Message-ID: <c7808768-35ce-4783-bece-124d8748ec0c@tu-dresden.de>
Date: Mon, 25 Nov 2024 14:11:29 +0100
To: Giridhar Mandyam <giridhar.mandyam@gmail.com>
References: <4ffdd034-05ec-4565-9cad-b40ff82f83fc@tu-dresden.de>
 <9EAF6A12-77D4-40A6-9C16-091FCC2085D1@island-resort.com>
 <2061c4b5-ce88-47ff-b3d4-253c76bfa998@tu-dresden.de>
 <CAHAF5K0Ho_v5EgCSogMjhE5AsN6oYnnHgvVbAu7iyGp3stXzMw@mail.gmail.com>
Content-Language: en-US
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
In-Reply-To: <CAHAF5K0Ho_v5EgCSogMjhE5AsN6oYnnHgvVbAu7iyGp3stXzMw@mail.gmail.com>
CC: "lgl island-resort.com" <lgl@island-resort.com>,
 "rats@ietf.org" <rats@ietf.org>
Subject: [Rats] Re: Security considerations of remote attestation (RFC9334)
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/jcAv9FKbYSIVtUNQ8ggEHL8lrmM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>On 24.11.24 23:01, Giridhar Mandyam wrote:</p>
    <blockquote type="cite" cite="mid:CAHAF5K0Ho_v5EgCSogMjhE5AsN6oYnnHgvVbAu7iyGp3stXzMw@mail.gmail.com">
      <div dir="ltr">
        <div dir="ltr">&gt; I am struggling to understand what would be the benefit of the device generating a nonce itself?</div>
        <div><br></div>
        <div>When there is no return channel from the verifier, then a nonce generated on the device could provide some level of assurance (as imperfect as it is). For instance, several years ago when we were developing ATSC 3.0 (an IP over Broadcast technology), we were looking into whether the rendering device could be attestable. Unfortunately, the transport (<a href="https://datatracker.ietf.org/doc/rfc9223/">https://datatracker.ietf.org/doc/rfc9223/</a>) does not provide for a return channel.</div>
        <div><br></div>
      </div>
    </blockquote>
    <p>Not sure if I get the term "return channel" right. RFC9223 does not define it. RFC4949 does not define it either. Here is my thought:</p>
    <ul>
      <li>How would a device know when to send the attestation? The verifier would somehow request the attestation. Over the same channel on which it sends the request, it could also send the nonce within that request.</li>
      <li>The attester still has to send over the evidence; over the same channel on which it sends the evidence, it could send the evidence containing that signed nonce.</li>
    </ul>
    <p>So why is a "return channel" required?</p>
    <blockquote type="cite" cite="mid:CAHAF5K0Ho_v5EgCSogMjhE5AsN6oYnnHgvVbAu7iyGp3stXzMw@mail.gmail.com">
      <div dir="ltr">
        <div>A device-generated nonce provides the same kind of replay protection as a jti (<a href="https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7">https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7</a>) in my opinion.</div>
        <div><br></div>
      </div>
    </blockquote>
    <p>I disagree with the following statement in that section unless the Verifier keeps a state of all the jti's:</p>
    <p>"The "jti" claim can be used to prevent the JWT from being replayed."</p>
    <p>Is jti signed as well? Even then, nothing stops the adversary from reordering. Here is a sample issue (simple Attester-Verifier interaction):</p>
    <ul>
      <li>t=1: Verifier requests attestation</li>
      <li>t=2: Attester in good state generates JWT1 with jti = "xyz"</li>
      <li>t=3: Adversary stores this JWT1 and does not forward to Verifier</li>
      <li>t=4: Adversary compromises the Attester</li>
      <li>t=5: Verifier requests attestation again</li>
      <li>t=6: Adversary sends JWT1 from t=2.</li>
    </ul>
    <p>Verifier believes attester is in good state whereas it is not.</p>
    <p>I don't believe the security considerations of RFC7519 are good enough.</p>
    <blockquote type="cite" cite="mid:CAHAF5K0Ho_v5EgCSogMjhE5AsN6oYnnHgvVbAu7iyGp3stXzMw@mail.gmail.com">
      <div dir="ltr">
        <div>-Giri</div>
        <br>
        <div class="gmail_quote">
          <div dir="ltr" class="gmail_attr">On Sun, Nov 24, 2024 at 12:14 PM Muhammad Usama Sardar &lt;<a href="mailto:muhammad_usama.sardar@tu-dresden.de">muhammad_usama.sardar@tu-dresden.de</a>&gt; wrote:<br></div>
          <blockquote class="gmail_quote">
            <div>
              <p>On 11.11.24 22:21, lgl <a href="http://island-resort.com">island-resort.com</a> wrote:</p>
              <blockquote type="cite">There's some framing in the EAT introduction that contrasts attestation security with authentication security. It discusses key life cycles which are very different for attestation. That seems important to discuss in the context of using TLS for attestation security.</blockquote>
              <p>The second paragraph of the intro was an interesting read. Since it states: "To give an example of one aspect of the difference", I would naturally assume there are more differences in the minds of the editors. I would like to read more about it. Is there any issue/thread/meeting where this was discussed?</p>
              <p>Reading through the privacy and security considerations, I have a couple of questions:</p>
              <ul>
                <li>Sec. 8.4 states (emphasis my own)</li>
              </ul>
              <pre>&gt; The nonce claim is based on a value <b>usually</b> derived remotely (outside of the entity).</pre>
              <p>I am struggling to understand what would be the benefit of the device generating a nonce itself? How would the verifier/relying party make sense of this value? Moreover, this directly contradicts Sec. 10.2 which states: (emphasis my own)</p>
              <p>&gt; In this approach, an unpredictable nonce is sent by the <b>appraising entity</b> and the nonce is then signed and included along with the Claims in the Evidence or Attestation Result.</p>
              <ul>
                <li>Sec. 9.3 states: (emphasis my own)</li>
              </ul>
              <pre>&gt; All EAT use MUST provide a freshness mechanism to prevent replay and <b>related attacks</b>.</pre>
              <p>What are the related attacks?</p>
              <p>Thanks,<br>Usama</p>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
  </body>
</html>
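Added example, not part of the thread or of any RFC: a Python simulation of the t=1..6 sequence discussed above. A Verifier that relies on an attester-chosen jti, even one that records every jti it has seen, accepts the withheld JWT1, while a Verifier that issues its own unpredictable nonce per request rejects it. The HMAC key, claim names and class names are constructed for this simulation.

```python
import hashlib, hmac, json, secrets

# Constructed: a symmetric key stands in for the Attester's signing key so the
# toy runs offline; real Evidence is signed with an asymmetric attestation key.
ATTESTER_KEY = b"constructed-attester-key"

def sign(claims: dict) -> dict:
    """Attester side: emit a JWT-like token, i.e. the claims plus a MAC over them."""
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "mac": hmac.new(ATTESTER_KEY, payload, hashlib.sha256).hexdigest()}

def signature_ok(token: dict) -> bool:
    payload = json.dumps(token["claims"], sort_keys=True).encode()
    expected = hmac.new(ATTESTER_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["mac"])

class JtiVerifier:
    """Freshness from an attester-chosen jti; remembers every jti it has seen."""
    def __init__(self): self.seen = set()
    def request(self): return None            # no challenge: nothing for the attester to bind to
    def appraise(self, token) -> bool:
        jti = token["claims"]["jti"]
        if not signature_ok(token) or jti in self.seen:
            return False
        self.seen.add(jti)
        return token["claims"]["state"] == "good"

class NonceVerifier:
    """Freshness from a verifier-chosen nonce that must be echoed in the evidence."""
    def __init__(self): self.current = None
    def request(self):
        self.current = secrets.token_hex(16)  # unpredictable, one per request
        return self.current
    def appraise(self, token) -> bool:
        fresh = signature_ok(token) and token["claims"]["nonce"] == self.current
        self.current = None                   # each challenge is single-use
        return fresh and token["claims"]["state"] == "good"

def run_replay(verifier_cls) -> bool:
    """The t=1..6 sequence from the thread; True means the Verifier was fooled."""
    v = verifier_cls()
    challenge = v.request()                                            # t=1
    jwt1 = sign({"state": "good", "jti": "xyz", "nonce": challenge})   # t=2
    v.request()          # t=3/t=4: jwt1 withheld, attester compromised; t=5: new request
    return v.appraise(jwt1)                                            # t=6: jwt1 replayed

def run_honest(verifier_cls) -> bool:
    """Control case: an uncompromised attester answers the current request."""
    v = verifier_cls()
    challenge = v.request()
    return v.appraise(sign({"state": "good", "jti": "abc", "nonce": challenge}))
```

Both verifiers accept the honest exchange; only the jti-based one also accepts the stale JWT1, which is the reordering the thread describes.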
