<?xml version='1.0' encoding='utf-8'?> <!DOCTYPE rfc [ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]><?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.21 (Ruby 3.3.6) --><rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-lamps-x509-shbs-13" number="9802" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true"version="3"> <!-- xml2rfc v2v3 conversion 3.25.0 -->version="3" xml:lang="en" updates="" obsoletes=""> <front> <title abbrev="HSS and XMSS for X.509">Use of the HSS and XMSS Hash-Based Signature Algorithms in Internet X.509 Public Key Infrastructure</title> <seriesInfoname="Internet-Draft" value="draft-ietf-lamps-x509-shbs-13"/>name="RFC" value="9802"/> <author initials="D." surname="Van Geest" fullname="Daniel Van Geest"> <organization>CryptoNext Security</organization> <address> <email>daniel.vangeest@cryptonext-security.com</email> </address> </author> <author initials="K." surname="Bashiri" fullname="Kaveh Bashiri"> <organization>BSI</organization> <address> <email>kaveh.bashiri.ietf@gmail.com</email> </address> </author> <author initials="S." surname="Fluhrer" fullname="Scott Fluhrer"> <organization>Cisco Systems</organization> <address> <email>sfluhrer@cisco.com</email> </address> </author> <author initials="S." surname="Gazdag" fullname="Stefan-Lukas Gazdag"> <organization>genua GmbH</organization> <address> <email>ietf@gazdag.de</email> </address> </author> <author initials="S." surname="Kousidis" fullname="Stavros Kousidis"> <organization>BSI</organization> <address> <email>kousidis.ietf@gmail.com</email> </address> </author> <dateyear="2024" month="December" day="12"/> <area>sec</area> <workgroup>LAMPS - Limited Additional Mechanismsyear="2025" month="June"/> <area>SEC</area> <workgroup>lamps</workgroup> <!-- [rfced] Please insert any keywords (beyond those that appear in the title) forPKIXuse on https://www.rfc-editor.org/search. --> <keyword>example</keyword> <!-- [rfced] We have updated the abstract for clarity. Please review andSMIME</workgroup> <keyword>Internet-Draft</keyword> <abstract> <?line 164?> <t>Thislet us know if any updates are needed. Original: This document specifies algorithm identifiers and ASN.1 encoding formats for the stateful hash-based signature (HBS) schemes Hierarchical Signature System (HSS), eXtended Merkle Signature Scheme (XMSS), and XMSS^MT, a multi-tree variant of XMSS. This specification applies to the Internet X.509 Public Key infrastructure (PKI) when those digital signatures are used in Internet X.509 certificates and certificate revocationlists.</t> </abstract> <note removeInRFC="true"> <name>Aboutlists. Perhaps: ThisDocument</name> <t> Status information for thisdocumentmay be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-lamps-x509-shbs/"/>. </t> <t> Discussionspecifies algorithm identifiers and ASN.1 encoding formats for the following stateful Hash-Based Signature (HBS) schemes: Hierarchical Signature System (HSS), eXtended Merkle Signature Scheme (XMSS), and XMSS^MT (a multi-tree variant of XMSS). When those digital signatures are used in Internet X.509 certificates and certificate revocation lists, thisdocument takes place onspecification applies to theLAMPS Working Group mailing list (<eref target="mailto:spasm@ietf.org"/>), which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/spasm/"/>. Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/spasm/"/>. </t> <t>SourceInternet X.509 Public Key Infrastructure (PKI). --> <!-- [rfced] Please note that we updated instances of MT in XMSS^MT to appear as superscript to match how it appears in [SP800208]. Please review and let us know if you prefer otherwise. Note that the text file will continue to display XMSS^MT, but the HTML and PDF will display MT in superscript. --> <abstract> <t>This document specifies algorithm identifiers and ASN.1 encoding formats forthis draftthe following stateful Hash-Based Signature (HBS) schemes: Hierarchical Signature System (HSS), eXtended Merkle Signature Scheme (XMSS), andan issue tracker can be found at <eref target="https://github.com/x509-hbs/draft-x509-shbs"/>.</t> </note>XMSS<sup>MT</sup> (a multi-tree variant of XMSS). This specification applies to the Internet X.509 Public Key infrastructure (PKI) when those digital signatures are used in Internet X.509 certificates and certificate revocation lists.</t> </abstract> </front> <middle><?line 173?><section anchor="introduction"> <name>Introduction</name> <t>StatefulHBSHash-Based Signature (HBS) schemes such asHSS, XMSSthe Hierarchical Signature System (HSS), eXtended Merkle Signature Scheme (XMSS), andXMSS^MTXMSS<sup>MT</sup> combine Merkle trees withOne TimeOne-Time Signatures(OTS)(OTS). This is done in order to provide digital signature schemes that remain secure even when quantum computers become available. Their theoretic security is well understood and depends only on the security of the underlying hash function. Assuchsuch, they can serve as an important building block for quantum computer resistant information and communication technology.</t> <t>A stateful HBS private key consists of a finite collection of OTS keys, along with state information that tracks the usage of these keys to ensure the security of the scheme. Only a limited number of messages can besignedsigned, and the private key's state must be updated and persisted after signing to prevent reuse of OTS keys. While the right selection of algorithm parameters would allow a private key to sign a virtually unbounded number of messages(e.g. 2^60),(e.g., 2<sup>60</sup>), this is at the cost of a larger signature size and longer signing time. Because the private key in stateful HBS schemes is stateful and the number of signatures that can be generated is limited, these schemes may be unsuitable for use in interactive protocols. However, in some usecasescases, the deployment of stateful HBS schemes may be appropriate. Such use cases are described and discussed in <xref target="use-cases-shbs-x509"/>.</t> </section> <section anchor="conventions-and-definitions"> <name>Conventions and Definitions</name><t>The<t> The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere.</t> <?line -18?>here. </t> </section> <section anchor="use-cases-shbs-x509"> <name>Use Cases of Stateful HBS Schemes in X.509</name> <t>As described in the Security Considerationsofin <xref target="sec-security"/>, it is imperative that stateful HBS implementations do not reuse OTS signatures. This makes stateful HBS algorithms inappropriate for general use cases. The exact conditions under which stateful HBS certificates may be used is left to certificate policies <xref target="RFC3647"/>.HoweverHowever, the intended use of stateful HBS schemes as described by <xref target="SP800208"/> can be used as a guideline:</t> <blockquote><t>1)1) it is necessary to implement a digital signature scheme in the near future;<br/>2) the implementation will have a long lifetime; and<br/>3) it would not be practical to transition to a different digital signature scheme once the implementation has beendeployed.</t>deployed. </blockquote> <t>In addition, since a stateful HBS private key can only generate a finite number of signatures, use cases for stateful HBS public keys in certificates should have a predictable range of the number of signatures that will be generated, falling safely below the maximum number of signatures that a private key can generate.</t> <t>Use cases where stateful HBS public keys in certificates may be appropriate due to the relatively small number of signatures generated and the signer's ability to enforce security restrictions on the signing environment include:</t> <ul spacing="normal"> <li> <t>Firmware signing(Section(see Section 1.1 of <xref target="SP800208"/>, Table IV of <xref target="CNSA2.0"/>, and Section 6.7 of <xref target="BSI"/>)</t> </li> <li> <t>Software signing(Table(see Table IV of <xreftarget="CNSA2.0"/>,target="CNSA2.0"/> and <xref target="ANSSI"/>)</t> </li> <li> <t>Certification Authority (CA)certificates.</t>certificates</t> </li> </ul> <t>In each of thesecasescases, the operator tightly controls their secured signing environment and can mitigate OTS key reuse by employing state management strategies such as those in <xref target="sec-security"/>.AlsoAlso, for secure private key backup and restoration, adequate mechanisms have to be implemented(<xref(see <xref target="backup-restore"/>).</t> <t>Generally speaking, stateful HBS public keys are not appropriate for use in end-entity certificates,howeverhowever, in the firmware and software signingcasescases, signature generation will often be more tightly controlled. Some manufactures use common and well-established key formats like X.509 for their code signing and update mechanisms.AlsoAlso, there are multi-partyIoTInternet of Things (IoT) ecosystems where publicly trusted code signing certificates are useful.</t> <t>In general, root CAs <xref target="RFC4949"/> generate signatures in a more secure environment and issue fewer certificates than subordinate CAs <xref target="RFC4949"/>. This makes the use of stateful HBS public keys more appropriate in root CA certificates than in subordinate CA certificates. However, if a subordinate CA can match the security and signature count restrictions of a root CA, forexampleexample, if the subordinate CA only issues code-signing certificates, then using a stateful HBS public key in the subordinate CA certificate may be practical.</t> </section> <section anchor="algorithm-identifiers-and-parameters"> <name>Algorithm Identifiers and Parameters</name> <t>In this document, we define newobject identifiersObject Identifiers (OIDs) for identifying the different stateful hash-based signature algorithms. An additional OID is defined in <xreftarget="I-D.ietf-lamps-rfc8708bis"/>target="RFC9708"/> and repeated here for convenience.</t> <!-- Sourcecode matches that from [RFC5912]. SG: blockquote not used because it causes margin issues. --> <t>The AlgorithmIdentifier type is defined in <xref target="RFC5912"/> as follows:</t> <sourcecode type="asn.1"><![CDATA[ AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::= SEQUENCE { algorithm ALGORITHM-TYPE.&id({AlgorithmSet}), parameters ALGORITHM-TYPE. &Params({AlgorithmSet}{@algorithm}) OPTIONAL } ]]></sourcecode> <aside> <t>NOTE: The above syntax is from <xref target="RFC5912"/> and is compatible with the 2021 ASN.1 syntax <xref target="X680"/>. See <xref target="RFC5280"/> for the 1988 ASN.1 syntax.</t> </aside> <t>The fields in AlgorithmIdentifier have the following meanings:</t><ul<dl spacing="normal"><li> <t>algorithm<dt>algorithm:</dt><dd>this identifies the cryptographic algorithm with an objectidentifier.</t> </li> <li> <t>parameters, whichidentifier.</dd> <dt>parameters:</dt><dd>these areoptional,optional and are the associated parameters for the algorithm identifier in the algorithmfield.</t> </li> </ul>field.</dd> </dl> <t>The parameters field of the AlgorithmIdentifier for HSS, XMSS, andXMSS^MTXMSS<sup>MT</sup> public keys <bcp14>MUST</bcp14> be absent.</t> <section anchor="hss-algorithm-identifier"> <name>HSS Algorithm Identifier</name> <t>The object identifier and public key algorithm identifier for HSS is defined in <xreftarget="I-D.ietf-lamps-rfc8708bis"/>.target="RFC9708"/>. The definitions are repeated here for reference.</t> <t>The AlgorithmIdentifier for an HSS public key <bcp14>MUST</bcp14> use the id-alg-hss-lms-hashsig object identifier.</t><artwork><![CDATA[<sourcecode type="asn.1"><![CDATA[ id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) alg(3) 17 }]]></artwork>]]></sourcecode> <t>Note that the id-alg-hss-lms-hashsig algorithm identifier is also referred to as id-alg-mts-hashsig. This synonym is based on the terminology used in an early draft of the document that became <xref target="RFC8554"/>.</t> <t>The public key and signature values identify the hash function and the height used in the HSS tree. <xref target="RFC8554"/> and <xref target="SP800208"/> define these values,but an IANA registry <xref target="IANA-LMS"/> permits the registration ofand additional identifiers can be registered in thefuture.</t>“Leighton-Micali Signatures (LMS)” registry <xref target="IANA-LMS"/>.</t> </section> <section anchor="xmss-algorithm-identifier"> <name>XMSS Algorithm Identifier</name> <t>The AlgorithmIdentifier for an XMSS public key <bcp14>MUST</bcp14> use the id-alg-xmss-hashsig object identifier.</t><artwork><![CDATA[<sourcecode type="asn.1"><![CDATA[ id-alg-xmss-hashsig OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) algorithms(6) 34 }]]></artwork>]]></sourcecode> <t>The public key and signature values identify the hash function and the height used in the XMSS tree. <xref target="RFC8391"/> and <xref target="SP800208"/> define these values,but an IANA registry <xref target="IANA-XMSS"/> permits the registration ofand additional identifiers can be registered in thefuture.</t>“Leighton-Micali Signatures (LMS)” registry <xref target="IANA-XMSS"/>.</t> </section> <section anchor="xmssmt-algorithm-identifier"><name>XMSS^MT<name>XMSS<sup>MT</sup> Algorithm Identifier</name> <t>The AlgorithmIdentifier for anXMSS^MTXMSS<sup>MT</sup> public key <bcp14>MUST</bcp14> use the id-alg-xmssmt-hashsig object identifier.</t><artwork><![CDATA[<sourcecode type="asn.1"><![CDATA[ id-alg-xmssmt-hashsig OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) algorithms(6) 35 }]]></artwork>]]></sourcecode> <t>The public key and signature values identify the hash function and the height used in theXMSS^MTXMSS<sup>MT</sup> tree. <xref target="RFC8391"/> and <xref target="SP800208"/> define these values,but an IANA registry <xref target="IANA-XMSS"/> permits the registration ofand additional identifiers can be registered in thefuture.</t>“Leighton-Micali Signatures (LMS)” registry <xref target="IANA-XMSS"/>.</t> </section> </section> <section anchor="public-key-identifiers"> <name>Public Key Identifiers</name> <t>Certificates conforming to <xref target="RFC5280"/> can convey a public key for any public key algorithm. The certificate indicates the algorithm through an algorithm identifier. An algorithm identifier consists of an OID and optional parameters.</t> <t><xref target="RFC8554"/> defines the encoding of HSS publickeyskeys, and <xref target="RFC8391"/> defines the encodings of XMSS andXMSS^MTXMSS<sup>MT</sup> public keys. When used in a SubjectPublicKeyInfo type, the subjectPublicKey BIT STRING contains these encodings of the public key.</t> <t>This document defines ASN.1 <xref target="X680"/> OCTET STRING types for encoding the public keys when not used in a SubjectPublicKeyInfo. The OCTET STRING is mapped to a subjectPublicKey (a value of type BIT STRING) as follows: the most significant bit of the OCTET STRING value becomes the most significant bit of the BIT STRING value, and so on; the least significant bit of the OCTET STRING becomes the least significant bit of the BIT STRING.</t> <section anchor="hss-public-keys"> <name>HSS Public Keys</name> <t>The HSS public key identifier is as follows:</t><artwork><![CDATA[<sourcecode type="asn.1"><![CDATA[ pk-HSS-LMS-HashSig PUBLIC-KEY ::= { IDENTIFIER id-alg-hss-lms-hashsig -- KEY no ASN.1 wrapping -- PARAMS ARE absent CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } }]]></artwork>]]></sourcecode> <t>The HSS public key is defined as follows:</t><artwork><![CDATA[<sourcecode type="asn.1"><![CDATA[ HSS-LMS-HashSig-PublicKey ::= OCTET STRING]]></artwork> <t><xref]]></sourcecode> <t> <xref target="RFC8554"/> defines the encoding of an HSS public key using the <tt>hss_public_key</tt> structure. See <xref target="SP800208"/> and <xref target="RFC8554"/> for more information on the contents and format of an HSS public key. Note that the Leighton-Micali Signature (LMS) single-tree signature scheme is instantiated as HSS with the number of levels being equal to 1.</t> </section> <section anchor="xmss-public-keys"> <name>XMSS Public Keys</name> <t>The XMSS public key identifier is as follows:</t><artwork><![CDATA[<sourcecode type="asn.1"><![CDATA[ pk-XMSS-HashSig PUBLIC-KEY ::= { IDENTIFIER id-alg-xmss-hashsig -- KEY no ASN.1 wrapping -- PARAMS ARE absent CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } }]]></artwork>]]></sourcecode> <t>The XMSS public key is defined as follows:</t><artwork><![CDATA[<sourcecode type="asn.1"><![CDATA[ XMSS-HashSig-PublicKey ::= OCTET STRING]]></artwork>]]></sourcecode> <t><xref target="RFC8391"/> defines the encoding of an XMSS public key using the <tt>xmss_public_key</tt> structure. See <xref target="SP800208"/> and <xref target="RFC8391"/> for more information on the contents and format of an XMSS public key.</t> </section> <section anchor="xmssmt-public-keys"><name>XMSS^MT<name>XMSS<sup>MT</sup> Public Keys</name> <t>TheXMSS^MTXMSS<sup>MT</sup> public key identifier is as follows:</t><artwork><![CDATA[<sourcecode type="asn.1"><![CDATA[ pk-XMSSMT-HashSig PUBLIC-KEY ::= { IDENTIFIER id-alg-xmssmt-hashsig -- KEY no ASN.1 wrapping -- PARAMS ARE absent CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } }]]></artwork>]]></sourcecode> <t>TheXMSS^MTXMSS<sup>MT</sup> public key is defined as follows:</t><artwork><![CDATA[<sourcecode type="asn.1"><![CDATA[ XMSSMT-HashSig-PublicKey ::= OCTET STRING]]></artwork>]]></sourcecode> <t><xref target="RFC8391"/> defines the encoding of anXMSS^MTXMSS<sup>MT</sup> public key using the <tt>xmssmt_public_key</tt> structure. See <xref target="SP800208"/> and <xref target="RFC8391"/> for more information on the contents and format of anXMSS^MTXMSS<sup>MT</sup> public key.</t> </section> </section> <section anchor="key-usage-bits"> <name>Key Usage Bits</name> <t>The intended application for the key is indicated in the keyUsage certificate extension <xref target="RFC5280"/>. When id-alg-hss-lms-hashsig,id-alg-xmss-hashsigid-alg-xmss-hashsig, or id-alg-xmssmt-hashsig appears in the SubjectPublicKeyInfo field of a CA X.509 certificate <xref target="RFC5280"/>, the certificate key usage extension <bcp14>MUST</bcp14> contain at least one of the following values: digitalSignature, nonRepudiation, keyCertSign, or cRLSign. However, it <bcp14>MUST NOT</bcp14> contain other values.</t> <t>When id-alg-hss-lms-hashsig,id-alg-xmss-hashsigid-alg-xmss-hashsig, or id-alg-xmssmt-hashsig appears in the SubjectPublicKeyInfo field of an end entity X.509 certificate <xref target="RFC5280"/>, the certificate key usage extension <bcp14>MUST</bcp14> contain at least one of the following values: digitalSignature, nonRepudiation or cRLSign. However, it <bcp14>MUST NOT</bcp14> contain other values.</t> </section> <section anchor="signature-algorithms"> <name>Signature Algorithms</name> <t>The same OIDs used to identify HSS, XMSS, andXMSS^MTXMSS<sup>MT</sup> public keys are also used to identify their respective signatures. When these algorithm identifiers appear in the algorithm field of an AlgorithmIdentifier, the encoding <bcp14>MUST</bcp14> omit the parameters field. That is, the AlgorithmIdentifier <bcp14>SHALL</bcp14> be a SEQUENCE of one component, one of the OIDs defined in the following subsections.</t> <t>When the signature algorithm identifiers described in this document are used to create a signature on a message, no digest algorithm is applied to the message before signing. That is, the full data to be signed is signed rather than a digest of the data.</t> <t>The format of an HSS signature is described in <xref section="6.2" sectionFormat="of" target="RFC8554"/>. The format of an XMSS signature is described in <xref section="B.2" sectionFormat="of"target="RFC8391"/>target="RFC8391"/>, and the format of anXMSS^MTXMSS<sup>MT</sup> signature is described in <xref section="C.2" sectionFormat="of" target="RFC8391"/>. The octet string representing the signature is encoded directly in a BIT STRING without adding any additional ASN.1 wrapping. For the Certificate and CertificateList structures, the octet string is encoded in the "signatureValue" BIT STRING field.</t> <section anchor="hss-signature-algorithm"> <name>HSS Signature Algorithm</name> <t>The id-alg-hss-lms-hashsig OID is used to specify that an HSS signature was generated on the full message,i.e.i.e., the message was not hashed before being processed by the HSS signature algorithm.</t> <t>See <xref target="SP800208"/> and <xref target="RFC8554"/> for more information on the contents and format of an HSS signature.</t> </section> <section anchor="xmss-signature-algorithm"> <name>XMSS Signature Algorithm</name> <t>The id-alg-xmss-hashsig OID is used to specify that an XMSS signature was generated on the full message,i.e.i.e., the message was not hashed before being processed by the XMSS signature algorithm.</t> <t>See <xref target="SP800208"/> and <xref target="RFC8391"/> for more information on the contents and format of an XMSS signature.</t> <t>The signature generation <bcp14>MUST</bcp14> be performed according to Section 7.2 of <xref target="SP800208"/>.</t> </section> <section anchor="xmssmt-signature-algorithm"><name>XMSS^MT<name>XMSS<sup>MT</sup> Signature Algorithm</name> <t>The id-alg-xmssmt-hashsig OID is used to specify that anXMSS^MTXMSS<sup>MT</sup> signature was generated on the full message,i.e.i.e., the message was not hashed before being processed by theXMSS^MTXMSS<sup>MT</sup> signature algorithm.</t> <t>See <xref target="SP800208"/> and <xref target="RFC8391"/> for more information on the contents and format of anXMSS^MTXMSS<sup>MT</sup> signature.</t> <t>The signature generation <bcp14>MUST</bcp14> be performed according to Section 7.2 of <xref target="SP800208"/>.</t> </section> </section> <section anchor="key-generation"> <name>Key Generation</name> <t>The key generation for XMSS andXMSS^MTXMSS<sup>MT</sup> <bcp14>MUST</bcp14> be performed according to Section 7.2 of <xreftarget="SP800208"/></t>target="SP800208"/>.</t> </section> <section anchor="sec-asn1"> <name>ASN.1 Module</name> <t>For reference purposes, the ASN.1 syntax is presented as an ASN.1 module here <xref target="X680"/>. Note that as per <xref target="RFC5280"/>, certificates use the Distinguished Encoding Rules; see <xref target="X690"/>. This ASN.1Modulemodule builds upon the conventions established in <xref target="RFC5912"/>. This module imports objects from <xref target="RFC5912"/> and <xreftarget="I-D.ietf-lamps-rfc8708bis"/>.</t> <t>RFC EDITOR: Please replace <xref target="I-D.ietf-lamps-rfc8708bis"/> in the module with a reference to the published RFC.</t> <artwork><![CDATA[target="RFC9708"/>.</t> <sourcecode type="asn1"><![CDATA[ X509-SHBS-2024 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)id-mod-pkix1-shbs-2024(TBD)id-mod-pkix1-shbs-2024(114) } DEFINITIONS IMPLICIT TAGS ::= BEGIN EXPORTS ALL; IMPORTS PUBLIC-KEY, SIGNATURE-ALGORITHM FROM AlgorithmInformation-2009 -- [RFC5912] { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-algorithmInformation-02(58) } sa-HSS-LMS-HashSig, pk-HSS-LMS-HashSig FROM MTS-HashSig-2013 --[I-D.ietf-lamps-rfc8708bis][RFC9708] { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) id-smime(16) id-mod(0) id-mod-mts-hashsig-2013(64) }; -- -- Object Identifiers -- -- id-alg-hss-lms-hashsig is defined in[I-D.ietf-lamps-rfc8708bis][RFC9708] id-alg-xmss-hashsig OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) algorithms(6) 34 } id-alg-xmssmt-hashsig OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) algorithms(6) 35 } -- -- Signature Algorithms and Public Keys -- -- sa-HSS-LMS-HashSig is defined in[I-D.ietf-lamps-rfc8708bis][RFC9708] sa-XMSS-HashSig SIGNATURE-ALGORITHM ::= { IDENTIFIER id-alg-xmss-hashsig PARAMS ARE absent PUBLIC-KEYS { pk-XMSS-HashSig } SMIME-CAPS { IDENTIFIED BY id-alg-xmss-hashsig } } sa-XMSSMT-HashSig SIGNATURE-ALGORITHM ::= { IDENTIFIER id-alg-xmssmt-hashsig PARAMS ARE absent PUBLIC-KEYS { pk-XMSSMT-HashSig } SMIME-CAPS { IDENTIFIED BY id-alg-xmssmt-hashsig } } -- pk-HSS-LMS-HashSig is defined in[I-D.ietf-lamps-rfc8708bis][RFC9708] pk-XMSS-HashSig PUBLIC-KEY ::= { IDENTIFIER id-alg-xmss-hashsig -- KEY no ASN.1 wrapping -- PARAMS ARE absent CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } XMSS-HashSig-PublicKey ::= OCTET STRING pk-XMSSMT-HashSig PUBLIC-KEY ::= { IDENTIFIER id-alg-xmssmt-hashsig -- KEY no ASN.1 wrapping -- PARAMS ARE absent CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } XMSSMT-HashSig-PublicKey ::= OCTET STRING -- -- Public Key (pk-) Algorithms -- PublicKeys PUBLIC-KEY ::= { -- This expands PublicKeys from RFC 5912 pk-HSS-LMS-HashSig | pk-XMSS-HashSig | pk-XMSSMT-HashSig, ... } -- -- Signature Algorithms (sa-) -- SignatureAlgs SIGNATURE-ALGORITHM ::= { -- This expands SignatureAlgorithms from RFC 5912 sa-HSS-LMS-HashSig | sa-XMSS-HashSig | sa-XMSSMT-HashSig, ... } END]]></artwork>]]></sourcecode> </section> <section anchor="sec-security"> <name>Security Considerations</name> <t>The security requirements of <xref target="SP800208"/> <bcp14>MUST</bcp14> be taken into account.</t> <t>As stateful HBS private keys can only generate a limited number of signatures, a user needs to be aware of the total number of signatures they intend to generate in their usecase, otherwisecase; otherwise, they risk exhausting the number of OTS keys in their private key.</t> <t>For stateful HBS schemes, it is crucial to stress the importance of correct state management. If an attacker were able to obtain signatures for two different messages created using the same OTS key, then it would become computationally feasible for that attacker to create forgeries <xref target="BH16"/>. As noted in <xref target="MCGREW"/> and <xref target="ETSI-TR-103-692"/>, extreme care needs to be taken in order to avoid the risk that an OTS key will be reused accidentally. This is a new requirement that most developers will not be familiar with and requires careful handling.</t> <t>Various strategies for a correct state management can be applied:</t> <ul spacing="normal"> <li> <t>Implement a record of all signatures generated by a key pair associated with a stateful HBS instance, forexampleexample, by logging the OTS key indexes as signatures are generated. This record may be stored outside the devicewhichthat is used to generate the signature. Check the record to prevent OTS key reuse before a new signature is released. If OTS key reuse is detected, freeze all new signature generation by the private key, re-audit previously released signatures (possibly revoking the private key if previously released signatures showed OTS key reuse), and perform a post-failure audit.</t> </li> <li> <t>Use a stateful HBS instance only for a moderate number of signatures such that it is always practical to keep a consistent record and be able to unambiguously trace back all generated signatures.</t> </li> <li> <t>Apply the state reservation strategy described in Section 5 of <xref target="MCGREW"/>, where upcoming states are reserved in advance by the signer. In thiswayway, the number of statesynchronisationssynchronizations between nonvolatile and volatile memory is reduced.</t> </li> </ul> </section> <section anchor="backup-restore"> <name>Backup and Restore Management</name> <t>Certificate Authorities have high demands in order to ensure the availability of signature generation throughout the validity period of signing key pairs.</t><t>Usual<!-- [rfced] Please review some questions regarding the following text: a) For ease of the reader, may we reformat this text as follows? Original: Usual backup and restore strategies when using a stateless signature scheme (e.g. SLH-DSA) are to duplicate private keying material and to operate redundant signing devices or to store and safeguard a copy of the private keying material such that it can be used to set up a new signing device in case of technical difficulties. Perhaps: Usual backup and restore strategies when using a stateless signature scheme (e.g., SLH-DSA) are to: * duplicate private keying material and operate redundant signing devices, or * store and safeguard a copy of the private keying material such that it can be used to set up a new signing device in case of technical difficulties. --> <t>Usual backup and restore strategies when using a stateless signature scheme (e.g., SLH-DSA) are to duplicate private keying material and to operate redundant signing devices or to store and safeguard a copy of the private keying material such that it can be used to set up a new signing device in case of technical difficulties.</t> <t>For stateful HBS schemes, such straightforward backup and restore strategies will lead to OTS reuse with high probability as a correct state management is not guaranteed. Strategies for maintaining availability and keeping a correct state are described in Section 7 of <xref target="SP800208"/> and <xreftarget="I-D.draft-wiggers-hbs-state"/>.</t>target="I-D.wiggers-hbs-state"/>.</t> </section> <section anchor="iana-considerations"> <name>IANA Considerations</name><t>One<t>IANA has registered the following object identifier for the ASN.1 modulein(see <xreftarget="sec-asn1"/> is requested fortarget="sec-asn1"/>) in theSMI"SMI Security for PKIX ModuleIdentifiersIdentifier" (1.3.6.1.5.5.7.0) registry:</t> <table> <thead> <tr> <th align="left">Decimal</th> <th align="left">Description</th> <th align="left">References</th> </tr> </thead> <tbody> <tr> <tdalign="left">TBD</td>align="left">114</td> <td align="left">id-mod-pkix1-shbs-2024</td> <tdalign="left">[EDNOTE: THIS RFC]</td>align="left">RFC 9802</td> </tr> </tbody> </table> <t>IANA hasupdatedregistered the following entries in the "SMI Security for PKIX Algorithms" (1.3.6.1.5.5.7.6) registry <xreftarget="SMI-PKIX"/> with two additional entries:</t>target="SMI-PKIX"/>:</t> <table> <thead> <tr> <th align="left">Decimal</th> <th align="left">Description</th> <th align="left">References</th> </tr> </thead> <tbody> <tr> <td align="left">34</td> <td align="left">id-alg-xmss-hashsig</td> <tdalign="left">[EDNOTE: THIS RFC]</td>align="left">RFC 9802</td> </tr> <tr> <td align="left">35</td> <td align="left">id-alg-xmssmt-hashsig</td> <tdalign="left">[EDNOTE: THIS RFC]</td>align="left">RFC 9802</td> </tr> </tbody> </table> </section> </middle> <back> <displayreference target="I-D.wiggers-hbs-state" to="S-HBS"/> <references anchor="sec-combined-references"> <name>References</name> <references anchor="sec-normative-references"> <name>Normative References</name><reference anchor="I-D.ietf-lamps-rfc8708bis"> <front> <title>Use of the HSS/LMS Hash-Based Signature Algorithm in the Cryptographic Message Syntax (CMS)</title> <author fullname="Russ Housley" initials="R." surname="Housley"> <organization>Vigil Security, LLC</organization> </author> <date day="19" month="September" year="2024"/> <abstract> <t> This document specifies the conventions for using the Hierarchical Signature System (HSS) / Leighton-Micali Signature (LMS) hash-based signature algorithm with the Cryptographic Message Syntax (CMS). In addition, the algorithm identifier and public key syntax are provided. The HSS/LMS algorithm is one form of hash-based digital signature; it is described in RFC 8554. This document obsoletes RFC 8708. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-lamps-rfc8708bis-03"/> </reference> <reference anchor="RFC5912"> <front> <title>New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)</title> <author fullname="P. Hoffman" initials="P." surname="Hoffman"/> <author fullname="J. Schaad" initials="J." surname="Schaad"/> <date month="June" year="2010"/> <abstract> <t>The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes.</t> </abstract> </front> <seriesInfo name="RFC" value="5912"/> <seriesInfo name="DOI" value="10.17487/RFC5912"/> </reference> <reference anchor="RFC5280"> <front> <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title> <author fullname="D. Cooper" initials="D." surname="Cooper"/> <author fullname="S. Santesson" initials="S." surname="Santesson"/> <author fullname="S. Farrell" initials="S." surname="Farrell"/> <author fullname="S. Boeyen" initials="S." surname="Boeyen"/> <author fullname="R. Housley" initials="R." surname="Housley"/> <author fullname="W. Polk" initials="W." surname="Polk"/> <date month="May" year="2008"/> <abstract> <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5280"/> <seriesInfo name="DOI" value="10.17487/RFC5280"/> </reference> <reference anchor="RFC8391"> <front> <title>XMSS: eXtended Merkle Signature Scheme</title> <author fullname="A. Huelsing" initials="A." surname="Huelsing"/> <author fullname="D. Butin" initials="D." surname="Butin"/> <author fullname="S. Gazdag" initials="S." surname="Gazdag"/> <author fullname="J. Rijneveld" initials="J." surname="Rijneveld"/> <author fullname="A. Mohaisen" initials="A." surname="Mohaisen"/> <date month="May" year="2018"/> <abstract> <t>This note describes the eXtended Merkle Signature Scheme (XMSS), a hash-based digital signature system that is based on existing descriptions in scientific literature. This note specifies Winternitz One-Time Signature Plus (WOTS+), a one-time signature scheme; XMSS, a single-tree scheme; and XMSS^MT, a multi-tree variant of XMSS. Both XMSS and XMSS^MT use WOTS+ as a main building block. XMSS provides cryptographic digital signatures without relying on the conjectured hardness of mathematical problems. Instead, it is proven that it only relies on the properties of cryptographic hash functions. XMSS provides strong security guarantees and is even secure when the collision resistance of the underlying hash function is broken. It is suitable for compact implementations, is relatively simple to implement, and naturally resists side-channel attacks. Unlike most other signature systems, hash-based signatures can so far withstand known attacks using quantum computers.</t> </abstract> </front> <seriesInfo name="RFC" value="8391"/> <seriesInfo name="DOI" value="10.17487/RFC8391"/> </reference> <reference anchor="RFC8554"> <front> <title>Leighton-Micali Hash-Based Signatures</title> <author fullname="D. McGrew" initials="D." surname="McGrew"/> <author fullname="M. Curcio" initials="M." surname="Curcio"/> <author fullname="S. Fluhrer" initials="S." surname="Fluhrer"/> <date month="April" year="2019"/> <abstract> <t>This note describes a digital-signature system based on cryptographic hash functions, following the seminal work in this area of Lamport, Diffie, Winternitz, and Merkle, as adapted by Leighton and Micali in 1995. It specifies a one-time signature scheme and a general signature scheme. These systems provide asymmetric authentication without using large integer mathematics and can achieve a high security level. They are suitable for compact implementations, are relatively simple to implement, and are naturally resistant to side-channel attacks. Unlike many other signature systems, hash-based signatures would still be secure even if it proves feasible for an attacker to build a quantum computer.</t> <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. This has been reviewed by many researchers, both in the research group and outside of it. The Acknowledgements section lists many of them.</t> </abstract> </front> <seriesInfo name="RFC" value="8554"/> <seriesInfo name="DOI" value="10.17487/RFC8554"/> </reference><xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9708.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5912.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8391.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8554.xml"/> <reference anchor="SP800208" target="https://doi.org/10.6028/NIST.SP.800-208"> <front> <title>Recommendation for Stateful Hash-Based Signature Schemes</title> <authorinitials="" surname="National Institute of Standards and Technology (NIST)"> <organization/> </author>fullname="David A. Cooper" surname="Cooper" initials="D"/> <author fullname="Daniel C. Apon" surname="Apon" initials="D"/> <author fullname="Quynh H. Dang" surname="Dang" initials="Q"/> <author fullname="Michael S. Davidson" surname="Davidson" initials="M"/> <author fullname="Morris J. Dworkin" surname="Dworkin" initials="M"/> <author fullname="Carl A. Miller" surname="Miller" initials="C"/> <date year="2020" month="October" day="29"/> </front> <seriesInfo name="NIST SP" value="800-208"/> <seriesInfo name="DOI" value="10.6028/nist.sp.800-208"/> </reference> <reference anchor="X680" target="https://www.itu.int/rec/T-REC-X.680"> <front> <title>Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation</title> <author> <organization>ITU-T</organization> </author> <date year="2021" month="February"/> </front> <seriesInfo name="ITU-T Recommendation" value="X.680"/> <seriesInfo name="ISO/IEC" value="8824-1:2021"/> </reference> <reference anchor="X690" target="https://www.itu.int/rec/T-REC-X.690"> <front> <title>Informationtechnology - Abstract Syntax Notation One (ASN.1):technology: ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)</title> <author> <organization>ITU-T</organization> </author> <date year="2021" month="February"/> </front> <seriesInfo name="ITU-T Recommendation" value="X.690"/> <seriesInfo name="ISO/IEC" value="8825-1:2021"/> </reference><reference anchor="RFC2119"> <front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <author fullname="S. Bradner" initials="S." surname="Bradner"/> <date month="March" year="1997"/> <abstract> <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="2119"/> <seriesInfo name="DOI" value="10.17487/RFC2119"/> </reference> <reference anchor="RFC8174"> <front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <author fullname="B. Leiba" initials="B." surname="Leiba"/> <date month="May" year="2017"/> <abstract> <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="8174"/> <seriesInfo name="DOI" value="10.17487/RFC8174"/> </reference><xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> </references> <references anchor="sec-informative-references"> <name>Informative References</name><reference anchor="RFC3279"> <front> <title>Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title> <author fullname="L. Bassham" initials="L." surname="Bassham"/> <author fullname="W. Polk" initials="W." surname="Polk"/> <author fullname="R. Housley" initials="R." surname="Housley"/> <date month="April" year="2002"/> <abstract> <t>This document specifies algorithm identifiers and ASN.1 encoding formats for digital signatures and subject public keys used in the Internet X.509 Public Key Infrastructure (PKI). Digital signatures are used to sign certificates and certificate revocation list (CRLs). Certificates include the public key of the named subject. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="3279"/> <seriesInfo name="DOI" value="10.17487/RFC3279"/> </reference> <reference anchor="RFC3647"> <front> <title>Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework</title> <author fullname="S. Chokhani" initials="S." surname="Chokhani"/> <author fullname="W. Ford" initials="W." surname="Ford"/> <author fullname="R. Sabett" initials="R." surname="Sabett"/> <author fullname="C. Merrill" initials="C." surname="Merrill"/> <author fullname="S. Wu" initials="S." surname="Wu"/> <date month="November" year="2003"/> <abstract> <t>This document presents a framework to assist the writers of certificate policies or certification practice statements for participants within public key infrastructures, such as certification authorities, policy authorities, and communities of interest that wish to rely on certificates. In particular, the framework provides a comprehensive list of topics that potentially (at the writer's discretion) need to be covered in a certificate policy or a certification practice statement. This document supersedes RFC 2527.</t> </abstract> </front> <seriesInfo name="RFC" value="3647"/> <seriesInfo name="DOI" value="10.17487/RFC3647"/> </reference> <reference anchor="RFC4949"> <front> <title>Internet Security Glossary, Version 2</title> <author fullname="R. Shirey" initials="R." surname="Shirey"/> <date month="August" year="2007"/> <abstract> <t>This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed. This memo provides information for the Internet community.</t> </abstract> </front> <seriesInfo name="FYI" value="36"/> <seriesInfo name="RFC" value="4949"/> <seriesInfo name="DOI" value="10.17487/RFC4949"/> </reference> <reference anchor="RFC8410"> <front> <title>Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure</title> <author fullname="S. Josefsson" initials="S." surname="Josefsson"/> <author fullname="J. Schaad" initials="J." surname="Schaad"/> <date month="August" year="2018"/> <abstract> <t>This document specifies algorithm identifiers and ASN.1 encoding formats for elliptic curve constructs using the curve25519 and curve448 curves. The signature algorithms covered are Ed25519 and Ed448. The key agreement algorithms covered are X25519 and X448. The encoding for public key, private key, and Edwards-curve Digital Signature Algorithm (EdDSA) structures is provided.</t> </abstract> </front> <seriesInfo name="RFC" value="8410"/> <seriesInfo name="DOI" value="10.17487/RFC8410"/> </reference> <reference anchor="RFC8411"> <front> <title>IANA Registration for the Cryptographic Algorithm Object Identifier Range</title> <author fullname="J. Schaad" initials="J." surname="Schaad"/> <author fullname="R. Andrews" initials="R." surname="Andrews"/> <date month="August" year="2018"/> <abstract> <t>When the Curdle Security Working Group was chartered, a range of object identifiers was donated by DigiCert, Inc. for the purpose of registering the Edwards Elliptic Curve key agreement and signature algorithms. This donated set of OIDs allowed for shorter values than would be possible using the existing S/MIME or PKIX arcs. This document describes the donated range and the identifiers that were assigned from that range, transfers control of that range to IANA, and establishes IANA allocation policies for any future assignments within that range.</t> </abstract> </front> <seriesInfo name="RFC" value="8411"/> <seriesInfo name="DOI" value="10.17487/RFC8411"/> </reference><xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3279.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3647.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4949.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8410.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8411.xml"/> <reference anchor="MCGREW" target="https://eprint.iacr.org/2016/357"> <front> <title>State Management for Hash-Based Signatures</title> <author initials="D." surname="McGrew"> <organization/> </author> <author initials="P." surname="Kampanakis"> <organization/> </author> <author initials="S." surname="Fluhrer"> <organization/> </author> <author initials="S." surname="Gazdag"> <organization/> </author> <author initials="D." surname="Butin"> <organization/> </author> <author initials="J." surname="Buchmann"> <organization/> </author> <date year="2016" month="November" day="02"/> </front> <refcontent>Cryptology ePrint Archive, Paper 2016/357</refcontent> </reference> <reference anchor="BH16"target="https://eprint.iacr.org/2016/1042.pdf">target="https://eprint.iacr.org/2016/1042"> <front> <title>Oops, I did it again – Security of One-Time Signatures under Two-Message Attacks.</title> <author initials="L." surname="Bruinderink"> <organization/> </author> <author initials="S." surname="Hülsing"> <organization/> </author> <date year="2016"/> </front> <refcontent>Cryptology ePrint Archive, Paper 2016/1042</refcontent> </reference> <!-- [rfced] References: The original URL for the reference [CNSA2.0] returns a 404 error. We found the following archived URL for this page from the Internet Archive's Wayback Machine: https://web.archive.org/web/20220908002358/https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF Is there a better URL, or may we replace the current URL with this archived link? This URL has an archive date of 8 September 2022 (the original date for this reference was 7 September 2025). --> <reference anchor="CNSA2.0" target="https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF"> <front> <title>Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) Cybersecurity Advisory (CSA)</title><author initials="" surname="National<author> <organization>National Security Agency(NSA)"> <organization/>(NSA)</organization> </author> <date year="2022" month="September" day="07"/> </front> </reference> <reference anchor="ETSI-TR-103-692" target="https://www.etsi.org/deliver/etsi_tr/103600_103699/103692/01.01.01_60/tr_103692v010101p.pdf"> <front><title>State<title>CYBER; State management for stateful authentication mechanisms</title> <author initials="" surname="European Telecommunications Standards Institute (ETSI)"> <organization/> </author> <date year="2021" month="November"/> </front> <seriesInfo name="ETSI TR" value="103 692 v1.1.1"/> </reference> <reference anchor="IANA-LMS" target="https://www.iana.org/assignments/leighton-micali-signatures/"> <front> <title>Leighton-Micali Signatures (LMS)</title><author initials="" surname="IANA"> <organization/><author> <organization>IANA</organization> </author><date>n.d.</date></front> </reference> <reference anchor="IANA-XMSS" target="https://iana.org/assignments/xmss-extended-hash-based-signatures/"> <front> <title>XMSS: Extended Hash-Based Signatures</title><author initials="" surname="IANA"> <organization/><author> <organization>IANA</organization> </author><date>n.d.</date></front> </reference> <reference anchor="SMI-PKIX"target="https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.6">target="https://www.iana.org/assignments/smi-numbers"> <front> <title>SMI Security for PKIX Algorithms</title><author initials="" surname="IANA"> <organization/><author> <organization>IANA</organization> </author><date>n.d.</date></front> </reference> <reference anchor="ANSSI" target="https://cyber.gouv.fr/sites/default/files/document/follow_up_position_paper_on_post_quantum_cryptography.pdf"> <front> <title>ANSSI views on the Post-Quantum Cryptography transition (2023 follow up)</title> <author initials="" surname="Agence nationale de la sécurité des systèmes d'information (ANSSI)"> <organization/> </author> <date year="2023" month="December" day="21"/> </front> </reference> <reference anchor="BSI" target="https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Brochure/quantum-safe-cryptography.pdf"> <front> <title>Quantum-safe cryptography – fundamentals, current developments and recommendations</title> <author initials="" surname="Bundesamt für Sicherheit in der Informationstechnik (BSI)"> <organization/> </author> <date year="2022" month="May" day="18"/> </front> </reference><reference anchor="I-D.draft-wiggers-hbs-state"> <front> <title>Hash-based Signatures: State and Backup Management</title> <author fullname="Thom Wiggers" initials="T." surname="Wiggers"> <organization>PQShield</organization> </author> <author fullname="Kaveh Bashiri" initials="K." surname="Bashiri"> <organization>BSI</organization> </author> <author fullname="Stefan Kölbl" initials="S." surname="Kölbl"> <organization>Google</organization> </author> <author fullname="Jim Goodman" initials="J." surname="Goodman"> <organization>Crypto4A Technologies</organization> </author> <author fullname="Stavros Kousidis" initials="S." surname="Kousidis"> <organization>BSI</organization> </author> <date day="24" month="September" year="2024"/> <abstract> <t> Stateful Hash-Based Signature Schemes (S-HBS) such as LMS, HSS, XMSS and XMSS^MT combine Merkle trees with One-Time Signatures (OTS) to provide signatures that are resistant against attacks using large- scale quantum computers. Unlike conventional stateless digital signature schemes, S-HBS have a state to keep track of which OTS keys have been used,<!-- [draft-wiggers-hbs-state-01] IESG State: I-D Exists asdouble-signing with the same OTS key allows forgeries. This document provides guidance and documents security considerations for the operational and technical aspectsofdeploying systems that rely on S-HBS. Management of the state of the S-HBS, including any handling of redundant key material, is a sensitive topic, and we discuss some approaches to handle the associated challenges. We also describe the challenges that need to be resolved before certain approaches should be considered. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-wiggers-hbs-state-01"/> </reference>27 Jan 2025. --> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.wiggers-hbs-state.xml"/> </references> </references><?line 694?><section anchor="hss-x509-v3-certificate-example"> <name>HSS X.509 v3 Certificate Example</name> <t>This section shows a self-signed X.509 v3 certificate using HSS.</t><artwork><![CDATA[<sourcecode type="x509"><![CDATA[ Certificate: Data: Version: 3 (0x2) Serial Number: e8:91:d6:06:91:4f:ce:f3 Signature Algorithm: hss Issuer: C = US, ST = VA, L = Herndon, O = Bogus CA Validity Not Before: May 14 08:58:11 2024 GMT Not After : May 14 08:58:11 2034 GMT Subject: C = US, ST = VA, L = Herndon, O = Bogus CA Subject Public Key Info: Public Key Algorithm: hss hss public key: PQ key material: 00:00:00:01:00:00:00:05:00:00:00:04:c0:96:12: 8b:ea:38:30:78:eb:f6:fb:43:d7:7f:9f:9e:81:39: e2:7c:b9:34:4e:6e:53:19:f0:ee:68:75:85:83:d3: 2b:e9:7b:14:46:9e:4e:c5:e3:5a:18:0b:30:e5:13 X509v3 extensions: X509v3 Subject Key Identifier: 58:15:AB:F4:CF:03:69:02:60:7A:57:4D:C5:D5:B3:72: 8A:19:21:68 X509v3 Authority Key Identifier: 58:15:AB:F4:CF:03:69:02:60:7A:57:4D:C5:D5:B3:72: 8A:19:21:68 X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Certificate Sign, CRL Sign Signature Algorithm: hss Signature Value: 00:00:00:00:00:00:00:00:00:00:00:04:9c:37:52:ff:b9:d7: df:f5:5b:01:ba:50:c2:50:cc:6f:f3:b1:73:df:0c:2a:ea:b3: ed:96:1e:ce:e7:58:05:da:8d:a7:77:21:42:32:d9:f9:4a:4d: f7:2b:18:2a:1c:5c:69:03:f3:1c:9c:95:6d:31:9a:c9:ca:84: 4d:ae:b3:8b:c3:71:ac:3f:87:51:be:38:b4:bf:d9:dc:90:1f: 1e:54:bd:f9:1a:65:70:d4:46:b6:ad:4d:6d:16:b9:fb:29:f4: e3:86:42:4a:3f:a4:8f:01:84:9b:44:0b:23:22:9c:97:6d:d5: b9:26:39:11:ab:46:82:bd:10:6c:b4:7a:64:ed:c7:40:b0:33: f0:b5:81:1c:b4:41:54:9c:30:d9:d2:93:ba:48:8c:4f:d0:25: 41:60:7b:90:5e:12:20:b7:30:16:16:1e:b7:ee:d8:4b:ee:ed: 3c:70:fc:ff:36:18:aa:24:23:87:91:65:a8:95:2d:b6:1c:d1: 02:7b:70:81:8a:18:17:c0:45:62:fe:47:a1:3e:69:54:31:67: 58:9a:e1:e3:c9:8d:ee:1e:2a:d1:46:75:e9:e4:90:67:01:57: 92:54:db:b4:ea:de:8b:e7:eb:fc:27:80:9b:d5:da:e0:8e:b0: b3:08:ca:6f:a1:1c:f4:40:65:b0:f6:f8:c9:a7:97:04:c8:7c: 9e:56:ec:2f:4b:cd:45:8b:d7:e6:a7:50:c7:e6:21:2c:17:31: 23:11:7a:ae:9a:b5:84:5f:e6:5c:82:99:a8:3a:a9:91:87:9a: 24:5c:83:01:91:7c:fc:cd:be:2e:92:50:fb:12:11:96:08:0d: c9:24:0d:bb:6f:fb:59:05:af:7f:96:bc:a3:f4:58:e2:fa:0a: 4a:f2:4c:f7:b3:1b:81:dd:4a:41:a0:b1:dd:52:4c:bb:6d:c0: a8:d9:bb:29:c8:fc:e3:7e:f8:6a:e5:5e:c4:e4:e8:7c:0b:00: 87:15:75:a2:06:50:97:c6:1f:14:52:79:04:a8:9c:ec:b1:c7: 6a:46:33:98:b8:63:f7:a7:2c:d4:62:78:94:1c:5d:9d:4f:a6: 0a:ae:39:50:85:b2:09:8d:62:c9:4c:11:9f:0c:91:a5:ac:2d: 11:bd:71:b6:0c:ea:34:98:53:fc:2e:cc:7b:a4:9c:2e:7a:a4: 8d:e2:e8:8c:01:a9:9c:3e:b5:34:77:33:82:01:d4:ef:72:04: d6:5b:e5:f6:2c:1b:ae:86:c4:73:02:44:85:d6:f7:ac:a3:e8: f6:a9:b5:5c:6d:46:88:da:55:b8:2b:7a:4c:0c:9a:e7:cd:5d: 62:8a:ca:c8:96:ce:8d:71:7b:d2:c1:0d:9a:35:55:2b:84:3e: 0e:a5:fa:d6:a0:76:8e:23:b3:df:c9:3b:4f:68:56:1e:e9:3c: 79:5b:d3:25:54:11:ad:a6:ac:58:11:49:8f:4d:c4:c1:39:99: 76:3a:a6:d1:2f:57:ad:bf:7c:9d:57:cc:37:0d:29:84:29:7b: cb:46:85:c3:81:c5:33:9a:65:c3:2f:01:48:ca:44:6c:f1:84: 3d:d0:49:c2:c1:05:db:77:4c:b9:72:3d:6f:ce:69:f2:91:c6: 15:25:8f:da:38:7e:ef:5b:3e:5f:35:ab:a6:78:16:28:42:c1: 2c:2f:9e:11:53:2c:bd:c4:24:7b:e9:c4:ce:3d:d6:41:c7:5d: 92:91:c3:37:cb:72:44:d7:0d:70:85:13:0b:ac:b3:0f:b0:e5: e3:2e:48:b9:9c:b8:d7:3e:7c:50:69:03:7a:5f:ae:f8:6c:09: 61:97:6b:ce:cd:e5:f0:55:fe:05:f8:97:1d:9e:81:65:f5:ff: 9a:7a:8c:96:d8:f8:cf:d8:dc:55:ce:67:7a:00:6b:fd:bb:3f: 1b:3d:65:94:c1:5a:b6:a0:8e:be:a4:be:26:90:5f:1f:06:d4: ea:3f:a6:97:40:8e:bf:18:5c:92:0f:15:e3:05:4a:14:51:1e: 23:81:ef:cf:f7:a8:88:75:f8:2d:28:37:26:87:27:63:5c:01: 53:0e:5e:53:d2:a7:18:eb:2f:c0:82:49:05:b0:4d:33:6f:94: 10:91:77:f8:90:9e:ca:fe:bb:3d:c4:42:d6:89:84:98:42:f4: 24:b3:b4:db:5e:2b:66:a9:ff:6c:18:d4:79:f8:72:73:53:9b: 02:ed:04:73:77:a4:68:cf:4b:be:4b:16:50:62:87:f9:49:99: e3:a1:0c:42:92:bc:a9:e3:2d:22:82:35:7f:71:15:88:70:6a: 01:ab:44:64:ad:e5:52:d4:97:ee:bb:44:7b:6e:08:7f:dd:94: fd:c9:1c:6b:59:d1:92:51:29:03:ce:ec:bf:41:a5:14:69:54: 3a:b4:39:d9:44:5d:f1:b2:f4:5c:6b:9f:c9:5f:bb:fc:c8:c7: a3:8b:e1:ec:e2:d0:69:5a:40:1c:9c:9d:8a:3d:77:3b:c1:5d: c0:72:61:4b:37:c5:96:8c:6d:8b:f8:56:da:ac:3e:3c:72:09: ce:f6:c3:fe:5d:cf:37:d9:68:cd:a7:dd:f7:96:63:da:8c:1d: df:b8:32:cf:eb:97:11:83:fe:6b:aa:b9:e2:4b:b2:ea:62:73: c3:1c:e9:40:90:56:4f:12:c3:ba:f4:2b:d9:1c:50:cc:e0:51: d8:eb:bf:67:28:0c:2d:13:8d:b3:6f:13:6a:1d:a7:54:20:ba: 82:5b:b8:e5:1f:89:f1:67:26:c1:dc:1b:60:57:ed:a6:2c:f2: 17:01:7f:a5:e7:5c:64:c9:3c:08:f2:cf:48:ec:88:84:ef:03: c2:f5:eb:05:31:7d:fe:7f:3c:71:41:28:17:64:5f:b9:ec:54: 79:d0:b3:98:fb:84:9c:36:8b:43:0b:d4:c9:ec:09:4a:70:13: 62:f2:36:c8:b4:75:cc:2a:77:08:a0:9d:ef:19:d6:88:dc:e2: b2:4e:40:61:71:cb:c7:c3:de:16:6f:49:7f:5e:d5:17:00:00: 00:05:79:47:12:9f:ce:eb:1d:a8:fd:0d:b0:18:44:6a:ef:54: 28:46:e4:19:f6:2d:3e:74:bb:9d:36:0a:ae:67:4a:28:7a:1b: 80:39:a0:08:2a:28:a0:ec:55:ee:55:aa:a1:cc:94:d4:36:1a: b3:57:25:30:ad:2c:5e:63:ba:22:fc:aa:7a:59:64:f6:d8:03: 20:28:71:f9:dc:09:fa:4c:81:b9:64:1b:ad:ea:cb:db:18:17: 5d:d8:98:bd:d2:8d:c5:04:7c:5b:92:9a:89:f6:bc:d6:55:c7: 08:5d:3c:58:8e:18:ac:6f:88:a8:d7:9e:d4:ee:5d:f5:21:4e: a5:8b:19:5f:e3:f4:66:f9:25:4d:f9:c6:60:62:31:72:5c:34: 34:67:1a:a7:6a:7d:54:a3:d8:9b:1f:5b:f8:08:41:79:5b:43]]></artwork> <artwork><![CDATA[]]></sourcecode> <sourcecode type="x509"><![CDATA[ -----BEGIN CERTIFICATE----- MIIGnjCCAXagAwIBAgIJAOiR1gaRT87zMA0GCyqGSIb3DQEJEAMRMD8xCzAJBgNV BAYTAlVTMQswCQYDVQQIDAJWQTEQMA4GA1UEBwwHSGVybmRvbjERMA8GA1UECgwI Qm9ndXMgQ0EwHhcNMjQwNTE0MDg1ODExWhcNMzQwNTE0MDg1ODExWjA/MQswCQYD VQQGEwJVUzELMAkGA1UECAwCVkExEDAOBgNVBAcMB0hlcm5kb24xETAPBgNVBAoM CEJvZ3VzIENBME4wDQYLKoZIhvcNAQkQAxEDPQAAAAABAAAABQAAAATAlhKL6jgw eOv2+0PXf5+egTnifLk0Tm5TGfDuaHWFg9Mr6XsURp5OxeNaGAsw5ROjYzBhMB0G A1UdDgQWBBRYFav0zwNpAmB6V03F1bNyihkhaDAfBgNVHSMEGDAWgBRYFav0zwNp AmB6V03F1bNyihkhaDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAN BgsqhkiG9w0BCRADEQOCBREAAAAAAAAAAAAAAAAEnDdS/7nX3/VbAbpQwlDMb/Ox c98MKuqz7ZYezudYBdqNp3chQjLZ+UpN9ysYKhxcaQPzHJyVbTGaycqETa6zi8Nx rD+HUb44tL/Z3JAfHlS9+RplcNRGtq1NbRa5+yn044ZCSj+kjwGEm0QLIyKcl23V uSY5EatGgr0QbLR6ZO3HQLAz8LWBHLRBVJww2dKTukiMT9AlQWB7kF4SILcwFhYe t+7YS+7tPHD8/zYYqiQjh5FlqJUtthzRAntwgYoYF8BFYv5HoT5pVDFnWJrh48mN 7h4q0UZ16eSQZwFXklTbtOrei+fr/CeAm9Xa4I6wswjKb6Ec9EBlsPb4yaeXBMh8 nlbsL0vNRYvX5qdQx+YhLBcxIxF6rpq1hF/mXIKZqDqpkYeaJFyDAZF8/M2+LpJQ +xIRlggNySQNu2/7WQWvf5a8o/RY4voKSvJM97Mbgd1KQaCx3VJMu23AqNm7Kcj8 4374auVexOTofAsAhxV1ogZQl8YfFFJ5BKic7LHHakYzmLhj96cs1GJ4lBxdnU+m Cq45UIWyCY1iyUwRnwyRpawtEb1xtgzqNJhT/C7Me6ScLnqkjeLojAGpnD61NHcz ggHU73IE1lvl9iwbrobEcwJEhdb3rKPo9qm1XG1GiNpVuCt6TAya581dYorKyJbO jXF70sENmjVVK4Q+DqX61qB2jiOz38k7T2hWHuk8eVvTJVQRraasWBFJj03EwTmZ djqm0S9Xrb98nVfMNw0phCl7y0aFw4HFM5plwy8BSMpEbPGEPdBJwsEF23dMuXI9 b85p8pHGFSWP2jh+71s+XzWrpngWKELBLC+eEVMsvcQke+nEzj3WQcddkpHDN8ty RNcNcIUTC6yzD7Dl4y5IuZy41z58UGkDel+u+GwJYZdrzs3l8FX+BfiXHZ6BZfX/ mnqMltj4z9jcVc5negBr/bs/Gz1llMFatqCOvqS+JpBfHwbU6j+ml0COvxhckg8V 4wVKFFEeI4Hvz/eoiHX4LSg3JocnY1wBUw5eU9KnGOsvwIJJBbBNM2+UEJF3+JCe yv67PcRC1omEmEL0JLO0214rZqn/bBjUefhyc1ObAu0Ec3ekaM9LvksWUGKH+UmZ 46EMQpK8qeMtIoI1f3EViHBqAatEZK3lUtSX7rtEe24If92U/ckca1nRklEpA87s v0GlFGlUOrQ52URd8bL0XGufyV+7/MjHo4vh7OLQaVpAHJydij13O8FdwHJhSzfF loxti/hW2qw+PHIJzvbD/l3PN9lozafd95Zj2owd37gyz+uXEYP+a6q54kuy6mJz wxzpQJBWTxLDuvQr2RxQzOBR2Ou/ZygMLRONs28Tah2nVCC6glu45R+J8Wcmwdwb YFftpizyFwF/pedcZMk8CPLPSOyIhO8DwvXrBTF9/n88cUEoF2RfuexUedCzmPuE nDaLQwvUyewJSnATYvI2yLR1zCp3CKCd7xnWiNzisk5AYXHLx8PeFm9Jf17VFwAA AAV5RxKfzusdqP0NsBhEau9UKEbkGfYtPnS7nTYKrmdKKHobgDmgCCoooOxV7lWq ocyU1DYas1clMK0sXmO6Ivyqellk9tgDIChx+dwJ+kyBuWQbrerL2xgXXdiYvdKN xQR8W5Kaifa81lXHCF08WI4YrG+IqNee1O5d9SFOpYsZX+P0ZvklTfnGYGIxclw0 NGcap2p9VKPYmx9b+AhBeVtD -----END CERTIFICATE-----]]></artwork>]]></sourcecode> </section> <section anchor="xmss-x509-v3-certificate-example"> <name>XMSS X.509 v3 Certificate Example</name> <t>This section shows a self-signed X.509 v3 certificate using XMSS.</t><artwork><![CDATA[<sourcecode type="x509"><![CDATA[ Certificate: Data: Version: 3 (0x2) Serial Number: 54:7e:64:70:29:9e:03:c5:7a:a5:5c:78:d1:27:87:8c: 54:35:17:5d Signature Algorithm: xmss Issuer: C = FR, L = Paris, O = Bogus XMSS CA Validity Not Before: Jul 10 08:27:24 2024 GMT Not After : Jul 8 08:27:24 2034 GMT Subject: C = FR, L = Paris, O = Bogus XMSS CA Subject Public Key Info: Public Key Algorithm: xmss xmss public key: PQ key material: 00:00:00:01:2b:eb:bf:66:14:de:6f:96:5b:4d:2a: 50:00:7b:ad:5c:22:b0:13:79:72:02:14:a9:5f:fc: 96:e0:9b:78:8e:d6:be:8c:1c:70:3c:d8:dd:78:b2: 1a:14:47:be:1f:0d:74:72:3f:36:76:c2:cb:19:ad: 29:90:0b:82:de:9b:7f:df X509v3 extensions: X509v3 Subject Key Identifier: 62:CE:35:A5:47:77:FF:21:87:2E:BC:2D:27:E7:8E:F4: 35:6B:CF:D8 X509v3 Authority Key Identifier: 62:CE:35:A5:47:77:FF:21:87:2E:BC:2D:27:E7:8E:F4: 35:6B:CF:D8 X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Certificate Sign, CRL Sign Signature Algorithm: xmss Signature Value: 00:00:00:00:e5:88:a8:b8:73:ad:4d:92:f8:5c:81:c5:8a:63: 57:6a:a7:3b:54:aa:b6:06:8a:d9:f1:c2:0b:c8:27:1e:4b:a2: cf:e2:da:44:ea:e8:f2:40:a8:b9:54:9c:49:36:12:24:df:74: ad:e5:29:ef:4f:da:88:0d:21:5d:3b:64:63:27:d0:84:b5:95: 7a:30:18:37:cd:34:17:dd:ac:9d:9e:48:db:74:07:79:84:21: 5a:f0:26:cd:21:64:7b:77:33:48:58:67:9b:2c:b2:85:6d:cc: ec:31:4b:2f:51:55:3a:85:e1:ca:04:15:ce:6e:47:39:f5:e9: 31:45:41:ed:71:c6:4f:96:f5:ae:64:6a:bd:72:d0:8c:17:02: 99:10:1d:14:34:ca:e5:47:e3:f7:66:96:96:11:d5:97:76:76: 83:f1:84:a5:b6:00:5e:3e:67:97:7a:32:dc:c8:eb:4c:29:46: 77:99:d6:da:45:e6:7b:8c:45:6d:b5:29:6b:fd:98:a2:89:8d: 0c:30:42:f5:0b:7c:97:c5:b1:1d:e2:da:67:a9:48:a4:9e:29: f4:60:3f:4d:1d:48:83:82:38:ef:fa:cb:1d:86:11:a1:15:94: fb:d5:ee:68:f9:44:b9:3d:54:70:f3:be:17:8d:d7:2e:85:2d: 5c:d0:a0:c5:99:52:cc:79:e7:1c:18:d9:6e:3d:0f:6c:05:51: 33:28:35:e2:02:59:5f:1f:ed:78:0a:c6:62:f0:7d:fe:73:96: 03:4c:b4:42:e3:00:c2:d7:cb:eb:51:10:c4:0c:64:b8:37:fe: 85:d0:8e:11:6d:a6:16:77:b1:1e:01:d9:1e:f3:10:9c:dd:01: bc:38:75:5e:8f:58:9e:5b:6c:7b:0a:41:08:59:35:a9:3a:83: 19:e0:7d:a1:f5:cf:a3:1c:4e:07:e1:ad:03:95:f2:d3:8b:79: 33:f8:52:22:53:1b:1e:32:9a:61:3f:c4:7c:9a:e8:d5:b5:28: f1:84:65:d5:c1:fc:4d:16:93:88:93:69:ca:fa:94:a0:95:4e: 23:ae:1e:60:e0:e8:b4:bf:ff:16:95:71:0f:31:74:bb:be:b8: 5a:eb:24:95:8b:95:28:13:cd:e3:a9:65:f7:f5:6e:9b:a9:a9: 7a:05:ce:ab:f0:54:62:d9:12:f8:a1:1a:68:df:af:15:8f:8a: df:67:27:c9:ed:bd:e1:81:a6:8d:9a:84:f3:91:36:d9:89:74: 8e:ef:84:dc:5c:03:1a:08:e4:d7:f0:72:fc:6d:8a:01:34:94: e5:ff:08:51:1b:80:5f:e7:07:d8:9f:25:e4:1d:c3:f8:e5:d0: 9c:50:cf:66:71:f9:cc:f7:c0:a7:d0:66:01:b7:17:a0:5f:66: 97:a4:ff:62:ac:1c:a0:63:0d:30:28:e9:90:d5:59:a4:48:d8: 07:87:02:4b:3f:68:23:a5:04:dc:b3:d7:45:f6:dc:b0:ec:c6: 90:a6:1c:a1:f8:7e:84:ba:63:7e:5a:64:14:78:58:f5:75:c0: f5:e1:1d:bd:49:57:c0:40:08:07:99:7f:43:2e:e2:25:d8:ed: a3:1a:e3:78:f1:78:af:02:49:54:36:59:8e:d3:72:a5:0b:52: 32:bd:17:a2:cf:e1:47:21:28:3d:ba:b6:24:d9:18:f9:44:73: 35:ed:29:a4:18:bc:ed:68:cd:4a:9a:34:cb:1a:2f:b3:5f:ba: 73:9b:18:ee:7a:a8:92:25:65:25:81:04:63:1c:22:2b:b8:ba: 81:21:bc:f9:9d:a8:78:98:75:bc:ed:4a:c6:b7:6f:c0:91:24: eb:1d:f9:5d:e0:e3:78:4e:05:f6:34:0f:7b:41:54:49:20:a2: 30:66:94:f1:da:c1:6c:3f:5e:10:92:92:a3:0c:7e:e8:8b:26: 11:1c:d7:68:c9:31:79:b3:a4:d5:63:00:68:c3:e3:86:2d:09: 92:4b:2d:63:7d:b8:03:a4:4c:60:b4:2c:12:d5:0b:9f:16:28: ea:88:2f:bb:1c:19:0b:0f:40:3d:67:e8:0b:fa:c6:e3:39:44: b2:bd:8a:3f:21:dd:aa:ec:a3:8c:48:dd:4c:99:43:86:d7:48: 81:6b:e5:b9:bb:59:9f:1c:0f:3f:11:f7:7c:4b:67:a8:95:c2: 7c:cb:3b:66:b0:79:a6:55:6f:6d:b0:29:8a:5e:7b:ee:30:68: f3:dd:41:29:91:f6:79:71:ae:8d:21:70:78:1d:5d:d2:f7:cf: e7:42:38:d1:8c:52:a6:a6:f6:b1:38:b1:2b:23:81:e1:1f:21: 6d:99:3f:10:eb:b1:a9:73:b8:3e:31:99:cc:dd:2b:df:58:27: db:0b:5a:29:99:8f:b1:9f:e9:31:42:d0:26:db:53:b7:7e:30: 41:95:c3:f0:07:83:bb:b0:63:b5:16:48:f2:a6:60:2f:32:5d: 22:a1:da:76:4e:37:26:53:0d:95:7b:2d:b9:05:2f:93:2b:d4: df:c1:02:5b:f7:a5:a2:4f:11:5c:80:f4:f0:bd:c7:ea:3c:db: 6f:e2:eb:6c:7f:c3:58:d9:31:77:4b:4d:f7:ce:bb:d6:c8:64: a3:01:d5:f9:a4:8d:e8:f0:ee:09:06:2c:0b:3c:ac:0a:57:d8: e4:81:79:ea:4a:bd:51:03:88:4c:d0:4c:0b:c4:0c:7e:2d:e7: df:1b:67:62:c0:d1:9c:ad:bb:d3:f0:75:dd:83:aa:70:99:2c: 19:78:3d:26:2b:47:6f:24:c1:60:02:1e:4b:75:04:91:1f:08: 1c:b3:79:a0:9b:db:fb:5d:3f:c7:e3:09:1f:41:3e:64:bb:ad: 19:3d:35:e1:a6:f4:69:0b:a2:04:37:42:95:c6:c7:e5:f4:56: 0e:67:5b:78:34:bb:07:f1:8f:e7:73:5b:87:d7:df:c9:2d:8d: 8c:42:76:87:15:85:4b:23:03:20:34:e1:1b:f6:0c:1e:84:53: d9:1b:4e:d9:31:43:38:3b:88:12:84:d8:2a:38:b1:ce:0f:c7: 07:d4:63:2d:97:89:1c:b3:44:99:eb:d4:df:32:74:be:0d:63: 11:22:fd:fa:8e:e2:0b:56:12:56:0c:46:16:ad:44:10:26:98: dc:cf:c9:95:67:3e:11:c1:76:fa:b8:12:ea:96:f6:d9:91:ac: bf:49:b9:1c:8e:15:05:53:ac:9e:04:d2:5b:b8:87:bf:81:50: f7:02:a4:c0:9c:18:0f:45:ac:7a:82:cf:46:15:42:40:09:32: 89:a5:ea:90:a5:99:68:f9:93:0c:7b:d6:7a:a8:e9:51:e2:90: 9e:b9:ed:21:db:d9:7e:de:dc:62:6b:44:6b:9f:81:c5:77:39: 8e:1d:78:30:de:dc:53:80:e0:c3:fa:fa:94:68:28:91:98:86: ff:86:04:a9:bd:58:7c:31:37:1f:db:9a:29:f3:c1:48:10:20: 71:5f:fc:35:13:eb:7b:12:e2:7d:1c:cc:97:fe:8f:5c:a2:dd: f6:d2:a3:b2:ea:51:b3:ef:b1:1e:79:0b:00:53:f4:f2:52:75: 5a:d7:17:c5:31:a0:54:4e:2b:28:2c:4f:6b:7a:27:3a:2c:04: da:b3:1d:04:4e:a4:4e:94:5c:a8:91:70:ab:c0:4b:75:9f:b3: 6a:a9:4e:8a:22:e9:7f:fd:ec:53:e7:6a:6d:32:0b:8b:ab:4c: e7:7d:72:ec:04:62:1c:1a:45:1e:33:8e:37:ae:6a:2f:c8:fb: f3:69:ed:11:01:f3:f4:57:e9:29:d5:3b:0c:9c:0c:c4:cb:c3: 38:5c:01:e7:d6:31:c3:d8:ce:24:d7:be:71:9b:c8:96:13:ca: 5c:5d:e4:92:40:af:86:a0:4b:ff:a7:55:39:70:fd:ac:0a:e1: 87:c7:01:4b:c3:41:36:c6:c6:33:8f:4f:25:4a:8d:70:92:ac: 7c:95:cc:49:a9:dc:d6:6a:67:52:a5:5b:7f:2f:bb:91:e3:be: d6:28:fc:22:d0:72:66:e8:09:73:a7:23:c6:a6:89:38:0b:e5: d0:b3:f1:40:38:9c:4d:17:96:11:17:44:ef:e3:94:51:91:4c: 5d:fe:d9:ed:c3:76:a0:2d:3b:dc:8d:b9:31:15:f6:75:58:74: 2f:57:b4:29:21:29:6d:5f:eb:06:71:0a:f4:db:ff:c6:2f:16: 73:a7:76:6b:d0:5b:a7:21:5c:fd:f0:11:e8:6f:9b:d0:c9:c9: fe:35:76:4a:4a:63:9b:ba:48:ac:af:4f:91:67:9c:5c:47:d8: e3:2d:03:12:5e:f1:cb:56:34:75:69:95:ad:68:96:6c:e7:4a: 91:72:fb:9b:ba:e8:92:56:fb:9a:5b:5d:3b:9d:d3:c5:c4:52: 42:1b:f9:4a:47:42:dd:77:49:da:2b:bd:d7:94:5f:7b:b8:64: b9:06:32:7c:ea:d1:36:f6:95:b8:57:41:1b:6e:66:31:2c:ee: 87:7a:5c:19:2f:d8:95:4a:16:93:48:f3:97:25:3d:24:61:1e: d0:63:37:ee:3a:c9:a3:46:c5:94:a0:7e:24:cc:7f:72:8d:14: 9e:3c:33:ec:cd:9a:dd:b5:08:90:98:19:95:85:38:ff:ff:d2: 1e:bf:a6:c4:97:13:2b:3d:47:e9:57:59:d3:7d:99:01:6e:53: 4d:c0:82:97:fb:89:d6:7c:b7:23:0e:7d:6e:23:88:53:06:8f: 16:ff:40:0a:1b:cd:d5:1e:91:01:3e:77:3a:5f:c1:57:3a:7b: c6:d5:51:d7:e2:ec:89:12:6b:9d:03:e4:9d:bb:7d:4e:02:bf: 67:8d:03:ca:90:56:f0:9a:97:4b:02:2d:4c:31:89:82:76:97: fe:2f:d5:0a:3d:ea:0d:38:6c:30:75:5f:ae:91:53:d7:45:64: df:ba:0b:22:80:44:85:6d:0e:5c:29:7f:82:9e:54:a3:7a:95: be:96:79:66:9d:5b:a2:d6:2e:47:c6:99:7d:2b:32:dc:f2:b6: 02:91:6d:63:d4:93:45:60:c4:42:71:10:9e:fb:90:2f:e6:75: 71:ce:78:70:c1:da:ff:e1:47:fe:79:2b:8e:9a:81:bf:dd:02: e3:78:39:71:17:b3:23:14:11:9d:29:8e:21:a1:98:b0:ac:03: 5a:6c:9e:62:64:ef:4f:03:ca:37:a6:ed:e4:78:d5:0d:99:29: f5:5c:61:e6:48:cb:97:0e:5e:f9:2c:f6:b6:c7:7c:0c:a4:f7: 1a:f7:67:b5:5c:03:bf:bf:7a:e2:4d:a2:9b:5d:5d:5f:51:d0: d6:52:8f:2a:20:68:08:bb:f0:9c:05:0e:ef:b3:49:0c:2a:1d: 8f:f9:03:b7:61:09:71:88:7d:e2:8c:e4:b8:ac:98:1b:c3:80: 55:a1:6b:dd:13:a2:29:4f:93:93:d3:d5:01:31:3f:7b:39:0e: 3a:57:6c:eb:5c:6a:5f:1b:ad:97:bd:97:23:18:91:05:0e:2b: b4:b1:11:ee:f8:58:c7:08:d0:de:a2:3e:ba:54:8d:3d:63:da: 91:50:3a:24:8d:19:18:23:2e:cf:30:8d:5d:e3:e7:02:93:fa: c8:f8:ea:05:e6:eb:06:80:90:4d:15:58:3d:26:98:13:4b:b0: ac:dd:90:2e:d0:e1:eb:71:32:83:5d:2a:a9:b9:b5:24:fc:e9: ec:18:ca:c9:a1:05:59:3e:fa:af:ed:4e:86:b1:fe:40:47:9b: 42:77:af:9c:2b:a0:e2:3e:fd:51:ab:02:77:e8:f1:39:45:aa: 54:b6:14:d4:14:20:fc:36:81:e6:04:98:8a:a0:c0:8a:cf:ae: f6:b5:dc:b7:eb:26:86:d3:cf:1c:38:65:54:04:b1:b5:09:48: f5:2d:07:ba:f8:eb:49:bd:d9:b1:54:ea:ac:c2:0d:20:10:79: c1:cb:e9:dc:2d:ff:55:50:4f:f6:05:02:78:31:33:6f:15:7e: 24:5a:66:23:70:b3:b2:0c:17:39:ce:15:38:c5:ff:60:16:38: 60:74:72:c9:70:d8:59:b7:80:7f:da:f6:67:3f:d0:ba:be:1b: a1:87:da:92:2d:a3:6c:99:29:57:aa:cb:d1:8d:66:f1:2d:c9: 56:60:24:56:4b:19:9f:f5:65:84:89:86:7d:4d:8b:f8:5b:60: dd:af:2d:66:76:6c:66:d9:c6:f5:39:25:6c:e5:7b:43:97:64: 5c:c5:20:1e:3d:b5:dc:92:b2:9c:d8:1b:1b:e0:bc:44:7b:9c: 95:c5:53:48:91:b2:a5:46:16:bf:50:af:a5:44:cc:54:78:3f: ed:20:d8:2e:0b:41:3d:f1:04:9d:df:3c:4a:d7:81:04:ff:8c: b7:79:f8:51:8d:b7:2e:ac:2c:54:e6:fc:43:76:8e:f9:be:8c: b8:5c:ad:c4:13:af:b0:6e:3b:d1:82:57:1e:f5:52:84:ca:cc: d2:68:f3:2d:04:ff:27:0a:e6:a2:fa:c0:a9:97:d6:64:45:18: 5c:6f:9e:c1:64:22:66:db:56:02:c3:a8:57:fc:87:1b:5c:43: 15:8e:58:fc:f2:00:0b:4f:6a:4b:a0:5c:da:f2:e5:1b:82:4a: 6b:ef:db:63:d7:7d:93:1d:2f:20:78:37:17:22:82:cd:6b:c1: 83:61:05:81:99:0c:25:29:d6:5f:22:bc:06:67:7d:67]]></artwork> <artwork><![CDATA[]]></sourcecode> <sourcecode type="x509"><![CDATA[ -----BEGIN CERTIFICATE----- MIILSDCCAW+gAwIBAgIUVH5kcCmeA8V6pVx40SeHjFQ1F10wCgYIKwYBBQUHBiIw NTELMAkGA1UEBhMCRlIxDjAMBgNVBAcMBVBhcmlzMRYwFAYDVQQKDA1Cb2d1cyBY TVNTIENBMB4XDTI0MDcxMDA4MjcyNFoXDTM0MDcwODA4MjcyNFowNTELMAkGA1UE BhMCRlIxDjAMBgNVBAcMBVBhcmlzMRYwFAYDVQQKDA1Cb2d1cyBYTVNTIENBMFMw CgYIKwYBBQUHBiIDRQAAAAABK+u/ZhTeb5ZbTSpQAHutXCKwE3lyAhSpX/yW4Jt4 jta+jBxwPNjdeLIaFEe+Hw10cj82dsLLGa0pkAuC3pt/36NjMGEwHQYDVR0OBBYE FGLONaVHd/8hhy68LSfnjvQ1a8/YMB8GA1UdIwQYMBaAFGLONaVHd/8hhy68LSfn jvQ1a8/YMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMAoGCCsGAQUF BwYiA4IJxQAAAAAA5YiouHOtTZL4XIHFimNXaqc7VKq2BorZ8cILyCceS6LP4tpE 6ujyQKi5VJxJNhIk33St5SnvT9qIDSFdO2RjJ9CEtZV6MBg3zTQX3aydnkjbdAd5 hCFa8CbNIWR7dzNIWGebLLKFbczsMUsvUVU6heHKBBXObkc59ekxRUHtccZPlvWu ZGq9ctCMFwKZEB0UNMrlR+P3ZpaWEdWXdnaD8YSltgBePmeXejLcyOtMKUZ3mdba ReZ7jEVttSlr/ZiiiY0MMEL1C3yXxbEd4tpnqUiknin0YD9NHUiDgjjv+ssdhhGh FZT71e5o+US5PVRw874XjdcuhS1c0KDFmVLMeeccGNluPQ9sBVEzKDXiAllfH+14 CsZi8H3+c5YDTLRC4wDC18vrURDEDGS4N/6F0I4RbaYWd7EeAdke8xCc3QG8OHVe j1ieW2x7CkEIWTWpOoMZ4H2h9c+jHE4H4a0DlfLTi3kz+FIiUxseMpphP8R8mujV tSjxhGXVwfxNFpOIk2nK+pSglU4jrh5g4Oi0v/8WlXEPMXS7vrha6ySVi5UoE83j qWX39W6bqal6Bc6r8FRi2RL4oRpo368Vj4rfZyfJ7b3hgaaNmoTzkTbZiXSO74Tc XAMaCOTX8HL8bYoBNJTl/whRG4Bf5wfYnyXkHcP45dCcUM9mcfnM98Cn0GYBtxeg X2aXpP9irBygYw0wKOmQ1VmkSNgHhwJLP2gjpQTcs9dF9tyw7MaQphyh+H6EumN+ WmQUeFj1dcD14R29SVfAQAgHmX9DLuIl2O2jGuN48XivAklUNlmO03KlC1IyvRei z+FHISg9urYk2Rj5RHM17SmkGLztaM1KmjTLGi+zX7pzmxjueqiSJWUlgQRjHCIr uLqBIbz5nah4mHW87UrGt2/AkSTrHfld4ON4TgX2NA97QVRJIKIwZpTx2sFsP14Q kpKjDH7oiyYRHNdoyTF5s6TVYwBow+OGLQmSSy1jfbgDpExgtCwS1QufFijqiC+7 HBkLD0A9Z+gL+sbjOUSyvYo/Id2q7KOMSN1MmUOG10iBa+W5u1mfHA8/Efd8S2eo lcJ8yztmsHmmVW9tsCmKXnvuMGjz3UEpkfZ5ca6NIXB4HV3S98/nQjjRjFKmpvax OLErI4HhHyFtmT8Q67Gpc7g+MZnM3SvfWCfbC1opmY+xn+kxQtAm21O3fjBBlcPw B4O7sGO1FkjypmAvMl0iodp2TjcmUw2Vey25BS+TK9TfwQJb96WiTxFcgPTwvcfq PNtv4utsf8NY2TF3S033zrvWyGSjAdX5pI3o8O4JBiwLPKwKV9jkgXnqSr1RA4hM 0EwLxAx+LeffG2diwNGcrbvT8HXdg6pwmSwZeD0mK0dvJMFgAh5LdQSRHwgcs3mg m9v7XT/H4wkfQT5ku60ZPTXhpvRpC6IEN0KVxsfl9FYOZ1t4NLsH8Y/nc1uH19/J LY2MQnaHFYVLIwMgNOEb9gwehFPZG07ZMUM4O4gShNgqOLHOD8cH1GMtl4kcs0SZ 69TfMnS+DWMRIv36juILVhJWDEYWrUQQJpjcz8mVZz4RwXb6uBLqlvbZkay/Sbkc jhUFU6yeBNJbuIe/gVD3AqTAnBgPRax6gs9GFUJACTKJpeqQpZlo+ZMMe9Z6qOlR 4pCeue0h29l+3txia0Rrn4HFdzmOHXgw3txTgODD+vqUaCiRmIb/hgSpvVh8MTcf 25op88FIECBxX/w1E+t7EuJ9HMyX/o9cot320qOy6lGz77EeeQsAU/TyUnVa1xfF MaBUTisoLE9reic6LATasx0ETqROlFyokXCrwEt1n7NqqU6KIul//exT52ptMguL q0znfXLsBGIcGkUeM443rmovyPvzae0RAfP0V+kp1TsMnAzEy8M4XAHn1jHD2M4k 175xm8iWE8pcXeSSQK+GoEv/p1U5cP2sCuGHxwFLw0E2xsYzj08lSo1wkqx8lcxJ qdzWamdSpVt/L7uR477WKPwi0HJm6AlzpyPGpok4C+XQs/FAOJxNF5YRF0Tv45RR kUxd/tntw3agLTvcjbkxFfZ1WHQvV7QpISltX+sGcQr02//GLxZzp3Zr0FunIVz9 8BHob5vQycn+NXZKSmObukisr0+RZ5xcR9jjLQMSXvHLVjR1aZWtaJZs50qRcvub uuiSVvuaW107ndPFxFJCG/lKR0Ldd0naK73XlF97uGS5BjJ86tE29pW4V0EbbmYx LO6HelwZL9iVShaTSPOXJT0kYR7QYzfuOsmjRsWUoH4kzH9yjRSePDPszZrdtQiQ mBmVhTj//9Iev6bElxMrPUfpV1nTfZkBblNNwIKX+4nWfLcjDn1uI4hTBo8W/0AK G83VHpEBPnc6X8FXOnvG1VHX4uyJEmudA+Sdu31OAr9njQPKkFbwmpdLAi1MMYmC dpf+L9UKPeoNOGwwdV+ukVPXRWTfugsigESFbQ5cKX+CnlSjepW+lnlmnVui1i5H xpl9KzLc8rYCkW1j1JNFYMRCcRCe+5Av5nVxznhwwdr/4Uf+eSuOmoG/3QLjeDlx F7MjFBGdKY4hoZiwrANabJ5iZO9PA8o3pu3keNUNmSn1XGHmSMuXDl75LPa2x3wM pPca92e1XAO/v3riTaKbXV1fUdDWUo8qIGgIu/CcBQ7vs0kMKh2P+QO3YQlxiH3i jOS4rJgbw4BVoWvdE6IpT5OT09UBMT97OQ46V2zrXGpfG62XvZcjGJEFDiu0sRHu +FjHCNDeoj66VI09Y9qRUDokjRkYIy7PMI1d4+cCk/rI+OoF5usGgJBNFVg9JpgT S7Cs3ZAu0OHrcTKDXSqpubUk/OnsGMrJoQVZPvqv7U6Gsf5AR5tCd6+cK6DiPv1R qwJ36PE5RapUthTUFCD8NoHmBJiKoMCKz672tdy36yaG088cOGVUBLG1CUj1LQe6 +OtJvdmxVOqswg0gEHnBy+ncLf9VUE/2BQJ4MTNvFX4kWmYjcLOyDBc5zhU4xf9g FjhgdHLJcNhZt4B/2vZnP9C6vhuhh9qSLaNsmSlXqsvRjWbxLclWYCRWSxmf9WWE iYZ9TYv4W2Ddry1mdmxm2cb1OSVs5XtDl2RcxSAePbXckrKc2Bsb4LxEe5yVxVNI kbKlRha/UK+lRMxUeD/tINguC0E98QSd3zxK14EE/4y3efhRjbcurCxU5vxDdo75 voy4XK3EE6+wbjvRglce9VKEyszSaPMtBP8nCuai+sCpl9ZkRRhcb57BZCJm21YC w6hX/IcbXEMVjlj88gALT2pLoFza8uUbgkpr79tj132THS8geDcXIoLNa8GDYQWB mQwlKdZfIrwGZ31n -----END CERTIFICATE-----]]></artwork>]]></sourcecode> </section> <section anchor="xmssmt-x509-v3-certificate-example"><name>XMSS^MT<name>XMSS<sup>MT</sup> X.509 v3 Certificate Example</name> <t>This section shows a self-signed X.509 v3 certificate usingXMSS^MT.</t> <artwork><![CDATA[XMSS<sup>MT</sup>.</t> <sourcecode type="x509"><![CDATA[ Certificate: Data: Version: 3 (0x2) Serial Number: 5c:22:ad:8a:06:51:9e:67:02:6a:2d:43:3e:8b:c7:23: 43:77:80:c8 Signature Algorithm: xmssmt Issuer: C = FR, L = Paris, O = Bogus XMSSMT CA Validity Not Before: Jul 10 08:28:04 2024 GMT Not After : Jul 8 08:28:04 2034 GMT Subject: C = FR, L = Paris, O = Bogus XMSSMT CA Subject Public Key Info: Public Key Algorithm: xmssmt xmssmt public key: PQ key material: 00:00:00:01:4b:a7:89:11:6f:fc:1d:fb:d3:e7:71: 73:b8:a2:48:ef:53:b9:9d:1f:c6:8a:7c:be:4f:8a: 29:fa:41:fd:bd:da:20:7f:f6:3b:b0:c5:b8:a7:c2: f2:5a:f2:26:14:eb:36:f0:26:2f:87:74:fb:0e:d5: 7e:17:a0:d1:4d:b6:cf:51 X509v3 extensions: X509v3 Subject Key Identifier: 7C:7D:59:B8:95:61:D5:03:6A:1E:3D:F1:24:AB:1D:ED: 04:CD:DB:5F X509v3 Authority Key Identifier: 7C:7D:59:B8:95:61:D5:03:6A:1E:3D:F1:24:AB:1D:ED: 04:CD:DB:5F X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Certificate Sign, CRL Sign Signature Algorithm: xmssmt Signature Value: 00:00:00:57:c4:98:89:ff:d9:0a:8e:6e:6f:16:95:8c:ec:35: 42:21:c2:ca:56:ed:f8:81:f1:b2:4f:2b:6d:73:f4:37:55:fc: f4:4e:15:eb:6b:90:de:34:fe:d6:96:70:94:8d:c1:e7:4a:32: 49:30:3a:40:a4:67:d2:fb:da:f8:d8:a1:7a:48:22:1c:e3:98: bc:d0:68:85:29:c9:e5:f7:5c:56:d8:9c:80:be:68:ed:11:eb: 39:0f:ef:cb:09:b2:28:30:a6:2b:05:bc:de:11:22:be:c4:dc: 08:9a:3d:b4:49:37:1f:54:5e:5f:2d:93:62:b0:95:c5:5d:23: 92:f3:55:40:78:19:00:56:9e:a2:f1:0e:4b:ae:75:d6:92:09: b1:79:ec:c9:18:67:19:09:86:83:74:5d:0a:06:ab:da:f0:af: 02:97:4d:d7:73:06:8b:a2:84:c7:09:af:dd:8b:15:39:e4:30: 9f:c9:00:25:a8:33:4d:de:e8:25:b6:35:0b:51:bf:7a:34:a7: e8:84:e8:fa:39:5b:aa:37:6e:95:89:ac:26:4a:4e:ca:be:29: 08:4b:3c:28:a7:85:6a:ad:5a:d2:93:eb:12:e1:9a:87:1c:40: 3b:cf:15:6c:43:4e:88:21:54:52:7e:0d:6d:17:29:8d:15:6f: ef:42:5a:a9:25:d0:97:80:61:31:22:a4:9f:25:17:51:ad:0b: a1:cb:93:b4:f5:a6:b0:22:1b:6d:50:64:2a:48:bd:05:16:88: 00:e3:7b:56:d0:03:b3:7a:2d:6a:0b:f3:de:a2:8c:6e:81:80: 2c:8f:e9:d8:78:ed:5b:99:c9:13:d1:b6:eb:78:c3:40:2b:a1: 7a:84:0a:ba:12:87:5e:1d:38:24:22:8f:c0:a3:65:1c:1c:ce: 2d:8e:e5:2f:1f:be:93:5c:fe:1c:cd:a8:9d:7e:7e:cf:18:e2: 9c:c5:54:dc:62:61:74:23:55:64:66:21:96:4c:a7:2e:8a:94: a6:35:10:a5:e8:5e:6e:91:ac:a8:cb:ed:51:2b:66:45:03:f5: 87:ed:4d:8c:4e:6d:54:80:a1:33:8a:84:9d:23:31:90:c6:05: 11:a7:9d:bd:51:0a:73:47:bc:08:49:11:b3:98:ff:01:14:69: d7:c0:a0:0c:55:e4:5e:e2:fa:84:ac:27:b3:85:2c:99:71:52: 9c:33:f8:9d:8c:d2:13:bc:6e:18:79:15:a7:02:ee:15:eb:27: d8:af:24:38:02:9c:ca:30:f3:e2:30:41:2f:62:a2:2c:a5:81: 1b:71:6d:b1:94:bd:c6:3d:9e:5e:51:45:de:5b:f4:d7:e6:35: e7:d8:7c:d5:98:ec:7e:0e:f8:9d:c1:a7:7b:b3:65:b1:a1:4b: 2d:ec:d9:12:45:6b:1f:0b:1c:6b:3b:0a:66:76:39:f4:cc:9b: e1:b7:17:f7:53:fc:c3:a6:18:f7:2e:45:52:b1:18:99:75:d1: 69:bb:77:c8:1a:84:5f:06:b5:8b:cb:02:b0:b2:0f:bf:17:18: 65:3d:a7:72:5b:71:9f:92:7e:3a:df:84:cc:65:5c:c4:5b:70: fd:cc:38:9e:12:6e:f9:ff:1f:02:fc:ca:f5:68:86:fc:ca:71: f1:3d:7b:32:b4:d4:c3:a2:20:16:3f:12:07:71:95:3b:d4:b1: 1e:fc:8c:1f:34:8c:c8:ab:8c:bb:75:93:c1:1a:d2:85:3e:9a: e6:04:86:88:de:27:46:ca:f3:f7:f3:8e:54:18:ea:aa:ae:14: 02:b1:4a:6a:e0:24:77:40:28:8d:37:27:9c:87:6a:81:09:d2: 01:4d:20:7f:de:84:a8:80:8c:8e:63:82:be:66:df:87:30:5c: b8:71:0a:e9:91:68:71:6e:97:97:f0:27:4e:fa:ae:6a:85:ac: 80:cd:38:48:49:c1:2b:9d:db:54:c5:f0:bf:fa:06:e8:96:3a: c0:95:f0:88:bd:8e:80:78:3d:dc:ad:5d:0a:56:dd:c7:80:9f: fc:64:58:4d:6d:27:f6:d7:1a:8c:b2:1c:09:ea:7d:4f:74:99: 0d:4a:0c:b8:b0:ef:74:dd:6f:6f:dc:e5:83:e1:e3:c2:e8:58: 17:b8:44:8a:2d:ec:df:54:f6:1f:67:a2:b3:c5:19:fb:b9:c7: 1b:3c:ea:bd:2c:e1:43:65:d1:5a:17:dc:93:9d:c5:85:0c:55: 34:13:49:15:92:e2:52:14:d1:81:aa:62:02:1a:ba:c9:b0:53: 85:8e:7b:d1:4e:34:76:ac:79:d7:b3:48:92:bf:55:7e:2d:5c: cd:32:9b:c1:41:a7:a3:cd:b7:94:5c:96:1e:3e:27:4d:eb:f0: 61:4b:a4:e3:3c:bb:69:85:37:e9:9c:98:f4:68:7a:61:77:8c: bd:b9:30:d6:f1:fd:69:78:3f:96:99:7b:69:39:90:b3:7c:b6: 88:ed:cd:19:da:42:64:e5:32:4c:a2:30:f7:c4:e8:27:93:70: ed:fa:5e:ca:8e:7a:d1:13:af:15:b1:59:c9:9b:91:61:0b:06: d5:cc:2e:80:bb:49:93:dd:be:53:88:be:af:80:64:7c:5e:be: 7b:8b:e7:5f:39:af:ab:67:42:6b:06:aa:ef:d6:69:af:a9:00: 1f:a0:15:10:04:3e:db:93:b2:37:db:eb:85:59:43:a2:8d:8f: 06:8c:cb:a2:1d:a8:3c:9f:f4:a4:7c:c8:cd:ff:f0:a8:79:0f: e7:d8:94:67:ec:17:3f:fa:6e:04:07:4f:bf:86:04:6c:fc:46: 87:b5:10:85:a4:07:e8:af:a9:ec:5d:28:5c:80:8c:31:cc:c7: b3:81:17:0b:4b:7d:1c:9e:74:02:1e:ef:de:0d:1b:c1:c0:04: 4d:46:fd:dc:0b:a4:c6:33:e6:85:0a:60:39:4d:0b:f9:49:44: 33:e0:15:99:19:bf:c7:8a:c6:96:04:93:37:6b:5d:e8:be:73: d4:80:b8:81:0f:9a:91:44:cf:72:02:d3:c9:f8:e0:7d:d2:9b: 2b:ff:eb:42:6e:38:7e:dc:cd:a7:90:c5:2c:2b:a0:23:37:b9: 64:10:a6:27:68:47:c5:f1:e8:8d:41:c1:49:e8:35:48:ce:c8: 08:4c:ad:f2:ad:5d:e9:62:eb:c9:3c:61:85:18:c6:34:73:fd: 26:a4:f0:50:83:9b:64:54:aa:55:6c:d8:a2:21:81:ff:9c:27: 39:1f:c3:a2:0e:e5:53:b1:d7:fa:1f:ef:29:8b:c2:90:98:ea: 2e:dd:45:bf:c3:6c:a3:93:47:99:03:18:25:e8:a5:ee:2e:77: eb:7f:f4:49:49:59:98:c1:fc:ab:1e:ad:20:bd:f8:24:fd:21: 1b:da:5a:07:55:c8:50:05:31:50:93:b2:f8:6e:db:73:4d:5f: 34:aa:f3:34:83:90:f0:41:6d:c8:43:56:d1:75:07:f5:16:20: b3:99:b2:c7:34:25:c4:0e:74:5a:51:0f:7b:3b:7f:6a:a9:41: 17:b5:47:62:2d:4f:b9:61:97:60:e9:ae:ca:ad:31:6e:4b:0a: 47:9c:53:66:a3:4e:c3:96:7c:01:a0:8e:ae:83:45:42:e6:92: 12:8e:97:6f:e8:a0:b7:7d:a6:74:24:aa:20:b0:fa:9e:98:e8: 7c:b4:da:30:e9:94:08:96:b7:b9:53:4f:75:5f:0c:4d:82:e3: cf:6e:bc:fa:23:4f:fa:33:17:7c:98:b6:1e:47:89:3e:d9:a1: aa:42:19:25:ae:9e:3f:53:44:ac:91:96:d8:55:c3:40:1d:fa: ad:86:38:62:bd:27:2f:26:34:be:ad:9a:01:44:42:c8:54:a5: 3a:e9:0a:ff:f8:41:6d:38:1e:e2:3d:08:3a:94:4f:1e:60:d0: b1:c2:8e:94:34:f0:30:3e:f0:91:25:ee:98:34:b4:8d:95:4e: cf:ed:1d:61:89:c9:59:10:68:f2:bc:2e:5c:bd:c0:0f:1d:9c: 2f:7c:c0:27:25:14:9b:de:a3:74:64:28:14:2c:a2:b2:90:3a: a4:6a:50:e9:8e:ca:78:e5:b6:74:56:e0:92:69:7d:b4:2e:e0: e7:66:92:16:92:a0:c3:db:4f:d3:d0:57:4d:4a:28:ee:b7:cc: 04:ef:17:d9:fc:01:bb:1e:b2:5b:02:3d:1f:5a:85:73:a1:81: 96:b7:33:5d:79:e5:6b:c9:29:73:34:01:69:ea:57:f0:01:be: 4e:f3:5c:f3:0a:a7:37:08:ad:18:9c:c7:4c:59:d0:5d:bb:01: f1:53:76:cb:cd:d9:84:5e:bc:22:11:76:01:d9:e3:af:17:03: 01:ef:38:4c:ad:c1:7d:a9:c6:61:2b:ba:9c:81:95:86:af:bb: 73:90:dc:d9:2f:d1:3f:95:6a:b9:46:0f:fb:84:64:7c:7d:86: 65:aa:10:71:56:19:5f:60:52:7f:19:fa:d5:5a:e0:90:e4:b9: 62:55:71:2a:61:f9:37:2f:5e:07:71:43:cf:06:ca:6a:d5:52: c8:33:e1:ad:b2:3e:a4:61:01:00:bc:55:5d:0a:f3:e6:4f:35: 06:c4:a8:3f:4c:8b:9b:c9:41:4b:f4:c1:57:ee:3c:c0:44:68: 52:5a:2d:b9:a7:f2:41:da:c4:8d:7d:db:40:b6:fc:47:63:5a: 69:a1:c7:8c:cc:3f:af:51:94:37:95:58:82:79:d2:16:4a:bf: 12:0b:59:a5:a5:11:71:e6:1c:63:3b:ea:f0:2f:10:e0:97:9a: a1:04:53:d0:72:f4:3c:77:3b:78:ee:b5:aa:6b:f5:bb:5c:e9: 35:4f:69:65:87:29:24:ec:47:7b:78:5a:a7:c1:e5:f1:73:7d: 4d:79:ef:ef:4e:75:87:db:8f:36:fd:50:3e:74:dc:17:d4:c3: 3f:4f:82:24:51:1b:12:16:26:61:db:93:15:19:39:55:f5:05: 2c:6e:85:dd:b2:cc:4f:c0:09:0a:76:46:d8:e4:f2:11:92:a1: e0:36:a8:25:c7:45:19:6c:98:eb:9a:fa:c1:ec:80:18:ce:d1: f8:c4:23:9a:f9:b8:1f:05:67:8e:45:cb:e6:ee:0b:fa:db:67: 1f:62:2c:49:78:bb:55:98:1e:33:42:63:f2:db:ee:73:f7:60: 80:6d:5f:9a:e8:8c:89:39:5b:b2:84:e2:c3:99:77:f3:5f:19: ec:b8:2b:ce:60:59:2c:66:06:f9:c1:43:b9:fd:94:35:9e:28: 9d:a0:8e:fd:0d:c6:1a:bb:20:93:b0:63:6a:83:2f:0a:db:c2: b3:8e:b1:dd:f5:ab:19:09:53:7a:db:72:3f:1e:25:07:eb:1a: 7d:21:da:88:22:e6:f0:ba:b3:15:6f:95:f3:72:d2:cb:6d:48: b8:ba:7b:aa:40:7f:81:fe:ba:15:c2:77:9d:86:58:bc:7d:89: 2e:7b:3a:96:04:9f:f1:3a:50:48:5a:25:4d:91:b6:ed:de:f6: 2e:4d:e5:77:11:6d:76:f4:23:5f:91:f0:0f:79:59:7a:f3:32: 24:11:c4:88:30:21:26:3b:f1:79:0f:04:06:ad:82:6d:ea:58: 4e:aa:4e:0a:7f:7b:5c:a5:ab:de:76:a9:a9:c7:d9:e3:eb:d6: 84:80:02:ab:da:4c:5b:49:90:29:c5:cb:5b:1c:06:61:e8:9a: cf:a4:ea:9d:31:16:6a:21:3a:d9:22:25:b8:39:9d:4c:e3:86: 76:a8:dd:d8:b4:db:88:f9:5e:61:c3:1d:87:df:a9:31:33:7a: b3:50:3e:f2:cd:ad:a0:9d:98:5f:6c:e2:f0:d8:27:b9:c2:37: 7f:8d:b4:f8:84:13:5f:22:6d:9b:81:bd:1c:e5:75:ae:b5:95: d1:cb:d0:c6:e3:78:ec:8c:71:6d:8c:5d:40:79:7d:58:3d:5c: 63:77:cc:2e:a2:63:a9:71:30:2f:59:2a:ec:82:b1:e5:b9:d6: bf:fb:21:e6:97:fc:70:45:9a:c7:e8:d2:81:73:b1:f5:bc:76: ca:b4:be:9f:39:b5:2d:f2:3e:c5:32:e3:ae:3c:fd:74:a1:36: 5a:5c:4d:f6:de:d2:d5:66:61:74:88:2e:4b:69:7c:29:2f:e0: 2a:d6:d8:93:99:41:bc:7b:7f:fc:c3:1c:84:ed:16:c0:08:78: fb:57:61:9e:83:7a:d1:e9:b7:ad:9a:85:1c:c3:ba:a3:e4:18: b6:00:f6:35:27:e2:27:1d:10:dc:44:1d:11:05:a2:db:df:0a: 59:98:9c:f3:ca:3a:b3:26:2d:d1:c4:3c:fc:21:f3:3c:39:62: 7f:f4:bd:91:74:ef:02:83:da:4a:22:40:60:9f:6a:9f:8b:8f: f1:e4:1e:99:d5:17:55:62:1c:60:01:7d:c7:41:db:19:9e:29: 01:ba:a0:5f:41:f3:61:ed:9d:0c:9c:ef:32:8b:b0:8a:89:b1: e4:06:c9:2f:4d:42:2a:01:84:29:ac:f1:41:a0:a1:c9:b4:83: d9:87:1a:53:1f:7f:d4:85:12:2e:79:f3:2c:88:06:73:62:ee: 16:bc:c7:8b:e7:09:96:ba:02:b5:56:ab:6f:c0:cf:76:64:62: 0e:1e:b5:e4:69:42:4d:ed:56:96:d9:1d:8d:07:40:7a:c5:bd: d3:9f:43:07:e4:9d:b6:26:2b:33:6a:79:d9:8a:ec:ee:51:73: f1:91:b0:e8:90:42:db:11:55:57:1b:01:10:fc:11:ff:77:b4: 09:01:6d:f8:8c:cf:72:16:df:09:12:09:bd:49:ef:33:b9:c5: 8d:35:60:77:80:8f:ee:98:18:be:bb:3a:61:e9:5b:6a:09:b0: 0a:1e:38:80:e9:71:46:77:a1:19:7a:c3:04:57:a5:77:e6:5a: 01:77:d2:92:90:f6:99:50:87:3f:30:8a:37:3d:37:1e:6b:1d: a4:71:3c:6b:15:07:01:f6:3d:43:96:a3:f7:30:cf:08:2c:32: a3:ca:67:6e:59:da:51:2e:96:bc:97:41:4b:7c:5f:97:a3:cf: 46:20:9e:64:96:08:f7:0c:03:4b:b4:83:09:db:6c:bb:94:23: 4e:ff:7b:fb:2f:84:66:0a:96:f9:e1:58:ff:0d:3c:84:62:9c: 6b:60:9f:7e:39:cf:33:f3:03:2f:c7:d0:8b:6f:f3:9a:62:cc: 33:c4:bd:b4:fc:b8:80:9d:fe:9e:c2:f0:d0:9e:07:71:a8:f9: 1f:a7:64:4d:63:f9:6b:ce:3e:44:0a:3f:05:58:90:0d:0c:20: 7d:4e:c7:52:d0:e5:b7:61:d3:6a:52:08:37:91:15:3c:cf:41: ec:ef:88:56:dc:14:2a:12:55:cb:05:01:23:89:c0:fe:ca:de: 40:d2:d0:96:a3:1f:07:4a:58:96:fa:b2:ef:78:96:f0:73:25: c8:2e:20:3b:d8:02:cf:e7:ca:b0:29:1a:25:7f:15:96:2d:fd: 52:bb:29:c3:fc:bf:b1:7c:d8:0f:76:21:05:28:2e:89:d9:82: 0e:cb:cd:03:1f:c3:71:b4:0f:75:52:e5:b4:93:8c:ac:ed:d5: 30:5a:b9:33:84:fd:3c:da:dc:e6:84:6d:c2:66:be:93:ad:67: 7f:db:d0:08:95:64:5a:2c:13:7f:e2:05:b5:dc:d0:bf:4d:6e: 93:c2:3b:8c:3b:b1:5c:3a:28:e8:c3:96:ed:59:e2:62:52:8e: 95:8d:b5:e1:c1:f2:34:5b:bf:5a:cc:f1:ee:ec:3d:6c:61:99: f2:c8:e4:05:5f:ea:d5:74:3c:ff:df:1b:20:bd:35:30:c0:27: f8:a4:6e:73:45:81:e2:b9:15:52:c7:a0:e7:c8:fd:7b:8e:f7: d2:0c:c4:e9:22:69:4e:70:62:c7:8a:a2:a6:61:7c:0b:5a:74: 8d:0f:c0:e5:66:dc:18:7b:74:3b:72:ab:1a:53:b3:49:ef:50: aa:76:80:e7:11:53:90:ab:24:d1:2e:fc:66:41:cf:b3:cc:ae: ac:f9:eb:1e:19:f7:bc:54:00:16:da:b0:d4:2b:74:c7:35:fb: 08:ff:67:14:83:5a:eb:6b:b7:b4:63:28:e2:b6:b8:d4:0c:13: 6a:8c:bb:30:c1:fb:6c:42:df:23:c4:f0:be:25:df:2b:39:11: bb:82:c3:e7:f9:04:48:77:cf:d0:5e:3d:6e:19:7f:b3:c4:2f: c4:ec:51:5f:9d:c7:8f:88:9f:21:79:8d:a0:17:3e:17:73:b4: f5:a2:71:70:e6:99:c4:fd:4c:f2:63:64:23:22:c3:72:71:52: 43:42:a5:90:e3:59:77:50:ff:a1:09:2e:c7:f6:7e:17:f2:a2: d6:7e:2c:75:f2:ab:9e:36:78:ab:57:be:c5:91:71:70:2c:ba: 03:91:80:97:f4:9e:16:bc:fa:80:f4:22:2a:b5:75:15:57:d9: b0:92:9e:b1:35:db:26:96:77:28:9c:89:99:db:9b:55:d4:29: 15:5f:54:8a:0d:58:a8:95:13:95:17:6c:6b:b0:2a:a3:fa:1a: ec:2e:b4:0e:08:ea:8f:e1:8c:59:cf:7d:60:00:f3:bf:b7:e4: 5f:08:a6:02:ef:ce:d7:9c:8d:6f:56:d7:c9:35:e9:e5:cf:d2: f5:28:ca:e6:36:ef:c4:26:52:d5:4d:04:ec:50:73:87:dc:70: 1f:1a:db:07:bf:4c:e9:ec:57:98:7f:bc:c8:31:9e:7e:e6:3a: b4:c4:77:93:39:56:57:67:05:84:8d:03:02:d9:bf:04:6b:fe: 71:8a:be:b6:8a:ae:44:b0:dd:db:1f:6a:26:e5:50:d5:ff:03: 81:d8:1b:9f:3f:a6:bc:1b:52:b5:49:93:b0:27:fd:59:d4:7d: 69:e9:63:35:0b:9b:de:a1:d4:70:0c:08:41:4b:76:d6:cd:c8: 65:8c:bb:9a:6e:e4:f1:e2:30:13:9d:a3:c7:67:16:0f:7d:bd: ac:dc:aa:9c:17:01:a6:27:14:fa:4a:c1:27:3f:07:7b:9f:2f: 47:56:cc:f0:96:38:e9:58:7c:1f:6c:73:10:3c:11:68:2a:3c: 5f:74:fe:37:ae:8b:e9:eb:c6:06:30:6f:62:3c:5c:6c:2d:c7: 5b:24:6d:cc:75:3f:d7:d4:e6:72:64:8a:ad:03:67:ad:cd:cb: 2d:7c:82:49:a9:ef:e8:b9:be:f2:6c:98:42:4e:26:46:04:58: a5:2b:c9:88:9b:a4:91:7f:22:09:12:52:2a:d1:4e:36:22:d8: 53:bc:38:93:ad:11:19:c5:e7:c9:83:00:b4:b6:b0:ac:96:32: ca:d0:08:69:e4:d2:29:86:74:74:49:be:4a:b2:bf:f2:2f:c2: 52:fd:15:3c:8d:07:12:3a:98:c7:49:67:81:1d:b1:5d:e8:f4: 42:79:a0:f7:44:b8:95:9f:e1:37:41:5b:c9:b1:89:90:7b:66: 96:eb:8e:dc:1b:d7:73:b2:eb:c1:42:41:e8:2d:28:ba:74:ea: 7c:77:87:76:5b:36:10:3d:87:08:52:94:e6:60:95:c1:1b:c9: 27:c1:42:aa:32:62:ed:ca:6f:04:4e:11:3a:3d:3d:e0:d8:3a: c0:ff:b9:9a:94:b1:79:f3:01:14:3a:99:34:59:8e:d9:ac:f1: a9:77:b5:2d:59:e1:29:96:1b:13:80:8b:10:94:3e:c2:51:db: c1:24:06:02:47:96:9b:ae:5d:25:34:af:4b:65:f3:8a:eb:65: 7c:a5:5e:7c:a2:d6:1d:41:20:13:0b:5e:ea:67:b2:eb:bf:6c: 44:fb:76:31:58:5e:d2:33:6d:6f:9c:3a:41:70:34:11:6f:99: 8c:42:9d:d6:2b:14:79:b0:ac:d4:de:3a:b0:d8:d2:97:88:9a: 17:68:3e:79:a8:b0:4a:d7:a7:3c:63:c5:29:c1:65:76:74:7e: c2:de:b8:49:ce:26:5f:d2:62:2d:0f:5c:cc:6c:53:c0:a4:75: 05:52:d1:52:38:ae:72:17:7c:02:67:6b:76:38:e7:72:aa:38: 70:5e:af:a2:98:c0:c1:7a:a0:6d:ec:90:51:8d:d5:99:8b:39: 05:6a:eb:0c:87:37:5b:4b:00:91:2c:7d:8a:6d:c1:23:10:44: 26:5a:47:f7:7f:8f:86:1c:c2:a7:9f:9e:48:f6:42:cd:d1:3c: d9:e8:95:de:00:3c:ec:db:a1:a3:c0:7f:f7:17:3b:4a:dc:d2: f5:d4:9b:12:19:0f:6d:13:38:72:06:21:eb:94:88:87:8f:a1: de:f6:d7:a0:88:aa:e3:47:bb:69:e8:30:59:82:d2:3a:6d:c7: 26:95:92:a4:58:07:eb:db:a5:d1:bb:51:00:28:ef:6f:c8:ce: 9c:0f:d9:8d:e0:b3:14:db:90:dd:f9:26:af:b0:88:48:ae:22: 71:26:af:d5:e0:4d:5c:41:e6:0b:f2:5c:9b:bb:69:82:09:5a: 58:63:b9:0c:8a:22:37:aa:a2:71:2a:a5:d9:a7:7b:9f:d5:f4: 17:8d:bd:4e:de:08:6a:a4:20:ce:a6:85:c7:fa:05:c7:d8:03: 77:0c:dd:40:32:11:43:2a:8c:50:22:4b:fa:a1:d1:f1:94:42: 3f:d5:b8:a0:dd:01:71:6e:30:34:ff:a6:76:80:e6:c1:04:8b: f0:c3:38:14:98:ae:eb:fd:05:98:d1:96:7e:b4:bf:51:ce:aa: b4:66:71:30:9f:7a:45:b6:ed:d1:6e:8f:b0:6c:a5:f5:4f:ee: bc:ea:65:5e:24:43:73:4b:50:8e:c8:68:0f:23:48:ed:dd:ff: 84:97:9b:31:0d:bb:2c:db:69:6b:0c:34:73:3e:ae:69:d2:f5: be:a8:99:be:7b:40:82:f4:fe:35:f5:3d:a3:b1:b4:e2:6c:79: b7:0b:29:ad:30:3d:56:9d:bc:24:e9:e6:a5:6d:cc:83:18:7b: d5:98:a3:5f:dd:71:72:29:71:45:8f:41:52:ce:86:99:5c:f1: 40:0c:1e:b1:97:da:3a:14:4a:a7:02:48:d8:4e:63:12:99:da: 28:e9:de:0d:17:90:3a:f5:da:9a:01:7c:15:12:bf:00:48:7d: 63:8c:89:0b:b9:77:95:01:27:b2:33:73:4b:ab:a8:f3:24:ee: c1:d3:0c:a3:9e:26:fe:24:23:3b:82:b4:1a:5e:72:dc:9e:91: 3a:7b:85:64:0d:30:2e:6b:55:53:7e:a2:4f:b7:10:e4:77:a1: 01:4a:b2:d7:7f:1c:94:a6:a7:e5:66:e2:c7:e5:37:6d:89:2c: 72:b1:53:cf:d6:67:0f:77:f8:bf:07:20:98:99:60:ef:2e:72: c0:72:9e:79:2a:ca:a2:f7:bc:82:db:53:f7:68:e3:ed:4f:38: 64:83:1b:dd:a5:78:dc:db:08:a9:34:35:f6:f1:9c:76:85:5e: cd:59:a3:c8:89:50:5b:bd:a0:64:06:b4:d7:db:7a:e1:75:57: 13:90:ce:05:4b:a0:f6:22:70:0b:78:a0:84:46:87:b4:a7:0d: 88:c6:41:c5:93:cb:77:37:d1:af:37:48:b9:47:db:99:7a:98: 36:82:cb:27:6a:9a:de:80:24:3a:29:eb:ab:bd:b0:40:0d:a6: 50:e5:a4:72:a3:19:cb:f3:52:8e:2f:1d:10:ef:7d:0a:15:6c: 49:08:53:55:84:85:5c:73:53:ce:3e:18:e5:04:92:a6:99:db: 4d:7b:c7:a9:99:ce:aa:90:48:73:7a:61:f5:92:73:da:b4:26: 74:a1:39:74:e3:82:f9:32:e0:08:ef:bc:2f:9f:6d:e1:da:3d: f0:a5:46:b6:17:95:b8:6b:13:7d:f3:a1:31:8d:b7:47:a0:45: aa:20:53:d6:f0:3c:eb:a2:e7:7a:26:8c:c6:c7:cb:0f:21:5a: df:46:06:c5:b2:2d:a5:3b:b7:01:fd:0f:55:1b:5e:58:00:70: 94:a3:7f:48:8e:4a:67:a4:14:5d:e0:ba:b6:f9:9b:e7:de:61: d8:67:83:ac:b7:01:eb:62:c5:22:b8:48:3a:96:55:fb:1a:4a: c4:63:30:f3:78:05:a6:ab:0c:e7:33:a0:88:f7:e2:e3:4a:1b: fd:66:3c:14:be:ee:20:d1:32:95:db:97:ff:d9:c2:bc:7a:c8: e4:ba:24:c5:b2:2e:16:f8:53:af:b4:57:56:25:26:f5:36:48: eb:0c:20:f9:3b:73:ff:dd:bd:20:81:0c:f5:55:89:7d:46:1b: 05:b6:25:df:96:99:ea:09:79:60:72:d8:37:92:a8:f1:75:a3: 5c:6d:54:b7:f3:32:17:35:1a:2d:96:e5:5e:fc:cd:54:30:49: af:6f:1a:42:d9:98:52:72:73:74:72:b7:72:95:80:1d:31:5a: e4:83:b7:b6:d4:14:00:0b:59:ce:7c:bc:1d:72:24:ab:74:d6: 2c:9c:20:b1:0a:78:6f:a9:76:8d:6c:37:02:35:bd:6f:99:ee: d1:45:36:f1:34:60:7a:12:57:27:68:05:26:14:75:3c:9f:0d: 3e:b7:5d:b8:2a:6c:1d:a7:b0:41:c4:f4:3d:ae:8e:51:54:37: 65:ad:0a:c9:28:a0:3f:04:ed:54:59:c4:9f:1d:3d:70:97:5f: f9:44:53:ff:15:9f:03:13:7b:41:6b:c0:f7:8f:a3:27:2b:03: 39:37:8f:bd:91:65:4d:74:a9:9f:45:6a:a4:25:dc:4c:f9:7e: 59:fc:4e:93:7c:89:8f:71:8e:a6:99:66:5e:6a:25:a4:c0:a6: fa:25:f7:68:5c:8a:02:f5:7b:49:cd:89:e1:77:78:95:1b:a9: 21:78:6e:f4:7a:e2:04:e5:0e:21:52:bf:04:cd:0c:69:5d:d7: f2:57:71:9f:d8:01:e0:f3:10:cc:15:2d:fd:99:78:ff:dc:1f: 8f:a9:31:0d:0f:9f:f4:2c:a1:3d:4f:b2:51:92:68:f0:ec:d8: 5f:c4:55:a1:4c:c8:12:e9:05:7e:05:93:5f:f9:76:99:85:18: 29:24:60:14:5d:b3:79:f9:4b:7c:e4:22:71:8a:c2:66:45:d2: 41:14:5d:59:4c:0a:b5:2b:ab:bd:c6:50:f8:87:37:42:e6:d4: 96:72:cf:45:f0:d4:bf:0d:c5:17:9f:f1:b9:12:5c:a8:74:89: 9e:56:07:cf:8f:98:9a:da:d7:db:7f:c7:d0:3a:0a:14:cd:5a: 66:0c:eb:02:76:a0:d4:56:e6:e8:be:a1:f0:c7:23:b3:4f:86: 90:1a:5a:16:8e:07:0d:24:d1:ee:03:98:9f]]></artwork> <artwork><![CDATA[]]></sourcecode> <sourcecode type="x509"><![CDATA[ -----BEGIN CERTIFICATE----- MIIU6zCCAXOgAwIBAgIUXCKtigZRnmcCai1DPovHI0N3gMgwCgYIKwYBBQUHBiMw NzELMAkGA1UEBhMCRlIxDjAMBgNVBAcMBVBhcmlzMRgwFgYDVQQKDA9Cb2d1cyBY TVNTTVQgQ0EwHhcNMjQwNzEwMDgyODA0WhcNMzQwNzA4MDgyODA0WjA3MQswCQYD VQQGEwJGUjEOMAwGA1UEBwwFUGFyaXMxGDAWBgNVBAoMD0JvZ3VzIFhNU1NNVCBD QTBTMAoGCCsGAQUFBwYjA0UAAAAAAUuniRFv/B370+dxc7iiSO9TuZ0fxop8vk+K KfpB/b3aIH/2O7DFuKfC8lryJhTrNvAmL4d0+w7Vfheg0U22z1GjYzBhMB0GA1Ud DgQWBBR8fVm4lWHVA2oePfEkqx3tBM3bXzAfBgNVHSMEGDAWgBR8fVm4lWHVA2oe PfEkqx3tBM3bXzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAKBggr BgEFBQcGIwOCE2QAAAAAV8SYif/ZCo5ubxaVjOw1QiHCylbt+IHxsk8rbXP0N1X8 9E4V62uQ3jT+1pZwlI3B50oySTA6QKRn0vva+NihekgiHOOYvNBohSnJ5fdcVtic gL5o7RHrOQ/vywmyKDCmKwW83hEivsTcCJo9tEk3H1ReXy2TYrCVxV0jkvNVQHgZ AFaeovEOS6511pIJsXnsyRhnGQmGg3RdCgar2vCvApdN13MGi6KExwmv3YsVOeQw n8kAJagzTd7oJbY1C1G/ejSn6ITo+jlbqjdulYmsJkpOyr4pCEs8KKeFaq1a0pPr EuGahxxAO88VbENOiCFUUn4NbRcpjRVv70JaqSXQl4BhMSKknyUXUa0LocuTtPWm sCIbbVBkKki9BRaIAON7VtADs3otagvz3qKMboGALI/p2HjtW5nJE9G263jDQCuh eoQKuhKHXh04JCKPwKNlHBzOLY7lLx++k1z+HM2onX5+zxjinMVU3GJhdCNVZGYh lkynLoqUpjUQpehebpGsqMvtUStmRQP1h+1NjE5tVIChM4qEnSMxkMYFEaedvVEK c0e8CEkRs5j/ARRp18CgDFXkXuL6hKwns4UsmXFSnDP4nYzSE7xuGHkVpwLuFesn 2K8kOAKcyjDz4jBBL2KiLKWBG3FtsZS9xj2eXlFF3lv01+Y159h81Zjsfg74ncGn e7NlsaFLLezZEkVrHwscazsKZnY59Myb4bcX91P8w6YY9y5FUrEYmXXRabt3yBqE Xwa1i8sCsLIPvxcYZT2ncltxn5J+Ot+EzGVcxFtw/cw4nhJu+f8fAvzK9WiG/Mpx 8T17MrTUw6IgFj8SB3GVO9SxHvyMHzSMyKuMu3WTwRrShT6a5gSGiN4nRsrz9/OO VBjqqq4UArFKauAkd0AojTcnnIdqgQnSAU0gf96EqICMjmOCvmbfhzBcuHEK6ZFo cW6Xl/AnTvquaoWsgM04SEnBK53bVMXwv/oG6JY6wJXwiL2OgHg93K1dClbdx4Cf /GRYTW0n9tcajLIcCep9T3SZDUoMuLDvdN1vb9zlg+HjwuhYF7hEii3s31T2H2ei s8UZ+7nHGzzqvSzhQ2XRWhfck53FhQxVNBNJFZLiUhTRgapiAhq6ybBThY570U40 dqx517NIkr9Vfi1czTKbwUGno823lFyWHj4nTevwYUuk4zy7aYU36ZyY9Gh6YXeM vbkw1vH9aXg/lpl7aTmQs3y2iO3NGdpCZOUyTKIw98ToJ5Nw7fpeyo560ROvFbFZ yZuRYQsG1cwugLtJk92+U4i+r4BkfF6+e4vnXzmvq2dCawaq79Zpr6kAH6AVEAQ+ 25OyN9vrhVlDoo2PBozLoh2oPJ/0pHzIzf/wqHkP59iUZ+wXP/puBAdPv4YEbPxG h7UQhaQH6K+p7F0oXICMMczHs4EXC0t9HJ50Ah7v3g0bwcAETUb93AukxjPmhQpg OU0L+UlEM+AVmRm/x4rGlgSTN2td6L5z1IC4gQ+akUTPcgLTyfjgfdKbK//rQm44 ftzNp5DFLCugIze5ZBCmJ2hHxfHojUHBSeg1SM7ICEyt8q1d6WLryTxhhRjGNHP9 JqTwUIObZFSqVWzYoiGB/5wnOR/Dog7lU7HX+h/vKYvCkJjqLt1Fv8Nso5NHmQMY Jeil7i5363/0SUlZmMH8qx6tIL34JP0hG9paB1XIUAUxUJOy+G7bc01fNKrzNIOQ 8EFtyENW0XUH9RYgs5myxzQlxA50WlEPezt/aqlBF7VHYi1PuWGXYOmuyq0xbksK R5xTZqNOw5Z8AaCOroNFQuaSEo6Xb+igt32mdCSqILD6npjofLTaMOmUCJa3uVNP dV8MTYLjz268+iNP+jMXfJi2HkeJPtmhqkIZJa6eP1NErJGW2FXDQB36rYY4Yr0n LyY0vq2aAURCyFSlOukK//hBbTge4j0IOpRPHmDQscKOlDTwMD7wkSXumDS0jZVO z+0dYYnJWRBo8rwuXL3ADx2cL3zAJyUUm96jdGQoFCyispA6pGpQ6Y7KeOW2dFbg kml9tC7g52aSFpKgw9tP09BXTUoo7rfMBO8X2fwBux6yWwI9H1qFc6GBlrczXXnl a8kpczQBaepX8AG+TvNc8wqnNwitGJzHTFnQXbsB8VN2y83ZhF68IhF2AdnjrxcD Ae84TK3BfanGYSu6nIGVhq+7c5Dc2S/RP5VquUYP+4RkfH2GZaoQcVYZX2BSfxn6 1VrgkOS5YlVxKmH5Ny9eB3FDzwbKatVSyDPhrbI+pGEBALxVXQrz5k81BsSoP0yL m8lBS/TBV+48wERoUlotuafyQdrEjX3bQLb8R2NaaaHHjMw/r1GUN5VYgnnSFkq/ EgtZpaURceYcYzvq8C8Q4JeaoQRT0HL0PHc7eO61qmv1u1zpNU9pZYcpJOxHe3ha p8Hl8XN9TXnv7051h9uPNv1QPnTcF9TDP0+CJFEbEhYmYduTFRk5VfUFLG6F3bLM T8AJCnZG2OTyEZKh4DaoJcdFGWyY65r6weyAGM7R+MQjmvm4HwVnjkXL5u4L+ttn H2IsSXi7VZgeM0Jj8tvuc/dggG1fmuiMiTlbsoTiw5l3818Z7LgrzmBZLGYG+cFD uf2UNZ4onaCO/Q3GGrsgk7BjaoMvCtvCs46x3fWrGQlTettyPx4lB+safSHaiCLm 8LqzFW+V83LSy21IuLp7qkB/gf66FcJ3nYZYvH2JLns6lgSf8TpQSFolTZG27d72 Lk3ldxFtdvQjX5HwD3lZevMyJBHEiDAhJjvxeQ8EBq2CbepYTqpOCn97XKWr3nap qcfZ4+vWhIACq9pMW0mQKcXLWxwGYeiaz6TqnTEWaiE62SIluDmdTOOGdqjd2LTb iPleYcMdh9+pMTN6s1A+8s2toJ2YX2zi8NgnucI3f420+IQTXyJtm4G9HOV1rrWV 0cvQxuN47IxxbYxdQHl9WD1cY3fMLqJjqXEwL1kq7IKx5bnWv/sh5pf8cEWax+jS gXOx9bx2yrS+nzm1LfI+xTLjrjz9dKE2WlxN9t7S1WZhdIguS2l8KS/gKtbYk5lB vHt//MMchO0WwAh4+1dhnoN60em3rZqFHMO6o+QYtgD2NSfiJx0Q3EQdEQWi298K WZic88o6syYt0cQ8/CHzPDlif/S9kXTvAoPaSiJAYJ9qn4uP8eQemdUXVWIcYAF9 x0HbGZ4pAbqgX0HzYe2dDJzvMouwiomx5AbJL01CKgGEKazxQaChybSD2YcaUx9/ 1IUSLnnzLIgGc2LuFrzHi+cJlroCtVarb8DPdmRiDh615GlCTe1WltkdjQdAesW9 059DB+SdtiYrM2p52Yrs7lFz8ZGw6JBC2xFVVxsBEPwR/3e0CQFt+IzPchbfCRIJ vUnvM7nFjTVgd4CP7pgYvrs6YelbagmwCh44gOlxRnehGXrDBFeld+ZaAXfSkpD2 mVCHPzCKNz03HmsdpHE8axUHAfY9Q5aj9zDPCCwyo8pnblnaUS6WvJdBS3xfl6PP RiCeZJYI9wwDS7SDCdtsu5QjTv97+y+EZgqW+eFY/w08hGKca2CffjnPM/MDL8fQ i2/zmmLMM8S9tPy4gJ3+nsLw0J4Hcaj5H6dkTWP5a84+RAo/BViQDQwgfU7HUtDl t2HTalIIN5EVPM9B7O+IVtwUKhJVywUBI4nA/sreQNLQlqMfB0pYlvqy73iW8HMl yC4gO9gCz+fKsCkaJX8Vli39Urspw/y/sXzYD3YhBSguidmCDsvNAx/DcbQPdVLl tJOMrO3VMFq5M4T9PNrc5oRtwma+k61nf9vQCJVkWiwTf+IFtdzQv01uk8I7jDux XDoo6MOW7VniYlKOlY214cHyNFu/Wszx7uw9bGGZ8sjkBV/q1XQ8/98bIL01MMAn +KRuc0WB4rkVUseg58j9e4730gzE6SJpTnBix4qipmF8C1p0jQ/A5WbcGHt0O3Kr GlOzSe9QqnaA5xFTkKsk0S78ZkHPs8yurPnrHhn3vFQAFtqw1Ct0xzX7CP9nFINa 62u3tGMo4ra41AwTaoy7MMH7bELfI8TwviXfKzkRu4LD5/kESHfP0F49bhl/s8Qv xOxRX53Hj4ifIXmNoBc+F3O09aJxcOaZxP1M8mNkIyLDcnFSQ0KlkONZd1D/oQku x/Z+F/Ki1n4sdfKrnjZ4q1e+xZFxcCy6A5GAl/SeFrz6gPQiKrV1FVfZsJKesTXb JpZ3KJyJmdubVdQpFV9Uig1YqJUTlRdsa7Aqo/oa7C60Dgjqj+GMWc99YADzv7fk XwimAu/O15yNb1bXyTXp5c/S9SjK5jbvxCZS1U0E7FBzh9xwHxrbB79M6exXmH+8 yDGefuY6tMR3kzlWV2cFhI0DAtm/BGv+cYq+toquRLDd2x9qJuVQ1f8Dgdgbnz+m vBtStUmTsCf9WdR9aeljNQub3qHUcAwIQUt21s3IZYy7mm7k8eIwE52jx2cWD329 rNyqnBcBpicU+krBJz8He58vR1bM8JY46Vh8H2xzEDwRaCo8X3T+N66L6evGBjBv YjxcbC3HWyRtzHU/19TmcmSKrQNnrc3LLXyCSanv6Lm+8myYQk4mRgRYpSvJiJuk kX8iCRJSKtFONiLYU7w4k60RGcXnyYMAtLawrJYyytAIaeTSKYZ0dEm+SrK/8i/C Uv0VPI0HEjqYx0lngR2xXej0Qnmg90S4lZ/hN0FbybGJkHtmluuO3BvXc7LrwUJB 6C0ounTqfHeHdls2ED2HCFKU5mCVwRvJJ8FCqjJi7cpvBE4ROj094Ng6wP+5mpSx efMBFDqZNFmO2azxqXe1LVnhKZYbE4CLEJQ+wlHbwSQGAkeWm65dJTSvS2Xziutl fKVefKLWHUEgEwte6mey679sRPt2MVhe0jNtb5w6QXA0EW+ZjEKd1isUebCs1N46 sNjSl4iaF2g+eaiwStenPGPFKcFldnR+wt64Sc4mX9JiLQ9czGxTwKR1BVLRUjiu chd8Amdrdjjncqo4cF6vopjAwXqgbeyQUY3VmYs5BWrrDIc3W0sAkSx9im3BIxBE JlpH93+PhhzCp5+eSPZCzdE82eiV3gA87Nuho8B/9xc7StzS9dSbEhkPbRM4cgYh 65SIh4+h3vbXoIiq40e7aegwWYLSOm3HJpWSpFgH69ul0btRACjvb8jOnA/ZjeCz FNuQ3fkmr7CISK4icSav1eBNXEHmC/Jcm7tpgglaWGO5DIoiN6qicSql2ad7n9X0 F429Tt4IaqQgzqaFx/oFx9gDdwzdQDIRQyqMUCJL+qHR8ZRCP9W4oN0BcW4wNP+m doDmwQSL8MM4FJiu6/0FmNGWfrS/Uc6qtGZxMJ96Rbbt0W6PsGyl9U/uvOplXiRD c0tQjshoDyNI7d3/hJebMQ27LNtpaww0cz6uadL1vqiZvntAgvT+NfU9o7G04mx5 twsprTA9Vp28JOnmpW3Mgxh71ZijX91xcilxRY9BUs6GmVzxQAwesZfaOhRKpwJI 2E5jEpnaKOneDReQOvXamgF8FRK/AEh9Y4yJC7l3lQEnsjNzS6uo8yTuwdMMo54m /iQjO4K0Gl5y3J6ROnuFZA0wLmtVU36iT7cQ5HehAUqy138clKan5Wbix+U3bYks crFTz9ZnD3f4vwcgmJlg7y5ywHKeeSrKove8gttT92jj7U84ZIMb3aV43NsIqTQ1 9vGcdoVezVmjyIlQW72gZAa019t64XVXE5DOBUug9iJwC3ighEaHtKcNiMZBxZPL dzfRrzdIuUfbmXqYNoLLJ2qa3oAkOinrq72wQA2mUOWkcqMZy/NSji8dEO99ChVs SQhTVYSFXHNTzj4Y5QSSppnbTXvHqZnOqpBIc3ph9ZJz2rQmdKE5dOOC+TLgCO+8 L59t4do98KVGtheVuGsTffOhMY23R6BFqiBT1vA866LneiaMxsfLDyFa30YGxbIt pTu3Af0PVRteWABwlKN/SI5KZ6QUXeC6tvmb595h2GeDrLcB62LFIrhIOpZV+xpK xGMw83gFpqsM5zOgiPfi40ob/WY8FL7uINEylduX/9nCvHrI5LokxbIuFvhTr7RX ViUm9TZI6wwg+Ttz/929IIEM9VWJfUYbBbYl35aZ6gl5YHLYN5Ko8XWjXG1Ut/My FzUaLZblXvzNVDBJr28aQtmYUnJzdHK3cpWAHTFa5IO3ttQUAAtZzny8HXIkq3TW LJwgsQp4b6l2jWw3AjW9b5nu0UU28TRgehJXJ2gFJhR1PJ8NPrdduCpsHaewQcT0 Pa6OUVQ3Za0KySigPwTtVFnEnx09cJdf+URT/xWfAxN7QWvA94+jJysDOTePvZFl TXSpn0VqpCXcTPl+WfxOk3yJj3GOpplmXmolpMCm+iX3aFyKAvV7Sc2J4Xd4lRup IXhu9HriBOUOIVK/BM0MaV3X8ldxn9gB4PMQzBUt/Zl4/9wfj6kxDQ+f9CyhPU+y UZJo8OzYX8RVoUzIEukFfgWTX/l2mYUYKSRgFF2zeflLfOQicYrCZkXSQRRdWUwK tSurvcZQ+Ic3QubUlnLPRfDUvw3FF5/xuRJcqHSJnlYHz4+YmtrX23/H0DoKFM1a ZgzrAnag1Fbm6L6h8Mcjs0+GkBpaFo4HDSTR7gOYnw== -----END CERTIFICATE-----]]></artwork>]]></sourcecode> </section> <!-- [rfced] Acknowledgements: How may we adjust to make more clear the relationship between these various documents (as in, which documents are meant to be similar to each other)? Original: This document uses a lot of text from similar documents [SP800208], ([RFC3279] and [RFC8410]) as well as [I-D.ietf-lamps-rfc8708bis]. Thanks go to the authors of those documents. "Copying always makes things easier and less error prone" - [RFC8411]. Perhaps: This document uses a lot of text from similar documents, including: [SP800208], [RFC3279] and [RFC8410], as well as [RFC9708]. Thanks goes to the authors of those documents. "Copying always makes things easier and less error prone" [RFC8411]. --> <section numbered="false" anchor="acknowledgments"> <name>Acknowledgments</name> <t>Thanks to <contact fullname="Russ Housley"/>, <contact fullname="Panos Kampanakis"/>, <contact fullname="Michael StJohns"/>, and <contact fullname="Corey Bonnell"/> forRuss Housley, Panos Kampanakis, Michael StJohns and Corey Bonnell fortheir helpful suggestions and reviews.</t> <t>This document uses a lot of text from similar documents <xref target="SP800208"/>, (<xref target="RFC3279"/> and <xref target="RFC8410"/>) as well as <xreftarget="I-D.ietf-lamps-rfc8708bis"/>.target="RFC9708"/>. Thanksgogoes to the authors of those documents. "Copying always makes things easier and less error prone"-<xref target="RFC8411"/>.</t> </section> </back> <!--##markdown-source: H4sIAAAAAAAAA9S9WZbjVpYg+I9VoBXnVLkX3YyYB0ZmZHAmjfNopClVKgwP JDiBRnA0hfL0HnoD/dm1h/rq3EmvpO+9AEnQjC65IkKZUR5+XGYk8N59dx5f PDw8cFt/u2AZ/rtByPjA47dTxld6Pd5aufyoAT9UrHD6kLNC5vI9f7KytrsN 47OLSbDxt9NlyPsrvrrass2KbfnRoyqYfHtnL3yHr7ETfONtrHC72Tn42nec Zdsbtofdbrbwgk306necY20ZLH3K8OHW5cItPPOjtQhWACGswvg/8P2pH/IL tg35Xci7Ae9ZK+fEW7tt8DBhK7axtn6wwpNsmMc2bOWwkPPXG3o/3EqCYAoS x7mBs7KWsKq7sbztg8+23sPCWq7DhyPA8RBO7fBBlLlwZy/9MIQVt6c1PF0t 9kscwC9z1oZZACRzuEOwmU82wW6d4evZRrvHP/B1f+lvAWFZ1/URHGvBN5gz tVZ+CBjD47Zr1REhoNeoNorcnJ1gGTdzQeVDAeHi9my1YxmO55MbwK8RNM+w s7+a8GX8Ej5dWv4CYFpb4fLPeKLHYDOBj62NMwWUT7fbdZhJp/Ep/Mjfs8fz U2n8IG1vgkPI0rRA+jvcFUi8s+FdQgrgJB2h64Kj7zgOMD8NNhnuAZ7ngRvC DF945IfWii8zFm7p0wjVBTg/W7z7CjbP8PnNab0Nmuy45XvM2QFnnehLFp3I pRcf99Zqgu/92aHHV/D4Qxg//ugEyyQItUceeHbqb/wEADVrz6Y3n9PuuV41 udscn3q0o6cIQ3+e4Dfvt+g98qXFbrphm8QWPSfYbm8+jw7oh07A907hli3D 5GahFz36ZwefuLNF2XpzrUlyhy0Dln+o7+ZWmPyW9gEJ2Fl8eWlXkptEZ6BH H132boNasAt91w9vtrD2myC8/eouquIH3mOJWwWbJQjinni3+lB4TAjYxnMM XTBsP8Qvu6W8aorS+UfJEDL8H/Yy77DNF34v8c5mEX1lyKYIXx2XYRh/oKoK fDANwwXhtNc2BEESjAxBuLU2E7bN8GeudwOfGF0UHjVBMtLNaq//2Gs/wjsP 8FL0TqQKuwzOsGQrN1IlKK6AEUD7bnFfG/acKVuyCE1nceDpz0P83xjdTSvW BtVVCJvttqRye6jlrI0bkkLog6JYBYtgcuI/IZCfaQmABSCT4HwPIgBswocj DXB196yHw+ERVn/0V9v0hjnp/kO3mH8YPcILyXP+KQYOlHRELjjs9rr7A5+1 QXVbDgjlabW1jnwz2EZPtVaM/5TtNR/Fz+eT9tbM8T3fuahfECAwAqv4ldtD iA+gg99j6yHmsWp/8NCnT0K28VnoA3jnXei7dwTK8NeTwRO9VrpazGd4w5CU BzGDuxGyzN+KLPP3Qxb9xoNtClzU35vdgqEwvkdhjlBYPD/Wxcf4T7li9/OX eKG8tQpW8Mbiw1N5eIr4qeADq60mOz+cAtO+f6wAj/3etDHv0UY904bzzxiN tAVItizp5vlHTdHjHxVTOX9qKKJw/VHEHxv5crf4fJ/EbL0B6j76lrMhHSAJ opaWVT1JX5JwvmGtrAnI8mpLYn9P2r9BzMH+NZzyhh3uf90GpQuaELaax7r1 wyPvbMu97xOq/x4AuR1Q/f63T/itM11aq1uxFLUHMaZ+riJqvwGXoqBIj2vX SyK0FazDL3yVd32X97e8NbHAU/z//s//62LhkcNBNh76/pIl0MvvVi7b8P1D 8NBgYQjk4LPbreXMw8dfx3wdjrbZ+biCv5p/FXeVf/9fC+Ddybvjw6/5Zi8r PX5FVSyZ61tgQT22CtnjJNjD6SUp3WPrtKDDz4Is6KIhK+kHEf8K6Xwv+yOu +CMs+WO2Xm51q/1Ko/fjY7tQSuIqjyKzcXyQ44uJuKDp4mvzvR14lTysBeIN q+JPn/n8yWab8PKwu/dD8J/hiV7282+wSNftwIdw0Pac379oBukBvD4BpabY 71Uf+l0wRfKDZkpfV6zgpkdm12ULkO9NGj/4cbsBjpE1QfgR/2Oa9JsppQXx kf7+qAnp7Sb6UtoLIv5v/Z6/IoFd3gpseLbTeGj48KxMlxfv+9dRUtxtgjUD J7XPFqTMdqt4mTBhqq8W/BNi44MSFdHqVLPN7EO90fsFywPwRw44RBmTFR4k TC+YP5mCg/uwRNXuP4QX4UgnMVA/P9agx5Iy9Ak2/QbqI3xnMDESuw/nXRjR D3sADxw0PXMfpqgobVSUXwP2O1qfL8Zv3Fet330zyBA2PWAM9RsxGy79h9Vu iRKT/PnxON0uF39IfPIgPsqP2qP4qML/9Eft5iiw+VVeLtHcNSb+9mNkm71e 9f4ZHJRrUDK7/aO3SYcg+RB9geu/W2zTnr/A3wJnh8dKe8FiERx+3K1/XAch BZw/rq012/yIPwTh9sfXnbXa7pY/RoHTZGOtp6f38kSg8HufHUIefZsp49vw 7kMnejeO0aJ3IZa2VtFO/Cdgd5mPQOB362/gOtIwDGKNSPUw3mX8wuLDf/+f hNJ//5/wQciHECz9+/8DbjXv/lc/4XR9IkDfyZv8IEoP5OjlvoZP5AkbtJEN 9gV0eLo3hRDeLQROmC4Eh9UisNwwXWymYYF0lMGIZD6d2wTOFLgzHWPxIbQ8 9vBLqOwkHuSTD5L98wAAC+lmLcBAwpE3qL1ctmeLYE1sSn7b5saR+ga9lUPD GVpL0IT//r8gZPEhKtlMGdheMLxoUhOua0iuqz8Hb/IDLkHNg3NmcNzDwwNv xV4tx1He5cxyfBj5qkAd62KefBc1Lny4iU7wzsuNNqf0B4fcddHVV+XBX5QH /6mS633mwyiy4iuwKOUs0NVNBF4UUHOfKr3e5y88G8W6pcE28wX7EKDxn1AH wYPnxNN/b/ThF34JIuU/bDeMcXtrA3pji64JPvAYZZvCG8fcWq8XePBtQELy 1eQXOraJ5Bf/CbTEZ/4AZgneC0Jge3/iAxNcDw1og+d2iIgPWTUOAuJtBASL 0Jv4AJhlH8TgLcDfB1eJqLf0XXfBOO4PuNgmcAESjMW4azib611wHIJPyFsh Zv++RHm5BJ44YEbbh0gmxi1iK+QPQHeKb977cJ9afaAeHCLYIOcBqtabYA8M cj40d6X0ef/t1NrCQZboJ5I/w3iQiVWEsVj2eABjDUYXOMxG+WCctcd0lr1g SCvmb5AmwYaB5ecvThGQ8MAWi8izDLdB4NLRXLYGfkFttzjFKo8LE84pUpde WZyQf5FNUXgJh498NsYYPHXiHQth3uwZItBacf5yHWy2yEn2zl8Q+9uLwJmT tXh/Fjh06If0dFLRAYjcjfuRiDeBvtmrACEVwS3fIyfMERoQcOQCPITFe/4K 3UYHNDRzzqEl0AcfBQWE2dUJR5SkBW9gIJqgApiHETrIH49wE9JmJAfgDyO5 7iEwou4jcAkg2eIWcWY0MrP40DJy8kPCoc1IGlhEIHw/ca7/GsYQLnchIJZx uzUqrehZMHd4ZvzNQ5ziMoh2Yj3kI+StXZTjPh/+keefp/4iAnyDzhQQMYGk q2pbWxtQ2cR3h2C3gE3I3Fk3aIetcFc45d7fbHfwyAn4xw52pJTunPgTBBGP vPTfNQGU0hY1DfxFhE+RXCGpIUAZGrJNQjWG/hujMyPlkkf1EdE55lh4znfI A7Jy4T2x98OE1xwj/QprQjcRL0RE4uJMOyqqkI9p+iVmivPCS+uE9NwBb4DE g4QS8yNoIOA+KjewKxAUcKAatgGwJ9CjEhyAVpsv+EgI4o2Pcw6Yhoj9QGIX wYkMEMJ27zjxrqCkwYsHZb4FlPRQTnHjaCVUsmApnY1vM5cjTeCHzi6M9e5P P8GjD/RoVAfAbPfPPz+iGs0HK2QligUoucJIushAg4WMMI2Z/JD/rjHo9b/7 Ev2Xb7bo526xM6h2iwX8uVfJ1uuXH7j4iV6lNagXrj9d38y3Go1isxC9DJ/y Nx9x3zWy4+8i2/Zdq92vtprZ+nd4nu2N4cbDA6PaLCIByAbJTMhdMILv5PLt //f/FhXAxf/RLeUlUQQExL8Yoq7AL6iVo91IfUa/oi7kAPXM2uAqIAGA8rUf eTqgGcMpeFo8uCUMsPnfvkfM/JDh/8l21qLyp/gDPPDNh2ec3XxIOPv4yYeX IyTe+ejONhds3nz+DtO38GbHN7+f8Z748J/+ZYFmExyqf/kThyyEdbY88WGU +r2ycO8skavYl/jpD/c4EVR/yN9QC0XjEo/kUfm7cR2MNvnpJ1DKl0rJzz9/ wXyMH6KRosf2LJLtG3mCLxcUV8fruAHmcmMdigr0qhliL2lpzVl4q2OsZJkw IZKkCSIdsrgKJllwnh0xiQomzI3lKsoHHcD3m96CeOMRnbVNGOsk5m2Rz5NO 0joAzww9t+/jxOIPj1yscAiFKBCkqmMzcVe/WEnc2yf++3PZ4YezASMQ0A3g Jjsf8x4rluG4nzKvu2DLfub+xIufIwLwK+agKdiQ6bggHKzKB88w3v5M7BUI GOft8Js/8v/6r7Cm9Dk6wg3VwD9boHuNbgkZC1DVHkMz8UeSXHpTJmgiq4YU ttFsoGZGVxt93GuoB78hbB7VVbcfoeRiKAMM7+6AAx4ULM9WsR5nLmiBKqiJ uEr6BVbCN61f8GwAxaRvzgbo6t9cbNbVtQSlc9X6N+khWjfy1MmHAbzecBMo KsRHhDowUMz1nciGbbAIeXZuvm4nCfOAyouh/MJ7oA4x54hR4QKZFT0IXGVp Hf0l+INfX836gITzuoDBweWIB9Ss337Ij6aSd3doHSg827AF6QYANVyiJr8L 3tUROPsO5L9twFezbH+BhVzyDwH7QNmLcwivbje+E6uo1eVFdGPYCtyngBI2 ALKz2LkoPw98yd8sD9bm+uCnXuyqiRBmAlhXUfzC94lY1SF9Hid14eP4DU57 1OkbiH5/+Axr9wJve7v2Vxb4nrIP9E7+gkuEIUuhOZ7tUz77+QbREZczC/TX xXO++jQBKWFgzi06oAvy3iFWW9C3EM9EoZB7Dz3kuyA3gP/lT5B+sWcbq2lQ T2yJkobvhe/zpRjYb9nER6Udh35RXEo+0K3JgHBnEQaRDEWhWZIhbYgPdus4 awHxVWR7vnCWyyDWwV2vzQ8kUrEDctYOcLpPP/0UrfIQrcB+/vkz4K0c2Qjk QXAqsNnhy9f5G+mHGuy9oUEfEs4Euv0BfTcgUZI6X/hpbANi5eqd+QzPE75n DCJcInpN9JyQzMPzjMzAMkBP65amC1B5wGsQtgIddp7lxBUPZAiI9KKgj2LV B8ACcGBUtEMcn7MnC3/OYvcAz0Y8AmGie4UQl4giowTeYwJuSUPgeaKkB8Q1 gI5q0Ochmg7j9oRIjUSYXZyivhmA4maT22xElLUAmkSsHlv2L/wmAHLks5HF xfrdD1fFnVAi6CpG+DrH/QkVgMfxw3DHOI8dgEo3O4N2hEBhZ4PHDQ4GrHqz WdIxicPXj4Y9OidHHEQwJNkHIIvPcGdf//3WNzmaZDCDYfjto5HYWtsogXBV jBj0X5nLgdhx+05Z4loxTF+IBcBhQkHCXWipW5DIWhL+QqLgwz0Kkue+AvQQ /3xNwmIB4d6fJOFixSbl4kBQ0HQtYFXfZQjbl7Ca+OYmUvkCcgCOgofe84od +MCegfK+STJ+alUL4WdCQvwxaTqKFC9eyvkw3N0049VDBQm5uiLg1cDa6KNF EMSB4Vc7WSAgQsptGGgplBWSIITLoYDRx4T3YxQhXrBxRQa1c73b7Pu4MeYH 1MtRdj0EM/hv//Zv8MHqUeTurPPTpcT40B+3i1/4298zl1d6bPszn8n88yWB 3IMYq9jMF/mfLh9RvvlCOf7dWo//xXc//XSz4KUpIfqTSJm8f/fmufjPfyFe CN+t+dOfLyD8/Jk/h1eX939GfHDcP1kY8QDzbeYuBJj//B3l2r77E8bUxQxF FZYdgN0Jo9YMwLS3CZZJHJOSoYwc6HK0/JQQQ07Cal6cyo5f/+knbL3BjECP sTgqxsYlYIJYJfOiaRg3Lz1y/5QmKP8UcQGQa+GS5rvHD5GRxMeI8MjUS2ah 2CIP/Ld7OfdIwSWKDSCz18foNOg7kxAB/q5ihJF4glhf4kgLdXqwjmThS5Q1 QDSGYeD4xOIJ+mJGn4++v1MMONvV63d0+Fgcksvgx2fX+h5aqCXjnJ2+SeNz ST+Asgjo2NohvIoq6A/U0npPD0VAfNAtUUrxqvnunisG51ZwuV/UElGI616z RoTZj2rj0rv6C0oDnwOSIgQJSOnw5/yf7z4A5A/TMHxYLEOq0oLq+3jcR1Is KFZfeYNv5Z6K+T5fLRSb/WqpWuyi+rhoCz8MPkFUu2QYITzYgXv6BAHpLvxk KMJnfhNabuh/EkVZVczP/HruhPg0/tf8ZH6O1wiXEJd+ErXPiOxPEJWK+lm+ mxA4x6norx/qPuthfQr8HsInetEQ3IA+jZdYbi+vnys9p1WwOi3xvchSxLEJ 8OfSj1u9zvUZa8VBGA7WlXpiz3x7SbQRvDZzgLtJ0WC74g9npk9w1ippjvbW Ag312ZrRijd1h0uYNaXi/wUYtMvICViXebzuR48nUhSxPY1ikGizL7y9Qy+L StKAqIkP3saJ+/7cu/ADptYhwIgUTPz9pUUtYTCTlvnsSlOKIpJAqih9XQR/ gcPpzV9hcWpH+Hb+vnn825j7spr7EGwmoIzfCAnIqW7gftI+RwnVFdvC02ee jt26T+rnhC+Ov63n/vGT/jnhf+AKsnJm+d+PSwibCTaRTfFvZhNc8+/JJ6DR /3pWwZe/gVuW29/IL4kX/oE4Rv2P4RhE6j8s09xMnFwf5Lh8MmYDVxyD6Lgo +H3stEVpW3LTT5hnu2IwYqlT4iPugvvIjicjH3/lXmLDpK+znW6C3YScr8uH XILTKOq4Z7puirgrCkeo2hL7ZAnHCVBwVfgRFSIoLq0XsMStmxCFX1dS3nsr PHdBcAlHK7nGI/ccRY2xPeR7OxKkiBpADGw4odjmyzkyvfmaz1X7fK/frTbL lCCx/FXIRexzA8P2hrMf37einGGP3O2zc8638v3iZXkEIkoBX3ByuyplPVaU Pvrl80SUv1mcUgzrNXkXvMV9OOYnKxIHOgtGetdzf05Gd1EyGOu+FKMjY622 nO1ffIubXaMloy6I8O6rfOJV2JJLvvglzm6Bg/NHemDBrK+/ndyYS275i29d j3n1wa+SGhdM37mv73y3d6EvKsn1/AHeQc/kAXsIe6CO24NcvZp/qBXHN2o4 oZ3v+4znPqoHHl9dBTELHSB8WiOLPJw7rNrZbrYB3ku3GAcV5/b7YreP2z4M etly8RrW/nSujVxaYr7A8qsuW+9cP0qO4mlRPeETX3inW8cf+J+T2vw9aq5h xj28vEPKw5X/ECc3FKQdfl1lfAwuogQR2oT/Aaj8MfrmR/jmf/CXPqdHHqPi hF24aBraDGWQ0mzJNpNgxUU9D1iBi/vfom/vwvHI30YEX22Ejfpgsaw0WTDq 8PpYrMKuixV130RxbdQBFUXM15LHAtvzsHpFKfjXXVQbEyPGjjzUD6z93m/9 Jt7Gl347Yyf92X9wrv6AlV9m6yQ+vo2nv2rQYl56D0CCqRGNv5Wrabt7XM3F sePXufodJLf+7112eufbfjNHNfp/HU9dfd7/DbjqPXJ+nbGuaPn7sdY7KN5x 13L7H8xft+CQt4yHHFAjXw487wh/l94H6m51rpOP27ipidRk5OJeek7g82id hCPM0UwATkxfXezYUbxvhL/cD+E3Xwm9ou6iSxBwz0XjLolEC+sTUbEs6atf ACO/NFm1iUmGZ7qegyLI2EHF9rzI6QlW5zYA7pqljcKezG9l6WDDxVydrBpt +XM/1GX3AAt48S5Ay/8stFIxlY+Lqb+GX/4ufrlvxy//DfjlbvGLB/2rMPqH u5ccRDISYioPS05RiIA9O+d4+n5W+kN1mnKRH16O6vwbhm3m1I2VaK2KSBwF RV/ptL+0291JskfUulcr+nKrvwgvAUTiUVz0LimPQY+FLUuRwNxLwETtd5h1 vxaTYHOkIlZV4L9Y0ksQFRHJJQpet4SGICqMejUufH7uEXlXuLtBxru2uPeN jzHqOWfDot6h63oB1aCjzlyUVmQxBmyY2CeMW//dc+t//DhERF5wbRF45G+w xXu7xQKnK6y47SFucMZsc/TTxiIexJoyZ533PaeT4b04afzBIb4C7787+U8/ nVtjtEcJ34jd73MBIlqKS3gh37JW7roWGKWo5BmTLYaMSxidb1kx/27Fx6ga 42wZtafQbDRbgxwgheOY/WZd4l/mcq6/gSUXpyhuT+QV0I0PMAflulFvxCmZ Vbr1YR75Ujyaksgb0SETv9f9cHs12zGJbyBOgBWz9XcXmIeoZ75LAniuhcXx 8R3tExvo+1WPuEp91inRpMop7hp7zyYHK0x0bgerK3teGN9/BFckwdv4DmVF cEPseIxYneIgbNzGBsaoEXIbR6x3RBSO99fEhB+8G+7rIpCoMfwaCm8M4q/g 751s/O4IfLfft2Dwq/7hr2PwdrdYzdxtbTqXVNdsgyugn+g41ARCyVSd5Ji7 gncbynwLRRK+yDfQ5EbBcIji350stzrtP4AyNxv+vYlDQUD5ssZ1eCGxLl3L 9G4O7DdvRg1ApGYbgbtbMP6nP2BroRWuxJ85rpSsdYO7tFkH4Vmp3vRcAD/E diBurl7F3y+jValyfm3MuOaH4FkANemS3jRynQtDv3RLxh/5kDEOFzeFyEb5 4e2ZaMgLFltfCXsZE0k28iX7eqKKMxfDHw2MhXEp6m5/yi83FnAcPMwXC9V+ q5vh2+hDU2PBwgLEfv/VN384u14xHFGjSIImsatDniydAbaJy2MjvAWqV8n1 HiRBUjgM5f+ayley5kVpgft1L9AVAOMn4fzTA34hRnMRuP+nfq7wmQeeKhRL 1WYVO4V6fLXRrlfzYG372XKPIvtcsVxtclxx1G51+z0enNY/chw8hr/B7tfs yBe+Vy03s/1Bt/hw6V8i+ErdViNRhLzK9QPeLkY5kgvluHOS42+oCX5LVfCC netMcIQl6x6cgvRJNQhZsLb1Pp/+5U6O/XrwRv+aj5MEUabjfp2/3iPgb+oR oVNdG0U+sESioYNg+6QpcMo/4jAs/OVbUZ03WSKEL/Cbr3hX71ryfuGU3G9t LPh7SMo3txRwv72M/R8GHxawY/rcvV+Q+kQTudCYYh/Z9rdQC96+SbTfEfUr Kn493X4353lVJT1g//ep/Z/xEbr87yGfbeMTl20KfG5811nFjOcZ9ERG968A /jav++3gJ3b9DQdIsNzPEbXvVfF+A/m+pU7y61T7lVz2XazczWL/TSls7lsr HNy35fK/heD/QCf/thR8rCASfR6fABufkyk6eOKyQHgXM7AAuW7suLZw7j/x OLlb6ECh0f5Klfkv9yp0yQ+vR6FO6MfHR+6XVdsnkOXP+MDlW/gy/GV5fn+I 5KvndT+c5o6y/Ev8+cfTfFAwydMUm4WoHvKHr06cRg7+ZXYoDlyuk1+vO3/D ontOboa2LqHF1pozmhAPKLbYUQ9vNvzqVGB4dyzw400D17TqF97iwPPf8CvG 3DDOy1k05xPn3bYBTjZ+ZSKPRiGwXoK5xMuWkSPtby4zh1+i5PLBj2IMOLsf zoFwU2sXXtJZ1y1a4ICe5/SihRJnfIxipXsjqfE4L+9sdnSDGIbMWwA0qlCd b6Jw6GgQqWGi7MMw2CNXpbjTopvWcNyW5oSwER6WC2xKlSdwQJWhQ5AYszhf ahDnVt1r4SvOm0eTafGkyWXiNGomia/CiC8EAjp6EL5gGz4XlaAwjjtDhkO9 UfoWvpvQLYT893hf3Q90JwfE9LEBiW4EpNiJ+/7djWUQBrLjFtkQKIVjYwk+ OLPf9e4Sax/4UaYTKcidExHnYbvzrCcN3VE8TF4THoRywfG9DjTFkmB/OhdH TTvx5T90vQQuFs/hetbSX/jW5ty+755fDwnq6O6clYtTpcAfQ2vjB7swMdcX tbB9lejngeU4q01DltXEFDLeQLSJSgiLm1tqrrkWG3vmEAdrC/j1Oh0AGiOO JG+HyqnRwmG3g0uwyCKYTM7sckYr3uJ3pOsWrfD9HTkXCOK+7RjUePyIBggB 8N2W5kKwZMEjjn0Qgmi6IZFeusjvTXL5kc9PmTOP2xJpcZB1/nKXyLtByyh7 FJH4JkG9YRSJA5xV7/YlHMJAj2cLpKHx4A1jeK8Hkv9mlURGJk5HJfQC6uYN e7DA3G4JOGSBxemybxJxn9ZBiFJ1ouuC5pcmuOtqCJP3a8vgJQ7wyc1h4kuV 4qQQ9lHi1WGe5S8oWYbQ4ZVEdPnBV3giUuARx0IsF9HkrgLGaVWaN8Eiyzbq 8T9Yp/B2bn3O2JqYn9ooo/tfiI4IqH1RbrDQbmUtbX+yi46Mt90wGmklWlx5 PVmVg6NkQWoickRyhdmpzT6iUyyCp9u6x7nqoZLdi9XTl2hqG8FYgxa8TOqe J0PoVqGoH9HdE55iJqDi0Qb4Ki50AQZuDQrG9gRZeFo5000AgVhsoW22PTDq dlztA5zyXkRljssvEKTjHZLEv+7OoUF9sPi565xvN5rSTV6Y+tMf3k3w3vTf XgakUS/RfNPUn0wBQUtyY5Lq9nqbEB/f7hQNkie5ICkVcYstlnnwnb218F10 NYAb/cA9Mw9i9qypQhqbxyauD6PLLKk/Dx+mIhdoV69QRCaYiy7y6dUrD4Ve 9vP5jhV3F7VS3IgYzXLBzxs01VRAC+IRcMYhslcudlGeAY6UVojlbDLrwXks 2fLYZGchNwOHry+3LcUbce83im+qigQmeU8Frsq2PKLgonauG9OVASD/iPro xjgULjT6voPzwyQKX/dLaFdEJ7bngWQfEOBfwTiaP9A5BBl6RJGCJWNCDLPe BHbMEJQH/rp186MEP6IJUMqQiXu3phGvGkPPhuib4DQCDvVHRPjbHYC43F2x 1t+5s1HO9l8wjo1uzT/4kwleLYkZS1orvlSImuNvnWiOw1vVPo6lnTtybnLf l3l9Sqr/HInt647h1DZ3fuP+nZVx/jo5l/vp9uZL4TN37tsHB+EvfIE5/hKY 4C9xQq5AqKCm9HOOLvqqe/m/Xzh/DG/jpXTRI+efPvz5ylf4dj9XiB+5nwKm r/71+2IhnvusVHsYBv3rD/A2R1jGG0jOt4ZRZfZXr/J8jw/tig8gdnwL6Q/x uCh4xInqMuAUvdP/dLTJyvmRu0lK/pfQ9hdM0H18O5lE/CWkI0wo8MjmWK+N eoX28k2FvRj5gXFff9z2QW4GynfIFt5D3ClxeT3ZUhTpZ1g9Lksklo5uyixY W+t8ZybPD/GiOLyZXOY/CUfpmlruRaqySfbz+jz+YUbGFDOulhE0/EHxMg7L ePL11Y/RfYafhuHlgSoO4G8yfJ7/Z37Q+8JDoPvP/DD7ha/Dfytss3IxU9KC X3LBBHz4fPYKb2zObgBqgmLLkdOZARN84kWFF4yMamREkSdJKDf6H17I0sV4 916Qb1+Iu7/+KnDjd9/9n8AEt/hMfPkVhJ3/wGeJLqrMh+/bHTLqZ0P38QH8 IwiZ+K+Yuf6sJn5WMo6QMbWMKN1fwbAzzMrIRkYWMrqRYXbG0zKenVHkjKtn dC9jwl+WMcSMbN5fgUkZ3cnYZkZWMgrLaCyjyhnRzHhChsGvRkZXMwb8hQXl +ytIAIOZ0e2MCCtouB2s46gZJmdUKyMaGcFG8JiaEa+ciTU6kJdLs114u3b8 9ZlotwNUH8FAflEz2VympGTypYwgZzQzI0gZDbCSzah6Rilk8mqmoGZycka/ g0sji2eWRDjwPTiul+j8Z0MS/V8voFFG92W1DTO8g84r+D8flspnM/3uoHhv mUur7S+9ntBlUZI0363TT/ToL+qW65fUWXQ95pW1v/ZXyZhORtYzqpTxPGRM V7++7noZT82oNkqMbWVUIeNI9K+T0eArOWOLGR1Y1csITkayUDjsBNsyl4SJ oZpkOqoZkDbXyhhuxgJx0RHvipSRpYwLEmBmFCujuNfXPXjARo6GlUUnozpE XBn3hV8BbFPNaG5GFjOmlXHMjAMrK9fXYSmLITwgtQ5QX8xYcFIvYwAkcByG cmwrGdvD3V1YTciI3vV1AFuFb10ETLQymprRhYxLMmdrGctFUGF3UUOkgQ6Q 4N/E7iCOhoang0PBppaSMTxEI0BogsJQUEwlOSNJdBAdl3LV6+uwpqShFhEB bBs3NSQERhQymoNg6wCSkgEMO8DkQsYWMnIC86BObBX1kEgPKyKeBQkt0GFh UxkJqhgZw0E75goZKbE7PI8SZCNOVIbqUIIFdXwdzisSTeFX0FiukVFs/IEl CCc7iCvPQY6SNaSgZWUkBc8LyAfLCci0DCSf5CIyAUhXTDCthFvDCgC/QSpN 1FExK0Bu4FJQeHrGAhXLkB/gXMAAWoJpgc2AH5iIGhG4ApgNwAOAgYtgF8Ak qFjQoEzB08GLQBQ18bop4ZqujXgDfnYZ8g9wLyp7YHI9YwhIQZc4mQGQDJF/ JZycAYsKrAgCYhH+gSuAQHBkeAzNhYFQAf8D0dHgGGgQrrsD12kZBht5iFjH xVMDACCVTMO3UProZ5AdyUHMyAnUAYaBYYA3gPMBCcgDSkb18HkQH2Ah00TM y/CAiYRAciScIqARPiYjTuBbAAyODDCAsEiwIMk+sDrwA+wCog0nFRJ0h3PB CvCJbZN+sDOqiSJveWQbQVKcjCUjQoBGYAk9KyMkdgdJ8UBeYFMdxVa0kQFc l9QCSIGA2gZ+VekZ3MJFrri8DucC3rZJEgGrADkwgM4Q4ZqF9hA42VGQ7oxw DgIoJF4HVIApAd6wJPTv4KRAIEdDnQCWFjbVTaQX8q2DBAJgnATbwBbAWiCD JmgV2FHGUwC9gEagNIBvwV8wFdJjoBVdFDpLS/A8kQzkHfYF+28DDMS68CJg Fc6LCCc1C3SxVFRlUgLz8C0oB1BxIE3wDDopCkICzgUyLUONDTJlkRKAX5FD EsoKZURCtIA2ANIjbzgoX8A/sA4oajgXMA98BWdhHlpSIfE6eMRgIwDDwN7I kzaeBbQfYBusA4gzqDs4FDyGOCEeYEZCWWm4I+yFGt4lXWegcKkqYhJMAEAL GMCzWyiJwJBq4uyAItASIHFAdOAxsDUGoQLOC4rOEZEh4UVZxQVhNZAIOWki GeITWBHAAx7TNZRokCOb7BogX7aRWOCaqaT3QHXICYEFroCzg7MG+hP0Bqpr FykLxyS3OqOYqPnBWAA2HHIMzYRvCNuhMGqomkDkQRHB62CSgD+BSeBXh6wz HAG4GiCXyPW7SlxkGlQ0cCAs4AYiB5K1gk8ksjgKqSMgARgOT7wxkbKLmh8g dCJEqaj3gNwKuahAZXhAoygHNC3IJvCek2BakBc4NZzOJacYZA14A7AB6AWd AwgHywVHA84HkyEZaA2dpLIiLQcaD7AEjAq/2oQl0CE6ObmIMYYwAGkUErck 3c0IHhnxA3jQic1cwpVOQiTKKONACNTJHqpfpt4YaBAEQI5N3A6cBu8C5IB5 kMHI0wDGg4NYkQ5xUCSvXCeS1bYRQmBIZH4BGQzME6ARnodvRTeOBoAc4Ed5 Ce8CaASLg7gBx4INRaPg4Q/gh8AiiHAdHwAFBVt4pFHlpHNiE2lUVCmAUnD8 beJeNEYMRRs1tkbm20MNBgrNTTonkU+iIZBK9JaHdhYEELAKuBIpnoCDgO5F 7Sci5yetDBwKaA0wo0QbKLA6nRqUEhAaKAK7g0YFcwmaUCWtcjXQsDJDbQw/ gISCkhQplgJmAH0OekYhqwH0AqkBfgYONBPAgwuEtkknJAuIYWBvQLtNOAGe ATYDhjFIXkziuqRjBtwF/GCTiQcYQCFopH+AOkBigAQQBUINiwNHgfoCIM2E xIE2A1dHIM0GMACqNaIdGGvAOfwrku1ApaSTT3sr74BV8ApAlQFUgGo0iCai GvEm4dlBasBWgvoCEiBWBTRe190jb1BB388irgPDBACb5IzZ9BXIDoSVYJph HTCXSdQBI4FCAxukkWkGnYM2XUStAtyOXrqDnKCQiQG6R/7VVV1YiDfQYGBn YSMQRtAnNqFXpTVNUpjAcjY5S6CQkybSIlccHTMHzY1LUgasCxwY+/MuanIg Ilocmxg76V0ISBGQO0AyiryKsmOQyYBlPdLPoIgsslzogko3AoupGg3VBbAK LAskg0XgIEg+ikcAV8DMsCZwrEuyKSZ2B1sAKgJCFXgReBWlW0RPCVaDg4N/ C2oEDoVsIKH91Yh5rrtTzAI6DQ6LUqmhTQE/yiE/HBAIfOgSaaLwChxLNSEy LgkIkAbUAsiXQNYf9BtYOpsEBH4GPhHpIEAydNcTbAN8BWoZ4MesgIei4ZHP DEIKSHbJZIPDD+aGkfECVewlgmWRnGRgJ+AKjOMcZD+H7CCwmUc4AUUKZAWO NchDEJJnl1D7Afwg1OCs6i4iDVZDGonIbBJ5+Bp5qohG54brQBiBVWzyrDwy 3+icaEh0hTS8S8Aw0s+gr0BkxMTuGDJI+LxD4R6oKYdiVeAxAB50JnAdACya pDRIA7PE2YGaCiMHXkRowdAASwPVIC4ASQfMg4DDWUCTQESAiBJuvMoowwRH gJgFyG2SMQVUIKUMVOzoLQuodlCoLTKgSWVloH0HlxVTRBoSHS2UgvIFYMOh Ir8RSAkHh4fBZIgJZQWhCkgrnFGgIFqi8zIyMaAu4F/gW1BHgBDQEoBGDNYS bAM4B5YAEw9xH2gb4Ao4pkYcC8oKBNwiKwaaBGjnkSFL0h2YEEESUQ26RB2P HDmwHTa9go6ii8ICWHXtONC7mgkXF0R32kUzAawOIo+K10FmRutvESdTWIEu qHqjbTCv6SKPgRsGBg6DUMpaAIktsvVgONCbJW0A/Im5iISNsyjsEkmbMYpZ wEzAQQAbCuUEwBHSSM8jS0soFHJSVSpIFEAmyCOQFXgeyAoKEE9kowyqpLIA SOD/yIdU5KilCv95wD/Uo04Nd9VSNZ/tF+lTrlGtllezfD47sibZQzWXnVSf si2/K06sbt/Q3xpZoZw/vZZ7VVsudIpPxWyj2ygYx/xb9ik3aQ65XHbczy6G /UYnPOQ748Kw06kWsk/PnX6x08gq5aw4KOYOh0qvPDzZy+7enhW7jaxBn+cn hyrXWZord9SYdITioTJ1mo1Z59DsF4VGYSK2CsXjM3729u6zWTZ93pCDHcvF w9Nw8FasN7LzaOXsIT+cF4/FQraFYOayTiMnTBfOUp3bknIs9rPt6POgweWL T/sXefhWLTZzjaJyKHTG9VrwUp3unWa2M+9kYZl2J4t/cvQP/Qynntbq2mxy 4FhrL6WE9shTU2zSX/lefS70l2q/7BV2VuW5NDEbG20UDrprtXVkTaucDQ9q tzUbv+WmAFaZA5DdwqTznMt1xyVrL7wdmuvsMqcNBbkk2s2TP51PrULWQ5Ar vUaxXMg+TxLPcncepvNVuo1c1jOKuX62kO1U0jFF3MKhmEsfOkUkeW6WbXK5 Sfg6nftl8yDk8t1sodhp5XPdYvbdn+Kq4PbS+mokp4d21l53DotCw063jpxj Go3a7vVNfxmzt507zrmvzbXsTDuz+ktqsG6ap3Bcmx4dq9N+qzydhna/bJ2c 12Lf0t58o3nkNoVUZWAryraefpGfsl5l0TNT3fXCaXbL21exaXctNXVaCYry ku/NUvPZoVxcCp169VRzFpI85Ha9sVq0tuXJRujY9a720pIrnXr2zag/5yr1 bm74dDhIbq2/m/uNvpldALr1eUnpVevOoTQdM26b0se9lL5tVwpG+m08fvU7 s6laWrw+Dbbb6Vs3u9oeJuNgXDJypfFerQR9dT0slFbPT5upYiybnD5VXoXB i6ixXuflUBrNF31729owP+Vt0nmWXZojS6lqh/Awq9la0TGLuUXYtpWTxUa5 xtTgVgs7rAv7Zne8H6mvbueYGk/rOedYPZa0zfpVnJbSy1G19vJaeF3Px8x6 Kp0K2ZeSkW5Iqfr6qcOljtXuYjJpnnqd5k5K68+d572nWkaQ7o6VfVDr7Z8a pt6wJ65Y61j5ozx8auwkOfvaXOo1Z2Zwiqwr1m7Ijq1+4GXD7PQ4FIPJS2dh jL1S6UnN1XxHr1cq1nz8tqxPZ6bmhGL5SVnkju5qkFpy+VdFHVSfT/mx6J8G h+7qcOqurcO2aIvH7eTttfk07afzeoNpPae+ep3PWD2YZcvrVUETmxXnjZtM KgNdrhbFxX5h+gd7E9hF5/BUnLq2vKm1A/N1KY7KYtlvroe7/FbrZ0+Waoju ONjUTk92i5uNSroQFpvL2XBYUzqpwutIE19z0sxvvcnGXO9L0+fKbm6w4b7/ NOx0N5YVPudKTzNBLh76yxfOnb0uhZ452timsRp6jeZBWE/zC/0kWKWDUik1 1PXicDJyvca6aLfLxbabezqExZIku43dqGpytqGujXWlXOo9t6XZNKWLYWr0 9rxZrybPtWI9V8+nWHHYCPdOZ85Sq+LbTH7uOK47X1cKTWN74rpNp+lUB/28 dnor6IWFclKru5eTIr6pxqA8L7BFapcqH57GL+7mLZQXRmmUynn+qPKi5V68 UZpbrl4bi+1MeTNnztBRV2yS26TtMF1+ExeLRsnavuZb+9de6mmd8yoHe6DN UsuFAJ8dp858Ygw55TCslUpFVlUq+7c0C/zKSKn3JvJT4KzG4iE3OKhsYNZW 5Va4P1SfnnJ2rglMOCg+leTUU55xp72mt51uXgyWxWWxLjzVW4IkKpuX11Xa zs0GzJueHLFlZ3dC0ZHZ3GqY9f08fB6Ua5XUAKigaMVGZ10zXlljWw2qoicX h34l95q1tsWXmrwYbHsjfbMtMkmpeqY0SDtzxxJX3fmiuM4aesjthfKiVF4M WpuOKg26rmHXhVF5552GKT3dmFUCZT/VW/WONVxnQSO5/kyUW0bJPVSepr03 r8QtguPWT0+fpddDql2pPr3t7UJ6Ibeb5iJ4szzXVF9mUnBwZX1yekvtRsVx O2Vpr6oy35205dMbdzi+rTtPuef+sV7Y7TsbqXvsvLVyXam1S7+cJo16t9UM JaNvTaXVMJ/XJoudonZTT8azszy4B5sbl7zt2n87lQ6l9Jq5zktjbuTb9Xav dapOW0bhsB9tcv2SmV4ZhjMoBiWp6+3YccDc/NuyvStyq4JV7xz2gxM7PPVW 2f54X5VO9a74ll/L+Vre1Y+rZ7/55odzNTseVepHo81KS/PJE/Vh6ZDNctns UO0ea97bLnRf20IzzE2L1s4c1Ir2vOyNt+1VT1/1x7XN0q3VKoE9KSwn+XwQ BK3jUF88v3KBcxqIhbEVis6iURPC0bKlVfenV7ZYzM3tpFDNT48p9/CUmp9y u+eOvWGbunScjEauP967tSZ37HSNZ7Vm+Z5liItRJV8SjOeqMt6UU9XXJmNi S3XNXqm1Hocvo1RbeNmD2vVW5XG5enQWB4Frlh1rLa3NYa09Xh5NO5Wd5thw W4j8omKz8NErirvRaVD192svoP83yN+tvwBcRJ2hYwwhDITk4KBiVK5Stpay o7pBeUIdcwuG8+FlmSIQ1f3lhgRs3LjbkVDqRpX9trXBSyuudX1C6m/pRXja LXhRQBccYJWUX+9FwBd4I/nCL/UifDOgf0MXwg2Wzn/ww79vHwJW86PAXsOE C0SVGlVKMB5wMWa7u4JKr+sUPgFbQDBmU9CrU9JWkHApi0IXz7m/AmzBqI6l U3QE4ZPNKOVBpTuImjAX6eK39ld6IUTKDEJYCy9ihtHFuBRTxlTz0zXKKVME Zbn3V0AWFzCANyQ8OALjZeL/C1388/dtWoBILV9EEcmqCDWE/6USBn2YpSxm cvmMVEDmK4JkFbGd4MMC8KqWwy6Dwt/YtPB7Q/IP3rRwkaxv6lpgahyx2wYm 1KK6OwT/HmWro5qHYWFW4po4oJDbohwiRt2UHBc0fMylzBdwJnCdQ8pGpKSt lWByTPBJmAFUqADMKMOlCASDGdfRFZNyJRLWKlwPOf+aOKC0LPA286iybiH8 WL+hbCaABPodoIWtXQGTWbaKhfBrtsuiKjvl0B0XcwoipSYtSo+aVLHAIo2S EXSUd6wJJXPrFtYhMK9HO2qUDo4KeAo1emk6ChrWWiSskWANNaEimIPpDIVy 8aqIKRXZwseYiEl2QcGstENtS8C4skl5vUSOFd9VMaPBqALnUJYTVA08ZpFh A7pgnZKSvwZVr4UE5k0T+xtEFxULHNyhqi1sxKiYChrSpL+iiLk2U0cloyfK UZiNpfoWGEukOPUuyJQdM6mago0mlJUGlas4SCMl8TpgyaQkIJJexZI5oA7b IwhLNtE0KsaYBjKMQQXaK9NSd4VCuU7gLp26OoA5bRFPFHEUQAJqGQiBhViG C15T8wqmk2SqFMLz2JlBNVfZQEbyKEcGnxt0fIvKAzeZfepIiFrIPMrOY48Z ZZ2wFUMmLa0jwK6OdS9DvakfgygBRSyBsuomFhWwYGxitleMiiImEh0WFKhM Iqg36WngLqz6qHhMIKhqxmUnRhZEsChZJiFnxslfGel4RZ1MFUeq3GDZidqM XKrqAaWw+CRgXUegvLNNouEl1AWWlqmIBZjRKH8tasjzNlWtsGht4g/YNiSg 8II0JctRtkPFS+oPMDyUEWzCsPGYwAACNR9gMtGkiqZJEpHQNmDgGJ0LiAKk B+1hUa5fYSihjOrBcECQcVAjLpVAdPMGdajKJDTiKjU9AKgyJTc1EfnBoYyn SYoISIx8mKydE8NrKn7liGjuFepJMmVUOyb1w2F5zEJuwWS3epPllGQUTNgR eA9Owc4dUZ5Hi6goxUBxTHFS0hm4yDZutA3W7RR8Es5lEmzgh2BBVEZcYeFT R7RoZN/hE8u80XUC6RPLpuop9UkgsUi9I5NbyM+gYC0qSQJ1jIRH5EblEJ2y /y4qFsA2WARgAINK/oAZILopoq6GZUFgk4raoHI1PONSbxnQCLYDQjOqIntU bfKi8pKFDIMdFckaKhV0kTFEalWhUivICxAdk7weZooxce9SzYlKL26iMGBG lR5y/KIUuUONL45AtSgBP8euOx3F1qLFtYTImFR6xJqlhKYB+A2eAbMChkam tDsj5wq4AvgWnkSrkSCcQCGEQPUqmZobkBMove5SvRwwoFA/B/5KNYNk4R9W tqhtC3meCv9oyMgKw88qtaaBDtfJ4njUVZPs1PHIoIhEMrCkatTdRVUKgZQw +IEKledBnwAasfqVUFYWUQqbewxU+PAvsIdAZWOVahhwZPRpqePTIm2sJqyM HDXS6ajD0daLaGIkqkKBfrPJW0CzbqLei3RpspKHWo66MQCr8ABoD/g1KiIq FjWaKKSrLbShWEHxbkpxOpWTseAddeEY6MzAGbWol0JEEmikQEAhSFS0u6nk iQgqbAqAmVRD0qlGAhiOIFFI2QLbaFRNB+aXkkxLRgTeBVcE5Z1wqEQtCxpC DsIOSi/qFwR8SsKNayQTW4IUANrBnIHC0ailEnsEBSrJSKj9QFFjL4iBOkFK 9otQPxywlkY9cDJVPgBFgElgVI00P34lZ6LuSbBQyQquSewKHyKbuYgZgd4F 2wHqCxQX9h5JuJRApeio6STZ9AAqUaLiNBo1kzrAPGQ87KXQEWD4xCMEAgAy kT5ZCLSj+rSHJECXzEK5wKq2Q/LlIiTAvQoBjxJk3BBOox4pm3rUgEURQoe0 q4eWC2Qf9DwcUNPj5kgngXn4CphKpmYFkEfAm0UVL6CyRhVEbA+ykBA6tWPK hMmrxMkEHlX6gSWA1hgqitSnRY6iTg3tInVWuRIpokS7Cag1hVwRV8TDgjRh h5NGtTeR+mgpko37QkQ0/UmnFCAEtOAxBYp2qcMMBAFNOaP+XdJ+ACFWwckE S8kuZJtE2CLgqZvKpmY4RiykkDMJbIb9HDJyvk7Hv7wOpzapHQpUOuo9mQwZ aUswpsAkCnn4FtXzgD1APyTbDkAMLeJ2cDVBUqLWFpU0LdpHYkibGlawmUmm Iyg3Rgo7q6gAj70y1F+oEMUxfhGwsojdutTIi305Dh7kijoKRljkjXh4CpWc MZk6YBTKEiCxqPnDpSK3ptyoSoG8ZY/0Ffb5GfGsAUiWQJV+nBdw0IiAq6Pq N2YC7JdBQgqAKeS6g7ETyLVQyGNU6PXINwO0AyrYbfu4SPyMXYwCtZs41N9G DXNoYVUkOlDEorI9EFdKBCMgoTrpZEA4YFUhnSZRwxNQCrMcFLvpZLZM4joh AbxIhkyn+rdJBWZsSHXJp6KYAjAgUrOLTLGJbd9kKkTyn2UyVcjq1A0jUKgI 28kkEchXGq2mUhNM0qeluEOlBItMiwPvobdGTgL2FdlogkFLRF2GgLpkNGFQ h5BOTVQijYQoJF+AfNDJsCAjr8Ojdk+R7K+aMFJovGxk14hVQCPh0IqNhAMN iT4PNQREkgvMI3i3tXOdmlapLQk8DYMaUwCZoA+BRow43CVJ0anVTHBvAnDg bewPcFGXGmTEUX4pXlYJYIVcdIzlFdQJ2KmWIBzGaIQT7O+nnjxYEIgO2IAF bToCMKRJ+sclhWYl2MamngybYMagQKVoRaYImpGHc+6GAdzCw8DhatI5Ib/I ikaBKPZBG0Edt9ixFzW7aLisQmkB4CI5oagBV9glY6H3ZVEwFUVkZmQWSUgj uw/qC6QJkGMm3UJGHTCkk11qCQKxchm6YSBEWtT7RdYtSn3o+s2oEZ6XYi5s 9Ke34OAG+faoAM+BAPp7NMsGaDcSTAv+JPwqUPIQhZ36pIF/gNtBUgAek5Qw WBOH+kqRdgngwaBEKUeZmi+BT3RqFsehJxfJ4VBQ7EVxloOi5CbnPTRqB5Tj Dioc0pDRRY/iON2MO7ZV6sYAjY092YnMCRgIl7xlh9qMLAooFOrwg8NKNOeg UTMxGBcI4lD1JRU1za6I1NunUA8l/GtSZ5tFuAIFBXEKeqqkc0zvZtZFo5Z6 eMWg5hhGTiyIACMSMEpJ4bAKyQL4RRalIJIWVqfECCOogNboolAiAuNBGTkZ qIBZFHIsHeqFStp3jdgGJAUUvhc12esIBtAL9D/IvkA9dvCvQw6qk/RpjbhH E8AA/pSprRZUBGgGiaIhkHEgrmnHPdYY4iWcUpWa2nGgIkqUERdZhCjgKOxI U5FLMRHhxoaGJdwDEEOHOswUgkqheM2hv3hwSqNJ1IpqUGuvKd3Iu06DQA4l 5SzqNIIjaJRsUcn/VymxHDl+Jo2F2IkQ2CUv0SN/241aDDVyBclFwQ5+GSGx qKNUJhcx2UYctaaBYkc3kmYDFAouojwV/KBQPxxsalIfLc6NJoBXKR/iEu1w SInwJlGeEA5ikGshU7bHo8EVFMlkfxi1jNvUFy6Rdwc8plKHokBxpUDNhS4R Ak4hkVecDEYsSqOBXMBBAFEWhUJAUNTeAh4BUIElCXoAh6ySOStG7aoaTWhQ 9AePRWNF2OVPhDOp0dCkEFt5512QfcG4W0LH1aPuOpXCEDipRvrfotgKmzId ZE4lwXUm9V2BFESbMoqkVJrHBDWl2nG6FaIkl6pojnITBoL2RgMaTZ2RNXep 8RS4CFQBRl6UKzOpK1Ene5H0rGxyn2Qa52Q0WSSTPTJpaAEnD8lAawzZSaZZ HcZueB475ygMkajz24yarSl1gx6pjKoSe+9clEHttgPbJfdVpq5fmYbfQG2C VXLUOM+jk+Q65DTq1DwnKjdWBlw+EC5G4z2ALpcynELUUW0gVCZ5HcDSHqWD 3GQ/KPWLWzTggY2w5PQCnAopHDg79hZTjAbmD+Q6mnK9Yt6N+7zRFtgoVmgT HXTdJWoNhxc1msEwaIIFU/fJ3ncN4UHLS82ODg3OAUgmqT7sjyT1rpLjrdLP NyMTGmVFRBqpIn1rUMZJI1YBbkQ9Rj4qgIGhsYSHvep5SqIKpACjRl4QE0Cg Sd44PCxRGAgUx/wwuXCmfiMySG4VgZep9xEzNjRdIJM/HM0bmDQRESVhtNto AlgdRwclNOvRXA2IPPbTU0IbyI2IZXG7IfBYsrgAes+k0A+jeJfknXrlJcrn A2Yw90JRWJQqByNrJ31amrjQyNnDpnOZwBPinnud8rSwtUdzgxJNnSUNtE6u pk5N7Q6FVN45/eKRfcfhHJpbww5Ral5PVgeiZIVMcatIE2I47UYjN2Y0HsNQ d1nk1UB8Zzk33aiYlSIPEP0oJa7ORHREw6qhBmaUs0LqEOve5Oej8SQRD4UT NdQCHo0xeBS2eDQX6lAUD0YWs3MJuoMpxxKGHo85wb5wQJzzsahr3EVCmKSy VFLgyJ/CjZEC3QVSgF28FNqDqNqUNTUpGy9QMhNddDOexU02r8OLHrX4Y15I JNMm0nQBFSYg1mCUV0cP2SCZIqfxijoVsYo2gprOAVQsnVC0a9KgOmJMJEeR VCXQSEgoK5niSlTgNuGQZDPq/QUc2vQvkpK8rOgsUkJgMSMtkiWiORyVhgrg +C65uAAMDqpZyPAgmLIbt+8nzQS49zINoKIapLSeRNlFnAEQ8EOV8tWMPH+T /OSruqDhHEaZaiB9ZFgNauJHQ08WOQpRTUp9K/bNOKhFaQ0UB4YA4/CDjcgH +YKwV6USv0XRCib2FZpaTI6LUADiRBqekINlCIYQWlReUWjQDvDjUZO6ot8M q6BU6vgkTv3Z1PxN6PIokLdIX+mU+PJoMk2hjvAr3RWazqXWcJGGCryo856k QKDpGnB3sWwk0Awe6a6kPw+HckmxM8oEYlpMxsdEqrloNDInEH3R+pg3GTOP SlQQiuKARFSzo6gEhzwpP8lo2AOLuS7CJgo3hRWH3AlGDiGsA6oG2Bg4AfgW o2aVzm4Q00YTFCoazatnpVAeW0NW0cnHw5nMaODWRD0mknF0qAqg0Vy0nAAe x6epHcIhv9el+pFNw8M6FYUBBoxtafQac87spnHfom4AeMwkgwKaXHNijYQj glHHvEgDohrSTnJvHDM1ymVRRkKhHgyTJvk1mgdGw6SRdbtMztD4x1XbuMgz Ei2uk+ulUaDtUCVXpiZ4FGdKfynkqCSNFMg4oAUpQhXDiAdw2Ilm3V3SMPAX YlLbiQeWzOQItIqvq+QFmTRfBD58lDEAhalSfIGfkHujksZOjsYxYgbMbzA0 lBhN0JySQGbdpbEThULFKNmOMW8ye6DH018qodemailO29JewPZYYpPjMVFQ qlHbzPV1iqQsmkNDVUljh1g5jeglIfmwFkmDWwbVuJP1d/CyNPL9JDeGDWJV DJc0VHSYmhZoOpfCNMA5hofGDeY1mqh0qPQvUSzjklMt0KyRRa4pHAHTSqSN lWTeRsVDqRQNgekXqDkHo2aLeiQEfN6lIW2cI6K+naRDjvltyhJo0XUoLupS MEPgCUiUXpYpPI/m3MBt0+ybcVDQhxqpOIMSwmjFqOaOts+jHicHda9GK2v6 Nw9L1HuFfD77nDoPSwyGFXXu5Jcsawy19fCoCD1WmZU6YkkUDvnJuFo7jHO5 zqCS86sHrtm/jijkpo18d1E9FmbZxmVEYZibOsvFW6M7PpSyNExRK2TFvC25 onPKjbn+sNmnMYWcMir0q0Kj4BwbhazSmDmnZimAzxr42aF1/eyQ3JT7a3a9 bFpqHLh3Zyp048GIWmqXfpn2ma2+2P3eupOt7LajfO1QlBen7LS3HqVPz8rT VuFmWys1yx0P7ebMZfWqVSqyVOUgCs7MkNywXi9bwnqe3eXl9TYta81Zo1w8 VHCwpCu0crlxkSuV662mNay4aWM6PWlGveetZvuOaBnpcSNHkyVu9dCBn63s vWe5y8PRGIpbjIYhSo0sDUscChParY0DE7lsp5CdFMuNbFDO58NytjMocbnD 2M8q1adjdPasOvaDXaW17b/UlVG1UvKXzZH16ujD2quUCzYvhlOtn/IO62n1 trJdFzltNzt1ar46fDo+NafVuSz3tmpvte+br9VCr+S2pO7sycwXty9DDcgk v/U7I9k6uav5zHazrspN8yXLyNvN6nNXd9/gP2Vm1+u1ku28hY1BuB8MB9qU VWq53Khlzx3VZPNjd1DZOs5Le7F/3nEv5VfT2eYbpUPtpZgTBs3GZtFNteWX tfVcdJ9H7soqGOPeYjvJsfaSjdis7pxa20Zt8CIvXdviuuxFnxWH221vsUm/ +L4/FhqNYl3My6fR0S66cM7V68Cfr/yVMC6YzcrAL0xms30qDN3ptDzlSi99 XWRqkBr01PawezB0ZTRznd20JzpCrVBaDusNxhyn3Fzs2h0zzA2Lb7XCyM8u Fl4lJSpcPnzxjYqcctRxoV/v5pVDIS8a+82gWygWyj2lmdZKQlXp2tb42dWL LOvOmXHMO3KnbLQqQ8bNRJ89S0c9Py9Wn/vP61bQeFEq0tR0UrNKUakollBY ePW+L8/fUqWqPziGrLFeT9tG11juZkNu25sdp+XR8OAdm6V1qzqXVrXUujdZ DJTZZqpOlJYv7NPG82JUbDdGPX2/mVraqTf01UFQNOQZ9/o8ks1nzX61FlrO 0TZGqetL3boSdNeBrBnDmbLxXk7ek27L04llNZdB/23et1/8Ua+lK32HG2Ub Vr7VHxmVumGPg1zzqb9IH6bdspLz1IM3Xp1G84rTVlQ37wwa5tLxVg3TyK+E 8ji3PbIJN5Ks0bpt+pvcaTI+CIdaa9kRh8t5rzmpTA9P9bY0ma07fSc03ZK5 PR30htVZT0/TVEUr7pbNFPe87AxYaSa6TkFUupLZG3rZTnZSWY7MQn1XXUgt aVbeNRVj5O+z88WguVi2BLm2yIvV077LfA5QW6n2JuZuM54D26vdSkPUe8t5 uf62tRpibTnr18t+6m2kr9+Wx9mOvfq9p+fBYtLpzir56obb1V9zVftNXVlT ZVl5NvTBpryV0tl5r7+peAtXaTWV/mQkNbOm3hl2n6q16uFl3T9KYSlsi0qH m69rs0JFD/zTuFtpusGpX1JDrT8cH3LBIdUq1zvLXu8kzjx7UlgXj5Nt/tAT Ozuv5M9e/XxK5yq5eb0gZM2X1KSeCu1Za9A77cdBuupKr3qt1eg1xcZy0CqL gp+zUs/qTlx6layRLnqu0ZNYwC2cJ+P0tl2GleVy+Gxuw/yyNlrtd43y7E0e FNdz70V1LK1ZHeWUylDumUZ61ZnNurNSbbneW0euVS9uqkplWjmVtsu+0dH0 8trRJ6nGy6oh9/bec96z82KwXo5Tx1Vqfuxss0tJbMneLJdbOO0Dl1Naelhu iaX57LReZveNheAH7lrqz5zl4CAN2UlSc71Uv2b2vUPnyTa1Z79/LDmTdv+w d7xXrt3c7pXdNvSM5ljql+SeIMtvm/3zqdybZd2Ruq7KgdFSnnL+od6uHWpD czafjFavvY3YzSrTBicUD/Vj9piqM88rS65/aJadjb3vG5WRO9HWh2Xv8MIK wrImuPunRmmSnap1t9PrVg4TJ5SXE25p7vVRP11RDnOv01fnO014afdH0/W+ u85rYMCE2vAYeguzNG69iFulWQ8rxji9csRdRTTTT1x9LDU6K6tSGg/r1UNj 0mwVbXNyYNNS+6Us6C+NQUNpKZPetDl5bdUrrYLhVMRyY7tQ5k4o9F44DZDT WPVShedGt7qXtdmuWh9On54LxfHzZtDpPK1nzpuxHL68Kd3DyNZ2ufrrYm+/ zK1TugdqmptNB6WBdmIgx/auytKTYUHOvvazq9yk3bWO2iQ0y6XBUzbfrz2t 2Wtn/bIIUi+NBjNftNfWossp6zzbMWEqmYuUvD36ltDdrJRKyX1btiqjyQE+ 609ahUJq/zqw8n53WbXT00lvvR9OjUbf8ThJDdaGUaoW87njKH0Qi6mtXtw9 mZXGaZQOTCfYypLw2jppi/KbDkqVdcLsIN0/DVZDSzx6Ja5h5QZ9PwzqRXPD fEerZ/tWeBSK/ddua1E6BfNRfnMobsWV3nx9HWi16m6RTrNjX5XW28ZkV+de hbeVN6qHuXLVKc8HrKEo8mYZ7E/t/ZvFhG7WawvD1Hwt9sPGKvtWPBkNZZSt rMRZpSA1lDkn6upxafjPRWPtjFiv16mlykFxn16LA9VpS2F+V64cD6X6QShK x3D8NhOMRS8QD/PXo7Fwjk/cq/v2bC3d3nq4Tdf1XVfR9eda++ALlaelll28 rU/t8jqYK/nUqBOmS9nWE6h/ddwtCf29ona73HxwdNPb1fYgW5N6f+/M7Pmx 5L2Iz5XOfqh31lWwq6NUWHY6G0FKp8v148vbWn7ZCKXdqjp8MzkjVwlsdd85 OatUc/RS6y1b9m7uhxsh1X1Rj07XnM3qnUZvtK/Uh7OuaL08b62nl1AVXrvO fmdzu53fG+531rMo6Cu3XTqWnvLl9KLWFequK6ysmi6PFiVT35V7am72ZGjb omSun5WhULTt5fjI1VtahS0OL3XTH/amVr/Xbo2e+sJ83NU74zdv1wqXs274 PAgqyvytYp5m3R5rF9rh28vG3Xb8DrfMLYfT/iydNqtsr9nFxbGxaQ+89VBc 9b2Xec5eNJuHam2UUlbPXt2ZFVbirqpM+7nAeE4L2RpXNuRhZV3MtVeONjJK o9ZqXxaHlZGyOz0Vlzs3m+q5O1lsZTfmatZp1+Yl+7Bcu/WsLzYa42Wec9de qm4Oam0WNFvlw8EdpnbzYXvUfe57u0noT4q9kt1RHYAhv1r0Zmz9nFqsFsvV cOeLvlrhjuuFWXurO8ZmnJ8/izPxqVkaN7p5p5tnKTW7V1fD49tqCitv0srA S7HerrUMymm5U5+xwuLIlfTGrJQru7WxMg1e/MMm27TsJ9V/aZntrBHI6508 Z81Bc9lbiaNyZdlr7EaFha7W25Z0lA8Nbt12LFNi4ijbSu/ljd+3avZoKHoD twCoN16r5Ul1l847uY6+D4V5ozaV2qlOSx53Fke/IvvcrNVTNk8T+6DkhsHz 3i1q1XVfbfUFc5Br9E291VG0ofS2GZXXXlmTRvsXZ1Z+KpYK/k4Iu5UdlyqB kW0WWDDTtGFVMMfma3dQCOaz7nxcPentRlV0lZSTn6c31VQrKKm7sDx5yjVL w4n5tJ70uZ6eD+WX7E5oVTZOHxy43ut6Zw/m6dYqLDc2T0Fn+NLev+71gVYO PTXbVbd5V0s5Na3gt/dil3s9PMlau6h2rfVgO+0PSvmC0Qwqy9yTXwsa+dqb pktb9yRrJ6ssGIbTKg8HuXpZzA9mYr3DNC7V2j7t3eVx2HoNDxNhUqyscqfU yql75nBQTEu5zpPS6Df3pZEyf16OZ069dSrkHPVtOlCOnjnhSrPpxK3Un5zm 9GWr5NLS/mXVNvPafrqbTs3XXt1qhsveYvQa7ruzZ/tYdxbP43z3uXdceubz c5Hzxy9mf7xXnqWCuzmJSwBmKTm22OoNQ3W0LSykrnPsZVnbHjnzTc2RcqGt 1I9Fpp6Gx2Gzys3t2qI7tdKDWmrRbRwHrJDeVpuTXV4omkan58pvx5qoFItp 5SQzb9qd2c5ukz8O1P2x4Aa6yu2DkzKqycWiljrYs313snCYOawVT+Fbz2o3 trm2scrvLD8V5oHpX+bd7tSxVT33kn8CP2Gc5w7adJSuOvao2BjOFjPDmGTr fWldD0pvlrEb2JP5eqOb25koS/1Kz5iwgjOqBvWmZZQL485zjlt2Doua++JV N4fyiyyuvm36Dv/fIX/fATzY4XecwaNCsBU1/WpUsaVOHrxU1KLijowZVIPu AZHe3dGq0J1AhpBxroM5X52BWW4vz3zzFB7g9q+cwzMywm+bw4tf+Kvn8G5B /Rsn8RK4Ov+JPv77TuMpVAA36NZNjTpZsFuWutWwQUO8v0LUyYhtfTSrgU2I 1JwrUskd+AhrmwwTacZX5vmk6GoUkW76cqn+THli7MmleoJDVWWAzfnKNB62 w1BmTqKEPbOpHE2tVRJdeaoreBCB3dwyenMKFnea4yWZdC2ng2Woy7N/32k8 PZ/RC5gTz1HlWxPxjl68vjebEYsZuZApUeNyNpcRC5li4eMCgpLJFzKFXEYt 3YPj26fxfm9I/jeYxoul69fn8bBTP6r60H1prom5aYPmwbTzxIhBt2PKydtk JazL4jioRZebupheN8T48jBs7qG7PHVqWpKpWyg5tupRJ5ZIN0hpVFp2GfaI eDS2ivVsAZse8H4gMe4RSTbk4age1f+wM4lu5XGpa8SlqpJLcyY69axI1HTF 5JtmRJv6XDWDJqao/YXRTAv2PNGNRyZ18do0eRU1YLFEIQdLoR5dlWdjfQvO K1FznkUtrQJ17bvU4IgJbrqg1E2cXaC7bLGIQu34UR+eqtDleVShwQkfmv6N qybujU3COUkZ8alE7d0mEZEuDcdygoj6QKHbOnW6ntO8vTLNjnp/Hbo0jkYH cQWqHhkyahTYTiAzaUX4pNrMTbuAjrrEpYZXga7ssqKyh47rWFTjx2uWqKrE lJu+7egyOYFuJsY7a2VaiuYKJBrwk6PRDjGuowNLWImKO4uuIjNQs8p0wZJF lX6cRFKRgbGoE7Uu0Q2C9u08nkAXG8sOXZqlU5uFRePWVnx9MotaG+nyaYPG 5JQE8Hh9HdUUNSqxYJnWoM6q6CrZqGWWGsUkGiMUqZX/CryHHRUq1YYlGhwy ya/QqMouUX9qNGIk0m3WOGN2Wz7EBgW65hBnL2lmQKKGJ+wPE6g4RDwP1kag JnjDuJF3bLaguhFsLdBlqDp5Pxp1n3hyXHrH6/fohstku4DkUJezidKhk1Dg fV0kO6KM5sWmOrpOkx6ANKxMJ0yrToNbwFe2Rc3KOo2XUJeMRDUtgyZbsCaq Upekg+XY6+4u9RxTOz4IC7a80A2UoC5E6nbCbk4XSaBTB4Bo3Nz3ZlLxUlXO Hbc0+SaREGl0B5hENx8rDrXKUbtncirMIrYUqfcXeE8l3fj/N/Zlz+oqWbrv /hU76unesKtkhrwR9eCEiCOCCnbUA7MD4ixqR//vTX7Jrzael9sRJ06dvcut CJlrrVzrGxhA2QdqJMbonalOSkg0SS1UalDgo3NZEAgVEDjLe+tjSq3hzhDs ccqa4Gh9wdX+nFJDVaCXGFLfp/uOUvQh1CehrqmE9CANyyQef6ePjH7G0dmb DPaaHFc6zZRVC/Vrqqcu02koAYhE/r51jM1IcP3lNikfd4AVUt7kMpKUi9xH JR3/iedfNA/wuMpHTEGWGBWH4EKXi42iFjjQVxjhTaAX4GNS+PvdgaugZBie PhFKqFBo5CRMahTM5AjEzkSq5LTrSSoGNrGs1Ci1GFqGdJPG1dcJcWMpChCr LgDMSAq+Vl35J4y7SEFR0HjjgkprUwSPlE3TRejEUyR07c/jP0w/mlmg2UyH tZBOT7DMJAyMKQ5Gw52XvxTTFXCKyqNHqFHQMNP85gC/oAcV4DzKCBBA25VK vapfY2MFKEP6BYGMV8GuIQhTZd6MQJKkkv+ALlEYJdTZfxM0OOQieLMUSIe5 eMJ0Z0GhpARUGTlUqX6sl9IJJvQqMGcBsCYhwxgxUAVkMjlU3wQ45gh4kToY kc6zQ/pxZQrQQPD2wdwOGFAbaHUecZsiGuMvyXMGZNGY9GNMFySFUfqAUKv0 3xqwdDwwQD7UFutISg4PhYJfIQYvQC1bAgOTopFATyUYtyuAtXHkC0nJodZm xX4EFgcV0wU3XoPUooaqgE7xUcWLmMHX0QYM4xuDBaHgRxpwwHin5b9Kw0ji V8BxTf5CTtODKuKqhOAQIi5RkAR0E0JIGgcgn3OARBOIVf8ibFB1lK/RkEfK C9a4irETAQPBygOaRMBuoqipWo5LQOeWtcpIobzUBKw5HtqrAYoxDtQjFXLp qvSlpMuB68hBuZkyVPGCCHrV5T8R4ClllVL5AEDdXK6zg1T6hxRAibxGNy8q qwSK7wrYoQFwwzzsHcojXZ0hw6M2iMGJotBecGwU7ErqwqIC8iIidABHyyLq b3kAdIiEkEhAkJAh2hIxAjPkYynBCUmwzJsB94Wg1QDUUIEpkVAMq1AcV2Hf ETDoDHCrslzxsurLJgQPgQB+ISGy+eBsB2pFeGCuHSLbDhGsD2r7nUnwlhUI JUkyJX6CnQX4LwGIMAHJRAWJXf0WKwoYqJ2DHjyOvAqpQDyEIVDxhiIIzLTw CL9AqBoqihBIPqrUwNCcMv1GEiglNGXgnBKDRkjEr2AVg5Uko+TTQMEt7yFD 6vAI7DIKFQKqAMWjAPD3m6SYfCyWegBEGgG1MgDEmW6EGPwHlFgqBFPrZAM1 qNwkqD46CmAfBDkJ+GNaSEMCloJ72P9LvtRky5VZZmceBQYHGfuIlXkCxIwh l6ABIyghhJYhqI6c5qCXHKIIZwK05eOjyDCJPk2VCTYDKpdA7kTF4eUvKZLg DBUzJByCgwJWVRmiJSQXxiBS4B1R19fQAH7lIc3u4/WxVn3HGAQSQasokRrw 0+V9ru+4AORSqhgSgIEDQhGBGi6jAsYIoWVY4LGwQ+6L3iPBWCBBaOKwehm9 JIZ8Ps3O0MqVUEgz3e46+5e+EneeapQQ+jVpQANVmDAoJOD4CiC8MZZBnTQe oYoLcOwtbynFi/NAsCWVYFMErxIKc4SWRCR8lQcC+BsUAYn0yrT2o7ASribo Dwl/IJ4CriSoa9WDZUePnKBeS6BIJaB2aGAFh7ApiCHhIYH2E9aPA2B7lvE8 EaqoXm5zBaxUJgJdbhMNQLSQkTdEep9/L14BGJqDtQUoIjTsQ5dHxvkoQvNM QOhLGFa19txFsDRZScChsJfhO0Q1GnyIjCQ4QwU0yDP2Qly3NInBfJbxyACj 9IFaliA0wAF2LKBW96GfIoA/8LvmwR1KcPqm+gKEvj8T2vAh1eEjfQfoaVD8 bvTFfOZxLi4zAoe2RnlXZa6SwaYGI9i51FsAG1nFCVdOvtKEj1KEFjYi/XYJ ymCq2qPRPS7DOIIyYKGyQRnv3140BD2Hcq2W7yCAA8Nhy8jg1zG2v4jvWBHY +O8UCf0dhbEaIM5d+R5wdA34iKI+LJgUdBK+7FwY7UeEvj6OwCFkX1TmMQLF Fso/B4uAKr+g//D76QLIACD9xhCuDoD8o4YS8Ijw0SWlpjo+jQP0udcWrQpB mQgnCJqVJJBboIxAVZxEVBSgW3CgbGmQnvlNkQn9RlRnwacbSkKgK4MAD3w/ JRggRUroFotgcNXPsD4SE4/DO6VzxFBJAIHWh4ULs32Q5eoIzEdfoHMfQj8U IQ3RAaqJl8APCmxbH4wdDgGEWmpo2E316gIFIQd+RaJVC6Z8Nx6nOSriAwug 8p5QIjrEX+pkgwDNOg3sRxE7lzbQYpANeGwW3G16MWi7/UVTJgQwvfxGCjgw IXYNjx5aAhCnALJKABYQ9ZqIvuC/AsxPQtSuAlwIKPcsBpsFvgdUYgZaDz6D FHNfRakPkSkZD13D+lShvRJg2chM9k5AyYGuGhUZ4b5ynIJ1yOPfPnizEVCw lOeAFqgUVWrrMVyw6vhdDsQSHsYCCdZ5gCgR4GDF4ebTDh5KcRVeEPUzLFuf IogBKjqNCmKsAC4ilefgwfMEoSLByKJeXUgQOaK9DhHC8CqsYzS6YHg0KkNY u8gQ1JfBceK+D2IykM0hY1VBXEzGLhDg+KQqlZpSzOol9Ytgw8ESRPyTLEIo /ftMKB0ni7KUJZBso/03BdjoWo5TEd8iHKIpRQpkEoK2WwChLi6p5P9ZZaVG X9RlBdQFygHgQTWHBBX1NBBocOMxYKG8LxzTyg+Kpe8UKaBU5mlbTIEcj4hN J8fV2VMCb4HD2VBhb1XXjEN/kok9BaBY+ODsMafJAMU/Ow0lKDmk5Kv5wIFK 56MGpgL54DSGiMYS+hWMyRaDtheC91VX95DRKmQ6FOVDp3J1TJ8F21PFgY56 xDHwOrNkqeO2EbtCVOkh9Fx8EJAIuvEEFBcN/lcR9gVVgki+AjUHQROqbSFj nYAfQlsfIk0uMdOkY/If6GTWD+A+UPiyWJFv6QggrAxAVLbF8GSp8poM5ZRv hgytWBK6KSi3Ad3UMjXE+Joq3kHGRqCjAdQ8KniJ9bJQhVQf7biiDa6hkNag YpmgWcosFyJUvKw78fvpYJFp0AFkOlA8bpGANc+Kcx5HSNqChgtQvV8nsPYp VDACaK5J6G1yiN6UWIs0EYPuzsOtpZ5lyptZXqSPAiYEV7D8IAXpKQYJNoFG T4yimkddV+8aUdMh9DbpKwmEFRJ6eZTiiI4TbVcq0AqBLE4UfPns8ejFCeBd q2CjyWidMb46rVRFSJ5Bj0ZlEn51vzWu4iozaTMNPEzWqA8wI4jBWKDnQfRh ZOzi3+8eVuZgIfKXDA6eAp3HBK0MCWPYBAY45SKhcnu1LUO1k1CBMAuOEMYX 1DuOVWWg1yoQeqMmWvju9dFrgL4Q86NL4HPFJiMy+uRRUAmhUtdB1GZx8GWs oTJ9ByZIhMonYSwgsRoE0L4K5KsiiKgq0RczimlCqZhoSOgdaSCA0YY5ZINU NIHL8ChDoIqGytqtE9A6EP0/J5cE7C8kTQn7hXlcENaox8wlUb7+XILGpapW insq5FEEPCOqLoS0riLvq6x8rd06AYxNGpowCKOsdUy5E746b9KzJMRBym2l gCJb79tQaQaMbOgGQfkqoxXso0hQlUpjLlSrPBVDceN31eEgRgU+UJlL8BKR 0Gqg0z2seRltWw5bONa+glUIJ0+q7oGil4fQgIC7R9MWlLwCkFQJaMBMx+r3 uWO3RjA2YQ5UGsRB6JgAmgtU4RGKMD6pmGnqX/xYWCUG/owfVfY11OgPsowx NBYj9D0CuLqJtQ1L1wlqngSjMV6seDVUngleiwHO1DFzQYz/qkwaYagUcZU8 lsoMf8Kq667hCC+Bg6dGFSuy3nRSgI1hzRMfwcHHBEFEaqD7F3JaGhqqTCer /uACZH8BmYWAwqTCEZRav6KTQLu7CO8BdBjpsq/9eQjrKjoMQuMlALcwQaYO 0TuKoYQoQvigjPY++Py/GRZcfaq1pEBXBSpjilKNhzSQzSS0rVTQsCn5uT4R g7tgBEFGgrQeQAtGTapWP5WqgZtruaJCCOGpdSZkAAItoEiaWPWsYvAJ2VlA wyCMeUn5YLDX2/tMCzXBvEMA6V2ANx2PckuCRiEP5pWPcB0lX+c4duYlqCrp RAZhSoA6W4SNLKLVI0B2hMoKoDlQX3UJxjEE9yrGUEADR1eCVAr1VkJnuNxK VNcm+OpZ0TaFBHo/qRyWZLmSR1FQAKvMAhfZlid/lVVlxsVMP1HCFSpQp6VU f+ihxJAx0oCy0WAoVB8uxIhFIR4oLfsFukqZi6+ACXLCV96ktIIiOBB9yzBp aGhTZU+YoEZg7FPhYDDeE9geUoFghS5dRfgSieBhbUQLM/QMy/xCDwg+pjky rXL9oJL5o30kEALrd56DsmeAQV65MiXwzOn8ET0rOquC5hSHgUW5qCjIqO54 JtLHQS221D+aCEolxSUiOaowgtOwbWOM2OotrwRaJwFERQmEcekDgqawDPIh B72ABNam5UFVhY7J78Uz5QiGFQmrRhmPOQiHKRtHKvlI+gSR68P6IBXSXZSF i7kDnUfj0MqjNRcg/SnYRJT76uPd6rZdPsoYzGJihCkJkrJUkxRJrdxrHBR2 fORB6q/7bdOnAmdCcD5N0Nam7S+0TEWstDIyi5gQ8XCQq9P1aTOWR2MN0AgO 4jgJppkSWig+qikRz52DtlE9w/rYpwqgDjKa5HTiHFcGvEStjhW0O53QH33x S+xPQhOJQBONefxSSSxoFkhBtcLpGAuadFRSR/rCnNBDKPJyAhVpDUNzjsl1 EXpEktn0Gd5cGlZs/fivBFU0UGGHG+LhJkz4DE1XKvUbVPbjBIOS+gG8fHGI aBOASx/gCRKI7FBaLMuP+HbsWOcj/3412EFmlqAjkJDK4bNMExIwCSIqZBlL mkMM+RLAAiE/hPBQBO1yJrgQYb+Uv+RAgiUQ9BGxqusNtxjhSGNOhiG6HIBA yChLOIgsUFUUQrd8guZGVD/+c0hMXLVCaDEPNJSMxheVThMwJmM/cnS31k2/ Q2Qxqi4XwMmNqaOqwMagOuJRGaoYlBDE/3qbl46nmfcy5tcBdLtUdHc5RCcB KUbAp2gsdHwHK9Z24MSq30vdjJkgKc7a9Gaiza5BrDD+9kung1E0CihMAm1Y EVxlOgdUsMwi+vQVpQKE+NHXWUYFbzlC5iVAesgQCKOeClBg5OSKxx5hJCpB oeb3NIEJo4ihswiBS2oHx3pEWtX2pIEXFpEKhn1a/c9lFGZMZp1HWYIhe4BO UYgsE8Ock8pboN9en4Qm6AHSVIV+ZozuhMryMjVUoMGW9ahFWPmx3lr9GEib FTijScBUlBcZYDQpo3VMZSMALUgwpqeHpjpsQ6g0xWIUwApE0FQ447ERic+0 NfnKc7v8Ruq39TSHFBajoIogeKFC4F7EMcoPqgTKxE3i5Eutz8cxWcMVMhth Apk2AbNUAdgAhbkHQx6lvJl1iQofQroxenS0RwSoDNWkAPYgwsqPYM6pArRW 3sC67BqHUEZxcYiKTA67jBgBcpkCVfQYGjoBfGW58Nua0q9QCiIEcRJEVJoo E4iOMWFQHCEjgCRFAHh+6zow8ENgkxOYk5fHNxXKrRHTvscq5aEKFOANhVqc D9EnkaHZR9iAHsGHQLxVBSyNThuZAiMgfPUEnaBcVKGLFyPBhdh3ErQD6PEZ eUHAFarCX8FCEloEVCERYDMZx3xqL59A6IRAnwWQAAZMToQvJeIIvy93qApd 9fKJ0x47vKZ9VMsBCnvCV1dIDQ/qCRqy4BqaUQm0+FmtRZFOkGQVUOkFOArx qFiiOjCSiR2jAyDCNFtgSFS4sxK0MghSJEFXJJK+ilIe+1QG9oDDWYkJ/vKQ ieehlaOgIhVQz9M5l/+VJsqbE2CUw2HapUFHSUNrl1ZKEWpjpvufQH6lLs+B msGHJEQMP9KIYVSAnZCBwQghdh+jBR1+i38liOEhNCnKGx5DoV6APlGEvgHH 1hXyiwYghPo9wubRIeEgvimhm0dfr0LGOkHFC1kWAoRe/I05Kb91CIwNgUBz ebUyZJU4pmyC9MFBRD5AJ4G2Devzd57ec1oBApjvI63TPY4eKY8zSPldYijF REzhvY674Cv5EpJUBtoBvHNlFOQMDBAguiaI9tRKuu5UTzA5FSvkajXX4PEy gO6YHSitzRSI+UZfc1hFrsIFwcw9hgw3g8bxgJrQQg53g0e3XI2+6nkqRQTL VsKMN/hqIlzGrgRnsRDWUiLKBhXfsR4uJJXebZqMUGCITMAUkDkezQcV/goi 6nmFycuGX6tOBWabqVhqkOahE2S07KhcNdqJIoQCFUj21Kf/MkI6cysptyTV zUEzlkqMAQGi+ZXRgoJDMb113/A8NaysxX3W74WbS4BeCmuZSnD6FdB05aSv plMZpgQ05DXYt/qQG1bRPGGHERnhokLjKJCSrPfnAYMUtarw4HGICOGlTN8T uucBtJaYbBlRvup5WuahMlGAkY4gv6VhnqViME3JJajuaJNEQJ1c+3MZUrys 4GTHvfKCafcPQlrlnyuQwuGBnGTohbpfuiRUGsoJtCwDRCqCgCPiKCHjzgQY 9hG4Un0ZFQDrq8WVyzSDggcMPADxbglNNuYbH6A2qI/vVcwCNIhUyiC18JBr 1zDYKr8awRpQGAAeHfi6EJKgVp/igxSgwLydHo6SSuaVR+9OhHBYjNbZXxBu CabeBNNShodPxAo6S+8hQanG/Ab+NAR+lw2SGus1yTj7CDjC0zEBFNYo9B3k BRFnE5n/0v4OQTzhEKglKIoSYPUpVEYG3B228wp6xRqrPeSvW+fD1EQNK5k/ nknAI1zQSiyGUblaPY4Au/j3uYMwpEK8UgaSuVx49OCPNEFQ30rIraJU8aXq RSkTsKZgQnQMqBsEqZZ3BJ8zkRVXaNxRcPt3o5UHUkVEk8QHwI9pNtGZJuZK IaNj8PQrq2wv1GfQcBQLGKwRm1pGFmNIBg7qwyHiTLk3QxBD6kqFHErfCBVL uW0pP0KoRv+UBwicj8piIECzvv8l/qWi+qLQJgG7DNWdijaUAqgh4Sp5qQiA Ii34EnHmMPSModirYYYrA/LEsfk76+dDTTjEeZDnvqBKAnoRErDEtOULRBYP oTQKFkoqE6myspLQRo74r0AdAQhEAJbmEM9jSNKXecrHvaINPWCVy/pcwgnr L+VBhJE9D/wDB38CHvrjFOmEY2CMpoEGAW4t+RppsVlDhEMH9f2CzwdFsKO5 GmNkIOPkGCGIKd9pQgAFiYAfIWvV5IVePJCZAdgiHPNHAUw01L64AwR+DBFK 3xjgQx5deoIKgeo8KpWklwbQbLkwhHqrk69eQK2YoA9Im8ZMLC+AYjVQ3xVg Ermj3jWi7lxoZNHnjtaoCK03VmYLMIGMSAVEJ/iUeqBm9k4BWhARKkMK6YFs H7XYAc4tBGiKw3/8xa1dRZMnQg9fxLSRWrDghCKDPCJhCEjLFVC3CMAn9Ulo xEiKXGWwxKDIIuJDgmKpOqkpcESQ6LL/XTYAWoiAdhDc2BhWWxxGihEAM2pc uRPJEBL1v8tC5qMjst4RhLOr6RUuQ2NCbAiJCUbG9UZrACivgmhZhlxK40Wz S8aIkHoqoIkhAFhL3xMgyfpQiUB4sQyVHGAVAraMgvYRF1agOBF4JwVj9ORb ldUHqj/AYE6CNm7CiiVcrYjSLkA/JEa5Uhc6DACJFOCzKCI5ylB3pbANnMqp eNwfpzdNrM7XvzsOd9jHMCiCbZuKAkMFY0JDh4r2ASA0SduY3zlO4ioHggDA sAgDAmoM6VdcD+Y8JAHNXsYEQr7UOZlTUYXbVCswD40hfoVxouUlGua0nseA 8quiFqvBMQeEtgq4Aoc6NkC2Ys+xPBL6TFZP+nruIVpzHMMEIk0kWAACcAsa +Ag8c1WBHi4Bl+d3zWMIq6FfVBkvoZcrA6OoxpXVB2V2AHDCGsj1LjEr2yIE agpnlWCsolbNkFiovCUoshQz3Lo9hopJmYzmbQRdPA5d9ETDvVLRxcW6UgCP F/At6rWNijOsitFbiDjDGiCaUJmpJMjCdIoK+N+XwCU6Hjw0YWkPXEMiCHC0 RFEkQrI8geeHiuAj1+88KiKaUEAmlSE+HqDhoKDmCUDSiaDXHwPiKNexB+jz hDAuYtKECapuFZKFKqJQuSsl+GcEIAZydT1cQFUlOCjQ3h2zSFRprCijtwjn Hgo6wgUQNPzrnFAqgYq5vABaB0EbVgP7Q4RBQowlF8CYR0Kj2K8PE9Hs8iEP Svu0hL4VRTigKygk1WwuxgmO8ysW4e+OIyh9QUnTME6ScfiiKwGdah6ANw5y /L5SNSJ+/xxNvBBOhIRUgZSwnSVWiP0EOVTFkC6QvjycqtkorNRi8FMSGGDE OKHEOL9TIxzk/RggBzH6ivNMzZPiJ9VKLV1BPUytAYGIE/8ob0ooA6RaqGSY TwoWQgdbhKZwuW5jyKkLDN8OFeYQ3k4C/5VhI1h3cNBJD5iyKihFAZuwsMoQ 0pYydDCpyW6dkco0tRO4M+LMpcCGjZcqPy1mHpaAPkDR8hjr/346KLQanEjY J9KKXUApK6BY1SpUhow2I+9/yWuG6CgyQhx1VQSv00d+iQEaZCVTwmTNRajJ 1zMs5FxFjBXKRBOj1R9BiZighUVbYSh+QqA06ZDr2woogIZydevQMUuwDmlF hFlYmXeoZCdTiVW+ICusmqUKwgR9XRGfhXKl/CVFxYcQRQUzVwVWv37xHLI5 a4QykkiMmZ2K4KbiuE0HKwLiPMKFX9f+DisqZaBWcBQevVweqDnCGj7oFYd4 GSUb1jKsj1qRB6Y3wjScogqxQZjIb4BTAG3jA8orfq+6GKGS9oSVSkmZKavK 2H0UqAydCRUoMh+t5jryQcCcmjbwGaMTfgz0aAmbQyocjzwrYnrLTmH1HBch j4sIxSJMRlU2VFIrOgAnV6IRqlzxQeqhUgTGVYbdmgAJdR6kgwBAdNrylVCf xCDKgeBcx5wosHDgQGISEJZFHL1j3GcZTWOCiCcybw/1CwDP7PdkrBYebQc6 HhIrjzoFdiwJO0TAUpdy6uvwPMA4ae0H+IGC/qQKexsCU5+qQsZkR8IsoH6K lAHilTAwUlFmlG9FW4hxFVfLDSUzRxa5cgyqx/kEv2c5VEZJz6HwU4E4CpHQ Y0yKVdb+Db7cMQVYG1I2pVTJxHMgOnGQuZeFqsMZYgqpwNIvqo918IgZl5OW +jwNUMwDNURNxeZ3BOC9BIw5vl7T/sEgcYiKjCUkwPFRZFwA9CsIEyyGQ+RX ywttYSYcL6Gjy8MUhwMfjUPalaFKr+JOat9CxgzGSWW1EVqZjxddDBhbx+jP s14uG+pRbm99uMBXf0iZUPCbCdDBY0m5TBB00KBVh2tGPah7thE0FUOskAQD oACbIkRznuHlAtb3A61blb7wdZRxrNACLMTpm6CzEfl/6pk/U+wy1HMolcPo G44Li6yYibPDDyZiwHWlIhb5gNgx+aEA3ATt25uTB+WEh0Q1h8qHjcMokhPs b5L8r9WTl8qn2227s3+rJ7vd0X2Xbhb5Mez6O743Pz2NITcV00n6F/XkSdGY fv636slpoad/dIzJt3qys7JSi+sXxjacTvZWUb5pMeml71mvza3p7z70d23p 37/bt8WJdSu6ltdrlO846BfmYLnvzybtgl1JUejLgf723clr0Guv2dWcJj3O fG7E1Weob6dLfjpddTu9huV0nLqUcKfw9m1uyWSEl498t9CfrY6ocs3oFaq7 nT0jzmPDJa/TWXsemqPGKDl3WoHoD42WMFN7+mOUdLXs+ja3znX6bB/HUsQ1 C3WVbOOUWwrChx/svU95tzoctI4bvdRadzoLLVkdpWxtrNrCKZ4n/cPlJd47 EzFwP+2EfgXDnvTp10n/8trGX148x4sXUE7ud5x2j6omT9oSPq3HlJX79HF3 9u1RJ02vjU7a1ztWOBgWs25fYBLKK832dklr0z3Jj+Dlr/azgrd2RvedBffm 0HjdDto1cOfclHe1BulLK0V4WOLeafLnTZENxY7Mnd6201as0SLnnk+/Od1t 40O6M2Yz7zntnLZ2bspJFK7uu7CRjuWTujCuM6v1fBfH96jXPY6KtSZu+7vn zQm75onc+wfR4Bex+xYc79pdvVbc/vCcriwj3TTauh+fnv2Zrcg8fx6aNze/ vRfbfGAdB6m4iLqpfxWe3Wf7HE15cTLYKaP+qzg+Re+2msVW0ci1Q9v0048T qScz8PguP2jFeztXhs6puc+Cyz56ZN7xZh7Os/dVOnf7N200inX/wvvceX5t 9B8Df/t6tWeatgr609muqy+XuTQNFuF5v1g9Vc70L7ZrZVL57O3RIX8v3aXP jU/hw7nP18fGrTsMglXnMDrsSGfhD9uzqbq6t3s38XT30+dHvIwmwWnQHg9b Z8HY39dybvbJQFDEfc/qPraN+GSNHtuR4W45yeyO5sVomhmdz2zsqdn41Wwe +E/TmAin3JWbn9d+l09WS3FgbqPudLUZeNtGdnjn49Nled4vrXO8jYPz4HaZ PO9L+35cWHN+2+Sn+758Xw2724l06ef25HWYeHrfj6Pnqj9qhFysdfuHxU3e t9qLxZnXumlPdw/uY6xsR0V+k5a3o6vbeW8u5d7H7quvx8A4rM7F+KHHt7wh jLTDrD0K3/veR9p3OmNhtBuP1p2BqN9vG5u89kLsZrouZk+Ob3q8TLYav9nf klSV8nCQN2J1mt18fTyOP5v+YXU1ilvof26jTe7JZPIOpCB0CT/XCsXzyFvW l9e+d3TdhR/cxXfn0m+4hc/vtFv3Nh7On6/Q2zhCHmb3Vy6bzdm92f8MVuFL vxetsJDyrfloJlrSfn5GZL0btCbnV0NzeHVydZaFMkz1vWZ3xMFqRuyX8XxP jI89eY8ek4e4dorF1d46ii+n9mA3lfLF7fohrdmssersL5eLtGxf9ZH/aB8i rn3aO2GeD6NLauV2e8mlCVH6l2F3sj/Ous9jkGw/nfBh9EfKRj81wrXiZq12 7jwvD/+0vqUTTrL7eWcki8Fq4hbP1mmgmJ5SmG6xGwuz1EiJOOKjbhZEL6mb NFqDheesuZzcQ38/Hobd+Ewc0d70lqfJY9x7llvoGZBPljaNffHYerpabtOd eBN5RzCEeNe4actNU82NwedzedqfrSW4i/U2CQ+yqG+t12ramZr6Zrxbbp1F 6p937e1FeQcdZ+vJKreUuEZ0ecm8Oh0ermSV7Pjw44yCYjnIT5ogZvp7beyl 3Imfhbd8HKTPW/W9pahs3h4ZbBXPjSeNZ3Ao+KdBfDdtZedM9Z2jdRPfwm4m TgfRubuZLd/OaFgQzTmZ8rRQk3P8PskKt5g99UDfNN6bx8KzbgM+LB7p+G4e iNBcSrvmVeocEl1pxtIzdz/H50WIun7hX1SyOV+VQ9tQ2qt+22o2BHn2npLn dbvKeqeTMO+cPuPTVjjNzRZ3Nj7DT9IqLsZhLpNdebMKd946PzrtaP6UvH4w fw0aW3VpbX3LUEbNs6pzJ7d83pPwY9ykvtvl7sQwZa69VZ9iygVF2O47y4CI 7cfhtZ8ft9Y5bcyW3Li5zPqTZnt1XBxbL+k6yFLbmQr3SBnLH37YlVKr6R+W zjxMx8472adJNApGrdbVOkpSI7l/pme5p4+7j3T4ieVNp3s0ha3xSozTviwB 7Djl7Yk67Pbfd+3CR8p6fH07r+12sR9MjTlpmBenWA5nwUa3L6v1xzvtBp2W XOSzRat3StVsqRpuc9t6jrxn92DuL+M7rz+16e0kT42jNfEaZrzL1J0sKmKL s5fZ5jgxtMtLuQ/HomTOue2AnP0O7w6X7eVrac7ezYEahByfTEfXz3Q4sxpa X7+/+9M15y4NsvDSm3x8vz5W9mrL3Drrz+PPveVfso6urgxvx88f64HrzY6P 94V7BYfbqLGQX87mMp0V8kZr+93Z9TTVrYdv90+KGzR36V0UjlHXvgzHPSU/ 70/J2PEns+Oya/riYzWdN6KVNnG88f4jKFpzN5039xM3MXeCcYjN+f24vRyG G9NX4jk/7V/NwVrQ3Z7VEZWr50nelcsb47fHlcvMby8X3bduZ7PHoXxC207g pLG054az82JuHHvWLRzNsp5T1k5qcbDdx7Fnc/vNatb4NLnI83JzveictGvx cMdiu/cSwrH4aZvv5fJIlH00sE569727ndvKeXC2FE8dxbO1EOlB2jgcM3Lv qqks+LZ+HqUFuc850nGd5emkXpNJZ6a5QlJ0Hi/lvS6GxOAveqgMOtk1/Lhu njV87XAOP1bHj8+u1h40nec01IpLPi1294H5MRw9t9zg1tFWU+GtiZutrmjD rS60o3x/fYW9RjvWJGckdhI/H3j2Q8mHg9X20lRDuRcKdmsxl1eXx9KbN6XF ITGEwcY/WeHK27hCx05eudLgV9f0MLNlL1u9RkdDnr5J3BH13qcIRv59Zb97 8+01GDbPg36nPX6tXOv6kQ8a37nZpzn3HjeOWtaxW05n1ZS0or84LbPT/eEn byu69veuGFjjQFsIU9/3DWM/KVpXfrCcyisvzXNbP1xajX5635z95SKMvdD7 PC9aV7MkMy4vdOFwxpibG6EazxT+cnzyD/5zni7JeeOFZ3P2MmJx6zfOmpFp 7pQ4bl4WEzK/JY/59Mlb89wJdeL05lyza+r9oL/1jl70cPTFQV4lS308UHQx GE8ajtY2u/lmIMycd38z2ko9/2SGkT5Yvz1FvipF/G4PJuqiObH2x+dRMopV vj+4Y/khjZv3e94whOHNdnfqapPGE87ca/fnI2xFaTrgk+NjN9k5WXA7ObtC zkSN1zbqOL1+jp3NeOANmqHeazwSYTndSKe83EgtSxwMrrf0oHb2/mny7N6f 3ZukvMRkfR1YmRPf7+/5S8o6zZuf2Ia/646PDW18+ejr5koTx/Zb4IeP8Vm9 HDqtNFEUPTTF3Nt4T0Mwx/lNKUNdojlny9ZPmVN+azVShcb4IGZRmb+jp7V3 ZaPoidkmfk7eZsfo73rtrbl/vmKrrJsvQjeIz55zOc+6OVHd0foq5v65cQmT jdR8rrfDdvdCzpM1d7RGoTtev4qBF+/8j+Jccqe/9nd9RbCH2aN3jJzZbBCV BaQwdoLGbp6VK2ASbUnzPHGmyo1vN7WbcD+ZgucKn502TfNHOBQTSeCaQ8tx 3+b9KA2IMVvx1+t61eDCp/V6TCV1+HoF3iuyjIyse3zoiclkfCmjqNsvxvzh og5HLznI18/WbSufEy0sL+rV3NuN1J29SPAS3le7mX+O/DgZNl/OeH/df0g0 6gvr7DUld9Xm15ttNEwftpBpI7uVju6Bd5CzTuNp3FutMhdtZ9y6aG+lJh9t 89NU4eKjeN1cdGMyU05Ny7unPWFqJzvzxVli34r61nonEG3UWG92oaadlNvb u3OhpbW6xmfey8rzhk0OrvNsn+a+vTPbnkkuufSYa7EVH6Olu1oPQ6+tk8aL M4LBRjq3g0vqcsbHi4WoZ36ek9Oj2J2OL7kdmGOO747SQX/kf16W392+A7sn eKG/fJFWgx8u7XGef8bDdBAKZfV5/Ri7Zmhm11P3vvKvgdabR8fFrrdVeHmQ dZ2YX2f3Q7S3onZ8W5MGJ5Nep2lH9513nQhnWfCuNzXTP9pmUChmpyu89NXq dev058WiJcZc19LLc9NnHm6DpLsYmo3nMn9O1FzfO6s0krpz9Zx6z+tN8eIs 8NNj0d1KUjrLXos83g7ca6+jx1nU3PhtN7EP557QOK66xvzTHU0/nGgcb9HZ 6Gv+a2m0E49Ysr8nn9682y3eJ+2cB1nuL21l/TSjji2+kkyZzxuLXTfemN6Q FEXPVu1eN7rfHrK1d55Ebb6b/U16WTdj3WsVnLYdjEJf6CbJPp9PWpPeWEus xk5ofY7H8WSi2WVGeEupKTbz27jgTMkoK0fZUKKDs57LviY1F+1Tq7PaWT2r SJMy7y/vvaxxFwzHz4bDqdxfzSeko86aw9W9WI625updLDtDKW+3btfYmo6t 7DJJOtzZy56Xtyru1poxyRrvsoKZkbT7aSajW/fgm662ynYiWV5v56L1bt3c j9cTvW3HTh+76Njt3Z7T9qvVCwNrHq3G5RWYs8l1Jq4m+kWeSA6ZT6+hfFrc i6PfPCh8npCn1TVXh/WucJLmsAwcH6s8ejwO2lDd9x6vhlsWd8pktlZX+c7L ygzsCbwUGu+p/mitb5+X+ihIMBhstNv+0Fm1LrxbLneiBcNyeU4m7bzRHC0e IbfuSNfDanmLU1nbk1hSRS799BXbPDt5Z/eSLrvzUde6/JnbW622vA7CgXHn ZuLo2hhks48dE+uS+235pTuH0e3A2aq2ORjzm/Z+XOf51djm4lO32vr9UvDd O/f6uGp3TnJ9OPUb5cldvA8mJ+nqS3y7cPzTW51MDDXol5FBc4rnzk1Gn8Oi TAM9uXXo20Yy53SJBNusddOsZ+M1ey1cWSyL8l0ydI/TUyds6uKMI775Cmf+ 5jXnJ9pxehi+x70w122LG2WH2XQT8b3WyTo8Gq/Wpqm3Rjs+l25RMrrm+410 4ePma6O/wu5bacuDdtay43KXKunc2o2uK15fJZubOYpvjhs0zPNGHJlv8xg9 glVknfUVWe5S3ruYSydbRDdfbV9OrZOvdhWul+4v++Zgsg4J8dq9z1NNDuWx b3dsP1ozXn5PAz5w3457lsMyHNn7kbwPnq/uxuaXXF/VO58teRXG6xp0VDJR 4pd7NJpa490bxMnDU+6ThXj4ZOuVEOrbIddr34+tzuDZDL1L8366PBbjXiS8 yMV8rCw+0XpplAb5p3lsPDt3+748OrduQtbRgvhxtp9aj0C8GMuwXQyt5V3g b+Jw473V41E9aPGw6MvCvizk1j1RII3r9H3JO2HnvAuXzcO1Y340I5a154IP JprpScpqqxnC69PvFQu/e9Jc0WlOFWWsxM9BZ995Nrz9Kwy6orF+L+4fY9ni iXMMj/boak3zayiOx+67a/v5Uxkfm9rx7VkH6bhIF97Zfpo783FoHFxt112Y 9uiuz6a7sbdUC+lQHqkGoZu/vUn7PvaLq+m93/f20I8de+RtuKh/bNrXUUvb tbqN5ZNbzYec0d9fvBeX5elCeLnxnrPyY0o4W8o2re2U04N3MDAPxv2YPR4z sfN0Q3V8LZZmp6F0udMjdy6JERtRdhP6PcHo6qOlfOyuisXTNDW9e9mbOzU8 Pzt9aTHbc0Sapkoxb8rHs/1qxGU1q/cum6l+nAll4ri4MT9e5dvRxgv6Unfc N61mkRlBYVuD9iFeHxU5Mh37aQvuZ/e4Z41ktIqT0XhtLPtpv7jHyjF+Kyq5 LeZ3YbLaxtx+eg/kQrHcNtdfNzf7/ijid7dlHHRv/FRSGrfp3s6kna8LaTP2 d4V9j/P5YK6PQj2L8kWzuCuSHUpHl5i7sUXCz+DlFKMF31mNF8v97tEIt5HW PkbXaL/Pw8tJCnXleTrv24V7SYP4bS09cXX0bnJnfb32hqG45m7tg/0iu6PY Gb46/YaZnQ0iNufb7ad7lpuxPd90P1FfK0/2KzFta+r0sT1pnRZ5hap9/9gk ssui8zAPFhMpTL1tQ5HtYVkVbMVn4J6Gu4vExaofp8XaG9uzo2iY57V91lND IY+MC+6Ldnf/DLT9rAz2m33c/TT06cMSk8PxqnaH9kjahbb/5OPO1O0bx27L DI/q/Zymmb8ezOTe8LSbKpfyNZdM8CM1Jy7X0CWBOHdp6F+s9HPx9VfrpL9I 2ouKT2T1hgvrfZmUR7Rx82IstM2iDIVr6TTlOuFaKsoj2rERnXrHwrLH2mQi 6ebuobQ4/TgdrJOr3VqGyuU+2LwmJlEWQXDn1sr8NnhnZNl6PGfnzN0teo2Q u1v72/bUe0+HaiS2tmYcTCxBHU/vZ78ouPCjPPxozD8vu80zv7fTZ7kbkyU5 qQNOKguYxr24na9Om6zOgmbO8uN5LU7S11blN7u9S/hXuCtrA490ljdlcFyV JU67iG+bxJ9tF6NzYQ4bQl/e98+5P5rlcW8RW7On6x9TXdMXo1a7vyWe9Da7 aiZmVj+/7acfW3mctLfzKKLJ5CRLx0ZrZ+1n0ogbZPJbNJXFLH/omzZXjI/3 1VJUdo4aWrIRb9vLy5sXtTAb+XmZmXav5lIsK8VbI7zqzods8l5ZzD6LMD2a Waq+5XdhjOK43PSnZ6yl97tDhP1eXWrSZjgJRH8lidPb8OJYfIM8B2F0WsWf 1XH/HmbWWhXSTdvneFJuAnfl9uXerLN8pGRnFl1xl277vnEfhdPdZNN5bebj RvRJFtdPNHwsk+DoXrzpaTw2hYsvntqH2S6/XlShsNrCcTlbH8LLZPNuTe39 Tov6M0K629WtYVtbZ+XZumtMnc9e8mTLts9lPeW4T+OyyWeXc6fcQuct2Zgf 4Wody/pZjmazbtMZp91ZmRfGMrlL0amseleD+zZePQY3J0lm24kniAulo192 HYd/trUyEOfl8WHyuiXj3lv3Rc4bvILhvXF2HmI74earxT1etztFNpq27KE8 2ijW0o27yv15DGQib4VB3LuOw44ijPXhdTucnTer5us8arwGk0ITU/18uU3k zyzdzZOdxJ2C1trT9LH6GE777yx6uC2Sd5/GdSiPT4fykx/6c+tc1YXbWO2W R+JshkpRpE3n/mkRgQyH/QlZrc1k6QWdwMtE2d8oaSZ7xtibyqMyu6z37oBf 3luTd0P/LP3xJsjc52e66nXMq6D51v3oLXPzExkjMTyv24aj+/JwJt7v1rLd vm8++Vsz3OHhIjrrxtgs0pt1lgIlE/brQmzv1ySQ8we3XAqas0jjremaQqqb 2wU/N7Xp/BpFj+75ZvhxYYUO15j7ymy5ssSNz43e9i6dF859pef9/MWR0IyS 5nLhtF7rpP2aqtb62SZSc2++b72ZE8+fGz1rOK59zrnV5dx1Q2eeNdfJa3YQ 3+ZeHMzO5+zoHk/ZedI9Nneu6OvvUfu5Uu1QMCU3krLF49wYutsHMa67zmw5 G65Grc6Em/gr0dXK42hO0o40n1ifTnm/NpnUIkWyVw6vntVMSPe9nS+b78Zy Y5602cdztcXqtPwM+4+DnqRrx21lQnkrvZG9SHVd+MRJNk5m1i70rt3NwbWt xSJaL4tR424/rs9wYzXLBVvWFcssH88XSW/5LERdl1uvx8IML4Zt5plnfKSm d7xfXUFsGVzvNNInvN/YpJ9rO/dTXg+OZdmw1Sbh/sY1B4fO2ddPktGznYWa zry8+Oc///9mMu3wkJ+KLI7SY5zfb43/+n85/Fri6J9/S/zsFv/tv6mXjJ8f bj/J6fqzeNxuP8bpccvi93/8zP38dPsZ+cezn/sHak8y2YXbsmb6se/maZvf fvw8+umervH7p3PK8zjL8C7bODsnj+zn9kjT+EYtatgrr/FzFxe3f1T2NdEp fNDL+nncYmpfk53uP6fk5x6/7j/J9XT8ue2Ou8y//vuFt5//tOcaxwmc9q// aPyf/1zoXVFQyb/w5vQnTeK5f/3fH//2U9BrKf/3v/5r+PfeP3bxPfl7Vn6P 29+vSaipnBbsbv/93//4qb56evq5l/9s4x8fnhe38joa5X/c4t/P/sfP37qn 85sa6PhZ4b9vP0f/UF73fVv+6vYT+7ddfMWVZHF5E+PrtbwT5+spj//28/dG dXX8v/7R+B8v6jwOKiQBAA==[rfced] Terminology and Abbreviations: a) We note that "object identifier" appears a few times after the abbreviation "OID" is introduced. For consistency throughout the document, may we abbreviate all instances of "object identifier" to "OID" after first expansion? b) We note different uses of the following term. For clarity, may we lowercase "certificate authorities" so that it does not appear to reference the abbreviation "CA"? Certification Authority (CA) certificates Certificate Authorities c) FYI - We have added expansions for abbreviations upon first use per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please review carefully to ensure correctness: Internet of Things (IoT) --> <!-- [rfced] We have changed all <artwork> elements in this document to <sourcecode>. Please review to confirm this is correct. In addition, please consider whether the "type" attribute of any <sourcecode> element should be set and/or has been set correctly. Currently, some are set to asn.1 and some are set to x509. The current list of preferred values for "type" is available at <https://www.rfc-editor.org/rpc/wiki/doku.php?id=sourcecode-types>. If the current list does not contain an applicable type, feel free to suggest additions for consideration. Note that it is also acceptable to leave the "type" attribute not set. --> <!-- [rfced] Please review whether any of the notes in this document should be in the <aside> element. It is defined as "a container for content that is semantically less important or tangential to the content that surrounds it" (https://authors.ietf.org/en/rfcxml-vocabulary#aside). --> <!-- [rfced] Please review the "Inclusive Language" portion of the online Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> and let us know if any changes are needed. Updates of this nature typically result in more precise language, which is helpful for readers. Note that our script did not flag any words in particular, but this should still be reviewed as a best practice. --> </rfc>