From: "Sebastian Robin Nielsen" <sebastian@sebbe.eu>
To: "'Mailing List'" <acme@ietf.org>
Message-ID: <006301dcc617$17c6bc40$475434c0$@sebbe.eu>
In-Reply-To: <6c26f255-710c-46b3-a859-20185f237c03@gmail.com>
References: 
 <CAFg2froJTxp+kT_VdSuNs9LVqFQhO-WJZBt=-qoVQO9c8M+=Xw@mail.gmail.com>
 <CAEmnErdOBBzj+5nuZBYo0zN64zMXDeX-3sdcFBQqJirmHky2gA@mail.gmail.com>
 <002201dcc5fb$c4ba9e60$4e2fdb20$@sebbe.eu>
 <a28d2d2a-4261-4f84-8a58-093d793a6f77@gmail.com>
 <005001dcc612$fb2a0be0$f17e23a0$@sebbe.eu>
 <6c26f255-710c-46b3-a859-20185f237c03@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256;
	boundary="----=_Part_186_989877597.1775515540263"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: 
 AQGp7izcEnAnRyYg8hko2wA6TQRkawJxFEKpAaHZegkBp1USRgInQ0SAAYMnrXK17SuVMA==
X-Encryption-Target: external
Date: Tue, 07 Apr 2026 00:45:40 +0200
Precedence: list
Subject: [Acme] Re: Potential issues with dns-persist-01
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/acme/1GBMK4JcgIWw38TCFhql_ahNOIk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>

------=_Part_186_989877597.1775515540263

Since the accounturi is mandatory, it makes more sense to be able to
*REPLACE* accounturi with the pubkey (accounturi=pubkey:<sha256 of
pubkey>) instead of having to provision both.
It makes it possible to provision the record before the account is even
created.

Adding an accountkey= parameter would require the client to provision
both (accounturi AND accountkey), making accountkey only an optional
"restriction", not a "replacement".
Thus losing the advantage of being able to provision the record before
even touching the ACME server.

Best regards, Sebastian Nielsen

-----Original message-----
From: forwardingalgorithm@ietf.org <forwardingalgorithm@ietf.org> On Behalf Of zandoodle
Sent: 7 April 2026 00:42
To: acme@ietf.org
Subject: [Acme] Re: Potential issues with dns-persist-01

I'm not sure why the accounturi parameter needs to be used for this
change given that existing implementations don't support pubkey URIs and
therefore it would be backwards incompatible anyway. Using a separate
parameter would eliminate issues due to lax URI validation.

Thanks - Max

On 06/04/2026 23:16, Sebastian Robin Nielsen wrote:
> That's not what I proposed. I proposed that the client computes his
> pubkey:<sha256 of pubkey> offline before even touching the ACME server.
> That's the whole point of the proposed change. You could calculate and
> provision the _validation-persist record even before you have installed
> a network card in the server.
>
> The standard could have an explicit rule that if the server sends a
> pubkey: in any "accounturi" parameter, either at account creation, or
> inside the challenge object, the client SHOULD ignore them and always
> use a self-calculated value for accounturi=pubkey:<sha256 of pubkey> in
> the _validation-persist record to provision.
>
> If the client wishes to use key rollover, they could either update the
> record for each rollover, or use the normal accounturi construction.
> So there is a tradeoff, either you trust your server to be able to keep
> your account key a secret, and never need to "rollover", thus you use
> the accounturi=pubkey:<sha256 of pubkey> construction - gaining
> protection against online attacks.
> Or you choose to rollover, but then you use the normal accounturi
> system, because you don't trust your server to keep your account private
> key a secret.
>
> The standard must of course explicitly specify that a pubkey:
> parameter is never acceptable in a "kid" parameter either.
> The pubkey: parameter is only permitted inside the _validation-persist
> record.



------=_Part_186_989877597.1775515540263--
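
Added example, not part of the original message or of any draft text: a sketch of the accounturi=pubkey:<sha256 of pubkey> idea discussed in the thread, showing the offline computation, the "ignore server-sent pubkey:" client rule, strict matching on the validating side, and the ban on pubkey: in "kid". It assumes "sha256 of pubkey" means the RFC 7638 JWK thumbprint, which the thread does not specify; all function names, the sample key and the acme.example URL are hypothetical.

```python
import base64
import hashlib
import json

# RFC 7638 required members per key type (assumed hash input, see lead-in).
_REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"),
             "OKP": ("crv", "kty", "x")}

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint (RFC 7638), base64url without padding."""
    members = _REQUIRED[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def offline_accounturi(jwk: dict) -> str:
    """Value the client can compute before any contact with the ACME server."""
    return "pubkey:" + jwk_thumbprint(jwk)

def client_record_value(server_sent: str, jwk: dict, use_pubkey: bool) -> str:
    """Client rule from the thread: never copy a server-sent pubkey: value."""
    if use_pubkey or server_sent.lower().startswith("pubkey:"):
        return offline_accounturi(jwk)
    return server_sent

def record_matches(record_value: str, account_url: str, jwk: dict) -> bool:
    """Validating side: exact, scheme-aware comparison, no prefix matching."""
    if record_value.startswith("pubkey:"):
        return record_value == offline_accounturi(jwk)
    return record_value == account_url

def kid_allowed(kid: str) -> bool:
    """pubkey: is only meaningful in the DNS record, never as a JWS "kid"."""
    return not kid.lower().startswith("pubkey:")

# Constructed sample key (not a real curve point) and placeholder account URL.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "Y29uc3RydWN0ZWQteA",
              "y": "Y29uc3RydWN0ZWQteQ", "kid": "ignored-extra-member"}
ACCOUNT_URL = "https://acme.example/acct/1"

if __name__ == "__main__":
    print("accounturi=" + offline_accounturi(SAMPLE_JWK))
```

Because the value depends only on the key, a key rollover changes it and the record has to be re-provisioned, which is the tradeoff described in the quoted message.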

