31zIl uIkt0mnUfZYxIjKiYA+UmNB82SdoGetbMOk2un6xqGsi4lRrxEE6O48obBgMOODjjrVW30HSbbxF Lq8c7/bJJJFZTKCu90jBGPXbEhx9fWs5Phxoa2c1oWungljiXy5HVlVoySjgFcbhnvke1U7nwPLY w26eHdQWK7gZ2ZpPLicJIFBAMceACYx1Qk46jGKt6R4F0218OXeky3ctz9qt0tbuVHAJ2Ajj0Pzc 1Lqvhn7VHrC6dcq8upTxPcJcS5S3dFUCRAozvG2M4Jwdo6Vf0DRrnRGntvtSyacI4ltYQuDGQD5h P+8xz1rZSRJF3I6sMkZU55HBFZ3h/R10HQ7bTEmaZYA2JGXBOWLdPxrToooooooqIG4+1kERfZvL GDk79+TnjGMYx3qWiiiiiiiiiiuZ+Hn/ACIOkf8AXE/+hGtLXtbj0KyjneFpnllEUaBggLEE/M7f Kowp5JxnA6kVVj8WadHp8FzqLGwaU7RHIQ5PupTIZf8AaHFTf8JXoX9q/wBmf2pbm8yB5YOeSoYD PTkEHr3FVZfGuirr1tpEd0ss8rSCRlOFhCIWJYnjHGOO9St4y8PJYm9fVYVgEoi3MCDvIyBjGeQD 27GreqazBpunx3QjkuGmZUghiHzSs3QD0HPJ7Dk0208Q6XeWouI7pFAtRdusnytHEc/MwP3fusCD 0INc9B8UPD85V1lcWzXr2f2jGVBWMuG9cMAQK0rzUvC5vNP1W7u4XldP9FcyMygZ+9s+6DyRuIBH IzTLXxF4U0ZZNJtb+2hFpvLQqWIQ8uwzzzznGe9SaL4y0zW7GK9ikSG3eyW7YyyAMgLFSCOvBUjP QnpUw8Y+HzZC8GpxGAyeXuCsSGwTgjGRwD2rnJNb8HxeJriS3ijlvIrZL7eZysOXfbnax2K/IJOA fm9Sa6e+8U6Fpt3Ja3uqW8EsaGRw7YCqAScnoOB061DpFx4e1rUptV02aO6uwAjOXYlBj+FW4XIx kqBnvmtWwsLXTLNbSzhEMClmVASQCzFj19SSfxrC0D/kcfFv/Xxbf+k6V01FFFFFFFFFFFFFcrru j6rPompR+eb0yahFdRQjgrbq0ZaIZ4bIR+Dwd2DWXdwXphjm0zQ9R0rTZJSbqCyKR3UmFARlUHao 3Zzg8jmoI9N8XTwX93c3eopdWunq9hFFMoSWYNKQsi/xNgQhs8ZzUegeH9e0m9jeGKcGe+v553uG RuWTETE9cE+lUH07xXJfC8tIdV/tSLTpYp5r51MIkaSEuLcA5AIWTb06L0q7pOn+K9Qlsba/vNXt 7IXEpldW8qRU8v5QXLMWBf8ALpVSDR/E66rqN3NDqUl3cR2saO7xtEUivGyCCfveVtbp/E56nFV9 V0/xjeNqmnLZ6hLZXEEyuk8vmLnqgVi2OT6AVu6vo2rXOuQXjxX7Q2/iFJo1tnRf3BtgpcjjID5B zzgt2pula/eRa+VvNQe50q3u/skEsDBxNJM+IgzDhtq53ehxU2vaRrieNbrX9IibzksILWMnBSQM 8u/5SRyhaN8nsGA61Q0HTtd8IvdotjqF1Yu9yqRwFZHeVnVlmO5hwQG5zntiq/hzTPE+jLNdzxax LcNeWt1eiSVHNzH9mCuqDPLCTAI44UYJxUuoHxfdWkl3HbaxEz3s7QxiUBkiONisiMPQ87uOmOa6 T4c2urWngq2XXbb7Nqck081xHgDDPK7Z445zmtzRdMGj6TBYC5mufK3fvZjlmyxPP54q/RRRRRRR WRqury6brGkwNEn2O9keGSdjykmAY1A/2ju/KteiiiiiiiiiiuZ+Hn/Ig6R/1xP/AKEa1ta0xtW0 82y3LW7bgwby1kU+zIwIYc9D3we1crc/DKynhtyl9Il1GHV5TGCjByGYCMEBRkDAHArRh8EWsOi3 mmLcusVzNbzHZGqiMwiIAKvQA+UPzqnL8O4LlIrK51S4k0iFJkishGq7RKrK37wfMfvGl0v4ewad eQ3T35lliuI5wywKjNsVwFJySR+8Jra1rwxY+IL2zl1LfLBabmjgBKjewK7iwwfukjHTmsRvh3Fb Q3kOkarPYQ3UbwSJ5Sy4iYsxUFufvSSHPX5gOwq5pngqLTNQt7ldQnlS3umuY4mVeGaHymBPUjGD 9RWdf/DGxvJXmS9kWaRpjK0kYdXWSV5Nu3IHBdh7jrWqngy2TTJbEXUoSTUI7/Kqo2shQhQOy/ux +dVLf4f2yad9ju9QuLlfsEVgGKqhCRSF4zwOoJA98VYuvCVzf6dPDea5cy3MrIWmESIpVc4UouMj knr1we1Zdt8Mre3spbQavcmKaFo5QI0G4mczAj0wzEfSrWu/D6DXLXVLB9TuIdM1OTz7m2RFJM3y 4cORkYKIcdOPet+LRo4vEB1fznaU2SWZQgYwrlt3rn5q065nQP8AkcfFv/Xxbf8ApOldNRRRRRRR RRRRRRVHT7O4tJb5ri8e5W4uTNErD/UoVUbBz0ypP/AqvVy/i/xanhv7JBG1p9sud7ot1MIkKIMt 8xIGSSqjngvnBANEPjvSrjRb/VIY7iWCyhimfy1GZBIoZdmSM9e+KydL8eaveyacr+Hp5GuVvS8M BjEg8mZUUjdIFxhiDzncOOKuT/E7w7DcQRCWSRJY45GcbV8tX+7lWYO3/AVao9S+IS22i3l9b6Pf fL9oitJZRH5c80W/K4D7gP3bnJA4U98A2bXxrH5Vw15BKsyfZUS1SMBzLMm5UDbypJPc4A7nvU+o eM4dLsI7q70q9hzIYpI5ngiMbYBAJeQK2QcgqW75waxtO8dx39/NHbWKxaZ9qs0tJ/JBEvnnrgOM HPIOOB1BrS1H4g6fpsP2mSwv5LR7n7Hb3EaptuJ95Ty1BcMDuDDLAD5Tz0zsaVrkeqNdw/ZLm2vL Tb51rPt3ruGV5VipyB6/XFUV8b6NiEySSRB45nk3qP3BjJDI+D94lXwBndsbGcVtWF2L+wgu1iki WZA6pJjcAemcEjpVmqGi6XFo2kQafBNLNHDu2vK2WOWJ5P41fooooooorB8VafdX1lZTWUXnXFje xXawbgvm7SQV3HgcNnPtW9RRRRRRRRRRXM/Dz/kQdI/64n/0I1W8c2S3S2LyxySwoXDRvYveW5Jx gvFGQ+4YO1hwMtnqKzdD0vUrlNdS4i1DTRNbWoVRKWY4jbciyHJ9ASORnGcitfR4bpPBmjWUsmow XJ0jY8UUeHDiNR99h8kgPTJGSTnOOORg066W0littMmNmJIGvnis5rYyxiQeajxMT5zFNxLJ15Az mujudNt7zwPq1volvqen2xjlaKBVaJpT5Z+VEb5kUt2AUkg9jymr3F7Z+GtKjFxd26mK1jvFEZVY 4S6LK5kxlGClu4wMntms/VtMFt4kjay0+a6KmEWsZtpAUQBRiC5RtkSAAkq4yTu7MKSb/hKH8Qye IY9Pf7HHeCJB5zh/sf3XP2fZknkvjdklFO3sYdXsbvTPD/jATTXkgkv7R47i4Y5kyINxU8ADdkYG AMYqfULeSx8XS3wsLu8mFwJQWs5fOSPjPlzodnlgZPlkbm+YfxCqtrF4i01mvfEGm3Rs9Rgc36WN xJcSiXO5FVEUFeCY+rDaqgkdS3RkiXXNBlt7a50+Oe/kP9nm3kgjgH2WbGA4G5j1YjjIHpkz6Mlz o19cz22mXVxNHBJ5s72c0UzSfwCY7ilyzN/EnA5PQ1SjsNa07y4vEekTz2V/CXmMUkl+iXYBIaWJ ApKHJHG7lE5GMnRsIrrTYfD8kSzQ382oGHyyCN1kWYnER5SMDaQrZKA4JzXo9czoH/I4+Lf+vi2/ 9J0rpqKKKKKKKKKKKKKo6fYS2Ut88l5LcC5uTOiv/wAsVKquxeenyk/8CNXqoXUWm2d0dUu/LjmY JbiaVum5gAq54GWIHHU4znArNm8D+HZwVawZUY5aOK4ljRucgMqsAQOwIwBwOKuWHhzStNuhc2lq Y5VMpVjK7bfNYNJgEkAFlBwOPTqarL4N0KMQCG0lg8hVRPIupYsgdN21hux/tZqxN4Y0afT47CWx VrWOSWVY97YDSBw56558x/8AvqqtnoHhy5tbqC1hSWPesEzCZ2dXhG1RvzuVlHGQc+9Sv4R0R7RL c2sgCMXEq3EqzEnrmUNvOcDqew9BTLXwZ4fs2jNvp+zy/J2jznIBiOYzgtgkHv19aWfwdoN1cNNN Yby0gm8szSeWsgYNvVN21WyM5ABOT6nOpDp9rb311exQhbi62ec+T8+0YX8ge1VptA0u4jvI5bRW W8mSe4G5vndNu09eMbF6elaVFZ+iaba6Ro9vY2UjSW0W7YzuGJyxJ5HuTWhRRRRRRRTZGZInZELs FJCAgFj6c0kLvJDG8kZidlBaMkEqccjI44p9FFFFFFFFFclpXhrxDoumQadZeI7P7NACsfmaYWbG SeSJRnr6Vc/s7xX/ANDHp/8A4Kj/APHqP7O8V/8AQx6f/wCCo/8Ax6j+zvFf/Qx6f/4Kj/8AHqP7 O8V/9DHp/wD4Kj/8eo/s7xX/ANDHp/8A4Kj/APHqQ6Z4qZSreItPIIwQdJPP/kamw6R4mt4Uhg1/ TIoo1CoiaQVVQOgAE3ArP1CXxZY6vpFiNd05xqEskZc6WRs2xs+cebznbj8avz6N4kuoTDca7pk0 TYykmj7lODkcGb1ANSf2d4r/AOhj0/8A8FR/+PUf2d4r/wChj0//AMFR/wDj1RyaN4llkikk17TH kiJaNm0jJQkEEg+dwcEj8ak/s7xX/wBDHp//AIKj/wDHqP7O8V/9DHp//gqP/wAeqP8AsbxJ9pNz /bumeeU2GX+x/m25ztz52cZOcVJ/Z3iv/oY9P/8ABUf/AI9U2g6JdaXd6neX2oJeXV/Iju0dv5Kr sQIABubsPWtuiiiiiiiiiiiiis3SdOuLCfU3nuTMt3eNcRDJ/doURdvPupPHHNcTc+FvFB8V3V4L qWSKWaRo545lTETA7YiDzgcDgZ460248BagNJ06wtlHkyW0A1RJLt282ZJYWLAkk9Fl5GOv5Tav4 P1UR3ttp8KS2Czo9nC90+6Ndg34JPd8n5ieOmKgsPBmvTafdT6rIX1SPThHp8gvHHlTq8xU4XC8B ouSD93vjnQt/D2uLrLTzx77lpC41P7awCRkcReUODjpnv1rBs/BviyC4H2p5LqBcm8hF2I11E4xn I+ZDuO8dOhB610mieHNWsvBWq6dBs0u9urmeW2CzGXyA7ZUF+pOO9VP+Eb1VtMZLfTDZ2vno8umf 2m7/AGlQGB/efwZJQ8H/AJZ+9Ms/BWoXF2r6qGa1jtZRa24vZP8AR3aQGNMgjdtXjcajTw14juNa 0u5vofPeCGAXE813lC6qN5ULgj5s4GDk8ng4q3Y6N4mhuNIspkzbacLjzL37YSbnejBMpjPBYdTx iqlp4L1mxsrX7NIUube0syrG8dsXQf8A0luSc7owBzxxwBWY/gfxXPq8KXVzLNaveo97Ml15YuIQ +4ggHd07DHSvVreCO1t4reFSsUShEBJOABgcnk1neG9NttI8P2thaXIuYIg22YEfNliT046nFatF FFFFFFFZ2haumuaRFqEcLRLI8ibGIJGx2Tt67c1o0UUUUUUUUUUUUUUUUVzXiD/kbPCX/X3cf+k0 ldLRRRRRRRRRRRRRRRRRRRRRRWZpOmPp0+qSPcGYXl41yowf3YKIu3r/ALOfxrTorgfEHxMXw7d3 Mdxpi3EMcwgSS2md9zk4AY+WEU+o3kj0NWdc8Walb+NdL0TTrWFoWni+0zSTgblkSY7QNpxjyt2c 84A75qOx8Y6jbT3r6naRy6curzWMNzFKPMGGIRTHtAwMY3bs+1VLb4n3F9dafbWfh2Z31J8WryyS RR7djP8AO7RYViBwF3Z5545sWPjDVNQ8VXNobSKCytrCYzIJgzLPG+1ip2/MM8DOPXHarOkeNJ7+ yt7iOwElqiwR3U810kcokkRG+VNoVh+8XnK85wOADi6/8Sr+2sL+CzsIEvRFI1rcRzPJEdnLHc0S qeM4ClsnjjrW+PFlxC15E1oZbz+0UsYYGmURiRoFlI8wLkLjdyQST7HiGLxxfXd+bGz0SKS5gjme 6El7sWMxuFYIdh39eDha6nTNQh1bSrTUbcOILqFJow4wwVgCMj1wat0VleG7Cy0zQLWz0+5+02sY by5gwbdliTyOOpIrVoooooooornfCNvNYwarYtDJFa22oyraB1IzEwV8gn7w3u/P4dq6Kiiiiiii iiiiiiiiiiua8Qf8jZ4S/wCvu4/9JpK6WiiiiiiiiiiiiiiiiiiiiiiszSNMXTp9UkW5877Zetck Yx5ZKIu3r/s5/GtOis6bQNHudQGoT6VZS3gxid4FL+nUjNYd/beEvD1zbWY8PRNPOftMcVlphlbM RA3kIpwVLjB/2qtHWfCwTJez8nyv7V8zyhsxvx5ucY3bvxzVCO58IWa3Gu/2ItpdW0is7PpjR3O6 Rtisq7dx3MSMjrzUj654Pt7e41i5ggtJbZmWUXFoY7hDJyQUI3fP16c9a0NUh8OaLGmr3en2oksU jiieK2DyxqTsRUCjdjLYAHrWS934Mkae7k0WNr+dmhlt20wm6k3Lkgx7d5BXJPHSpbzWvCVrY21i 9is0WphitnDYmQv5e1CHjC5BX5VwR2x2rorTTNOt44jbWEEIWHykCwhSsZ52YxwM9qswQRW0EcEE aRQxqESNFwqqOAAB0FSUVleG7TT7HQLW20q4+0WSBvKl3ht2WJPI4PJNatFFFFFFFFRJOr3MsASQ GMKSxQhTnPQ9CeOcdOPWpaKKKKKKKKKKKKKKKKK5rxB/yNnhL/r7uP8A0mkrpaKK5qbxxpsGofYH s9X+0kMyoNNmO5QwUsPl5GSBn3FdEJojj94vOeCfTr+VEU0U6b4ZUkXONyMCM/hR50X/AD0Tv/EO 3X8qa1zAhjDzRqZPuAsBu+nrThLGdmJFO/lcH7309afRRRRRRRRRRRRRWdpWkppc2pSJK0hvrs3T AgDYSiLgev3P1rRoorkfF3ha81zVtOvrUWkgtYZomiuJpos7yhDBoiDxsIweOahsPA0mnJDDFdwS QxaQNOXz4d+WEm/cVzgjtioV8EX9x4evtNubmCKO5lt2FvFNLJGgjlV2YO537mA28HA2gjvWpqvg 2xn8MX2labDFbzXCMqzy7pGUngksxLHjjr04p/irQLjXtKv7OBbONp1g2yuGDMY5Q5VyvO3AwMHI JNYWn+BNR0u5XVbSazTUUn81bdpJZIMeWYz87ZfODn61c1jwjqGqt58yaNPe3Fv9nnupbYiS3GWI MLc8rvOM45UHPPHX2sJtrSGAyNIY41Qu3VsDGT71LRRWfomn2Wl6Pb2WnyGS1j3eWxffnLEnnvyT WhRRRRRRRRVN9Ttk1iLSiW+1SwPcKNvGxWVTz9XWrlFFFFFFFFVdR1Kz0iwlvr+dYLaLG+Rs4GSA OnqSB+NYv/Ce+Gv+gi3/AIDS/wDxNNHxA8LmQxjVMuAGK+RLkA9Djb04P5Gnf8J74a/6CLf+A0v/ AMTTT8QfC4kWM6ph2BKqYJckDqQNvbI/OiP4heFpoxJFqokQ9GSCRgfxC0P8QvC0ZUPqgQudq7oJ BuPoPl5NO/4T3w1/0EW/8Bpf/iaafiD4XV1Q6ph3BKqYJcsB1wNvOMj86xNZ8YaHc+I/DlzDdyPD a3EzzOLaXCAwOoJ+X1IH41tt8QfCyFQ+qBS7bVDQSDcfQfLyfahPiF4Wk3eXqofa21tsEh2n0Py8 H2ok+IXhaFC8uqiNB1Z4JFA/ErXD+INVttV/tW7tdUtotQlurT7CZoZnjiihkVy5+TIJ5yo67FrP 01dJtNG1GxbxDG18kk/9ml0ld44JZMuZDsyWcZBbsMDqDV/RNZsraa7m07WbTw/CSkI063s2ukQI OGJAAVzu5HoF5rLVLeTxEL2bXIUtXvL3zFSKbK2szbsAbMeYxJyey8VamvbG88VW63LWA0G1mjFu 6W7+bFDEoaMKSpZW8wAHAGV6muh+G72V1ezo12s0+mRfY7KJo3RltlYgTFWA+ZyCcr2wO1ekUUUU UUUUUUUUUVRg0bT7fVJ9ThtVS9nXbJKCcsOPw7Corfw9pVrqsmqQ2SJeyFi8wJyc9e+KB4e0kaz/ AGuLJPt+c+fk5zjHrjpxUo0bTxq51b7Kv24rs87JzjGMelJLo2nTatFqslqrX0S7UmJOVHPHp3P5 0t1o2n3uoW1/cWqyXVt/qZCTlOc0X+jafqc9tPe2qzSWzb4WYn5DkHPH0FGpaNp+sJEuoWqzrE29 AxI2n14pdT0mx1m1FtqFss8IYOEYkcjvx9TS32lWOpWH2G8t1mtuP3ZJxx06Us+l2Vzpf9mzW6vZ 7Fj8ok42jGB69hSDSrFdK/ssW6iy8vyvJycbfT1ottLsrPTP7Ot7dY7Pay+UCcYbOR+po0/SrHSr L7HY26w2+SdikkZPXrTdL0fT9Ft3g062W3idt7KpJycYzz9BU9lZWunWkdpZwJBbx52RxjCrk5OB 9SanoooooooormvFH+j6r4d1B/kggv8AZPKP4RJG8ag9yDIyDHqQe2a6Wiiiiiiiiua8eceE5f8A r7tP/SmOukY7ULBS2BnA6mvMbrRPGkS3GuQeSbydrgtDCWFwI3QrGvL+XuXbCTjGMOQTk5t3tprm hWUhGsXEUP8AZ6zfadRvAVW9DrhNzfwkZ+XoaQ6Nr2sXuia2xnW7jjvbqJpG2LCXMfkRunYGMYYY OGyeuKoaZpXi2x0eztjDfw3aW6i0W2nUQQzbmL+eN3zLkjHDcZqzqWl+JLvWrSTydSkv4L+SZZzM v2BI9koiITdncA0YPy9d3WrPhaDxpFNdrdzSJIYgR9uiaSIybhuKkSlgMbsAADv2xTtW0XxRf65d a1a/ZoxbzxfY4pdwm8qP7+NrbPmLSY3A5BXOMDCafp+u2djp95qGoajCtyLj+1DdXg22se1yjA5w hBCcrnHNUF03XvF+lafcX80kq/2jb/vLZwiqkUbB5lHAIMuSGGdyle1LaaX4otTdNqdvqHkzXs8r ro86pI8h2COTJYfIVVsjP3scU3XNK8VahZfZtTi1C7u3Ft5Z0+ZUtRgoZPNUsuTuDkcHjFaOgweM IvGG7VJbk2zSS+aQu6BkwdgXMnyn7vIQcgjvmp/Eek63/wAJidd0iF2lt9Ojhj+YbZSZH3pgnqAU bJ9CB1rCOgeI9HsLmztBqjGTUZZy9swxKCkeXLCRWGW34XJGOvQVB4k1TVLC4lsXu9Wj1FFtlsIb W8DAAhN4kyVaY53fMqtx6YNeu1zKf8lQm/7Asf8A6OeumoooooooooooooormJPEWqweK5tKm06y W0htjePc/a3LCHcVzs8v73GcZx71MPGelnTbfUFh1Nra4/1TjTpvmGAQcbehB4PfnHSksvHGgahK BbXUjQtIYlujA6wO4/hWUjaTweAe1J/wnGi/Z57jN6beHbmYWUpR9zBV2nb8xJYYx1qX/hMNI8jf uuvO3+X9k+yyfaM4z/qtu/pznHTmqWp/EDSLGxuprZLu9lgtGuvLgtZWCgbgA7BSE+ZGBz0wc9K6 HTb1dR0y2vVjkjWeJZAkilWXIzgggGrVFFFFFFFFFFFFFFFFV7+7t7CwuLy6JFvbxmWQhSxCqMk4 HJ6dqmR1kjV15VgCPpTqKKKKKKK5rx7/AMilL/19Wn/pTHXQXM32e1mmxu8tC+M4zgZrl7HxFqEO hQa/qslm1heW8c8UMEbLLG0m3ZHyxEmS4Xd8oHXGDwTeNIzcx6c2hX0mpvL5bWOYdyfIZAxYvswV Unhs1lSfEG7l1e88mzaHS7W3hLSSRK7+c9wYWXiQcAhl6dVJzjGdPVvGkkFzHHp+nyzWyalFY3N4 +3y4yXAdQu4OSAeDtIzVWH4qaJcQXEsEFzMEjEsIiaNjOpdVBGG+Tl14faefY1JceOLseINN0qPR riKWWV0vEmMZaFfKZ0IKvg52k8Z4BHXFOufiBaaZo2lahe28jQXtolwZw8UQAIyfkaTdwOcDd1wC TTbfxlPdO6/Z1mWS/uLe3ijj5mRIPNXJZgFJ9+O2B1p2m+O4Y/DWl32sWctnNd2AukRFBVyCoKrh jj76EZxww54ONzxBqlxpXhTUNVhhVbi3tHnWKXkBgucNg/yNYN54/MOmXdzFo95hHmtreZzH5c1w m75QA+4DKMckDgfSov8AhZun2dtYLqVvJFdy2kVzdRqyDyVcZBALZfOCcJuP48VoXXjq1tpQ/wDZ 17JYG4e1F6nl7PNUNuXaWD8FGGduMiqGpeO7uHRpb+10qdJTpM2oQW04jJZVKYcssmAuHyV68Hoe Dpy+LLOCeCC9sJ4tSdIGigIRmYy5AAYEgYYMDkj7v0rpq5lP+Sozf9gWP/0c9dNRRRRRRRRRRRRR RWbcaHaXWpT38hl86ezNk+G48vJPA9ck81n6j4L0zUtJ0/TpXnSKwjWKFgVc7QoXkOrKTwOcZ9CM nMWl+A9I0jQLLRrV7r7NZ3YvImaQFvMBLDJxjGT0xVC8+HcH9nXkdlf3AvLqWF2uZdikbJVkY/Ii gsdvBYHB+pzo/wDCFWX+u+3ah/aPmeZ/aPmL5+duzH3duNvy/d6VLB4N0q2tb+3j88Jf2n2ScmTl lJkJbpwxMrkn36VsWFoLCwgtFmlmWFAgklILsBxyQBz+FWKKKKKKKKKKKKKKKKKCcDNVNL1K21fS 7bUbRma3uYxJGWUqSp6cHpVuiiiiiiiua8e/8ilL/wBfVp/6Ux10jKGUqwBUjBB71z1xoHhjR7O6 ubu3hhtpAI5HnlYpGGYABNxIjG4r93HRfQYdb6V4b0rUdPijWJL53eS18ydnlc7CGILElgFz1yAO lLPoHhu0/dT2sMf2+VYtrM371w7TgDnru3t+dS3HhPRLvUlv5rLM6yrNxK6oZAchigO0nPciqs/h vw1ZOqXERjW8lWGOF7mXy2fO9VVC20Y2ZAAGMelWNV0fw/HO2s6lDHHJE6ym4MjKQyqVHQ88MRjv noabP4T8P6jp9rAbQNaxW4gi8md0BhxwpZGBZcdiSOT61HaWnhaG8ghtVtluEvJViRXORP5WJAOe vl9R6VGfBdiH0y3hKx6Vp3zRWe0uS2ScF2JOzp8mMfKvoK0LTQoovDZ0bUJ5NQhdJEmecndIrMSQ ec9Djr2qtb6d4b1OyhtreGGe2c/2hGFLFWMm794D77m/OlbwboRht4ltZY1gjEaGK6ljbaOgZlYF gO2c47Vz994S0ceJ5bm+1ZjFE321rIBgRvJTJw20qSWH3M+pzknqpfDukzwCCSyRoxZNYBdx/wBQ 2Mp16HavvxWbP4PhuL5JjdMkVtbG3s0VMtFlcbmcklyDyucYJPPNb2n2rWWm2to87ztBCkZlf70h UAbj7nGawU/5KjN/2BY//Rz101FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFHUVzXgr9zp1/ YZ2rZahcQxQngxQhz5agdl24x6jFdLRRRRRRRXNePf8AkUpf+vq0/wDSmOulrD8X6PJr/hq40yOO KTzpIdySnCsiyozA/VQa4+9+H+tX0sbvfJ58ST2kFy8h3RQGMqhGAOSxBI7YGKk1Pw1ruveKbLW7 7SLeNbOW22W51At8qmXewwoAPzx8Y529amj8OeJGTTNMnjt5LWxW4D3Ut25F15iOFDRgBgMsP4uM cVS0Lwd4kttUtnuhDFYQXkFysHnhsFVlV2AC9SGjH4V1nibRNR12706G2u0tLS2kNxLIyLLvcD5F 2MMcNhs9ivSubh8M+KdGs721tTFqCyWTWFuxufs4iTc7I4UKQNokCYH/ADzznkAVtI+G0sFxb299 ZW7WMeoNdSlblyZVNuUHuCHPryDSar4M8UTiER3RlggMyW8CzgG3XzWMbKzA8hCi+23vV8+Br2SC 8uJTv1Ke/Q+c90+TakIJEOOMlQ4wB37VDpHg7X7LQfsMMkensulRWirHctIvmrKzOw4GN6kDPbOO 1SXXhLUbjQZoLfSba0zMjx2ZvXm24BDMrH5QTkcEEYHrism08BeJES4nlWEX89n9nW4F4waILcFl TgYx5W1eOmPfNaPirwf4h1U6wlg6C9u9xtNUN2yNbR4H7jYB0OGG7/ppntXS6L4ek0TXZWswIdJk s0BgErN/pG47mw2f4dozntXSVzKf8lRm/wCwLH/6Oeumoooooooooooooooooooooooooooooooo oooooooqpENPh1O4SL7Ol9OqzTKuBI6j5VZh1I4wD7VbooooooormvHv/IpS/wDX1af+lMddLXN+ KbzU4JrKDT53jWQO0i2ph+0tjGNomOwoMnd3yVx3rJ0fxHq+qxaybO7trgwW9s9vLLCY1XcjF2Kj knI+6T26gVdj1rVpfAOm6lFNZi7uLCKWS4ncIPMYJnauNuTubGSADtzkGs0eItSh06a1N9cfbPt1 rau13BCJrdJmxvzGTE3GSOOMfMDWpqN5q2n+FtWex1e1v7uzR2+0zIoaECPf8yphWbpgYUYIznHL 73X7+00DS7iNIHlvltoRM7cpLMyruKADKjcTwR0x71nalq+q6bqzifVZPsVq0MRliigkT5goP2hM iQOWbjyxgAqfWoZvHNxH4taFUlOmR3q6cy/ZHILsMb/NxsGHKD733S3GcUXHiLXrbS/E8lzPAt1Y 31tHCIIwViSQQkr8w+Y/O3zHr2A6VZ0nXNR/tyJdSv2Mdy8yxqiQvbSbAxxE6HzFIC5Jk44YdcVn 6P45vdUu2SSc2cGoW8lxZzXNi8aWyoe7PtVv3ZU8Fvm3fw4q1p2uaudV0mMag13pl7dukU88Uayz IIJHJIUAKm5VKnAJGc8EUuk+JL63uvN1i+kdZbeWcIscLwS7BuJt3Q7goz/y15II75rN0zxnqWrT LYzX0tlPewG8tSLLypGUZJhiM4CM2Chz838fI4I1NP8AEepx2+l3dzcLcR3GoNpcsLIqurb2CuWU Y3jbhguUP8OOp7muZT/kqM3/AGBY/wD0c9dNRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRV SSWwg1OBZDAl/coyREgeZIq/MQD1IGc496t0UUUUUUVjeKdKudZ8PzWVm8K3BkhkQzEhCUlV8HAJ 524/Gq3m+M/+fLQP/Ayb/wCNVVvrPxLqkAg1DRfDF3CG3CO4nkkUH1wYuvNPjh8VRNI0ek+G0MgC uVuJRuAGAD+65AHFMNn4mMccZ0XwxsiiMMa+fJhIyACoHlcKQBx04FMh03xBb6e+nwaD4VispAQ9 uksgjbPXKiLBzT4LPxLa2P2G30XwxDaYK+RHPIseD1G0RY5yaivdN8Q3luY7nRvDZRYwist1MrRq CCNrCLK4IBGOhAqO2s9fvBZal/Zfhm8uI4l8i+mnkaUrjghvJyM5J4x1NPs18XT6a9rN4c8O2luS yfZXu3ZGX1wsZGDk8fnTdT0nxLqthc2c+m6AiXLI8zQ3cqs5QqVJPlc/dA+gxT/7K17z7mf/AIR/ wp510pS4k8yTdKp6hj5XzD2NS3tn4l1K2FtfaL4YuoAQfKnnkdcjocGLFUIvDes213Z3NnoXhmze 1lMyC1nkiVmKMnzAQ88OasrpGuo9y6+HvCYe6ObhhI+ZTnOW/dfNzzzUt/YeI9VhWHUdD8L3kStu VLiaSQA9MgGI881AdI8SG5tJf7M0AR2ahba2W7lEMRHRggixuxwD27YrS83xn/z5aB/4GTf/ABqm aVpetHxTPrOrDT4w1ktqkdpI79HLZJZV9cV0tFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF cv4j/wBF8U+GNQk/490nltTjk75lATj0ypye1dRRRRRRRRRRRUL3dtHdR2r3ES3EoLRxFwHcDqQO pxUdxeG3u7aAWtxKJywMsaApFgZy5zxnt1qLVYNTuYY4tNvYrNi37yZovMYDttB46+vasv8A4RRr v5tW1vUr3cMSwrJ5ML+nyL07dD1FdDGixRrGgwqgKBnPAp1FFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFU7/AE211H7N9qQt9mnS5iwxGHXODx169KuUUUUUUdKzb/xBo2lOiX+q Wds7jKJLMqsw9gTk/hU2m6nb6rbtPbLcKgbafPt5IWz/ALrgHHPWp4HncSefEkeHITa+7cvYngYJ 9OcetZV94ci1K8ee71DUWjbAFvFctFFsxypVcBgec5yecdMVY0zw9pGjFjp2nW9szHJZE5/OtKis nxDrX9hact15AlLyCMGSTy4o85O6R8HYvGM4PJA71nf8JXPJZad9n06KW+1CV47dFvFMD7FLlhKo Py7QcHbknjA60o8XCGwvmvLHy9Qs7hLVrWKYSCSV1VkCMQCRtYE/LxhuDisy7+I8UM1nFFa2cbzw yyS/b9QFsI3jcK0Y+Vtzc5A44we9auseL4tH0PS9Vl0+7MV9PFEYSu2WEOpOWX/ZxyO3PpUcnjrS 4/EU+ltnyILP7S16DujZiyqI0AyWb5xwOeQMHNWz4w0MWi3H2qQ5cx+SLeQzBgMnMW3eOCDyOhB7 ilg8XaPc3MVvBJdySyELhbKYhCeznZhD6hsYBBNEXi/RJGmV7qS3MSF2F1byQZA67d6jdjI6Z6j1 quPHnh8yyQ/aLoXEYDNbmxnEoU5w2zZu28fexjPfmt+2uYLy2jubaVJoJVDJIjZVgehBqWiiiiii iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiquo2FpqdhNZ30YktpAPMUsVyAc9Rg9qsqwZQykEEZ BHelorL1PXrTSpkgkiu7id13+VaWzzMFzjcQoOBniqsOra3ezxrB4fe2gLBjPe3CIDHnsqbmDY5w wHfJFat7ayXdv5UV5PaNuB8yDbu47fMpGD9Kde2cGoWklrcoXhkwHUMV3DOcHHY9x3HB4qCw0XSt KR00/TbS0VzuYQQqgJ9TgVeoooooqnqVh/aNr5Iuri1dWDpLbuAykexBBHPRgR7dKyR4OsktYlhu 7yK8juHuVvkZfN8112u2CpTleMbcegB5pp8EaVcKo1FptRzcfaZvtWxhPKFCKzgKB8qjAAAHqCea k0zwbo+jaw+oWETQBo3jFqu0QpuZWZlXGQSVXvjjgCtDVdHtdYFot3uK21wLhVGMMQrLhgRypDHI rCk+HOhS2i20onkRYWjy7KckyLIHPy4ZgUUDIIwACDTB8O9OXSTpq3k6wNN57gW1r8zYAGR5O3jH XGeetT2/gTT7fVbe/F5eu1uAI1Yx5UAcDzAgkxyeN2O2McVn3fwx02Sa6u7e5mN1LFIiCdUKjcQT uZVDucqOWYnvz3pwfDJ9TvrjVPEl+0+pSIkMciCKby41yduXhCnJOfuAjHU5IrvNOsY9N062sYTm O3jWNTtVeAMdFAA/AAVZoooooooooooooooooooooooooooooorB13xbYaBeR2txBdyyvEZj5EYK ogYLliSAOSBV7R9YtdcsBd2pIXcVZGKlkI7MATg9/oRU1jefboWk+zXNvtcptuE2McdwPQ9jWTc+ KTb3MsP9ga5L5bFfMitNytg9Qd3Iq1pWuf2pO8X9lanZ7V3b7u38tTz0Byea0RPm7a38qXiMP5m3 5DkkYz68dPcVnapryaZMsK2F/euRlhZRCQx+m4ZGM9vXBqjF4vWaYRLoOuBtwVs2g+Qn+983HXNb k15HCSqq00isitHFhmUMcAkdh1OfQGo9Sv8A+zbQ3H2S6uvmC+Xax73574yOKxX8ZLGjPJ4e15EU EszWgAAHUk7uBWrJNFq+i3MYEsZmtyskRUebHuXoVzw2D0rM8PPqsHgawjXTvLv4YRAlvcNswqnY rPjOPlAYgfQVlaT4t1OR5Li90/UbqJxtSOwsMxKQcEiQvlvyGK2NH1LTNX1y5nS1u7XU4YRG8V02 xvLJz/qwxHpzjPI9a1473zNRms/s1yvlIG85kxG+eyt3I71m6z4nt9FvEtprG/maRC6vBGpUgZJ5 LDkAZPoKig8WRzTIkmjaxbRseZ7i2CRoPVm3cD3rcmn8l4V8qV/NfZlFyE4Jy3oOMfUiq+qakmlW f2l4J5/mCCOBQzsScDAJGaxk8ZrIu6Pw/rzrkjK2gIyDgjhux4rda/tkQl5UVxtBjLAMGb7q4z1P Yd6Ir1JtP+2RxyMNhYxAAuCOq4z94HjHrxWGPGlulxbRXOj6zaLcTpAks9ptQO5woJycZJrpaKKK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKw9Q0Bb3XW1OXypohp72n2eSMMGYurhueP4fS uS8M+Gda03w5epLFeQXCWsENtaQ3Yhj4hi3kbOA28Pz1PTODmodG0zxhfXcFnqUuq2umLdbmkW48 uXZ5L5y3mOxHmbOM/pUuo2vi14rW3A1WTypZkHlShA0QlYRl5FkVtxQLkkN64zkU3TJNevNev/sr 6sbi31MQ+ZLcBrKOFVTehUnJbBbB29SDmiay8ZSWM0du2qpeNDtvZJLhdkkpdMNbfMdi/wCsPReC OK2/D3h+fRvHGsTltTntbi0gEVzc3PmqxUtuU5OcjIxxjBbmqc/h7V7rxzeSB7600q5uDJLNaXHl F9tvEq5IOcbg4/Cse10bxhBNrV4i3i6nd2kCiaSZWjKpK4dQAwIk8vbtPHLE5BNMkvtc0rTbZdeu 9UhsGuJAyrIIZ8bFKgTNKQRu3E7nB7AHFS6LZeJtV8OahfPc6s0p0tk06Oa4AEkhM4+dScM2PK5P HQgmm30Gq+GfEOqanFPdxy3U8DRJJOHS6XygrpHFnLOrYwMcKODXYahp2rHwE+n72udRlthHcuJP nO7/AFpjJx8wBbYDgZCg4FR+BbC+0vS7q1u7L7Mn2hpYsgBnD/MWcKSobPUKAAeBnrWVp2l6nZ2E thDoajWYWuZYdVmKeUGcyGMhsl2xvUEEAcH0Gao03xPcmKC3fW7axeeAXJubtfPzvPmsjBjiPbjj IOe1QXvhbX5NcvLoG/n+x2F9BpsstyrElo4vLzk8ksZOT/dXPAFP8WaR4g1K1urSW21S6SW3hS0S znRIlIUeYJwWG75s9jxTJ7bx4urakRLd7pEuRG0IBhKlG8kLmTCN/q8sEzkH1Jpda8M66ZNMiSTW L2zhe1u5gbwNIJlkG8Asw6Lk46Z5HNW9SsPEv/CO2ixxX32tbu6L/ZrgowRpWMeVR0DDbjndx6HP FbStJ8Vsftl9bPHe3Vzpr3TBkBKoCJe5xgenPpmobeLVvC3h+K3tbi5t9SOp3aR295cCU3UcjNse NMncAzRMx4IHmE9eer0y1g8TeE9Fma5uSIpobrzJDl3eN8kEnPBYH8K6eiiiiiiiiiiiiiiiiiii iiiiiiiiiiiiiiiiiiiiiiiiosz/AGoKEj+z7CS+87t2eBjGMYzzn8KloorI8Sa3B4b0G51KUJ8m FRXbarSMQqgt/CCxAyelc/pnxBW9SG1gsm1TUGmlhYafInlnywrb9zsAMq6nGSRnHar6+PNLaKNx HcEzxq9uu0ZmYyiIoOeCJGVctgc5BIyaxB8QryG48m+tYLYnWZbSNjkia2jLh3XB++u3BHPrjBFb I8dWaxo1xYXlu1xGstkj7CbpWZUUrtYhctIg+fb97nocZc3xDSyutQt9a0xrd0uUhtrWR4g7Dylk Ys5fy/4uOenvXQWvjDRLjSWv1uwkcdm15JEVPmJCpIZtvXAIPI69q5vTPiTDdoyz2kV5emWEQQ6f KkhHnZAUsxCgqQVJyM4zgZrbPjjToITJfQXNmI5JYZxIobyZY4/NKHaTk+XlsjI4xnPFYOp/EPUL GXWg1hFBFbx2/wBjkmOczSKrGJ9pxnDZBB56ckVut450+EG4uLe5h00tKkV8wUpK8QYuoUEuMCOT qoB2+4zm3XxCfTtVlGp6ZLZWIs45YRK8ZklkeQquCrlVU/7WMV0nh7xDaeJNOa7tFdRHIYpFbB2s ADgMpKtwRyCR+INcsfiDdQx6/DLYxNe2t1LDpsasQLoKxQbjztIYYOfrwKu6f48W4OkWkthK95e2 0EzlXjiTLqGJUSOGZRzyAehHJBq5p/jODUdR0+3j068S11HzDZ3jGPy5QilicBt68DuorpqKQopY MVBZehI5FRypNsQW7xx4dS25NwK55AwRgkd+3oaloooooooooooooooooooooooooooooooooooo ooooooorPbVo18RJo3lP5r2jXQk424DquPXPzVoUUVif2n4f1nVo7H7VBcXlo/mpFk4DAdR/CxHX vgjPUVbOiaadaXWPsqf2gqGMTAkHBwDxnBOABnGcACufutL0PS9e02Oe7hghtYpbi0sFhJbIJZ3L cllBbdtxw209QK07/SfDlpZLd31rbJb29w12JZc4SWRjubJ/vFjkdDmnw+EtDgiuI0sAVnXa2+R3 KjOQEJJ2AHBG3GCB6CqU3hfwvp0CwzQGL7VcqFka6l815Su0ASbt3IXGM4wK07fT9LvNEjso0abT 84CSSO27a3IYscsMjocgjjpVa9g8PX2rQPcpDJfafPGibd26KRhuQHHscjPAzVWfQNN8QIk9ncQ/ 2dNdtc3Sxx7jPKpCHDk/L9zawA+YZHc1oX+gaHNb3z31jA0NxsluS+cHy1AVvbaAORjpUdnoGgXE g1W2tIpluo96kszxMrjllQnaNwPJABOT6mqmneFfC11aG9srbz4buJQsxuZXJQHK7GLErg8jbjFb Wm6Xa6TbG3s1lEZYuRJM8pz9XJPbpVCfSdAtbmNpraNJXe4nUnd951/et+I/+tUVj4a8PTLZ6haQ GWERRtbj7RI0OwKAhCFtvAAI47A9eayLfwlp3hnVv+Ehv9WbyLQSGEPlQm8EHI3FTx0CqtdlbXMN 5aw3VvIssEyLJHIp4ZSMgj6g1LRWVrurPpENlIkKy/aL6C1ILY2iRwpb8M1q0UUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUVzMn/ACVC3/7A0v8A6OjrpqKK4iw0HxDaaC2gQraWywJP9n1Q SFnDPuKsqY+QgvycngH1rPXwVqN3JCjWUVhphuoWn09L55A4Xfvk3YByQyDb/s5qOb4f6j9v1W4t /KUmxu7TTn+0uGhD7PKHsB+89cZ/KfxR4Q1XVry4Is4L7zmgNvPLdtH9jCbNyhMEPkqzZ/2qoS+C fFJvNUIu2d7mG5QXS3Cp5m9WCK427sLlRwf4Qfarmq+AJv7SsH060hbT7aS3nNs906gyqzeYwznk rs+uO1Lqfg/W7nw9p9s0dvdXcEs5d3mO/DyMy4ZgRjBXIxnpg4By7TPCXiOOKF7+5je5e8spruQT nMixwhJckAZye3eqKeH9S0DQ7DStPD2WrNd3SRG1LyCSGQkby2NqbNyPhuT5WAcmuz05XvfDF7p8 VpJbGHz7KMSk/PtygcE87W6jrwa5ex8AXsGkSmZYv7VM9sscq3L4W3VIUlQdhkLKMY/i7Z4zD4B8 Qw6JpVpAsUcdpC0T2sVyMCTcT5wZlPJHbHFN1Oy1L+2obKfT7y+1M3No8N88zq0MSmMuBtXYw+WU kkrnceOmdq18DXsOl6Vatsz5VyNTH2hyJneMqp9+cemKpRaFqNra6BoNr5lndfYVttRigLvF5auD 5hkICnO2Rdow37/0FdR4v0K91ewsrex2mG3mEjQ+aYnJA+RlkwcbTyRjkcVp+HLO807w/Z2V+0TX FunlEwqFTCnC7VHQYAwO3vWpRXNeNP8Aj00f/sM2X/o0V0tFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFVTp1qdVXUzGftawG3D7j9wsGIx06gc1k+L9dk0PSYmtw5uru4S2hKQtKVLZJbY oJOFDYwDzjIxmuAvPiB4naC9+xpbBrPTLp5WuMwv5sTqPMEbIT91h8pwDk9MCunv/F+pRWurM1lD FHppt45Z4LsMxlkETYUNHjbiTGTzx09EtPF+pW2paoL2CC40+LVjZROk2Jk3bAo8vbgqGblt2cZ4 4qn4k8f30PhbS7vSbaCO91G2+0nzZx/o6gx5BG07id+Ogx1rRXx7I/iI6YmjzyJHcLazSxB2xIQM lfk2FBuHJcHGeOxuaP4rudS12XT7iwhs1QOV8yZ/MbaewMYRsdyrsBxya6Zm/dlge2Qa8oi8feIn 8EWhbyV1pljnmuRD+6+zMy4cDpuIbb027gw7VteIvHt1b+DVv9NtYkv7lrqJFkmH7jyllO8jad3+ qyBjv1q83jZ7TStUnu7OP7Rpy2+5I7jImaREY7TtHA3Y6c47Vl618Rbi0XUrRLaKOUQ3Is7uBnlT zY43cbi0ap/AcgM3IxjqR1mra2NG8JzavMpkaK3Em1VyWYgY478noK5vQvHFyb6HSdTikkupLlEM 8kD2wVHid87XUE4aN16AYK8k5rI1jx7rhv8AXvsC21vaWVnL5DGQOzSxz+XvwU6HpjJwOevFb2pe O7jR2ks7/SV/tMPEEitpXmiIkDlSWEe4f6p84Q/w+pwlv451G+ljitdCVXW0e6nF1cNCVVH2HYDG SwOMjIX8KqaD4z1LVL5XuERLS51dILVY5FLrE1p5wVwU+h4OckjOBzpW3jWa5sxffYrOG0nikltW mvgr4UZ/ertynT+HfisZfiDqmoazpen21hDayG+jS7EsjqGidJSoXzIlbOY2PQfdAycnGlp3jS5u tO01ba0We5ntGvJGvLgRARhyvDKhBbPbAGO9L4e8eza3aaXqUmlJb6Zqty9taOLnfNvBfG9NoCgi NujHHHWuwuLW3u1jW4hSURyLKgdc7XU5Vh7g96mooooooooooooooooooooooooooooooooooooo ooooooqqbe4OqLci8YWwhMZtdgwXLAh93XIAIx05qZoIXnjneJGljBCSFQWUHGQD2zgflVS60fSb ieS8u9MsppzEY3mkt1ZymCCpJGSMEjFc/p3iLwvdac4j05rW0ktvtSJPYGJbiKNQdyAj59qhfoNt ObVfCsGqx38OmJJfSRJcS3lvYbngR14aVwMqCuevYGore+8HXmrzxf2JCkl1PJaPdzaaFjuZQxDJ 5hXDklTx321ft38J6rrNwsVrp097pnlRtM1uhMROdiq5HUYPAPFVbeTwsLq80qw0xbVbvfZy3drZ eXE78qyeYowWB3DB6EGrFn4k8P6b4f0kJdsLWV0sLRZFJkkYN5QGMZ6jk9Kl1O68P6XFFC9hDcPK pgitbW1ErskZyVCAfdUnJHQE1SvLrwqJYtQOix3l9eo5xDpwkuGQfI5Ybd2BkKc+oFR3t/4N32hu NJt5reCNBHdHTg0Nqh5UFyuEHIOPer2oDwnb37XV3Zaa9zJFJJNcfZkcrEqkO8j44XA2kk98VYs9 Z0vVUZZLSaD7IBOqXtqY9qr0kXcOg9RUY1Hw1r+kTajcLZ3FlEDHK91ECFHytghh0I2MB3yp9KzL XU/BBsoporKwhtRp/wBsRmslRVt3fB/h4y38PetJNQ0PVrLUJr6w8mOOINeJqVp5ZMS5ZWYMOVGG I9CDVK21zwvZWcT6bphKOjo0Vlp+TEgb5w4UfKN3UHvTjq/hOxuQ9rZ273LxwTw/ZLQM84ZXERj2 j5iER8Y6KD2qdNQ8N2djPrgsorZ7h/JnP2TZPJIT/q2GNxbPY1Tmn8G6XFC8GjWr20iR3hmtNPVo 4k5KTOyrhQBuIbsAa1LKPw94h06IR2FncW9u/wAkM1sv7lv9wj5T3/GtRbG0VY1W1gCxyGVAIxhX OcsPQnceevJ9aS9slvkhVpp4vKmSYGGTaWKnO0+qnoR3FWaKKKKKKKKKKKKKKKKKKKKKKKKKKKKK KKKKKKKKKKKKKKyW1aRfF0WjeUnlPYPdGTJ3BhIq4x6fNWtTZE3xOgONykZrzjRfhncWFuFnns45 otOlso5LfzT5pkQKXcOxAxtBwuOp9q077wXfTjTlgurRGt7aOA3Ox0mhKqBvQqcMeMgOCBj0JrR0 HwbYaTdXF9PGlxfy3c84nJbgPIWHyk4DAHGQKli8Pva61qN9ALQw3X2UJA8XyxiJmLEY7/PkehFU l8K3y+K/7TS5toIfOMrSQK6yyr18t1zs2+pAycA9c0ReDnj8MWWlm4hNzbXiTm48vqguRMVHfnAH 1Gan13w7darZLGkWmbknkkEckbqrBjkHchDBvXBwSTmoV8N6vYnTbyy1CC41C0tpLVzeqxRkd1fj ac5XYqjPbrzSajofiS91OzaW90260+3CEwzxOhkkHV2CnB9l6DrTotGvbTXL+RoIfJ1W2W3328YK W7IZSCyN94MJPzHP3qzo/A+pnTb+yOoQWUF6oieKzMhVVzlpF3kkSYwP7uO1bGkeFBo+q3My3s17 a3UcYeO8O9keM/IyYAHQ88Z+VcGsXTPCN/Y3sNizRvFHoS2f2pog8bSCYtgoTzxUsHgi/fR7nTZr +O0t7qWIyRWbyERqh3EoXJO5ztU5+XaOmc5juvBGsW008el6us9jdyLLdQ6izszkLtChkxhT1PGT 0qS+8NahqGs3/wDo1msbWNmi+Yh8h3QzblXaQ6Y3KQRjsOmakTwRezx6bDe61OkNk0kqrauVZWYY Eals/u1HTOW96il8FasujLokWpW8+npKxje6VzNECWIYFSAzDeQARtwq8da1fDGmXcF/qmp3UbRC 98lI4pAPMCxJs3NjgFuuB0rpaxfEmpXOmW+nvalQZ9Rtrd9y5+R5Arfjg9a2qKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKKKKKKKKKKKKKKy9U8OaNrcscup6bb3UkSlUeVMlQeSAfSptL0fTtFt3g02zit YnbeyRjALYxn9BUttp9pZ3FzcW9ukctyweZ1HMhHAJrPv/CWgapePd32k21xcPjdI65JwMD9KNP8 JaBpV4l3Y6TbW9wgIWRFwRkYP6VqPbQyXEVw8atNEGEbkcqGxnH1wKrapo2na1AkGpWcV1Ejb1WQ ZAOMZ/U1lf8ACBeFP+gDZf8AfFbj2dvJYmyeFTbGPyjERwUxjH0xRdWVte2UlncwpLbyLteNhwR6 Vh/8IF4U/wCgDZf98Vs6fp1npVmtpYW8dvbqSVjjGACTk1k+DNKn0jw8ILqHyrqS5nmlBbcWLSsV JOT/AA7afdeC/Dd7dS3Nzo1pLPKxd3ZOWJ6k1PpnhnRNGuWuNN023tZmXYXjXBK5zj9BV19PtJNQ iv3t0a7iQxpMR8yqeoFV9V0DSdb8r+07CG68rPl+auducZx+QrPXwJ4WR1ddDswynIIToa3Li2hu 4fKuI1kj3K21umQQQfwIBpLq1gvbWW1uYllglUq6MOGB7GsL/hAvCn/QBsv++K3bS0gsbSK1tYli giXakajAUegpbe2htYvKgjWNNzNtXpliST+JJNY8Xgzw3Bex3kejWi3McglSTy+VcHIYe+a3aKKK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKqaZNDPYpJb3pvYyzgTkqckMQ R8oA4II/CrdFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FYHguyudP8LwW13C0MyzXDFG6gNM7A/iCD+Nb9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFVrBxJZqy3q3g3N++Xbg/MePl446fh61Zoooooooooooooooo oooooooooooooooooooooooooooooooooooooorI1vXTpE1hbxafcX1zeyNHFFAyKflQuSS7KAMA 96l0nVm1ONjNaNZyhsCKSeKRmH9792zDHarsMskhk8yB4trlV3FTvH94YJ4Pvg8VkXGtatFcSRx+ FtQmRWIWVLi2AceoBkBwfcVZ0zUr+9ndLvQ7vT0VciSaWFwxz0+R2NXnlkW4ijWB3RwxaUEYTGMA gnJz7A9OaparqV5YNELXR7m/D53NDLEgQ9gfMdc59s1RXXtWMiK/hTUI1Zgu5rm1wP8AyLmte/up bOzeaC0ku5AQFhjdFZsnHBcgfrTrqaWC0kmhtZLiVVysCMoZj6AsQPzNY39vaz/0KGpf+BNr/wDH a1LC9e6thJc2r2U27a0EsiMy+mSjEcjnrWf4Q0660nw3DZ3kYjnWadioYNw0zsOR7MKLvW9TtriV E8M380SMQJluLZVceo3SAgfUCrGm6nqF5cNHdaFeWCBciWaaFwT6YR2Ofw7VdFyTeeQIzs2ZEu9c FgeVxnOe/TFUdR1PULO5EdroN5fxlQTLDNCoB9MO6n9O9Q22tapNcxxzeGL+2iZsNNJcW5VB6kLI T+QrQurySERfZrV7xndQyxSICiH+M7iMjjtk+gpdQuZ7S0aW2sZb2QEAQxOisffLkD9ax28Rasud 3hPUBjGc3Vrxnp/y1rbt5pZrNJpbWSCVlyYHZSyn0JBIz9DSWU81zaJNcWklpK2d0ErKzLz3Kkj3 4NYdx4purK6to77w7qFvBcXUdqtwZYGUM7bVJCyFsZPpXSUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUVm3+kJf6rpd80pU2EkjhAoIk3xsmD6fezXEN4WubPXL5tI086atzrEKG6sYI0db X7Mu/aSpwvmKM8dak1SfxXZ+Lol0+LUpbUzxo3mESRGIkBn4UBeMnBbIP5U62j8V6dpOnyvd6pcT Xenu9950STNbTgJtCKoXBJZxjnp7c5Tahr9tBpcV9P4hiF3fNG3khWnkVYZGwisgIAYAnI5xxWlc TeLBbw+f/aqp5T/YzaRoZGfe3l/aeDgbPLzjHJaqmraP4k1HSbm81G51k3EOq2zLZ2Xl7fKVomZ4 125ODvI57V1Hja0v7vTtMbToJJp7e+SYbQCVxG+GP4kfnXJ63pHiVtJ0uGS51y8jZLa9vNnltLHM k0RKrhR0BkbHPKD0wbkt54zt/FFyzmVLZZZPLBhZ4DCASmSBhWxtyd3BzxWRa6zruq3kNrpmp61L LNbxveErHsiYzwhzEdvACNLjPb6Vq65ousPqBONSmt7TV7KSOWFI/NmjWIB3YhfmIbP057Vet/EF 7beILmK9v/M0myudvmxYdnaZ0jhRiBg4Yy5AwVwmffQ8Y2Or6zdWGm6fbQvaAtPdtcuyRtgYRdy5 JOckrj0rBhv/ABfpGi6ja3llqM92LD7LYtZxecqzoJMPuPJBDQ/M3UhuBg1S0fwrq7apZxTy6zB5 Wp3s0t4SgYB0G1lbbghj146+lS6jd+PVW1YJcoqI6xtFCXZnWVwDKqg5BQRnquct07Xrqw8VT2N5 ObzUzNcahJbfZx5YjS1YkeYo25Bx0JJ+lQ6Fa+I7Hw6yW1teRyxaTYxJ9oiQShldxOqnHLKn3Qcj 7vqczXj+IDobSWR8Qsizjy2nCJOFxzuVVLMuenAx16VjWNp4qnubq/vbXUjfXVraKEeFDDtju2BB BHDCPD88/Mx9AOhuZfFI16YRjUPOF0fLRUX7H9k9c4z5uPfr2qTSZda0C10+91a71C5tX0qS61Q3 QRjbyoqNtXaBjOZOOc7R6c9Rc2dnr9jYyyGQxLLDexFTtJZSHXPt0yK0aKKKKKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKKKKKKKKKKikgEk8MvmSr5RJ2q2FbIx8w79c/WpaKKa0aOyMyKWQ5UkcqcY4p1 Rzzx21vJPM6RxxqWZ3YKAB3JPSua8G+KLnxIl613bw2rxurRQZIlWNlB/eI3zAg5XOADjI4qS01n WNR1a9+yW9l/Z9jdm0mSVmEzkBSXVh8oADg4IycHnmoZfiDpMNo13Jb3y27RGa2k8oYu0BGTH82f 4lPzbetZ03i0Wus6bp2k6BJa3l9eKl6k9uqtHGVdg52Ngk7WwcnhWJ7A3X8cxLoVvdW9pcX95NY/ bfKtogAqc4dgzDCkgjqTxVTTvHnh0mysZ4oIZ7kQvOIwgjS4kVWC7Sd5OWXBCnqOeuG6n8S4bfw6 +o2ekX/mSR+bZrcRqq3CgjcRhicAHPOOorWfxfFbWGoXs9rPJHaXYt5EjVEaLMaN85dwvVwMg9SB jvWZJ8Q7ef7TcWXl/YotP+0mV1Lssgm8tkIU4IHsfxNX7Dxl5lzqq6hp9xa29nqS2KTlBtO5V2ls MTyzAcD+NPfG7pWqW+sWK3toH+zuxEbuMeYAcbh7HtmrtFFFI6LIjI6hlYYKkZBFVruOz8uBboxo iyp5QZto8wH5APfOMCrVFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFc1rxI8XeEwCQD c3GQD1/0d66Wiiori5gtLeS4uZUhhjUs8jthVHqTUisrqGUgqRkEHg1HdW8F3aS211EktvKhSSOQ ZVlI5BHpWNotnoNhNFPp12JZdQjykj3bStcqvO7LE7sAgZ7DA6AVPJ4Z0uTUjfGKUO0gleJZnELy Do7Rg7S3A5IzwPSqEPhLw3eQzpGjXEALQeX9qdkt8N8yRjdiPlQCFx0xWlLoOmPrC6xJD/piFWEp kIA2q6jjOPuyP+ftWcnhXw9qOk2iWhkFpHbi3ils7t0Lw/3C6sCy8ngk9amj8G6NBdQXFvFcW7Qh MLDcyIrbAACyg4Y4ABJ6gDNVbjQvCd3pVrp8rQm1tS+nwqt0QVZvlaPIbO75fqMVfl8K6TNaTWzw y4mnFw8gncSeYECbg+cg7VAODzz6mqFr4P8ADAS90+GIyt5ZhukNy7uA7+b8xLZBJ5zU+p+FIrmH UEsZRbNqUySXbSB5cFQAHjXcAkgwpDAHlQSDilsYrDThDqltrEKaFDYiBIg4EIIfPmbgcZ7dK6Gi iiiuZ8a/8emj/wDYZsv/AEaK6aiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiqV3pdve 6jp99KX82xd3i2nAJZChz68Mau0UVzfijSdU1ufTrWymitrWGb7TPLNGJVYr9xdmQSd21s5A+Xv0 rmrHwbrkTXdteTSSRWNiYdLlt7p4IzJvdk/dq3G1Si/Nn7vcVY02LV7vxLHYPfyywQxxXGoorttS dYyGQt6s5RwAduI245wcmy8B+I9MstGg06SG3S206UOvmZaC6k2eZtP91sH6Ek8DGNQaFr/2eQpa XcWmecjNpDakWnkAVwxE+8kAsY2xvHCEd8HGPhLxZDZRLaRT29uZriRbSO6DyQs8zOrs5lUOdpUc luR0rr9W0fxBqPh59MF/G5vBDFJJLCo8mMAeaHw37zeAV+Xbjd1xzWRbeDNZTX4ba+uTcaKZprp2 s5XtAGdANpRX3E7wzZyRz26VD9n15bvTtHOoyi+nRo76JZGYpAJyySFh90eUrR5BDbpFJ6ZDJPA2 tRXf2ix8mIza7Je3KvJnKBm8mUf7QBGR3A6Zqxb6B4nFtKsX2i1cQKl2Zb4yfb5A6Fmj+Y+VlRKP 4ceYOmOMyTwn4lAv5tPsriwt7i6SRrN77zpZVEQUfvPMB4YZxv6flXoXhm3vrXw7Zwak8z3aKQ5m KlvvHAO0kcDA6k8cnOa84Hw81z/hEhomyL7OIBc/Z/MG37Xu6Z64z8+emeMYrYl0bxH/AG5qd9HH dxKIpzbzz3Bcq20hCsaOQ3OMKYxx1JYcs8B3Et54ouJbeC+isksAkxmvHnR7jeCThmO1sZ44r0ii iql/aWd4kC3qIyxzxyxbmxiRTlCPfPardFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF VbiwiubyzunaUSWjM0YSQhSWUqdw/i4PfvzVqiiuH0zxJfLog8UapqUC6e6zu1isI3Kse/8A1bZy zfJkg9ifSprrxveWU8dhPoRGqTSRCK3W7UoySFwrF8YHMbcY9Kx9Q8c6udWuEitTaWun6fdzXqq6 SP50QXhSRyBvXnuT7HOn4l8X6la2t+mj2KyNYtAlzdSyACJpNjcJj5/lcdxyfaoj8TrbN9ImlXcl rbxzskqq3zmIMWDZXagJRgDuPOPWm6n411qG/wBLsE0eO3vJ7qAyoblZFNvIWUYbH3iVP0x71O3j ia20OxvUsxeG4edSHl2SAJIy52IjEjjrjA4zyagtPHMuoXDXFuXNlPfWcVovlqrbJoQ+Hz0ye/UU /SPHdxb+GrXUvENn5Qmku18y3YP/AKou2Nox/BG4z6qP73HZ2M8l1YwTyw+S8iBjHv3bc9s964fT PHuovZ3Mk+li6jsY5Li9uUmWPZEJplG1MEsQsR7jJ+tRWvxEvbawkk1HTd9zPqNxb2ccbkgxxnPz FVJBA46HPtWjN4+lbTpruw0O4nNpZ/bLyOeT7O0SfPjAYZbPlv2HGD3oHjO4ugssenyQWv8Aacdh HKJUYzMWwQVI+Ue/WotK8cXVv4eg1HxDZeUstzdxB4HD48oyMBtGP4Y3GfVR/e42dW8QT2PhNdTj tlF9cKi21qz7vMlf7iAjGSfwo8G6rPq3h8S3dytxdxTywzOsRj5VyACOm4DAbGQGBGTiugoqpqFv YXCQC/WFlSeOSLzSABKGyhHvnGKt0UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUVzevM w8XeFAGIBubjIB4P+jv1rY1LVLLSLX7Tf3CwxFgoJySSewA5PAJ+gJ6CqsnifRop3ha/j3o8CHAJ GZjiPBAwd3r+dX5buGFo1YsTI4jARS2Cc9cdBx1PFZOk2nhu9eTWdNtbRnuQyvOseGYA7WyCPUUx tN8MeHxaRfYrO18+8TyAIus+DtI9DgHmrzaJo8styWsLVpLhHSfKAl1fG8N6g7Vz64FRXvh3QdXu o7i806zupogArugYqAcj8qr6nonhqzivtYv9OtVRYZHuZmizmPad+QOvy5zxUeoS+E7r+zJ737BO dQaOOxcqHM2Mum0jsMk56DNS6vp3hq30uGPU7O0WzWdViVo+BJI+BjHqz8/XJq3BoOjWscaQadaR pG8boFjACtGNqEe6jgelZOqaNodtawl5ls9MF4ks1tbxrsnneRdhYgFgd+3oQDk5yM1qC2s9EuNV 1ie6ZI7kpJL5rfJGEQINvpnH50zTrDQbvTpJbG0tGtb2IxyBYwBIuW3Kw9mZ8g9CTmsy5TwYkt3p 89vZBnvIkuI/JODPIMpkgdSO/wCdRa18P9C1eO2R28iziQxeQioUKE5IUsCUJyeVIP5CugTSdKhi jtxa24VJhcKpAz5o5D/73fNYUel6DrMcEWnSGPT5bmW5mgtoAsdxLHIAxdtuVIdexG7nqM10d3b2 V9ZSW11HDNbONro+Cp9qpJcaLokq2MAigeaJ7hYYYyS6xhVYgKOSAVGOp961FlRlRt2N4yobgn8D Sq6Pna6tjrg5rm/GuPsej5/6DNl/6NFdNRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR VW5s7O4vbO4nRWuLZ2a3YsQVYqVbA7/KTWNr/hu48QapZSPqEtpZWiOQsAVmlkcY5DqygBQcHBPz MOO/GL8LLuKW4aSHRr5lktHguLpT5sghk3MJPkONynacZ+6O3TorbwQ1sbeaMWaXQ1p9QuJkQhpY i0pVCcZJAkA544NY9n8Nr77BJYTHTbINHcpJe2QYzXQlDgCUFV4G4N1PKirGpeCtZ1vX7TV9RttE MlmbdYovMeQFUeRm5KDBO8cYP3eaZp/gHVdP1ue8a6julYTfvTdGGSbeGwsmyLfgEj/locbQR0Aq 3omh6p4N0rUbyPTrK6uX2CO2tEXe/wAwBzIsaZABJwVPQnPPHU+ItNl1jw1qemQuiS3drJAjPnaC ykDOO3Ncjc/DueWWJUvIxb206m0RskW8JVvMCjGAdzYAGBsVQelVNU8Aazq8enR3cOizJpVtHBai V3fzdssTEuCnyZSMg4z97HStObwnrJuIrWKTT/7OXVW1IyOz+Z8xZjHs27SAWx94ZA7VkWnw51qD UHcXOnwWjNEzRQYRZGSeOQNsWNQMKjAAlsbsZ6k9p4n0O58QW1rZR3htLYTrLcSJguwXkKFIKkE9 d3HHQ1hWfhHWtD1g32nXsGoBfOESX8hjIEpRn/1aYGGjBGFGd7E4I5x9K+Fs9nClvcx6TJC81lNc kISZfKH7xSCvIY8jPU9at6v8PL+6LrZ3Nstkl1JJb6e2FgSNkjA4aN1BDK5AC/8ALQ8jkF8fw7mN jqLStavqctvbx2l3KxllgZECsfMKhuTnkAfSpdK8B3mnoYIprOxjWHUIUksgQ4+0OrRvjAwyBcde wwfRR4JvH0m7tvsWhWryRqgSGMukzA58x9y7Q5/vbGI9+lY9p8MtViaSSZtLeV4Ly3jYkk26Sxoq bCsajhg5wAvEh7k519W8DahfGZY5bKRp7SOCO7mLebp7Km0tBgHqfm6rzWh4e8G/8I/Por2i2luL bTzb34t02fapcRhXOB82Cr8tz83ua6O/ksI0gOoGAI08aw+cBjzS3yYz/FnGPerdFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFVLm2sZr6ymuViN1C7G1LHDBipDbfX5Sfwrzzx3rmpWHiq eG0vZoxDpaXEMCX0cAaXfL1VgTJnao2j096svrmrzJrO/URbNHbae+HHlhDIrGQKSD5bN0DNkKcE 9Kyjq2s6hc6Xp2n3upzkvc+Ykd9EGbasbDFwFKyAbz0AwTt/hrpdYm8SaZouiNPqMCSfbraK7aOP 5pQ86rsyeANp5I5JHGM1R8dazfW2u6baRaiILd2n3Jb30ds3ypGQHdwQDliQB1BFQWOt32qWuiR6 3q82k281nPNJcJIsJaVJQiKXYYOUJOB1xkcVsavqGqQt4XnttUVrK5vIIZWWHY9zuDE5B+6uADgc 5qTxVqN7Fp58rUraBBeGNxDcCF2QJkJ5rArG+cE56jgckVm+HNZ1TUtVktba/eTbpgaP7WAwEgnd C2V/1gwMBxw2Ae9W9F1bU5fAVvdPqlt9uY3Sm5ukyWKNKFIRepG0HaOwNYkHiLUbXQ9aNpfXVxdw QLKm6aO8RcuFJEiAAHGfkI4HNatzf6XY6PdE+NrmSyR03SrNG8pZt2I0lxjJIHHUYOcA5pX8Q6lo /gg6i19YXsqLIUzMJHKggIu5eHZc/MR1qn4jvb/Rb6GGXXbiRIIBJ+7njimLZYsxjYfvweAsaYIx j+IU3XPGOqQazLNYQX81hpgi87ybUPHMWwZAzZ+UhTjH8JBzVq61fV4pPGLPqccgt9HS7svs6jZD lZ8Mp53E7FOT+HFU7PXbyPxJbm81eWQSTLHshmQqqnHyvARvGB1kBx36U628Y6lLrJuZhd2ulXks 1rFPNbqLe3Cg+XN5hOCCVc9gweMdua1rr1xJcW0uk+IpL3TpdRtYcyzxySybpcOwCj5IyMjBGT14 qU+J7jStbubm91OW5CPMPJgnQxvtDFY/IIDxH5Qu8kgt0++KTTPEmpuJrDXL6+037TClwl1cWywE EnDxoSTgcgg/wgZNT2eualbeHZdVF9JMLG+jtxFLIsqyxymJSGlUYkILkhlxjlTkg13d/cWNukBv miVXnjji8wZzKWwgHvnGKt0UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUVz3iPT9Tn1P RNR0y2t7mTT55XeKacxbg8TJw21uct6VZsUvb+dpNZ0Oxt2jA8l0uBcMTn3RduK0BGZJ7lJbWLyW VQHzuMowchhjgD6nOe1ZV1JrFnc+Vpnh7T5bWMfupGvfJIzy3yiI459+afZ3Wu3N2keo6HZQW3Uy JfmUqRyMKYxnnHfirt7ZxTGPOn21zvlHmeaB8oxjd0OTwBjj61DrMdwbOJLPSbTUCHH7q5lEaoMH kHY3Pbp3rPa+8UPt3eGtObacjOqE4Pr/AKmteaEvpsoNjbyTOm9rdyNjyY6FseoHOO3SnWySJZRy NZww3IhC+Sj5VSB9wNgcZ9vwrEF34lGzHhfTBsJK41M/KT1I/c8dT+daWjJci2lF3pNnpzF+I7ab zVcY6k7F5/CpYbC3aKSCXTbSOBZSY0VQysMD5iMAA9Rjnp15rM1CPUYna0sPDWm3NiFIUyXflZ3D 5hsETY/PmotJttUjaztLzw/ZR2luT5czaibiSHuNoaMHrgDkYAHpW+weOaOOK3jMEhYzNu2lT1zt x82T15H41l6/bXcthJY2Wj2t5b3UDW9wHuzblUIxgEI3Yn0xVGA69HJGf+EV0sFUEXmf2llwgGMZ 8nJ4rd1CNxpkkdtYwXTBQEtpX2RsMjgnacYHselUr/Q7SaySSHTLc3MMiXMcaP5IaVDlQXUdM+x+ lUDL4hM7TnwnpJlcANJ/aXzHGMZPk+w/IVtWguL2zDarp9vDN8wMSy+cuDx94qOo7YqrBpi3ckbX 2nQ262cz/ZYYpt8ZHaQrtADdeOcZPPNZ2uWmvavfWVsmnWcdjb6jBcm5N4S7JG4Y/u9nU4/vV1NF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFeXaQ3iiVPDqTSrFbPqF4qy/vXmHy3G0y qcKVBxgE/wB3FM1PxLrmqaTb30jNpUdtqNrDI8MTSiOQA+duAOWCtlCvTjOa2NI1vxDq2sWVot0i WQWeQ3n2EgXiI0QGASPLzvcd/uZrLuPEWrxeFtNjkn/siObS/NM5tJJi8xyPKAJ3KQMHJJPNd54a Mp8K6OZ/M842MPmeZndu2DOc85z61qUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUVHcQRXVtLbzJvilQo6nuCMEUyzsrbT7SO1tIUhgjGFRBwKnooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo oooooooooooor//Z ------=_NextPart_01C3F7CC.6A53C610 Content-Location: file:///C:/E567E524/SecurityScenarios-0.15-WGD_files/header.htm Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset="us-ascii"





 

 

 

 

WS-I Security Scenarios

 

 

 

 

V0.15 Feb= ruary 14, 2004   = ;            &n= bsp;            = ;            &n= bsp;            = ;            &n= bsp;            = ;            &n= bsp;            = ;            &n= bsp;            = ;   Page 2<= !--[if supportFields]> of 50=

 

© Copyright 2004 by the Web Services-Interoperability Organization and Certain of its Members.  All rights reserved.

 

V0.15 Feb= ruary 14, 2004   = ;            &n= bsp;            = ;            &n= bsp;            = ;            &n= bsp;            = ;            &n= bsp;            = ;            &n= bsp;            = ;   Page 1<= !--[if supportFields]> of 50=

 

© Copyright 2004 by the Web Services-Interoperability Organization and Certain of its Members.  All rights reserved.

 

------=_NextPart_01C3F7CC.6A53C610 Content-Location: file:///C:/E567E524/SecurityScenarios-0.15-WGD_files/filelist.xml Content-Transfer-Encoding: quoted-printable Content-Type: text/xml; charset="utf-8" ------=_NextPart_01C3F7CC.6A53C610--