FWIW, I concur with Michael M. His points and refutations appear quite clear and correct to me.

--
V/R,
Uri

From: 'Michael Markowitz' via pqc-forum
Reply-To: Michael Markowitz
Date: Friday, October 28, 2022 at 14:14
To: Mike Ounsworth, "pqc-forum@list.nist.gov"
Subject: [pqc-forum] RE: ISARA Dedicates Four Hybrid Certificate Patents to the Public, crypto-agility != hybrid certificates

Hi, Mike.

>I think this will be my last email on this thread because yeah, we’re well into a holy war.

So we do agree on something!

>I will say that you’re being very high on criticism, and very low on any concrete details or examples.

To summarize, my “details,” now relisted in what might be regarded as declining order of importance (but still rather poorly described), are:

· ephemerality of required hacks to certificate creation/parsing, path discovery/chain validation
· complexity of required modifications to revocation mechanisms (are there any that make sense? See below.)
· baroque complications to security policy handling, and likely protocol interoperability standards
· waste of communications bandwidth
· increased attack surfaces
· development/maintenance or ISARA code licensing costs

(I’ve removed lack of IETF support, not because I agree that it involves a circular argument, but because I just heard the subject is once again under debate in lamps; more on that below.)

>Again, I’m not trying to convince you to use any specific form of PQ migration mechanism. I’m just to argue that there are use cases for them.

And I’m trying to refute the efficacy of catalyst-based use case solutions. Our positions are pretty clear.

>Ok, let me expand. A server serves a Catalyst cert. If the client (and for that matter maybe even the protocol carrying it) is completely legacy and does not understand PQ or Catalyst, then it will treat it as a legacy cert and everything works. If the client does, then the PQC will be used.

You’ll have to explain how legacy certs accomplish the same because I don’t get it.

>It seems like, in order to support parallel PKIs, you’ll need protocols to have some kind of “I support parallel PKIs” upgrade flag. Some protocols may already have mechanisms flexible enough to accomplish this as they are (CMS SignedData comes to mind), but many do not. Needing to change dozens or hundreds of protocols to support parallel PKI and their upgrade flags sounds to me like way more work and risk than doing it at the X.509 or signature algorithm layer.

Speaking generically, since you haven’t suggested a particular protocol to analyze, one might counter by saying that servers generally serve certificates in response to stimuli (requests) and the context of the request is generally sufficient for the responder to decide whether the requestor is asking for an RSA, ECC, or QS key. To turn this around… try hitting a website with your RSA cert selected in Firefox as the default for client auth, then hit it again with your ECDSA cert selected… does the server care? Do I need a catalyst hybrid cert carrying both the RSA and ECDSA keys for this transparency?

>Disagree. Consider for example PIV smartcards. I am not a deep expert here, but I have been told that supporting a composite signature algorithm would be a relatively trivial firmware change. Supporting a Catalyst certificate (esp. if it creates one composite signature) is also a fairly trivial change. But supporting two certificates and producing two independent signatures is basically a re-build of the whole firmware and communication architecture.

I really was under the impression that PIV cards already carry two certificates… one for signing and one for encryption. No? And if they have two – handily injected by the issuing software upon initialization – they can certainly have four… four single SPK certs being not much larger, but certainly more flexible, than two catalyst certs.

> development/maintenance [costs]

I find it amusing that you think one change to X.509 is more work than changes to dozens or hundreds of protocols to both handle multiple certificates and to handle the upgrade / backwards compatibility case.

“one change to X.509?” You don’t think any modification to RFC 5280 will be required (for example)? Thought experiment: you’ve deployed your catalyst certs; you learn the apocalypse will arrive tomorrow, so you’ve got to deprecate, if you haven’t already, all RSA signature keys; whoops, that means you have to either revoke *all* certs and start over, or you must have carefully modified RFC 5280 to be able to kill off just the RSA extensions. This is just a sample of the ripple effect the use of “previously non-standard” catalyst certs will have on your standards infrastructure. Can’t imagine why this is simply glossed over in ISARA propaganda (cited below).

>Also, the farther you get from core crypto code, the less expert you should assume your developers. Take a UI developer who’s been asked to encrypt credit card numbers in POST bodies; we should not assume that they are gonna know how to correctly combine two public keys into one operation. So I’m arguing that a CA saying “I issued you two certificates, now go and do something clever with them” should not be the default solution for the internet because I believe it is actively dangerous. Go take a look at the [x.509] tag on stackoverflow: and tell me that this is fine; that we can make this more complicated on end users and nothing is going to go wrong.

You might have a point, or… we could simply follow NSA recommendations: forego the hybrid crypto operations and only employ “pure” key derivation and signature schemes. (Flag this as a feeble attempt at humor as I wearily try to finish off this thread.)

>Doesn’t dedicating the patents to the public mean no more licensing costs? Isn’t that what this thread is about?

I’m no longer that naïve. Four patents have been abandoned; there are dozens more. Besides, you just said you wanted to simply drop in a library that performs cert creation/parsing. Absent any indication that ISARA is giving away their library, I have to ask from whence you expect that to come. Yes, you can try implementing it yourself, but can you do it in such a way as to avoid all the patents you haven’t yet read? (The situation is vaguely reminiscent of Certicom’s attempts to inject point compression into various ECC standards. Hmmm. Anyone remember MQV? ISC received an NSA sublicense for that. Didn’t do us much good, did it? If you don’t remember MQV, let me just say that Certicom featured prominently in the nearly 4 decade long Mobius/RIM/Certicom/Blackberry/ISARA progression. If you try to follow the money there, you’ll end up thoroughly disgusted.)

> ephemerality of required hacks to certificate parsing semantics, modifications to security policy handling

>I’m not sure why this is a CON: X.509 is meant to be extended and we extend it to cover weird corner cases all the time.

You’re arguing that hybridization is somehow less ephemeral if you do it in the TLS / javascript / database / whatever-else-uses-crypto code?

You miss my point… let’s return to our thought experiment and go just beyond the apocalypse. Are you going to carry forward dead RSA keys in every cert – assuming RFC 5280 bis somehow allows that -- or simply drop that extension and revert to simple QS certs? Of course, you’re going to drop the extension. Now everything reverts to the previous X.509 status quo; I don’t see an alternative. For me, this is one of the more compelling arguments against undertaking the expensive, ephemeral code and policy mods I’ve tried to describe.

> changes to protocol interoperability standards

>I think you have this in the wrong column: this is a PRO for Composite and Catalyst, and a CON for parallel PKIs.

Just stumbled across: https://www.isara.com/openssl/2.1/ISARA-Catalyst-Connector-MPKAC-Tutorial.html

Is there a reasonable treatment of certificate revocation there? All I see, admittedly at first glance, is a reference to the current RFC 5280. So is it all-or-nothing?

> lack of IETF support.

>This is a circular argument of “you should stop working on this because it hasn’t been worked on yet”. No IETF WGs have yet adopted drafts for any kind of PQ/Traditional authentication (signature) scheme.

In my first message I cited TWO attempts (drafts) to introduce catalyst or catalyst-like hybrid certs and pointed out that both rather quickly failed to advance due to lack of WG support. But now that lamps might be going for a third round, I guess we’re tied on this issue for the time being.

You still haven’t answered my core question: other than the handwavy “why standardize 2 solutions when 1 will do?”, why are you so violently against other people taking a different hybridization approach than you? Personally, I don’t really care if you’re planning to use Catalyst or not, nobody’s asking you to. Why do you care so much whether me and my customers do?

I have addressed this point… also twice. The basic issue is interoperability. If you deploy hybrid catalyst certs and I stand up two independent PKI silos, our users really can’t interoperate, can they? Are we just moving into separate bubbles?

Michael J. Markowitz, Ph.D.
VP R&D

1011 Lake St., Suite 425, Oak Park, IL 60301
Phone: 708-445-1704
Web: www.infoseccorp.com
Email: markowitz@infoseccorp.com

CSsGAQQBgjcVBwQwMC4GJisGAQQBgjcVCIOD5R2H7Kdmhq2HFYPq8EWFtqEfHYXr0HCD6+0g AgFkAgELMCUGA1UdJQQeMBwGBFUdJQAGCCsGAQUFBwMEBgorBgEEAYI3CgMEMBkGA1UdEQQS MBCBDnVyaUBsbC5taXQuZWR1MBgGA1UdIAQRMA8wDQYLKoZIhvcSAgEDAQgwJwYJKwYBBAGC NxQCBBoeGABMAEwAVQBzAGUAcgBFAG4AYwAtAFMAVzANBgkqhkiG9w0BAQsFAAOCAQEAICZO a7qQQMDGZzRUaX+Mm/3meVo0nTEdNby178MGq6uYGUS4keIkljEoI+KiEMbT8rtCOBZwomnO HdJmLuRUEgrVAos27V4yjvoic8QKsz+qEhxslFg/2EYMAbTsyLqg34R+wG5o6K95ohUrgLud fPxAmcLOFBtIZBr/3DUIlzw4xHKiX2ruex7YOrQccgXb2qGtNB7tG6jAaXqFb+NZTJhj+3pd OiZiZanzpZvPLIH6Xe4awqDrok7q9ImwwSSQorNrJxKKtA3vLUW3DGvom3XDiOjDqpzhmqXC u6Wf7JfrSJRaudU2WyvYfPk7NQlkLR/1G6Xz+zKqO/cBt2aNATGCAf4wggH6AgEBMGgwUTEL MAkGA1UEBhMCVVMxHzAdBgNVBAoMFk1JVCBMaW5jb2xuIExhYm9yYXRvcnkxDDAKBgNVBAsM A1BLSTETMBEGA1UEAwwKTUlUTEwgQ0EtOAITJgAABVq3kr35c1qYVgAAAAAFWjANBglghkgB ZQMEAgEFAKBpMC8GCSqGSIb3DQEJBDEiBCAXFLbuJFOU9oGl60+uqIYzrnHpW6PYVH9TrbAz 6igwOjAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMjEwMjgx ODIwNDBaMA0GCSqGSIb3DQEBAQUABIIBAE+4pb312drSI6nEQbhxAz/DgNfwRJfPrJ7e3JYH aaxwzxJcCLd4mftTPp0rDXAkKSKS3U8D+3gmw8tJogWb6D02SlUjISlxT/mwpK8SwIKra0Du x7ZVM8CjTdcqYd/HkhbhWTuEra1h0HVE8xp57QrgMEJOpXQBKFMQHpU1D6th4GokwXe/DGwF HoFscu41zP2O36DJ8hW/HOc9xXj4yh5IEz5SGkB034WYgQq0MxyTDNMlGDN6cwOwgpT3mpB3 jDZypBOIpXwq0zn+P/yf/ppECTnuUa9uEko5DVf2kOI7h/gUxmwXJyeaX+l2QCvkmm9v2UzK QLeg9IGzYUzwk7Y= --B_3749811640_3414523539--