diff --git a/draft-nennemann-wimse-execution-context-00.html b/draft-nennemann-wimse-execution-context-00.html
index f5ccb95..621b7b8 100644
--- a/draft-nennemann-wimse-execution-context-00.html
+++ b/draft-nennemann-wimse-execution-context-00.html
@@ -1249,7 +1249,7 @@ li > p:last-of-type:only-child {
 <div id="internal-metadata" class="document-information">
 <dl id="identifiers">
 <dt class="label-workgroup">Workgroup:</dt>
-<dd class="workgroup">Network Working Group</dd>
+<dd class="workgroup">WIMSE</dd>
 <dt class="label-internet-draft">Internet-Draft:</dt>
 <dd class="internet-draft">draft-nennemann-wimse-execution-context-00</dd>
 <dt class="label-published">Published:</dt>
@@ -1548,6 +1548,12 @@ regulatory frameworks.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
 </li>
               <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12.2.3">
                 <p id="section-toc.1-1.12.2.3.1"><a href="#section-12.3" class="auto internal xref">12.3</a>.  <a href="#name-jwt-claims-registration" class="internal xref">JWT Claims Registration</a></p>
+</li>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12.2.4">
+                <p id="section-toc.1-1.12.2.4.1"><a href="#section-12.4" class="auto internal xref">12.4</a>.  <a href="#name-ect-policy-decision-values-" class="internal xref">ECT Policy Decision Values Registry</a></p>
+</li>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12.2.5">
+                <p id="section-toc.1-1.12.2.5.1"><a href="#section-12.5" class="auto internal xref">12.5</a>.  <a href="#name-ect-regulated-domain-values" class="internal xref">ECT Regulated Domain Values Registry</a></p>
 </li>
             </ul>
 </li>
@@ -1683,7 +1689,7 @@ addresses the gap between workload identity and execution
 accountability.  WIMSE authenticates agents; this extension records
 what they did, in what order, and what policy was evaluated.<a href="#section-1.1-5" class="pilcrow">¶</a></p>
 <p id="section-1.1-6">As identified in <span>[<a href="#I-D.ni-wimse-ai-agent-identity" class="cite xref">I-D.ni-wimse-ai-agent-identity</a>]</span>, call context
-in agentic workflows must always be visible and preserved.  ECTs
+in agentic workflows needs to be visible and preserved.  ECTs
 provide a mechanism to address this requirement with cryptographic
 assurances.<a href="#section-1.1-6" class="pilcrow">¶</a></p>
 </section>
@@ -2088,14 +2094,45 @@ claim of the agent's WIT.<a href="#section-4.2.1-2.2.1" class="pilcrow">¶</a></
 <dt id="section-4.2.1-2.3">sub:</dt>
             <dd style="margin-left: 1.5em" id="section-4.2.1-2.4">
               <p id="section-4.2.1-2.4.1"><span class="bcp14">OPTIONAL</span>.  StringOrURI.  The subject of the ECT.  When present,
-<span class="bcp14">MUST</span> equal the "iss" claim.<a href="#section-4.2.1-2.4.1" class="pilcrow">¶</a></p>
+<span class="bcp14">MUST</span> equal the "iss" claim.  This claim is included for
+compatibility with JWT libraries and frameworks that expect a
+"sub" claim to be present.<a href="#section-4.2.1-2.4.1" class="pilcrow">¶</a></p>
 </dd>
             <dd class="break"></dd>
 <dt id="section-4.2.1-2.5">aud:</dt>
             <dd style="margin-left: 1.5em" id="section-4.2.1-2.6">
               <p id="section-4.2.1-2.6.1"><span class="bcp14">REQUIRED</span>.  StringOrURI or array of StringOrURI.  The intended
-recipient(s) of the ECT.  Typically the next agent in the
-workflow or the ledger endpoint.<a href="#section-4.2.1-2.6.1" class="pilcrow">¶</a></p>
+recipient(s) of the ECT.  Because ECTs serve as both inter-agent
+messages and audit records, the "aud" claim <span class="bcp14">SHOULD</span> contain the
+identifiers of all entities that will verify the ECT.  In
+practice this means:<a href="#section-4.2.1-2.6.1" class="pilcrow">¶</a></p>
+<ul class="normal">
+<li class="normal" id="section-4.2.1-2.6.2.1">
+                  <p id="section-4.2.1-2.6.2.1.1"><strong>Point-to-point delivery</strong>: when an ECT is sent from one
+agent to a single next agent, "aud" contains that agent's
+workload identity.  The receiving agent verifies the ECT and
+forwards it to the ledger on behalf of the issuer.<a href="#section-4.2.1-2.6.2.1.1" class="pilcrow">¶</a></p>
+</li>
+                <li class="normal" id="section-4.2.1-2.6.2.2">
+                  <p id="section-4.2.1-2.6.2.2.1"><strong>Direct-to-ledger submission</strong>: when an ECT is submitted
+directly to the audit ledger (e.g., after a join or at
+workflow completion), "aud" contains the ledger's identity.<a href="#section-4.2.1-2.6.2.2.1" class="pilcrow">¶</a></p>
+</li>
+                <li class="normal" id="section-4.2.1-2.6.2.3">
+                  <p id="section-4.2.1-2.6.2.3.1"><strong>Multi-audience</strong>: when an ECT must be verified by both the
+next agent and the ledger independently, "aud" <span class="bcp14">MUST</span> be an
+array containing both identifiers (e.g.,
+["spiffe://example.com/agent/next",
+"spiffe://example.com/system/ledger"]).  Each verifier checks
+that its own identity appears in the array.<a href="#section-4.2.1-2.6.2.3.1" class="pilcrow">¶</a></p>
+</li>
+              </ul>
+<p id="section-4.2.1-2.6.3">In multi-parent (join) scenarios where a task depends on ECTs
+from multiple parent agents, the joining agent creates a new ECT
+with the parent task IDs in "par".  The "aud" of this new ECT
+is set according to the rules above based on where the ECT will
+be delivered — it is independent of the "aud" values in the
+parent ECTs.<a href="#section-4.2.1-2.6.3" class="pilcrow">¶</a></p>
 </dd>
             <dd class="break"></dd>
 <dt id="section-4.2.1-2.7">iat:</dt>
@@ -2112,11 +2149,19 @@ Implementations <span class="bcp14">SHOULD</span> set this to 5 to 15 minutes af
 to limit the replay window while allowing for reasonable clock
 skew and processing time.<a href="#section-4.2.1-2.10.1" class="pilcrow">¶</a></p>
 </dd>
-            <dd class="break"></dd>
-<dt id="section-4.2.1-2.11">jti:</dt>
-            <dd style="margin-left: 1.5em" id="section-4.2.1-2.12">
-              <p id="section-4.2.1-2.12.1"><span class="bcp14">OPTIONAL</span>.  String.  A unique identifier for the ECT, useful for
-additional replay detection.<a href="#section-4.2.1-2.12.1" class="pilcrow">¶</a></p>
+          <dd class="break"></dd>
+</dl>
+<p id="section-4.2.1-3">The standard JWT "nbf" (Not Before) claim is not used in ECTs
+because ECTs record completed actions and are valid immediately
+upon issuance.<a href="#section-4.2.1-3" class="pilcrow">¶</a></p>
+<span class="break"></span><dl class="dlParallel" id="section-4.2.1-4">
+            <dt id="section-4.2.1-4.1">jti:</dt>
+            <dd style="margin-left: 1.5em" id="section-4.2.1-4.2">
+              <p id="section-4.2.1-4.2.1"><span class="bcp14">REQUIRED</span>.  String.  A unique identifier for the ECT in UUID
+format <span>[<a href="#RFC9562" class="cite xref">RFC9562</a>]</span>.  Used for replay detection: receivers <span class="bcp14">MUST</span>
+reject ECTs whose "jti" has already been seen within the
+expiration window.  The "jti" value <span class="bcp14">MUST</span> be unique across all
+ECTs issued by the same agent.<a href="#section-4.2.1-4.2.1" class="pilcrow">¶</a></p>
 </dd>
           <dd class="break"></dd>
 </dl>
@@ -2185,7 +2230,30 @@ evaluated for this task (e.g.,
 <dt id="section-4.2.3-2.3">pol_decision:</dt>
             <dd style="margin-left: 1.5em" id="section-4.2.3-2.4">
               <p id="section-4.2.3-2.4.1"><span class="bcp14">REQUIRED</span>.  String.  The result of the policy evaluation.  <span class="bcp14">MUST</span>
-be one of: "approved", "rejected", or "pending_human_review".<a href="#section-4.2.3-2.4.1" class="pilcrow">¶</a></p>
+be one of the values registered in the ECT Policy Decision
+Values registry (<a href="#pol-decision-registry" class="auto internal xref">Section 12.4</a>).  Initial values
+are:<a href="#section-4.2.3-2.4.1" class="pilcrow">¶</a></p>
+<ul class="normal">
+<li class="normal" id="section-4.2.3-2.4.2.1">
+                  <p id="section-4.2.3-2.4.2.1.1">"approved": The policy evaluation succeeded and the task
+was authorized to proceed.<a href="#section-4.2.3-2.4.2.1.1" class="pilcrow">¶</a></p>
+</li>
+                <li class="normal" id="section-4.2.3-2.4.2.2">
+                  <p id="section-4.2.3-2.4.2.2.1">"rejected": The policy evaluation failed.  A "rejected" ECT
+<span class="bcp14">MUST</span> still be appended to the audit ledger for accountability.
+An ECT with "pol_decision" of "rejected" <span class="bcp14">MAY</span> appear as a
+parent in the "par" array of a subsequent ECT, but only for
+compensation, rollback, or remediation tasks.  Agents <span class="bcp14">MUST NOT</span> proceed with normal workflow execution based on a parent
+ECT whose "pol_decision" is "rejected".<a href="#section-4.2.3-2.4.2.2.1" class="pilcrow">¶</a></p>
+</li>
+                <li class="normal" id="section-4.2.3-2.4.2.3">
+                  <p id="section-4.2.3-2.4.2.3.1">"pending_human_review": The policy evaluation requires human
+judgment before proceeding.  Agents <span class="bcp14">MUST NOT</span> proceed with
+dependent tasks until a subsequent ECT from a human reviewer
+records an "approved" decision referencing this task as a
+parent.<a href="#section-4.2.3-2.4.2.3.1" class="pilcrow">¶</a></p>
+</li>
+              </ul>
 </dd>
             <dd class="break"></dd>
 <dt id="section-4.2.3-2.5">pol_enforcer:</dt>
@@ -2218,8 +2286,12 @@ inputs and outputs without revealing the data itself:<a href="#section-4.2.4-1"
               <p id="section-4.2.4-2.2.1"><span class="bcp14">OPTIONAL</span>.  String.  A cryptographic hash of the input data,
 formatted as "hash-algorithm:base64url-encoded-hash" (e.g.,
 "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg").  The
-hash algorithm identifier <span class="bcp14">SHOULD</span> be "sha-256".  The hash <span class="bcp14">MUST</span> be
-computed over the raw octets of the input data.<a href="#section-4.2.4-2.2.1" class="pilcrow">¶</a></p>
+hash algorithm identifier <span class="bcp14">MUST</span> be a lowercase value from the
+IANA Named Information Hash Algorithm Registry (e.g., "sha-256",
+"sha-384", "sha-512").  Implementations <span class="bcp14">MUST</span> support "sha-256"
+and <span class="bcp14">SHOULD</span> use "sha-256" unless a stronger algorithm is
+required.  The hash <span class="bcp14">MUST</span> be computed over the raw octets of the
+input data.<a href="#section-4.2.4-2.2.1" class="pilcrow">¶</a></p>
 </dd>
             <dd class="break"></dd>
 <dt id="section-4.2.4-2.3">out_hash:</dt>
@@ -2253,8 +2325,8 @@ milliseconds.  <span class="bcp14">MUST</span> be a non-negative integer.<a href
 <dt id="section-4.2.5-2.3">regulated_domain:</dt>
             <dd style="margin-left: 1.5em" id="section-4.2.5-2.4">
               <p id="section-4.2.5-2.4.1"><span class="bcp14">OPTIONAL</span>.  String.  The regulatory domain applicable to this
-task.  Values are drawn from an extensible set; initial values
-include "medtech", "finance", and "military".<a href="#section-4.2.5-2.4.1" class="pilcrow">¶</a></p>
+task.  Values <span class="bcp14">MUST</span> be registered in the ECT Regulated Domain
+Values registry (<a href="#regulated-domain-registry" class="auto internal xref">Section 12.5</a>).<a href="#section-4.2.5-2.4.1" class="pilcrow">¶</a></p>
 </dd>
             <dd class="break"></dd>
 <dt id="section-4.2.5-2.5">model_version:</dt>
@@ -2300,7 +2372,9 @@ compensation or rollback action for a previous task.<a href="#section-4.2.7-1.2.
 <dt id="section-4.2.7-1.3">compensation_reason:</dt>
             <dd style="margin-left: 1.5em" id="section-4.2.7-1.4">
               <p id="section-4.2.7-1.4.1"><span class="bcp14">OPTIONAL</span>.  String.  A human-readable reason for the compensation
-action.  <span class="bcp14">MUST</span> be present if "compensation_required" is true.<a href="#section-4.2.7-1.4.1" class="pilcrow">¶</a></p>
+action.  <span class="bcp14">MUST</span> be present if "compensation_required" is true.
+If "compensation_reason" is present, "compensation_required"
+<span class="bcp14">MUST</span> be true.<a href="#section-4.2.7-1.4.1" class="pilcrow">¶</a></p>
 </dd>
           <dd class="break"></dd>
 </dl>
@@ -2321,16 +2395,14 @@ ledger.<a href="#section-4.2.7-2" class="pilcrow">¶</a></p>
             <dd style="margin-left: 1.5em" id="section-4.2.8-1.2">
               <p id="section-4.2.8-1.2.1"><span class="bcp14">OPTIONAL</span>.  Object.  An extension object for domain-specific
 claims not defined by this specification.  Implementations
-that do not understand extension claims <span class="bcp14">SHOULD</span> ignore them.
-To avoid key collisions between different domains, extension
-key names <span class="bcp14">SHOULD</span> use reverse domain notation (e.g.,
-"com.example.custom_field").<a href="#section-4.2.8-1.2.1" class="pilcrow">¶</a></p>
+that do not understand extension claims <span class="bcp14">MUST</span> ignore them.<a href="#section-4.2.8-1.2.1" class="pilcrow">¶</a></p>
 </dd>
           <dd class="break"></dd>
 </dl>
-<p id="section-4.2.8-2">The "ext" claim is a generic extension mechanism; it is not
-registered in the IANA JWT Claims registry because its semantics
-depend on the domain-specific claims within it.<a href="#section-4.2.8-2" class="pilcrow">¶</a></p>
+<p id="section-4.2.8-2">To avoid key collisions between different domains, extension
+key names <span class="bcp14">MUST</span> use reverse domain notation (e.g.,
+"com.example.custom_field").  Implementations <span class="bcp14">MUST NOT</span> use
+unqualified key names within the "ext" object.<a href="#section-4.2.8-2" class="pilcrow">¶</a></p>
 </section>
 </div>
 </section>
@@ -2351,6 +2423,7 @@ depend on the domain-specific claims within it.<a href="#section-4.2.8-2" class=
   "aud": "spiffe://example.com/agent/safety",
   "iat": 1772064150,
   "exp": 1772064750,
+  "jti": "7f3a8b2c-d1e4-4f56-9a0b-c3d4e5f6a7b8",
 
   "wid": "a0b1c2d3-e4f5-6789-abcd-ef0123456789",
   "tid": "550e8400-e29b-41d4-a716-446655440001",
@@ -2419,6 +2492,13 @@ Execution-Context: eyJhbGci...ECT...
 <p id="section-5.1-5">When multiple parent tasks contribute context to a single request,
 multiple Execution-Context header field lines <span class="bcp14">MAY</span> be included, each
 carrying a separate ECT in JWS Compact Serialization format.<a href="#section-5.1-5" class="pilcrow">¶</a></p>
+<p id="section-5.1-6">When a receiver processes multiple Execution-Context headers, it
+<span class="bcp14">MUST</span> individually verify each ECT per the procedure in
+<a href="#verification" class="auto internal xref">Section 7</a>.  If any single ECT fails verification, the
+receiver <span class="bcp14">MUST</span> reject the entire request.  The set of verified
+parent task IDs across all received ECTs represents the complete
+set of parent dependencies available for the receiving agent's
+subsequent ECT.<a href="#section-5.1-6" class="pilcrow">¶</a></p>
 </section>
 </div>
 </section>
@@ -2462,11 +2542,15 @@ recorded in the ledger.  If any parent task is not found, the
 ECT <span class="bcp14">MUST</span> be rejected.<a href="#section-6.2-2.2.1" class="pilcrow">¶</a></p>
 </li>
           <li id="section-6.2-2.3">
-            <p id="section-6.2-2.3.1">Temporal Ordering: The "iat" value of every parent task <span class="bcp14">MUST</span> be
-less than the "iat" value of the current task plus a
+            <p id="section-6.2-2.3.1">Temporal Ordering: The "iat" value of every parent task <span class="bcp14">MUST NOT</span> be greater than the "iat" value of the current task plus a
 configurable clock skew tolerance (<span class="bcp14">RECOMMENDED</span>: 30 seconds).
-If any parent task has an "iat" that violates this constraint,
-the ECT <span class="bcp14">MUST</span> be rejected.<a href="#section-6.2-2.3.1" class="pilcrow">¶</a></p>
+That is, for each parent: <code>parent.iat &lt; child.iat +
+clock_skew_tolerance</code>.  The tolerance accounts for clock skew
+between agents; it does not guarantee strict causal ordering
+from timestamps alone.  Causal ordering is primarily enforced
+by the DAG structure (parent existence in the ledger), not by
+timestamps.  If any parent task violates this constraint, the
+ECT <span class="bcp14">MUST</span> be rejected.<a href="#section-6.2-2.3.1" class="pilcrow">¶</a></p>
 </li>
           <li id="section-6.2-2.4">
             <p id="section-6.2-2.4.1">Acyclicity: Following the chain of parent references <span class="bcp14">MUST NOT</span>
@@ -2474,9 +2558,18 @@ lead back to the current task's "tid".  If a cycle is detected,
 the ECT <span class="bcp14">MUST</span> be rejected.<a href="#section-6.2-2.4.1" class="pilcrow">¶</a></p>
 </li>
           <li id="section-6.2-2.5">
-            <p id="section-6.2-2.5.1">Trust Domain Consistency: Parent tasks <span class="bcp14">SHOULD</span> belong to the
+            <p id="section-6.2-2.5.1">Parent Policy Decision: If any parent task has a "pol_decision"
+of "rejected" or "pending_human_review", the current task's
+"exec_act" <span class="bcp14">MUST</span> indicate a compensation, rollback, remediation,
+or human review action.  Implementations <span class="bcp14">MUST NOT</span> accept an ECT
+representing normal workflow continuation when a parent's
+"pol_decision" is not "approved", unless the current ECT has
+"compensation_required" set to true.<a href="#section-6.2-2.5.1" class="pilcrow">¶</a></p>
+</li>
+          <li id="section-6.2-2.6">
+            <p id="section-6.2-2.6.1">Trust Domain Consistency: Parent tasks <span class="bcp14">SHOULD</span> belong to the
 same trust domain or to a trust domain with which a federation
-relationship has been established.<a href="#section-6.2-2.5.1" class="pilcrow">¶</a></p>
+relationship has been established.<a href="#section-6.2-2.6.1" class="pilcrow">¶</a></p>
 </li>
         </ol>
 </section>
@@ -2581,7 +2674,11 @@ associated with the "kid" public key.<a href="#section-7.1-2.7.1" class="pilcrow
 </li>
           <li id="section-7.1-2.8">
             <p id="section-7.1-2.8.1">Verify the "aud" claim contains the verifier's own workload
-identity or an expected recipient identifier.<a href="#section-7.1-2.8.1" class="pilcrow">¶</a></p>
+identity.  When "aud" is an array, it is sufficient that the
+verifier's identity appears as one element; the presence of
+other audience values does not cause verification failure.
+When the verifier is the audit ledger, the ledger's own
+identity <span class="bcp14">MUST</span> appear in "aud".<a href="#section-7.1-2.8.1" class="pilcrow">¶</a></p>
 </li>
           <li id="section-7.1-2.9">
             <p id="section-7.1-2.9.1">Verify the "exp" claim indicates the ECT has not expired.<a href="#section-7.1-2.9.1" class="pilcrow">¶</a></p>
@@ -2592,8 +2689,8 @@ identity or an expected recipient identifier.<a href="#section-7.1-2.8.1" class=
 15 minutes).<a href="#section-7.1-2.10.1" class="pilcrow">¶</a></p>
 </li>
           <li id="section-7.1-2.11">
-            <p id="section-7.1-2.11.1">Verify all required claims ("tid", "exec_act", "par", "pol",
-"pol_decision") are present and well-formed.<a href="#section-7.1-2.11.1" class="pilcrow">¶</a></p>
+            <p id="section-7.1-2.11.1">Verify all required claims ("jti", "tid", "exec_act", "par",
+"pol", "pol_decision") are present and well-formed.<a href="#section-7.1-2.11.1" class="pilcrow">¶</a></p>
 </li>
           <li id="section-7.1-2.12">
             <p id="section-7.1-2.12.1">Verify "pol_decision" is one of "approved", "rejected", or
@@ -2611,6 +2708,14 @@ ledger.<a href="#section-7.1-2.14.1" class="pilcrow">¶</a></p>
 failure <span class="bcp14">MUST</span> be logged for audit purposes.  Error messages
 <span class="bcp14">SHOULD NOT</span> reveal whether specific parent task IDs exist in the
 ledger, to prevent information disclosure.<a href="#section-7.1-3" class="pilcrow">¶</a></p>
+<p id="section-7.1-4">When ECT verification fails during HTTP request processing, the
+receiving agent <span class="bcp14">SHOULD</span> respond with HTTP 403 (Forbidden) if the
+WIT and WPT are valid but the ECT is invalid, and HTTP 401
+(Unauthorized) if the ECT signature verification fails.  The
+response body <span class="bcp14">SHOULD</span> include a generic error indicator without
+revealing which specific verification step failed.  The receiving
+agent <span class="bcp14">MUST NOT</span> process the requested action when ECT verification
+fails.<a href="#section-7.1-4" class="pilcrow">¶</a></p>
 </section>
 </div>
 <div id="verification-pseudocode">
@@ -2666,7 +2771,7 @@ function verify_ect(ect_jws, verifier_id,
     return reject("ECT issued too long ago")
 
   // Verify required claims
-  for claim in ["tid", "exec_act", "par",
+  for claim in ["jti", "tid", "exec_act", "par",
                  "pol", "pol_decision"]:
     if claim not in payload:
       return reject("Missing required claim: " + claim)
@@ -2790,8 +2895,8 @@ examples demonstrate ECT mechanics; production deployments would
 include additional domain-specific requirements beyond the scope
 of this specification.<a href="#section-9-1" class="pilcrow">¶</a></p>
 <p id="section-9-2">Note: task identifiers in this section are abbreviated for
-readability.  In production, all "tid" values <span class="bcp14">MUST</span> be UUIDs per
-<span>[<a href="#RFC9562" class="cite xref">RFC9562</a>]</span>.<a href="#section-9-2" class="pilcrow">¶</a></p>
+readability.  In production, all "tid" values are required to be
+UUIDs per <a href="#exec-claims" class="auto internal xref">Section 4.2.2</a>.<a href="#section-9-2" class="pilcrow">¶</a></p>
 <div id="medical-device-sdlc-workflow">
 <section id="section-9.1">
         <h3 id="name-medical-device-sdlc-workflo">
@@ -2981,9 +3086,9 @@ a cryptographic link to the original task:<a href="#section-9.3-1" class="pilcro
           <div class="lang-json sourcecode" id="section-9.3-2.1">
 <pre>
 {
-  "iss": "spiffe://bank.com/agent/operations",
-  "sub": "spiffe://bank.com/agent/operations",
-  "aud": "spiffe://bank.com/system/ledger",
+  "iss": "spiffe://bank.example/agent/operations",
+  "sub": "spiffe://bank.example/agent/operations",
+  "aud": "spiffe://bank.example/system/ledger",
   "iat": 1772150550,
   "exp": 1772151150,
   "wid": "d3e4f5a6-b7c8-9012-def0-123456789012",
@@ -2992,7 +3097,7 @@ a cryptographic link to the original task:<a href="#section-9.3-1" class="pilcro
   "par": ["550e8400-e29b-41d4-a716-446655440003"],
   "pol": "compensation_policy_v1",
   "pol_decision": "approved",
-  "pol_enforcer": "spiffe://bank.com/human/compliance-officer",
+  "pol_enforcer": "spiffe://bank.example/human/compliance-officer",
   "compensation_required": true,
   "compensation_reason": "policy_violation_in_parent_trade"
 }
@@ -3012,7 +3117,7 @@ violation discovery to remediation.<a href="#section-9.3-3" class="pilcrow">¶</
         <h3 id="name-autonomous-logistics-coordi">
 <a href="#section-9.4" class="section-number selfRef">9.4. </a><a href="#name-autonomous-logistics-coordi" class="section-name selfRef">Autonomous Logistics Coordination</a>
         </h3>
-<p id="section-9.4-1">In a logistics workflow, multiple compliance checks must complete
+<p id="section-9.4-1">In a logistics workflow, multiple compliance checks complete
 before shipment commitment.  The DAG structure records that all
 required checks were completed:<a href="#section-9.4-1" class="pilcrow">¶</a></p>
 <span id="name-logistics-workflow-with-par"></span><div id="fig-logistics">
@@ -3179,9 +3284,9 @@ reject ECTs that are too old, even if not yet expired.<a href="#section-10.5-1"
 <p id="section-10.5-2">The DAG structure provides additional replay protection: an ECT
 referencing parent tasks that already have a recorded child task
 with the same action can be flagged as a potential replay.<a href="#section-10.5-2" class="pilcrow">¶</a></p>
-<p id="section-10.5-3">Implementations <span class="bcp14">SHOULD</span> maintain a cache of recently-seen "jti"
-values (when present) to detect replayed ECTs within the
-expiration window.<a href="#section-10.5-3" class="pilcrow">¶</a></p>
+<p id="section-10.5-3">Implementations <span class="bcp14">MUST</span> maintain a cache of recently-seen "jti"
+values to detect replayed ECTs within the expiration window.
+An ECT with a duplicate "jti" value <span class="bcp14">MUST</span> be rejected.<a href="#section-10.5-3" class="pilcrow">¶</a></p>
 </section>
 </div>
 <div id="man-in-the-middle-protection">
@@ -3678,6 +3783,120 @@ the "JSON Web Token Claims" registry maintained by IANA:<a href="#section-12.3-1
               <td class="text-center" rowspan="1" colspan="1">IETF</td>
               <td class="text-center" rowspan="1" colspan="1">
                 <a href="#compensation-claims" class="auto internal xref">Section 4.2.7</a>
+</td>
+            </tr>
+            <tr>
+              <td class="text-center" rowspan="1" colspan="1">ext</td>
+              <td class="text-left" rowspan="1" colspan="1">Extension Object</td>
+              <td class="text-center" rowspan="1" colspan="1">IETF</td>
+              <td class="text-center" rowspan="1" colspan="1">
+                <a href="#extension-claims" class="auto internal xref">Section 4.2.8</a>
+</td>
+            </tr>
+          </tbody>
+        </table>
+</div>
+</section>
+</div>
+<div id="pol-decision-registry">
+<section id="section-12.4">
+        <h3 id="name-ect-policy-decision-values-">
+<a href="#section-12.4" class="section-number selfRef">12.4. </a><a href="#name-ect-policy-decision-values-" class="section-name selfRef">ECT Policy Decision Values Registry</a>
+        </h3>
+<p id="section-12.4-1">This document establishes the "ECT Policy Decision Values"
+registry under the "JSON Web Token (JWT)" group.  Registration
+policy is Specification Required per <span>[<a href="#RFC8126" class="cite xref">RFC8126</a>]</span>.<a href="#section-12.4-1" class="pilcrow">¶</a></p>
+<p id="section-12.4-2">The initial contents of the registry are:<a href="#section-12.4-2" class="pilcrow">¶</a></p>
+<span id="name-ect-policy-decision-values"></span><div id="_table-pol-decision">
+<table class="center" id="table-2">
+          <caption>
+<a href="#table-2" class="selfRef">Table 2</a>:
+<a href="#name-ect-policy-decision-values" class="selfRef">ECT Policy Decision Values</a>
+          </caption>
+<thead>
+            <tr>
+              <th class="text-center" rowspan="1" colspan="1">Value</th>
+              <th class="text-left" rowspan="1" colspan="1">Description</th>
+              <th class="text-center" rowspan="1" colspan="1">Change Controller</th>
+              <th class="text-center" rowspan="1" colspan="1">Reference</th>
+            </tr>
+          </thead>
+          <tbody>
+            <tr>
+              <td class="text-center" rowspan="1" colspan="1">approved</td>
+              <td class="text-left" rowspan="1" colspan="1">Policy evaluation succeeded</td>
+              <td class="text-center" rowspan="1" colspan="1">IETF</td>
+              <td class="text-center" rowspan="1" colspan="1">
+                <a href="#policy-claims" class="auto internal xref">Section 4.2.3</a>
+</td>
+            </tr>
+            <tr>
+              <td class="text-center" rowspan="1" colspan="1">rejected</td>
+              <td class="text-left" rowspan="1" colspan="1">Policy evaluation failed</td>
+              <td class="text-center" rowspan="1" colspan="1">IETF</td>
+              <td class="text-center" rowspan="1" colspan="1">
+                <a href="#policy-claims" class="auto internal xref">Section 4.2.3</a>
+</td>
+            </tr>
+            <tr>
+              <td class="text-center" rowspan="1" colspan="1">pending_human_review</td>
+              <td class="text-left" rowspan="1" colspan="1">Awaiting human judgment</td>
+              <td class="text-center" rowspan="1" colspan="1">IETF</td>
+              <td class="text-center" rowspan="1" colspan="1">
+                <a href="#policy-claims" class="auto internal xref">Section 4.2.3</a>
+</td>
+            </tr>
+          </tbody>
+        </table>
+</div>
+</section>
+</div>
+<div id="regulated-domain-registry">
+<section id="section-12.5">
+        <h3 id="name-ect-regulated-domain-values">
+<a href="#section-12.5" class="section-number selfRef">12.5. </a><a href="#name-ect-regulated-domain-values" class="section-name selfRef">ECT Regulated Domain Values Registry</a>
+        </h3>
+<p id="section-12.5-1">This document establishes the "ECT Regulated Domain Values"
+registry under the "JSON Web Token (JWT)" group.  Registration
+policy is Specification Required per <span>[<a href="#RFC8126" class="cite xref">RFC8126</a>]</span>.<a href="#section-12.5-1" class="pilcrow">¶</a></p>
+<p id="section-12.5-2">The initial contents of the registry are:<a href="#section-12.5-2" class="pilcrow">¶</a></p>
+<span id="name-ect-regulated-domain-values-2"></span><div id="_table-regulated-domain">
+<table class="center" id="table-3">
+          <caption>
+<a href="#table-3" class="selfRef">Table 3</a>:
+<a href="#name-ect-regulated-domain-values-2" class="selfRef">ECT Regulated Domain Values</a>
+          </caption>
+<thead>
+            <tr>
+              <th class="text-center" rowspan="1" colspan="1">Value</th>
+              <th class="text-left" rowspan="1" colspan="1">Description</th>
+              <th class="text-center" rowspan="1" colspan="1">Change Controller</th>
+              <th class="text-center" rowspan="1" colspan="1">Reference</th>
+            </tr>
+          </thead>
+          <tbody>
+            <tr>
+              <td class="text-center" rowspan="1" colspan="1">medtech</td>
+              <td class="text-left" rowspan="1" colspan="1">Medical technology and devices</td>
+              <td class="text-center" rowspan="1" colspan="1">IETF</td>
+              <td class="text-center" rowspan="1" colspan="1">
+                <a href="#operational-claims" class="auto internal xref">Section 4.2.5</a>
+</td>
+            </tr>
+            <tr>
+              <td class="text-center" rowspan="1" colspan="1">finance</td>
+              <td class="text-left" rowspan="1" colspan="1">Financial services and trading</td>
+              <td class="text-center" rowspan="1" colspan="1">IETF</td>
+              <td class="text-center" rowspan="1" colspan="1">
+                <a href="#operational-claims" class="auto internal xref">Section 4.2.5</a>
+</td>
+            </tr>
+            <tr>
+              <td class="text-center" rowspan="1" colspan="1">military</td>
+              <td class="text-left" rowspan="1" colspan="1">Military and defense</td>
+              <td class="text-center" rowspan="1" colspan="1">IETF</td>
+              <td class="text-center" rowspan="1" colspan="1">
+                <a href="#operational-claims" class="auto internal xref">Section 4.2.5</a>
 </td>
             </tr>
           </tbody>
@@ -3710,14 +3929,14 @@ the "JSON Web Token Claims" registry maintained by IANA:<a href="#section-12.3-1
         <dd>
 <span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03" class="refDate">March 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc2119">https://www.rfc-editor.org/rfc/rfc2119</a>&gt;</span>. </dd>
 <dd class="break"></dd>
-<dt id="RFC3339">[RFC3339]</dt>
-        <dd>
-<span class="refAuthor">Klyne, G.</span> and <span class="refAuthor">C. Newman</span>, <span class="refTitle">"Date and Time on the Internet: Timestamps"</span>, <span class="seriesInfo">RFC 3339</span>, <span class="seriesInfo">DOI 10.17487/RFC3339</span>, <time datetime="2002-07" class="refDate">July 2002</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc3339">https://www.rfc-editor.org/rfc/rfc3339</a>&gt;</span>. </dd>
-<dd class="break"></dd>
 <dt id="RFC7515">[RFC7515]</dt>
         <dd>
 <span class="refAuthor">Jones, M.</span>, <span class="refAuthor">Bradley, J.</span>, and <span class="refAuthor">N. Sakimura</span>, <span class="refTitle">"JSON Web Signature (JWS)"</span>, <span class="seriesInfo">RFC 7515</span>, <span class="seriesInfo">DOI 10.17487/RFC7515</span>, <time datetime="2015-05" class="refDate">May 2015</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc7515">https://www.rfc-editor.org/rfc/rfc7515</a>&gt;</span>. </dd>
 <dd class="break"></dd>
+<dt id="RFC7517">[RFC7517]</dt>
+        <dd>
+<span class="refAuthor">Jones, M.</span>, <span class="refTitle">"JSON Web Key (JWK)"</span>, <span class="seriesInfo">RFC 7517</span>, <span class="seriesInfo">DOI 10.17487/RFC7517</span>, <time datetime="2015-05" class="refDate">May 2015</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc7517">https://www.rfc-editor.org/rfc/rfc7517</a>&gt;</span>. </dd>
+<dd class="break"></dd>
 <dt id="RFC7518">[RFC7518]</dt>
         <dd>
 <span class="refAuthor">Jones, M.</span>, <span class="refTitle">"JSON Web Algorithms (JWA)"</span>, <span class="seriesInfo">RFC 7518</span>, <span class="seriesInfo">DOI 10.17487/RFC7518</span>, <time datetime="2015-05" class="refDate">May 2015</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc7518">https://www.rfc-editor.org/rfc/rfc7518</a>&gt;</span>. </dd>
@@ -3726,6 +3945,10 @@ the "JSON Web Token Claims" registry maintained by IANA:<a href="#section-12.3-1
         <dd>
 <span class="refAuthor">Jones, M.</span>, <span class="refAuthor">Bradley, J.</span>, and <span class="refAuthor">N. Sakimura</span>, <span class="refTitle">"JSON Web Token (JWT)"</span>, <span class="seriesInfo">RFC 7519</span>, <span class="seriesInfo">DOI 10.17487/RFC7519</span>, <time datetime="2015-05" class="refDate">May 2015</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc7519">https://www.rfc-editor.org/rfc/rfc7519</a>&gt;</span>. </dd>
 <dd class="break"></dd>
+<dt id="RFC8126">[RFC8126]</dt>
+        <dd>
+<span class="refAuthor">Cotton, M.</span>, <span class="refAuthor">Leiba, B.</span>, and <span class="refAuthor">T. Narten</span>, <span class="refTitle">"Guidelines for Writing an IANA Considerations Section in RFCs"</span>, <span class="seriesInfo">BCP 26</span>, <span class="seriesInfo">RFC 8126</span>, <span class="seriesInfo">DOI 10.17487/RFC8126</span>, <time datetime="2017-06" class="refDate">June 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc8126">https://www.rfc-editor.org/rfc/rfc8126</a>&gt;</span>. </dd>
+<dd class="break"></dd>
 <dt id="RFC8174">[RFC8174]</dt>
         <dd>
 <span class="refAuthor">Leiba, B.</span>, <span class="refTitle">"Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 8174</span>, <span class="seriesInfo">DOI 10.17487/RFC8174</span>, <time datetime="2017-05" class="refDate">May 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc8174">https://www.rfc-editor.org/rfc/rfc8174</a>&gt;</span>. </dd>
@@ -3783,10 +4006,6 @@ the "JSON Web Token Claims" registry maintained by IANA:<a href="#section-12.3-1
         <dd>
 <span class="refAuthor">Rescorla, E.</span> and <span class="refAuthor">B. Korver</span>, <span class="refTitle">"Guidelines for Writing RFC Text on Security Considerations"</span>, <span class="seriesInfo">BCP 72</span>, <span class="seriesInfo">RFC 3552</span>, <span class="seriesInfo">DOI 10.17487/RFC3552</span>, <time datetime="2003-07" class="refDate">July 2003</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc3552">https://www.rfc-editor.org/rfc/rfc3552</a>&gt;</span>. </dd>
 <dd class="break"></dd>
-<dt id="RFC7517">[RFC7517]</dt>
-        <dd>
-<span class="refAuthor">Jones, M.</span>, <span class="refTitle">"JSON Web Key (JWK)"</span>, <span class="seriesInfo">RFC 7517</span>, <span class="seriesInfo">DOI 10.17487/RFC7517</span>, <time datetime="2015-05" class="refDate">May 2015</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc7517">https://www.rfc-editor.org/rfc/rfc7517</a>&gt;</span>. </dd>
-<dd class="break"></dd>
 <dt id="RFC8693">[RFC8693]</dt>
         <dd>
 <span class="refAuthor">Jones, M.</span>, <span class="refAuthor">Nadalin, A.</span>, <span class="refAuthor">Campbell, B., Ed.</span>, <span class="refAuthor">Bradley, J.</span>, and <span class="refAuthor">C. Mortimore</span>, <span class="refTitle">"OAuth 2.0 Token Exchange"</span>, <span class="seriesInfo">RFC 8693</span>, <span class="seriesInfo">DOI 10.17487/RFC8693</span>, <time datetime="2020-01" class="refDate">January 2020</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc8693">https://www.rfc-editor.org/rfc/rfc8693</a>&gt;</span>. </dd>
@@ -3917,11 +4136,12 @@ use cases are distinct.<a href="#appendix-A.6-1" class="pilcrow">¶</a></p>
         <h3 id="name-minimal-implementation">
 <a href="#name-minimal-implementation" class="section-name selfRef">Minimal Implementation</a>
         </h3>
-<p id="appendix-B.1-1">A minimal conforming implementation should:<a href="#appendix-B.1-1" class="pilcrow">¶</a></p>
+<p id="appendix-B.1-1">A minimal conforming implementation needs to:<a href="#appendix-B.1-1" class="pilcrow">¶</a></p>
 <ol start="1" type="1" class="normal type-1" id="appendix-B.1-2">
 <li id="appendix-B.1-2.1">
             <p id="appendix-B.1-2.1.1">Create JWTs with all required claims ("iss", "aud", "iat",
-"exp", "tid", "exec_act", "par", "pol", "pol_decision").<a href="#appendix-B.1-2.1.1" class="pilcrow">¶</a></p>
+"exp", "jti", "tid", "exec_act", "par", "pol",
+"pol_decision").<a href="#appendix-B.1-2.1.1" class="pilcrow">¶</a></p>
 </li>
           <li id="appendix-B.1-2.2">
             <p id="appendix-B.1-2.2.1">Sign ECTs with the agent's private key using an algorithm
@@ -3994,10 +4214,11 @@ latency.<a href="#appendix-B.3-1.4.1" class="pilcrow">¶</a></p>
         <h3 id="name-interoperability">
 <a href="#name-interoperability" class="section-name selfRef">Interoperability</a>
         </h3>
-<p id="appendix-B.4-1">Implementations should use established JWT/JWS libraries (JOSE)
-for token creation and verification.  Custom cryptographic
-implementations should not be used.  Implementations should be
-tested against multiple JWT libraries to ensure interoperability.<a href="#appendix-B.4-1" class="pilcrow">¶</a></p>
+<p id="appendix-B.4-1">Implementations are expected to use established JWT/JWS libraries
+(JOSE) for token creation and verification.  Custom cryptographic
+implementations are strongly discouraged.  Implementations are
+expected to be tested against multiple JWT libraries to ensure
+interoperability.<a href="#appendix-B.4-1" class="pilcrow">¶</a></p>
 </section>
 </div>
 </section>
@@ -4012,9 +4233,9 @@ compliance with various regulatory frameworks.  ECTs are a
 technical building block; achieving compliance requires
 additional organizational measures beyond this specification.<a href="#appendix-C-1" class="pilcrow">¶</a></p>
 <span id="name-regulatory-compliance-mappin"></span><div id="_table-regulatory">
-<table class="center" id="table-2">
+<table class="center" id="table-4">
         <caption>
-<a href="#table-2" class="selfRef">Table 2</a>:
+<a href="#table-4" class="selfRef">Table 4</a>:
 <a href="#name-regulatory-compliance-mappin" class="selfRef">Regulatory Compliance Mapping</a>
         </caption>
 <thead>
diff --git a/draft-nennemann-wimse-execution-context-00.md b/draft-nennemann-wimse-execution-context-00.md
index 2ce0549..5f54b70 100644
--- a/draft-nennemann-wimse-execution-context-00.md
+++ b/draft-nennemann-wimse-execution-context-00.md
@@ -8,6 +8,7 @@ number:
 date:
 v: 3
 area: "Security"
+workgroup: "WIMSE"
 keyword:
   - execution context
   - workload identity
@@ -23,9 +24,8 @@ author:
     email: ietf@nennemann.de
 
 normative:
-  RFC2119:
-  RFC8174:
   RFC7515:
+  RFC7517:
   RFC7519:
   RFC7518:
   RFC9562:
@@ -35,7 +35,6 @@ normative:
 
 informative:
   RFC3552:
-  RFC7517:
   RFC8693:
   RFC9421:
   I-D.ni-wimse-ai-agent-identity:
@@ -150,7 +149,7 @@ accountability.  WIMSE authenticates agents; this extension records
 what they did, in what order, and what policy was evaluated.
 
 As identified in {{I-D.ni-wimse-ai-agent-identity}}, call context
-in agentic workflows must always be visible and preserved.  ECTs
+in agentic workflows needs to be visible and preserved.  ECTs
 provide a mechanism to address this requirement with cryptographic
 assurances.
 
@@ -409,12 +408,39 @@ iss:
 
 sub:
 : OPTIONAL.  StringOrURI.  The subject of the ECT.  When present,
-  MUST equal the "iss" claim.
+  MUST equal the "iss" claim.  This claim is included for
+  compatibility with JWT libraries and frameworks that expect a
+  "sub" claim to be present.
 
 aud:
 : REQUIRED.  StringOrURI or array of StringOrURI.  The intended
-  recipient(s) of the ECT.  Typically the next agent in the
-  workflow or the ledger endpoint.
+  recipient(s) of the ECT.  Because ECTs serve as both inter-agent
+  messages and audit records, the "aud" claim SHOULD contain the
+  identifiers of all entities that will verify the ECT.  In
+  practice this means:
+
+  *  **Point-to-point delivery**: when an ECT is sent from one
+     agent to a single next agent, "aud" contains that agent's
+     workload identity.  The receiving agent verifies the ECT and
+     forwards it to the ledger on behalf of the issuer.
+
+  *  **Direct-to-ledger submission**: when an ECT is submitted
+     directly to the audit ledger (e.g., after a join or at
+     workflow completion), "aud" contains the ledger's identity.
+
+  *  **Multi-audience**: when an ECT must be verified by both the
+     next agent and the ledger independently, "aud" MUST be an
+     array containing both identifiers (e.g.,
+     \["spiffe://example.com/agent/next",
+     "spiffe://example.com/system/ledger"\]).  Each verifier checks
+     that its own identity appears in the array.
+
+  In multi-parent (join) scenarios where a task depends on ECTs
+  from multiple parent agents, the joining agent creates a new ECT
+  with the parent task IDs in "par".  The "aud" of this new ECT
+  is set according to the rules above based on where the ECT will
+  be delivered — it is independent of the "aud" values in the
+  parent ECTs.
 
 iat:
 : REQUIRED.  NumericDate.  The time at which the ECT was issued.
@@ -427,9 +453,16 @@ exp:
   to limit the replay window while allowing for reasonable clock
   skew and processing time.
 
+The standard JWT "nbf" (Not Before) claim is not used in ECTs
+because ECTs record completed actions and are valid immediately
+upon issuance.
+
 jti:
-: OPTIONAL.  String.  A unique identifier for the ECT, useful for
-  additional replay detection.
+: REQUIRED.  String.  A unique identifier for the ECT in UUID
+  format {{RFC9562}}.  Used for replay detection: receivers MUST
+  reject ECTs whose "jti" has already been seen within the
+  expiration window.  The "jti" value MUST be unique across all
+  ECTs issued by the same agent.
 
 ### Execution Context Claims {#exec-claims}
 
@@ -474,7 +507,26 @@ pol:
 
 pol_decision:
 : REQUIRED.  String.  The result of the policy evaluation.  MUST
-  be one of: "approved", "rejected", or "pending_human_review".
+  be one of the values registered in the ECT Policy Decision
+  Values registry ({{pol-decision-registry}}).  Initial values
+  are:
+
+  *  "approved": The policy evaluation succeeded and the task
+     was authorized to proceed.
+
+  *  "rejected": The policy evaluation failed.  A "rejected" ECT
+     MUST still be appended to the audit ledger for accountability.
+     An ECT with "pol_decision" of "rejected" MAY appear as a
+     parent in the "par" array of a subsequent ECT, but only for
+     compensation, rollback, or remediation tasks.  Agents MUST
+     NOT proceed with normal workflow execution based on a parent
+     ECT whose "pol_decision" is "rejected".
+
+  *  "pending_human_review": The policy evaluation requires human
+     judgment before proceeding.  Agents MUST NOT proceed with
+     dependent tasks until a subsequent ECT from a human reviewer
+     records an "approved" decision referencing this task as a
+     parent.
 
 pol_enforcer:
 : OPTIONAL.  StringOrURI.  The identity of the entity (system or
@@ -495,12 +547,17 @@ inp_hash:
 : OPTIONAL.  String.  A cryptographic hash of the input data,
   formatted as "hash-algorithm:base64url-encoded-hash" (e.g.,
   "sha-256:n4bQgYhMfWWaL-qgxVrQFaO\_TxsrC4Is0V1sFbDwCgg").  The
-  hash algorithm identifier SHOULD be "sha-256".  The hash MUST be
+  hash algorithm identifier MUST be a lowercase value from the
+  IANA Named Information Hash Algorithm Registry (e.g., "sha-256",
+  "sha-384", "sha-512").  Implementations MUST support "sha-256"
+  and SHOULD use "sha-256" unless a stronger algorithm is
+  required.  Implementations MUST NOT accept hash algorithms
+  weaker than SHA-256 (e.g., MD5, SHA-1).  The hash MUST be
   computed over the raw octets of the input data.
 
 out_hash:
 : OPTIONAL.  String.  A cryptographic hash of the output data,
-  using the same format as "inp_hash".
+  using the same format and algorithm requirements as "inp_hash".
 
 inp_classification:
 : OPTIONAL.  String.  The data sensitivity classification of the
@@ -516,8 +573,8 @@ exec_time_ms:
 
 regulated_domain:
 : OPTIONAL.  String.  The regulatory domain applicable to this
-  task.  Values are drawn from an extensible set; initial values
-  include "medtech", "finance", and "military".
+  task.  Values MUST be registered in the ECT Regulated Domain
+  Values registry ({{regulated-domain-registry}}).
 
 model_version:
 : OPTIONAL.  String.  The version identifier of the AI or ML model
@@ -527,11 +584,17 @@ model_version:
 
 witnessed_by:
 : OPTIONAL.  Array of StringOrURI.  Identifiers of third-party
-  entities that observed or attested to the execution of this
-  task.  When present, each element SHOULD use SPIFFE ID format.
-  In regulated environments, implementations SHOULD use witness
-  attestation for critical decision points to mitigate the risk
-  of single-agent false claims.
+  entities that the issuing agent claims observed or attested to
+  the execution of this task.  When present, each element SHOULD
+  use SPIFFE ID format.  Note that this claim is self-asserted by
+  the ECT issuer; witnesses listed here do not co-sign this ECT.
+  For stronger assurance, witnesses SHOULD submit independent
+  signed ECTs to the ledger attesting to their observation (see
+  {{witness-attestation-model}}).  In regulated environments,
+  implementations SHOULD use witness attestation for critical
+  decision points to mitigate the risk of single-agent false
+  claims.  See also {{self-assertion-limitation}} for the security
+  implications of self-asserted witness claims.
 
 ### Compensation Claims {#compensation-claims}
 
@@ -542,6 +605,12 @@ compensation_required:
 compensation_reason:
 : OPTIONAL.  String.  A human-readable reason for the compensation
   action.  MUST be present if "compensation_required" is true.
+  Values SHOULD use structured identifiers (e.g.,
+  "policy_violation_in_parent_trade") rather than free-form text
+  to minimize the risk of embedding sensitive information.  See
+  {{data-minimization}} for privacy guidance.
+  If "compensation_reason" is present, "compensation_required"
+  MUST be true.
 
 Note: compensation ECTs reference historical parent tasks via the
 "par" claim.  The referenced parent ECTs may have passed their own
@@ -554,14 +623,17 @@ ledger.
 ext:
 : OPTIONAL.  Object.  An extension object for domain-specific
   claims not defined by this specification.  Implementations
-  that do not understand extension claims SHOULD ignore them.
-  To avoid key collisions between different domains, extension
-  key names SHOULD use reverse domain notation (e.g.,
-  "com.example.custom_field").
+  that do not understand extension claims MUST ignore them.
 
-The "ext" claim is a generic extension mechanism; it is not
-registered in the IANA JWT Claims registry because its semantics
-depend on the domain-specific claims within it.
+To avoid key collisions between different domains, extension
+key names MUST use reverse domain notation (e.g.,
+"com.example.custom_field").  Implementations MUST NOT use
+unqualified key names within the "ext" object.  To prevent
+abuse and excessive token size, the serialized JSON
+representation of the "ext" object SHOULD NOT exceed 4096
+bytes, and the JSON nesting depth within the "ext" object
+SHOULD NOT exceed 5 levels.  Implementations SHOULD reject
+ECTs whose "ext" claim exceeds these limits.
 
 ## Complete ECT Example
 
@@ -574,6 +646,7 @@ The following is a complete ECT payload example:
   "aud": "spiffe://example.com/agent/safety",
   "iat": 1772064150,
   "exp": 1772064750,
+  "jti": "7f3a8b2c-d1e4-4f56-9a0b-c3d4e5f6a7b8",
 
   "wid": "a0b1c2d3-e4f5-6789-abcd-ef0123456789",
   "tid": "550e8400-e29b-41d4-a716-446655440001",
@@ -627,6 +700,14 @@ When multiple parent tasks contribute context to a single request,
 multiple Execution-Context header field lines MAY be included, each
 carrying a separate ECT in JWS Compact Serialization format.
 
+When a receiver processes multiple Execution-Context headers, it
+MUST individually verify each ECT per the procedure in
+{{verification}}.  If any single ECT fails verification, the
+receiver MUST reject the entire request.  The set of verified
+parent task IDs across all received ECTs represents the complete
+set of parent dependencies available for the receiving agent's
+subsequent ECT.
+
 # DAG Validation {#dag-validation}
 
 ## Overview
@@ -653,17 +734,30 @@ the following DAG validation steps:
     recorded in the ledger.  If any parent task is not found, the
     ECT MUST be rejected.
 
-3.  Temporal Ordering: The "iat" value of every parent task MUST be
-    less than the "iat" value of the current task plus a
+3.  Temporal Ordering: The "iat" value of every parent task MUST
+    NOT be greater than the "iat" value of the current task plus a
     configurable clock skew tolerance (RECOMMENDED: 30 seconds).
-    If any parent task has an "iat" that violates this constraint,
-    the ECT MUST be rejected.
+    That is, for each parent: `parent.iat < child.iat +
+    clock_skew_tolerance`.  The tolerance accounts for clock skew
+    between agents; it does not guarantee strict causal ordering
+    from timestamps alone.  Causal ordering is primarily enforced
+    by the DAG structure (parent existence in the ledger), not by
+    timestamps.  If any parent task violates this constraint, the
+    ECT MUST be rejected.
 
 4.  Acyclicity: Following the chain of parent references MUST NOT
     lead back to the current task's "tid".  If a cycle is detected,
     the ECT MUST be rejected.
 
-5.  Trust Domain Consistency: Parent tasks SHOULD belong to the
+5.  Parent Policy Decision: If any parent task has a "pol_decision"
+    of "rejected" or "pending_human_review", the current task's
+    "exec_act" MUST indicate a compensation, rollback, remediation,
+    or human review action.  Implementations MUST NOT accept an ECT
+    representing normal workflow continuation when a parent's
+    "pol_decision" is not "approved", unless the current ECT has
+    "compensation_required" set to true.
+
+6.  Trust Domain Consistency: Parent tasks SHOULD belong to the
     same trust domain or to a trust domain with which a federation
     relationship has been established.
 
@@ -685,14 +779,19 @@ function validate_dag(ect, ledger, clock_skew_tolerance):
     if parent.iat >= ect.iat + clock_skew_tolerance:
       return error("Parent task not earlier than current")
 
-  // Step 3: Cycle detection
+  // Step 3: Cycle detection (with traversal limit)
   visited = set()
-  if has_cycle(ect.tid, ect.par, ledger, visited):
-    return error("Circular dependency detected")
+  result = has_cycle(ect.tid, ect.par, ledger, visited,
+                      max_ancestor_limit)
+  if result is error or result is true:
+    return error("Circular dependency or depth limit exceeded")
 
   return success
 
-function has_cycle(target_tid, parent_ids, ledger, visited):
+function has_cycle(target_tid, parent_ids, ledger, visited,
+                   max_depth):
+  if visited.size() >= max_depth:
+    return error("Maximum ancestor traversal limit exceeded")
   for parent_id in parent_ids:
     if parent_id == target_tid:
       return true
@@ -701,8 +800,10 @@ function has_cycle(target_tid, parent_ids, ledger, visited):
     visited.add(parent_id)
     parent = ledger.get(parent_id)
     if parent is not null:
-      if has_cycle(target_tid, parent.par, ledger, visited):
-        return true
+      result = has_cycle(target_tid, parent.par, ledger,
+                          visited, max_depth)
+      if result is error or result is true:
+        return result
   return false
 ~~~
 {: #fig-dag-validation title="DAG Validation Pseudocode"}
@@ -711,7 +812,11 @@ The cycle detection traverses the ancestor graph rooted at the
 current task's parents.  The complexity is O(V) where V is the
 number of ancestor nodes reachable from the current task's parent
 references.  For typical workflows with shallow DAGs, this is
-efficient.  Implementations SHOULD cache cycle detection results
+efficient.  To prevent denial-of-service via extremely deep or
+wide DAGs, implementations SHOULD enforce a maximum ancestor
+traversal limit (RECOMMENDED: 10000 nodes).  If the limit is
+reached before cycle detection completes, the ECT SHOULD be
+rejected.  Implementations SHOULD cache cycle detection results
 for previously verified tasks to avoid redundant traversals.
 
 # Signature and Token Verification {#verification}
@@ -735,30 +840,42 @@ verification steps in order:
 5.  Retrieve the public key identified by "kid" and verify the JWS
     signature per {{RFC7515}} Section 5.2.
 
-6.  Verify the "alg" header parameter matches the algorithm in the
+6.  Verify that the signing key identified by "kid" has not been
+    revoked within the trust domain.  Implementations MUST check
+    the key's revocation status using the trust domain's key
+    lifecycle mechanism (e.g., certificate revocation list, OCSP,
+    or SPIFFE trust bundle updates).
+
+7.  Verify the "alg" header parameter matches the algorithm in the
     corresponding WIT.
 
-7.  Verify the "iss" claim matches the "sub" claim of the WIT
+8.  Verify the "iss" claim matches the "sub" claim of the WIT
     associated with the "kid" public key.
 
-8.  Verify the "aud" claim contains the verifier's own workload
-    identity or an expected recipient identifier.
+9.  Verify the "aud" claim contains the verifier's own workload
+    identity.  When "aud" is an array, it is sufficient that the
+    verifier's identity appears as one element; the presence of
+    other audience values does not cause verification failure.
+    When the verifier is the audit ledger, the ledger's own
+    identity MUST appear in "aud".
 
-9.  Verify the "exp" claim indicates the ECT has not expired.
+10. Verify the "exp" claim indicates the ECT has not expired.
 
-10. Verify the "iat" claim is not unreasonably far in the past
+11. Verify the "iat" claim is not unreasonably far in the past
     (implementation-specific threshold, RECOMMENDED maximum of
-    15 minutes).
+    15 minutes) and is not unreasonably far in the future
+    (RECOMMENDED: no more than 30 seconds ahead of the
+    verifier's current time, to account for clock skew).
 
-11. Verify all required claims ("tid", "exec_act", "par", "pol",
-    "pol_decision") are present and well-formed.
+12. Verify all required claims ("jti", "tid", "exec_act", "par",
+    "pol", "pol_decision") are present and well-formed.
 
-12. Verify "pol_decision" is one of "approved", "rejected", or
+13. Verify "pol_decision" is one of "approved", "rejected", or
     "pending_human_review".
 
-13. Perform DAG validation per {{dag-validation}}.
+14. Perform DAG validation per {{dag-validation}}.
 
-14. If all checks pass, the ECT MUST be appended to the audit
+15. If all checks pass, the ECT MUST be appended to the audit
     ledger.
 
 If any verification step fails, the ECT MUST be rejected and the
@@ -766,6 +883,15 @@ failure MUST be logged for audit purposes.  Error messages
 SHOULD NOT reveal whether specific parent task IDs exist in the
 ledger, to prevent information disclosure.
 
+When ECT verification fails during HTTP request processing, the
+receiving agent SHOULD respond with HTTP 403 (Forbidden) if the
+WIT and WPT are valid but the ECT is invalid, and HTTP 401
+(Unauthorized) if the ECT signature verification fails.  The
+response body SHOULD include a generic error indicator without
+revealing which specific verification step failed.  The receiving
+agent MUST NOT process the requested action when ECT verification
+fails.
+
 ## Verification Pseudocode
 
 ~~~ pseudocode
@@ -791,6 +917,10 @@ function verify_ect(ect_jws, verifier_id,
                                signature, public_key):
     return reject("Invalid signature")
 
+  // Verify key not revoked
+  if is_key_revoked(header.kid, trust_domain_keys):
+    return reject("Signing key has been revoked")
+
   // Verify algorithm alignment
   wit = get_wit_for_key(header.kid)
   if header.alg != wit.alg:
@@ -808,12 +938,14 @@ function verify_ect(ect_jws, verifier_id,
   if payload.exp < current_time():
     return reject("ECT has expired")
 
-  // Verify iat freshness
+  // Verify iat freshness (not too old, not in the future)
   if payload.iat < current_time() - max_age_threshold:
     return reject("ECT issued too long ago")
+  if payload.iat > current_time() + clock_skew_tolerance:
+    return reject("ECT issued in the future")
 
   // Verify required claims
-  for claim in ["tid", "exec_act", "par",
+  for claim in ["jti", "tid", "exec_act", "par",
                  "pol", "pol_decision"]:
     if claim not in payload:
       return reject("Missing required claim: " + claim)
@@ -890,7 +1022,10 @@ The "ect_jws" field contains the full JWS Compact Serialization
 and is the authoritative record.  The other fields ("agent_id",
 "action", "parents") are convenience indexes derived from the
 ECT payload; if they disagree with the JWS payload, the JWS
-payload takes precedence.
+payload takes precedence.  Implementations SHOULD validate that
+convenience index fields match the corresponding values in the
+JWS payload at write time to prevent desynchronization between
+the authoritative JWS and the indexed fields.
 
 # Use Cases {#use-cases}
 
@@ -901,8 +1036,8 @@ include additional domain-specific requirements beyond the scope
 of this specification.
 
 Note: task identifiers in this section are abbreviated for
-readability.  In production, all "tid" values MUST be UUIDs per
-{{RFC9562}}.
+readability.  In production, all "tid" values are required to be
+UUIDs per {{exec-claims}}.
 
 ## Medical Device SDLC Workflow
 
@@ -1059,7 +1194,7 @@ violation discovery to remediation.
 
 ## Autonomous Logistics Coordination
 
-In a logistics workflow, multiple compliance checks must complete
+In a logistics workflow, multiple compliance checks complete
 before shipment commitment.  The DAG structure records that all
 required checks were completed:
 
@@ -1113,7 +1248,7 @@ The following threat actors are considered:
 - Time manipulator: An entity attempting to manipulate timestamps
   to alter perceived execution ordering.
 
-## Self-Assertion Limitation
+## Self-Assertion Limitation {#self-assertion-limitation}
 
 ECTs are self-asserted by the executing agent.  The agent claims
 what it did, and this claim is signed with its private key.  A
@@ -1132,7 +1267,38 @@ The trustworthiness of ECT claims depends on the trustworthiness
 of the signing agent.  To mitigate single-agent false claims,
 regulated environments SHOULD use the "witnessed_by" mechanism
 to include independent third-party observers at critical decision
-points.
+points.  However, the "witnessed_by" claim is self-asserted by
+the ECT issuer: the listed witnesses do not co-sign the ECT and
+there is no cryptographic proof within a single ECT that the
+witnesses actually observed the task.  An issuing agent could
+list witnesses that did not participate.
+
+### Witness Attestation Model {#witness-attestation-model}
+
+To address the self-assertion limitation of the "witnessed_by"
+claim, witnesses SHOULD submit their own independent signed ECTs
+to the audit ledger attesting to the observed task.  A witness
+attestation ECT:
+
+- MUST set "iss" to the witness's own workload identity.
+- MUST set "exec_act" to "witness_attestation" (or a domain-
+  specific equivalent).
+- MUST include the observed task's "tid" in the "par" array,
+  linking the attestation to the original task.
+- MUST set "pol_decision" to "approved" to indicate the witness
+  confirms the observation.
+
+When a task's "witnessed_by" claim lists one or more witnesses,
+auditors SHOULD verify that corresponding witness attestation
+ECTs exist in the ledger for each listed witness.  A mismatch
+between the "witnessed_by" list and the set of independent witness
+ECTs in the ledger SHOULD be flagged during audit review.
+
+This model converts witness attestation from a self-asserted claim
+to a cryptographically verifiable property of the ledger: the
+witness independently signs their own ECT using their own key,
+and the ledger records both the original task ECT and the witness
+attestation ECTs.
 
 ## Organizational Prerequisites
 
@@ -1156,10 +1322,12 @@ ECTs MUST be signed with the agent's private key using JWS
 specified in the agent's WIT.  Receivers MUST verify the ECT
 signature against the WIT public key before processing any
 claims.  Receivers MUST verify that the signing key has not been
-revoked within the trust domain.
+revoked within the trust domain (see step 6 in
+{{verification}}).
 
-If signature verification fails, the ECT MUST be rejected entirely
-and the failure MUST be logged.
+If signature verification fails or if the signing key has been
+revoked, the ECT MUST be rejected entirely and the failure MUST
+be logged.
 
 Implementations MUST use established JWS libraries and MUST NOT
 implement custom signature verification.
@@ -1176,9 +1344,9 @@ The DAG structure provides additional replay protection: an ECT
 referencing parent tasks that already have a recorded child task
 with the same action can be flagged as a potential replay.
 
-Implementations SHOULD maintain a cache of recently-seen "jti"
-values (when present) to detect replayed ECTs within the
-expiration window.
+Implementations MUST maintain a cache of recently-seen "jti"
+values to detect replayed ECTs within the expiration window.
+An ECT with a duplicate "jti" value MUST be rejected.
 
 ## Man-in-the-Middle Protection
 
@@ -1254,6 +1422,12 @@ judgments.  Implementations SHOULD use synchronized time sources
 (e.g., NTP) and SHOULD allow a configurable clock skew tolerance
 (RECOMMENDED: 30 seconds).
 
+Cross-organizational deployments where agents span multiple trust
+domains with independent time sources MAY require a higher clock
+skew tolerance.  Deployments using trust domain federation SHOULD
+document their configured clock skew tolerance value and SHOULD
+ensure all participating trust domains agree on a common tolerance.
+
 The temporal ordering check in DAG validation incorporates the
 clock skew tolerance to account for minor clock differences
 between agents.
@@ -1262,8 +1436,11 @@ between agents.
 
 ECTs with many parent tasks or large extension objects can
 increase HTTP header size.  Implementations SHOULD limit the "par"
-array to a reasonable size and SHOULD set maximum size limits for
-the "ext" object to prevent abuse.
+array to a maximum of 256 entries.  Workflows requiring more
+parent references SHOULD introduce intermediate aggregation
+tasks.  The "ext" object SHOULD NOT exceed 4096 bytes when
+serialized as JSON and SHOULD NOT exceed a nesting depth of
+5 levels (see also {{extension-claims}}).
 
 # Privacy Considerations
 
@@ -1285,7 +1462,7 @@ ECTs are designed to NOT reveal:
 - Proprietary algorithms or intellectual property
 - Personally identifiable information (PII)
 
-## Data Minimization
+## Data Minimization {#data-minimization}
 
 Implementations SHOULD minimize the information included in ECTs.
 The "exec_act" claim SHOULD use structured identifiers (e.g.,
@@ -1293,6 +1470,16 @@ The "exec_act" claim SHOULD use structured identifiers (e.g.,
 The "pol" claim SHOULD reference policy identifiers rather than
 embedding policy content.
 
+The "compensation_reason" claim ({{compensation-claims}})
+deserves particular attention: because it is human-readable and
+may describe the circumstances of a failure or policy violation,
+it risks exposing sensitive operational details.  Implementations
+SHOULD use short, structured reason codes (e.g.,
+"policy_violation_in_parent_trade") rather than free-form
+natural language explanations.  Implementers SHOULD review
+"compensation_reason" values for potential information leakage
+before deploying to production.
+
 ## Storage and Access Control
 
 ECTs stored in audit ledgers SHOULD be access-controlled so that
@@ -1408,8 +1595,39 @@ the "JSON Web Token Claims" registry maintained by IANA:
 | model_version | AI/ML Model Version | IETF | {{operational-claims}} |
 | compensation_required | Compensation Flag | IETF | {{compensation-claims}} |
 | compensation_reason | Compensation Reason | IETF | {{compensation-claims}} |
+| ext | Extension Object | IETF | {{extension-claims}} |
 {: #table-claims title="JWT Claims Registrations"}
 
+## ECT Policy Decision Values Registry {#pol-decision-registry}
+
+This document establishes the "ECT Policy Decision Values"
+registry under the "JSON Web Token (JWT)" group.  Registration
+policy is Specification Required per {{!RFC8126}}.
+
+The initial contents of the registry are:
+
+| Value | Description | Change Controller | Reference |
+|:---:|:---|:---:|:---:|
+| approved | Policy evaluation succeeded | IETF | {{policy-claims}} |
+| rejected | Policy evaluation failed | IETF | {{policy-claims}} |
+| pending_human_review | Awaiting human judgment | IETF | {{policy-claims}} |
+{: #table-pol-decision title="ECT Policy Decision Values"}
+
+## ECT Regulated Domain Values Registry {#regulated-domain-registry}
+
+This document establishes the "ECT Regulated Domain Values"
+registry under the "JSON Web Token (JWT)" group.  Registration
+policy is Specification Required per {{!RFC8126}}.
+
+The initial contents of the registry are:
+
+| Value | Description | Change Controller | Reference |
+|:---:|:---|:---:|:---:|
+| medtech | Medical technology and devices | IETF | {{operational-claims}} |
+| finance | Financial services and trading | IETF | {{operational-claims}} |
+| military | Military and defense | IETF | {{operational-claims}} |
+{: #table-regulated-domain title="ECT Regulated Domain Values"}
+
 --- back
 
 # Related Work
@@ -1499,10 +1717,11 @@ use cases are distinct.
 ## Minimal Implementation
 {:numbered="false"}
 
-A minimal conforming implementation should:
+A minimal conforming implementation needs to:
 
 1.  Create JWTs with all required claims ("iss", "aud", "iat",
-    "exp", "tid", "exec_act", "par", "pol", "pol_decision").
+    "exp", "jti", "tid", "exec_act", "par", "pol",
+    "pol_decision").
 2.  Sign ECTs with the agent's private key using an algorithm
     matching the WIT (ES256 recommended).
 3.  Verify ECT signatures against WIT public keys.
@@ -1536,10 +1755,11 @@ A minimal conforming implementation should:
 ## Interoperability
 {:numbered="false"}
 
-Implementations should use established JWT/JWS libraries (JOSE)
-for token creation and verification.  Custom cryptographic
-implementations should not be used.  Implementations should be
-tested against multiple JWT libraries to ensure interoperability.
+Implementations are expected to use established JWT/JWS libraries
+(JOSE) for token creation and verification.  Custom cryptographic
+implementations are strongly discouraged.  Implementations are
+expected to be tested against multiple JWT libraries to ensure
+interoperability.
 
 # Regulatory Compliance Mapping
 {:numbered="false"}
diff --git a/draft-nennemann-wimse-execution-context-00.txt b/draft-nennemann-wimse-execution-context-00.txt
index d6d52f6..d4a5926 100644
--- a/draft-nennemann-wimse-execution-context-00.txt
+++ b/draft-nennemann-wimse-execution-context-00.txt
@@ -2,7 +2,7 @@
 
 
 
-Network Working Group                                       C. Nennemann
+WIMSE                                                       C. Nennemann
 Internet-Draft                                    Independent Researcher
 Intended status: Standards Track                        24 February 2026
 Expires: 28 August 2026
@@ -88,24 +88,24 @@ Table of Contents
      4.1.  JOSE Header . . . . . . . . . . . . . . . . . . . . . . .   9
      4.2.  JWT Claims  . . . . . . . . . . . . . . . . . . . . . . .  10
        4.2.1.  WIMSE-Compatible Claims . . . . . . . . . . . . . . .  10
-       4.2.2.  Execution Context Claims  . . . . . . . . . . . . . .  10
-       4.2.3.  Policy Claims . . . . . . . . . . . . . . . . . . . .  11
-       4.2.4.  Data Integrity Claims . . . . . . . . . . . . . . . .  11
-       4.2.5.  Operational Claims  . . . . . . . . . . . . . . . . .  12
-       4.2.6.  Witness Claims  . . . . . . . . . . . . . . . . . . .  12
-       4.2.7.  Compensation Claims . . . . . . . . . . . . . . . . .  12
-       4.2.8.  Extension Claims  . . . . . . . . . . . . . . . . . .  12
-     4.3.  Complete ECT Example  . . . . . . . . . . . . . . . . . .  13
-   5.  HTTP Header Transport . . . . . . . . . . . . . . . . . . . .  13
-     5.1.  Execution-Context Header Field  . . . . . . . . . . . . .  13
-   6.  DAG Validation  . . . . . . . . . . . . . . . . . . . . . . .  14
-     6.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .  14
-     6.2.  Validation Rules  . . . . . . . . . . . . . . . . . . . .  14
-     6.3.  DAG Validation Algorithm  . . . . . . . . . . . . . . . .  15
-   7.  Signature and Token Verification  . . . . . . . . . . . . . .  16
-     7.1.  Verification Procedure  . . . . . . . . . . . . . . . . .  16
-     7.2.  Verification Pseudocode . . . . . . . . . . . . . . . . .  17
-   8.  Audit Ledger Interface  . . . . . . . . . . . . . . . . . . .  19
+       4.2.2.  Execution Context Claims  . . . . . . . . . . . . . .  11
+       4.2.3.  Policy Claims . . . . . . . . . . . . . . . . . . . .  12
+       4.2.4.  Data Integrity Claims . . . . . . . . . . . . . . . .  12
+       4.2.5.  Operational Claims  . . . . . . . . . . . . . . . . .  13
+       4.2.6.  Witness Claims  . . . . . . . . . . . . . . . . . . .  13
+       4.2.7.  Compensation Claims . . . . . . . . . . . . . . . . .  14
+       4.2.8.  Extension Claims  . . . . . . . . . . . . . . . . . .  14
+     4.3.  Complete ECT Example  . . . . . . . . . . . . . . . . . .  14
+   5.  HTTP Header Transport . . . . . . . . . . . . . . . . . . . .  15
+     5.1.  Execution-Context Header Field  . . . . . . . . . . . . .  15
+   6.  DAG Validation  . . . . . . . . . . . . . . . . . . . . . . .  16
+     6.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .  16
+     6.2.  Validation Rules  . . . . . . . . . . . . . . . . . . . .  16
+     6.3.  DAG Validation Algorithm  . . . . . . . . . . . . . . . .  17
+   7.  Signature and Token Verification  . . . . . . . . . . . . . .  19
+     7.1.  Verification Procedure  . . . . . . . . . . . . . . . . .  19
+     7.2.  Verification Pseudocode . . . . . . . . . . . . . . . . .  20
+   8.  Audit Ledger Interface  . . . . . . . . . . . . . . . . . . .  22
 
 
 
@@ -114,54 +114,54 @@ Nennemann                Expires 28 August 2026                 [Page 2]
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
-     8.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .  19
-     8.2.  Required Properties . . . . . . . . . . . . . . . . . . .  19
-     8.3.  Ledger Entry Structure  . . . . . . . . . . . . . . . . .  20
-   9.  Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . .  20
-     9.1.  Medical Device SDLC Workflow  . . . . . . . . . . . . . .  20
-       9.1.1.  FDA Audit with DAG Reconstruction . . . . . . . . . .  21
-     9.2.  Financial Trading Workflow  . . . . . . . . . . . . . . .  22
-     9.3.  Compensation and Rollback . . . . . . . . . . . . . . . .  23
-     9.4.  Autonomous Logistics Coordination . . . . . . . . . . . .  24
-   10. Security Considerations . . . . . . . . . . . . . . . . . . .  25
-     10.1.  Threat Model . . . . . . . . . . . . . . . . . . . . . .  25
-     10.2.  Self-Assertion Limitation  . . . . . . . . . . . . . . .  26
-     10.3.  Organizational Prerequisites . . . . . . . . . . . . . .  26
-     10.4.  Signature Verification . . . . . . . . . . . . . . . . .  27
-     10.5.  Replay Attack Prevention . . . . . . . . . . . . . . . .  27
-     10.6.  Man-in-the-Middle Protection . . . . . . . . . . . . . .  27
-     10.7.  Key Compromise . . . . . . . . . . . . . . . . . . . . .  28
-     10.8.  Collusion and False Claims . . . . . . . . . . . . . . .  28
-     10.9.  Denial of Service  . . . . . . . . . . . . . . . . . . .  29
-     10.10. Timestamp Accuracy . . . . . . . . . . . . . . . . . . .  29
-     10.11. ECT Size Constraints . . . . . . . . . . . . . . . . . .  29
-   11. Privacy Considerations  . . . . . . . . . . . . . . . . . . .  29
-     11.1.  Data Exposure in ECTs  . . . . . . . . . . . . . . . . .  29
-     11.2.  Data Minimization  . . . . . . . . . . . . . . . . . . .  30
-     11.3.  Storage and Access Control . . . . . . . . . . . . . . .  30
-     11.4.  Regulatory Access  . . . . . . . . . . . . . . . . . . .  30
-   12. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  30
-     12.1.  Media Type Registration  . . . . . . . . . . . . . . . .  30
-     12.2.  HTTP Header Field Registration . . . . . . . . . . . . .  31
-     12.3.  JWT Claims Registration  . . . . . . . . . . . . . . . .  31
-   13. References  . . . . . . . . . . . . . . . . . . . . . . . . .  33
-     13.1.  Normative References . . . . . . . . . . . . . . . . . .  33
-     13.2.  Informative References . . . . . . . . . . . . . . . . .  34
-   Related Work  . . . . . . . . . . . . . . . . . . . . . . . . . .  35
-     WIMSE Workload Identity . . . . . . . . . . . . . . . . . . . .  36
-     OAuth 2.0 Token Exchange  . . . . . . . . . . . . . . . . . . .  36
-     Distributed Tracing (OpenTelemetry) . . . . . . . . . . . . . .  36
-     Blockchain and Distributed Ledgers  . . . . . . . . . . . . . .  36
-     SCITT (Supply Chain Integrity, Transparency, and Trust) . . . .  37
-     W3C Verifiable Credentials  . . . . . . . . . . . . . . . . . .  37
-   Implementation Guidance . . . . . . . . . . . . . . . . . . . . .  37
-     Minimal Implementation  . . . . . . . . . . . . . . . . . . . .  37
-     Storage Recommendations . . . . . . . . . . . . . . . . . . . .  38
-     Performance Considerations  . . . . . . . . . . . . . . . . . .  38
-     Interoperability  . . . . . . . . . . . . . . . . . . . . . . .  38
-   Regulatory Compliance Mapping . . . . . . . . . . . . . . . . . .  38
-   Examples  . . . . . . . . . . . . . . . . . . . . . . . . . . . .  39
-     Example 1: Simple Two-Agent Workflow  . . . . . . . . . . . . .  39
+     8.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .  22
+     8.2.  Required Properties . . . . . . . . . . . . . . . . . . .  22
+     8.3.  Ledger Entry Structure  . . . . . . . . . . . . . . . . .  22
+   9.  Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . .  23
+     9.1.  Medical Device SDLC Workflow  . . . . . . . . . . . . . .  23
+       9.1.1.  FDA Audit with DAG Reconstruction . . . . . . . . . .  24
+     9.2.  Financial Trading Workflow  . . . . . . . . . . . . . . .  25
+     9.3.  Compensation and Rollback . . . . . . . . . . . . . . . .  26
+     9.4.  Autonomous Logistics Coordination . . . . . . . . . . . .  27
+   10. Security Considerations . . . . . . . . . . . . . . . . . . .  28
+     10.1.  Threat Model . . . . . . . . . . . . . . . . . . . . . .  28
+     10.2.  Self-Assertion Limitation  . . . . . . . . . . . . . . .  29
+       10.2.1.  Witness Attestation Model  . . . . . . . . . . . . .  29
+     10.3.  Organizational Prerequisites . . . . . . . . . . . . . .  30
+     10.4.  Signature Verification . . . . . . . . . . . . . . . . .  30
+     10.5.  Replay Attack Prevention . . . . . . . . . . . . . . . .  31
+     10.6.  Man-in-the-Middle Protection . . . . . . . . . . . . . .  31
+     10.7.  Key Compromise . . . . . . . . . . . . . . . . . . . . .  31
+     10.8.  Collusion and False Claims . . . . . . . . . . . . . . .  32
+     10.9.  Denial of Service  . . . . . . . . . . . . . . . . . . .  32
+     10.10. Timestamp Accuracy . . . . . . . . . . . . . . . . . . .  33
+     10.11. ECT Size Constraints . . . . . . . . . . . . . . . . . .  33
+   11. Privacy Considerations  . . . . . . . . . . . . . . . . . . .  33
+     11.1.  Data Exposure in ECTs  . . . . . . . . . . . . . . . . .  33
+     11.2.  Data Minimization  . . . . . . . . . . . . . . . . . . .  34
+     11.3.  Storage and Access Control . . . . . . . . . . . . . . .  34
+     11.4.  Regulatory Access  . . . . . . . . . . . . . . . . . . .  34
+   12. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  34
+     12.1.  Media Type Registration  . . . . . . . . . . . . . . . .  34
+     12.2.  HTTP Header Field Registration . . . . . . . . . . . . .  35
+     12.3.  JWT Claims Registration  . . . . . . . . . . . . . . . .  36
+     12.4.  ECT Policy Decision Values Registry  . . . . . . . . . .  37
+     12.5.  ECT Regulated Domain Values Registry . . . . . . . . . .  38
+   13. References  . . . . . . . . . . . . . . . . . . . . . . . . .  38
+     13.1.  Normative References . . . . . . . . . . . . . . . . . .  38
+     13.2.  Informative References . . . . . . . . . . . . . . . . .  39
+   Related Work  . . . . . . . . . . . . . . . . . . . . . . . . . .  41
+     WIMSE Workload Identity . . . . . . . . . . . . . . . . . . . .  41
+     OAuth 2.0 Token Exchange  . . . . . . . . . . . . . . . . . . .  41
+     Distributed Tracing (OpenTelemetry) . . . . . . . . . . . . . .  41
+     Blockchain and Distributed Ledgers  . . . . . . . . . . . . . .  42
+     SCITT (Supply Chain Integrity, Transparency, and Trust) . . . .  42
+     W3C Verifiable Credentials  . . . . . . . . . . . . . . . . . .  42
+   Implementation Guidance . . . . . . . . . . . . . . . . . . . . .  42
+     Minimal Implementation  . . . . . . . . . . . . . . . . . . . .  42
+     Storage Recommendations . . . . . . . . . . . . . . . . . . . .  43
+     Performance Considerations  . . . . . . . . . . . . . . . . . .  43
+     Interoperability  . . . . . . . . . . . . . . . . . . . . . . .  43
 
 
 
@@ -170,10 +170,13 @@ Nennemann                Expires 28 August 2026                 [Page 3]
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
-     Example 2: Medical Device SDLC with Release Approval  . . . . .  40
-     Example 3: Parallel Execution with Join . . . . . . . . . . . .  43
-   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  44
-   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  44
+   Regulatory Compliance Mapping . . . . . . . . . . . . . . . . . .  43
+   Examples  . . . . . . . . . . . . . . . . . . . . . . . . . . . .  44
+     Example 1: Simple Two-Agent Workflow  . . . . . . . . . . . . .  44
+     Example 2: Medical Device SDLC with Release Approval  . . . . .  45
+     Example 3: Parallel Execution with Join . . . . . . . . . . . .  48
+   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  49
+   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  49
 
 1.  Introduction
 
@@ -214,10 +217,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
       requires financial entities to have logging policies that record
       ICT activities and anomalies.
 
-   This document defines an extension to the WIMSE architecture that
-   addresses the gap between workload identity and execution
-   accountability.  WIMSE authenticates agents; this extension records
-   what they did, in what order, and what policy was evaluated.
+
 
 
 
@@ -226,10 +226,14 @@ Nennemann                Expires 28 August 2026                 [Page 4]
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
+   This document defines an extension to the WIMSE architecture that
+   addresses the gap between workload identity and execution
+   accountability.  WIMSE authenticates agents; this extension records
+   what they did, in what order, and what policy was evaluated.
+
    As identified in [I-D.ni-wimse-ai-agent-identity], call context in
-   agentic workflows must always be visible and preserved.  ECTs provide
-   a mechanism to address this requirement with cryptographic
-   assurances.
+   agentic workflows needs to be visible and preserved.  ECTs provide a
+   mechanism to address this requirement with cryptographic assurances.
 
 1.2.  Problem Statement
 
@@ -270,10 +274,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
    The following are out of scope and are handled by WIMSE:
 
-   *  Workload authentication and identity provisioning
-
-   *  Key distribution and management
-
 
 
 
@@ -282,6 +282,10 @@ Nennemann                Expires 28 August 2026                 [Page 5]
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
+   *  Workload authentication and identity provisioning
+
+   *  Key distribution and management
+
    *  Trust domain establishment and management
 
    *  Credential lifecycle management
@@ -326,10 +330,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
    Directed Acyclic Graph (DAG):  A graph structure representing task
       dependency ordering where edges are directed and no cycles exist.
 
-   Execution Context Token (ECT):  A JSON Web Token [RFC7519] defined by
-      this specification that records task execution details and policy
-      evaluation outcomes.
-
 
 
 
@@ -338,6 +338,10 @@ Nennemann                Expires 28 August 2026                 [Page 6]
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
+   Execution Context Token (ECT):  A JSON Web Token [RFC7519] defined by
+      this specification that records task execution details and policy
+      evaluation outcomes.
+
    Audit Ledger:  An append-only, immutable log of all ECTs within a
       workflow or set of workflows, used for regulatory audit and
       compliance verification.
@@ -383,10 +387,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
    *  Maintaining structured execution records
 
-   *  Linking compensation or rollback actions to original tasks
-
-
-
 
 
 Nennemann                Expires 28 August 2026                 [Page 7]
@@ -394,6 +394,8 @@ Nennemann                Expires 28 August 2026                 [Page 7]
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
+   *  Linking compensation or rollback actions to original tasks
+
 3.2.  Extension Model
 
    ECTs extend WIMSE by adding an execution accountability layer between
@@ -443,8 +445,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
 
 
-
-
 Nennemann                Expires 28 August 2026                 [Page 8]
 
 Internet-Draft           WIMSE Execution Context           February 2026
@@ -526,11 +526,48 @@ Internet-Draft           WIMSE Execution Context           February 2026
       WIT.
 
    sub:  OPTIONAL.  StringOrURI.  The subject of the ECT.  When present,
-      MUST equal the "iss" claim.
+      MUST equal the "iss" claim.  This claim is included for
+      compatibility with JWT libraries and frameworks that expect a
+      "sub" claim to be present.
 
    aud:  REQUIRED.  StringOrURI or array of StringOrURI.  The intended
-      recipient(s) of the ECT.  Typically the next agent in the workflow
-      or the ledger endpoint.
+      recipient(s) of the ECT.  Because ECTs serve as both inter-agent
+      messages and audit records, the "aud" claim SHOULD contain the
+      identifiers of all entities that will verify the ECT.  In practice
+      this means:
+
+      *  *Point-to-point delivery*: when an ECT is sent from one agent
+         to a single next agent, "aud" contains that agent's workload
+         identity.  The receiving agent verifies the ECT and forwards it
+         to the ledger on behalf of the issuer.
+
+      *  *Direct-to-ledger submission*: when an ECT is submitted
+         directly to the audit ledger (e.g., after a join or at workflow
+         completion), "aud" contains the ledger's identity.
+
+      *  *Multi-audience*: when an ECT must be verified by both the next
+         agent and the ledger independently, "aud" MUST be an array
+         containing both identifiers (e.g.,
+         ["spiffe://example.com/agent/next",
+         "spiffe://example.com/system/ledger"]).  Each verifier checks
+         that its own identity appears in the array.
+
+
+
+
+
+
+Nennemann                Expires 28 August 2026                [Page 10]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
+      In multi-parent (join) scenarios where a task depends on ECTs from
+      multiple parent agents, the joining agent creates a new ECT with
+      the parent task IDs in "par".  The "aud" of this new ECT is set
+      according to the rules above based on where the ECT will be
+      delivered — it is independent of the "aud" values in the parent
+      ECTs.
 
    iat:  REQUIRED.  NumericDate.  The time at which the ECT was issued.
       The ECT records a completed action, so the "iat" value reflects
@@ -541,8 +578,15 @@ Internet-Draft           WIMSE Execution Context           February 2026
       limit the replay window while allowing for reasonable clock skew
       and processing time.
 
-   jti:  OPTIONAL.  String.  A unique identifier for the ECT, useful for
-      additional replay detection.
+   The standard JWT "nbf" (Not Before) claim is not used in ECTs because
+   ECTs record completed actions and are valid immediately upon
+   issuance.
+
+   jti:  REQUIRED.  String.  A unique identifier for the ECT in UUID
+      format [RFC9562].  Used for replay detection: receivers MUST
+      reject ECTs whose "jti" has already been seen within the
+      expiration window.  The "jti" value MUST be unique across all ECTs
+      issued by the same agent.
 
 4.2.2.  Execution Context Claims
 
@@ -554,14 +598,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
       globally across the entire ledger.
 
    tid:  REQUIRED.  String.  A globally unique task identifier in UUID
-
-
-
-Nennemann                Expires 28 August 2026                [Page 10]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
       format [RFC9562].  Each task MUST have a unique "tid" value.  When
       "wid" is present, uniqueness is scoped to the workflow; when "wid"
       is absent, uniqueness MUST be enforced globally across the ledger.
@@ -573,6 +609,15 @@ Internet-Draft           WIMSE Execution Context           February 2026
       collision with the "act" (Actor) claim registered by [RFC8693].
 
    par:  REQUIRED.  Array of strings.  Parent task identifiers
+
+
+
+
+Nennemann                Expires 28 August 2026                [Page 11]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
       representing DAG dependencies.  Each element MUST be a valid "tid"
       from a previously executed task.  An empty array indicates a root
       task with no dependencies.  A workflow MAY contain multiple root
@@ -586,8 +631,26 @@ Internet-Draft           WIMSE Execution Context           February 2026
       evaluated for this task (e.g., "clinical_data_access_policy_v1").
 
    pol_decision:  REQUIRED.  String.  The result of the policy
-      evaluation.  MUST be one of: "approved", "rejected", or
-      "pending_human_review".
+      evaluation.  MUST be one of the values registered in the ECT
+      Policy Decision Values registry (Section 12.4).  Initial values
+      are:
+
+      *  "approved": The policy evaluation succeeded and the task was
+         authorized to proceed.
+
+      *  "rejected": The policy evaluation failed.  A "rejected" ECT
+         MUST still be appended to the audit ledger for accountability.
+         An ECT with "pol_decision" of "rejected" MAY appear as a parent
+         in the "par" array of a subsequent ECT, but only for
+         compensation, rollback, or remediation tasks.  Agents MUST NOT
+         proceed with normal workflow execution based on a parent ECT
+         whose "pol_decision" is "rejected".
+
+      *  "pending_human_review": The policy evaluation requires human
+         judgment before proceeding.  Agents MUST NOT proceed with
+         dependent tasks until a subsequent ECT from a human reviewer
+         records an "approved" decision referencing this task as a
+         parent.
 
    pol_enforcer:  OPTIONAL.  StringOrURI.  The identity of the entity
       (system or person) that evaluated the policy decision.  When
@@ -603,21 +666,28 @@ Internet-Draft           WIMSE Execution Context           February 2026
    and outputs without revealing the data itself:
 
    inp_hash:  OPTIONAL.  String.  A cryptographic hash of the input
-      data, formatted as "hash-algorithm:base64url-encoded-hash" (e.g.,
-      "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg").  The hash
-      algorithm identifier SHOULD be "sha-256".  The hash MUST be
-      computed over the raw octets of the input data.
-
-   out_hash:  OPTIONAL.  String.  A cryptographic hash of the output
-      data, using the same format as "inp_hash".
 
 
 
-Nennemann                Expires 28 August 2026                [Page 11]
+Nennemann                Expires 28 August 2026                [Page 12]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
+      data, formatted as "hash-algorithm:base64url-encoded-hash" (e.g.,
+      "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg").  The hash
+      algorithm identifier MUST be a lowercase value from the IANA Named
+      Information Hash Algorithm Registry (e.g., "sha-256", "sha-384",
+      "sha-512").  Implementations MUST support "sha-256" and SHOULD use
+      "sha-256" unless a stronger algorithm is required.
+      Implementations MUST NOT accept hash algorithms weaker than
+      SHA-256 (e.g., MD5, SHA-1).  The hash MUST be computed over the
+      raw octets of the input data.
+
+   out_hash:  OPTIONAL.  String.  A cryptographic hash of the output
+      data, using the same format and algorithm requirements as
+      "inp_hash".
+
    inp_classification:  OPTIONAL.  String.  The data sensitivity
       classification of the input (e.g., "public", "confidential",
       "restricted").
@@ -630,8 +700,8 @@ Internet-Draft           WIMSE Execution Context           February 2026
       task in milliseconds.  MUST be a non-negative integer.
 
    regulated_domain:  OPTIONAL.  String.  The regulatory domain
-      applicable to this task.  Values are drawn from an extensible set;
-      initial values include "medtech", "finance", and "military".
+      applicable to this task.  Values MUST be registered in the ECT
+      Regulated Domain Values registry (Section 12.5).
 
    model_version:  OPTIONAL.  String.  The version identifier of the AI
       or ML model used to perform the task, if applicable.
@@ -639,11 +709,26 @@ Internet-Draft           WIMSE Execution Context           February 2026
 4.2.6.  Witness Claims
 
    witnessed_by:  OPTIONAL.  Array of StringOrURI.  Identifiers of
-      third-party entities that observed or attested to the execution of
-      this task.  When present, each element SHOULD use SPIFFE ID
-      format.  In regulated environments, implementations SHOULD use
-      witness attestation for critical decision points to mitigate the
-      risk of single-agent false claims.
+      third-party entities that the issuing agent claims observed or
+      attested to the execution of this task.  When present, each
+      element SHOULD use SPIFFE ID format.  Note that this claim is
+      self-asserted by the ECT issuer; witnesses listed here do not co-
+      sign this ECT.  For stronger assurance, witnesses SHOULD submit
+      independent signed ECTs to the ledger attesting to their
+      observation (see Section 10.2.1).  In regulated environments,
+      implementations SHOULD use witness attestation for critical
+      decision points to mitigate the risk of single-agent false claims.
+      See also Section 10.2 for the security implications of self-
+      asserted witness claims.
+
+
+
+
+
+Nennemann                Expires 28 August 2026                [Page 13]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
 
 4.2.7.  Compensation Claims
 
@@ -652,7 +737,12 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
    compensation_reason:  OPTIONAL.  String.  A human-readable reason for
       the compensation action.  MUST be present if
-      "compensation_required" is true.
+      "compensation_required" is true.  Values SHOULD use structured
+      identifiers (e.g., "policy_violation_in_parent_trade") rather than
+      free-form text to minimize the risk of embedding sensitive
+      information.  See Section 11.2 for privacy guidance.  If
+      "compensation_reason" is present, "compensation_required" MUST be
+      true.
 
    Note: compensation ECTs reference historical parent tasks via the
    "par" claim.  The referenced parent ECTs may have passed their own
@@ -663,31 +753,46 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
    ext:  OPTIONAL.  Object.  An extension object for domain-specific
       claims not defined by this specification.  Implementations that do
-      not understand extension claims SHOULD ignore them.  To avoid key
-      collisions between different domains, extension key names SHOULD
-      use reverse domain notation (e.g., "com.example.custom_field").
+      not understand extension claims MUST ignore them.
 
-
-
-Nennemann                Expires 28 August 2026                [Page 12]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
-   The "ext" claim is a generic extension mechanism; it is not
-   registered in the IANA JWT Claims registry because its semantics
-   depend on the domain-specific claims within it.
+   To avoid key collisions between different domains, extension key
+   names MUST use reverse domain notation (e.g.,
+   "com.example.custom_field").  Implementations MUST NOT use
+   unqualified key names within the "ext" object.  To prevent abuse and
+   excessive token size, the serialized JSON representation of the "ext"
+   object SHOULD NOT exceed 4096 bytes, and the JSON nesting depth
+   within the "ext" object SHOULD NOT exceed 5 levels.  Implementations
+   SHOULD reject ECTs whose "ext" claim exceeds these limits.
 
 4.3.  Complete ECT Example
 
    The following is a complete ECT payload example:
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nennemann                Expires 28 August 2026                [Page 14]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
    {
      "iss": "spiffe://example.com/agent/clinical",
      "sub": "spiffe://example.com/agent/clinical",
      "aud": "spiffe://example.com/agent/safety",
      "iat": 1772064150,
      "exp": 1772064750,
+     "jti": "7f3a8b2c-d1e4-4f56-9a0b-c3d4e5f6a7b8",
 
      "wid": "a0b1c2d3-e4f5-6789-abcd-ef0123456789",
      "tid": "550e8400-e29b-41d4-a716-446655440001",
@@ -720,16 +825,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
    This specification defines the Execution-Context HTTP header field
    [RFC9110] for transporting ECTs between agents.
 
-
-
-
-
-
-Nennemann                Expires 28 August 2026                [Page 13]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
    The header field value is the ECT in JWS Compact Serialization format
    [RFC7515].  The value consists of three Base64url-encoded parts
    separated by period (".") characters.
@@ -738,6 +833,15 @@ Internet-Draft           WIMSE Execution Context           February 2026
    Context header alongside the WIMSE Workload-Identity and Workload-
    Proof-Token headers:
 
+
+
+
+
+Nennemann                Expires 28 August 2026                [Page 15]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
    GET /api/safety-check HTTP/1.1
    Host: safety-agent.example.com
    Workload-Identity: eyJhbGci...WIT...
@@ -750,6 +854,13 @@ Internet-Draft           WIMSE Execution Context           February 2026
    multiple Execution-Context header field lines MAY be included, each
    carrying a separate ECT in JWS Compact Serialization format.
 
+   When a receiver processes multiple Execution-Context headers, it MUST
+   individually verify each ECT per the procedure in Section 7.  If any
+   single ECT fails verification, the receiver MUST reject the entire
+   request.  The set of verified parent task IDs across all received
+   ECTs represents the complete set of parent dependencies available for
+   the receiving agent's subsequent ECT.
+
 6.  DAG Validation
 
 6.1.  Overview
@@ -775,28 +886,38 @@ Internet-Draft           WIMSE Execution Context           February 2026
        the ledger.  If any parent task is not found, the ECT MUST be
        rejected.
 
+   3.  Temporal Ordering: The "iat" value of every parent task MUST NOT
+       be greater than the "iat" value of the current task plus a
+       configurable clock skew tolerance (RECOMMENDED: 30 seconds).
+       That is, for each parent: parent.iat < child.iat +
 
 
 
-
-
-
-Nennemann                Expires 28 August 2026                [Page 14]
+Nennemann                Expires 28 August 2026                [Page 16]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
-   3.  Temporal Ordering: The "iat" value of every parent task MUST be
-       less than the "iat" value of the current task plus a configurable
-       clock skew tolerance (RECOMMENDED: 30 seconds).  If any parent
-       task has an "iat" that violates this constraint, the ECT MUST be
-       rejected.
+       clock_skew_tolerance.  The tolerance accounts for clock skew
+       between agents; it does not guarantee strict causal ordering from
+       timestamps alone.  Causal ordering is primarily enforced by the
+       DAG structure (parent existence in the ledger), not by
+       timestamps.  If any parent task violates this constraint, the ECT
+       MUST be rejected.
 
    4.  Acyclicity: Following the chain of parent references MUST NOT
        lead back to the current task's "tid".  If a cycle is detected,
        the ECT MUST be rejected.
 
-   5.  Trust Domain Consistency: Parent tasks SHOULD belong to the same
+   5.  Parent Policy Decision: If any parent task has a "pol_decision"
+       of "rejected" or "pending_human_review", the current task's
+       "exec_act" MUST indicate a compensation, rollback, remediation,
+       or human review action.  Implementations MUST NOT accept an ECT
+       representing normal workflow continuation when a parent's
+       "pol_decision" is not "approved", unless the current ECT has
+       "compensation_required" set to true.
+
+   6.  Trust Domain Consistency: Parent tasks SHOULD belong to the same
        trust domain or to a trust domain with which a federation
        relationship has been established.
 
@@ -828,16 +949,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
 
 
-
-
-
-
-
-
-
-
-
-Nennemann                Expires 28 August 2026                [Page 15]
+Nennemann                Expires 28 August 2026                [Page 17]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
@@ -855,14 +967,19 @@ Internet-Draft           WIMSE Execution Context           February 2026
        if parent.iat >= ect.iat + clock_skew_tolerance:
          return error("Parent task not earlier than current")
 
-     // Step 3: Cycle detection
+     // Step 3: Cycle detection (with traversal limit)
      visited = set()
-     if has_cycle(ect.tid, ect.par, ledger, visited):
-       return error("Circular dependency detected")
+     result = has_cycle(ect.tid, ect.par, ledger, visited,
+                         max_ancestor_limit)
+     if result is error or result is true:
+       return error("Circular dependency or depth limit exceeded")
 
      return success
 
-   function has_cycle(target_tid, parent_ids, ledger, visited):
+   function has_cycle(target_tid, parent_ids, ledger, visited,
+                      max_depth):
+     if visited.size() >= max_depth:
+       return error("Maximum ancestor traversal limit exceeded")
      for parent_id in parent_ids:
        if parent_id == target_tid:
          return true
@@ -871,8 +988,10 @@ Internet-Draft           WIMSE Execution Context           February 2026
        visited.add(parent_id)
        parent = ledger.get(parent_id)
        if parent is not null:
-         if has_cycle(target_tid, parent.par, ledger, visited):
-           return true
+         result = has_cycle(target_tid, parent.par, ledger,
+                             visited, max_depth)
+         if result is error or result is true:
+           return result
      return false
 
                     Figure 6: DAG Validation Pseudocode
@@ -881,8 +1000,20 @@ Internet-Draft           WIMSE Execution Context           February 2026
    current task's parents.  The complexity is O(V) where V is the number
    of ancestor nodes reachable from the current task's parent
    references.  For typical workflows with shallow DAGs, this is
-   efficient.  Implementations SHOULD cache cycle detection results for
-   previously verified tasks to avoid redundant traversals.
+   efficient.  To prevent denial-of-service via extremely deep or wide
+   DAGs, implementations SHOULD enforce a maximum ancestor traversal
+
+
+
+Nennemann                Expires 28 August 2026                [Page 18]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
+   limit (RECOMMENDED: 10000 nodes).  If the limit is reached before
+   cycle detection completes, the ECT SHOULD be rejected.
+   Implementations SHOULD cache cycle detection results for previously
+   verified tasks to avoid redundant traversals.
 
 7.  Signature and Token Verification
 
@@ -891,13 +1022,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
    When an agent receives an ECT, it MUST perform the following
    verification steps in order:
 
-
-
-Nennemann                Expires 28 August 2026                [Page 16]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
    1.   Parse the JWS Compact Serialization to extract the JOSE header,
         payload, and signature components per [RFC7515].
 
@@ -912,30 +1036,51 @@ Internet-Draft           WIMSE Execution Context           February 2026
    5.   Retrieve the public key identified by "kid" and verify the JWS
         signature per [RFC7515] Section 5.2.
 
-   6.   Verify the "alg" header parameter matches the algorithm in the
+   6.   Verify that the signing key identified by "kid" has not been
+        revoked within the trust domain.  Implementations MUST check the
+        key's revocation status using the trust domain's key lifecycle
+        mechanism (e.g., certificate revocation list, OCSP, or SPIFFE
+        trust bundle updates).
+
+   7.   Verify the "alg" header parameter matches the algorithm in the
         corresponding WIT.
 
-   7.   Verify the "iss" claim matches the "sub" claim of the WIT
+   8.   Verify the "iss" claim matches the "sub" claim of the WIT
         associated with the "kid" public key.
 
-   8.   Verify the "aud" claim contains the verifier's own workload
-        identity or an expected recipient identifier.
+   9.   Verify the "aud" claim contains the verifier's own workload
+        identity.  When "aud" is an array, it is sufficient that the
+        verifier's identity appears as one element; the presence of
+        other audience values does not cause verification failure.  When
+        the verifier is the audit ledger, the ledger's own identity MUST
+        appear in "aud".
 
-   9.   Verify the "exp" claim indicates the ECT has not expired.
+   10.  Verify the "exp" claim indicates the ECT has not expired.
 
-   10.  Verify the "iat" claim is not unreasonably far in the past
+
+
+
+
+Nennemann                Expires 28 August 2026                [Page 19]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
+   11.  Verify the "iat" claim is not unreasonably far in the past
         (implementation-specific threshold, RECOMMENDED maximum of 15
-        minutes).
+        minutes) and is not unreasonably far in the future (RECOMMENDED:
+        no more than 30 seconds ahead of the verifier's current time, to
+        account for clock skew).
 
-   11.  Verify all required claims ("tid", "exec_act", "par", "pol",
-        "pol_decision") are present and well-formed.
+   12.  Verify all required claims ("jti", "tid", "exec_act", "par",
+        "pol", "pol_decision") are present and well-formed.
 
-   12.  Verify "pol_decision" is one of "approved", "rejected", or
+   13.  Verify "pol_decision" is one of "approved", "rejected", or
         "pending_human_review".
 
-   13.  Perform DAG validation per Section 6.
+   14.  Perform DAG validation per Section 6.
 
-   14.  If all checks pass, the ECT MUST be appended to the audit
+   15.  If all checks pass, the ECT MUST be appended to the audit
         ledger.
 
    If any verification step fails, the ECT MUST be rejected and the
@@ -943,17 +1088,16 @@ Internet-Draft           WIMSE Execution Context           February 2026
    reveal whether specific parent task IDs exist in the ledger, to
    prevent information disclosure.
 
+   When ECT verification fails during HTTP request processing, the
+   receiving agent SHOULD respond with HTTP 403 (Forbidden) if the WIT
+   and WPT are valid but the ECT is invalid, and HTTP 401 (Unauthorized)
+   if the ECT signature verification fails.  The response body SHOULD
+   include a generic error indicator without revealing which specific
+   verification step failed.  The receiving agent MUST NOT process the
+   requested action when ECT verification fails.
+
 7.2.  Verification Pseudocode
 
-
-
-
-
-Nennemann                Expires 28 August 2026                [Page 17]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
    function verify_ect(ect_jws, verifier_id,
                         trust_domain_keys, ledger):
      // Parse JWS
@@ -971,11 +1115,22 @@ Internet-Draft           WIMSE Execution Context           February 2026
      if public_key is null:
        return reject("Unknown key identifier")
 
+
+
+Nennemann                Expires 28 August 2026                [Page 20]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
      // Verify signature
      if not verify_jws_signature(header, payload,
                                   signature, public_key):
        return reject("Invalid signature")
 
+     // Verify key not revoked
+     if is_key_revoked(header.kid, trust_domain_keys):
+       return reject("Signing key has been revoked")
+
      // Verify algorithm alignment
      wit = get_wit_for_key(header.kid)
      if header.alg != wit.alg:
@@ -993,23 +1148,18 @@ Internet-Draft           WIMSE Execution Context           February 2026
      if payload.exp < current_time():
        return reject("ECT has expired")
 
-     // Verify iat freshness
+     // Verify iat freshness (not too old, not in the future)
      if payload.iat < current_time() - max_age_threshold:
        return reject("ECT issued too long ago")
+     if payload.iat > current_time() + clock_skew_tolerance:
+       return reject("ECT issued in the future")
 
      // Verify required claims
-     for claim in ["tid", "exec_act", "par",
+     for claim in ["jti", "tid", "exec_act", "par",
                     "pol", "pol_decision"]:
        if claim not in payload:
          return reject("Missing required claim: " + claim)
 
-
-
-Nennemann                Expires 28 August 2026                [Page 18]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
      // Validate pol_decision value
      if payload.pol_decision not in
         ["approved", "rejected", "pending_human_review"]:
@@ -1021,6 +1171,13 @@ Internet-Draft           WIMSE Execution Context           February 2026
      if result is error:
        return reject("DAG validation failed")
 
+
+
+Nennemann                Expires 28 August 2026                [Page 21]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
      // All checks passed; append to ledger
      ledger.append(payload)
      return accept
@@ -1059,17 +1216,24 @@ Internet-Draft           WIMSE Execution Context           February 2026
    The ledger SHOULD be maintained by an entity independent of the
    workflow agents to reduce the risk of collusion.
 
-
-
-Nennemann                Expires 28 August 2026                [Page 19]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
 8.3.  Ledger Entry Structure
 
    Each ledger entry is a logical record containing:
 
+
+
+
+
+
+
+
+
+
+Nennemann                Expires 28 August 2026                [Page 22]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
    {
      "ledger_sequence": 42,
      "task_id": "550e8400-e29b-41d4-a716-446655440001",
@@ -1088,6 +1252,10 @@ Internet-Draft           WIMSE Execution Context           February 2026
    is the authoritative record.  The other fields ("agent_id", "action",
    "parents") are convenience indexes derived from the ECT payload; if
    they disagree with the JWS payload, the JWS payload takes precedence.
+   Implementations SHOULD validate that convenience index fields match
+   the corresponding values in the JWS payload at write time to prevent
+   desynchronization between the authoritative JWS and the indexed
+   fields.
 
 9.  Use Cases
 
@@ -1098,8 +1266,8 @@ Internet-Draft           WIMSE Execution Context           February 2026
    this specification.
 
    Note: task identifiers in this section are abbreviated for
-   readability.  In production, all "tid" values MUST be UUIDs per
-   [RFC9562].
+   readability.  In production, all "tid" values are required to be
+   UUIDs per Section 4.2.2.
 
 9.1.  Medical Device SDLC Workflow
 
@@ -1117,7 +1285,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
 
 
-Nennemann                Expires 28 August 2026                [Page 20]
+Nennemann                Expires 28 August 2026                [Page 23]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
@@ -1173,7 +1341,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
 
 
-Nennemann                Expires 28 August 2026                [Page 21]
+Nennemann                Expires 28 August 2026                [Page 24]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
@@ -1229,7 +1397,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
 
 
-Nennemann                Expires 28 August 2026                [Page 22]
+Nennemann                Expires 28 August 2026                [Page 25]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
@@ -1285,15 +1453,15 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
 
 
-Nennemann                Expires 28 August 2026                [Page 23]
+Nennemann                Expires 28 August 2026                [Page 26]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
    {
-     "iss": "spiffe://bank.com/agent/operations",
-     "sub": "spiffe://bank.com/agent/operations",
-     "aud": "spiffe://bank.com/system/ledger",
+     "iss": "spiffe://bank.example/agent/operations",
+     "sub": "spiffe://bank.example/agent/operations",
+     "aud": "spiffe://bank.example/system/ledger",
      "iat": 1772150550,
      "exp": 1772151150,
      "wid": "d3e4f5a6-b7c8-9012-def0-123456789012",
@@ -1302,7 +1470,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
      "par": ["550e8400-e29b-41d4-a716-446655440003"],
      "pol": "compensation_policy_v1",
      "pol_decision": "approved",
-     "pol_enforcer": "spiffe://bank.com/human/compliance-officer",
+     "pol_enforcer": "spiffe://bank.example/human/compliance-officer",
      "compensation_required": true,
      "compensation_reason": "policy_violation_in_parent_trade"
    }
@@ -1315,9 +1483,9 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
 9.4.  Autonomous Logistics Coordination
 
-   In a logistics workflow, multiple compliance checks must complete
-   before shipment commitment.  The DAG structure records that all
-   required checks were completed:
+   In a logistics workflow, multiple compliance checks complete before
+   shipment commitment.  The DAG structure records that all required
+   checks were completed:
 
 
 
@@ -1341,7 +1509,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
 
 
-Nennemann                Expires 28 August 2026                [Page 24]
+Nennemann                Expires 28 August 2026                [Page 27]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
@@ -1397,7 +1565,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
 
 
-Nennemann                Expires 28 August 2026                [Page 25]
+Nennemann                Expires 28 August 2026                [Page 28]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
@@ -1426,6 +1594,48 @@ Internet-Draft           WIMSE Execution Context           February 2026
    the signing agent.  To mitigate single-agent false claims, regulated
    environments SHOULD use the "witnessed_by" mechanism to include
    independent third-party observers at critical decision points.
+   However, the "witnessed_by" claim is self-asserted by the ECT issuer:
+   the listed witnesses do not co-sign the ECT and there is no
+   cryptographic proof within a single ECT that the witnesses actually
+   observed the task.  An issuing agent could list witnesses that did
+   not participate.
+
+10.2.1.  Witness Attestation Model
+
+   To address the self-assertion limitation of the "witnessed_by" claim,
+   witnesses SHOULD submit their own independent signed ECTs to the
+   audit ledger attesting to the observed task.  A witness attestation
+   ECT:
+
+   *  MUST set "iss" to the witness's own workload identity.
+
+   *  MUST set "exec_act" to "witness_attestation" (or a domain-
+      specific equivalent).
+
+   *  MUST include the observed task's "tid" in the "par" array, linking
+      the attestation to the original task.
+
+   *  MUST set "pol_decision" to "approved" to indicate the witness
+      confirms the observation.
+
+
+
+
+Nennemann                Expires 28 August 2026                [Page 29]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
+   When a task's "witnessed_by" claim lists one or more witnesses,
+   auditors SHOULD verify that corresponding witness attestation ECTs
+   exist in the ledger for each listed witness.  A mismatch between the
+   "witnessed_by" list and the set of independent witness ECTs in the
+   ledger SHOULD be flagged during audit review.
+
+   This model converts witness attestation from a self-asserted claim to
+   a cryptographically verifiable property of the ledger: the witness
+   independently signs their own ECT using their own key, and the ledger
+   records both the original task ECT and the witness attestation ECTs.
 
 10.3.  Organizational Prerequisites
 
@@ -1445,33 +1655,33 @@ Internet-Draft           WIMSE Execution Context           February 2026
    *  Agent deployment governance: Agents are deployed and maintained in
       a manner that preserves their integrity.
 
-
-
-
-
-
-
-
-
-Nennemann                Expires 28 August 2026                [Page 26]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
 10.4.  Signature Verification
 
    ECTs MUST be signed with the agent's private key using JWS [RFC7515].
    The signature algorithm MUST match the algorithm specified in the
    agent's WIT.  Receivers MUST verify the ECT signature against the WIT
    public key before processing any claims.  Receivers MUST verify that
-   the signing key has not been revoked within the trust domain.
+   the signing key has not been revoked within the trust domain (see
+   step 6 in Section 7).
 
-   If signature verification fails, the ECT MUST be rejected entirely
-   and the failure MUST be logged.
+   If signature verification fails or if the signing key has been
+   revoked, the ECT MUST be rejected entirely and the failure MUST be
+   logged.
 
    Implementations MUST use established JWS libraries and MUST NOT
    implement custom signature verification.
 
+
+
+
+
+
+
+Nennemann                Expires 28 August 2026                [Page 30]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
 10.5.  Replay Attack Prevention
 
    ECTs include short expiration times (RECOMMENDED: 5-15 minutes) to
@@ -1484,8 +1694,9 @@ Internet-Draft           WIMSE Execution Context           February 2026
    referencing parent tasks that already have a recorded child task with
    the same action can be flagged as a potential replay.
 
-   Implementations SHOULD maintain a cache of recently-seen "jti" values
-   (when present) to detect replayed ECTs within the expiration window.
+   Implementations MUST maintain a cache of recently-seen "jti" values
+   to detect replayed ECTs within the expiration window.  An ECT with a
+   duplicate "jti" value MUST be rejected.
 
 10.6.  Man-in-the-Middle Protection
 
@@ -1505,15 +1716,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
    *  ECT (execution accountability layer): Records what the agent did
       and under what policy.
 
-
-
-
-
-Nennemann                Expires 28 August 2026                [Page 27]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
 10.7.  Key Compromise
 
    If an agent's private key is compromised, an attacker can forge ECTs
@@ -1527,6 +1729,15 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
    *  Trust domains MUST support rapid key revocation.
 
+
+
+
+
+Nennemann                Expires 28 August 2026                [Page 31]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
    *  Upon suspected compromise, the trust domain MUST revoke the
       compromised key and issue a new WIT with a fresh key pair.
 
@@ -1556,20 +1767,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
    *  Out-of-band audit: External auditors periodically verify ledger
       contents against expected workflow patterns.
 
-
-
-
-
-
-
-
-
-
-Nennemann                Expires 28 August 2026                [Page 28]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
 10.9.  Denial of Service
 
    ECT signature verification is computationally inexpensive
@@ -1583,6 +1780,20 @@ Internet-Draft           WIMSE Execution Context           February 2026
    performed after signature verification to avoid wasting resources on
    unsigned or incorrectly signed tokens.
 
+
+
+
+
+
+
+
+
+
+Nennemann                Expires 28 August 2026                [Page 32]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
 10.10.  Timestamp Accuracy
 
    ECTs rely on timestamps ("iat", "exp") for temporal ordering.  Clock
@@ -1591,6 +1802,12 @@ Internet-Draft           WIMSE Execution Context           February 2026
    SHOULD allow a configurable clock skew tolerance (RECOMMENDED: 30
    seconds).
 
+   Cross-organizational deployments where agents span multiple trust
+   domains with independent time sources MAY require a higher clock skew
+   tolerance.  Deployments using trust domain federation SHOULD document
+   their configured clock skew tolerance value and SHOULD ensure all
+   participating trust domains agree on a common tolerance.
+
    The temporal ordering check in DAG validation incorporates the clock
    skew tolerance to account for minor clock differences between agents.
 
@@ -1598,8 +1815,10 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
    ECTs with many parent tasks or large extension objects can increase
    HTTP header size.  Implementations SHOULD limit the "par" array to a
-   reasonable size and SHOULD set maximum size limits for the "ext"
-   object to prevent abuse.
+   maximum of 256 entries.  Workflows requiring more parent references
+   SHOULD introduce intermediate aggregation tasks.  The "ext" object
+   SHOULD NOT exceed 4096 bytes when serialized as JSON and SHOULD NOT
+   exceed a nesting depth of 5 levels (see also Section 4.2.8).
 
 11.  Privacy Considerations
 
@@ -1618,19 +1837,19 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
    ECTs are designed to NOT reveal:
 
-
-
-
-Nennemann                Expires 28 August 2026                [Page 29]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
    *  Actual input or output data values (replaced with cryptographic
       hashes via "inp_hash" and "out_hash")
 
    *  Internal computation details or intermediate steps
 
+
+
+
+Nennemann                Expires 28 August 2026                [Page 33]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
    *  Proprietary algorithms or intellectual property
 
    *  Personally identifiable information (PII)
@@ -1643,6 +1862,15 @@ Internet-Draft           WIMSE Execution Context           February 2026
    "pol" claim SHOULD reference policy identifiers rather than embedding
    policy content.
 
+   The "compensation_reason" claim (Section 4.2.7) deserves particular
+   attention: because it is human-readable and may describe the
+   circumstances of a failure or policy violation, it risks exposing
+   sensitive operational details.  Implementations SHOULD use short,
+   structured reason codes (e.g., "policy_violation_in_parent_trade")
+   rather than free-form natural language explanations.  Implementers
+   SHOULD review "compensation_reason" values for potential information
+   leakage before deploying to production.
+
 11.3.  Storage and Access Control
 
    ECTs stored in audit ledgers SHOULD be access-controlled so that only
@@ -1670,18 +1898,18 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
    Type name:  application
 
-   Subtype name:  wimse-exec+jwt
-
-   Required parameters:  none
 
 
 
-
-Nennemann                Expires 28 August 2026                [Page 30]
+Nennemann                Expires 28 August 2026                [Page 34]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
+   Subtype name:  wimse-exec+jwt
+
+   Required parameters:  none
+
    Optional parameters:  none
 
    Encoding considerations:  8bit; an ECT is a JWT that is a JWS using
@@ -1725,19 +1953,20 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
    Specification document:  This document, Section 5
 
+
+
+
+
+Nennemann                Expires 28 August 2026                [Page 35]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
 12.3.  JWT Claims Registration
 
    This document requests registration of the following claims in the
    "JSON Web Token Claims" registry maintained by IANA:
 
-
-
-
-Nennemann                Expires 28 August 2026                [Page 31]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
    +=======================+=================+============+===========+
    |       Claim Name      | Claim           |   Change   | Reference |
    |                       | Description     | Controller |           |
@@ -1781,29 +2010,93 @@ Internet-Draft           WIMSE Execution Context           February 2026
    |      witnessed_by     | Witness         |    IETF    |  Section  |
    |                       | Identities      |            |   4.2.6   |
    +-----------------------+-----------------+------------+-----------+
+
+
+
+Nennemann                Expires 28 August 2026                [Page 36]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
    |    regulated_domain   | Regulatory      |    IETF    |  Section  |
    |                       | Domain          |            |   4.2.5   |
    +-----------------------+-----------------+------------+-----------+
    |     model_version     | AI/ML Model     |    IETF    |  Section  |
    |                       | Version         |            |   4.2.5   |
-
-
-
-Nennemann                Expires 28 August 2026                [Page 32]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
    +-----------------------+-----------------+------------+-----------+
    | compensation_required | Compensation    |    IETF    |  Section  |
    |                       | Flag            |            |   4.2.7   |
    +-----------------------+-----------------+------------+-----------+
    |  compensation_reason  | Compensation    |    IETF    |  Section  |
    |                       | Reason          |            |   4.2.7   |
+   +-----------------------+-----------------+------------+-----------+
+   |          ext          | Extension       |    IETF    |  Section  |
+   |                       | Object          |            |   4.2.8   |
    +-----------------------+-----------------+------------+-----------+
 
                     Table 1: JWT Claims Registrations
 
+12.4.  ECT Policy Decision Values Registry
+
+   This document establishes the "ECT Policy Decision Values" registry
+   under the "JSON Web Token (JWT)" group.  Registration policy is
+   Specification Required per [RFC8126].
+
+   The initial contents of the registry are:
+
+   +======================+===================+============+===========+
+   |        Value         | Description       |   Change   | Reference |
+   |                      |                   | Controller |           |
+   +======================+===================+============+===========+
+   |       approved       | Policy            |    IETF    |  Section  |
+   |                      | evaluation        |            |   4.2.3   |
+   |                      | succeeded         |            |           |
+   +----------------------+-------------------+------------+-----------+
+   |       rejected       | Policy            |    IETF    |  Section  |
+   |                      | evaluation        |            |   4.2.3   |
+   |                      | failed            |            |           |
+   +----------------------+-------------------+------------+-----------+
+   | pending_human_review | Awaiting          |    IETF    |  Section  |
+   |                      | human             |            |   4.2.3   |
+   |                      | judgment          |            |           |
+   +----------------------+-------------------+------------+-----------+
+
+                    Table 2: ECT Policy Decision Values
+
+
+
+
+
+
+
+Nennemann                Expires 28 August 2026                [Page 37]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
+12.5.  ECT Regulated Domain Values Registry
+
+   This document establishes the "ECT Regulated Domain Values" registry
+   under the "JSON Web Token (JWT)" group.  Registration policy is
+   Specification Required per [RFC8126].
+
+   The initial contents of the registry are:
+
+     +==========+====================+===================+===========+
+     |  Value   | Description        | Change Controller | Reference |
+     +==========+====================+===================+===========+
+     | medtech  | Medical technology |        IETF       |  Section  |
+     |          | and devices        |                   |   4.2.5   |
+     +----------+--------------------+-------------------+-----------+
+     | finance  | Financial services |        IETF       |  Section  |
+     |          | and trading        |                   |   4.2.5   |
+     +----------+--------------------+-------------------+-----------+
+     | military | Military and       |        IETF       |  Section  |
+     |          | defense            |                   |   4.2.5   |
+     +----------+--------------------+-------------------+-----------+
+
+                    Table 3: ECT Regulated Domain Values
+
 13.  References
 
 13.1.  Normative References
@@ -1829,31 +2122,35 @@ Internet-Draft           WIMSE Execution Context           February 2026
               DOI 10.17487/RFC2119, March 1997,
               <https://www.rfc-editor.org/rfc/rfc2119>.
 
-   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet:
-              Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002,
-              <https://www.rfc-editor.org/rfc/rfc3339>.
+
+
+
+Nennemann                Expires 28 August 2026                [Page 38]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
 
    [RFC7515]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web
               Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
               2015, <https://www.rfc-editor.org/rfc/rfc7515>.
 
+   [RFC7517]  Jones, M., "JSON Web Key (JWK)", RFC 7517,
+              DOI 10.17487/RFC7517, May 2015,
+              <https://www.rfc-editor.org/rfc/rfc7517>.
+
    [RFC7518]  Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
               DOI 10.17487/RFC7518, May 2015,
               <https://www.rfc-editor.org/rfc/rfc7518>.
 
-
-
-
-
-Nennemann                Expires 28 August 2026                [Page 33]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
    [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
               (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
               <https://www.rfc-editor.org/rfc/rfc7519>.
 
+   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
+              Writing an IANA Considerations Section in RFCs", BCP 26,
+              RFC 8126, DOI 10.17487/RFC8126, June 2017,
+              <https://www.rfc-editor.org/rfc/rfc8126>.
+
    [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
               2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
               May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
@@ -1881,6 +2178,14 @@ Internet-Draft           WIMSE Execution Context           February 2026
               intelligence (Artificial Intelligence Act)", 13 June 2024,
               <https://eur-lex.europa.eu/eli/reg/2024/1689>.
 
+
+
+
+Nennemann                Expires 28 August 2026                [Page 39]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
    [EU-MDR]   European Parliament and Council of the European Union,
               "Regulation (EU) 2017/745 on medical devices (MDR)", 5
               April 2017, <https://eur-lex.europa.eu/eli/reg/2017/745>.
@@ -1899,13 +2204,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
               October 2025, <https://datatracker.ietf.org/doc/html/
               draft-ietf-scitt-architecture-22>.
 
-
-
-Nennemann                Expires 28 August 2026                [Page 34]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
    [I-D.ni-wimse-ai-agent-identity]
               Yuan, N. and P. C. Liu, "WIMSE Applicability for AI
               Agents", Work in Progress, Internet-Draft, draft-ni-wimse-
@@ -1929,15 +2227,21 @@ Internet-Draft           WIMSE Execution Context           February 2026
               DOI 10.17487/RFC3552, July 2003,
               <https://www.rfc-editor.org/rfc/rfc3552>.
 
-   [RFC7517]  Jones, M., "JSON Web Key (JWK)", RFC 7517,
-              DOI 10.17487/RFC7517, May 2015,
-              <https://www.rfc-editor.org/rfc/rfc7517>.
-
    [RFC8693]  Jones, M., Nadalin, A., Campbell, B., Ed., Bradley, J.,
               and C. Mortimore, "OAuth 2.0 Token Exchange", RFC 8693,
               DOI 10.17487/RFC8693, January 2020,
               <https://www.rfc-editor.org/rfc/rfc8693>.
 
+
+
+
+
+
+Nennemann                Expires 28 August 2026                [Page 40]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
    [RFC9421]  Backman, A., Ed., Richer, J., Ed., and M. Sporny, "HTTP
               Message Signatures", RFC 9421, DOI 10.17487/RFC9421,
               February 2024, <https://www.rfc-editor.org/rfc/rfc9421>.
@@ -1948,20 +2252,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
 Related Work
 
-
-
-
-
-
-
-
-
-
-Nennemann                Expires 28 August 2026                [Page 35]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
 WIMSE Workload Identity
 
    The WIMSE architecture [I-D.ietf-wimse-arch] and service-to- service
@@ -1996,6 +2286,18 @@ Distributed Tracing (OpenTelemetry)
    while ECTs provide signed execution records.  ECTs may reference
    OpenTelemetry trace identifiers in the "ext" claim for correlation.
 
+
+
+
+
+
+
+
+Nennemann                Expires 28 August 2026                [Page 41]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
 Blockchain and Distributed Ledgers
 
    Both ECTs and blockchain systems provide immutable records.  This
@@ -2005,19 +2307,6 @@ Blockchain and Distributed Ledgers
    or any storage providing the required properties defined in
    Section 8.
 
-
-
-
-
-
-
-
-
-Nennemann                Expires 28 August 2026                [Page 36]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
 SCITT (Supply Chain Integrity, Transparency, and Trust)
 
    The SCITT architecture [I-D.ietf-scitt-architecture] defines a
@@ -2050,14 +2339,21 @@ Implementation Guidance
 
 Minimal Implementation
 
-   A minimal conforming implementation should:
+   A minimal conforming implementation needs to:
 
    1.  Create JWTs with all required claims ("iss", "aud", "iat", "exp",
-       "tid", "exec_act", "par", "pol", "pol_decision").
+       "jti", "tid", "exec_act", "par", "pol", "pol_decision").
 
    2.  Sign ECTs with the agent's private key using an algorithm
        matching the WIT (ES256 recommended).
 
+
+
+Nennemann                Expires 28 August 2026                [Page 42]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
    3.  Verify ECT signatures against WIT public keys.
 
    4.  Perform DAG validation (parent existence, temporal ordering,
@@ -2065,15 +2361,6 @@ Minimal Implementation
 
    5.  Append verified ECTs to an audit ledger.
 
-
-
-
-
-Nennemann                Expires 28 August 2026                [Page 37]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
 Storage Recommendations
 
    *  Append-only log: Simplest approach; immutability by design.
@@ -2102,10 +2389,11 @@ Performance Considerations
 
 Interoperability
 
-   Implementations should use established JWT/JWS libraries (JOSE) for
-   token creation and verification.  Custom cryptographic
-   implementations should not be used.  Implementations should be tested
-   against multiple JWT libraries to ensure interoperability.
+   Implementations are expected to use established JWT/JWS libraries
+   (JOSE) for token creation and verification.  Custom cryptographic
+   implementations are strongly discouraged.  Implementations are
+   expected to be tested against multiple JWT libraries to ensure
+   interoperability.
 
 Regulatory Compliance Mapping
 
@@ -2117,15 +2405,7 @@ Regulatory Compliance Mapping
 
 
 
-
-
-
-
-
-
-
-
-Nennemann                Expires 28 August 2026                [Page 38]
+Nennemann                Expires 28 August 2026                [Page 43]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
@@ -2160,7 +2440,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
     |            |                        | trail                    |
     +------------+------------------------+--------------------------+
 
-                  Table 2: Regulatory Compliance Mapping
+                  Table 4: Regulatory Compliance Mapping
 
 Examples
 
@@ -2181,7 +2461,7 @@ Example 1: Simple Two-Agent Workflow
 
 
 
-Nennemann                Expires 28 August 2026                [Page 39]
+Nennemann                Expires 28 August 2026                [Page 44]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
@@ -2237,7 +2517,7 @@ Example 2: Medical Device SDLC with Release Approval
 
 
 
-Nennemann                Expires 28 August 2026                [Page 40]
+Nennemann                Expires 28 August 2026                [Page 45]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
@@ -2293,7 +2573,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
 
 
-Nennemann                Expires 28 August 2026                [Page 41]
+Nennemann                Expires 28 August 2026                [Page 46]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
@@ -2349,7 +2629,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
 
 
-Nennemann                Expires 28 August 2026                [Page 42]
+Nennemann                Expires 28 August 2026                [Page 47]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
@@ -2405,7 +2685,7 @@ Example 3: Parallel Execution with Join
 
 
 
-Nennemann                Expires 28 August 2026                [Page 43]
+Nennemann                Expires 28 August 2026                [Page 48]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
@@ -2461,4 +2741,4 @@ Author's Address
 
 
 
-Nennemann                Expires 28 August 2026                [Page 44]
+Nennemann                Expires 28 August 2026                [Page 49]
diff --git a/draft-nennemann-wimse-execution-context-00.xml b/draft-nennemann-wimse-execution-context-00.xml
index 98edb2c..b356336 100644
--- a/draft-nennemann-wimse-execution-context-00.xml
+++ b/draft-nennemann-wimse-execution-context-00.xml
@@ -26,13 +26,13 @@
     <date year="2026" month="February" day="24"/>
 
     <area>Security</area>
-    
+    <workgroup>WIMSE</workgroup>
     <keyword>execution context</keyword> <keyword>workload identity</keyword> <keyword>agentic workflows</keyword> <keyword>audit trail</keyword> <keyword>compliance</keyword> <keyword>regulated systems</keyword>
 
     <abstract>
 
 
-<?line 85?>
+<?line 83?>
 
 <t>This document defines Execution Context Tokens (ECTs), an extension
 to the Workload Identity in Multi System Environments (WIMSE)
@@ -64,7 +64,7 @@ regulatory frameworks.</t>
   <middle>
 
 
-<?line 106?>
+<?line 104?>
 
 <section anchor="introduction"><name>Introduction</name>
 
@@ -111,7 +111,7 @@ accountability.  WIMSE authenticates agents; this extension records
 what they did, in what order, and what policy was evaluated.</t>
 
 <t>As identified in <xref target="I-D.ni-wimse-ai-agent-identity"/>, call context
-in agentic workflows must always be visible and preserved.  ECTs
+in agentic workflows needs to be visible and preserved.  ECTs
 provide a mechanism to address this requirement with cryptographic
 assurances.</t>
 
@@ -413,13 +413,41 @@ claim of the agent's WIT.</t>
   <dt>sub:</dt>
   <dd>
     <t><bcp14>OPTIONAL</bcp14>.  StringOrURI.  The subject of the ECT.  When present,
-<bcp14>MUST</bcp14> equal the "iss" claim.</t>
+<bcp14>MUST</bcp14> equal the "iss" claim.  This claim is included for
+compatibility with JWT libraries and frameworks that expect a
+"sub" claim to be present.</t>
   </dd>
   <dt>aud:</dt>
   <dd>
     <t><bcp14>REQUIRED</bcp14>.  StringOrURI or array of StringOrURI.  The intended
-recipient(s) of the ECT.  Typically the next agent in the
-workflow or the ledger endpoint.</t>
+recipient(s) of the ECT.  Because ECTs serve as both inter-agent
+messages and audit records, the "aud" claim <bcp14>SHOULD</bcp14> contain the
+identifiers of all entities that will verify the ECT.  In
+practice this means:
+</t>
+
+    <t><list style="symbols">
+      <t><strong>Point-to-point delivery</strong>: when an ECT is sent from one
+agent to a single next agent, "aud" contains that agent's
+workload identity.  The receiving agent verifies the ECT and
+forwards it to the ledger on behalf of the issuer.</t>
+      <t><strong>Direct-to-ledger submission</strong>: when an ECT is submitted
+directly to the audit ledger (e.g., after a join or at
+workflow completion), "aud" contains the ledger's identity.</t>
+      <t><strong>Multi-audience</strong>: when an ECT must be verified by both the
+next agent and the ledger independently, "aud" <bcp14>MUST</bcp14> be an
+array containing both identifiers (e.g.,
+["spiffe://example.com/agent/next",
+"spiffe://example.com/system/ledger"]).  Each verifier checks
+that its own identity appears in the array.</t>
+    </list></t>
+
+    <t>In multi-parent (join) scenarios where a task depends on ECTs
+from multiple parent agents, the joining agent creates a new ECT
+with the parent task IDs in "par".  The "aud" of this new ECT
+is set according to the rules above based on where the ECT will
+be delivered — it is independent of the "aud" values in the
+parent ECTs.</t>
   </dd>
   <dt>iat:</dt>
   <dd>
@@ -434,10 +462,20 @@ Implementations <bcp14>SHOULD</bcp14> set this to 5 to 15 minutes after "iat"
 to limit the replay window while allowing for reasonable clock
 skew and processing time.</t>
   </dd>
+</dl>
+
+<t>The standard JWT "nbf" (Not Before) claim is not used in ECTs
+because ECTs record completed actions and are valid immediately
+upon issuance.</t>
+
+<dl>
   <dt>jti:</dt>
   <dd>
-    <t><bcp14>OPTIONAL</bcp14>.  String.  A unique identifier for the ECT, useful for
-additional replay detection.</t>
+    <t><bcp14>REQUIRED</bcp14>.  String.  A unique identifier for the ECT in UUID
+format <xref target="RFC9562"/>.  Used for replay detection: receivers <bcp14>MUST</bcp14>
+reject ECTs whose "jti" has already been seen within the
+expiration window.  The "jti" value <bcp14>MUST</bcp14> be unique across all
+ECTs issued by the same agent.</t>
   </dd>
 </dl>
 
@@ -496,7 +534,27 @@ evaluated for this task (e.g.,
   <dt>pol_decision:</dt>
   <dd>
     <t><bcp14>REQUIRED</bcp14>.  String.  The result of the policy evaluation.  <bcp14>MUST</bcp14>
-be one of: "approved", "rejected", or "pending_human_review".</t>
+be one of the values registered in the ECT Policy Decision
+Values registry (<xref target="pol-decision-registry"/>).  Initial values
+are:
+</t>
+
+    <t><list style="symbols">
+      <t>"approved": The policy evaluation succeeded and the task
+was authorized to proceed.</t>
+      <t>"rejected": The policy evaluation failed.  A "rejected" ECT
+<bcp14>MUST</bcp14> still be appended to the audit ledger for accountability.
+An ECT with "pol_decision" of "rejected" <bcp14>MAY</bcp14> appear as a
+parent in the "par" array of a subsequent ECT, but only for
+compensation, rollback, or remediation tasks.  Agents <bcp14>MUST
+NOT</bcp14> proceed with normal workflow execution based on a parent
+ECT whose "pol_decision" is "rejected".</t>
+      <t>"pending_human_review": The policy evaluation requires human
+judgment before proceeding.  Agents <bcp14>MUST NOT</bcp14> proceed with
+dependent tasks until a subsequent ECT from a human reviewer
+records an "approved" decision referencing this task as a
+parent.</t>
+    </list></t>
   </dd>
   <dt>pol_enforcer:</dt>
   <dd>
@@ -524,13 +582,18 @@ inputs and outputs without revealing the data itself:</t>
     <t><bcp14>OPTIONAL</bcp14>.  String.  A cryptographic hash of the input data,
 formatted as "hash-algorithm:base64url-encoded-hash" (e.g.,
 "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg").  The
-hash algorithm identifier <bcp14>SHOULD</bcp14> be "sha-256".  The hash <bcp14>MUST</bcp14> be
+hash algorithm identifier <bcp14>MUST</bcp14> be a lowercase value from the
+IANA Named Information Hash Algorithm Registry (e.g., "sha-256",
+"sha-384", "sha-512").  Implementations <bcp14>MUST</bcp14> support "sha-256"
+and <bcp14>SHOULD</bcp14> use "sha-256" unless a stronger algorithm is
+required.  Implementations <bcp14>MUST NOT</bcp14> accept hash algorithms
+weaker than SHA-256 (e.g., MD5, SHA-1).  The hash <bcp14>MUST</bcp14> be
 computed over the raw octets of the input data.</t>
   </dd>
   <dt>out_hash:</dt>
   <dd>
     <t><bcp14>OPTIONAL</bcp14>.  String.  A cryptographic hash of the output data,
-using the same format as "inp_hash".</t>
+using the same format and algorithm requirements as "inp_hash".</t>
   </dd>
   <dt>inp_classification:</dt>
   <dd>
@@ -553,8 +616,8 @@ milliseconds.  <bcp14>MUST</bcp14> be a non-negative integer.</t>
   <dt>regulated_domain:</dt>
   <dd>
     <t><bcp14>OPTIONAL</bcp14>.  String.  The regulatory domain applicable to this
-task.  Values are drawn from an extensible set; initial values
-include "medtech", "finance", and "military".</t>
+task.  Values <bcp14>MUST</bcp14> be registered in the ECT Regulated Domain
+Values registry (<xref target="regulated-domain-registry"/>).</t>
   </dd>
   <dt>model_version:</dt>
   <dd>
@@ -570,11 +633,17 @@ used to perform the task, if applicable.</t>
   <dt>witnessed_by:</dt>
   <dd>
     <t><bcp14>OPTIONAL</bcp14>.  Array of StringOrURI.  Identifiers of third-party
-entities that observed or attested to the execution of this
-task.  When present, each element <bcp14>SHOULD</bcp14> use SPIFFE ID format.
-In regulated environments, implementations <bcp14>SHOULD</bcp14> use witness
-attestation for critical decision points to mitigate the risk
-of single-agent false claims.</t>
+entities that the issuing agent claims observed or attested to
+the execution of this task.  When present, each element <bcp14>SHOULD</bcp14>
+use SPIFFE ID format.  Note that this claim is self-asserted by
+the ECT issuer; witnesses listed here do not co-sign this ECT.
+For stronger assurance, witnesses <bcp14>SHOULD</bcp14> submit independent
+signed ECTs to the ledger attesting to their observation (see
+<xref target="witness-attestation-model"/>).  In regulated environments,
+implementations <bcp14>SHOULD</bcp14> use witness attestation for critical
+decision points to mitigate the risk of single-agent false
+claims.  See also <xref target="self-assertion-limitation"/> for the security
+implications of self-asserted witness claims.</t>
   </dd>
 </dl>
 
@@ -590,7 +659,13 @@ compensation or rollback action for a previous task.</t>
   <dt>compensation_reason:</dt>
   <dd>
     <t><bcp14>OPTIONAL</bcp14>.  String.  A human-readable reason for the compensation
-action.  <bcp14>MUST</bcp14> be present if "compensation_required" is true.</t>
+action.  <bcp14>MUST</bcp14> be present if "compensation_required" is true.
+Values <bcp14>SHOULD</bcp14> use structured identifiers (e.g.,
+"policy_violation_in_parent_trade") rather than free-form text
+to minimize the risk of embedding sensitive information.  See
+<xref target="data-minimization"/> for privacy guidance.
+If "compensation_reason" is present, "compensation_required"
+<bcp14>MUST</bcp14> be true.</t>
   </dd>
 </dl>
 
@@ -608,16 +683,19 @@ ledger.</t>
   <dd>
     <t><bcp14>OPTIONAL</bcp14>.  Object.  An extension object for domain-specific
 claims not defined by this specification.  Implementations
-that do not understand extension claims <bcp14>SHOULD</bcp14> ignore them.
-To avoid key collisions between different domains, extension
-key names <bcp14>SHOULD</bcp14> use reverse domain notation (e.g.,
-"com.example.custom_field").</t>
+that do not understand extension claims <bcp14>MUST</bcp14> ignore them.</t>
   </dd>
 </dl>
 
-<t>The "ext" claim is a generic extension mechanism; it is not
-registered in the IANA JWT Claims registry because its semantics
-depend on the domain-specific claims within it.</t>
+<t>To avoid key collisions between different domains, extension
+key names <bcp14>MUST</bcp14> use reverse domain notation (e.g.,
+"com.example.custom_field").  Implementations <bcp14>MUST NOT</bcp14> use
+unqualified key names within the "ext" object.  To prevent
+abuse and excessive token size, the serialized JSON
+representation of the "ext" object <bcp14>SHOULD NOT</bcp14> exceed 4096
+bytes, and the JSON nesting depth within the "ext" object
+<bcp14>SHOULD NOT</bcp14> exceed 5 levels.  Implementations <bcp14>SHOULD</bcp14> reject
+ECTs whose "ext" claim exceeds these limits.</t>
 
 </section>
 </section>
@@ -632,6 +710,7 @@ depend on the domain-specific claims within it.</t>
   "aud": "spiffe://example.com/agent/safety",
   "iat": 1772064150,
   "exp": 1772064750,
+  "jti": "7f3a8b2c-d1e4-4f56-9a0b-c3d4e5f6a7b8",
 
   "wid": "a0b1c2d3-e4f5-6789-abcd-ef0123456789",
   "tid": "550e8400-e29b-41d4-a716-446655440001",
@@ -685,6 +764,14 @@ Execution-Context: eyJhbGci...ECT...
 multiple Execution-Context header field lines <bcp14>MAY</bcp14> be included, each
 carrying a separate ECT in JWS Compact Serialization format.</t>
 
+<t>When a receiver processes multiple Execution-Context headers, it
+<bcp14>MUST</bcp14> individually verify each ECT per the procedure in
+<xref target="verification"/>.  If any single ECT fails verification, the
+receiver <bcp14>MUST</bcp14> reject the entire request.  The set of verified
+parent task IDs across all received ECTs represents the complete
+set of parent dependencies available for the receiving agent's
+subsequent ECT.</t>
+
 </section>
 </section>
 <section anchor="dag-validation"><name>DAG Validation</name>
@@ -713,14 +800,26 @@ entire ledger if "wid" is absent).  If a task with the same
 array <bcp14>MUST</bcp14> correspond to a task that has been previously
 recorded in the ledger.  If any parent task is not found, the
 ECT <bcp14>MUST</bcp14> be rejected.</t>
-  <t>Temporal Ordering: The "iat" value of every parent task <bcp14>MUST</bcp14> be
-less than the "iat" value of the current task plus a
+  <t>Temporal Ordering: The "iat" value of every parent task <bcp14>MUST
+NOT</bcp14> be greater than the "iat" value of the current task plus a
 configurable clock skew tolerance (<bcp14>RECOMMENDED</bcp14>: 30 seconds).
-If any parent task has an "iat" that violates this constraint,
-the ECT <bcp14>MUST</bcp14> be rejected.</t>
+That is, for each parent: <spanx style="verb">parent.iat &lt; child.iat +
+clock_skew_tolerance</spanx>.  The tolerance accounts for clock skew
+between agents; it does not guarantee strict causal ordering
+from timestamps alone.  Causal ordering is primarily enforced
+by the DAG structure (parent existence in the ledger), not by
+timestamps.  If any parent task violates this constraint, the
+ECT <bcp14>MUST</bcp14> be rejected.</t>
   <t>Acyclicity: Following the chain of parent references <bcp14>MUST NOT</bcp14>
 lead back to the current task's "tid".  If a cycle is detected,
 the ECT <bcp14>MUST</bcp14> be rejected.</t>
+  <t>Parent Policy Decision: If any parent task has a "pol_decision"
+of "rejected" or "pending_human_review", the current task's
+"exec_act" <bcp14>MUST</bcp14> indicate a compensation, rollback, remediation,
+or human review action.  Implementations <bcp14>MUST NOT</bcp14> accept an ECT
+representing normal workflow continuation when a parent's
+"pol_decision" is not "approved", unless the current ECT has
+"compensation_required" set to true.</t>
   <t>Trust Domain Consistency: Parent tasks <bcp14>SHOULD</bcp14> belong to the
 same trust domain or to a trust domain with which a federation
 relationship has been established.</t>
@@ -745,14 +844,19 @@ function validate_dag(ect, ledger, clock_skew_tolerance):
     if parent.iat >= ect.iat + clock_skew_tolerance:
       return error("Parent task not earlier than current")
 
-  // Step 3: Cycle detection
+  // Step 3: Cycle detection (with traversal limit)
   visited = set()
-  if has_cycle(ect.tid, ect.par, ledger, visited):
-    return error("Circular dependency detected")
+  result = has_cycle(ect.tid, ect.par, ledger, visited,
+                      max_ancestor_limit)
+  if result is error or result is true:
+    return error("Circular dependency or depth limit exceeded")
 
   return success
 
-function has_cycle(target_tid, parent_ids, ledger, visited):
+function has_cycle(target_tid, parent_ids, ledger, visited,
+                   max_depth):
+  if visited.size() >= max_depth:
+    return error("Maximum ancestor traversal limit exceeded")
   for parent_id in parent_ids:
     if parent_id == target_tid:
       return true
@@ -761,8 +865,10 @@ function has_cycle(target_tid, parent_ids, ledger, visited):
     visited.add(parent_id)
     parent = ledger.get(parent_id)
     if parent is not null:
-      if has_cycle(target_tid, parent.par, ledger, visited):
-        return true
+      result = has_cycle(target_tid, parent.par, ledger,
+                          visited, max_depth)
+      if result is error or result is true:
+        return result
   return false
 ]]></sourcecode></figure>
 
@@ -770,7 +876,11 @@ function has_cycle(target_tid, parent_ids, ledger, visited):
 current task's parents.  The complexity is O(V) where V is the
 number of ancestor nodes reachable from the current task's parent
 references.  For typical workflows with shallow DAGs, this is
-efficient.  Implementations <bcp14>SHOULD</bcp14> cache cycle detection results
+efficient.  To prevent denial-of-service via extremely deep or
+wide DAGs, implementations <bcp14>SHOULD</bcp14> enforce a maximum ancestor
+traversal limit (<bcp14>RECOMMENDED</bcp14>: 10000 nodes).  If the limit is
+reached before cycle detection completes, the ECT <bcp14>SHOULD</bcp14> be
+rejected.  Implementations <bcp14>SHOULD</bcp14> cache cycle detection results
 for previously verified tasks to avoid redundant traversals.</t>
 
 </section>
@@ -792,18 +902,29 @@ not a symmetric algorithm.</t>
 public key from a WIT within the trust domain.</t>
   <t>Retrieve the public key identified by "kid" and verify the JWS
 signature per <xref target="RFC7515"/> Section 5.2.</t>
+  <t>Verify that the signing key identified by "kid" has not been
+revoked within the trust domain.  Implementations <bcp14>MUST</bcp14> check
+the key's revocation status using the trust domain's key
+lifecycle mechanism (e.g., certificate revocation list, OCSP,
+or SPIFFE trust bundle updates).</t>
   <t>Verify the "alg" header parameter matches the algorithm in the
 corresponding WIT.</t>
   <t>Verify the "iss" claim matches the "sub" claim of the WIT
 associated with the "kid" public key.</t>
   <t>Verify the "aud" claim contains the verifier's own workload
-identity or an expected recipient identifier.</t>
+identity.  When "aud" is an array, it is sufficient that the
+verifier's identity appears as one element; the presence of
+other audience values does not cause verification failure.
+When the verifier is the audit ledger, the ledger's own
+identity <bcp14>MUST</bcp14> appear in "aud".</t>
   <t>Verify the "exp" claim indicates the ECT has not expired.</t>
   <t>Verify the "iat" claim is not unreasonably far in the past
 (implementation-specific threshold, <bcp14>RECOMMENDED</bcp14> maximum of
-15 minutes).</t>
-  <t>Verify all required claims ("tid", "exec_act", "par", "pol",
-"pol_decision") are present and well-formed.</t>
+15 minutes) and is not unreasonably far in the future
+(<bcp14>RECOMMENDED</bcp14>: no more than 30 seconds ahead of the
+verifier's current time, to account for clock skew).</t>
+  <t>Verify all required claims ("jti", "tid", "exec_act", "par",
+"pol", "pol_decision") are present and well-formed.</t>
   <t>Verify "pol_decision" is one of "approved", "rejected", or
 "pending_human_review".</t>
   <t>Perform DAG validation per <xref target="dag-validation"/>.</t>
@@ -816,6 +937,15 @@ failure <bcp14>MUST</bcp14> be logged for audit purposes.  Error messages
 <bcp14>SHOULD NOT</bcp14> reveal whether specific parent task IDs exist in the
 ledger, to prevent information disclosure.</t>
 
+<t>When ECT verification fails during HTTP request processing, the
+receiving agent <bcp14>SHOULD</bcp14> respond with HTTP 403 (Forbidden) if the
+WIT and WPT are valid but the ECT is invalid, and HTTP 401
+(Unauthorized) if the ECT signature verification fails.  The
+response body <bcp14>SHOULD</bcp14> include a generic error indicator without
+revealing which specific verification step failed.  The receiving
+agent <bcp14>MUST NOT</bcp14> process the requested action when ECT verification
+fails.</t>
+
 </section>
 <section anchor="verification-pseudocode"><name>Verification Pseudocode</name>
 
@@ -842,6 +972,10 @@ function verify_ect(ect_jws, verifier_id,
                                signature, public_key):
     return reject("Invalid signature")
 
+  // Verify key not revoked
+  if is_key_revoked(header.kid, trust_domain_keys):
+    return reject("Signing key has been revoked")
+
   // Verify algorithm alignment
   wit = get_wit_for_key(header.kid)
   if header.alg != wit.alg:
@@ -859,12 +993,14 @@ function verify_ect(ect_jws, verifier_id,
   if payload.exp < current_time():
     return reject("ECT has expired")
 
-  // Verify iat freshness
+  // Verify iat freshness (not too old, not in the future)
   if payload.iat < current_time() - max_age_threshold:
     return reject("ECT issued too long ago")
+  if payload.iat > current_time() + clock_skew_tolerance:
+    return reject("ECT issued in the future")
 
   // Verify required claims
-  for claim in ["tid", "exec_act", "par",
+  for claim in ["jti", "tid", "exec_act", "par",
                  "pol", "pol_decision"]:
     if claim not in payload:
       return reject("Missing required claim: " + claim)
@@ -942,7 +1078,10 @@ workflow agents to reduce the risk of collusion.</t>
 and is the authoritative record.  The other fields ("agent_id",
 "action", "parents") are convenience indexes derived from the
 ECT payload; if they disagree with the JWS payload, the JWS
-payload takes precedence.</t>
+payload takes precedence.  Implementations <bcp14>SHOULD</bcp14> validate that
+convenience index fields match the corresponding values in the
+JWS payload at write time to prevent desynchronization between
+the authoritative JWS and the indexed fields.</t>
 
 </section>
 </section>
@@ -955,8 +1094,8 @@ include additional domain-specific requirements beyond the scope
 of this specification.</t>
 
 <t>Note: task identifiers in this section are abbreviated for
-readability.  In production, all "tid" values <bcp14>MUST</bcp14> be UUIDs per
-<xref target="RFC9562"/>.</t>
+readability.  In production, all "tid" values are required to be
+UUIDs per <xref target="exec-claims"/>.</t>
 
 <section anchor="medical-device-sdlc-workflow"><name>Medical Device SDLC Workflow</name>
 
@@ -1095,9 +1234,9 @@ a cryptographic link to the original task:</t>
 
 <figure title="Compensation ECT Example" anchor="fig-compensation"><sourcecode type="json"><![CDATA[
 {
-  "iss": "spiffe://bank.com/agent/operations",
-  "sub": "spiffe://bank.com/agent/operations",
-  "aud": "spiffe://bank.com/system/ledger",
+  "iss": "spiffe://bank.example/agent/operations",
+  "sub": "spiffe://bank.example/agent/operations",
+  "aud": "spiffe://bank.example/system/ledger",
   "iat": 1772150550,
   "exp": 1772151150,
   "wid": "d3e4f5a6-b7c8-9012-def0-123456789012",
@@ -1106,7 +1245,7 @@ a cryptographic link to the original task:</t>
   "par": ["550e8400-e29b-41d4-a716-446655440003"],
   "pol": "compensation_policy_v1",
   "pol_decision": "approved",
-  "pol_enforcer": "spiffe://bank.com/human/compliance-officer",
+  "pol_enforcer": "spiffe://bank.example/human/compliance-officer",
   "compensation_required": true,
   "compensation_reason": "policy_violation_in_parent_trade"
 }
@@ -1119,7 +1258,7 @@ violation discovery to remediation.</t>
 </section>
 <section anchor="autonomous-logistics-coordination"><name>Autonomous Logistics Coordination</name>
 
-<t>In a logistics workflow, multiple compliance checks must complete
+<t>In a logistics workflow, multiple compliance checks complete
 before shipment commitment.  The DAG structure records that all
 required checks were completed:</t>
 
@@ -1198,8 +1337,42 @@ evaluating the policy).</t>
 of the signing agent.  To mitigate single-agent false claims,
 regulated environments <bcp14>SHOULD</bcp14> use the "witnessed_by" mechanism
 to include independent third-party observers at critical decision
-points.</t>
+points.  However, the "witnessed_by" claim is self-asserted by
+the ECT issuer: the listed witnesses do not co-sign the ECT and
+there is no cryptographic proof within a single ECT that the
+witnesses actually observed the task.  An issuing agent could
+list witnesses that did not participate.</t>
 
+<section anchor="witness-attestation-model"><name>Witness Attestation Model</name>
+
+<t>To address the self-assertion limitation of the "witnessed_by"
+claim, witnesses <bcp14>SHOULD</bcp14> submit their own independent signed ECTs
+to the audit ledger attesting to the observed task.  A witness
+attestation ECT:</t>
+
+<t><list style="symbols">
+  <t><bcp14>MUST</bcp14> set "iss" to the witness's own workload identity.</t>
+  <t><bcp14>MUST</bcp14> set "exec_act" to "witness_attestation" (or a domain-
+specific equivalent).</t>
+  <t><bcp14>MUST</bcp14> include the observed task's "tid" in the "par" array,
+linking the attestation to the original task.</t>
+  <t><bcp14>MUST</bcp14> set "pol_decision" to "approved" to indicate the witness
+confirms the observation.</t>
+</list></t>
+
+<t>When a task's "witnessed_by" claim lists one or more witnesses,
+auditors <bcp14>SHOULD</bcp14> verify that corresponding witness attestation
+ECTs exist in the ledger for each listed witness.  A mismatch
+between the "witnessed_by" list and the set of independent witness
+ECTs in the ledger <bcp14>SHOULD</bcp14> be flagged during audit review.</t>
+
+<t>This model converts witness attestation from a self-asserted claim
+to a cryptographically verifiable property of the ledger: the
+witness independently signs their own ECT using their own key,
+and the ledger records both the original task ECT and the witness
+attestation ECTs.</t>
+
+</section>
 </section>
 <section anchor="organizational-prerequisites"><name>Organizational Prerequisites</name>
 
@@ -1226,10 +1399,12 @@ in a manner that preserves their integrity.</t>
 specified in the agent's WIT.  Receivers <bcp14>MUST</bcp14> verify the ECT
 signature against the WIT public key before processing any
 claims.  Receivers <bcp14>MUST</bcp14> verify that the signing key has not been
-revoked within the trust domain.</t>
+revoked within the trust domain (see step 6 in
+<xref target="verification"/>).</t>
 
-<t>If signature verification fails, the ECT <bcp14>MUST</bcp14> be rejected entirely
-and the failure <bcp14>MUST</bcp14> be logged.</t>
+<t>If signature verification fails or if the signing key has been
+revoked, the ECT <bcp14>MUST</bcp14> be rejected entirely and the failure <bcp14>MUST</bcp14>
+be logged.</t>
 
 <t>Implementations <bcp14>MUST</bcp14> use established JWS libraries and <bcp14>MUST NOT</bcp14>
 implement custom signature verification.</t>
@@ -1247,9 +1422,9 @@ reject ECTs that are too old, even if not yet expired.</t>
 referencing parent tasks that already have a recorded child task
 with the same action can be flagged as a potential replay.</t>
 
-<t>Implementations <bcp14>SHOULD</bcp14> maintain a cache of recently-seen "jti"
-values (when present) to detect replayed ECTs within the
-expiration window.</t>
+<t>Implementations <bcp14>MUST</bcp14> maintain a cache of recently-seen "jti"
+values to detect replayed ECTs within the expiration window.
+An ECT with a duplicate "jti" value <bcp14>MUST</bcp14> be rejected.</t>
 
 </section>
 <section anchor="man-in-the-middle-protection"><name>Man-in-the-Middle Protection</name>
@@ -1336,6 +1511,12 @@ judgments.  Implementations <bcp14>SHOULD</bcp14> use synchronized time sources
 (e.g., NTP) and <bcp14>SHOULD</bcp14> allow a configurable clock skew tolerance
 (<bcp14>RECOMMENDED</bcp14>: 30 seconds).</t>
 
+<t>Cross-organizational deployments where agents span multiple trust
+domains with independent time sources <bcp14>MAY</bcp14> require a higher clock
+skew tolerance.  Deployments using trust domain federation <bcp14>SHOULD</bcp14>
+document their configured clock skew tolerance value and <bcp14>SHOULD</bcp14>
+ensure all participating trust domains agree on a common tolerance.</t>
+
 <t>The temporal ordering check in DAG validation incorporates the
 clock skew tolerance to account for minor clock differences
 between agents.</t>
@@ -1345,8 +1526,11 @@ between agents.</t>
 
 <t>ECTs with many parent tasks or large extension objects can
 increase HTTP header size.  Implementations <bcp14>SHOULD</bcp14> limit the "par"
-array to a reasonable size and <bcp14>SHOULD</bcp14> set maximum size limits for
-the "ext" object to prevent abuse.</t>
+array to a maximum of 256 entries.  Workflows requiring more
+parent references <bcp14>SHOULD</bcp14> introduce intermediate aggregation
+tasks.  The "ext" object <bcp14>SHOULD NOT</bcp14> exceed 4096 bytes when
+serialized as JSON and <bcp14>SHOULD NOT</bcp14> exceed a nesting depth of
+5 levels (see also <xref target="extension-claims"/>).</t>
 
 </section>
 </section>
@@ -1383,6 +1567,16 @@ The "exec_act" claim <bcp14>SHOULD</bcp14> use structured identifiers (e.g.,
 The "pol" claim <bcp14>SHOULD</bcp14> reference policy identifiers rather than
 embedding policy content.</t>
 
+<t>The "compensation_reason" claim (<xref target="compensation-claims"/>)
+deserves particular attention: because it is human-readable and
+may describe the circumstances of a failure or policy violation,
+it risks exposing sensitive operational details.  Implementations
+<bcp14>SHOULD</bcp14> use short, structured reason codes (e.g.,
+"policy_violation_in_parent_trade") rather than free-form
+natural language explanations.  Implementers <bcp14>SHOULD</bcp14> review
+"compensation_reason" values for potential information leakage
+before deploying to production.</t>
+
 </section>
 <section anchor="storage-and-access-control"><name>Storage and Access Control</name>
 
@@ -1582,6 +1776,66 @@ the "JSON Web Token Claims" registry maintained by IANA:</t>
       <c>Compensation Reason</c>
       <c>IETF</c>
       <c><xref target="compensation-claims"/></c>
+      <c>ext</c>
+      <c>Extension Object</c>
+      <c>IETF</c>
+      <c><xref target="extension-claims"/></c>
+</texttable>
+
+</section>
+<section anchor="pol-decision-registry"><name>ECT Policy Decision Values Registry</name>
+
+<t>This document establishes the "ECT Policy Decision Values"
+registry under the "JSON Web Token (JWT)" group.  Registration
+policy is Specification Required per <xref target="RFC8126"/>.</t>
+
+<t>The initial contents of the registry are:</t>
+
+<texttable title="ECT Policy Decision Values" anchor="_table-pol-decision">
+      <ttcol align='center'>Value</ttcol>
+      <ttcol align='left'>Description</ttcol>
+      <ttcol align='center'>Change Controller</ttcol>
+      <ttcol align='center'>Reference</ttcol>
+      <c>approved</c>
+      <c>Policy evaluation succeeded</c>
+      <c>IETF</c>
+      <c><xref target="policy-claims"/></c>
+      <c>rejected</c>
+      <c>Policy evaluation failed</c>
+      <c>IETF</c>
+      <c><xref target="policy-claims"/></c>
+      <c>pending_human_review</c>
+      <c>Awaiting human judgment</c>
+      <c>IETF</c>
+      <c><xref target="policy-claims"/></c>
+</texttable>
+
+</section>
+<section anchor="regulated-domain-registry"><name>ECT Regulated Domain Values Registry</name>
+
+<t>This document establishes the "ECT Regulated Domain Values"
+registry under the "JSON Web Token (JWT)" group.  Registration
+policy is Specification Required per <xref target="RFC8126"/>.</t>
+
+<t>The initial contents of the registry are:</t>
+
+<texttable title="ECT Regulated Domain Values" anchor="_table-regulated-domain">
+      <ttcol align='center'>Value</ttcol>
+      <ttcol align='left'>Description</ttcol>
+      <ttcol align='center'>Change Controller</ttcol>
+      <ttcol align='center'>Reference</ttcol>
+      <c>medtech</c>
+      <c>Medical technology and devices</c>
+      <c>IETF</c>
+      <c><xref target="operational-claims"/></c>
+      <c>finance</c>
+      <c>Financial services and trading</c>
+      <c>IETF</c>
+      <c><xref target="operational-claims"/></c>
+      <c>military</c>
+      <c>Military and defense</c>
+      <c>IETF</c>
+      <c><xref target="operational-claims"/></c>
 </texttable>
 
 </section>
@@ -1599,45 +1853,6 @@ the "JSON Web Token Claims" registry maintained by IANA:</t>
 
 
 
-<reference anchor="RFC2119">
-  <front>
-    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
-    <author fullname="S. Bradner" initials="S." surname="Bradner"/>
-    <date month="March" year="1997"/>
-    <abstract>
-      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
-    </abstract>
-  </front>
-  <seriesInfo name="BCP" value="14"/>
-  <seriesInfo name="RFC" value="2119"/>
-  <seriesInfo name="DOI" value="10.17487/RFC2119"/>
-</reference>
-<reference anchor="RFC8174">
-  <front>
-    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
-    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
-    <date month="May" year="2017"/>
-    <abstract>
-      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
-    </abstract>
-  </front>
-  <seriesInfo name="BCP" value="14"/>
-  <seriesInfo name="RFC" value="8174"/>
-  <seriesInfo name="DOI" value="10.17487/RFC8174"/>
-</reference>
-<reference anchor="RFC3339">
-  <front>
-    <title>Date and Time on the Internet: Timestamps</title>
-    <author fullname="G. Klyne" initials="G." surname="Klyne"/>
-    <author fullname="C. Newman" initials="C." surname="Newman"/>
-    <date month="July" year="2002"/>
-    <abstract>
-      <t>This document defines a date and time format for use in Internet protocols that is a profile of the ISO 8601 standard for representation of dates and times using the Gregorian calendar.</t>
-    </abstract>
-  </front>
-  <seriesInfo name="RFC" value="3339"/>
-  <seriesInfo name="DOI" value="10.17487/RFC3339"/>
-</reference>
 <reference anchor="RFC7515">
   <front>
     <title>JSON Web Signature (JWS)</title>
@@ -1652,6 +1867,18 @@ the "JSON Web Token Claims" registry maintained by IANA:</t>
   <seriesInfo name="RFC" value="7515"/>
   <seriesInfo name="DOI" value="10.17487/RFC7515"/>
 </reference>
+<reference anchor="RFC7517">
+  <front>
+    <title>JSON Web Key (JWK)</title>
+    <author fullname="M. Jones" initials="M." surname="Jones"/>
+    <date month="May" year="2015"/>
+    <abstract>
+      <t>A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.</t>
+    </abstract>
+  </front>
+  <seriesInfo name="RFC" value="7517"/>
+  <seriesInfo name="DOI" value="10.17487/RFC7517"/>
+</reference>
 <reference anchor="RFC7519">
   <front>
     <title>JSON Web Token (JWT)</title>
@@ -1786,6 +2013,49 @@ been incorporated into this document. This document obsoletes RFC
    <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-s2s-protocol-07"/>
    
 </reference>
+<reference anchor="RFC2119">
+  <front>
+    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
+    <author fullname="S. Bradner" initials="S." surname="Bradner"/>
+    <date month="March" year="1997"/>
+    <abstract>
+      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
+    </abstract>
+  </front>
+  <seriesInfo name="BCP" value="14"/>
+  <seriesInfo name="RFC" value="2119"/>
+  <seriesInfo name="DOI" value="10.17487/RFC2119"/>
+</reference>
+<reference anchor="RFC8174">
+  <front>
+    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
+    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
+    <date month="May" year="2017"/>
+    <abstract>
+      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
+    </abstract>
+  </front>
+  <seriesInfo name="BCP" value="14"/>
+  <seriesInfo name="RFC" value="8174"/>
+  <seriesInfo name="DOI" value="10.17487/RFC8174"/>
+</reference>
+<reference anchor="RFC8126">
+  <front>
+    <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
+    <author fullname="M. Cotton" initials="M." surname="Cotton"/>
+    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
+    <author fullname="T. Narten" initials="T." surname="Narten"/>
+    <date month="June" year="2017"/>
+    <abstract>
+      <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
+      <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
+      <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
+    </abstract>
+  </front>
+  <seriesInfo name="BCP" value="26"/>
+  <seriesInfo name="RFC" value="8126"/>
+  <seriesInfo name="DOI" value="10.17487/RFC8126"/>
+</reference>
 
 
 
@@ -1809,18 +2079,6 @@ been incorporated into this document. This document obsoletes RFC
   <seriesInfo name="RFC" value="3552"/>
   <seriesInfo name="DOI" value="10.17487/RFC3552"/>
 </reference>
-<reference anchor="RFC7517">
-  <front>
-    <title>JSON Web Key (JWK)</title>
-    <author fullname="M. Jones" initials="M." surname="Jones"/>
-    <date month="May" year="2015"/>
-    <abstract>
-      <t>A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.</t>
-    </abstract>
-  </front>
-  <seriesInfo name="RFC" value="7517"/>
-  <seriesInfo name="DOI" value="10.17487/RFC7517"/>
-</reference>
 <reference anchor="RFC8693">
   <front>
     <title>OAuth 2.0 Token Exchange</title>
@@ -1982,7 +2240,7 @@ been incorporated into this document. This document obsoletes RFC
 </references>
 
 
-<?line 1432?>
+<?line 1649?>
 
 <section numbered="false" anchor="related-work"><name>Related Work</name>
 
@@ -2069,11 +2327,12 @@ use cases are distinct.</t>
 
 <section numbered="false" anchor="minimal-implementation"><name>Minimal Implementation</name>
 
-<t>A minimal conforming implementation should:</t>
+<t>A minimal conforming implementation needs to:</t>
 
 <t><list style="numbers" type="1">
   <t>Create JWTs with all required claims ("iss", "aud", "iat",
-"exp", "tid", "exec_act", "par", "pol", "pol_decision").</t>
+"exp", "jti", "tid", "exec_act", "par", "pol",
+"pol_decision").</t>
   <t>Sign ECTs with the agent's private key using an algorithm
 matching the WIT (ES256 recommended).</t>
   <t>Verify ECT signatures against WIT public keys.</t>
@@ -2112,10 +2371,11 @@ latency.</t>
 </section>
 <section numbered="false" anchor="interoperability"><name>Interoperability</name>
 
-<t>Implementations should use established JWT/JWS libraries (JOSE)
-for token creation and verification.  Custom cryptographic
-implementations should not be used.  Implementations should be
-tested against multiple JWT libraries to ensure interoperability.</t>
+<t>Implementations are expected to use established JWT/JWS libraries
+(JOSE) for token creation and verification.  Custom cryptographic
+implementations are strongly discouraged.  Implementations are
+expected to be tested against multiple JWT libraries to ensure
+interoperability.</t>
 
 </section>
 </section>
@@ -2418,447 +2678,525 @@ tracing is built.</t>
   </back>
 
 <!-- ##markdown-source:
-H4sIAAAAAAAAA8192Xbb2JXoO74CTT+EvCEoUYPtolPVLUtyWRXLViS5nOp0
-LTVIQhTKJMAAoGTGcX/L/Zb7ZXePZwBASXaStbpWUiWSwBn22WfPQxRFQZVW
-82QUdo4/JZNVleZZeJhnVfKpCi/zj0lWhtd5ER6lZVWk41WVTMODWZJV6ST8
-kBcfr+f5XdkJ4vG4SG5hkA8npxfHYWOoTjCJq2SWF+tRWFbTYJpPsngBs06L
-+LqKsiTLkkWcZdFduiiTKNH3owm/H21vB+VqvEjLEr6t1kt49eT48lWQrRbj
-pBgFUxh+FMAKdoO4SGJYyQUMUaTVuhN8TNZ3eTEdBWEYhWboUIamb+H3j/M8
-nobpFPdWrenbWDZ6pxvlb1fTtAqrIk7n9HmSL5bzNM4mCX0sktlqHiOcynVZ
-JYsyCOJVdZMXND/8PwyvV/M5b//wpgDAwsvhWwUBPZEXszhL/xbjQmGn2TRZ
-JhkuLTxPyiQuJjdJQQ/CK+l8FKZJdf0fBoqDaRIEWV4s4P3bBOc9f3W4Mxx+
-J38+Hz7bkz93d3f122f7w337p/Ptc/nzu/2nO/rncLiNf55ERwOcW84NF9by
-dblTRssir/JJPh8FQZpd19a2u7+/Y+d7pst8+t2uzre3M9SBs1RnSyM6oUgP
-DZ+4ODt59ep4RMBRzCZUSMKzIp+uJnT2J/JG+KqAc8DzJSw/vk2KdZ4lYZeH
-6XV4nLiYJdUovKmqZTna2iqX6fV1MkjzLcDjcgtPu6zk2yge56tqK4eRbtPk
-bosGIOwMr+N5iThy/D46OIkODi/9VZ4z4uDyusfve+HO9s7e1vDp8+/C/Dqs
-bpLweFXkywRw5SwuAOEWiA5xNtWfD/NVNknn4Txep9ksnOZ3WXgTF4s8S0vA
-xmI1T8oQBo+LKr1OJ2k8D1O4AfN5CkCcwJ4P7A8n7g8Hk2oDIJJVEc2TT4ME
-VxbDf7aSeboFN2DLLN7ZP34XbT+Nhrv0pb0V+E+EOD/auEfdXB0U7zOAFwzx
-6ugg2hkevjofDn2oXuJ/w51hH4aYJvj+q2SaFLBHC++yj9NVIbwbHs+TSVUA
-zCbwwATIRvnC/e4inWVxBdhUtkPk7u5ukEyui8Esv90CrCtgA1u0Flje1uQm
-XlZJEZ1sATHTDwdbS5g8Gg5bUGUDlN4PLgbhqzyfEmyOitUsPJgu0gyJNO0I
-Hj89eXVyFJ2c+OA4SgvYC9w8OI3h3tbT/a3j91+JX4BCi7j4mFQl4E94nWZA
-+hiZYPYVvlWG3dMUZg9PTr4KcaZpsSXL8tBmCGizHw33//loc/Tu/ODBW7iz
-tbO/v4f7nqaztIKtwiAMZ/gbUCGdp3RRkITgNBYmJQAbvuziPN9yh3hq/w7t
-REP4394/HxhAl06Pzh8Cx/DZ1rO9fcKCZJpOYJPT5DadJHjoR+ffsEke0D/w
-Z9E2nvk/f4/vzo7fXh6/OT49vjz/xd/qO2Cxl8k8WSRVsQ4vlskEqSHtvX1T
-MDKSSX7BcIMSXiy3cvihjfZv2M7hPF9Nw7fEE2EPiyWIKEDDX8FupnqhDVMt
-J2lVEa9NK8AvIEbAVKMIJJMx3v9JFQSXN2kJHGBC1xEOCDASDmijhNc9Prws
-e32AIMhHFXyDM1Y5gfCDikaGZ8KtP13NqzS8IAEnPM5uU6COcvNJAuwF7vLo
-YkwdCbIhWOGYRnAKEmfAAeAlLC4E+eEW+Hw4KdbLKp8V8fIGBoBv4aTxsOPy
-o5XtAqDbSdEPl/k8nazDBAWOSSKwmKQl03zEFyu8gVwKk4fxpMjLMmDBospZ
-wsDHFqtMsAGW9HLNgJriKbHM24BTIMC9S6ubptgZTuYxSDG48Z8u3r0NPyRj
-Po2w+9OHy17AIlIfjgBOsnSREbYTj5GXNyTNEI4M5MGsgv8HSIwJ+lNXYoVn
-buIqLFfLZV5U7vZBYDFTDAKC+aoEeMDBIcvAYSbrCcAzJOADTTv4sReaWXDu
-IlkCNUR44XEEKrRO0gSgXRA3NUdyG89XvB0Ql2AZsB9YVxJPbswRBcsc9sLn
-hJIKzAsHRODcAHKDzx9OLnv4XmAeOSNMMb+fwe+rEk8PcbwEAhKWwNrxiwXI
-CXN6uY5r6SLFC4o4eRBmyV34+vLyLLxJYkA2IPrJfNoPzB2L5I71Q7yKdAOn
-zCGKOCsR+jgZwTme59msBOwOkk+oDhic4qHNHQDNBs4DLtVNRoR3vErnhIHj
-eT75SCcbyMkCwOGqAQkAuGZ5FY7h2lZlMr9G/IMpKriHfff4EayBYBSoaeG1
-CsblgInLIp1O56BXPEHh0EjS8PlJeJoDWJhMAeX5ZpJhpgw/f25RLL58USIA
-qJ+PV2Vl1DbSsIikMEpVN0W+mt08AkHMI0ETQQDstBs6ihLl+UmCJEH+DFWl
-CRrLdRUeWLbS35v8ziy5DJ01w8Ej4ufwRSEUKIQDnocgI4JY5WCqLjcyO3Kx
-PKJNRExHHOTEM3yd3yW3SBQbui7hX2JxJZ5O4RqXDjmNJxPgRFU8BkmnWgNc
-/pjld7iku5s8BFkIiRUSCFAuWL8yY+GJJcEd0py7GFlSBmhHH4UQ4LfxErAw
-mfaBF8JvCUHB0aqL5K8roEGMLHdJgfe1Sku4cNMGzQiJZsB2zw1xdLkJIOKk
-SGIE53wNLy3n+RoPIs/yRb4qmTExjQwmOdArkOQMU/C0crx+xJ2LlAgCofcS
-VA17hyxCl0BU6IokdIhZIqTAodGWQTChLJGnE/6BgH6PZgZ3xeiTgGr45ARW
-MdwBiUEAB4iXzm6iIgUWeXDiMosxnHqCdA8WQHR1Ei/5kGFTMABxGjxnBBFq
-7BNZHX4HtwUQii5wZ57Pyk4PDi+d0xbhXZ4GiZ9Iy9lsoFti/eXoAPSyEHQ2
-1b5gL44eB7vRDcBwExKKQF2CneNwiC5VCmyjihfLVh6XWqvJfE3QIAaEB4Ay
-Gb/el9XBYeh1YIbDiAxDxXCX4O3uRcKoPRwOhtvdpNczuzm12tArI/mfONqQ
-VbqsXgRDfv6sOpqzVeAjhc/JFSFIzEHeIUuDEUg7Q1FHtowMolxdI6oQF85F
-VkB+j0SrRMrOAqgeMU4Emi0CwF45s7UjUXjeOQrPuVV4EP9Yt4HN4H83YqBV
-iQjIMDfOfBMDTAB3ZohPRBDoB9wKbxrF3sNLOoxbfovOBm5rPMd7t0nSdQXZ
-UAVZouOeXEr3XMgdTZyEs3gJ16K6S4CCtlDKbHofWZQpHMKuJOUFC3J2UXKo
-TBrheaBGKaA0HDd9IwIszlenliI6JVPY/UEpayNiCC8zK9psIvvypS+cRayf
-8E5TGl8gc43nd/G6RBoBiJMiFuFqSMIrbmF2FkoCFcxj0AeBXWVpuUCIKxOh
-bTsUXOiMK1kFcVmuCsQ7PFCQJ4CLwXSL8AIlcnwJj7lIQPjPCzohBCQISrhh
-sbEgDyly4ASMWFY0ls0FQvWAqg7vPShfbBKaYQ6JNThAHgAhnRiJgiBMMKMr
-ww4Zx+G7tNSL9rdk2qFRYUB63zzDmASLvETt5c/9EPgJsL4zPutf+jgoyFl4
-Od6tKiB/4X8OOkGwA5O+zVFfQfYzdeBOUBEAtEvbbF3eJHEz90SwwmkiQxP1
-RzEDjmeXJ2+b0ztUAhDwjo9EVgDpWTJDaQWXUOTz+TgGodXoYzgCQAtIARAJ
-IXEw37FKxPkY8U7uGjycA50vV7B4FCsc3RI1YHgehDJP17fSI6MzD0OKaTJe
-MQVC/BZiiCMwJhgxpql9OngLoiLPi7wlxtPH025ChJltnwYlzlVEyS1dTr7s
-+L1hybA6VyRnFldOgKYXaS535WICDIxePUApaiIA2kAYrVDRbgogS0AvZOUz
-7H7+DIQy4k9fvvTgXVD6HJ2P1BnEXaPqrZlyISDg7Wk8iwD1UrZh8AiC3XBT
-Jx8Z3axIAa8wxkasHfMbJ6L74WqJelhqbgizEbWQVX/+zNQvtS/ySAeZr7Kh
-yR/Yi9HI8FW07kT8gLxEYJ8n0xm8gkMW1/EkCT2pFN7jByLzAL5M2tA1oDpL
-y8ie4e4hIy/NseGXcJVAt5qilkb7omMyyktNuSF1WPdNiIn3BxE2Cv9IfEQu
-gz68iDO4xkRH4fALpO3THKWLEKUnEPDKG2M/8549BMEU54ELOU+vE1T/E/cJ
-xL/zRGzoN+kSr/C5xddDK8IHrfqrwzCQwE6Aa7cYJmCLcIiLMhjLdglVrOjc
-byE8coEsqxZ2q5q0XGsYEUALqDJH2m0147piDKBZtyrHgAXXoJDAc8R9K/fO
-wf08rA1DxNZ5pbDWVSMp+UpGgHwaiGXZN/IRsQV4G50Q/dBeLyYgM/Q8ZTTl
-AhQdfCgYJ+s8Y8mX8Y6so3W7kqi7zjbNSsugvjk6S8R1uPVTFiIdBYcpmHdF
-+gGRvJztXiKhA3ToV2MJUcWOZLEycQBEvMA1BDLZnNBmaExPiTJUiGQWoimB
-5YK81bWigacpsCFszSvEzcjggR3cCAD5hMSPKfGgpJzAtSO9RF9tTEwCHGAi
-6gOk7ppHmdFex4Am6B5eO2o16lNknFStRE6qwqsMWAgHk6GoBYBAaiaGRd4S
-efxwgJaHCR/E6MXTx4IlTDiRvvBjwRhkK6SYrDETAjhqNXIi5COoDRIrJ68U
-cpyUNRWigx8B4HekyHRO319cdvr83/DtO/r7/PhP70/Oj4/w74vXB2/emD8C
-eeLi9bv3b47sX/bNw3enp8dvj/hl+Db0vgo6pwe/dPh6dN6dXZ68e3vwptO4
-r4TSrBQTEQdJl0BeBuZo8Z2Xh2f/7/8O90DS/jfxqoNowR/Qrw4f7oBa82x5
-BgfJH0l6BCE1iQuSr1AEj5eoXKElGjD/hvy1cN8Amv/nLwiZX0fhH8aT5XDv
-B/kCN+x9qTDzviSYNb9pvMxAbPmqZRoDTe/7GqT99R784n1WuDtf/uHfQT5M
-wmj4/N9/COq8Eg5gwRxjVbYQV+CQJEWPghFydceEo0pbny8l212VsZLW3Wpb
-lFsrInlJYg3b7kkadiRgFNZpWuS0E0QSkNtT4upWWhaOBsi/QkE7zUB6L0WB
-QpmedO+chHqkbEdqYz8QG/uP1sbOc7HR3YpextZOwNokg90hQqEhB2QThqa1
-5pO0GRJTF32KxO175EJeSc1d8fmzBIwYQ+eU+WrDb0HadmjMGb7LBt6tyHZj
-CXabkwB1XpLH3pC4pce/xK1HeN1AhV4sVhVZPeY5WanwrhHraJwmAAotVQkd
-nlF/+4xyKB02pG/fZwQv+26TQKTbQyPdMswcvcrMTWcDX2zcLGgRBlxioMMR
-MtwMTLXBuM22bZ6WheSJFeOIeSK5N9fkd6UVJg18iFnA3CwmunM5VnI2krsT
-kTcugv8tc7SniPEFH3UA+tcVSJ3RPLlNMHzKl23xdpF8ekQTe5vIAd7Lysf7
-ONtgk12L2IanexMjhzabTEFpQ9MKcWGQ+tmHhxYLiR0CjOY/vnxB+5gjLyMg
-0grZJ68MoFVMI4zeWIcyOl17VlXVWFVhdFCpVigrkoaEm3QN+o5gG0+nqWym
-Zl9CLsvAOHCNWK569PlJU/MhMZ3fc/zJwWW7SWyT68VVIB9wqxAMyB7Sjmew
-cx/TVB3pdk7CeMHxheGfiea7P//S6bmTt3j0nJkdFBRRZ1mQgAqzoyQCuns+
-SUmoYlQhKw6uQCRuegefRLSVJdECyNIf3eTLumJ2m8YsU93jKmrhP76zqM4H
-XanTxQZyIjBJJ3pEcjQifpUHVj/21UzHucNEeoMriA753GjlZP0S65i1feVG
-F08Lz5KGBh5z1O44j3D9AlQRwmL59vW8posEHn2TZh/xMc/IhHRG7UvGju9Y
-l4i307U4NvbYU/T6iorBrn0BIYAJryRTm42nMY/XSRGo4ZhkaAUp/WRE65it
-NDQG/QLA/p//+R/Ax0mawmWrgt9HX/3P74O/q03zDc3W1ZvZCzf+83d8CV+7
-HIX+xetyKONoa6uabtHBb33qddx3zvgdvmr3Xxl86Zu2tHHZG364/WbIodYk
-cLPyz4F3wL3wL2RQw7CgXwUK8BoGGFoxBnU/N+gBNHDQ8nxw8z/+VSDXp/B8
-Zfcdfet/OexYDjNoZ2QvvvZN9BMwdA5UKGPZjY0IsWNq63gvfdPy4F4Fn0fh
-k+t0FtFdKznY63sTpq6332OotJey80VsqK7PZqVuIiGvbshIX+hGGf70QbXw
-gD33xlSPv8h4Qjgc8bkvFjgmfqVoLCL4kOt6vmJhxeGKLGTUCPl1yj7/J088
-6eAMpdAShARHPIhINC1hswckWNpIm/JhY6sJtEAbgeVZxq7n2Jth5J/emZCW
-sPMxBRQH0QlGAlUvJPXW2JuYX6/GcEmEXdt9wez5wppMfodwuhy483RAxOuI
-nYnGxTgmu40WWMEkavI2UuDJkSMI9rwJaNBxErqecxNGJGIGrZrEXmDIYahe
-a3/hZ/7CjTFmPkMH7c0i7Howg+8dmPVoHTA2rHvCC7AvWqU5qUm6DK0PwK4p
-XoOo9CL+yE5Tso6LjE4XMpOYlBl5KHC0Cj1xQcViF4kfcVGkZrYUZXzU+8jf
-3QiQKhvsjh45lynpbNU9BvPzny8xWrIR+TJCyvAHlNosuzn4wX3SiYYZwZNn
-l0b/OVCWVeI54UuNuC0eHo+l8CUh1PunP3jExfEZGBJD+3rNW7+oQBSBAToi
-3sGISXpr7W5d2WdP1EmyGLAWbxyWlxyuBJvgeCmWHnojlINR18BQHNf5SPIG
-GxfZ4yYgTp3IowE7E3GTXd8/DeNK+LtsWkYmJ3XNI82JKJaVWac17nOq8YDW
-yIA+RNHf0WtFNBNRSzY/ZacM60suSyANaJOF4hVf4M9PHJcVE7UNLyAgWmMv
-XZocyB2PvYdNFgC+cGFf2AdFycZqofUfo3EvYFvxXHRU2Dq8wkN5P4Rq4UPK
-YvRlZJFMyIkSCD59fvJbDpqDeKkYp+oUloZDLI+FDFj6bEiI3MbfSlAIP8Mx
-EoXBVLCLnf2nnT5+U62X+I3Ny/r9b3cV/4QkHH7iAIM4gosUpdNouLPbCb74
-14NXJBfDLFQ2c/wpRv0F7wZMj5q1mjXFzq1R96WBeo3OAaqQv6FiMAww+wF3
-30YYN9PEMDwxehTrDDSIeqQIJuakn3/5IqsjmKEhCPA/8Q6xk4Eu1YHHLtYL
-jBFHj7GuAzTWZDAb9MPXOCyC8/XF7vM9/Lw/3Ok1kIGsmSQviVMFPuuoaOQw
-aSmENTBxVCRLuDpqVoFjrEHWMLGEKH39hPG7KbveV2l5w7EeIRNo5gkoy2Am
-XtknOyc8a8I7LLOdGK8AebNDesPh+wQ1xHBAppajr7F+FRD0hrGIwCoHLAyH
-9+UCc17P6Lzei94rhKYgtXCe5x/D1VIIpThnvKExUs/gXs3ghzcTAHHIThe4
-mHeVOq/tvVzGa5I45DqW4TjXIOYINVcYjKK0XDFRBEgv4qgePH6vvZUWJ5af
-6NDOwkut2xla5vZMu4ouGuGdZgGGk65JCwqClG1izvFdVGiBfle8Pz+Rw2TL
-m0nNOLxETpLCDZWx5fgci5EVxQwNQ7oOD/63UVH/QNJwxNLwD1t/gG3e/PDf
-NGVa1ulAp1yN8bKycCgr8eVIeAJ3ov6K1p3AM78hktitIItGkUrA01cSBJc1
-Zr3YkUoHmBJaR3dnFjRggFAVk/utBY7idmXjcLrEWL9u2fNXc7leii+cI04/
-iQlHIIk2OGsEp2ckwgGG1hhaoB61Rb5dLQD9J0fA6NUJmYLMi9G9dJIyP7k5
-6binSFf1GqjlPxaTlfVo9sMyFyjFQHuYlsJtx8Q7JDvoQ6PfNSAL3ahFwvIG
-mrX4Ad+jME5mMd6C5FOd9jW3Ac+koiXRjhxYtjAG8ZMR6UQsAyqyj/8a7oeL
-NCP/UXyN5I22w1GWc8wekD0sQXYDSplNyQ2AMbOx3kM2ksfAkUmNnmBkPxL4
-j8mduo8maNdECggLhe39VqWtCEuhaassBbHPU5/kuOn+AWu5Xs2FNDuWZ1ni
-NKk46lVoSVOUMnQPwe4TPktbhJyQ++k+igV05I7ZQPtmDMY62yEZdwZa6BJZ
-41zsj8QpAYnRqk/B3on14NVuqqFscfj+/ckRWWgl2Zl4BmtK49IoQJ0KVVcG
-LLnSnTAHhCIFs5fhbJ6P6f5J8DgZ/2HVRWKl2arB9JzdmgHkDAm7nZ3DRZYF
-i+7qr/sY7an0Dm2QQm1jHYv3QNcM8Zv2CBIAfJeWFjLOHvGo0JY8VblcwflC
-b6d5XWHlvK0glkSsqdkbwsuCx8AFkekKKMMm4CB6SaaBRqCRXOFAR3z2GBYV
-mvhNIYE2tEKEsI7cqitg1HiMLN9KaE1yVcbXSbXG2AKgqBMKLL2a5iUM1ulR
-OCRm+BE6M18hvx1Rab5OcIaY7j8NO7qxTgjE5obRF0BH3yCy3ubplISQ+ZwD
-Mo04xc90DzCftCfzFMkMpa6C7pMiLmbNAwIEAQhZNfgdKE8pCZAYDXUWF6qf
-ubYjYi2Oow3D/lzLpuJXwmTRuUMENFIcEB1IXIwRo27TfFXO1zbmFafENWVh
-slii54EWBzSRw3ERM0LQ32VtBIcsry/CoQmnB7+ofIU2EZOOoUOUQsPUQ6uE
-yw843EC6HkxeA9K1xOIGm/HVwU11SPFomJjPZIx1aaNJC6lOxVXOuIqgncxT
-CqC7wlhTQCdGXRrt6nbYQWMVfLrS0Nr7VgVHDJCqrcgLlBIjExwuJgnl16jx
-LcnwP8UbUSS/UTxBh8KZOkvOiby6WS3i7AqPPbnryHrk9hcPilfG0CjLkk9d
-SSkhZgV3GHikuPwsyJxd6PZbRDPh32gXtCImU1FZq0ktqS32MQJQbX6kPyCu
-LEDZ3ch7RExEH1WYYEazkgYW1VgqUtkRsfgIo4xPTJiWwWbEiMiEbz2A1RpK
-Z8O9XOXGRPcGTvSKhKzQfcRQVjjhJJ6rPsaxz5RnSHU+llc3cXmzmaH74dT4
-rB45TUnj9Q2D42issIPPRUaTHo3jMnm6tyrmEZCFHOTiCB/oOPelvIkj0LJH
-2d74T7Nfbk6vP3yI30R/nX36ufjTq/jdf11dfiqLw72TcvvnYflqfHR3OJt1
-JP0P3qd1ORYEe5EFj1DXlzk6ghX0jtVrJHsJ4HebsPhVxCB4w8WpyuaW4YwB
-tt8MOz4jA7xamqsICwhIPSC8oPg3oAVIllYaa5/6Ug+6RFMhJeasQ/9VDRsM
-ZVOGzZJSTYw0z65TiUphMoI8iQhJT1DczTky+O1UXngkcjtSrVu2QTTpkQgb
-eIuvFmVtz3TBQCJRHcHEKq0Kd5/CPonvpMi5gVtkFGxs+SKaZDJQSMgsnsq4
-QWASVa6mJuRlE9CdYCSJiBBnMioKJJaR4CGM9WeyrLDQDciWCS82iVFkcEiq
-FyFFaQJE2BRDZ4aOJsBpEFkwWBvPh/O3Eo2iXKDzKi7WiDnk/LoCvC4fQBp5
-pIUTHpDKe/qGHWmEsyxpiqRmgNwP02tn12ri4KAciyV3/IXFEPkCwDxe15Z4
-0K5on1hhSMKlNdSH8iI1h80J95mS2k7RPlZMdiKSr2sH5HOCxBWn7uVPiJZO
-gpOb3tq3IdW+poojCQxQsKJFWiI/wWxAruTh5gFxFiL8NFPHFaaQctwSK1WR
-Ri3PS4mTVinr0I3HMOfiRmnYw3G/vRJlqq4FvszzeRJndCdFQjSpwlZEQu1D
-qO09wSC0ZyuU8nk0loEq+GbqS/JNBE9N6fbx40a3dociFceRpTwj2jVSwpbd
-kyJVFaidBaxeeHsSQ7B6S2H/mLKEJ7i08nypAUlBB75V8UFJiclBkDdoyAXc
-BFIUlzGFCLE/L7/LAtBclh2SdV6QKcexl6jCKxjviRBi48ivA7UMsXQgCVA5
-fmSVgYKP0DQk67G7E4OVdQF5cTuOAUK+sohF9N07wXdktxO1w4yRszWPksGI
-sEZqllBTYSmJWfeZWxtmIrJnxiaHjJL7yMzqTC2jyzVNZ1lOaanJguxmohGS
-FdrohKXJT52iCZSgJbEAfad8C/vNUe/0qAAKbEWZKAeBhUl1H6td5ItBwj6Z
-wWQFmLW4ItctMWbyeGBBP6PqwpGRcxuEELstEwEA7KXSbDhHXRVz7snB2wPX
-fM5PAH8bJ5MYV4voUWJNO6BPpRQUkYyG+lEpKCW0MK3YOH8olkZCPnE11SWG
-1DVJegZ7gUPdTYamXNCDjA3agCtfSLyUqmhsSUCr89c8H6+mDzyvJglVDkbh
-8Nmzne2ne8P9bfoS76v58hl+id/eictuezyc7Ex3o2Tvej96+uz5d1E8nkyj
-5Hp7uLO7t4/fiPuPX9jf306e721vR8nOd+Nobzjdi+Jnw6fR3t7Tp/v7e/DL
-9rAj84qFY4RCHdbNgSO7qtBWay0rSI9G4V9+5UWBvoRPG62WiSlqkarT7shr
-jlLb8fRQ/VVVzI3Q4xENuEFlmMGVtgMYvc+B6N4+r9OIy6MHVYpWjYImUcHe
-HeTNYbwd7/x29Sm/2l9sv3/++vLly7cv3x6++fPLj7Nn0Sz6ZZmkP/602H+6
-JyfeENYJgJ5MbQ5DRFt4Ygd3EuK5+EInvmxkPXzAE+ncs4nM2US3ewM8FsYq
-K13huXKWczv2ojt/SySmIhqicfzXmrsY858iJMjiMPau8JncTMdr/CR0Yy0u
-TTLn5yduLqfEe9aiPPStV0jhJODLz1rQkgKVmzVrX68HuARshR0Ot7982VDu
-R8k3h9QKUXXHEP9HWhp/ClaJ+nChEQV+4EDgmn85CEEFbhpGnLMixmIa/cu6
-xoy2QqK06JitmMOB6J3m07DbGXR6WIcGC4txVNmBhg2VUgAr3hgypLoE7aRZ
-G0l3bQogOZ7jRrxP4Jbr8SrdSOQNU+ngx+PLcCtepkIjI8o0poPaGg6Gweu8
-rEah/EaLHDgIGrSEGSXrn27GP07SwWCALsLBoLXejv/cGT3XElTkPITOJXio
-EUgky/ECiTRAiuygiBGMt4j+pEcYe6cnAFKQE+XFG8+x6xKRU+sH5u2NJ8R4
-OaebgJZWSpKjo52y7hJgGNiasUHx6EHUtTa3J2Ri/tkks5Ipy0sep/v7Tsqq
-SqA26YZxeF/2lKTZJOoNCWxSK0kXbQJzWBeYkShoHLoWvCCZYVPisdiLsURO
-IyW1HzhldaZYbMBUbMh4FqNDENUzFm7Ef05ODaRECisLqE4AWwQKLAY7qZJk
-MofGyXVOvjdJcg2sPdwF+TlWiBV8ciLUzKwSA0+Ow7qeSZqNaOuBH22EB2vP
-EQCZLLUMB8VOg2r73riKRhxTQ84DJ4JznKjnSsQ7jWpzLCCc69B1nVNucRQg
-aST+SNotv+455Egd871YaAQ80SwdP9CTmRwtNJ6jIriWUhh9Q7V16Wojl3A7
-8blQZQtExBHXHW44+OYpWRJEViac5D2TxULiuzSMiS82u8IQOUDGgKnZwiC+
-FwkDFKSQYUWt4m1ma/c+iNwORwmqS9/AbMPOMKjvMlkAp8N6QYLrcpyOU5+r
-RhX+RNZQGsKCyBsYZ414ADEWacUXenM5X7HOj1o/iD+zVWH95uw1r/J5QlU6
-wq6TrDoKd7dDMdT1BjRACwQQiuigo1UQXAGWVO9Z/H10ZTFiu09D3HPye6h1
-Mn0irvLKprriprDQG+6wrv6WJhRMoAOyD9kyRN12ofG7khFSkZYLNlD5wYqW
-8eAi96mQic3AQz8/R3ZNYMlnLq00tm/k3bIaGp6szF7iFl64vJ7sRZeJnSZx
-eE01mU2BmsItKmEw2VSroKU+abCMAzXR1/W7ZZmspjlKOiZLn0WrGmkydRUk
-SNm+F1yvMrYdGacwsKcuZfHzDeozyl0hyl0ZlOth5PLWVngBRC8cjhxCxwVQ
-0Np6rXdQo8Nw2EGFgbb4BxCk3kigAvwHwFAUedHtKO30iQ9ea8mf6AXO3Dvm
-9BIlOxwirDdWuRN7WwQNr1KiE7gM8iZT6goP872uepZUXfN0jx5JDRojBQFp
-Xqvd+jtwfc+GzoCyEf4+3DTgAC5i+MP3tCL88/etUH/cdJ6fTa6RD7TdUXhI
-V8jEwWCcJ6ifSJa/R+t5t8cnCDh6RbfNPztYtMUPebH1MA/TAuMKCjeJWy8t
-r0meL1fk7Q0sQtqpuT7xFc1uAFi2L6BxxvaFkQ9y/P3770M7eA26aKVsvpFm
-Op0+jtidZvKs/DaIp9M68nw1fsFRujjmnUYTJPedSXNX8omrN7uCui+cqqhe
-I0hnhn5o4P/ERydUDskcx+SISklhJT5O9sfQBS5xiaS1Ruh5N6VoeiwsfuL8
-5vBd92eVe38WLVIaZVDKsc6S5VRKFUVj4pkmsaZ1KkdwhklfIU3nEEOnbhzR
-9PKGgtmQuJZSvzgtg0SrEjbtpMpKJli+rQEijlAoA8JYG0dicgWYG2nwDDw+
-xRznrFLYwtGRfmFj9pHuseL4s2ur/vzENV2zvuE9cKbsoZ4+w8IyZ9CwdFx5
-ArEffh94FnISh+vZHkCqJGVps+qExR0/UblvftCG/vflHq2lDAZs14YvI6bk
-GaIOrs4zGrB0+nOt/A1lAKgaaAO34VTrIeMiBDYGoLSltgHw6nKQPBe14kwS
-ylIOy2bMvAhRZvxEssgaQzvCUxx+zPK7rG/iksJ60Lhkflu9op7yjzLROS4F
-5NZ61HlNv6DlWIVJT5DFInMENbiHWll0f7AD0z2tbbEdehTSrGSjltwg0nAz
-6etZbWgnT84dj8zVfog0vM+qRy1r3h6CBQpM9Ly+h5VR50wIvPUVJQUQGax+
-Y8o5Ex03QUAFe62XrOObkGdHVYIpv6tNSf4q8VEYj6FKvihSkgiAXiySJofb
-Ax80seviYPeNCcsFxOEqPoQNccllHbu+TmwdE2h0K2/yOdxFRwEBkH9KFysE
-Mb1uY4fRzzIcmvVg+RKj6ouTo0tyft8xt/dZQeyzOZ1JgG8w71EsgLoeKUkr
-mc8jjoTEKXfMlP6LVMOXYr/uCf2SCTeEfw2BMJwJMawL3XQb6pUC8R247Cdc
-vYVk5ZK8kk3t2k0gpuuARhVRlsRlKJpdg/Biva35PQq7Zu0H+BxeXX0Aa9ZK
-gB4nqC1XxTIvOTASRbpwAVIacIcysDWVJFjK+K0Ngrga58mRU9zU+j37FA1R
-UMHl0DRQopYkJYjAWOdt0MKxrAKzWaGhI7+C/aLsevUb1r/RewkSV99IRt4/
-RCPFfXAFl96ImarxMAtj4tcVvmR5kiGGPRD0lvgoTqwLUCFcsJHfFkGb/h4A
-Twr/7fsGB/JEaz7EbuckI8RCccUSUBaq7YBAQ1HKFW6E1aDLK8OCuvahXusU
-IBncpGNSCwwxNqrEG8kvshQyUCaEkAMANIBJQq9M+pGlXpR57TueXlVbzPuM
-WF4td6pTA6o5AR4bKZxgAhzAlfm1cXTt6GD/MW/2nfW2Q00PxrxSX6NlbPDc
-LJMAe2A8ADMU6+GvK7gJOEMTWs7BAqbAowPKLmxZh7EbAAEuOVdImkxc1lck
-KUzKLVFwkFwgOSKG0gCe01kpn6ht9zyUKTXMEzsjNqABhCbholMwk3NFpYah
-mZxyi1pmRArHj0rZRhNfbHhqfU6HSfobhC/DP6iiQC7GbvshK7uVURoAjTHp
-G9ijhCa5MISf6lOEEbLNKyCsV4arbpyWE5CwVHBINqp4ltenr/FVUYxVbAj/
-spHNNq8B890a6/zVKNM8pn9SNU1a136acn6Pvzg2jNCfZhNiiwrdOdlY6oPS
-+53XwFP/ZRNDb+fkv957j5ur6DRWCsyf1GqKOv/et6YZ7iAsbzOpaTW18ZZl
-aMxlRz7cuuCaBILM3cHMA1/gSKYvRMSgLC5aWmBkC/5Fl96zJgOMyl9Wns3A
-Ez+cZOgNLJtd2261O4pH5erDn5806g23Ocg45UqcUlzb0nUAgFxtq+W5mfaU
-EbahOZBU6Cur6CYH7SyL5+syLY2fzHWeB67zHGQmMhfYEsrXfuahV3l9gemo
-VRLEVkxCowXcfC4gnMNw6xZbAjonV2USOCUBcWaQTzBmGWPFy5YS9NTgKaUI
-lbCEwwfprR+4VcV5iWWftZG1WUuthLHxDaLk5vjnMPK4SrW+/bn+cGZ+YK+6
-V2na25jYE3h4sRIcOFs0QVKj8B3bdtn5WprztlYJTiuni7HIp6y9Uh10ysgU
-M4DvwZE1STat9KWIAaMqx3QsBWjVsYaNUcijGmNR9bzKM/GR2h4ssGw0h8N6
-2TyltSFAYgKBabxWkbi5CM3KN2YlvHeoosdzml9q4eoyUDl3U97IkHDSmvbg
-zSXCe0uPA/ak5F614Cw3E1IUJXktuMq7KswmzE7SCqTBD0Y/J6D8ovEhYQ2w
-uYpxYmDP9gZUi7W/ku0QK7H31m0sPW1yso1NbCQvVU7O5/NVaVLZhc4cZ9QC
-z7i8A0r2MgnC+CPFzOmVFne36PaINbWAOX71So+7Mwr3dji+DA746mtjzGhH
-8tbjY+omGid1X1gagkpC0zB+ivURfEnjNt6lP716/7eT4dv0pBwMBn8wbnpQ
-dX6QaD+VZ6/USAkDoEGZswodXPPCzTo72ztPo+2daGfvcrg/2tsZ7Q4HsOn/
-lFGB4iTTR7yxD2/UIqqEV/DJCefxjtqJpuIIT9m4xH14RhsMz7onGokteaKJ
-c6cZTnpgJBGDNccIcUmgsGtPtB/oQfXtefSkzCGWkkglJngKIhk6NosUI+/V
-dB04wZsvUByouLMKqOIY+GRsVrh8I26olU6DPiuqhqTFa6gbzhMsHREeEvf4
-/AT4SzTBv7VEWCkWPOtdNNmTvHeMZaU34JEF+4wpHuwmv6tVNa/XOPQ6I4a1
-zoiXWCQ9EMx3x2ZzhhCrSflCqg7LIrWGNxZLXs2ngSZ8OKky9eBar9tBvZ58
-0F5PXkPX68mlppizgo36AlAH8VTzHgMOrdfGOieZs4M+2YQcem4TjDEhmgzb
-gZsMzU3qpFvpEXUrDS+O3hyaDuZBcEItT7yGpmGZX1d3LEHdJvN8SdKBbYTQ
-xSF6/eDgxBTHLNFXrhnNNiTrhk6ecNSFY6CyU6hl1ApgwXGZcDMb2BpZnlta
-8gW2Fly9ZVa9TRVJa9Qj7PTo3PaZCrx+WVpV20QjKFFzdy450nQ6BjRaZ6zW
-C3bAoXhaNaqLZRNhKyiZiokIHYmEGRGQdWSH6GAGugs/mezvkNWOKxdoV4hj
-AVVQHBG+iW5iY4VJQ/DyX0NVcqRoePgy7FI36B+5KlveXNKOXZIu0l+aEc+u
-QIZazRNdEkjuqDZpOZXy6nZXlJb7l3QYdi8xwI8+NZaz21jOjr8cSau+wsSe
-q3KVVmZB9M0E8w5RazZZwg8u6CjsvsT+khtWtNdY0a6/ImpOeSUYfUVNx2My
-k9Cq+FerhOm5bV7Va1REsd0I3ZBT6kJS1Fe131jVnr8qGU/Xpcsxy5SLJ3Da
-vBz+wWQ0h0YMgYsAd0BDSrdIfd6S4aPFrIj2dtiGZfPRwr9sepujpf8aRzZg
-+lePsUvUdlRO5xNl7PcROmTwkjwkzfBsHKHTX5GvlI0c9HWRgAqraJsLKm5N
-b5nU/niGwgJ7/8yraMeAO8evUYgg4UComEFJ0moPELclN7XjZCtDHLkBTYFl
-XSiWCktsyLGwaMvPiaDhNyxKMuqIApJ6QFSZJi0/pssl60BFQsqMBBg9oR6F
-rIGT6ICDnds4TYRFcLQqNAbarxVP7ZRxAIGmKX5eur1LCBIbyGzoKr9Kcb3t
-MRmXDo0ka61VEULnp9ZYxRroXhKwKgeBE27YpdjHnlNf01VH8TicEFXWcA2f
-AMBI9LUh6d1NxBuNJFiI9jYwtLZbp6aNZ3ZBc2qQuMZTe2G3new0ntwPuzVS
-0Av/QnjWt5fTv2vX0zgSrskXzcEEwB7EDTwzgzJOscfaY8ZK4NsgDFYg2lPl
-VFK7LKKaC8a6n+N8pgrfbg1uFkkGbf229LaamglUQIFCMmkmSlhIWYKLaonP
-Rl/nigZGGe1mOTvU8Pvxmu1mPXxfUyVBmITlRfMc66a71/U65YJDdAh9vmeO
-OmuJpZu2SitTTaj02zKa7Gw2fxl71zXVVpjc0EK1cyT2nHKi5LE/kd+zic7h
-ISFrJD3b3fakXkfSIFRS29qD1GvppVn80pd0QPMb+e0gy5JP4cnJKLw0fbRU
-fIs1pmiSxE6DOw4JuF+aNbO0dJIdAT5r+1dt1uk2ipXyUa1NZtPsNp/f2nDj
-Fkp3z9R7I6Zfk1j1If+SMG7B3DnlKs1uKm1JazozTVeG8ikDMfOiWmA7tl4W
-McdK+EqB7VxayQNKPPsq92uYD20+pr4DuMH+JguqMDcYzrlbbfxK25aF0k3G
-jCb26dpFFm5NA9t2VXVZ/JyOyKzy8dK4LX6EG70C/kt+ZyND4ZdU5ax0hfFH
-SOK6ra+XwsVl6XVkETFcv7kiWLHE+7AMbhJg/gERnMAv6zCnYECye886PHbD
-FReU2WzGU1Oo/LG0zHYdluvV3t3SbTt84zcuMWyg0bfPaVAsBNDl/3zVG42C
-9ZZ7a3f6/q6V7NxPpd4IbYIF266iWHYH+SW8MUVbES2fiZNNEHbbk4bnUi1A
-o/xcKHL0PxWxoK6jpFchradqfwZE/Xtb4wols+1hay1SpWMFnlhQyzHijqoS
-6OL1s3goRXkcZx8d26gphVK2Zyg/8Hg9Qdk8zqDdkhD0WnrycH97v5GePNwf
-as6yZCdPdzEtOX4ajZ9NnkffbQ93omlyvR2Z1GT45iuzk7/7rpmdzHVP9MJe
-aZEIL0P5MUbp3c6vmj7MWbhOPQdblOsfSWA20GVt0uJjlKP7QwHdXknCMT23
-VLjAeXSRittXKSycI64JNHVrsoetTo6uW56iYVG2GXWEw2WjToYW56ghd0BL
-6HO1T8lAI8LCaT6UNkMai5X/xJoW2MuqN3XN1w+NVU793gPbPA5ICNY8npRA
-FqjmuzRLIklgbn60EoAx8jWZMzXRVg0pEN6MGS0k/FiHY6ui6jF+0OOsM9Fl
-/aaM6qjO43OkomfzOENvzONZ/HKOzn582XB1/OCZjR5pX6PKEeU3sHQNCeDa
-E6Xh6PyxZud7mKNfUKbvI9j5BtEiLma5VIA0Zkf61ADKg/a0M64u+Qhb2k4/
-bLeqGaahpSp1TfLRFzM2r+mCS+mh8CVo2FjVg7Y0RuErRWlH9JIhH2Nt9NxU
-5oKpj8p8ocIO64dncQF3IplTAil1akFPgxikKB8AEQ2ZOR40Fds2tUOwbWtm
-LwI19AMdQqQ3SYWh0TVBFQ/I6aaKw/VrfhxUseAC/w7zRrVBufUBmREdIiVN
-x37LU6m2xEkK8DMX9MO8O82JK2tuJu3hRd/w8xPvebePJqxstoIbJaV0yC+y
-u79v/CKXN0hZtf+VnzhX8W/xhJKUxQlH8xDJwU5daIJDyimNLFL+Wd7scXdG
-7opZC7APtL0gH5tfLpVrO5dSWcp2tUUBEFkNEPy0VCsHmoYqbHo8RxMBsHBq
-i2EnvsnLevc3k1OYj313en0gnFA8peLIL2ho0dXRJLFYVtJBkKIp1jaWwkYL
-aVgAy4nklLQRAmqhUKMGWjjTJdsS75lMH+ISlGwJCSgmIZ7jLLBYSktpa4ss
-veOT+XWEmmBBP75B3U0YnokewmpNUUzPaOUjowto/xKtyEvglkg6KrkL4j81
-DGFbrlMf12udQ2n4tmsORraQ5qyHjNHUNTyboN9SsMT29vQKkQVSdLBMKlpp
-LaYdWx4Y8cuUs9T2dqZlszYaIELW0x7UD/WNNm2Pmo2p7+8dLa8168w6faPd
-3tDyPFVZ3JK6jxhXkpS11HCy59LUXLtRbCBmhPvbT4de+2mmEl/Tfbr+cNDW
-fXpABa9MvbmNFeb6Qbs/3K1yRTkcXlkaJ3IHy46Jx9uNm3G7eaq/hToTNsrj
-BWxH5Uv0zm9AegYUAkU1zCssBV1YezK1C+JQ22lzppHx68o9mq2AXQA5TIwG
-SRfPXEniYYskRtBh9XZTHN+mmNW6oppmR9y1HcW8CXd5/CNQInaokFRqu8eP
-qMQ7vUQ1S7G9EK2G1Wo6FiambH69Ad7MHwpudykp5YZ82iKz7iROlFNaNsKb
-gnBzgFNYC3BybN3WR2+3NtIfa4EIUvduyW26+Ir0rR/KLdJMU7Aw5/RBd3dz
-IHEAXGwDnhDTvN0XBqlSqAFI5lq9nqQE6hdbUb09Aymh0iZxzA0UFdTa1IpM
-e1r43cjwrmGkS7NUUFtvnU09dAJxSlmrrttBA0MWiO8UsjonFw6jA52ZHDch
-xr07eXWiLTnNDuJsHYgMsHkGyThUsqKcHmk1clogHLf5R9tKuSXZ7+R6Q6uX
-B1OFEiolMucyRXQbW3OGcI622ilItZwCBxShNE/HRcxyA4xp6kAYZ5noRPc2
-pznnTg4HJM8gdZJ2PII/SgjLG4qm9LtglLWKGfuRk6SGF8b2tJBCj9y9gmZk
-CUoTlN0UQK31WwbyKBDkVWayEkwyQjkyYaxuxoKomMFdOp97J4BWPtb6dFIn
-i49q7lBglqIOrJ9fZRrAmjaaz/M8pGQ9BJXmxqwTN1uwqa/bokCNJhpCDFnt
-of0Ebh8jrwCRqPtc0UFaNhgH1uQG/eVUxMhvOSiWE7TDAjyu5zElp3E1zZzE
-arOaFvQTtumE9XIidn5NwELZJipRTu38VqWdQCKuundO+doedYuilG2Zh5u4
-lW65Hge5GFskLss6B0/T6RSI9pkBmC9u0ciTxFZU46aeRgkaSN8PrSZDzwGC
-mrrbl28uSJjE/wJLzHiSUmvxUiyT378quKeX80OdnPuBWajV0zBsVgt2OOVM
-Qi4kd8pJg5bklxLHtreDbkdjT85YxM84uBDlmgyUy3HKyb5G0hFMnQK2ZdQU
-PAKuBNuj8n4GZVlYfXOxRXDp2kXbBoPiVMsSlOE+cvN20YfEKg/0e8vpTeg3
-P7ZNCqUonOk2nXETI65tprYN4+GlvoT3t1yu9yk03AgVD2ToQDip8KrbtJAR
-D0Ufq0tKkmgr46RCP0YfobgO1Q/p0gFVmiWBQ0WWyyQunJbTlSmuoJ20a8Iu
-VYZGBxodxoYbiiyC6HQ0J7XOyF4FFnHlsrGYwUTwJJWkC0oNVxebxpiiSYkV
-INbdlOSbP7N7dOr5hBxpjLz9dVxMyWds7BKnFJ4B1//1xWmJURXoVAdxF6gC
-5U7gcww0yZAgpdbrV+vF7xfxUurbIm+emKN/v8Rog1UpSd8W/P0G19bescja
-xdftao/U7J1ikssVFWJP7kzCP7p3MYuMHlrGaaEKnitOxY3huFmHV2LNS9ZV
-8cVuCY3OuFROlHLqNaudF3Nf+AQCh4R7NbqoZL+7sHI1Ls1Rq2gD6+sELXnJ
-4uuSaH+CyCtSqrQd3IFWBWzo2kBdqDoPILmXqmzLLARar7eWWSVG61qVPapc
-0chwRhqY32EgimdVn0ucq7jaWfE3XA3ELTECxKIjWnLBUF6bKHC3SbnJDD/l
-G0jXTGQhvoKOviHgJwaZNPWWtuwMwMEH8jPa1JcPzUCXUfjetG+oKbQs11hl
-llSLB9RZsp9hdHLkp7ycKsDT5r6R7cKDpcgXcr3iQsSxia0QhqO/W1VRfh2N
-OSIJUHBExbrZqKblDrm2qKQDifRubGVUqZLUKNEPTOkHA7IlQqjIBKuPkgwF
-HCzhzyyaLvEmOV6I+aqKjbURTuwT+qGAqgYcFvYpBb0HhPlwuOA6KTgg1rUG
-zllgzSWhi9SiFTt4YqFAzG10kP/BmjxhsyZPsLEmT6Mu3AuO7ZEaPFJ0B43Q
-UpoOMyBNzZ2NUh/WT1yHZJ0gYZ6uGrPRg7MT5rEoKWvpgeQTKWS30rB6NV5g
-sioLUbXLb+5FYG1JbP/ccDKmhs9dTH1HUVEA/oX0BX5dZUL7MDk/s7Ywk9yI
-DanFpK320PAAjWzxZG2iXsX6b0PHuqQk9Nkj3WOY1muiDYJDW07Qr95Ll4KK
-8vFFlO6hpprab6vpTLM17mPr62xyU+QZRQNQRyHduVgx316ecSi/nhuVWIof
-LnoY3FP0kO149d2yhxGJc+1AaXv4rJRSCVqLLOIpsqBGwAR1kTKq8UmtV88c
-o1YEGaszA0pdAAjI+8FlFdWERgxvUSvPSHlzcyzx1SjmTwcTSKah34e8hBk2
-n4ZVabngJhfbpPKFTltGHMM9DuwEqfVc6DeOg6LIOClHA5qo9BlwKnnEYzh9
-8vyQLDZpOn6019OxRFupzUrgklHd17hIWQRI4jmxrwNXzkYDQpcCQvqshzOa
-18RplRTwbTebacng6drYiZ5T94TCG40fmmy7xgzX0iYNhmlLk+9JCOGGeDk/
-2PMxN3ZD+rMtwsJQYoM49yiCYZzGSZpY1BWlc9qSNByEamvHLFdbHp5b5JhC
-7z0SJ4QFOqwHFWbKvsnZ5FdwWELCJcFIPM9BC0mwz47bOFoen2NvVFy+ZBev
-8Q1qisY8TcychK5uwZju2clJz+LVaZoBqv5N4xw22Ab4Ibaru4NpDWjFyoE2
-iNA2hyykuJROTSZTzxIrebGNRow9r1EicQ3Y8jzOZitUlF0UlbkRv/xpbSuR
-ZdME7AwfJMCOpyRtyoMiiogdVlK+8XQPqAqjmshVaTB6kxs572pW3KovEkkU
-fue2t3EVkE3fiQgzohLH3UtmgUbCxmRhBP1+UyU9ISIgfhLGksRfkeGN7ovI
-WprEbvN2TU8vv9sU9yR7hYmffFlsKzi+LV2/3Jg4nOR2CG70goaKqYXC52sr
-6IjUyaqXNaYx6AL1ZGAJIcpzVzhh65os4WsuEiUnWDNHJrkalKyA47N1PF2p
-e+W1piQMpoVmnSS8A6m/2aQv13qPgbjLDQcdABv7sa2cs1h0wYF/sGq7UhOP
-XhNHRXSLiQeGWXMxhhq9fcEaDy6vUfCFreyBXzeKO7G08B5MJoqxmXSCQEg5
-4IFdgKnNG7SZLYXzkGo6Np6AKBy1ag20qrWdoOyEpv+L7wjCxQHBplVgQxts
-6iOFv3kxF6tx5f7ol4UKAlNwwdR/ok5vWOwpCN4tBcXafjzOOKGvFmCBDzwf
-p9ULp9BCTJ1sOJiBP104vfckWRp4hpcurS3Q6Q0TVguAa/RosP3Z2to0eA0a
-LtqjQnDRFwkT8Q2BJibERDN69YRRg0DcJlemSAzN0RlmZyt1YtS6O49CD2uC
-4MAeopjO2HmLrkCDKvhe80HrBLHeYJIl04lTkJQNEFzW2FoGTC8EAJneITdb
-A3tcWMrj8Dtcymk8gylYdeuWPdl0GL7CNt5GDHV/OcVZqhyI0TU+Q5iKR2qf
-CZhxcx7LAiUqCfHhIG64CtKe6npVELuqrenwpsA4KcDFt0mWYSkQQCw0TP9H
-pp8HWAPuRAnBCs3M9CaoBu/e4g1hnwwBGLUtfYDXd0CcacNUQXAI3FP4CPE1
-evLk+PIV0RC3Owv1WfFICbZpod8il3Z8+UYK47ViURrzeo0CEp44NYcBaYB8
-DGTE7+LqerKut+hNkcWtO0ErFeInldI0GmbA7QPiv6LrALMCfAjTL/yeMrKr
-xpXoh58/u01ruKiP0yGrBjn2iP5TICeBG2nGCstPF+/ehh+SsVTK5ekfotB/
-5+cYjvrhyMpo+B2jyqFBFfju3Ahofw/+PoqiaET/dv4cwQ9A1afwsIkEtB0a
-4VtENvjP589uH/ovOB7GNMIvXC79ka+o/Ao/sy60Ra8TA7r3RSDM8ItUGq9N
-WT7wKiDj31V1wlYcG1br96s279rKW2aQI/3mnGtiPWIQDT+3gxzrN9oP5zHD
-GPtKy2Iund/uHUj1KXyOhE7SV17LN/pme8NjHkFVMHjwHQurXz1Es9OWv5zD
-xm+PGdXtywUPGyLC4X/dRdlzR2rpecvDuPZgvBliPj6xar8zSq0nKo9Q7wRG
-l9HIukf63cNL8TqG4bU52Tp9w0GlGLZS1oCzcZzWHAYkG26mwKt5PHNHa2sr
-2jocNemsDXau3z44HIYpU9qBfKlRyhvIM8UlA+0KOZkItQgWU5CCwWAsQiTT
-7zvkuegwrfebX5lb1/78pfqpQdSf3KToNUcTUcMxjb/CFqgSuHVoB1/r0Tba
-CRr/jBOX2jYwLFfotWOB1uhHmJCN7k71EAMDvgPds4MBZanYqklw+3cxnFAJ
-uLTy/DUaR/kxWcNjMMM88eoYdMi7O02nznjAAXVIx/eLxuXApEzCA8DgZtpH
-NllLS6nM+Kgj7DAT+baywETsScBLXQD1EszeofAU7gy2hZUef5oQD2w/UvL3
-P3/63S6A262et2kUe3joTNcWm1LIm0ww3QMM3+7ZqpZc76jRdHOgEUFuILYG
-U2ItPFC4K61jiQzeMfNomjFHomxxGyLklsamb9qXOoXDrYVoEFw6iYNsy8el
-8q5NpAT5JLwwAZXlX4gJBt1cTgkbMo0UxrgpMS2U2TNztOmaKdQt4BNxWrtq
-FOJxcioDXooS0X0HROOSOjgDMHvtp+s9A9ft3dnx28vjN8enx5fnv+gNTRcp
-tQJxJhFNJdC0ar2I7Nhzk72nyXjFaZAUeJhnaG3grsVkNmYbPMK2RF8r6jdo
-O62wY8JdvC5H9uY2upsFYukA4h35DbFaoiZemIECjhSJOHW7MtWOUEE2rqBS
-nhcJpOZ7CCj+8gXtqd3yUq++4Rn23MbvHkj88yArENIkdqrN11ajmQYS+r6E
-SYhGaH6+ZpCQA7hZTlFDywPT0UJNPfhe/YwTzbJwkHckvwTth07EsGY8YrA0
-aonJDUdTmbWJ+iCgqZrFusSDwRGY4vYttEsT34mX6OLhfDzcmXtFOAK4bL8S
-L/PqxgJkbEep47qtVKrb4ZKjgd+v06dfSkLJvqqxm0RfpPcgkU1iGVmOqUZq
-EWwU+NRjk6M2xt5vrzRa9gNnuxJc1Swxyvu3RQxYJgpsUVHTl5rSexp1YSXP
-5+Lw5PIy7F6syON7SHOaCph9aZuKistkzQkbFLWzgY6h4MEDbhI8yklaVZH7
-q8PQ4hoHNcmdlVlFZa0y7HHjdROsnLIITEncxWsQAADygu8BKuScf04bCyh6
-eFmV7kXUzSTqY6DL799CCWDmFoHdFj1UeSwlxBMnirmztLkqbr0dpwc7HAUv
-oGXFmC1L5NxW20Ecdt1v3NPTAZADR4xd58KLAfbskcpSfY5Ct5LLIs5WWCiH
-q2XY/FYqmMLB/sQIuQqfaXWD/jFlpyRkYZ7KNM9ggjGSpnzR5/C7wBHBen0h
-WpTnS0xofm/LRuwM4zQPJ6C2wwtNV3ErOgzYKqJhwG7nTXEXUJogO7imKdw4
-9K1ZEYH79HTR04f79tlTTxtFhEgJQLTGVEMPY232Aw3Bq1dE7Dl2Yt5wzAIc
-1m2Cq+4gkOQKSnyz24hdUhm6NdtCL6CyENiclWe1NR2B4sfE8soVHnLZCrfA
-5QWAQLJmJxCFhT8svmKyPBy28GH3UPIW6BofYqtSCt3awA42P+/kU4r+FY8x
-Z0vK5RsfokruffW9iN24p/fdjtOstplfB1p/oXvHfTSRvFP55IxRnFwv/WZU
-aY/iiFEzIUxaUfuLyy2UcmK27jc73/Yl5cOUbyYCZauFkpgjojf7afyq0D9K
-ZudGdZLcu4DI/nvtjx+wn5fzhXB9iJO1MtTlDQbgSQHqQw69g10Kp2tvVeNE
-HvQ5Jl/a06ADvx8+1MqmHiswoPrUePOdzL/7c14oYFqzV6juNWa16JXDaNAu
-RXGFpjQwVa9yull5AWU2NM1PWwEBC+tKb2h0I13sbAPGfjNugQFTa4EGK9k3
-5b5t4zOON85NQQQb1Og4q891Q+LTaz34yCslDjLMCMBLJWUrTtQGJvBC5S+W
-OsdrEb8x5u9I5B0+Cqeu9QhhQZF+m4Ugqd4UjqWnBro5OVuWhm7UYEcPDAfa
-eAuySXMaS0JhjrVEOAIUjvt6PS4w1/11XhlBi1iiym591FinLN7c0m9G/kQX
-nAY3I6zlvClspeZC3QBuRrb2MDjJjd8QgRiE9RhEgpKHaaMHgg1tdKEJOwyl
-GWDXqj7lAm8z0nZt6GeUYAoeJweBR9NGSIojUF5BVacYM103xYBTqfgluXk4
-3B9PHd0c9Q3vR8PtBYpq1EFBAO7bWZyOgzdcB8M6+VMiAHjXKZACZ8F2DbFE
-qOKB1T2Z7cdUj61g0teSqMU03iZrdbEXX4+CsFnTYPFW/HteihbQUE7h8gOL
-6t21ZWrOY6M8lZYANnkIE1+S0i3DaaKp0ehjl4lh2JmElPnwGLC10ijUtkIX
-3L3lEg0RG7UCp3iAyO2LRYwxLSWliBoVyiv25BZKIxpyC69gBHrRVv3YyO2Y
-QxhUpgwelX7EmUmregEIdJMmt+y8N8NrSHrgxJbUiMQiiblKqKlz3VLa2hjK
-2bJ9bqtcoUEf7uqhbpAeCKxHi/8FA2ClyJ1hePjqHD1GVTgcouHcrctshWu3
-WqBaHvqmVFRXCxGi3+DQo7Qu00KFyiX0HGnjl91y9QqvMCyu+Ph9eHp0jt60
-x9Qe7Gqtwh6DpGGgcCJbDk4irp6NJfvUVaTxEGbygxP0x2HRr0E43CFoPVSY
-0C9L+PdGpTGfL9ULjrVOvAfDcDViW3bQTLs2c9xbs/CeioU45Wn66uQIIIeg
-dgyjCjCiyqslSuglW7y4+Cu7fO6p6dZSyVPHxGmxMpsD3bYSbCzsmomaSFQ2
-ire5KOV6UZzLbSqq3kNzuB+O1JXawFqfmAew2zYLMeHlXR5xQKwp7dgu/0r1
-JCkFU4o0YDuLcNoLe1GyaenYk7Tu0YhTD6gZK0c81OuyYTvPUdghCUCKmK2p
-l0OtlR399JHrm5FgG8URiJiRtHzQmlw03Zm2k7q/BFyzQwb5KM322ivBPe6t
-ekG45lsin+SNqnDbT/eGjapw8OUzvyrceDjZwcpwEZWGwypw0XgyTaLrbVsX
-7iurwmk/Ebcq3HUCYujVEmgKLPoKt+oVhPNLvUmDEXrsiiMKv67km4kZRtjd
-xBEgxSjbG/9p9svN6fWHD/Gb6K+zTz8Xf3oVv7u6/FQWh3sn5fbPw/LV+Oju
-cDbjQUyksTPIm8N4O9757epTfrW/2H7//PXly5dvX749fPPnlx9nz6JZ9Msy
-SX/8abH/dM+Bgbik8QykP0vdQYxzSNFxg4Ja88u0QZZ7YfpIojuv714rx7CP
-V4rtjVrzB+PmsX8hjPD1GF3DsoeRufbCfXh8b21DxOKnbVj89F+OxTtNLDZF
-1LhU2VfXNBz6NQ2l4JlTrt9UYXsMltdw6/l3j0atS7J4Y/QKsp5alfHBYBBt
-U6nx5qWtFfyWR3fCbg0yPZ7H4Rs7o9ZWISSWaveBA2kTsNGOYj2Hm3qK2Bol
-d25psyC2xQi1q0g2rVXA1y4FGBOLHGnoNdgwDRvuvzv1VgN0G1DKjbReffsV
-eux79ZvU+h6GQWLJ7G/kCXyXrvej+On4WYSFQSO4TNeRc5mG3m2Kh+OdyS4g
-POIN/mvb/kv+aeEJmyrZb+YMrY1JHnNV7rsU9IAXaKNTCeij293B8H8RYzG3
-GJF0x++5gjLoP4CoPuI8Ckf9Vx6FnqhIR8UKS/W0YOjOdguGPt/+l2NoC72v
-90/wCf6jsL5WxLbRxeZfg714KADq6HZnUMOXXdAfLS30euN8A740TvJRKNN4
-61FYQ3aINnxpkw+eP/2X48tuE1+avTS+GmN2fIzZ0Gbon4I1Nflhb39n10OV
-vXqrom9AEOfQHoUazvMPIEVbC6AW7NgdtmDHd8N/OXbsNbGjvYfKV2NIrTB2
-S8unfwp2tHGp8/Xwl+t3+YedPy8P90//+vz1xx//9vbT7vTNd7cv473y/W/H
-z9I/Vtt3Z/858anOfthtbTRlRL6vxa7Np/8Amm1+8QF8e0hN2W9BtP3hvx7R
-9puIVmvB89UYtudj2IYuXv9Q7fVHn4pXnAPWzy7Or+js1YE3fv12zcgpGe40
-8EPdhfvkSRsq7Ws5rTkZ+nVPrz5HHb7QNal/2BHoRrPyvqFJ1z2tfoJ6p5/2
-Pj9t6t4jO0tZpe+B9lLy4GN6TMmjj200JY9/Rbcp7AONjgEJUKn33EpLOmtK
-LE2KtbqwXQcwV//R1l8EZcycedydpvgDDoihEFnql6QuBKdS/QMtrAJTi5GU
-Z3YKCRZg8AVXuzW9zthv7NvFAxlAMQrrZA08TX13ZAuB2xQKGuunPN0Y5GD1
-bfIdVne5FJNoKQEuuE21dLjyXq0QeLs9gnsAUZscQgi3d/1/IXZ43ezr6Bp6
-SBl0uR6H/tPl03FcZj38ep7CZQAkWDcm3KpN2MBkr3FNz2GG+KvTUPdRLUZ8
-Kcn4G+7pMnLvG62NRh7L6XbaTAjP/8FmI9fDBC7ShNjS3qNFKg/GHp9jPuGO
-unOf2ld7dneT6GWYicrn1OSkpR3Rt8pg0p/IY0jc5YNLpnBYzp1tie61tKAQ
-KadtE+G4Rq0bXPbrA/ktLzZ3u3oSHkw+Zvkd4gWHmGz0VrPjjILEpSUJp9Mg
-jcDVzIp8tdTshrRwcl3iOXVYRzpwp8k6JiUGG+KyCZDbLDTbNmMhAwxvIOdn
-I9uHczzY9Gd+PCtyeJZ/CZxMnPCBTJxG3nOgec9pKdk5wf8HZCjx8gj2AAA=
+H4sIAAAAAAAAA+W92XLbWJYo+o6vQNMPSVYTkqjBA12ZfWQNaWVbtkqS05Vd
+naEGSYhCmgRYACiZ5XTH+Yj7Afdb7qfcLzlr3AMASrKrKqIjjqIqLZHAHtZe
+e81DFEVBlVazZBh2jj4l42WV5ll4kGdV8qkKL/OPSVaG13kRHqZlVaSjZZVM
+wv1pklXpOPyQFx+vZ/ld2Qni0ahIbmGQDyenF0dhY6hOMI6rZJoXq2FYVpNg
+ko+zeA6zTor4uoqyJMuSeZxl0V06L5Mo0fejMb8fbW0F5XI0T8sSPq1WC3j1
+5OjyOMiW81FSDIMJDD8MYAU7QVwkMazkAoYo0mrVCe5gndMiXy50fZ3gY7KC
+TyfDIAyj0MwWymz0Kb41y+NJmE5wu9WKPo1l73e6d/50OUmrsCridEZ/j/P5
+YpbG2TihP4tkupzFCLpyVVbJvAyCeFnd5AXND/8Pw+vlbMYQObgpANbwcvhW
+oUJP5MU0ztK/xbhQ2Hw2SRZJhksLz5MyiYvxTVLQg/BKOhuGaVJd/y8D2I1J
+EgRZXszh/dsE5z0/Pni2N9izvz6zv76wvz6XX1/sPd3WXweDLfz1JDrcwFnk
+0HAJLR+X22W0KPIqH+ezYRCk2XVtFTt7ezry86cvdnSS3e2BjpalOkUa0QFE
+eib4xMXZyfHx0ZD2rrhMh5+EZ0U+WY7paE/kjfC4ADDj8RFeH90mxSrPkrDL
+w/Q6PE5cTJNqGN5U1aIcbm6Wi/T6OtlI803A3HITD7Os5NMoHuXLajOHkW7T
+5G6TBiB8DK/jWYkocPQ+2j+J9g8u/VWeM17g8rpH73vh9tb27ubg6fMXYX4d
+VjdJeLQs8kUCqHAWF4BPczztOJvo1wf5Mhuns3AWr9JsGk7yuyy8iYt5nqUl
+IFuxnCVlCIPHRZVep+M0noUpIPhslgIQx7DnffvFifvF/rhaA4hkWUSz5NNG
+giuL4Z/NZJZuAoJvmsU7+8fPoq2n0WCHPrRIjz8RovRw7R51c3VQvM8AXjDE
+8eF+tD04OD4fDHyoXuK/4fagD0NMEnz/OJkkBezRwrvs43RVCO+GR7NkXBUA
+szE8MAaqUL50P7tIp1lcATaV7RC5u7vbSMbXxcY0v90ErCtgA5u0Flje5vgm
+XlRJEZ1sAvnSP/Y3FzB5NBi0oMoaKL3fuNgIj/N8QrA5LJbTcH8yTzMky7Qj
+ePz05PjkMDo58cFxmBawF7hucBqD3c2ne5tH778SvwCF5nHxMalKwJ/wOs2A
+sjEywexLfKsMu6cpzB6enHwV4kzSYlOW5aHNANBmLxrs/ePR5vDd+f6Dt3B7
+c3tvbxf3PUmnaQVbhUEYzvA7oEI6S+miIAnBaSxMSgA2fNjFeb7lDvHU/h3a
+jgbwv91/PDCALp0enj8EjsGzzWe7e4QFySQdwyYnyW06TvDQD8+/YZM8oH/g
+z6ItPPN//B7fnR29vTx6c3R6dHn+i7/Vd8BBL5NZMk+qYhVeLJIxUkPae/um
+YGQkk/yC4QYlvFhu5vBFG+1fs52DWb6chG+JEcIe5guQQICGH8NuJnqhDSct
+x2lVEYNNK8AvIEbASaMIBI8R3v9xFQSXN2kJHGBM1xEOCDASDmitTNc9Orgs
+e32AIIg/FXyCM1Y5gfCDSj6GZ8KtP13OqjS8IPklPMpuU6COcvNJpuoF7vLo
+YkwcmbEhN+GYRi4KEmfADcBLWFwIQsMt8PlwXKwWVT4t4sUNDACfwknjYcfl
+Ryu6BUC3k6IfLvJZOl6FCUoZ40RgMU5LpvmIL1Y2A0kUJg/jcZGXZcCCRZWz
+hIGPzZeZYAMs6dWKATXBU2IptwGnQIB7l1Y3TakyHM9ikGJw4z9dvHsbfkhG
+fBph96cPl72A5aI+HAGcZOkiI2wnHiEvbwiSIRwZiHtZBf8PkBgT9CeuQArP
+3MRVWC4Xi7yo3O2DwGKm2AgI5ssS4AEHhywDhxmvxgDPkIAPNG3/x15oZsG5
+i2QB1BDhhccRqEw6ThOAdkHc1BzJbTxb8nZAXIJlwH5gXUk8vjFHFCxy2Auf
+E0oqMC8cEIFzDcgNPn84uezhe4F55IwwxXx/Bt8vSzw9xPESCEhYAmvHD+Yg
+J8zo5TqupfMULyji5H6YJXfh68vLs/AmiQHZgOgns0k/MHcskjvWD/Eq0g2c
+MIco4qxE6ONkBOd4lmfTErA7SD6htG9wioc2dwB0GTgPuFQ3GRHe0TKdEQaO
+Zvn4I51sICcLAIerBiQA4JrlVTiCa1uVyewa8Q+mqOAe9t3jR7AGglGgmIXX
+KhiXG0xc5ulkMgO14QkKh0aShr+fhKc5gIXJFFCebyYZZsrw8+cWbeLLFyUC
+gPr5aFlWRisjBYpICqNUdQMK3vTmEQhiHgmaCAJgp93QUZQoz48TJAnya6h6
+TNBYrqvlwLKV/t7kd2bJZeisGQ4eET+HDwqhQCEc8CwEGRHEKgdTdbmR2ZGL
+5RFtImI64iAnnuHr/C65RaLYUGUJ/xKLK/FkAte4dMhpPB4DJ6riEUg61Qrg
+8u9ZfodLurvJQ5CFkFghgQDlgvUrMxaeWBLcIc25i5ElZYB29KcQAvw0XgAW
+JpM+8EL4LiEoOEpzkfx1CTSIkeUuKfC+VmkJF27SoBkh0QzY7rkhji43AUQc
+F0mM4Jyt4KXFLF/hQeRZPs+XJTMmppHBOAd6BZKcYQqe0o3Xj7hzkRJBIPRe
+gKph75BF6BKICl2RhA4xS4QUODTaMggmlCXydMI/ENDv0czgrhh9ElANnxzD
+KgbbIDEI4ADx0ulNVKTAIvdPXGYxglNPkO7BAoiujuMFHzJsCgYgToPnjCBC
+NX0sq8PP4LYAQtEF7szyadnpweGlM9oivMvTIPETaTmbbuiWWH853Ae9LASd
+TbUv2Iujx8FudAMw3JiEIlCXYOc4HKJLlQLbqOL5opXHpdYoMlsRNIgB4QGg
+TMav92V1cBh6HZjhMCLDUDHcJXi7e5Ewag8GG4OtbtLrmd2cWm3o2Ej+J442
+ZJUuqxfBkJ8/q47mbBX4SOFzckUIEnOQd8jSYATSzlDUkS0jgyiX14gqxIVz
+kRWQ3yPRKpGyswCqR4wTgWaLALBXzmztUBSed47Cc24VHsQ/1m1gM/jvWgy0
+KhEBGebGmW9igAngzhTxiQgCfYFb4U2j2HtwSYdxy2/R2cBtjWd479ZJuq4g
+G6ogS3Tck0vpngu5o4mTcBov4FpUdwlQ0BZKmU3uI4syhUPYlaS8ZEHOLkoO
+lUkjPA/UKAWUhuOmT0SAxfnq1FJEp2QCu98vZW1EDOFlZkXrTWRfvvSFs4hx
+E95pSuNIoJRAANakiEK4FBLviluYmiWSQKXyGJRB4FVZWs7xNeUgtGeHfAuR
+ccWqIC7LZYFIh6cJwgSwMJhuHl6gOI4v4RkXCUj+eUHHg1AEKQl3KwYWZCBF
+DmyAscrKxbKzQEgekNTBvafky0xCMMwJsfoGmAPwo+MiORAkCeZyZdghWzh8
+lpZ6y/6WTDo0KgxI75tnGI1gkZeouvy5HwIzAb53xgf9Sx8HBSELb8a7ZQW0
+L/yPjU4QbMOkb3NUVpD3TBy4E1QEAO2iNluO14nbzDoRrHCayM1E91G0gOPZ
+4cnb5vQOlQAEjOMj0RTAeBbLUFTBJRT5bDaKQWI1yhiOANACOgAUQugbzHek
+4nA+QryTiwYP50DkyyUsHmUKR7FE9ReeB4nMU/St6MjozMOQVpqMlkx+EL+F
+EuIIjAlGhmmqng7egpzI8yJjifH08bSbEGFO26dBiW0VUXJLN5NvOn5u+DGs
+zpXHmb+VYyDoRZrLXbkYA/eiV/dRhBoLgNZQRStRtNsByAzQC1nzDLufPwOV
+jPivL1968C5ofI7CR7oM4q7R81ZMthAQ8PYknkaAeikbMHgEwW64qeOPjG5W
+noBXGGMjVo35jRNR/HC1RD0sKTdU2chZyKc/f2bSl9oXeaT9zNfX0N4PvMWo
+Y/gqmnYifkBeIrDPkskUXsEhi+t4nISeSArv8QOReQBfJlXoGlCdRWXkzXD3
+kIuX5tjwQ7hKoFhNUEWjfdExGc2lptmQLqz7JsTE+4MIG4X/TkxELoM+PI8z
+uMZER+HwC9SaJjmKFiGKTiDdlTfGeOY9ewBSKc4DF3KWXieo+yfuE4h/54kY
+0G/SBV7hc4uvB1Z+D1qVV4dhIIEdA8tusUrAFuEQ52Uwku0Sqli5ud9CeOQC
+WT4tvFbVaLnWMCKAFlBlhrTbqsV1rRhAs2rVjAELrkEbgeeI9VbunYP7eVAb
+hoit80phTatGTPI1jACZNBDLsm+EI2IL8DZ6IPqhvV5MQKbodspoyjloOfhQ
+MEpWecZiL+MdmUbrRiXRdZ1tmpWWQX1zdJaI63DrJyxBOtoNUzDvivQDInk5
+G71EPAfo0LfGDKJaHQliZeIAiHiBawVksjmmzdCYngZlqBDJLERTAssFeasr
+RQNPTWAr2IpXiJuRwQM7uBEA8jGJHxPiQUk5hmtHSom+2piYpDfARFQGSNc1
+jzKjvY4BTdD1u3J0alSmyDKpKomcVIVXGbAQDiZDUQsAgdRMrIq8JXL34QAt
+DxM+iMWLp48FS5hwIn3hx4IRyFZIMVldJgRwdGrkRMhHUBUkVk4uKeQ4Kasp
+RAc/AsDvSIvpnL6/uOz0+d/w7Tv6/fzoT+9Pzo8O8feL1/tv3phfAnni4vW7
+928O7W/2zYN3p6dHbw/5Zfg09D4KOqf7v3T4enTenV2evHu7/6bTuK+E0izw
+EhEHSZdAXgbmaPGdVwdn/9//O9gFMftfzo8PtgeDFyBa8B/PB8924Y87oNY8
+W57BQfKfJD2CkJrEBclXKH/HC9Ss0AwNmH9Dzlq4bwDNP/wFIfPrMPzjaLwY
+7P4gH+CGvQ8VZt6HBLPmJ42XGYgtH7VMY6DpfV6DtL/e/V+8vxXuzod//DeQ
+D5MwGjz/tx+COq+EA5gzx1iWLcQVOCRJ0cNgiFzdsd+oxtbnS8lGV2WspHK3
+Ghbl1opIXpJYw4Z7koYdCRiFdZoWOe0YkQTk9pS4upWWhaMB8i9R0E4zkN5L
+UaBQpifFOyehHinboRrY98XA/qM1sPNcbHG3opcxtBOw1slgd4hQaMUB2YSh
+aU35JG2GxNRFnyJx+x65kFdS81V8/iwhIsbKOWG+2nBakKodGluG76+Bdysy
+3FiC3eYhQIWX5LE3JG7p8S9w6xFeN9Cf5/NlRSaPWU4mKrxrxDoapwmAQjNV
+QodndN8+oxxKhw3p23cYwcu+zyQQ6fbASLcMM0evMnPT2cAHazcLWoQBl1jn
+cIQMNwNTrbFss2Gbp2UheWzFOGKeSO7NNfmutMKkgQ8xC5ibxUR3LsdEzhZy
+dyJyxUXwv0WOxhSxvOCjDkD/ugSpM5oltwmGRvmyLd4ukk8PaWJvEznAe1H5
+eB9nawyyKxHb8HRvYuTQZpMpKG1oVyEuDFI/O/DQYiGBQ4DR/MuXL2gcc+Rl
+BERaIfvklQG0ikmEoRurUEana8+qqlqqKgwNKtUEZUXSkHCTrkHfEWzjySSV
+zdSMS8hlGRj7rgXLVY8+P2lqPiSm83uOMzm4bLeHrfO7uArkAz4VggHZQ9rx
+DHbuY5qqI93OSRjPOZww/DPRfPfrXzo9d/IWd54zs4OCIuosChJQYXaUREB3
+z8cpCVWMKmTFwRWIxE3v4JOItrIkWgCZ+aObfFFXzG7TmGWqe/xELfzH9xTV
++aArdbrYIAY6JOlEj0iORsSv8sDqx76a6Xh2mEiv8QPRIZ8brZysX2Ids7av
+3OjiaeFZ0tDAY47aHecRfl+AKkJYzN6+ntf0j8Cjb9LsIz7mGZmQzqh9yRjx
+HesS8Xa6FkfGGHuKLl9RMdivLyAEMOGVZGqz9jRm8SopArUakwytIKWvjGgd
+s5WGxqBvANj//d//Dfg4TlO4bFXwr9FX//xr8LvaNN/QbF29mb1w7c/v+BK+
+djkM/YvX5TjG4eZmNdmkg9/81Ou475zxO3zV7r8y+NI3bWntstd8cfvNkEOt
+SeBm5Z9974B74V/IoIYxQb8KFOA1jC60Ygzqfm7EA2jgoOX54OYf/yqQ31N4
+vrL7jr71Pxx2LIcZtDOyF1/7JvoJGDr7KpSx7MZGhNgxtXW8l75peXCvgs/D
+8Ml1Oo3orpUc6fW9iUrX2+8xVNpL2fkiNlTXYbNUH5GQVzdepC90owx/+qBa
+eMBue2Oqx29kPCEcjvjcFwscE79SNBYRfMhvPVuysOJwRRYyaoT8OmWH/5Mn
+nnRwhlJoCUKCIx5EJJqWsNl9EixtmE35sLHVRFmgjcDyLGPXc+zNMPJP70w8
+S9j5mAKKg+gEI4GqF5J6a+xNzK+XI7gkwq7tvmD2fG5NJt8hnC433Hk6IOJ1
+xM5E42IQk91GC6xgEjV5Gynw5NARBHveBDToKAldt7mJIRIxg1ZNYi8w5DBU
+l7W/8DN/4cYYM5uid/ZmHnY9mMHnDsx6tA4YG9Y95gXYF63SnNQkXYbWB2DX
+FKxBVHoef2SPKVnHRUanC5lJQMqUPBQ4WoWeuKBisYvEj7goUjNbijI+6n3k
+7G5ER5UNdkePnMuUdLbqHoP5+ddXGCrZCHsZImX4I0ptlt3s/+A+6YTCDOHJ
+s0uj/+wryyrxnPClRtAWD4/HUviSEOr9kx884uL4DAyJoX295q1fVCCKwAAd
+Ee9gxCS9tXa3ruyzJ+okWQxYizcOy0uOVYJNcLAUSw+9IcrBqGtgHI7rfCR5
+g42L7HETEKdO2NEGOxNxk13fOQ3jSuy7bFpGJg91zR3NSSaWlVmPNe5zosGA
+1siAPkTR39FrRTQTUUs2P2GnDOtLLksgDWidheKYL/DnJ47LionamhcQEK2B
+ly5NDuSOx97DJgUAX7iwL+yBomQDtdD6j6G4F7CteCY6KmwdXuGhvC9CtfAh
+ZTH6MrJIJuRECQSfPj/5LQfNQbxUjFN1CkvDIZbHQgYsfTYkRG7jbyUohJ/h
+GInCYObXxfbe004fP6lWC/zEpmH96293FX+FJBy+4uiCOIKLFKWTaLC90wm+
++NeDVyQXwyxUNnP0KUb9Be8GTI+atZo1xc6tIfelgXqNzgGqkL+hYjBsYOoD
+7r6NMK6niWF4YvQo1hloEPVIEUzMST//8kVWRzBDQxDgf+IdYicDXaoDj12s
+5hggjh5jXQdorMnGdKMfvsZhEZyvL3ae7+Lfe4PtXgMZyJpJ8pI4VeBvHRWN
+HCYnhbAGJo6KZAFXR80qcIw1yBomlhClr58wfjZh1/syLW841iNkAs08AWUZ
+TLwr+2TnhGdNeIdltmPjFSBvdkhvOHyfoIYYDsjUcvQ11q8Cgt4wFhFY5YCF
+4fC+XGDO6xmd13vRe4XQFKQWzvL8Y7hcCKEU54w3NIbpGdyrGfzwZgIgDtjp
+AhfzrlLntb2Xi3hFEodcxzIc5RrBHKHmCoNRiJYrJooA6YUb1SPH77W30uLE
+8hMd2Fl4qXU7Q8vcnmlX0UXDu9MswFjSFWlBQZCyTcw5vosKLdDvivfnJ3KY
+bHkzeRkHl8hJUrihMrYcn2MxsqKYoWFI1+HB/zIq6h9JGo5YGv5h84+wzZsf
+/oumTMs6HeiUyxFeVhYOZSW+HAlP4E7UX9G6E3jmN0QSuxVk0ShSCXj6SoLg
+ssasFztSqS6OV5GqaC8RHxzoiIfFGgLdKDyVWToqKNaUOKwTWSqeCxS6yORJ
+u1RHa+6c2gbmmdbvmbM9tJyANBeT36/lAMXfy1bpdIERht2y54PhVTKOUeBm
+fy7aQZF0EcKTW41DilBsTcoynqqVlNi82HVY0OzAZ7oLcUw57MwYmfgei5nf
+RhZSuHEKHxl3ri7wBE2vC0ySSUnTSFFPjzPkhWH4B/jfH0hPQvMdm+1Bt0sR
+1f/whyE588QEjwdHV4FpYsZilkh0ZE+mGGOM9f1UqQQtm1I6UBnT2ncsRjVN
+csYt74uMRlCUjZnIKsShuxgFt7RSIUqCV4CAjJKbeHatJ8Y3csNsnN1QuHN5
+w6ZYt20ev6zY4Ac/7FmardokN+V28TUS/Tj8LSf5Nowru2tyirAtE8lXrwVY
+uhPHmGwXz3ZZnBVVyPp656gyjxwZE2gmIaXKx84xGWOdCfpx4gN0WUoQ40zO
+ne6NLJYyMgjlHRxlGPDT//mXjqFgCQtAG7B3sbbhUjryZPtzHM64KaaS//wV
+MxWO0IKqrI0DrASpONoCVH/0MVtbL3mjS6WttAEC50km0X/Ap0k9wePq2cgz
+47py/I4UaOAKCXONhpdB2IDMVxvHs6iM4fgUgEkJNTCGOAiYxfPbNNPJIS22
+A591jPSFZ6HxLPZ9upsVWWkLdfDgcJwCHY/QbjmKURzAoAzajl4kpBowAgXG
+08WHh/7///3/4HUiUm3z7OUW8RpYkgkNdZKFiwAPgliN7L5dzuGoxoewdY3n
+SOcJWsKZKZrlAPWkezpBEVUlCnWixnpjTHBIPyxzYThxJctCwQkTmPFw6FJU
+N2pp5IgUOgEJS+QHfOfsKJnGKFAAk3lwG/BMKgYn2pHDHVpkbKHsJIXiEcI5
+7eF/BnvhPM3IFc9Eg7bD0eozzMKSPSxADYYjyybkUcXcg1hFGvY3xqDckEVy
+jBlSKCt/BCwRT/wYXUSIHbDQDRaJPEGok42uO2H3LYDlVQLjJT3LtBFWamYh
+xB+5nE+gWz+d0jhjKHALndUJSunJbBUsQR2ho5b4+9+qtJVVU8zxMktBn/fs
+YpJ6zEa88P37k0Nr1yJRDks2WDmYwUPwmyQVpzYMhc8guRLrUpGQqMMO9BtQ
+O8MOLKwT3qBKPAP4ToCQotOjpHh5duzxFXAwgU9ILy0N4ChMo0T3I2k2MV1B
+mpNxX0L12MRGZEPE26Z2b0RxRF9fFrfirki4FBFxnxANQsEdayYNgZCOwTAu
+5yCI2lJ9EUSDmbjEeDOZKxiYoJKa8Gh5i56if3xsvBuVxibXqdCayiCk6C4n
+8g6d7JRcVYbTWT4i551AmfzRsOoisQaWqqGHObs1A8hpEZVwdv4A2hGDondo
+g5T6EetYvAdCCqQTtEdQSuGztLSQcfaIR4XuzYnSdgXnS6Vy5nWFlfO2glgS
+gydmbwgvCx4DF0SmK7jD64CD6CWZbxoUTaquAx0JI8NI3dCkFAgPtNF+Iil1
+hDpdge6Ix8gmF4n2TK7K+DqpVhjuNo5nY8p1uJrkKE93ehShjxnnlatkIFNE
++Z1jC+AMsbrMJOzoxjohXNUbRl8AHX2CyHqbpxPSSWYzzhEwrJmf6e5jfQOl
+i0UyRUNAQfdJEReruAACBAHwxBr89lXbKAmQGKB75nB8R3wiUuTEfmAkuuts
+U/xKmL04d4iARrYsRAcSTmLEqNs0X5azlU3DwClxTVmYzBcoINHigHJxhghi
+RljkuayN4JDl9UU4NOF0/xcVCFHfMemBOkQpNEyDhpRw+THwa0jXg8nUQLoW
+WGFnPb46uKkxEjwaSkmiQpF51xh3hcmkEr1lJNrOeJZSTPcVpj8AOjHq0mhX
+t4MO+k/gryvN9rhvVXDEAKnairzYXeFMcLiYtCoPivzlIGBqLIIK4UNNKw/D
+n93Hi5WkHkS6wEi/QN8PSsQpxU/xJIgIVHGBNI8OpR7dJmgMvWxbMaapjJNk
+IkF35ETB5HjWfGI3UQhvHF18Su3i4ZkB3zP8dQxiD2ci2YdFDg7FDlFWqAuP
+Es/d2tDS8HTrQUc0hvgGCeU77kGS7O3MiigvUa64MX5bRGE5DxLfrZkhRj2y
+ROcES8uctU6Rs2wNCUMvuqNvYjsogBqZnJg55U6F7KwwAgz8oCFVwKrXFtjT
+zN5UR9JVpSCWZfMItHuWfvztw1Ww2zdntuC6EFc3y3mcXSGpSe7Wnp/N0cWn
+eb7flpMpkbERiZ26emHEdn+NrYkubnQU9rzAgaazBqiVFtK8Ia9SaoZZBSNz
+ENwmivmWWKUH9SOXWy88tnjQrmZUU7nT8ldXEokJHYBTgkQvsV6WMDm0QhfZ
+YpMTbQOldGtbZFlF1moSimuLfYy6Vps/4Ns9jyfJWglP7IMYnBQmWMdGGTBL
+0KzDsdGQecUhppedmPh8wzOQ7kYmbv8B3qE5FDbO37Vqm7SuwAlbllhlwjHM
+YQJsSeKZGuI56Y2qS1BJt8UVqAc368VmP48OnzUmKZySxusbMZLD8MMOPhcZ
+F8oQr+rT3WUxiwARc6BpET7QcbhSeRNH23tPh9nu6E/TX25Orz98iN9Ef51+
++rn403H87j+vLj+VxcHuSbn186A8Hh3eHUynHSn6AO/TuhzXkWWXVrgAwCbF
+GFYi+oxGJ6Cqu/92P3xLUtaJFrkD6L7GUffNqOeGA4ngJ4vumB3sPN/tyOd7
+g21a372eKjNCwOnhDtKbr4AizFAMjlHwyjMk/s5GWdgiqjRZNxsSHuTzi6oG
+JzIyJPFHxeSL1/s4pe7v9HCvT58NtLoGvW59AJLmDyh3m7BGW8R3YQ4Etiqb
+WALXAtDxm9GN0drgW60ejGgxpLIb6HiJf4iWiu5I/vF3uGRl6WiQ7au61GtT
+osedkttXof+qZt+Esl+jGpBvioT/PLtOJbgb/wbygh5B5EU9IRhu3r6hFk71
+skeSCics2S19Jg6poShISBOv5mVtz0SuQItS+5AJ+V8W7j5F5CdZOUVtA1hQ
+Rjl79rqhZzNLplwlK5Vxg8Dke19NTOT4OqA7Mf0SWCwxmWgkIqmI8F+UAZET
+dQXt4qWtNMKB6+3ypVmkOKs8GTMIKIjsCk0vD2CNPNIivu+TB+f0DQekET6L
+TMnqpYFyP0yvnW2rq5CD2y2a3PEHFkXkA4DzaFVb4n673+jEd9I4IfOoV3ju
+GvVIOJZhXojE00/YY4Dh9BpWVXn4pGZgOTqf4yaucsgkkQHUlARYf9ZFuY46
+ZHARXNGkqFTDNSY38qW8DBVEZThLaaFkXJZMw3EeSaRCWqpF9JirwAgR1pTy
+vjOQ2kjJ3+JaoMXzzxEzZc3bw5Cytu+00Bx6ruVXJgkp6HrI/DwHBRL+qOrj
+VFNwC+kgvUzbrbkIVRk2dIYlwWKMdUdAUwzCWtkBrngCX041To7K1aBtgMxl
+kaZIchk9xg28GwnafMsctuIcD+6C7MSS/m3Mo6WUAZbVC6kl5PRPVzcgE/EV
+OXDjzM09cfUTe1ncT6+UndZuzas8nyVxRnAWM4Opf2Tl6pTl6geC3Fl9M5YN
+vgaNZaA9fD2nJFUgQqsukUN+3MDOHYrsZI5C7gUHXCNratk96UtVwSY+IZEO
+zjjB/q2Os45aFNKcs4Kv0uyKVY2rqgA5u9PzrFjXRZJETPi4ijNhWAZo8Tcf
+w5L5KOEgf+XGyF2MzMZYRreF5GwZw0UtCvsE4X+6TCdsv4cjbYIBwelbNNcA
+KrBQZXgFbNPzcEA8DRo1C/iCpSswtd5xm5WamBKw5m1DEBI3F93xV4HKsmLr
+7CKmVBGhHndZ0Ek+LTqk+rwkqueY+NXKLFTI0yjEQZNfB4ZckrIghTByck6S
+nY4ck6XRvp3diVvBhgJ6+RuO1V8+sheRBBQP499R/IbY+swYOUd1UFEQ5tDq
+CzD0Rgp03Bd205CXA3HACg+gIi/kZXKmltHpyIGi5+yPRKXvUmywFIpkrLCl
+qVA0Qe8wgUoCwvtOAU98B+28pQ2ERsWtKBOVfWBFwg/4kiE6bhhP8xIQan5F
+kbvr9Q7UBGDkYJmhMsvedTux9QihrRm02Vxhf5kTrUI+Fo+o0CSBhHxyt4lk
+DpZwVftCuDlaEkbH6MnAWIM9GdKdI7T5zDQuvLm79eJpMFpViRT/xFcoFjMT
+Xgm8tbpZt+igOeBeSKmMZQtw5GG2DgWuA42GZKGCh9F6B8SxJODzQFyHdF0k
+SLIupKeuB9gLNZMjrAd4YhDScE1MAcceqCVX9M/l6KueR1f4/c+r50KtG8Nw
+8OzZ9tbT3cHeFn2IFMZ8+Ew+RI8hjPvseid+PtoeR5NBshvtXu89jV7EW6No
+vDPZTfaun8bPRs9haHzjTqJTt0aD8fZkJ0rg6ejps+cvong0nkTJ9dZge2d3
+Dz+RSFd+YW9vK3m+u7UVJdsvRtHuYLIbxc8GT6Pd3adP9/Z24ZutQUcWKp6T
+ISpeWB8WpDLgQ0lcWY8Nktxh+JdfeVHAv/BpYy1nhoCWQuVs2x1ldNbIOHRM
+cOZbNaqtBTePaM4nSrIpUC07gLF0OUewu8frNCrt8EEjSqsNhSZRvdwd5M1B
+vBVv/3b1Kb/am2+9f/768tWrt6/eHrz586uP02fRNPplkaQ//jTfe7orKNJQ
+qAmAnt5rDkPUT3hiG3dCxnNfMcSX58kEa9Dwe57W5Z5NZM4mut3d2DZYZRUg
+PNdgfYgOWdY3RXcpogGy9F9rkdFY6iNCSiWx0d6dP5Or7ARIPwndtIJLU7fo
+8xO3bJGkNtYSGvStY6TmktvkJ+hr6Tzi0c3X67kcAXt3B4MtFa8bZW2VSXHw
+j0RYuGOI1Sy1cWxYDfnDhQbP+zHygetW5nh71YlpGIlDFk0TK8a9qtsI0QdZ
+oSKHMcisxKF2nOaTsNvZAPlxfBNjbCAnUO1rhkwphZ7jtdkxGsRJO2nWANZd
+m0K/TpB0I7UlcMvSehVdJcmEyXrw49FluBkvUiGqEcV80UFtDjYGweu8rIah
+fMdBEw6CBi0ZNcnqp5vRj+N0Y2MDo2E3NlrryvrPndFzLfkzzkOo6sJDjZwZ
+WY6XM6O5QOSoQYxgvEX0J42+HljGMi7l81AJOBMk7YZayKn1A/P22hNivJzR
+TUB3FtWD4fhctiIEmPG0YmxQPHoQda2XgaM3TKCNhiFhuuhDawOhJa0CFhIB
+H2/TCSdjS4wrmThICBDDqSkUhVa1z59dkZxuDigocbZSGJFHiGpwuA+S8BWY
+1UqiHolXTvyIwFfjo7mihsZaBvUgPhvlo2CYqC4jMl1p9E0kh4EMKON4Obbx
+LSyZlFXVUmuhst+Vge/2ojQiDB/42dTOIgeKV6uOaOg7aeEieeGkScbhfcVa
+JJYw0UiXwNbQIh2nTS8L63oZEmbVhLW+Jgl66+qcSSwAKrKNClj9wCnhO8Ha
+hqZAZMazeKC2PlGkQYxYgZRjZdUUhXYQTQBlxU0kFZlNoRJxWVorlY11cEF+
+jqGYch2cIzOzSso9uYTrdibCQjFqBpUnEuPB2nMEQCYLrfp5yfiHnSAkDIhd
+shwY4iSM2ng0L54tdC3FXFqh6wYeuYVYga2QCCpVvvh1L9iKrCR+hFJP7qQT
+YKK+CBY0aKEadceVN/uGc1obNbujJbtP4mmokCYi4pB7HDWCt8Rc6XrpAxvY
+LOlkmjXFxJXDnBA5MBqQogBtXE1g3ch2WNHeDelxKYPEVF5jkZK+gdmanWEO
+4WUyB2kDaxMLrstxOoGvXKG68CcygQGSYDWl8FfreK2PQPdD6szSAIvZUj3d
+JIlOl4UNMeUA0yqfJWTIDbtOiaxhuLMVil+jx7EVlxSbDcd4TS5goBu81GH4
+X+JEh8WEfwS5JJ1N6HdO76e5rnCuKzPXf6lr2kwu0RycFmaXRyP4wtlLDHA2
+hW+nS2BrwHrIJpeOsTjjskTfj0CaBmBfp6oR3MQAXd0H/rNs7krncZHOTCcO
+ThqQqE6/qmhXzipRjPWRp9eX2o00gp2+HanYVJhIIWKmeXEqgZP3IdguWoeY
+wJNodGxLkyE6YFV+hyU5ZF5tIjT4DG5qSDZaMYu5ePRdyTdabz0X2KReERUt
+g1MA7rnfe/Z+10Kchm3AoJjdmnJJU/hBPIAq7REs/ZYtMGGyUYRGOhlT2fy1
+sTtO4A5vE2Z1A1Gsdfkh9zMzCSE3ToRgPcgH5cI000KMLIUxdHQXjdAeRDRH
+91avuQsFPJkbSYJeZ/SWHEsx5D6lasG2zBVGLnP65Bjw7MyVEMSENEpQaxAU
+opnIPe1VR0I2k9crKhEL4QCVOLymrmdiuw85NDmVyq2GfpuSsIRfTxqCkglc
+qJuiFmWynOSoY5lSmKW53A5DNjKpVAKw7wXXy4wdGSbMFYSyLpXK5Kvfb6V6
+PSwPsLkZXgCrDwdDh71zEgx6eq6V82g2EQ67UWE2O/4CbLg3FKgADQIwFEVe
+dDsqMfgsF+mRZN70AmfubXN6lnSRkVH5lEM9yWfAnouUuCMug+JjnYi573XV
+06Tqmqd79EhqaA/i6XI2035S/g7caFrDXYdhJ/zXcN2AxGR++J5WRPymFeqP
+m86LaZIr4wNtZxgeEN0zSQhhlyWfIkazDBUfnqcVLhJLHaOM8j3eqG6PolQo
+WPR7ROArop/+wcKOLPLI65JY1fiZx5+uqJo3yMhXZk4Ai0yC9RFwlxx2qB/h
+pW5DnYO0wLjswq/LKPZlzmBh2y/GagSBeZ2CRUsQjM1tsFvj9mNXtDtzeuXj
+Noi7o8kJ0WFX8vAGWti7PTxw80jbfk7jT+l8CfqPQKh+Pu5uWtDbLnfoYxt+
+//33od1aDbEQvs030kzXr48LdedndW/xZFK/N199tQCL/evVwLjmsXh4twbd
+nHX2ndORpx+Pdg6s+GuLS+wrd60uvpardpcajT8zJFkLloxrN1TOXii8QQku
+Uorx7dyXB7lVTeBh+JQiqLLW+YnrMobvuj+rAv2zmASlny8FCussWU79n1BW
+Zr1fCwK1TuVo4BscbFGtFuQjtc0uiN6UN5Q5hvyqlKZraRkk2krFc1gBKLI0
+nmGtSy3xh8p88qlCsYb6CgFpywtMHkpkxDWxEiIPY8eF2g0L6jfM1yQGW/DD
+wBC9kWRkehIWTvCx2nj9BFXfd/RHI2wERsJc69Qa4+CNQRn/yoAd4ibBwuTc
+slCjWSXw+ATrUWaVpSVkJnDqqyD7ZMvnz64/+fMTz5bFpgX3gTOVMuqljsTe
+VFrTQuVZE0LPmhB4XmyyJdQr8wDHk/JS621/2IXnE/Vl5AdtmZa+0KSVlCyG
+7dpSE3hGoFGh+oYWPdfqzar9z7VS5VStRe2YtsgGxqjXynuIBt0YgEpMtQ1A
+kjAVNOEGBCzwUkXJsGzWNxEF6mebfM8VvxpDO4pTHH7M8rusbxJ2wnqBD6nS
+6Xhna+VZUR86x6Ukt24RMb+OCBtnaDnW2qQnyNK1OYIa3ENtAbW3sS2SfB2E
+WsRr3ZQoaZP+miQqh98Cgk/W7mqNAqSiLeuHMNt3JQ1lcBU24LaNc8f8jspe
+sYJqGzuYbgwSZzpOuOcY6nHOyGgn6ofvDi7OjN4mEXQ8xWiJzSzC5QIleLRy
+BM9qmNCOZFSlQzlKrV6PmFqadcye14Z2Sr+547kVMcSgA++zeatWCNbiqsUd
+mOhFfQ+2OIVXoEDz77/jZHvTnpB4ui3pwOmNNAgV62IrW1+SzN0GXm4NL2fw
+RhZ/XFI2lEQ4vhT7PyrD1COBj4rdVVIiQVOmjNGH05f9VIA4nS2LhE1VHzR1
+3BQZEL+dm0TUd0w1DARv74y8thA+wQDgO9ja8OBLcUYSd2ki45RT6R2i6CNS
+VAcD/3WbN2FStTOTCw7EhCcnGMUl5/h0fQZtYn/Ik1je5DOgzw4DNuxaYGsT
+1ntCIe+d9npJ1n2a2GPrGfbS4MZkmWMtDGO8MDYi3EMGI/hQOzvkr2z2q1n9
+8C4Otg2g2P0iRn0JQOpSpEWf7VJ9x67TZ4tw3xhK6BPXXtKjbGoNAaQicMls
+FnFaK868Y2ZuGlokkc+1tViDVD+URLB2qxSODczmTBh43d5AFLzeiQjfAWZx
+wmVjuFYGRbs1zemtGXNi3JNQNDG1NYQFdqett9BrCFIg18w8gA3xJNuS79Zi
+WSzykrNcSRnQ6jluSBLn5Jj4UYPAdfebaZ5m4+n6nHnIwq0T+Ug9DmZ5STSA
+RSncSINGlBjMj2TZqyBpKyy4XkQb320ipNinQPSXBtjd2gm7IKuP0gnQjR5q
+Q/i+WwXR1lDAfEEbhQ2rp49ZmJLRBkH3fWbTLHVAU3WzWdqLdyWpQLxAoI2j
+fLLSVYtTGGQSKu4JcGY1TcgVNjLlXKnA5kqxKc4cTDvCkNx96ToyuRd1LeFP
+7JACa1Nhgi2b9UMKeDstgrI1v603x9GtvQKURePK1W/YIkGpDyjNaxRckgYk
+7OYKmKixU6i9jiVnlrm6Ig5bUdgcSw907QU+ihPrAtSEJASF32a7Bv++AaJw
++C/fNwRfz7TB97DbOWGUQc3QCiRslbEDgkyChgoRgvGgyysj+XbtQ73WKUAh
+uUlHZL0ywo0xhL2REnRW4ghU9kXIAQAawCS7hUz6kQ0XaLaw73hWwdpi3mck
+adfK63VqQDUnwGMjNxNMgAO4Mt82ju4ee0foSdd9Z73tUNODMa/U10hxptSo
+kYRoXikcDHx+JZ85UOo34dg+74UjxBvTuIxXX4KVVWGp00xqbsDdh2NDsxD8
+dgX0FGdrHpiDW4Cs8OgG1cBsWZLNGJyDjE4V7aQP+mV9RVJoTwVgpJpSsU6w
+hA9qA57TWanqXdsB8FBGROSJnREb0BDhUmyMlkpIpy0zORWia5kRKRc/Ks3F
+TMkBU3OuPqcjCvobhA/Rc8rSEUUHdtvPW4VKGaUB0BirvIEQSE6FLses5yGJ
+hLItK9P1akBm7623hjBiY/M0uTLC5dp1SQEcnJC8QPE077TM8UN9jvvM9uun
+8bZSh0NNWhQ7r0rp4V8eJTx6P62S5K/GRMxD+5hTsw/rHk5TLuXkr5E9HfSr
+2Ys4l0J3TtaFfKh63/MaeOq/rBNT2+XTX+8lbc1VdBorBZHW9XV47jHDMB+0
+Nrf6zlo9HK0LrsnVLKmYte77YnQyeSmCMxXsoqUFRmLmb3TpPWuwZo+uZ7H2
+ZCSnhPAaKYajZN0eUZR+yj07Pz9pdOlsi/PiqlASW8UFNN04FtDLbI+pev2M
+wGkd6S2d+1qVVXSTj+GPeLYq09KEe7lxuIEbhwuaABmrbeNRDXOTOb1+xXOs
+XVYlQWxlTLQkA6Hhtps5DLdqsyjt/0IpHE4jLZwZRDbMd8JE+7KlcTMaKOcp
+BbuHJRw+6CT9wO3Fy0ssKQaKAg1lLbXGnybEjXUEE2aGicZVql2hz/WLM/MF
+B+h6/Vm9jYlll4cXe+2+s8UyAYBV6bgchu/YWatKhJ63tQ9zrBBdjHk+YaMe
++fOovJsYZP1AJFmT1KCVVu4xYFTlRsdw20YaOMEY1oQDA2NsRZxXeSahfqBu
+oCWBc9TQvw3rZeeIVlQHIRJkyNFKFb3mIrRCgHFq4L1DYymlY4baQVKXgTZL
+tyoXmXRPWmtGeHOJgtTSGZztlbnXYzPLzYSUc0ayFvdGVpucUzmTkvcp+qak
+XOek+Ijxw0XCpsbmKkaJgT2bYbGNj7QCa9RyDGz0I9dYoUhJ7NfnpQtiGtaS
+SowQZgqdOcow0fvCRG4GVI9KVpPQl5Svo1falAjUkqH1ZB1+9UqPuzMMd7c5
+VQUO+Opr01VoR/LW4/N5xppycV+GC4JKslwwFohVNHxJQ8DfpT8dv//byeBt
+elJubGz80USbgvb3g2QaqYh/pe4iGAC9nFz4zME1L3Ols721/TTa2o62dy8H
+e8Pd7eHOYAM2/R8yKlCcZPKIN/bgjVpyhvAKPjnhPN5RO4kZFHeoG5cQcs8u
+jJke9yQ2iMWQ7Utkpqi4xgEjiRgE2H7LjTTCrj3RfqAH1bfn0ZPmYFiAPZUw
+ugmIZBheVlDItalV4iSOvRTTCPWRjqeYQ2HM4rh8I26ov0QTzirqIaItH8bJ
+et+hii90/YPGAnV/tmq3b/j3C606a6JiPAA4Kc1Tud7acpWNb4pcOwVq7GPQ
+BDgOaPvgIsAmsiJyTb4vk/CA+OHnJ8AxIyz9UmqroFK8QzYAyk1SvKVS/iG9
+AY/MORaRQtVu8rtad+N6rzPcb3sePuMGMG+5y+7YbOES8jsuX0r3UVmk9vLF
+pqnL2SQwFi1b66OWB+sXP6n3lQ7a+0pr6nK9op9p6qpgo/7goxGKzVpsLuBU
+dK5FRsUI7A76ZLt1OBRLbkaAIMktwIKU6j91K4J+Ydp9mkyIGB8m5MW/OHxz
+QJk3yASC4CQj7sWPTPiRMr+u7lhEvE1m+YLEH+tG6+IQvX6wf2J65pUY3adJ
+DzZ95YYQgS6hC9ZAhcNQuysVIGNghSHWOuIZOTmbzcjLwLaI+vz5+HA/2h4c
+HJ8PBo7fcjDYGGx1E3ZRfP589D46PTyH72UBAQtTGCI7s812TdCrUm1352qL
+xMMyoNG6uD7o8AYhgdVmMl3spgZb4bpjpJlj/A8hSgR8C/k9hsQBYwnC0FTg
+lADRKxdoV4hyATVWGxL6ifJl8ypJBfJqEIaqxUkv4fBV2D3A+MUfuVlT3lzS
+tl2SLtJfmpE/r0BIXM4SXRKoJqgXanHh8up2R7Sy+5d0EHYv0ZJOfzWWs9NY
+zra/HClteYUlOK7KZVqZBdEnYyyxhFYIU6nxwQUdht1XyxS4W/uKdhsr2vFX
+NMKXrwSjr2L0MMdkl6JV8bdWy9RzW7+q1xQyfC435BTuDrUF9le111jVrr8q
+GU/Xpcsxy5SLJ3Bavxz+wtS7C42cBRcB7oCm322SfWBTho/m0yLa3WajoS2v
+E/5l3ducWfrXOLLJpb96kotkuEblZDZWyeU+QocSjFu12s33EQbBGT50U01M
+ka9sBVQkXPpoc89besuUV42nKA1JnR99FQ01cOf4NWLHhAOhYgaV0FOJYaJJ
++1iUy0SL89HP+eixRDmF7M9W5ljET0LPiSTlZxwkWUm9c7I8IKpMk5Yf08WC
+lbwiIW1NQqKfhEBbxcRAshEOdm7zqRAWwSG7w+Kw3kIat0ADaL1F9eCUYYKs
+X9z1uOQ1ZDZ0tXuluN72mIxzyhfLNivV9JLS9sPG1shevTPVfgInLahLOUo9
+p+2eq2/jcTipZKzCGz4BgJFMVUPSu+uIN1qBsD/lbWBobbdOTRvP7IBq2CBx
+jad2w2472Wk8uRd2a6SgF/6F8MzWY5r4d+16EkfCNfmiOZiABcEAN/DMDMo4
+PeBqjxkziG9kMViBaE8NFUmvtIhqLhgrt07QEXdWqWxrXi2dHmm6yNg0Ktfb
+aipqUnlNSp2imSi5O2WBLqoVcjMGCa53abTtLuj25NbEz0crNgz28H2tNASy
+JSwvmuXYTtm9rtfUqVcOoc/3zK981VJgilbm5CN5vZO02pxKiWLQM2lXuNAN
+EeTHceZmFIMk6Zj1cC10Dg8JWUNS9pbY9Eb7P2qnG5awglBJrZBdKgmIxJAC
+OUgprJVE5eJ7ebFB8xv5bT/LQHM6ORmGl2jnY6FLxLdYQ3bHibYrvjZJifdL
+s2aW/ZNo/+ASJ4Krg2LuYHsI+FzlGCYwpngFKhoYL3iKlDuRwQQ36fQmIsMJ
+SMRcyJV89Pns1robWijdPVPvDpl+jWNVj/xLYgrp5lTXYXpDmIwono/JSTLR
+aAWHMdh5US04BvTLxljy+bKIOd7MVwquzQOVPKDEs69yv0aU0uZjakeOG+yv
+MxELc8M6VhZt2/hVoDohbdYZTQzwtYss3JoGDuzANVn8nI7IrPLx0rgtQI8b
+vQL+S+EiRobCD7mujSuMP0IS1219vRQubmoLGSuG6ydXBCuWeB+WwU1C/t8h
+ghP4ZR3mFAxIdu5Zh8duCO9MxYT1eGr6Fz+Wlp2eHJ8cRicnX77I9VJbhM+O
+FPe0RLPuBGmJsgHGyzgzBmdiHhKfoq2+LP/nq3747ny/RmD4lntrP8FWV2Mp
+lypk534q9UZoEyxYYctFmZFfwhsTNIbR8pk42epLps4a3stzyVw0BRzcW6z1
+6Ch5My1Jr0JaT51rDIj63CemxS6uGfnFxC0G79V60/4xVOS7VgsAq1WYDFOv
+zf1D9Z9GcfbR6hVkADblXcv2ElCPeKVeBcp7xW9dVasDNdjb2mvUgRrsDbQ4
+lFR1muxgOaf4aTR6Nn4evdgabEeT5HorMiWd4JOvrOr04kWzqlNKZf/18l5p
+8qpX2ekxFvidzq9adomrFzlZorZJwt9T+MmDMGuXFj+jHP09Cuz2HFXH1t5W
+snD4iNqLNfO5h71OfSO3emHDhG4rYRBO2zIgtXtQR/aAltDnTlZSOYIIDefl
+U7Y2aTBWHhTrWmAvr97cFV9Hk5/MFAGlnSyfY2VNICnYGnVcApmg/mKsALNk
+MDNfWonAGP2azNrUOBE2jem4JAdZ52qrzurJANgvyQY+OFKA6T81rLP7HAnq
+2SzO0PP0eG6/mGFgA75sGDz+4VmQHmlqo+KC5Tdwdw1/4PKEpWHu/GfN5Pcw
+c7+gAkmP4OxrpIy4mObSkMdYIOmvBlAeNK2dcbOfR5jVtvthu4HN8A/tHKRr
+kj99iWP9mi645wLKYYKGjVU9aFZjFL5SlHakMBnyMYZHzyVn7pb648wHKvew
+qngWF3AnkhnVfCmRvDglnSkLDREN+ToeNLVqZN2SO49IMxG6CPgQyDIiOSeS
+zEqja00ZPCCnDSIO1695eFDbggv8HZZ6YR2MaIyGy+uIDn2ifUirTNLQOTVO
+yhdz0QBN6C9rDqh4Mim4ppSWO+baaOZ5J3EfV6ZVa3FzlO60s7e3rS6Syxsk
+quEp1RSvZf1X/F08prpC4nCkeYjkROFpjNY4JJrS6j7lr+VN0JFNjbV6AhSg
+i5Qx4P6VXvcqbRpJKa7ESrROc0SyG9D6tFSDB1qJQBJDoSiuKuDg6G1wJqaq
+nFTBl8iaF/WZj/zQgfpAOKF4hSVooaChNT2nwux/LcNNkSMrGzdiI6M0BIJF
+RnLA2mgINVaofQONnemCzYr3TKYPJU6VlIDiL+IZzgKLleJbzbJRfPQXWBF7
+Xwtqh29MQe3w85P1xbadMKp6wXRXZ9A0AO2e5pR8D+64YymwZGPz9eqwc2wW
+W4WqUs+OcrXCcJ80bMUATJaoIeEY3Z2CQtLZEEdiXJIVSBJcmVS00lrKCnZM
+t21xtCkKXAMqyBZodx/tU05UDuNTaDIpBOy1lXVDYujiUHo0LsU7Hp3BWjLi
+0ribJ/Jas8UQNfnkzuazlW02J89Td4lNaYWBATZJWSv1RHZfmpp7VmjNOh1B
+S7MDHDDQwZmCjctVbBMUmITQDQcBCa88WvEk9Mg0NjfEtGo+HIjuqamWBouc
++vHNmvEydj9od6O7dcgphcwr9emEMGG1anGUuwFETmcDbViAFLEyBe9tXyC2
+t8KCX+d3aGLtt024vueAzXXB2OyhpH2XTs36pGw2HLBdoivKsKf8tJoaucAa
+j0qHY7cuoElDtDNYVNT2DHRUpoderZUDRRjgMp1FcllsiQ1H0MEtXWCHJb8f
+xb7TQoC4kNOaotm1gEtmMwNkNPEIVWgJlakZ7UE+IMiv779QaTF07/idPgxB
+W2u1ejcGB2oCMZ0wcDsmwHjMRil8L6kkw1U7XvIbtVxTpze2+6It0YTES169
+cibrhF1yLknMB1pE1M2EqgVQExQCzaB6CRqb0bJWLQ3fUL9EvU4Jo7vVNvOF
+v4P7SDDdSik65YAmkAptxbx0FqpanVhydNFtF3DG9WQxPbHgxEyDF/3AFFTU
+yCYnrNEPWmpxVjAvcHPx3DZ85JLwbzUhiSZ/BFq9rYV00C3TGCYpneniqsJG
+WtK6U9ugyetZTDmIYilXqx0679RLQveNI8wKbg3W7PjBWfs+DSPIBlStqlnS
+ki3ipLZLBLDxffAahy4dqjFRvIWlc0ORdJkUePkMZIR+UOvwrsq0doT3sVAp
+p4dYtVsqZsN3xTTWIDN4+wykQbw7WOWlFO7PxrLEktlRkVMqPKfPm3AeEYtM
+JT5jOCQ5ykhYpK/Mkxg5IfBe29/bFrHI/UWRQTWf8euoXMxizAuBq/bvIHWy
+H50sEFM0hpC5eUjdlekl6soFEjObh9maSiSeBWf2ut2AHsZ/cO/CSgrWGVHZ
+dp5zJ3Gid9OyEbYbhOsDd8Na4K7j4nQqHJitDfXLWjiadL9YcHch5nB9G37g
+9kelKVhxt5F03m6kTSM71/AJ8cjafWHyBUWYxVmmjaNJIyxuE0VjAymRyE22
+qpsAIail6cOueFypePadJybLtcAIzmY1bZsSa5PbJIpdYzLNF4EwCevM09mw
+QgNGqrkNxd1qGxj17szkRIdgfplTucPtgclJPnG2CkwDoHUztBTk8IpvPFB4
+gzoksfv6aVv95B4nft+XPkxZotetq3BXcE+CeEIVYzGWRciPmykemExxXEpb
+kRAUZp2KfhTcOktHRcy6JoxpqlWaWAuxo63ZmOZiUN/4fdKBkcrdsmoeKE9h
+0aC8oWwD2yOG9NBawYO9yC2dABePSxgxraW2MU6neta6tXyUW4VDW99h5SN6
+FPjLMjNZhCZ5sByaNA83w1DMksBXuE+uOQF0ErGlUCd1aktQaWUK81UUhPVL
+dWxuyUXWWfS+ar4ggkrTaVeJW8OiaeO1tZ9tRK7sTogqm8q4AKbbk9WrMy0m
+Yi5hKF3XTfwD1ZXlWtVewWE1tKMbzxEHuDdPTqYYs5p16OckvXDBqPyaQIW8
+OipReqGMwUCid6tcaknJsFoV3LmgDi4xcmwEbm9iEF6X3NMr4aGliG9L6VSM
+/bUBKKfpBIvWnBmo+qo6rWec2A4HES6vMNa1jTB0CXBAzwEWmzaWl28uSIDE
+f4H/ZjxJqZVgKF7WgJ+6AgRSWCyqclNjDA89H+eg/3w+iQ430qS6jji/vdwu
+I/32y5d+YBZqDYCYe6JlLJ0inyHXSDjlehKWv5TS3mF3G0NbjM8yY9tRxvHs
+qBNnIAOOUhZzjZYs6DwBlMxgeQBlLnzIIqPiNRs63lxsEly6dtEE3d5QKQsQ
+7QT1/48RNdsRQ5t4foFZbGJBiC43UzABM3aMnKLeuEmDKZuTTYLQFKpQo7mJ
+IkKM6rpmF7cpthn6XMTGO+U1PMmEqlchdaVeT/w1iw6MeChnWSOl1A9p5dIp
+O4jElkWxg2p4pJsJpGuaBA6p4cI61FCYJNjK1MfDb1sMJdTuEoM06DDWpGxQ
+c7YbwnuyFxpBr8D2UdyrCrOBC66yD/yqe5MvudL8JMbSD5SdCDLkTUka5Jnd
+o1PlNuR0HRQkXsfFhOKSjMH7lEIAgXu8vjgtMXIPtSSjlzKeM9AkzZCspQ5D
+r7XJBZ1DumrZ4lb4yvsFtWxHsaYSJzyDv98UEaQbAnJxiadyLY84Nif2lEtq
+XprcmfplGEKEmd/00CJOCzUOurJb3BiOjtEvt+/VcVFZyanXVSS0VM42dlrE
+GZ1nafphOnTeVwuxza27MNtQYbYyBcxgfZ2gpWSNxFNIyhxB5JgMctyzLQj2
+1dLUsNMCdaGatYDkXhUbWzUO1sxlq2rpyaapus8J87biN64lzvHUziSXQsK5
+2GhsWN8MJFA2IMdiX7TkgqG8MqlUonE5EAWgnPINpGsmAhNfQUe5EfATH02a
+SlJbimMQPpTk2KYrfWjq7sPwvSke12oasYZQ0mMeMIWSYwYzYLyM7mF4qgBP
+m/tGtgsPliKEyPWKC5HZxrZuNo7+bllhQc4RR70CCg6pPyB7a9RSw71+XFvD
+yjphqHMM6WyijIC4wVTAgGyBECoywepDKgNKXW+ZRdMlXqcTCDFfVrFxY8GJ
+fcLYBqCqAYcef0pByUKJfzDntCUcEF5GzllgMWChiwiAo4vtvadY/BMLBDjI
+/2BZ1bBZVjVYW1a1UeL+JcePShlVqZuK3k2pso9lBEzZ1KZoKFiLvTRWIZlC
+SOKnq8ZsdP/shHksitOaxGc7AxKI0RhbliJE1S6/rWRq/RDsWFtzMqYk6V3M
+RlqgHMC/kL7At8tMaB9Vd7J+FFMh4GOiCGGij8N9dNDE45XJrBC3sg1P7pIm
+0edIpx7DtF4pfCM4sD0l/IYNdCmovwBfRF6WrTH+23Iy1QTB+9i6yYzEraBz
+UXcuHrC3l2c9t488V8mNH+58EdzT+SJgUlCzTHkpiYSwstVyETuNn9g7rEy9
+HhrubYIqGwgvwJSRdIoZtLTawF8tYpEzvVgNXWZv6+crv9QIazHVKETIxNnS
+CYR1EQvKgPNOKCHDej/q8yI1wjTcXIIO54SvumrxptXxhoOAkM3VrgYhCj4r
+9RSD1pXWSgiCdm4KCWq/Uea9tfZu2HcOKwljf90D02tDLZ90UvNaUwoyksyw
+gnajEyuheCCFDxKvAR0WLV+P19aCwG1suIUNGZxt1cYQaKe63VEPM9WgGV1I
+ncmxAVOjw4cpAFdRLio3oi84XAxRFo6LGbt0PhK7wcOdSUPqTEom3MBpdwoM
+kHqUOpfQeTGu9S7NrwNtSsomLGmO3WiMSxasJyyKj5sBJcje0Nd7JAHdah+V
+w8yoBRT3dOECdyS97LtqFhqZuuSx6rOthqlcTZtSQRHfdvOnF3ymXeu56jkV
+ESmDwsS3kUnemHwdz3e+rOAZWkd70UrOUlgTku/nkzyGYK8pIWPLMzKU2JdO
+jnfEf/G9k29djCFdsTlMWgqvBKG66bFSiO3WSRhi+272SJoUCciRPNDKYsyT
+LupSgWvSznJQQuGhwilvZh6fzRJevvpn8A2Q8FSkEZM68QW3lGT37OSkZ/Hq
+1GmiTf3X6o2110oOXgtvdwbt06eouiF1GYznkwXXR3cc74jJWUPpau3FSZLA
+6uxxNl2i8cTFW5kbkc6f1na0XjR9EM7wgW1KLg+KeCo0v721OE/V/fy5rSf9
+l14wUe8CMxzqUIEibcbSuGpTXIe41g0ebSbYGlzjTTg4F/tczDGxGUkjCpTG
+Ro1V4HnlJsa2H6AXMUWyT4kifst1E0dOskAlFTjr7bTrNom+e4rSsX5Mwqw5
+xm9sGx80ThizS2MO9/WWlhROv2cqJdV+PHK5qUC+MaK6KAwC3UeYKLBN9EAk
+kbABW/pAfEFSTglv/T51DVE3ndoSjDnFjUVwDS4xvRaJggrfg+DEqbjkV3SS
+EYwGxSmfktSqSVgxeSfmG+uurEYFAsMlSkaGgIqM9gQMUcG0QJStieNgh5NJ
+i8QCYHCMRVWYiOKqXCra9f3vElwgVFPIQy9oWJ60n+dsZfUfUUbZImMN8Qy6
+QL2pWLGUakgpnPCmZAmTf1E0uXgRC+qkbo+WVcCpgTqertRlBdqFhNqrqAPG
+wGJf+sU0+c610ndQoYTyj1ahbdLOCdS64MA/WDVpq+VX75hjOXL7TQZG8uRC
+ZzU+/JINIbi8RnFH9vQFXqXhJ+HJ/tv9NpkE89jj8HK1SBAIKQfYclRZaktW
+2KTqwnlIDSA2fpU4H6qySaDRKnaCsqNvr2rOaFwcMHJaBba5HwZD7Q3Ji7lY
+jir3S78KbRCYYmam3GyJj2Ft2SB4txAUa/vyKONaErWAXnzg+SitXjpFzOLw
+pw8SuiV/XTgNAaQQEcgSXimivhQppjdMRhcArtFKWdCTEr+a3ZS9PsoX7VHI
+uOiLhPnImsBmE9KstWX0hNGwgLhNPEMkyeboDLOzpTpAvco0+ICHNUGwbw9R
+LOocD4jhCAZV8L3mg9aBagMMSTFKx06rGaNcSKD8Ugw20rIYQKZ3yE0UxlbU
+lvI4/AKXchpPYQq26HTLnmw6DI/TmaNTud+c4ixVDsToGp8hTMUjtc8ELNBx
+CvUcJW0TUZczdR4z4b5eFsQ4a2s6uCkwLh9w8W2SZVhmDxAL/VX/K9O/N7Dk
+9IkSgiV6n+jNd6en797iDWF/LgEYjTD6AK9vnzjTmqmC4AD4uPAR4mv05MnR
+5THRELeJOrVD90gJdlOn7yKXdnz5RgrjdUxXGvN6hYIznjj1cAeBkFyP5Nvr
+4up6sq636ImVxa06QSsV4ieV0jR6R8Pto14g+CXMCvAhTL/wW7/LrhpXog+a
+o9tbngtmIl1h630dcixp/kMgJ7HAKVfp6pAK/CEZST8gnv4hCv07P8dw1D8O
+rZiOnzGqHBhUgc/OjYz+e/D7MIqiIf3X+XUIXwBVn8DDJvPkxFbN+J2QDf6p
+FZ3C8TCHBr7h3oKPfEVVGPiadeRNep0Y0L0vAmGGb6QtX23K8oFXARl/V5Ua
+uzWvWS0z+8a7tqrt7/XmpABfqjf7iEE029EOcqSfaNv6xwxjzK4ti7l0vrt3
+INWz8TkSOkmPfS2f6JukyJqoLX8EVc3hwXcsrH71ELgI+KAs7eX1lnPQ+O4x
+oxJ+IZCu5ogVhohwukl3XvbckRw9zR/GdRPhzRCv0ok1BzmjaAi3N4LhnVKk
+nS6jkXUP9bOHl0KRBldUAILAsH+yefpGwsd/Np8+PE5ruiySDTcp9XgWT93R
+WpXvtuFIWa0Ndq6fPmI4ZCG/k5uLDafv2Lzo3eu62Q9exHw6So2VDzWdbg1d
+pwQ6se3Wb8/PrKMojwIWAFcn0ruvjGDVYAI2BkVaNK0fvBMYIs8BFW38oAtr
+73XCaZEvF1wgz+oGamgBddTjelYKp/KA/3J+fPB8sP2UEt84MSYlBd34BYVH
+meXE1Mb2d14ngPsfxllMLZzfW2ya1CIUdcGHCJYJYmsbhQt4P0g8Wyqa4226
+i9ljxzqk+pruH81inYsiblHvNedvse/ciNZCCproZyhIJIkMX4eCa2b4vxAH
+pYocvKC142wNcVIMpKrjo8io1i353SmtI2Ftpal7gwj1KNqO6h4ap2Fp+isv
+iMLNHjGGRcU6urjouA4XAJMASCGXA0FjDD+EgiCMzJpYMvm+Q3Ehgr0cnfZB
+c3RUeGl//lKjAOF0xzcpxiSiQbUR9offwn6obaQNFwy+Nl7QGHnQIWhC5KhV
+NCPpckGNhdAuYMxMWFINg8k0/g70mLukCDqYG5BKJADpv/8mfgmqUp9WXjSM
+Zjh+TFbwGMwwS7xKhJ07TRGz48EF1iGdyDp03Qem6BE8AHdymohRN6GSV3Nb
+Hg3kn8VsWUa+KyowyRcSc1zX470SMe9QBw23N7bk9h99GtNlaz9SiqZ8/vTF
+DoDbLfC/bhR7eGh259tOAcYU94zOjO4+Zl33bP8N/Mrh4EohNjQo282f1jRH
+LNefZuNKW22gnuQ4TLRQGAcDb1LwFZkLTMQExkkxsbbtE62vZSO4dEr/cKQE
+LpV3bQgwRXx4QZhqEnkplmx0WjDG5MbCXBjfoQQWUy2OqWOUrHka3RK8ERem
+U8OMxPM4zQsuxRbTfQc88JL6KgIwe+2n6z0D1+3d2dHby6M3R6dHl+e/6A1N
+gW5hQ3BnEjH4BFoYTS+i5Kk55domyWjJhYwohyTP0GiLESJspw3YL4+wLTGS
+Dc1E6JqssL3uXbwqh/bmNpKuAjEYA62M6Ijvyxx5aQYKOA434uJr6HDnesVo
+ZzSBNqU8r32O/XiEgFJpXtKe2g3Y9fqZnovMdRh5IPHPg4zpSJM4ZGm2soah
+SSBJ6QuYhGiEVtjTwg8UXtfs+GC6u5n2x2oxJ05UO+NEiyM4yDuUb4L2Qydi
+WLPBM1gaxcHlhqPHwXoXfRDQVM3q2xKWwMk0ElRXFMnMyfV4hWEfXEEHd+Ze
+EU7mKtuvxCvMpTMAGdlR6rhum6nodrgrSuAZa2v0S0kouak0fYboS8iGSCKb
+xDKyHCuEqGOl0YNEj02O2vjMvr0ZStkPnO1K6HqzCwrv35YhZDkwsH1PZJMT
+rsrRaF0j5TkuDk4uL8PuxZLi6Q5oTtOko88GRnJ2jldcSoFiotfQMRQ8eMB1
+gkc5Tqsqcr91GFpc46CmHFNlVlFZ4zadecnrJlg5hQ2ZkriL1xBLAOQF3wO0
+a3IFOdpYQIlgi6p0L6JuJlFvPV1+/xZKLhoVFwu7LeY85bFU0o44EaXBOFfF
+rZhrriAdHC+gZcWaBx3bermUZ+pEt1DEkgsgB46Yhsi9IQJsai+1v/qcUGgl
+F9DOlljqlrN4bUUqyi/mvE1ihOxbNn3RMfxE2SkJWVhBYpJnMMEISVM+77Me
+FDgiWK8vRIsyaIkJzWzkbK0ZNgGb+tSzZKO5Re3w4ui3NnTYYKVOM7GM+9V6
+XU1SLyapwI3D0BUrInBT9y4G0uC+ffbUM3l3SAlAtMYKQR7G2kRWGoJXr4jY
+c9xtvOFYShLcYBBz4CCQlPhxQ8WMXEfI3K2ZaHsBFXaMC+w5g7PaJg1A8WNi
+eeUSD7lshVvg8gJAIFmzG+dGwh+WTzUJuw5b+LBzICmodI0PimTC4Qxr2MH6
+550ySGKNikdYTUU6DJowDpXc++rCFvdbT++7HafZPiO/DrSCYpdQ9obIO3V4
+yhjFyYPdb+bs9ChLCzUTwqQlNS293KRGIewkddynwn36EhJqOkwRgbLtP0jM
+EdGb3d1+46ofpSDTWnWSoqcAkf332h/f54gpNiLg+hAna52yMLgAL410yTrg
+1AbYp/C69mbRTmhfnxMjpUE0Rsj1w4f6AUr7v0A7ATpxeRvUTwvJgFOg5/5c
+ZspN06xk6tOF2cp6/zDxpksB86FpZUTFqHdsZ3cvdt9mAfjpyCBtYR+sNe2m
+u8LkKM0Er1G/GSPIG+acdCM9wkr2THsybZwpQjHyAT+Gxw8AOtcNSZxEKxZE
+XuszEGiGAF5qGFOxuRE4wksVxlgEHa1EFsf0ikMRfvgonD5cQ4QFJVWsl4ik
+GHM4kp6kGDoiobc4dKNnHHq1OVDXW5AthqBxm21h5AQoHPf1alRgvbrXeWWk
+LuKPKsj1UX2dsKxzS98ZYRTDGjSPDGEt501GrFpYyhpwM7K1ZxxIfbs1yR5B
+WE/3ICh5mDZ8IK/DJnKYDI8w5ByPrtWDyjlebCT0ksZhNWLK0yMDp0fghkiX
+I9BkQW+ncH5dN6XbUWu7BbnOObMSTx1dx/UN70WDrTnKbdTxUQDuG11s0ARv
+0g2cSokA4F2n4DScBUvLxJIMhAdWjw5pP6Z6vFpMHSsk6wdTyBsZ9Ez5TRZ9
+0P3p3cWRRAOT/sFCrwRPeLnzQFc5t96P5k1b1gAXIs+msxUXJV0iHk5aAt5R
+C3eXi0GZ0g1ciJfJmkDLkM39x0w4yj4gCcaF0wabNI3WbQtxw51cLNBasVZ1
+cAoDinA/n8cYP1hSSRCjZ3k1nd166ERbbuEVTAIs2pocGeEeEyeCylS7pw4P
+ODOpXi8BsW7S5JYDpczwmhUYOHF8NeIxT2JuBmK6W7U0tDJOSTayn9ti1uiN
+gzt8oBukBwJrX+f/wADYEGJ7EB4cn6N3vgoHA3SruO2XrATuNgVQ80TfVITu
+ar8B9NEeeBTYZWaodbkMgKMa/erarvLh9X/BFR+9D08PzzFy4TEtBrrakqDH
+IGlYMZwowv2TiJtkYb0h9f1o7JmZfP8EYx+wtvdGONgmaD3Uf8DvPvB7o6C4
+z6/qdcVbJ96FYbjpkO0uYKZdmTnubU1wT2MCnPI0PT45BMghqB3rqQKMqPVy
+gWJ8yWYx7vHC7vV7Sre3NOzQMXFaLMDuQLet0jpLxGaiJhKVjRrtLkq1+F1y
+21vxXprDfX2lXPQalvvEPBAOVLgJL+/yiJNSTAeHdiFZKiNLmddSpATbIZUz
+j9nVkk1Kx+ikNY2HnP2J/ECiy+rl10E+xVLaJBlIffIV9aT040P5q49cupwE
+3iiOQPSMpHWlltqm6c60Lfb9ld6bnT4pHsRsr73Y++Peqtd7b74lckveKPi+
+9XR30Cj4Dh8+8wu+jwbjbSz6HlHVdyzwHo3GkyS63rIl37+y4Lv2RXULvl8n
+IJ5eYRIe5gbgVr1a734Vd2mUSo9dcfT211VzN3k7CLubOAKkGGa7oz9Nf7k5
+vf7wIX4T/XX66efiT8fxu6vLT2VxsHtSbv08KI9Hh3cH0ykPYrJ9nEHeHMRb
+8fZvV5/yq7351vvnry9fvXr76u3Bmz+/+jh9Fk2jXxZJ+uNP872nuw4MJPwH
+z0D6zNaDcXAO8QobFNR63lICx9yLvuow6PPru9fKsf7jlWKjpNbzxWquUrnt
+6zG6hmUPI3Pthfvw+N62BYjFT9uw+Ok/HYu3m1hsCqRzGfKvblcw8NsVSDFz
+pyufqbD+GCyv4dbzF49GrUsyi2OkILKeWjOxjY2NaIs6ijUvba2vlzy6HXZr
+kOnxPA7f2B62dgQlsVSbDO5LN8C1xhbrXlzXOtTWpLtzy5YHse0xoM1Ds0mt
+0Z02I8T8A+RIA6+PpunLeP/dqXcUpNuAUm6kbenar9Bj36vfpNb3MOQcO2N9
+I0/gu3S9F8VPR88i7PkRwWW6jpzLNPBuUzwYbY93AOERb/A/W/Y/8tPCE9Y1
+rFvPGVr7jz7mqtx3KegBL6hRpxLQR7c7G4P/QYzF3GJE0m2/tSrKoH8HovqI
+8ygc9V95FHqiIh0VSyzN2IKh21stGPp865+OoS30vt4m0Sf4j8L6Wn+aRrPa
+fw724qEAqKPb7Y0avuyA/mhpodcC9xvwpXGSj0KZxluPwhqyQ7ThS5t88Pzp
+Px1fdpr40myZ+dUYs+1jzJpuwv8QrKnJD7t72zsequzWOxJ/A4I4h/Yo1HCe
+fwAp2jr9tmDHzqAFO14M/unYsdvEjvZWqV+NIbWeVy2dnf8h2NHGpc5Xg1+u
+3+Uftv+8ONg7/evz1x9//NvbTzuTNy9uX8W75fvfjp6l/15t3Z39x9inOnth
+t7WftBH5vha71p/+A2i2/sUH8O0hNWWvBdH2Bv98RNtrIlqt0+5XY9iuj2Fr
+mnX/XW3VHn0qXn00WD+7NL+igXcH3vj12zUjpx2YbfpFusuQjNdSlQCrS48x
+c6Dmc+jX3cH6XChdC/r6ix2BbjQr72t6cd/T0TdoVG1qbefbpu49soG0Vfoe
+6CItDz6mlbQ8+th+0vL4VzSVxmK26BiQKJZ6a+20pLOmJP6kWJkuCo5jmAsw
+aodvgjJmKT7uTlOQAkfNUBwttUVWF4LThe6BTtWBqb1NyjM7hQQLMEKDm9WY
+lubsT/bt4oEMoBg11a4gRlPfGdomXzZdjcb6KU/XRkJYfZt8itVdLlWoWtp7
+CW5TOUOukFxr8tVuj+BWv9QNlxAidH7+E7HD/aCBrqGHlEGXC3npT5dPx3GZ
+9fDjWQqXAZBg1ZhwszZhA5O9/rQ9hxnit2hfXjzOvtzSFtT4Gx7dSLT2xrf3
+EUWBu82E8Pzv7CN6PUjgIo2JLe0+WqTyYOzxOeYT7qjb96l9tWd31olehpmo
+fE79S1u6Dn+rDCbpPB5Dcvq8SLjOXW76mnntKimOyunOTDiuoe0Gl/0SjX47
+y/VNrZ+E++OPWX6HeMGhJ2u91ew4o0hy6TTKOTdII3A1lMelKRBp4STExLOA
+Ylzzlq47SEHEBMgtFN0uU0xEsWgMhj2Q87OREsSJIGz6M1+eUWsm/iZw0nXC
+B9J1GjUmAq0xkZaSwhP8H87LKTz1IQEA
 
 -->