From ff795c72e6ef0e6b89feb90b8ed99fa8f1070e29 Mon Sep 17 00:00:00 2001
From: Christian Nennemann <christian@nennemann.de>
Date: Wed, 25 Feb 2026 21:59:16 +0100
Subject: [PATCH] Implement peer review feedback for
 draft-nennemann-wimse-ect-00

Address 11 items from peer review:
- Fix area designation from Security to ART (WIMSE is in ART area)
- Switch inp_hash/out_hash to fixed SHA-256 without algorithm prefix,
  matching DPoP (RFC 9449) and WIMSE WPT tth claim patterns
- Add partial DAG verification guidance for unavailable parents
- Add DAG integrity attacks subsection (false parents, pruning, shadow DAGs)
- Add privilege escalation subsection (ECTs are not authorization)
- Add revocation propagation semantics through the DAG
- Add W3C PROV Data Model to Related Work
- Strengthen Txn-Token differentiation with fan-in/convergence bullet
- Add explicit token binding paragraph to replay prevention
- Switch verification step 3 to algorithm allowlist model
- Add par/ext claim naming justification notes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 draft-nennemann-wimse-ect-00.html | 238 ++++++--
 draft-nennemann-wimse-ect-00.md   | 152 +++++-
 draft-nennemann-wimse-ect-00.txt  | 594 +++++++++++---------
 draft-nennemann-wimse-ect-00.xml  | 871 ++++++++++++++++++------------
 4 files changed, 1194 insertions(+), 661 deletions(-)

diff --git a/draft-nennemann-wimse-ect-00.html b/draft-nennemann-wimse-ect-00.html
index 3272aaf..2161056 100644
--- a/draft-nennemann-wimse-ect-00.html
+++ b/draft-nennemann-wimse-ect-00.html
@@ -1402,6 +1402,9 @@ existing WIMSE headers.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
 </li>
               <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.2">
                 <p id="section-toc.1-1.6.2.2.1"><a href="#section-6.2" class="auto internal xref">6.2</a>.  <a href="#name-validation-rules" class="internal xref">Validation Rules</a></p>
+</li>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.3">
+                <p id="section-toc.1-1.6.2.3.1"><a href="#section-6.3" class="auto internal xref">6.3</a>.  <a href="#name-handling-unavailable-parent" class="internal xref">Handling Unavailable Parent ECTs</a></p>
 </li>
             </ul>
 </li>
@@ -1444,13 +1447,19 @@ existing WIMSE headers.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
                 <p id="section-toc.1-1.9.2.8.1"><a href="#section-9.8" class="auto internal xref">9.8</a>.  <a href="#name-collusion-and-false-claims" class="internal xref">Collusion and False Claims</a></p>
 </li>
               <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.9">
-                <p id="section-toc.1-1.9.2.9.1"><a href="#section-9.9" class="auto internal xref">9.9</a>.  <a href="#name-denial-of-service" class="internal xref">Denial of Service</a></p>
+                <p id="section-toc.1-1.9.2.9.1"><a href="#section-9.9" class="auto internal xref">9.9</a>.  <a href="#name-dag-integrity-attacks" class="internal xref">DAG Integrity Attacks</a></p>
 </li>
               <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.10">
-                <p id="section-toc.1-1.9.2.10.1"><a href="#section-9.10" class="auto internal xref">9.10</a>. <a href="#name-timestamp-accuracy" class="internal xref">Timestamp Accuracy</a></p>
+                <p id="section-toc.1-1.9.2.10.1"><a href="#section-9.10" class="auto internal xref">9.10</a>. <a href="#name-privilege-escalation-via-ec" class="internal xref">Privilege Escalation via ECTs</a></p>
 </li>
               <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.11">
-                <p id="section-toc.1-1.9.2.11.1"><a href="#section-9.11" class="auto internal xref">9.11</a>. <a href="#name-ect-size-constraints" class="internal xref">ECT Size Constraints</a></p>
+                <p id="section-toc.1-1.9.2.11.1"><a href="#section-9.11" class="auto internal xref">9.11</a>. <a href="#name-denial-of-service" class="internal xref">Denial of Service</a></p>
+</li>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.12">
+                <p id="section-toc.1-1.9.2.12.1"><a href="#section-9.12" class="auto internal xref">9.12</a>. <a href="#name-timestamp-accuracy" class="internal xref">Timestamp Accuracy</a></p>
+</li>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.13">
+                <p id="section-toc.1-1.9.2.13.1"><a href="#section-9.13" class="auto internal xref">9.13</a>. <a href="#name-ect-size-constraints" class="internal xref">ECT Size Constraints</a></p>
 </li>
             </ul>
 </li>
@@ -1517,7 +1526,10 @@ existing WIMSE headers.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
                 <p id="section-toc.1-1.14.2.4.1"><a href="#appendix-B.4" class="auto internal xref"></a><a href="#name-distributed-tracing-opentel" class="internal xref">Distributed Tracing (OpenTelemetry)</a></p>
 </li>
               <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.14.2.5">
-                <p id="section-toc.1-1.14.2.5.1"><a href="#appendix-B.5" class="auto internal xref"></a><a href="#name-scitt-supply-chain-integrit" class="internal xref">SCITT (Supply Chain Integrity, Transparency, and Trust)</a></p>
+                <p id="section-toc.1-1.14.2.5.1"><a href="#appendix-B.5" class="auto internal xref"></a><a href="#name-w3c-provenance-data-model-p" class="internal xref">W3C Provenance Data Model (PROV)</a></p>
+</li>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.14.2.6">
+                <p id="section-toc.1-1.14.2.6.1"><a href="#appendix-B.6" class="auto internal xref"></a><a href="#name-scitt-supply-chain-integrit" class="internal xref">SCITT (Supply Chain Integrity, Transparency, and Trust)</a></p>
 </li>
             </ul>
 </li>
@@ -2036,7 +2048,9 @@ a root task with no dependencies.  A workflow <span class="bcp14">MAY</span> con
 multiple root tasks.  Parent ECTs may have passed their own
 "exp" time; ECT expiration applies to the verification window
 of the ECT itself, not to its validity as a parent reference
-in the ECT store.<a href="#section-4.2.2-2.6.1" class="pilcrow">¶</a></p>
+in the ECT store.  Note: "par" is not a registered JWT claim
+and does not conflict with OAuth Pushed Authorization Requests
+(RFC 9126), which defines an endpoint, not a token claim.<a href="#section-4.2.2-2.6.1" class="pilcrow">¶</a></p>
 </dd>
           <dd class="break"></dd>
 </dl>
@@ -2052,22 +2066,19 @@ inputs and outputs without revealing the data itself:<a href="#section-4.2.3-1"
 <span class="break"></span><dl class="dlParallel" id="section-4.2.3-2">
             <dt id="section-4.2.3-2.1">inp_hash:</dt>
             <dd style="margin-left: 1.5em" id="section-4.2.3-2.2">
-              <p id="section-4.2.3-2.2.1"><span class="bcp14">OPTIONAL</span>.  String.  A cryptographic hash of the input data,
-formatted as "hash-algorithm:base64url-encoded-hash" (e.g.,
-"sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg").  The
-hash algorithm identifier <span class="bcp14">MUST</span> be a lowercase value from the
-IANA Named Information Hash Algorithm Registry (e.g., "sha-256",
-"sha-384", "sha-512").  Implementations <span class="bcp14">MUST</span> support "sha-256"
-and <span class="bcp14">SHOULD</span> use "sha-256" unless a stronger algorithm is
-required.  Implementations <span class="bcp14">MUST NOT</span> accept hash algorithms
-weaker than SHA-256 (e.g., MD5, SHA-1).  The hash <span class="bcp14">MUST</span> be
-computed over the raw octets of the input data.<a href="#section-4.2.3-2.2.1" class="pilcrow">¶</a></p>
+              <p id="section-4.2.3-2.2.1"><span class="bcp14">OPTIONAL</span>.  String.  The base64url encoding (without padding) of
+the SHA-256 hash of the input data, computed over the raw octets
+of the input.  This follows the same fixed-algorithm pattern
+used by the DPoP "ath" claim <span>[<a href="#RFC9449" class="cite xref">RFC9449</a>]</span> and the WIMSE WPT
+"tth" claim <span>[<a href="#I-D.ietf-wimse-s2s-protocol" class="cite xref">I-D.ietf-wimse-s2s-protocol</a>]</span>: SHA-256 is the
+mandatory algorithm with no algorithm prefix in the value.<a href="#section-4.2.3-2.2.1" class="pilcrow">¶</a></p>
 </dd>
             <dd class="break"></dd>
 <dt id="section-4.2.3-2.3">out_hash:</dt>
             <dd style="margin-left: 1.5em" id="section-4.2.3-2.4">
-              <p id="section-4.2.3-2.4.1"><span class="bcp14">OPTIONAL</span>.  String.  A cryptographic hash of the output data,
-using the same format and algorithm requirements as "inp_hash".<a href="#section-4.2.3-2.4.1" class="pilcrow">¶</a></p>
+              <p id="section-4.2.3-2.4.1"><span class="bcp14">OPTIONAL</span>.  String.  The base64url encoding (without padding) of
+the SHA-256 hash of the output data, using the same format as
+"inp_hash".<a href="#section-4.2.3-2.4.1" class="pilcrow">¶</a></p>
 </dd>
           <dd class="break"></dd>
 </dl>
@@ -2081,9 +2092,12 @@ using the same format and algorithm requirements as "inp_hash".<a href="#section
 <span class="break"></span><dl class="dlParallel" id="section-4.2.4-1">
             <dt id="section-4.2.4-1.1">ext:</dt>
             <dd style="margin-left: 1.5em" id="section-4.2.4-1.2">
-              <p id="section-4.2.4-1.2.1"><span class="bcp14">OPTIONAL</span>.  Object.  An extension object for domain-specific
-claims not defined by this specification.  Implementations
-that do not understand extension claims <span class="bcp14">MUST</span> ignore them.<a href="#section-4.2.4-1.2.1" class="pilcrow">¶</a></p>
+              <p id="section-4.2.4-1.2.1"><span class="bcp14">OPTIONAL</span>.  Object.  A general-purpose extension object for
+domain-specific claims not defined by this specification.  The
+short name "ext" follows the JWT convention of concise claim
+names and is chosen over alternatives like "extensions" for
+compactness.  Implementations that do not understand extension
+claims <span class="bcp14">MUST</span> ignore them.<a href="#section-4.2.4-1.2.1" class="pilcrow">¶</a></p>
 </dd>
           <dd class="break"></dd>
 </dl>
@@ -2123,8 +2137,12 @@ future documents.<a href="#section-4.2.4-3" class="pilcrow">¶</a></p>
   "exec_act": "recommend_treatment",
   "par": [],
 
-  "inp_hash": "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
-  "out_hash": "sha-256:LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564"
+  "inp_hash": "n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
+  "out_hash": "LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
+
+  "ext": {
+    "com.example.trace_id": "abc123"
+  }
 }
 </pre>
 </div>
@@ -2251,6 +2269,35 @@ implementations <span class="bcp14">SHOULD</span> enforce a maximum ancestor tra
 detection completes, the ECT <span class="bcp14">SHOULD</span> be rejected.<a href="#section-6.2-3" class="pilcrow">¶</a></p>
 </section>
 </div>
+<div id="handling-unavailable-parent-ects">
+<section id="section-6.3">
+        <h3 id="name-handling-unavailable-parent">
+<a href="#section-6.3" class="section-number selfRef">6.3. </a><a href="#name-handling-unavailable-parent" class="section-name selfRef">Handling Unavailable Parent ECTs</a>
+        </h3>
+<p id="section-6.3-1">In distributed deployments, a parent ECT referenced in the "par"
+array may not yet be available in the local ECT store at the time
+of validation — for example, due to replication lag in a
+distributed ledger or out-of-order message delivery.<a href="#section-6.3-1" class="pilcrow">¶</a></p>
+<p id="section-6.3-2">Implementations <span class="bcp14">MUST</span> distinguish between two cases:<a href="#section-6.3-2" class="pilcrow">¶</a></p>
+<ol start="1" type="1" class="normal type-1" id="section-6.3-3">
+<li id="section-6.3-3.1">
+            <p id="section-6.3-3.1.1">Parent not found and definitively absent: The parent "jti"
+does not exist in any accessible ECT store.  The ECT <span class="bcp14">MUST</span> be
+rejected.<a href="#section-6.3-3.1.1" class="pilcrow">¶</a></p>
+</li>
+          <li id="section-6.3-3.2">
+            <p id="section-6.3-3.2.1">Parent not yet available: The parent "jti" is not present
+locally but may arrive due to known replication delays.
+Implementations <span class="bcp14">MAY</span> defer validation for a bounded period
+(<span class="bcp14">RECOMMENDED</span>: no more than 60 seconds).<a href="#section-6.3-3.2.1" class="pilcrow">¶</a></p>
+</li>
+        </ol>
+<p id="section-6.3-4">Deferred ECTs <span class="bcp14">MUST NOT</span> be treated as verified until all parent
+references are resolved.  If any parent reference remains
+unresolved after the deferral period or after the ECT's own "exp"
+time (whichever comes first), the ECT <span class="bcp14">MUST</span> be rejected.<a href="#section-6.3-4" class="pilcrow">¶</a></p>
+</section>
+</div>
 </section>
 </div>
 <div id="verification">
@@ -2274,8 +2321,12 @@ payload, and signature components per <span>[<a href="#RFC7515" class="cite xref
             <p id="section-7.1-2.2.1">Verify that the "typ" header parameter is "wimse-exec+jwt".<a href="#section-7.1-2.2.1" class="pilcrow">¶</a></p>
 </li>
           <li id="section-7.1-2.3">
-            <p id="section-7.1-2.3.1">Verify that the "alg" header parameter is not "none" and is
-not a symmetric algorithm.<a href="#section-7.1-2.3.1" class="pilcrow">¶</a></p>
+            <p id="section-7.1-2.3.1">Verify that the "alg" header parameter appears in the
+verifier's configured allowlist of accepted signing algorithms.
+The allowlist <span class="bcp14">MUST NOT</span> include "none" or any symmetric
+algorithm (e.g., HS256, HS384, HS512).  Implementations <span class="bcp14">MUST</span>
+include ES256 in the allowlist; additional asymmetric algorithms
+<span class="bcp14">MAY</span> be included per deployment policy.<a href="#section-7.1-2.3.1" class="pilcrow">¶</a></p>
 </li>
           <li id="section-7.1-2.4">
             <p id="section-7.1-2.4.1">Verify the "kid" header parameter references a known, valid
@@ -2500,6 +2551,11 @@ with the same action can be flagged as a potential replay.<a href="#section-9.5-
 <p id="section-9.5-3">Implementations <span class="bcp14">MUST</span> maintain a cache of recently-seen "jti"
 values to detect replayed ECTs within the expiration window.
 An ECT with a duplicate "jti" value <span class="bcp14">MUST</span> be rejected.<a href="#section-9.5-3" class="pilcrow">¶</a></p>
+<p id="section-9.5-4">Additionally, each ECT is cryptographically bound to the issuing
+agent via the JOSE "kid" parameter, which references the agent's
+WIT public key.  Verifiers <span class="bcp14">MUST</span> confirm that the "kid" resolves
+to the "iss" agent's key (step 8 in <a href="#verification" class="auto internal xref">Section 7</a>), preventing
+one agent from replaying another agent's ECT as its own.<a href="#section-9.5-4" class="pilcrow">¶</a></p>
 </section>
 </div>
 <div id="man-in-the-middle-protection">
@@ -2556,6 +2612,15 @@ compromised key and issue a new WIT with a fresh key pair.<a href="#section-9.7-
 ledger before revocation remain valid historical records but <span class="bcp14">SHOULD</span>
 be flagged in the ledger as "signed with subsequently revoked key"
 for audit purposes.<a href="#section-9.7-3" class="pilcrow">¶</a></p>
+<p id="section-9.7-4">ECT revocation does not propagate through the DAG.  If a parent
+ECT's signing key is later revoked, child ECTs that were verified
+and recorded before that revocation remain valid — they captured
+a legitimate execution record at the time of issuance.  However,
+auditors reviewing a workflow <span class="bcp14">SHOULD</span> flag any ECT in the DAG
+whose signing key was subsequently revoked, so that the scope of
+a potential compromise can be assessed.  New ECTs <span class="bcp14">MUST NOT</span> be
+created with a "par" reference to an ECT whose signing key is
+known to be revoked at creation time.<a href="#section-9.7-4" class="pilcrow">¶</a></p>
 </section>
 </div>
 <div id="collusion-and-false-claims">
@@ -2584,54 +2649,110 @@ contents against expected workflow patterns.<a href="#section-9.8-3.3.1" class="
         </ul>
 </section>
 </div>
-<div id="denial-of-service">
+<div id="dag-integrity-attacks">
 <section id="section-9.9">
-        <h3 id="name-denial-of-service">
-<a href="#section-9.9" class="section-number selfRef">9.9. </a><a href="#name-denial-of-service" class="section-name selfRef">Denial of Service</a>
+        <h3 id="name-dag-integrity-attacks">
+<a href="#section-9.9" class="section-number selfRef">9.9. </a><a href="#name-dag-integrity-attacks" class="section-name selfRef">DAG Integrity Attacks</a>
         </h3>
-<p id="section-9.9-1">ECT signature verification is computationally inexpensive
+<p id="section-9.9-1">Because the DAG structure is the primary mechanism for establishing
+execution ordering, attackers may attempt to manipulate it:<a href="#section-9.9-1" class="pilcrow">¶</a></p>
+<ul class="normal">
+<li class="normal" id="section-9.9-2.1">
+            <p id="section-9.9-2.1.1">False parent references: A malicious agent creates an ECT that
+references parent tasks from an unrelated workflow, inserting
+itself into a legitimate execution history.  DAG validation
+(<a href="#dag-validation" class="auto internal xref">Section 6</a>) mitigates this by requiring parent existence
+in the ECT store, and the "wid" claim scopes parent references
+to a single workflow when present.<a href="#section-9.9-2.1.1" class="pilcrow">¶</a></p>
+</li>
+          <li class="normal" id="section-9.9-2.2">
+            <p id="section-9.9-2.2.1">Parent omission (pruning): An agent deliberately omits one or
+more actual parent dependencies from the "par" array to hide
+that certain tasks influenced its output.  Because ECTs are
+self-asserted (<a href="#self-assertion-limitation" class="auto internal xref">Section 9.2</a>), no mechanism can
+force an agent to declare all dependencies.  External auditors
+can detect omission by comparing the declared DAG against
+expected workflow patterns.<a href="#section-9.9-2.2.1" class="pilcrow">¶</a></p>
+</li>
+          <li class="normal" id="section-9.9-2.3">
+            <p id="section-9.9-2.3.1">Shadow DAGs: Multiple colluding agents fabricate an entire
+execution history by creating a sequence of ECTs with mutual
+parent references.  Independent ledger maintenance and
+cross-verification (see <a href="#collusion-and-false-claims" class="auto internal xref">Section 9.8</a> above)
+are the primary mitigations.<a href="#section-9.9-2.3.1" class="pilcrow">¶</a></p>
+</li>
+        </ul>
+<p id="section-9.9-3">Verifiers <span class="bcp14">SHOULD</span> validate that the declared "wid" of parent ECTs
+matches the "wid" of the child ECT, rejecting cross-workflow
+parent references unless explicitly permitted by deployment
+policy.<a href="#section-9.9-3" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="privilege-escalation-via-ects">
+<section id="section-9.10">
+        <h3 id="name-privilege-escalation-via-ec">
+<a href="#section-9.10" class="section-number selfRef">9.10. </a><a href="#name-privilege-escalation-via-ec" class="section-name selfRef">Privilege Escalation via ECTs</a>
+        </h3>
+<p id="section-9.10-1">ECTs record execution history; they do not convey authorization.
+Verifiers <span class="bcp14">MUST NOT</span> interpret the presence of an ECT, or a
+particular set of parent references in "par", as an authorization
+grant.  The "par" claim demonstrates that predecessor tasks were
+recorded, not that the current agent is authorized to act on
+their outputs.  Authorization decisions <span class="bcp14">MUST</span> remain with the
+identity and authorization layer (WIT, WPT, and deployment
+policy).  As noted in <span>[<a href="#I-D.ni-wimse-ai-agent-identity" class="cite xref">I-D.ni-wimse-ai-agent-identity</a>]</span>,
+AI intermediaries introduce novel escalation vectors; ECTs
+<span class="bcp14">MUST NOT</span> be used to circumvent authorization boundaries.<a href="#section-9.10-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="denial-of-service">
+<section id="section-9.11">
+        <h3 id="name-denial-of-service">
+<a href="#section-9.11" class="section-number selfRef">9.11. </a><a href="#name-denial-of-service" class="section-name selfRef">Denial of Service</a>
+        </h3>
+<p id="section-9.11-1">ECT signature verification is computationally inexpensive
 (approximately 1ms per ECT on modern hardware for ES256).  DAG
 validation complexity is O(V) where V is the number of ancestor
 nodes reachable from the parent references; for typical shallow
-DAGs this is efficient.<a href="#section-9.9-1" class="pilcrow">¶</a></p>
-<p id="section-9.9-2">Implementations <span class="bcp14">SHOULD</span> apply rate limiting at the API layer to
+DAGs this is efficient.<a href="#section-9.11-1" class="pilcrow">¶</a></p>
+<p id="section-9.11-2">Implementations <span class="bcp14">SHOULD</span> apply rate limiting at the API layer to
 prevent excessive ECT submissions.  DAG validation <span class="bcp14">SHOULD</span> be
 performed after signature verification to avoid wasting resources
-on unsigned or incorrectly signed tokens.<a href="#section-9.9-2" class="pilcrow">¶</a></p>
+on unsigned or incorrectly signed tokens.<a href="#section-9.11-2" class="pilcrow">¶</a></p>
 </section>
 </div>
 <div id="timestamp-accuracy">
-<section id="section-9.10">
+<section id="section-9.12">
         <h3 id="name-timestamp-accuracy">
-<a href="#section-9.10" class="section-number selfRef">9.10. </a><a href="#name-timestamp-accuracy" class="section-name selfRef">Timestamp Accuracy</a>
+<a href="#section-9.12" class="section-number selfRef">9.12. </a><a href="#name-timestamp-accuracy" class="section-name selfRef">Timestamp Accuracy</a>
         </h3>
-<p id="section-9.10-1">ECTs rely on timestamps ("iat", "exp") for temporal ordering.
+<p id="section-9.12-1">ECTs rely on timestamps ("iat", "exp") for temporal ordering.
 Clock skew between agents can lead to incorrect ordering
 judgments.  Implementations <span class="bcp14">SHOULD</span> use synchronized time sources
 (e.g., NTP) and <span class="bcp14">SHOULD</span> allow a configurable clock skew tolerance
-(<span class="bcp14">RECOMMENDED</span>: 30 seconds).<a href="#section-9.10-1" class="pilcrow">¶</a></p>
-<p id="section-9.10-2">Cross-organizational deployments where agents span multiple trust
+(<span class="bcp14">RECOMMENDED</span>: 30 seconds).<a href="#section-9.12-1" class="pilcrow">¶</a></p>
+<p id="section-9.12-2">Cross-organizational deployments where agents span multiple trust
 domains with independent time sources <span class="bcp14">MAY</span> require a higher clock
 skew tolerance.  Deployments using trust domain federation <span class="bcp14">SHOULD</span>
 document their configured clock skew tolerance value and <span class="bcp14">SHOULD</span>
-ensure all participating trust domains agree on a common tolerance.<a href="#section-9.10-2" class="pilcrow">¶</a></p>
-<p id="section-9.10-3">The temporal ordering check in DAG validation incorporates the
+ensure all participating trust domains agree on a common tolerance.<a href="#section-9.12-2" class="pilcrow">¶</a></p>
+<p id="section-9.12-3">The temporal ordering check in DAG validation incorporates the
 clock skew tolerance to account for minor clock differences
-between agents.<a href="#section-9.10-3" class="pilcrow">¶</a></p>
+between agents.<a href="#section-9.12-3" class="pilcrow">¶</a></p>
 </section>
 </div>
 <div id="ect-size-constraints">
-<section id="section-9.11">
+<section id="section-9.13">
         <h3 id="name-ect-size-constraints">
-<a href="#section-9.11" class="section-number selfRef">9.11. </a><a href="#name-ect-size-constraints" class="section-name selfRef">ECT Size Constraints</a>
+<a href="#section-9.13" class="section-number selfRef">9.13. </a><a href="#name-ect-size-constraints" class="section-name selfRef">ECT Size Constraints</a>
         </h3>
-<p id="section-9.11-1">ECTs with many parent tasks or large extension objects can
+<p id="section-9.13-1">ECTs with many parent tasks or large extension objects can
 increase HTTP header size.  Implementations <span class="bcp14">SHOULD</span> limit the "par"
 array to a maximum of 256 entries.  Workflows requiring more
 parent references <span class="bcp14">SHOULD</span> introduce intermediate aggregation
 tasks.  The "ext" object <span class="bcp14">SHOULD NOT</span> exceed 4096 bytes when
 serialized as JSON and <span class="bcp14">SHOULD NOT</span> exceed a nesting depth of
-5 levels (see also <a href="#extension-claims" class="auto internal xref">Section 4.2.4</a>).<a href="#section-9.11-1" class="pilcrow">¶</a></p>
+5 levels (see also <a href="#extension-claims" class="auto internal xref">Section 4.2.4</a>).<a href="#section-9.13-1" class="pilcrow">¶</a></p>
 </section>
 </div>
 </section>
@@ -3000,6 +3121,10 @@ the "JSON Web Token Claims" registry maintained by IANA:<a href="#section-11.3-1
         <dd>
 <span class="refAuthor">Backman, A., Ed.</span>, <span class="refAuthor">Richer, J., Ed.</span>, and <span class="refAuthor">M. Sporny</span>, <span class="refTitle">"HTTP Message Signatures"</span>, <span class="seriesInfo">RFC 9421</span>, <span class="seriesInfo">DOI 10.17487/RFC9421</span>, <time datetime="2024-02" class="refDate">February 2024</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc9421">https://www.rfc-editor.org/rfc/rfc9421</a>&gt;</span>. </dd>
 <dd class="break"></dd>
+<dt id="RFC9449">[RFC9449]</dt>
+        <dd>
+<span class="refAuthor">Fett, D.</span>, <span class="refAuthor">Campbell, B.</span>, <span class="refAuthor">Bradley, J.</span>, <span class="refAuthor">Lodderstedt, T.</span>, <span class="refAuthor">Jones, M.</span>, and <span class="refAuthor">D. Waite</span>, <span class="refTitle">"OAuth 2.0 Demonstrating Proof of Possession (DPoP)"</span>, <span class="seriesInfo">RFC 9449</span>, <span class="seriesInfo">DOI 10.17487/RFC9449</span>, <time datetime="2023-09" class="refDate">September 2023</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc9449">https://www.rfc-editor.org/rfc/rfc9449</a>&gt;</span>. </dd>
+<dd class="break"></dd>
 <dt id="SPIFFE">[SPIFFE]</dt>
       <dd>
 <span class="refTitle">"Secure Production Identity Framework for Everyone (SPIFFE)"</span>, <span>&lt;<a href="https://spiffe.io/docs/latest/spiffe-about/overview/">https://spiffe.io/docs/latest/spiffe-about/overview/</a>&gt;</span>. </dd>
@@ -3157,6 +3282,11 @@ workloads that forward the token unchanged are not recorded.<a href="#appendix-B
           <li class="normal" id="appendix-B.3-3.3">
             <p id="appendix-B.3-3.3.1">It carries no task-level granularity, no parent references,
 and no execution content.<a href="#appendix-B.3-3.3.1" class="pilcrow">¶</a></p>
+</li>
+          <li class="normal" id="appendix-B.3-3.4">
+            <p id="appendix-B.3-3.4.1">It cannot represent convergence (fan-in): when two independent
+paths must both complete before a dependent task proceeds, a
+linear "req_wl" string cannot express that relationship.<a href="#appendix-B.3-3.4.1" class="pilcrow">¶</a></p>
 </li>
         </ul>
 <p id="appendix-B.3-4">Extensions for agentic use cases
@@ -3194,16 +3324,32 @@ ECTs may reference OpenTelemetry trace identifiers in the "ext"
 claim for correlation.<a href="#appendix-B.4-1" class="pilcrow">¶</a></p>
 </section>
 </div>
-<div id="scitt-supply-chain-integrity-transparency-and-trust">
+<div id="w3c-provenance-data-model-prov">
 <section id="appendix-B.5">
+        <h3 id="name-w3c-provenance-data-model-p">
+<a href="#name-w3c-provenance-data-model-p" class="section-name selfRef">W3C Provenance Data Model (PROV)</a>
+        </h3>
+<p id="appendix-B.5-1">The W3C PROV Data Model defines an Entity-Activity-Agent ontology
+for representing provenance information.  PROV's concepts map
+closely to ECT structures: PROV Activities correspond to ECT
+tasks, PROV Agents correspond to WIMSE workloads, and PROV's
+"wasInformedBy" relation corresponds to ECT "par" references.
+However, PROV uses RDF/OWL ontologies designed for post-hoc
+documentation, while ECTs are runtime-embeddable JWT tokens with
+cryptographic signatures.  ECT audit data could be exported to
+PROV format for interoperability with provenance-aware systems.<a href="#appendix-B.5-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="scitt-supply-chain-integrity-transparency-and-trust">
+<section id="appendix-B.6">
         <h3 id="name-scitt-supply-chain-integrit">
 <a href="#name-scitt-supply-chain-integrit" class="section-name selfRef">SCITT (Supply Chain Integrity, Transparency, and Trust)</a>
         </h3>
-<p id="appendix-B.5-1">The SCITT architecture <span>[<a href="#I-D.ietf-scitt-architecture" class="cite xref">I-D.ietf-scitt-architecture</a>]</span> defines a
+<p id="appendix-B.6-1">The SCITT architecture <span>[<a href="#I-D.ietf-scitt-architecture" class="cite xref">I-D.ietf-scitt-architecture</a>]</span> defines a
 framework for transparent and auditable supply chain records.
 ECTs and SCITT are complementary: the ECT "wid" claim can serve
 as a correlation identifier in SCITT Signed Statements, linking
-an ECT audit trail to a supply chain transparency record.<a href="#appendix-B.5-1" class="pilcrow">¶</a></p>
+an ECT audit trail to a supply chain transparency record.<a href="#appendix-B.6-1" class="pilcrow">¶</a></p>
 </section>
 </div>
 </section>
diff --git a/draft-nennemann-wimse-ect-00.md b/draft-nennemann-wimse-ect-00.md
index f6f6901..f9c736e 100644
--- a/draft-nennemann-wimse-ect-00.md
+++ b/draft-nennemann-wimse-ect-00.md
@@ -7,7 +7,7 @@ submissiontype: IETF
 number:
 date:
 v: 3
-area: "Security"
+area: "ART"
 workgroup: "WIMSE"
 keyword:
   - execution context
@@ -47,6 +47,7 @@ informative:
     author:
       - org: Cloud Native Computing Foundation
   I-D.ietf-scitt-architecture:
+  RFC9449:
   I-D.ietf-oauth-transaction-tokens:
   I-D.oauth-transaction-tokens-for-agents:
 
@@ -413,7 +414,9 @@ par:
   multiple root tasks.  Parent ECTs may have passed their own
   "exp" time; ECT expiration applies to the verification window
   of the ECT itself, not to its validity as a parent reference
-  in the ECT store.
+  in the ECT store.  Note: "par" is not a registered JWT claim
+  and does not conflict with OAuth Pushed Authorization Requests
+  (RFC 9126), which defines an endpoint, not a token claim.
 
 ### Data Integrity {#data-integrity-claims}
 
@@ -421,27 +424,27 @@ The following claims provide integrity verification for task
 inputs and outputs without revealing the data itself:
 
 inp_hash:
-: OPTIONAL.  String.  A cryptographic hash of the input data,
-  formatted as "hash-algorithm:base64url-encoded-hash" (e.g.,
-  "sha-256:n4bQgYhMfWWaL-qgxVrQFaO\_TxsrC4Is0V1sFbDwCgg").  The
-  hash algorithm identifier MUST be a lowercase value from the
-  IANA Named Information Hash Algorithm Registry (e.g., "sha-256",
-  "sha-384", "sha-512").  Implementations MUST support "sha-256"
-  and SHOULD use "sha-256" unless a stronger algorithm is
-  required.  Implementations MUST NOT accept hash algorithms
-  weaker than SHA-256 (e.g., MD5, SHA-1).  The hash MUST be
-  computed over the raw octets of the input data.
+: OPTIONAL.  String.  The base64url encoding (without padding) of
+  the SHA-256 hash of the input data, computed over the raw octets
+  of the input.  This follows the same fixed-algorithm pattern
+  used by the DPoP "ath" claim {{RFC9449}} and the WIMSE WPT
+  "tth" claim {{I-D.ietf-wimse-s2s-protocol}}: SHA-256 is the
+  mandatory algorithm with no algorithm prefix in the value.
 
 out_hash:
-: OPTIONAL.  String.  A cryptographic hash of the output data,
-  using the same format and algorithm requirements as "inp_hash".
+: OPTIONAL.  String.  The base64url encoding (without padding) of
+  the SHA-256 hash of the output data, using the same format as
+  "inp_hash".
 
 ### Extensions {#extension-claims}
 
 ext:
-: OPTIONAL.  Object.  An extension object for domain-specific
-  claims not defined by this specification.  Implementations
-  that do not understand extension claims MUST ignore them.
+: OPTIONAL.  Object.  A general-purpose extension object for
+  domain-specific claims not defined by this specification.  The
+  short name "ext" follows the JWT convention of concise claim
+  names and is chosen over alternatives like "extensions" for
+  compactness.  Implementations that do not understand extension
+  claims MUST ignore them.
 
 To avoid key collisions between different domains, extension
 key names SHOULD use reverse domain notation (e.g.,
@@ -472,8 +475,12 @@ The following is a complete ECT payload example:
   "exec_act": "recommend_treatment",
   "par": [],
 
-  "inp_hash": "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
-  "out_hash": "sha-256:LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564"
+  "inp_hash": "n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
+  "out_hash": "LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
+
+  "ext": {
+    "com.example.trace_id": "abc123"
+  }
 }
 ~~~
 {: #fig-full-ect title="Complete ECT Payload Example"}
@@ -567,6 +574,29 @@ implementations SHOULD enforce a maximum ancestor traversal limit
 (RECOMMENDED: 10000 nodes).  If the limit is reached before cycle
 detection completes, the ECT SHOULD be rejected.
 
+## Handling Unavailable Parent ECTs
+
+In distributed deployments, a parent ECT referenced in the "par"
+array may not yet be available in the local ECT store at the time
+of validation — for example, due to replication lag in a
+distributed ledger or out-of-order message delivery.
+
+Implementations MUST distinguish between two cases:
+
+1.  Parent not found and definitively absent: The parent "jti"
+    does not exist in any accessible ECT store.  The ECT MUST be
+    rejected.
+
+2.  Parent not yet available: The parent "jti" is not present
+    locally but may arrive due to known replication delays.
+    Implementations MAY defer validation for a bounded period
+    (RECOMMENDED: no more than 60 seconds).
+
+Deferred ECTs MUST NOT be treated as verified until all parent
+references are resolved.  If any parent reference remains
+unresolved after the deferral period or after the ECT's own "exp"
+time (whichever comes first), the ECT MUST be rejected.
+
 # Signature and Token Verification {#verification}
 
 ## Verification Procedure
@@ -579,8 +609,12 @@ verification steps in order:
 
 2.  Verify that the "typ" header parameter is "wimse-exec+jwt".
 
-3.  Verify that the "alg" header parameter is not "none" and is
-    not a symmetric algorithm.
+3.  Verify that the "alg" header parameter appears in the
+    verifier's configured allowlist of accepted signing algorithms.
+    The allowlist MUST NOT include "none" or any symmetric
+    algorithm (e.g., HS256, HS384, HS512).  Implementations MUST
+    include ES256 in the allowlist; additional asymmetric algorithms
+    MAY be included per deployment policy.
 
 4.  Verify the "kid" header parameter references a known, valid
     public key from a WIT within the trust domain.
@@ -746,6 +780,12 @@ Implementations MUST maintain a cache of recently-seen "jti"
 values to detect replayed ECTs within the expiration window.
 An ECT with a duplicate "jti" value MUST be rejected.
 
+Additionally, each ECT is cryptographically bound to the issuing
+agent via the JOSE "kid" parameter, which references the agent's
+WIT public key.  Verifiers MUST confirm that the "kid" resolves
+to the "iss" agent's key (step 8 in {{verification}}), preventing
+one agent from replaying another agent's ECT as its own.
+
 ## Man-in-the-Middle Protection
 
 ECTs do not replace transport-layer security.  ECTs MUST be
@@ -780,7 +820,17 @@ ledger before revocation remain valid historical records but SHOULD
 be flagged in the ledger as "signed with subsequently revoked key"
 for audit purposes.
 
-## Collusion and False Claims
+ECT revocation does not propagate through the DAG.  If a parent
+ECT's signing key is later revoked, child ECTs that were verified
+and recorded before that revocation remain valid — they captured
+a legitimate execution record at the time of issuance.  However,
+auditors reviewing a workflow SHOULD flag any ECT in the DAG
+whose signing key was subsequently revoked, so that the scope of
+a potential compromise can be assessed.  New ECTs MUST NOT be
+created with a "par" reference to an ECT whose signing key is
+known to be revoked at creation time.
+
+## Collusion and False Claims {#collusion-and-false-claims}
 
 A single malicious agent cannot forge parent task references
 because DAG validation requires parent tasks to exist in the
@@ -796,6 +846,48 @@ Mitigations include:
 - Out-of-band audit: External auditors periodically verify ledger
   contents against expected workflow patterns.
 
+## DAG Integrity Attacks
+
+Because the DAG structure is the primary mechanism for establishing
+execution ordering, attackers may attempt to manipulate it:
+
+- False parent references: A malicious agent creates an ECT that
+  references parent tasks from an unrelated workflow, inserting
+  itself into a legitimate execution history.  DAG validation
+  ({{dag-validation}}) mitigates this by requiring parent existence
+  in the ECT store, and the "wid" claim scopes parent references
+  to a single workflow when present.
+- Parent omission (pruning): An agent deliberately omits one or
+  more actual parent dependencies from the "par" array to hide
+  that certain tasks influenced its output.  Because ECTs are
+  self-asserted ({{self-assertion-limitation}}), no mechanism can
+  force an agent to declare all dependencies.  External auditors
+  can detect omission by comparing the declared DAG against
+  expected workflow patterns.
+- Shadow DAGs: Multiple colluding agents fabricate an entire
+  execution history by creating a sequence of ECTs with mutual
+  parent references.  Independent ledger maintenance and
+  cross-verification (see {{collusion-and-false-claims}} above)
+  are the primary mitigations.
+
+Verifiers SHOULD validate that the declared "wid" of parent ECTs
+matches the "wid" of the child ECT, rejecting cross-workflow
+parent references unless explicitly permitted by deployment
+policy.
+
+## Privilege Escalation via ECTs
+
+ECTs record execution history; they do not convey authorization.
+Verifiers MUST NOT interpret the presence of an ECT, or a
+particular set of parent references in "par", as an authorization
+grant.  The "par" claim demonstrates that predecessor tasks were
+recorded, not that the current agent is authorized to act on
+their outputs.  Authorization decisions MUST remain with the
+identity and authorization layer (WIT, WPT, and deployment
+policy).  As noted in {{I-D.ni-wimse-ai-agent-identity}},
+AI intermediaries introduce novel escalation vectors; ECTs
+MUST NOT be used to circumvent authorization boundaries.
+
 ## Denial of Service
 
 ECT signature verification is computationally inexpensive
@@ -1087,6 +1179,9 @@ However, "req_wl" cannot form a DAG because:
   workloads that forward the token unchanged are not recorded.
 - It carries no task-level granularity, no parent references,
   and no execution content.
+- It cannot represent convergence (fan-in): when two independent
+  paths must both complete before a dependent task proceeds, a
+  linear "req_wl" string cannot express that relationship.
 
 Extensions for agentic use cases
 ({{I-D.oauth-transaction-tokens-for-agents}}) add agent
@@ -1120,6 +1215,19 @@ provide observability while ECTs provide signed execution records.
 ECTs may reference OpenTelemetry trace identifiers in the "ext"
 claim for correlation.
 
+## W3C Provenance Data Model (PROV)
+{:numbered="false"}
+
+The W3C PROV Data Model defines an Entity-Activity-Agent ontology
+for representing provenance information.  PROV's concepts map
+closely to ECT structures: PROV Activities correspond to ECT
+tasks, PROV Agents correspond to WIMSE workloads, and PROV's
+"wasInformedBy" relation corresponds to ECT "par" references.
+However, PROV uses RDF/OWL ontologies designed for post-hoc
+documentation, while ECTs are runtime-embeddable JWT tokens with
+cryptographic signatures.  ECT audit data could be exported to
+PROV format for interoperability with provenance-aware systems.
+
 ## SCITT (Supply Chain Integrity, Transparency, and Trust)
 {:numbered="false"}
 
diff --git a/draft-nennemann-wimse-ect-00.txt b/draft-nennemann-wimse-ect-00.txt
index 6e8809e..9b7e1f7 100644
--- a/draft-nennemann-wimse-ect-00.txt
+++ b/draft-nennemann-wimse-ect-00.txt
@@ -77,35 +77,35 @@ Table of Contents
    3.  WIMSE Architecture Integration  . . . . . . . . . . . . . . .   5
      3.1.  WIMSE Foundation  . . . . . . . . . . . . . . . . . . . .   5
      3.2.  Extension Model . . . . . . . . . . . . . . . . . . . . .   6
-     3.3.  Integration Points  . . . . . . . . . . . . . . . . . . .   6
-   4.  Execution Context Token Format  . . . . . . . . . . . . . . .   7
+     3.3.  Integration Points  . . . . . . . . . . . . . . . . . . .   7
+   4.  Execution Context Token Format  . . . . . . . . . . . . . . .   8
      4.1.  JOSE Header . . . . . . . . . . . . . . . . . . . . . . .   8
      4.2.  JWT Claims  . . . . . . . . . . . . . . . . . . . . . . .   8
        4.2.1.  Standard JWT Claims . . . . . . . . . . . . . . . . .   8
        4.2.2.  Execution Context . . . . . . . . . . . . . . . . . .  10
        4.2.3.  Data Integrity  . . . . . . . . . . . . . . . . . . .  10
-       4.2.4.  Extensions  . . . . . . . . . . . . . . . . . . . . .  10
+       4.2.4.  Extensions  . . . . . . . . . . . . . . . . . . . . .  11
      4.3.  Complete ECT Example  . . . . . . . . . . . . . . . . . .  11
-   5.  HTTP Header Transport . . . . . . . . . . . . . . . . . . . .  11
-     5.1.  Execution-Context Header Field  . . . . . . . . . . . . .  11
+   5.  HTTP Header Transport . . . . . . . . . . . . . . . . . . . .  12
+     5.1.  Execution-Context Header Field  . . . . . . . . . . . . .  12
    6.  DAG Validation  . . . . . . . . . . . . . . . . . . . . . . .  12
      6.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .  12
-     6.2.  Validation Rules  . . . . . . . . . . . . . . . . . . . .  12
-   7.  Signature and Token Verification  . . . . . . . . . . . . . .  13
-     7.1.  Verification Procedure  . . . . . . . . . . . . . . . . .  13
+     6.2.  Validation Rules  . . . . . . . . . . . . . . . . . . . .  13
+     6.3.  Handling Unavailable Parent ECTs  . . . . . . . . . . . .  13
+   7.  Signature and Token Verification  . . . . . . . . . . . . . .  14
+     7.1.  Verification Procedure  . . . . . . . . . . . . . . . . .  14
    8.  Audit Ledger Interface  . . . . . . . . . . . . . . . . . . .  15
-   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  15
-     9.1.  Threat Model  . . . . . . . . . . . . . . . . . . . . . .  15
+   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  16
+     9.1.  Threat Model  . . . . . . . . . . . . . . . . . . . . . .  16
      9.2.  Self-Assertion Limitation . . . . . . . . . . . . . . . .  16
-     9.3.  Organizational Prerequisites  . . . . . . . . . . . . . .  16
-     9.4.  Signature Verification  . . . . . . . . . . . . . . . . .  16
+     9.3.  Organizational Prerequisites  . . . . . . . . . . . . . .  17
+     9.4.  Signature Verification  . . . . . . . . . . . . . . . . .  17
      9.5.  Replay Attack Prevention  . . . . . . . . . . . . . . . .  17
-     9.6.  Man-in-the-Middle Protection  . . . . . . . . . . . . . .  17
-     9.7.  Key Compromise  . . . . . . . . . . . . . . . . . . . . .  17
-     9.8.  Collusion and False Claims  . . . . . . . . . . . . . . .  18
-     9.9.  Denial of Service . . . . . . . . . . . . . . . . . . . .  18
-     9.10. Timestamp Accuracy  . . . . . . . . . . . . . . . . . . .  18
-     9.11. ECT Size Constraints  . . . . . . . . . . . . . . . . . .  19
+     9.6.  Man-in-the-Middle Protection  . . . . . . . . . . . . . .  18
+     9.7.  Key Compromise  . . . . . . . . . . . . . . . . . . . . .  18
+     9.8.  Collusion and False Claims  . . . . . . . . . . . . . . .  19
+     9.9.  DAG Integrity Attacks . . . . . . . . . . . . . . . . . .  19
+     9.10. Privilege Escalation via ECTs . . . . . . . . . . . . . .  20
 
 
 
@@ -114,27 +114,31 @@ Nennemann                Expires 29 August 2026                 [Page 2]
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
-   10. Privacy Considerations  . . . . . . . . . . . . . . . . . . .  19
-     10.1.  Data Exposure in ECTs  . . . . . . . . . . . . . . . . .  19
-     10.2.  Data Minimization  . . . . . . . . . . . . . . . . . . .  20
-     10.3.  Storage and Access Control . . . . . . . . . . . . . . .  20
-   11. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  20
-     11.1.  Media Type Registration  . . . . . . . . . . . . . . . .  20
-     11.2.  HTTP Header Field Registration . . . . . . . . . . . . .  21
-     11.3.  JWT Claims Registration  . . . . . . . . . . . . . . . .  21
-   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .  22
-     12.1.  Normative References . . . . . . . . . . . . . . . . . .  22
-     12.2.  Informative References . . . . . . . . . . . . . . . . .  23
-   Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . .  24
-     Cross-Organization Financial Trading  . . . . . . . . . . . . .  25
-   Related Work  . . . . . . . . . . . . . . . . . . . . . . . . . .  26
-     WIMSE Workload Identity . . . . . . . . . . . . . . . . . . . .  26
-     OAuth 2.0 Token Exchange and the "act" Claim  . . . . . . . . .  26
-     Transaction Tokens  . . . . . . . . . . . . . . . . . . . . . .  26
-     Distributed Tracing (OpenTelemetry) . . . . . . . . . . . . . .  27
-     SCITT (Supply Chain Integrity, Transparency, and Trust) . . . .  27
-   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  28
-   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  28
+     9.11. Denial of Service . . . . . . . . . . . . . . . . . . . .  20
+     9.12. Timestamp Accuracy  . . . . . . . . . . . . . . . . . . .  20
+     9.13. ECT Size Constraints  . . . . . . . . . . . . . . . . . .  21
+   10. Privacy Considerations  . . . . . . . . . . . . . . . . . . .  21
+     10.1.  Data Exposure in ECTs  . . . . . . . . . . . . . . . . .  21
+     10.2.  Data Minimization  . . . . . . . . . . . . . . . . . . .  22
+     10.3.  Storage and Access Control . . . . . . . . . . . . . . .  22
+   11. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  22
+     11.1.  Media Type Registration  . . . . . . . . . . . . . . . .  22
+     11.2.  HTTP Header Field Registration . . . . . . . . . . . . .  23
+     11.3.  JWT Claims Registration  . . . . . . . . . . . . . . . .  23
+   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .  24
+     12.1.  Normative References . . . . . . . . . . . . . . . . . .  24
+     12.2.  Informative References . . . . . . . . . . . . . . . . .  25
+   Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . .  26
+     Cross-Organization Financial Trading  . . . . . . . . . . . . .  27
+   Related Work  . . . . . . . . . . . . . . . . . . . . . . . . . .  28
+     WIMSE Workload Identity . . . . . . . . . . . . . . . . . . . .  28
+     OAuth 2.0 Token Exchange and the "act" Claim  . . . . . . . . .  28
+     Transaction Tokens  . . . . . . . . . . . . . . . . . . . . . .  29
+     Distributed Tracing (OpenTelemetry) . . . . . . . . . . . . . .  30
+     W3C Provenance Data Model (PROV)  . . . . . . . . . . . . . . .  30
+     SCITT (Supply Chain Integrity, Transparency, and Trust) . . . .  30
+   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  30
+   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  30
 
 1.  Introduction
 
@@ -156,10 +160,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
    healthcare, finance, and logistics require structured, auditable
    records of automated decision-making and execution.
 
-   This document defines an extension to the WIMSE architecture that
-   addresses the gap between workload identity and execution
-   accountability.  WIMSE authenticates agents; this extension records
-   what they did and in what order.
 
 
 
@@ -170,6 +170,11 @@ Nennemann                Expires 29 August 2026                 [Page 3]
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
+   This document defines an extension to the WIMSE architecture that
+   addresses the gap between workload identity and execution
+   accountability.  WIMSE authenticates agents; this extension records
+   what they did and in what order.
+
    As identified in [I-D.ni-wimse-ai-agent-identity], call context in
    agentic workflows needs to be visible and preserved.  ECTs provide a
    mechanism to address this requirement with cryptographic assurances.
@@ -213,11 +218,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
    *  Workload authentication and identity provisioning
 
-   *  Key distribution and management
-
-   *  Trust domain establishment and management
-
-   *  Credential lifecycle management
 
 
 
@@ -226,6 +226,12 @@ Nennemann                Expires 29 August 2026                 [Page 4]
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
+   *  Key distribution and management
+
+   *  Trust domain establishment and management
+
+   *  Credential lifecycle management
+
 2.  Conventions and Definitions
 
    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
@@ -267,12 +273,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
    The WIMSE architecture [I-D.ietf-wimse-arch] defines:
 
-   *  Workload Identity Tokens (WIT) that prove a workload's identity
-      within a trust domain ("I am Agent X in trust domain Y")
-
-   *  Workload Proof Tokens (WPT) that prove possession of the private
-      key associated with a WIT ("I control the key for Agent X")
-
 
 
 
@@ -282,6 +282,12 @@ Nennemann                Expires 29 August 2026                 [Page 5]
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
+   *  Workload Identity Tokens (WIT) that prove a workload's identity
+      within a trust domain ("I am Agent X in trust domain Y")
+
+   *  Workload Proof Tokens (WPT) that prove possession of the private
+      key associated with a WIT ("I control the key for Agent X")
+
    *  Multi-hop authentication via the service-to-service protocol
       [I-D.ietf-wimse-s2s-protocol]
 
@@ -325,12 +331,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
    using standard JWT extensibility [RFC7519], and maintains WIMSE
    concepts including trust domains and workload identifiers.
 
-3.3.  Integration Points
-
-   An ECT integrates with the WIMSE identity framework through the
-   following mechanisms:
-
-
 
 
 Nennemann                Expires 29 August 2026                 [Page 6]
@@ -338,6 +338,11 @@ Nennemann                Expires 29 August 2026                 [Page 6]
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
+3.3.  Integration Points
+
+   An ECT integrates with the WIMSE identity framework through the
+   following mechanisms:
+
    *  The ECT JOSE header "kid" parameter MUST reference the public key
       identifier from the agent's WIT.
 
@@ -376,12 +381,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
    3.  Ledger (if deployed): Appends the verified ECT to the audit
        ledger.
 
-4.  Execution Context Token Format
 
-   An Execution Context Token is a JSON Web Token (JWT) [RFC7519] signed
-   as a JSON Web Signature (JWS) [RFC7515].  ECTs MUST use JWS Compact
-   Serialization (the base64url-encoded header.payload.signature format)
-   so that they can be carried in a single HTTP header value.
 
 
 
@@ -394,6 +394,13 @@ Nennemann                Expires 29 August 2026                 [Page 7]
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
+4.  Execution Context Token Format
+
+   An Execution Context Token is a JSON Web Token (JWT) [RFC7519] signed
+   as a JSON Web Signature (JWS) [RFC7515].  ECTs MUST use JWS Compact
+   Serialization (the base64url-encoded header.payload.signature format)
+   so that they can be carried in a single HTTP header value.
+
 4.1.  JOSE Header
 
    The ECT JOSE header MUST contain the following parameters:
@@ -432,6 +439,17 @@ Internet-Draft           WIMSE Execution Context           February 2026
    ECT:
 
    iss:  REQUIRED.  StringOrURI.  A URI identifying the issuer of the
+
+
+
+
+
+
+Nennemann                Expires 29 August 2026                 [Page 8]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
       ECT.  In WIMSE deployments, this SHOULD be the workload's SPIFFE
       ID in the format spiffe://<trust-domain>/<path>, matching the
       "sub" claim of the agent's WIT.  Non-WIMSE deployments MAY use
@@ -443,13 +461,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
       identifiers of all entities that will verify the ECT.  In practice
       this means:
 
-
-
-Nennemann                Expires 29 August 2026                 [Page 8]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
       *  *Point-to-point delivery*: when an ECT is sent from one agent
          to a single next agent, "aud" contains that agent's workload
          identity.  The receiving agent verifies the ECT and forwards it
@@ -487,6 +498,14 @@ Internet-Draft           WIMSE Execution Context           February 2026
    issuance.
 
    jti:  REQUIRED.  String.  A globally unique identifier for both the
+
+
+
+Nennemann                Expires 29 August 2026                 [Page 9]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
       ECT and the task it records, in UUID format [RFC9562].  Since each
       ECT represents exactly one task, "jti" serves as both the token
       identifier (for replay detection) and the task identifier (for DAG
@@ -496,16 +515,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
       is absent, uniqueness MUST be enforced globally across the ECT
       store.
 
-
-
-
-
-
-Nennemann                Expires 29 August 2026                 [Page 9]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
 4.2.2.  Execution Context
 
    The following claims are defined by this specification:
@@ -526,33 +535,24 @@ Internet-Draft           WIMSE Execution Context           February 2026
       root task with no dependencies.  A workflow MAY contain multiple
       root tasks.  Parent ECTs may have passed their own "exp" time; ECT
       expiration applies to the verification window of the ECT itself,
-      not to its validity as a parent reference in the ECT store.
+      not to its validity as a parent reference in the ECT store.  Note:
+      "par" is not a registered JWT claim and does not conflict with
+      OAuth Pushed Authorization Requests (RFC 9126), which defines an
+      endpoint, not a token claim.
 
 4.2.3.  Data Integrity
 
    The following claims provide integrity verification for task inputs
    and outputs without revealing the data itself:
 
-   inp_hash:  OPTIONAL.  String.  A cryptographic hash of the input
-      data, formatted as "hash-algorithm:base64url-encoded-hash" (e.g.,
-      "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg").  The hash
-      algorithm identifier MUST be a lowercase value from the IANA Named
-      Information Hash Algorithm Registry (e.g., "sha-256", "sha-384",
-      "sha-512").  Implementations MUST support "sha-256" and SHOULD use
-      "sha-256" unless a stronger algorithm is required.
-      Implementations MUST NOT accept hash algorithms weaker than
-      SHA-256 (e.g., MD5, SHA-1).  The hash MUST be computed over the
-      raw octets of the input data.
+   inp_hash:  OPTIONAL.  String.  The base64url encoding (without
+      padding) of the SHA-256 hash of the input data, computed over the
+      raw octets of the input.  This follows the same fixed-algorithm
+      pattern used by the DPoP "ath" claim [RFC9449] and the WIMSE WPT
+      "tth" claim [I-D.ietf-wimse-s2s-protocol]: SHA-256 is the
+      mandatory algorithm with no algorithm prefix in the value.
 
-   out_hash:  OPTIONAL.  String.  A cryptographic hash of the output
-      data, using the same format and algorithm requirements as
-      "inp_hash".
-
-4.2.4.  Extensions
-
-   ext:  OPTIONAL.  Object.  An extension object for domain-specific
-      claims not defined by this specification.  Implementations that do
-      not understand extension claims MUST ignore them.
+   out_hash:  OPTIONAL.  String.  The base64url encoding (without
 
 
 
@@ -562,6 +562,18 @@ Nennemann                Expires 29 August 2026                [Page 10]
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
+      padding) of the SHA-256 hash of the output data, using the same
+      format as "inp_hash".
+
+4.2.4.  Extensions
+
+   ext:  OPTIONAL.  Object.  A general-purpose extension object for
+      domain-specific claims not defined by this specification.  The
+      short name "ext" follows the JWT convention of concise claim names
+      and is chosen over alternatives like "extensions" for compactness.
+      Implementations that do not understand extension claims MUST
+      ignore them.
+
    To avoid key collisions between different domains, extension key
    names SHOULD use reverse domain notation (e.g.,
    "com.example.custom_field") to avoid collisions between independently
@@ -589,12 +601,23 @@ Internet-Draft           WIMSE Execution Context           February 2026
      "exec_act": "recommend_treatment",
      "par": [],
 
-     "inp_hash": "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
-     "out_hash": "sha-256:LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564"
+     "inp_hash": "n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
+     "out_hash": "LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
+
+     "ext": {
+       "com.example.trace_id": "abc123"
+     }
    }
 
                    Figure 4: Complete ECT Payload Example
 
+
+
+Nennemann                Expires 29 August 2026                [Page 11]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
 5.  HTTP Header Transport
 
 5.1.  Execution-Context Header Field
@@ -609,15 +632,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
    An agent sending a request to another agent includes the Execution-
    Context header alongside the WIMSE Workload-Identity header:
 
-
-
-
-
-Nennemann                Expires 29 August 2026                [Page 11]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
    GET /api/safety-check HTTP/1.1
    Host: safety-agent.example.com
    Workload-Identity: eyJhbGci...WIT...
@@ -649,6 +663,17 @@ Internet-Draft           WIMSE Execution Context           February 2026
    DAG validation is performed against the ECT store — either an audit
    ledger or the set of parent ECTs received inline.
 
+
+
+
+
+
+
+Nennemann                Expires 29 August 2026                [Page 12]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
 6.2.  Validation Rules
 
    When receiving and verifying an ECT, implementations MUST perform the
@@ -665,15 +690,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
        verified parent ECT).  If any parent task is not found, the ECT
        MUST be rejected.
 
-
-
-
-
-Nennemann                Expires 29 August 2026                [Page 12]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
    3.  Temporal Ordering: The "iat" value of every parent task MUST NOT
        be greater than the "iat" value of the current task plus a
        configurable clock skew tolerance (RECOMMENDED: 30 seconds).
@@ -698,6 +714,35 @@ Internet-Draft           WIMSE Execution Context           February 2026
    (RECOMMENDED: 10000 nodes).  If the limit is reached before cycle
    detection completes, the ECT SHOULD be rejected.
 
+6.3.  Handling Unavailable Parent ECTs
+
+   In distributed deployments, a parent ECT referenced in the "par"
+   array may not yet be available in the local ECT store at the time of
+   validation — for example, due to replication lag in a distributed
+   ledger or out-of-order message delivery.
+
+   Implementations MUST distinguish between two cases:
+
+
+
+Nennemann                Expires 29 August 2026                [Page 13]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
+   1.  Parent not found and definitively absent: The parent "jti" does
+       not exist in any accessible ECT store.  The ECT MUST be rejected.
+
+   2.  Parent not yet available: The parent "jti" is not present locally
+       but may arrive due to known replication delays.  Implementations
+       MAY defer validation for a bounded period (RECOMMENDED: no more
+       than 60 seconds).
+
+   Deferred ECTs MUST NOT be treated as verified until all parent
+   references are resolved.  If any parent reference remains unresolved
+   after the deferral period or after the ECT's own "exp" time
+   (whichever comes first), the ECT MUST be rejected.
+
 7.  Signature and Token Verification
 
 7.1.  Verification Procedure
@@ -710,8 +755,12 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
    2.   Verify that the "typ" header parameter is "wimse-exec+jwt".
 
-   3.   Verify that the "alg" header parameter is not "none" and is not
-        a symmetric algorithm.
+   3.   Verify that the "alg" header parameter appears in the verifier's
+        configured allowlist of accepted signing algorithms.  The
+        allowlist MUST NOT include "none" or any symmetric algorithm
+        (e.g., HS256, HS384, HS512).  Implementations MUST include ES256
+        in the allowlist; additional asymmetric algorithms MAY be
+        included per deployment policy.
 
    4.   Verify the "kid" header parameter references a known, valid
         public key from a WIT within the trust domain.
@@ -719,17 +768,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
    5.   Retrieve the public key identified by "kid" and verify the JWS
         signature per [RFC7515] Section 5.2.
 
-
-
-
-
-
-
-Nennemann                Expires 29 August 2026                [Page 13]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
    6.   Verify that the signing key identified by "kid" has not been
         revoked within the trust domain.  Implementations MUST check the
         key's revocation status using the trust domain's key lifecycle
@@ -739,6 +777,15 @@ Internet-Draft           WIMSE Execution Context           February 2026
    7.   Verify the "alg" header parameter matches the algorithm in the
         corresponding WIT.
 
+
+
+
+
+Nennemann                Expires 29 August 2026                [Page 14]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
    8.   Verify the "iss" claim matches the "sub" claim of the WIT
         associated with the "kid" public key.
 
@@ -778,14 +825,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
    step failed.  The receiving agent MUST NOT process the requested
    action when ECT verification fails.
 
-
-
-
-Nennemann                Expires 29 August 2026                [Page 14]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
 8.  Audit Ledger Interface
 
    ECTs MAY be recorded in an immutable audit ledger for compliance
@@ -796,6 +835,13 @@ Internet-Draft           WIMSE Execution Context           February 2026
    cryptographic commitment schemes, distributed ledgers, or any storage
    mechanism that provides the required properties.
 
+
+
+Nennemann                Expires 29 August 2026                [Page 15]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
    When an audit ledger is deployed, the implementation MUST provide:
 
    1.  Append-only semantics: Once an ECT is recorded, it MUST NOT be
@@ -835,13 +881,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
    *  Time manipulator: An entity attempting to manipulate timestamps to
       alter perceived execution ordering.
 
-
-
-Nennemann                Expires 29 August 2026                [Page 15]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
 9.2.  Self-Assertion Limitation
 
    ECTs are self-asserted by the executing agent.  The agent claims what
@@ -851,6 +890,14 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
    ECTs do not independently verify that:
 
+
+
+
+Nennemann                Expires 29 August 2026                [Page 16]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
    *  The claimed execution actually occurred as described
 
    *  The input/output hashes correspond to the actual data processed
@@ -889,15 +936,6 @@ Internet-Draft           WIMSE Execution Context           February 2026
    revoked, the ECT MUST be rejected entirely and the failure MUST be
    logged.
 
-
-
-
-
-Nennemann                Expires 29 August 2026                [Page 16]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
    Implementations MUST use established JWS libraries and MUST NOT
    implement custom signature verification.
 
@@ -909,6 +947,13 @@ Internet-Draft           WIMSE Execution Context           February 2026
    rejected by Agent C.  The "iat" claim enables receivers to reject
    ECTs that are too old, even if not yet expired.
 
+
+
+Nennemann                Expires 29 August 2026                [Page 17]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
    The DAG structure provides additional replay protection: an ECT
    referencing parent tasks that already have a recorded child task with
    the same action can be flagged as a potential replay.
@@ -917,6 +962,12 @@ Internet-Draft           WIMSE Execution Context           February 2026
    to detect replayed ECTs within the expiration window.  An ECT with a
    duplicate "jti" value MUST be rejected.
 
+   Additionally, each ECT is cryptographically bound to the issuing
+   agent via the JOSE "kid" parameter, which references the agent's WIT
+   public key.  Verifiers MUST confirm that the "kid" resolves to the
+   "iss" agent's key (step 8 in Section 7), preventing one agent from
+   replaying another agent's ECT as its own.
+
 9.6.  Man-in-the-Middle Protection
 
    ECTs do not replace transport-layer security.  ECTs MUST be
@@ -947,21 +998,33 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
    *  Trust domains MUST support rapid key revocation.
 
+   *  Upon suspected compromise, the trust domain MUST revoke the
+      compromised key and issue a new WIT with a fresh key pair.
 
 
-Nennemann                Expires 29 August 2026                [Page 17]
+
+
+
+Nennemann                Expires 29 August 2026                [Page 18]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
-   *  Upon suspected compromise, the trust domain MUST revoke the
-      compromised key and issue a new WIT with a fresh key pair.
-
    ECTs signed with a compromised key that were recorded in the ledger
    before revocation remain valid historical records but SHOULD be
    flagged in the ledger as "signed with subsequently revoked key" for
    audit purposes.
 
+   ECT revocation does not propagate through the DAG.  If a parent ECT's
+   signing key is later revoked, child ECTs that were verified and
+   recorded before that revocation remain valid — they captured a
+   legitimate execution record at the time of issuance.  However,
+   auditors reviewing a workflow SHOULD flag any ECT in the DAG whose
+   signing key was subsequently revoked, so that the scope of a
+   potential compromise can be assessed.  New ECTs MUST NOT be created
+   with a "par" reference to an ECT whose signing key is known to be
+   revoked at creation time.
+
 9.8.  Collusion and False Claims
 
    A single malicious agent cannot forge parent task references because
@@ -980,7 +1043,56 @@ Internet-Draft           WIMSE Execution Context           February 2026
    *  Out-of-band audit: External auditors periodically verify ledger
       contents against expected workflow patterns.
 
-9.9.  Denial of Service
+9.9.  DAG Integrity Attacks
+
+   Because the DAG structure is the primary mechanism for establishing
+   execution ordering, attackers may attempt to manipulate it:
+
+   *  False parent references: A malicious agent creates an ECT that
+      references parent tasks from an unrelated workflow, inserting
+      itself into a legitimate execution history.  DAG validation
+      (Section 6) mitigates this by requiring parent existence in the
+      ECT store, and the "wid" claim scopes parent references to a
+      single workflow when present.
+
+   *  Parent omission (pruning): An agent deliberately omits one or more
+      actual parent dependencies from the "par" array to hide that
+      certain tasks influenced its output.  Because ECTs are self-
+
+
+
+Nennemann                Expires 29 August 2026                [Page 19]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
+      asserted (Section 9.2), no mechanism can force an agent to declare
+      all dependencies.  External auditors can detect omission by
+      comparing the declared DAG against expected workflow patterns.
+
+   *  Shadow DAGs: Multiple colluding agents fabricate an entire
+      execution history by creating a sequence of ECTs with mutual
+      parent references.  Independent ledger maintenance and cross-
+      verification (see Section 9.8 above) are the primary mitigations.
+
+   Verifiers SHOULD validate that the declared "wid" of parent ECTs
+   matches the "wid" of the child ECT, rejecting cross-workflow parent
+   references unless explicitly permitted by deployment policy.
+
+9.10.  Privilege Escalation via ECTs
+
+   ECTs record execution history; they do not convey authorization.
+   Verifiers MUST NOT interpret the presence of an ECT, or a particular
+   set of parent references in "par", as an authorization grant.  The
+   "par" claim demonstrates that predecessor tasks were recorded, not
+   that the current agent is authorized to act on their outputs.
+   Authorization decisions MUST remain with the identity and
+   authorization layer (WIT, WPT, and deployment policy).  As noted in
+   [I-D.ni-wimse-ai-agent-identity], AI intermediaries introduce novel
+   escalation vectors; ECTs MUST NOT be used to circumvent authorization
+   boundaries.
+
+9.11.  Denial of Service
 
    ECT signature verification is computationally inexpensive
    (approximately 1ms per ECT on modern hardware for ES256).  DAG
@@ -993,7 +1105,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
    performed after signature verification to avoid wasting resources on
    unsigned or incorrectly signed tokens.
 
-9.10.  Timestamp Accuracy
+9.12.  Timestamp Accuracy
 
    ECTs rely on timestamps ("iat", "exp") for temporal ordering.  Clock
    skew between agents can lead to incorrect ordering judgments.
@@ -1005,7 +1117,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
 
 
-Nennemann                Expires 29 August 2026                [Page 18]
+Nennemann                Expires 29 August 2026                [Page 20]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
@@ -1019,7 +1131,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
    The temporal ordering check in DAG validation incorporates the clock
    skew tolerance to account for minor clock differences between agents.
 
-9.11.  ECT Size Constraints
+9.13.  ECT Size Constraints
 
    ECTs with many parent tasks or large extension objects can increase
    HTTP header size.  Implementations SHOULD limit the "par" array to a
@@ -1061,7 +1173,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
 
 
-Nennemann                Expires 29 August 2026                [Page 19]
+Nennemann                Expires 29 August 2026                [Page 21]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
@@ -1117,7 +1229,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
 
 
-Nennemann                Expires 29 August 2026                [Page 20]
+Nennemann                Expires 29 August 2026                [Page 22]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
@@ -1173,7 +1285,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
 
 
-Nennemann                Expires 29 August 2026                [Page 21]
+Nennemann                Expires 29 August 2026                [Page 23]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
@@ -1229,7 +1341,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
 
 
-Nennemann                Expires 29 August 2026                [Page 22]
+Nennemann                Expires 29 August 2026                [Page 24]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
@@ -1285,7 +1397,7 @@ Internet-Draft           WIMSE Execution Context           February 2026
 
 
 
-Nennemann                Expires 29 August 2026                [Page 23]
+Nennemann                Expires 29 August 2026                [Page 25]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
@@ -1323,6 +1435,11 @@ Internet-Draft           WIMSE Execution Context           February 2026
               Message Signatures", RFC 9421, DOI 10.17487/RFC9421,
               February 2024, <https://www.rfc-editor.org/rfc/rfc9421>.
 
+   [RFC9449]  Fett, D., Campbell, B., Bradley, J., Lodderstedt, T.,
+              Jones, M., and D. Waite, "OAuth 2.0 Demonstrating Proof of
+              Possession (DPoP)", RFC 9449, DOI 10.17487/RFC9449,
+              September 2023, <https://www.rfc-editor.org/rfc/rfc9449>.
+
    [SPIFFE]   "Secure Production Identity Framework for Everyone
               (SPIFFE)",
               <https://spiffe.io/docs/latest/spiffe-about/overview/>.
@@ -1332,20 +1449,19 @@ Use Cases
    This section describes a representative use case demonstrating how
    ECTs provide structured execution records.
 
-   Note: task identifiers in this section are abbreviated for
-   readability.  In production, all "jti" values are required to be
-   UUIDs per Section 4.2.2.
 
 
 
 
-
-
-Nennemann                Expires 29 August 2026                [Page 24]
+Nennemann                Expires 29 August 2026                [Page 26]
 
 Internet-Draft           WIMSE Execution Context           February 2026
 
 
+   Note: task identifiers in this section are abbreviated for
+   readability.  In production, all "jti" values are required to be
+   UUIDs per Section 4.2.2.
+
 Cross-Organization Financial Trading
 
    In a cross-organization trading workflow, an investment bank's agents
@@ -1381,6 +1497,23 @@ Cross-Organization Financial Trading
 
    The resulting DAG:
 
+
+
+
+
+
+
+
+
+
+
+
+
+Nennemann                Expires 29 August 2026                [Page 27]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
    task-001 (analyze_portfolio_risk)   task-002 (assess_credit_rating)
      [bank.example]                      [ratings.example]
              \                              /
@@ -1394,14 +1527,6 @@ Cross-Organization Financial Trading
 
                       Figure 7: Cross-Organization DAG
 
-
-
-
-Nennemann                Expires 29 August 2026                [Page 25]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
    Task 003 has two parents from different trust domains, demonstrating
    cross-organizational fan-in.  The compliance agent verifies both
    parent ECTs — one signed by a local key and one by a federated key
@@ -1435,6 +1560,16 @@ OAuth 2.0 Token Exchange and the "act" Claim
    concepts are orthogonal: "act" records "who authorized whom," ECTs
    record "what was done, in what order."
 
+
+
+
+
+
+Nennemann                Expires 29 August 2026                [Page 28]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
 Transaction Tokens
 
    OAuth Transaction Tokens [I-D.ietf-oauth-transaction-tokens]
@@ -1450,14 +1585,6 @@ Transaction Tokens
       downstream services, each receives the same "req_wl" value and the
       branching is invisible.
 
-
-
-
-Nennemann                Expires 29 August 2026                [Page 26]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
    *  It is incomplete: only workloads that request a replacement token
       from the Transaction Token Service appear in "req_wl"; workloads
       that forward the token unchanged are not recorded.
@@ -1465,6 +1592,10 @@ Internet-Draft           WIMSE Execution Context           February 2026
    *  It carries no task-level granularity, no parent references, and no
       execution content.
 
+   *  It cannot represent convergence (fan-in): when two independent
+      paths must both complete before a dependent task proceeds, a
+      linear "req_wl" string cannot express that relationship.
+
    Extensions for agentic use cases
    ([I-D.oauth-transaction-tokens-for-agents]) add agent identity and
    constraints ("agentic_ctx") but no execution ordering or DAG
@@ -1480,6 +1611,21 @@ Internet-Draft           WIMSE Execution Context           February 2026
    Txn-Token; a similar binding mechanism for ECTs is a potential future
    extension.
 
+
+
+
+
+
+
+
+
+
+
+Nennemann                Expires 29 August 2026                [Page 29]
+
+Internet-Draft           WIMSE Execution Context           February 2026
+
+
 Distributed Tracing (OpenTelemetry)
 
    OpenTelemetry [OPENTELEMETRY] and similar distributed tracing systems
@@ -1494,6 +1640,18 @@ Distributed Tracing (OpenTelemetry)
    while ECTs provide signed execution records.  ECTs may reference
    OpenTelemetry trace identifiers in the "ext" claim for correlation.
 
+W3C Provenance Data Model (PROV)
+
+   The W3C PROV Data Model defines an Entity-Activity-Agent ontology for
+   representing provenance information.  PROV's concepts map closely to
+   ECT structures: PROV Activities correspond to ECT tasks, PROV Agents
+   correspond to WIMSE workloads, and PROV's "wasInformedBy" relation
+   corresponds to ECT "par" references.  However, PROV uses RDF/OWL
+   ontologies designed for post-hoc documentation, while ECTs are
+   runtime-embeddable JWT tokens with cryptographic signatures.  ECT
+   audit data could be exported to PROV format for interoperability with
+   provenance-aware systems.
+
 SCITT (Supply Chain Integrity, Transparency, and Trust)
 
    The SCITT architecture [I-D.ietf-scitt-architecture] defines a
@@ -1502,18 +1660,6 @@ SCITT (Supply Chain Integrity, Transparency, and Trust)
    correlation identifier in SCITT Signed Statements, linking an ECT
    audit trail to a supply chain transparency record.
 
-
-
-
-
-
-
-
-Nennemann                Expires 29 August 2026                [Page 27]
-
-Internet-Draft           WIMSE Execution Context           February 2026
-
-
 Acknowledgments
 
    The author thanks the WIMSE working group for their foundational work
@@ -1531,38 +1677,4 @@ Author's Address
 
 
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Nennemann                Expires 29 August 2026                [Page 28]
+Nennemann                Expires 29 August 2026                [Page 30]
diff --git a/draft-nennemann-wimse-ect-00.xml b/draft-nennemann-wimse-ect-00.xml
index 3bfa42b..367f565 100644
--- a/draft-nennemann-wimse-ect-00.xml
+++ b/draft-nennemann-wimse-ect-00.xml
@@ -25,14 +25,14 @@
 
     <date year="2026" month="February" day="25"/>
 
-    <area>Security</area>
+    <area>ART</area>
     <workgroup>WIMSE</workgroup>
     <keyword>execution context</keyword> <keyword>workload identity</keyword> <keyword>agentic workflows</keyword> <keyword>audit trail</keyword>
 
     <abstract>
 
 
-<?line 53?>
+<?line 54?>
 
 <t>This document defines Execution Context Tokens (ECTs), an extension
 to the Workload Identity in Multi System Environments (WIMSE)
@@ -59,7 +59,7 @@ existing WIMSE headers.</t>
   <middle>
 
 
-<?line 69?>
+<?line 70?>
 
 <section anchor="introduction"><name>Introduction</name>
 
@@ -460,7 +460,9 @@ a root task with no dependencies.  A workflow <bcp14>MAY</bcp14> contain
 multiple root tasks.  Parent ECTs may have passed their own
 "exp" time; ECT expiration applies to the verification window
 of the ECT itself, not to its validity as a parent reference
-in the ECT store.</t>
+in the ECT store.  Note: "par" is not a registered JWT claim
+and does not conflict with OAuth Pushed Authorization Requests
+(RFC 9126), which defines an endpoint, not a token claim.</t>
   </dd>
 </dl>
 
@@ -473,21 +475,18 @@ inputs and outputs without revealing the data itself:</t>
 <dl>
   <dt>inp_hash:</dt>
   <dd>
-    <t><bcp14>OPTIONAL</bcp14>.  String.  A cryptographic hash of the input data,
-formatted as "hash-algorithm:base64url-encoded-hash" (e.g.,
-"sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg").  The
-hash algorithm identifier <bcp14>MUST</bcp14> be a lowercase value from the
-IANA Named Information Hash Algorithm Registry (e.g., "sha-256",
-"sha-384", "sha-512").  Implementations <bcp14>MUST</bcp14> support "sha-256"
-and <bcp14>SHOULD</bcp14> use "sha-256" unless a stronger algorithm is
-required.  Implementations <bcp14>MUST NOT</bcp14> accept hash algorithms
-weaker than SHA-256 (e.g., MD5, SHA-1).  The hash <bcp14>MUST</bcp14> be
-computed over the raw octets of the input data.</t>
+    <t><bcp14>OPTIONAL</bcp14>.  String.  The base64url encoding (without padding) of
+the SHA-256 hash of the input data, computed over the raw octets
+of the input.  This follows the same fixed-algorithm pattern
+used by the DPoP "ath" claim <xref target="RFC9449"/> and the WIMSE WPT
+"tth" claim <xref target="I-D.ietf-wimse-s2s-protocol"/>: SHA-256 is the
+mandatory algorithm with no algorithm prefix in the value.</t>
   </dd>
   <dt>out_hash:</dt>
   <dd>
-    <t><bcp14>OPTIONAL</bcp14>.  String.  A cryptographic hash of the output data,
-using the same format and algorithm requirements as "inp_hash".</t>
+    <t><bcp14>OPTIONAL</bcp14>.  String.  The base64url encoding (without padding) of
+the SHA-256 hash of the output data, using the same format as
+"inp_hash".</t>
   </dd>
 </dl>
 
@@ -497,9 +496,12 @@ using the same format and algorithm requirements as "inp_hash".</t>
 <dl>
   <dt>ext:</dt>
   <dd>
-    <t><bcp14>OPTIONAL</bcp14>.  Object.  An extension object for domain-specific
-claims not defined by this specification.  Implementations
-that do not understand extension claims <bcp14>MUST</bcp14> ignore them.</t>
+    <t><bcp14>OPTIONAL</bcp14>.  Object.  A general-purpose extension object for
+domain-specific claims not defined by this specification.  The
+short name "ext" follows the JWT convention of concise claim
+names and is chosen over alternatives like "extensions" for
+compactness.  Implementations that do not understand extension
+claims <bcp14>MUST</bcp14> ignore them.</t>
   </dd>
 </dl>
 
@@ -534,8 +536,12 @@ future documents.</t>
   "exec_act": "recommend_treatment",
   "par": [],
 
-  "inp_hash": "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
-  "out_hash": "sha-256:LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564"
+  "inp_hash": "n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
+  "out_hash": "LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
+
+  "ext": {
+    "com.example.trace_id": "abc123"
+  }
 }
 ]]></sourcecode></figure>
 
@@ -630,6 +636,31 @@ implementations <bcp14>SHOULD</bcp14> enforce a maximum ancestor traversal limit
 (<bcp14>RECOMMENDED</bcp14>: 10000 nodes).  If the limit is reached before cycle
 detection completes, the ECT <bcp14>SHOULD</bcp14> be rejected.</t>
 
+</section>
+<section anchor="handling-unavailable-parent-ects"><name>Handling Unavailable Parent ECTs</name>
+
+<t>In distributed deployments, a parent ECT referenced in the "par"
+array may not yet be available in the local ECT store at the time
+of validation — for example, due to replication lag in a
+distributed ledger or out-of-order message delivery.</t>
+
+<t>Implementations <bcp14>MUST</bcp14> distinguish between two cases:</t>
+
+<t><list style="numbers" type="1">
+  <t>Parent not found and definitively absent: The parent "jti"
+does not exist in any accessible ECT store.  The ECT <bcp14>MUST</bcp14> be
+rejected.</t>
+  <t>Parent not yet available: The parent "jti" is not present
+locally but may arrive due to known replication delays.
+Implementations <bcp14>MAY</bcp14> defer validation for a bounded period
+(<bcp14>RECOMMENDED</bcp14>: no more than 60 seconds).</t>
+</list></t>
+
+<t>Deferred ECTs <bcp14>MUST NOT</bcp14> be treated as verified until all parent
+references are resolved.  If any parent reference remains
+unresolved after the deferral period or after the ECT's own "exp"
+time (whichever comes first), the ECT <bcp14>MUST</bcp14> be rejected.</t>
+
 </section>
 </section>
 <section anchor="verification"><name>Signature and Token Verification</name>
@@ -643,8 +674,12 @@ verification steps in order:</t>
   <t>Parse the JWS Compact Serialization to extract the JOSE header,
 payload, and signature components per <xref target="RFC7515"/>.</t>
   <t>Verify that the "typ" header parameter is "wimse-exec+jwt".</t>
-  <t>Verify that the "alg" header parameter is not "none" and is
-not a symmetric algorithm.</t>
+  <t>Verify that the "alg" header parameter appears in the
+verifier's configured allowlist of accepted signing algorithms.
+The allowlist <bcp14>MUST NOT</bcp14> include "none" or any symmetric
+algorithm (e.g., HS256, HS384, HS512).  Implementations <bcp14>MUST</bcp14>
+include ES256 in the allowlist; additional asymmetric algorithms
+<bcp14>MAY</bcp14> be included per deployment policy.</t>
   <t>Verify the "kid" header parameter references a known, valid
 public key from a WIT within the trust domain.</t>
   <t>Retrieve the public key identified by "kid" and verify the JWS
@@ -812,6 +847,12 @@ with the same action can be flagged as a potential replay.</t>
 values to detect replayed ECTs within the expiration window.
 An ECT with a duplicate "jti" value <bcp14>MUST</bcp14> be rejected.</t>
 
+<t>Additionally, each ECT is cryptographically bound to the issuing
+agent via the JOSE "kid" parameter, which references the agent's
+WIT public key.  Verifiers <bcp14>MUST</bcp14> confirm that the "kid" resolves
+to the "iss" agent's key (step 8 in <xref target="verification"/>), preventing
+one agent from replaying another agent's ECT as its own.</t>
+
 </section>
 <section anchor="man-in-the-middle-protection"><name>Man-in-the-Middle Protection</name>
 
@@ -852,6 +893,16 @@ ledger before revocation remain valid historical records but <bcp14>SHOULD</bcp1
 be flagged in the ledger as "signed with subsequently revoked key"
 for audit purposes.</t>
 
+<t>ECT revocation does not propagate through the DAG.  If a parent
+ECT's signing key is later revoked, child ECTs that were verified
+and recorded before that revocation remain valid — they captured
+a legitimate execution record at the time of issuance.  However,
+auditors reviewing a workflow <bcp14>SHOULD</bcp14> flag any ECT in the DAG
+whose signing key was subsequently revoked, so that the scope of
+a potential compromise can be assessed.  New ECTs <bcp14>MUST NOT</bcp14> be
+created with a "par" reference to an ECT whose signing key is
+known to be revoked at creation time.</t>
+
 </section>
 <section anchor="collusion-and-false-claims"><name>Collusion and False Claims</name>
 
@@ -871,6 +922,52 @@ compared for consistency.</t>
 contents against expected workflow patterns.</t>
 </list></t>
 
+</section>
+<section anchor="dag-integrity-attacks"><name>DAG Integrity Attacks</name>
+
+<t>Because the DAG structure is the primary mechanism for establishing
+execution ordering, attackers may attempt to manipulate it:</t>
+
+<t><list style="symbols">
+  <t>False parent references: A malicious agent creates an ECT that
+references parent tasks from an unrelated workflow, inserting
+itself into a legitimate execution history.  DAG validation
+(<xref target="dag-validation"/>) mitigates this by requiring parent existence
+in the ECT store, and the "wid" claim scopes parent references
+to a single workflow when present.</t>
+  <t>Parent omission (pruning): An agent deliberately omits one or
+more actual parent dependencies from the "par" array to hide
+that certain tasks influenced its output.  Because ECTs are
+self-asserted (<xref target="self-assertion-limitation"/>), no mechanism can
+force an agent to declare all dependencies.  External auditors
+can detect omission by comparing the declared DAG against
+expected workflow patterns.</t>
+  <t>Shadow DAGs: Multiple colluding agents fabricate an entire
+execution history by creating a sequence of ECTs with mutual
+parent references.  Independent ledger maintenance and
+cross-verification (see <xref target="collusion-and-false-claims"/> above)
+are the primary mitigations.</t>
+</list></t>
+
+<t>Verifiers <bcp14>SHOULD</bcp14> validate that the declared "wid" of parent ECTs
+matches the "wid" of the child ECT, rejecting cross-workflow
+parent references unless explicitly permitted by deployment
+policy.</t>
+
+</section>
+<section anchor="privilege-escalation-via-ects"><name>Privilege Escalation via ECTs</name>
+
+<t>ECTs record execution history; they do not convey authorization.
+Verifiers <bcp14>MUST NOT</bcp14> interpret the presence of an ECT, or a
+particular set of parent references in "par", as an authorization
+grant.  The "par" claim demonstrates that predecessor tasks were
+recorded, not that the current agent is authorized to act on
+their outputs.  Authorization decisions <bcp14>MUST</bcp14> remain with the
+identity and authorization layer (WIT, WPT, and deployment
+policy).  As noted in <xref target="I-D.ni-wimse-ai-agent-identity"/>,
+AI intermediaries introduce novel escalation vectors; ECTs
+<bcp14>MUST NOT</bcp14> be used to circumvent authorization boundaries.</t>
+
 </section>
 <section anchor="denial-of-service"><name>Denial of Service</name>
 
@@ -1432,6 +1529,23 @@ been incorporated into this document. This document obsoletes RFC
    <seriesInfo name="Internet-Draft" value="draft-ietf-scitt-architecture-22"/>
    
 </reference>
+<reference anchor="RFC9449">
+  <front>
+    <title>OAuth 2.0 Demonstrating Proof of Possession (DPoP)</title>
+    <author fullname="D. Fett" initials="D." surname="Fett"/>
+    <author fullname="B. Campbell" initials="B." surname="Campbell"/>
+    <author fullname="J. Bradley" initials="J." surname="Bradley"/>
+    <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
+    <author fullname="M. Jones" initials="M." surname="Jones"/>
+    <author fullname="D. Waite" initials="D." surname="Waite"/>
+    <date month="September" year="2023"/>
+    <abstract>
+      <t>This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.</t>
+    </abstract>
+  </front>
+  <seriesInfo name="RFC" value="9449"/>
+  <seriesInfo name="DOI" value="10.17487/RFC9449"/>
+</reference>
 
 <reference anchor="I-D.ietf-oauth-transaction-tokens">
    <front>
@@ -1497,7 +1611,7 @@ been incorporated into this document. This document obsoletes RFC
 </references>
 
 
-<?line 986?>
+<?line 1078?>
 
 <section numbered="false" anchor="use-cases"><name>Use Cases</name>
 
@@ -1616,6 +1730,9 @@ token from the Transaction Token Service appear in "req_wl";
 workloads that forward the token unchanged are not recorded.</t>
   <t>It carries no task-level granularity, no parent references,
 and no execution content.</t>
+  <t>It cannot represent convergence (fan-in): when two independent
+paths must both complete before a dependent task proceeds, a
+linear "req_wl" string cannot express that relationship.</t>
 </list></t>
 
 <t>Extensions for agentic use cases
@@ -1650,6 +1767,19 @@ provide observability while ECTs provide signed execution records.
 ECTs may reference OpenTelemetry trace identifiers in the "ext"
 claim for correlation.</t>
 
+</section>
+<section numbered="false" anchor="w3c-provenance-data-model-prov"><name>W3C Provenance Data Model (PROV)</name>
+
+<t>The W3C PROV Data Model defines an Entity-Activity-Agent ontology
+for representing provenance information.  PROV's concepts map
+closely to ECT structures: PROV Activities correspond to ECT
+tasks, PROV Agents correspond to WIMSE workloads, and PROV's
+"wasInformedBy" relation corresponds to ECT "par" references.
+However, PROV uses RDF/OWL ontologies designed for post-hoc
+documentation, while ECTs are runtime-embeddable JWT tokens with
+cryptographic signatures.  ECT audit data could be exported to
+PROV format for interoperability with provenance-aware systems.</t>
+
 </section>
 <section numbered="false" anchor="scitt-supply-chain-integrity-transparency-and-trust"><name>SCITT (Supply Chain Integrity, Transparency, and Trust)</name>
 
@@ -1675,334 +1805,371 @@ tracing is built.</t>
   </back>
 
 <!-- ##markdown-source:
-H4sIAAAAAAAAA81963bbyLXm/3qKGvpHSwkhW7bkdst9+hxZltvqY1uKJXen
-p5PlgCREog0CDABKZtzOOg8xDzDPMo8yTzJ7f3vXBSApJ5n5MV652CBQl137
-fqskSUybt0V2ZAenH7Pxss2r0p5UZZt9bO1V9SErG3td1fZ53rR1Plq22cQe
-T7Oyzcf2p6r+cF1Ut83ApKNRnd3QID+dvb48tWtDDcw4bbNpVa+ObNNOzKQa
-l+mcZp3U6XWblFlZZvO0LJPbfN5kSTZukwcPTLMczfOmoXHa1YJePju9emHK
-5XyU1UdmQgMeGZrzkUnrLKW5L2nSOm9XA3NLK5vW1XLhVjQwH7IVPZ0cGWsT
-m/n1jWV9eMpfFVU6sfmEN9iu8DTV3d663crT5SRvbVuneWFMumxnVY2h6b/W
-Xi+LQrZ3MqsJcHla2jdui3ijqqdpmf8t5TXQvspJtshKntW+zZosrcezrMaL
-9EleHNk8a6//w0Npb5IZU1b1nL6/yXjety9Ovj7cPwx//Tr89Zvw1yf6128O
-Hz90f93ff8B/PUue7/EsegK8hA2Pm4dNsqirthpXxZExeXndW8Wjw0M38pPH
-3zxykxw83HejlbmbIk8A28SBm9+4vDh78eL0CHt3iIlzzexFXU2WY5zamX5h
-X9QEZj4ZIOnpTVavqjKzOzLM7kDGSetp1h7ZWdsumqP795tFfn2d7eXVfULD
-5n5BiNS0+jRJR9WyvV/RSDd5dnsfAwDV7HVaNBn9+/zi9M3V6avT16dXb3/u
-rvScTvEqK7J51tYre7nIxvl1PsYpb15KRR+07gO/ooY+bO5X9MOm+a0N+MZ/
-EsYmQrWiWk7sGxwGkd18QQheTu2LallOsIL4NJtx3rY45LwlYiPwdg674hkS
-wu6ySQHxpAUrcC9t+z2hU5BDpVdNkhCdjIhv0DvGXM3yxtL2lnNG80l2nZdZ
-s84pHNPZOT25anaHlkiHntIT3kFb2XaWgfGAUD0e5KV9vSza3F6umjab29Py
-Jq+rkqeiocACdk28XeDLJGJqa2S+Zy0vwRK63xCGmiafltlkSOyrXmKIia2z
-MbGUxlbXdLDNh4it0OOstum4rprGCJa3lUCGWM58viwVLWiWZyvZ4YSPS/jn
-2gaNQuU2b2fr3MuOi5RIiqHww+X5G/tTNhIw2p0ffrraNUKkQ4IdHUETY6XN
-ynRU0Dk0gFtjCcLEccqW/hvt1ETsDtuVnfiFOFgtm8ymBFYCDGA6Xo2LfGym
-dbqY2Z3nx9/vhkF5qjpb1MTvaCjAz3HBcU4rSktixLQ9+rjNDDa+BTgeZX46
-u9qlNTAcGU0a4g2Wj40emHk1yQoMOq5Xi7bCmui8F3U+z5lm+MCPbZnd2pdX
-Vxd2lqV8hNd5VkyGxqNpomg6tIzNQOIJcAnEsKhqEB2AkRZVOW0YdbKPLAT8
-6crQzZ5QyDyfTAri5/dIDLSexdG/79nXFS1MaJfI51/G+2vPJD992sDmP392
-ON7Yuhotm9ZLQkg20IVgSzsjoTqdfekIGMruFUNsmxDG/35xtUuAxm4AjIYZ
-7Thj8tC/WidgzNpyY/FDy3ZMZFbd+iU3NlozgT4dz2xFDxw12nFaFHY8IwRv
-Ilxxy038jmgTxj/FJhKhqQg9+AxfVrcZSYvhuvoADMiI59ESy6q16WRC2N4E
-sjHpeEzsuU1HeUHvE1z+s6xueUm3s8ouspoJl+motMJmw1jCesztLKXTSpmx
-0kyEhoQQeAYGRKt7m02XLOAmROkRauTlmHQm3n2xYrIrqhXDrSqrebVshLyJ
-GdBIZlzRWHlJYzgIxspLWtgRJEydg4KeV3NAtlkS3NPGEJyKdjYmDW1ItFSm
-5TgbAj+KaspEMSacy/66JI4RsZuhqFfMmUzEY3mBc+xlQiyMBUIyTz8wuHjA
-wIy2yZpYlFgnSoCEHcmAXetZZQ3emqYLO8ra24yOf8Mxx7Ovn6lOEWGlA/BT
-4chhUbpZOVZ6n84mnygn7J7rcaPzE4PCr0Ir25Wrz5+Hivqq8dI3azKP2F82
-gRAYZfaGQEwngOnBpuubbKKc3ijHIG4/z4iYyryZ82cOxbEvPVicAfh3h/Oa
-tGmWNSMEUxFxO6Ixmm5uL1sCEX/E51hnGa24xhEwpAhneLekENY8bLqghRCJ
-Z42IE4fsujOjYo2Ukf07T8KSEtAnLutPQZQuwg6CH44EooJYHRgnfTSASUTP
-8kaVs/xv2WSAUWlAfO/fEVShRV6xzPvjkAchrs94fL5sSW2z/31vYMxDmuRN
-RVSRMnVNIjgDCthwB6BYnCoexLt4ziIvP/RVEyViOjgWHKqTOAygk3gk826a
-juFSCpmCLEiTWRQZMYaA/TwrnX1Llh5ItqNjuVkgMEWlWCzrRdUABU6dlKxG
-jGtKQDRvVXh+0hmOFUsW7Z8+dVTyIM8EhWUY6HvZaDmdOoYxr8qc1skjyOnj
-7N2nXS0hwlUSXjIvq+Upnzif8PpJOH2RB23TOXHzJLsBNQoD5OckcvEWr84o
-9jLkBDbNmLSzOq+UPi7HZC3g0+PFgtQqBdAWbsf6N8TsFg0bCvauFdXQ7nz6
-xDa3/Ovz5136lrS1SFmDitPR0RTXGBD09SSdJjdpkYupISOcqfbGc4P+A8P1
-vNPrJoQ5NIwwrzx8KCMdl12ljG29k6ugc/GnbFIl8oJ+BCAW2WSa1dAk6+uU
-tIuIKzX8nbyQ+Bf4Y2hb11VRiDQm6WXJKmSEbvwh8EOiENLdJna0kn0B6F45
-6ilPYONu30Az5vmMfon9T7B6RW33Mpn6RJ3ghHSUNStmE4hXS/YqCce8meHE
-1949IRnK85BwLvLrjLXwLH6DdE3ChRt+hegZ3z9nrMnxb9n9B1rRLSTv4PW7
-y6vBUP7fvjnH39+e/uHd2dvT5/z3y5fHr175vxh94/Ll+btXz8Pfwpcn569f
-n755Lh/TU9t5ZAavj38eCI0Mzi+uzs7fHL8aMNNvO3ieiglBggpHRxIKjL8x
-RFRjgqOIxWcnF//rf+4fkHj8b29fnDzc3/+G2IP848n+1wf0j1s6I5mtKols
-5Z/g+iRcshQqFeRmuiCVpGiGzIYaUjlLQsc6I9r83S8MmT8f2W9H48X+wXf6
-gDfceehg1nkImK0/WftYgLjh0YZpPDQ7z3uQ7q73+OfOvx3co4ff/jtJk8wm
-+0/+/TvTpxA6ADIe+UjIBJysHRbRBaTfkTliWo40TadNAarOnnLkRDxhi8Uy
-hJbmRGkD1iTWMZ9WLM5YyGJapq8xI4kl47sNRiwMI4zGwo2Wy9oxSeFGFR+W
-zRk7/SoIZ2bGz52BeywGrv0+GLgyl1i8gX16QxfA2sZHbxmhaCbmSALNYEpD
-YliQsupBEJl38HZZSc8h8OmTOgW9+QRwb/AMQA223sfR0yImWcu+ANZEwWZf
-gYu6813w3hKmJ7KT5/MlVHlW+QF2IiYYyGvHRZCgGZsMp+OV0qHgVNAZGBZk
-cfml0iK2GKRijwogRPCMA2sEC2bu7pHwqyYwaL+4lhkvLUtYbzxXZNmKYRtP
-tIDFSP8h9Yb0G7U5+FW/G5ZExMmTguzHwtievGDcBc8Xk6qziYo0kUXbxaq0
-3GKYyV5syqCdpey38pvMSa1h05WOmAZaVOKDYj1eHbGEL/KXz5/p8zaSQayT
-6HKOY+spFvqf7q3Lc6gy8l3kmjRXm22xbQ6LWMn5gjMCpA09ffNJ0766Z+2E
-7M7gzKZziXbYP4KnxT//PNiNJ193c8QzR0jAzsIZOznYtcPUzpKW9MtqnMN0
-kcOCdcErYHOtrgp8w28y4uiSsAC4f5JZteirGzd5Kl6wOxwsG/hr18XS5/Ox
-GRGbuWo4MssSo4C5PqNeW5mg9XWVp8glIkxoiwMFh/wWbEiYJEFVrbZgk1Ve
-w8zrjoXHhpA/agKXOjd5pMiTG/blTPDEviLjCYQ1FjVJPAY0/IJ5CMmEpqqb
-DYZtMBaA66feun/NLkhi2sz7xOOrcKG9EyCUiLeCuEhXWW2cG4Kh6uGEnwBY
-fpyKeYAx8AtB8O9//zuta5yTwVe35vfJP/3n9+Y3Z0C/wmw7jtx27dY/v/FH
-/NnVke1S046EW47u328n93Ga9z/uDuJvLuQboZ+76YA/+pe2tHXZW364+Zch
-x+aKwi0I7ePOAe/aX2DJcdjozwoF+oygcBVkL1uUHTf5PCN7sgtu+SNKzH3V
-WshUaWbskti02//PYXe+EIF2ZGNdgxDQaxbCHXb9EgCGAQiNNFu2EUQlYadB
-BXdqZBsO/m+gQHRlPh3Ze9f5NAGtNRIM/DcfCXfU35GSQIVm8FmN99gDuHRO
-R+WZEr+wiF8MlW809oefrjTqY8SJ7f1E/IuOp4wj0vmGaiwKE2xUzVZ9Am7h
-Yik6QCTqRBPucefrXNzf9+51RP5FlTNj/nQvkvmkAvFD2izphkwIPqzTfNkv
-4GMO9JIJgsi7pyJHB438w7mPr9jBh5zwfZHySGSfWNhkdXZNOjZtV4TwcsTx
-KZHBYV80ezUXVsoc5iuG0xWHa2irulDxmcOJAGsRsw9InxrIsVg1zjgi5rfH
-qsY6FL0PxitdZ88jvWt3L94gNjHK1LsUwIdYl+oUPY1CFZyN+3HDOixLi2lV
-08tzu9MBJT2PQLmLZdC4tOyxDuw/DAZg1tMrZdKfSDSDBMG85+kH8czDv6Ma
-sRCpRm2m8Jjx6a8F4dzyco7q1DV7wn3QrYdQRgM2a6IQ877VeXHuzk9Li5C/
-PuOw91qA6Ii5xrespgVRdPwdvbm2THmTwVx3tRi2SSffdXhI5MXynARLfClb
-vWzTMWslzDoEkhtVUNVA2R19Q3YamOSCtIcvqHtDp1gp9go/IEWjNQGwgs5X
-YAq0KYkIdAyy4EkXUWWqUnVetlaI9uAZphU+9aSTM/PxWTCk0cl4CAE5TRYO
-d1AsY/ie6KYE0iwXOw5HsKNntqsjwJwXE9tHAa40NCra0e6R/dG9qse4wRBk
-BORz7NhAUFM6Wyd791r3SVi70CyeL4B9T7z9DIedbkSI1vZWDXDBGMVNFxa6
-FSPd8pRjWLbqCnEeAvbmO3lJKxO2lU1o3GNIRBE1CqqJeFUlMgYRKVEEfA+D
-b5vD4YWwsE/3Ii+ysPstHzBmbkxWiKWV5lywayh6+ZIeppCi9MFl+OCQAKl5
-COCSxIgMvYBcGNLh7SVtMi3UPGZAZ3aUNtnjg2VdJISWJGAn5i9Ce3uLdMU0
-tde4yf6ibHrXNpVYdojPjYl1ETt27CcvTWoRVs06HuubtFhmIi3BV5WaP937
-tSJsUK+1IHRfjGEvrP2mylSDEPQMWdnarw2Z0p/ozMCvOaXv8uHh48GQn7Sr
-BT/R/Do6ld//etvKTywn6SeJF6YJ0VaST5L9h48G5nOXOcmKlC35hepmTj+m
-bPkxZ6Lp2V/hHJ4a8J/kU/agWg/TvtQgzOPfHFPYo8Vh95vEzHYJY+2Zt0DF
-csMgzXKBUAFg4pHmCZCGVweY0cc4KuscuHy4g5Ks0AG9drmac6IWm3huHWTr
-Z3vTvaF9ycMyOF9ePnpywP8+3H+42xmH9wg/J3DUhb3Txo3KDhoHGsm6pImT
-OlsQJTqXEB1jD7JeI8ggN/snzM8mElhb5s1MordWJJ1IWFYYOb+yGcIDSu/6
-gG1QzMY+XoBYlcUXkXIFqLE+SMi04eh7+pXTwlz2ReDqWBgP31VW/Hl9jfN6
-px4D5Vs1jPOiqj7Y5UI5NRBj3HaGJogG3Ot5EJkyCRAnkklFhHnbJqJgR3Sp
-XMGRY2NHlUtLStjvQYOxpO3o4qqld5IE+olbd3pisbh7LPnDoLLMvndmw7wd
-h69DFZd0RdyKU1dWMDONIe21d3SXLfulz+t3b88Q8qb/d8e4cmcnPkR1axmr
-KsE2RTn3usVINIngkfPZn6z/el4HufIX7y34FvI3Efn73f1vCeSz7/4ydLqo
-W9SgWY6cJq4Ot1j15Qh3mTidPFoizEXW2YU0eL/NeJZxUMDROXH1S/rhVSPe
-6ndv3xy9e8crDmYRq+wkPrcDkzN1SGKkiJF3gcwnyvYRG6vifs8XOY280+y6
-nQiEn2XjlFcKZoLkDGYtQEgExCSyz4DJmiadakadGL7q5BLLZUDPelZLJG68
-+0zoTP330I3yTFKEiFfQI9DTKlrgGWcDLDj5M4e5lbOzIuUkUnr+O/rP72As
-smMSBiKdQ5EzOv7ud0cIw7FZoLoh0FV4Vil6mKp78FWrwC2ZotRe0E05Om29
-0xB4ZtcMMWTqbNInvRbpNFWXW8G4eZuyZpa3TmfSYHPFOsEsLa7diQmN7PmN
-SwCJd65fhEz3TZvnH1ux5OiPxISKVUdRc1MrlqbXzJRT+2sF5deqlhgiLZq6
-wSrmBmC5nUR6cFi8eJx5Vtbl++uds3o8ilRK4mlASqdAR8fkPZY+SB9ZAG5Z
-jmmlpZ476EYXy+ckKB/hqMBA3v7TLwPPOzJRUPZo7+py5KUM9M3N70kC0X31
-FP3pz5y8eMo5hU70WGIP4w+KVECznNgIR4eDFxtx5MbxNGwA4CQmKUk4JEdh
-u/Bx7Ya8DwkIclwiRAwbxq5YiGOERQFhDJhOg1OCxwuozCl/SHlCliuNEXsG
-9GvMdPYcix3Qs4HXjvgsgM6c8eK/B222cFXXLnjEw9VLjlOmI3bespbN0XXd
-jiMk5ho0Ah2tEj699L//638wOXWtQUdFsgbRNKznTrpwBgkBlRSlHtt9s5zT
-UY2f09Z1L20+J6AS25rlqlZiOcQ9QacTViGdxHfhz9QnO000IDAUQ4CWRXPq
-slixKYg4+XBAFK1wFGST0fhyApoUJC90w6qjbJqywM8+9tW89W3QO7l63bCj
-SDps0IGVs0NL5COkczrk/9k/tPO8RBBdmAa2wxoYaVScGq17WJCtTEdWTjjX
-dpZzXqBTOySWmZLxAT/DuKjGnM7TfCAs0Rg6R0uAHbRQNdw7ysqgHF0P7M4b
-AsuzjMbLdlUgSXqVdyoB8Uex5FPo9k+n8WEmZCVxFDpjLTorVmZJ5gKOmmM0
-tJpf23yjqIbKMy2qEUJMyzL/6zLr+e1i1qbCAfDCscaCltYOLUEVGmhlXIUD
-dfYy52CRtUhWFqxTFY0N+RTMnvN7eVRii7TegUj8xot8WYIEmKMl7sjZ4PAm
-GXufmeP3lulf5xwsFHsdf+/IyvtLA0dgFvgWUpKZrXpVf6WhjVrftzMyanWZ
-M7bdC8KOCYkBjls1yKH1PpUIi8GNGL/YrcK0QaYM0XveBH+KnEHJGabMeDic
-OFGOY4Jweyqk5T9PR2tfO6GScQHTGJLVH7QmSDq+wLmMmerg696MT/eYeLuW
-QlDIVQdHJsddKj6pRLdiN7nEmy4SerEdHS1kDYrcmAgK9fTiAEiZitQinwyj
-YPXQ9JIVqIlgcMBK5kHZ+D0h3zba4K1qWrpLDoRRGK1RU7E4x836dFqVRiG9
-XXWWgfKJ92RlMeMS54QmFWbvm/Q6a1ecMjZOizHyfN9PKtZsgZHEOrIjAa3j
-HCyeWJOW6BGdLNfkTezAbWxgCfFmAkpCFzxhwN1U+QQWZFEgRS8ISXln53hM
-OOE4VJ1xIjuk12jlgMi1bwAiEUwPfsdO728ASE4ovYhkb6TIQP2PMjyYLOPY
-n1NFMmH0/jyxUqY+782Av5VGusmrZeOdq5nz3x6XNpsvWFPB2ogIJTmac1Js
-XVW6NIChrPpriNCTrSfVzNjwcJqJHyLaLBB1TrPNUs6PSJEEIPF1Up745Ikz
-DCAwnoIOI3GHAHfmIvJd17OwEE7X8uKQNbKsuNZU3AoKGtAKyhnL9j6zA+Zs
-5ADPOedXAl4Ird3jJGBNcKEHX2AELrnYv99du0uyNVECmovfMvA5B5UOMaO1
-q50rKcjYHsoxF+85zrudkXQTFfhdb6LwlBiPyU7ElCRU2gG/l3iX19Ga1zTh
-FwZB7x40szR5ePj4qDwY/WH68+z19U8/pa+Sv04//lj/4UV6/qf3Vx+b+uTg
-rHnw437zYvT89mQ6HWhdEH2PdUWuvsBQAssiwGb1mFaiKO5Cdqz6HL85tm9A
-62euQJWg+5JHPfajvgXd1ivPfnTRA7+DR08OBvr8cP8h1nenZ9GPwHRDRxeF
-AP1PJISKDOn3NHdVstUTbVRIHn7BybbZ2JlI6jbnf3XhBKUzSz84hnb58pin
-dPt7/fxwiGf7rgALnytEwe+4ZpQ19RsMQXSb3tpq3GZts44lRA+Ejv8yugla
-e3zrFe2plgQVzkOnk7jNaOnQfeCls0ZNGohl/UcgSQ7FdZd6PmK9RTmgj8FX
-eCoVA/AzJU5YM5SEkiW4dZfXbu34jNqHWmiwLDnG14pf0E2to+NQ8mlZibk0
-Z5VZBRM8mV40Nb4sacLGK7iYBu2HUd0sf8PCr4lxkjlJ3WQun43WpJERIeMB
-4cOeN4XJqq/m71ENOdj1UnLDQkw3jDfh3EaoaX41KKGoII5gr45QNVpO6Hxg
-Jtxkqsc2+d+yocthQ+iGhkEYyItFWXF1jSSzAVvz7vRCcrTlcenLgwffPKaz
-atnR7RRgHs2QRgj5SusmARfppl8Y8NAgc7PZQKn6sujFHa0YQ+KYjQwDTZN+
-gbEldTAOG+jYmk1oiONj3ufTWxwqkty9XsK97VKvNUfjxJXqsEDTSE1fSOWx
-mdvxdysa9KNMnO5wtMVxIg6WMUkqrocRpsr2+93vOyUPo5MdemT3v/764YPH
-B/uHD4ZOKfAPv9aHrOvQuIeHD7InBw8eJNnDb0bJwf7kIEm/3n+cHBw8fnx4
-eEC/PNinofmLWw15PRjtjx9OHiXZwfVh8vjrJ98k6Wg8SbLrB/sPHx0c8pOB
-zqs6I33FRh2Zk+Xkfcv2fNBV2To6sr/8Webw7OnoiwJxozzEkI7HxoO8Okkf
-pA9/ff+xen84f/DuycurZ8/ePHtz8uqPzz5Mv06myc+LLP/+h/nh44N+BI87
-U3B3DRfD66DFhZ52FMi7Z+Pkgytfb/PpXlxuo3mO/ewM/eoFMw1NdOqmmLvC
-zDYuUwqf98uwjdgn+/sPPn/eUnPtuKE4wdTTEI+h2kIe7Dsumt8WJTaxue5D
-zDymDKPxMhWPXKv4bC2iTEjRspOMY2WtSAsyffKK7J7BHvHS8SxlH7lkUx27
-vJhG+wGkW3NiXHJGc3duTD9vI66g97ksmh0j9G2+P72y99NFrtSYwMOJ47i/
-v7dvXlZNe2T1NyxlLyJksyFRJlv9MBt9P8739vY4+rK3t77czktsldBLa3kx
-Ok0nL8al7sA44fMUrPP5MX33qKRHIJsUZYQ+FBebzArzofFfb4WvYFUBPFZm
-rAczGcKhYzg3YCVn6bDgi4inGpBPl9KwRFY7Zxpnfn5pbex2ao3oEoRNZHlI
-srRGary3aaHqHoaesPAgMfLpU2yaAO/PyIosVw5G/OU1+kF0818YG/1qI++Q
-eHsII2oPX6UlLfhwRqnpu6JdxWpRODBMnO/Pu8naqBzV6IA6TrerhE+HAgNZ
-D/h81XDboYYXKFYq8l7Y9P7RlzfC7OvUO4IDnmvTGE3x5iOkk7urWEg94jgJ
-GH6xu4121cFZlwYFMSMqBADIbNVlshvfySHdUBys6TTqMiUI9RqWEBCGBh1B
-AA6OK1X13ZW/3vT3RTkrAy3XmTFxtrwr08pq5xVnfgh/rz+l1oijwBiGeQAx
-/IChI8KUVdy2a6IjepDlwiJL04mL6WF3McM5kAWl8pKpWNSl6KzfciRD6TDC
-Fb9dTdunsbjWaYPBpqs23dyd3u6aNlu4MvUrQXz7zvsrjyQGA4+qeJ2cIaxe
-6V6SmlYAIBcBNRc7LtTe9SJCGkEZGiqE8LlSaQBsft33pu46fqChnCgNVard
-sVbn+ZUS8pAo61YvnIEjLkiAc66hj8hBGWdH0tGp7xgjbtu0IckU9GBCaFAT
-plxekDB2cU8iPBczgeDlwQCy2x3Fochh5rFVPwhY5dDHSM49aiThU/I+toBs
-u4GJxjxOS8glpkxm4Z1w4oS+q2xOWk9a2HOlWsWPKBDFxA3YxRNp1q51CUlT
-hKPUXdAPZamh7jotYIBFwc1BMATxA5LLyzqEfCTg01ZFhuIXuxMVmx7ZRw+I
-+OijCWdH8ABXchhDMGJwQFnqkf2L/GWPFmO/Jf0oLyb4u9QcYK73PNd7P9df
-XGTPT661M2I+heVhhK6S+JTjND5hdbokAU1CFO1IcuJ2HGoiSDv+KKcEX1M+
-5zLs+UI6/XBU7qT7roQu8nla54RCUajBissg69XY7+hZZQ7/15yQu+LDHElH
-irCCzXhFyIveZuoVBwPnzP+hJ/QtOHbAHhGRVtDfXoQ6X8YI7p0TcdFIZjkH
-laaNki0xSgny6qd1qESzftUIh9CFS12rtFRqsQoJyt9BB4doxBDqIzkiI7lr
-Y1rxRSw4fcIRq8IhXGTF19Qp6mMmWPULAcHdJFic2muSZj5eZSXywrx+li8Q
-7EKQy9fnY6mRs4N4GCl5XBbqavFYqpPKxn4tuEuyBS/ilhV2wo5maPoyRXej
-6MR9PNKP+XxJqgYfQStmEXt2UP0/Jw2wS4j7ZAY/IDQiJUH5ERgaQr1o2sLt
-VLxYxsEYHzr0gj9i5iGfKzqee1GaLstKyfD9MfZ2f7rX0TBF7sYvXDh9tF80
-oDy3CXK37Yjabpqs6fjYIWj7KeGELlqnsV0jJ7zgc0pVA4pSdAVX1VcivqWQ
-ZsgAI+7ArIj17NiSFKH3o8ub0ugYMnWddRESLOlo+qmdKg3WBkCxxqYBmHdI
-Mqs0o5CsFdRh2mY9t1U5wY8hsUtKataGjjhAaj+U1S2ZAdBtBDDd5E6tbY3c
-bL2y4kPEl2kp2U1cpdPNIRXNBcsJqpg7QSFufwQ9uNO5Ci4f7j2k6R5vAKEr
-h9k2JRM6GDE7PIUN3BCCT7buaosvH5a153Q021cNhvK4ShuIu5TFY9KrH7Q1
-UdTkw3ftUa//OKtbQf4sHpk1qKE9P7m8EOQlrqG5lzLFaMmNTexywaFX5DN+
-3cOEzUiGJEz16PRztVVtWK8IetIbOqqiisfbkNNJ34vi1yufDrjaqRf5pr+H
-kPjYSX5zuV1fSSKX74YHFS+kC0qSAgbJwYugfw41galZXhPcc4ghxSsMEA2+
-liGWNsjz0IDuU7XKfdGMHJXYN5p+59KhvAIjqTHdsCJpu0uOYPLnP7m0JJ/A
-pr6w2FwadnMAJSAb9i7IG9qjAAYE3/0Hex34IoKr0XgXU/Ziw9EQ4rqQGfv7
-3c+hjHbTgEqfZ0TMRCaX5LVG9OedrrQMHnP2zjWzqiD+HElDLzsVtiEZalc5
-5J3TiqtdJu7I2LKyc4ndEFYEzdemTDAhVbqDDF7RJq1uCC1EVNieBsu0uP/Q
-A0qcImpqa/RoB6rVMHJaDzVzhzNRjJYLNS4B8zYrikTsah6bRMqFitGejSp8
-tN/pib8hMXEmicGSDYl4voTvurW2ouJJDZLXILCioEXEpboBDWkaVXHXxLm4
-obZbTS7aY5QQ/AtFNZ12Oov4bmSkGtc1PXa50yaK/kgEnl03oESPYn23lW9W
-B/+sU+FxtE4dzKPwNLenKaoGhCr6zlpZnbjbSCNi3tkpmAwpdrEDLqR++niU
-mMRgkhjg4MEju/Oiqkf5hIh7ly19/p4ldK5ZEuhi573lrDvhsSg6Osi+2XlX
-hs53bhxfW7peciGb0ZC/rIv41qiarPrFh6mlLXDuo81wJspKoCUjJ8KEnAjR
-0v2RbEYVxNavYteftOgN8XUFp/oHAWKfWSjJZf2zMdfaDudet0j9zPcd+3Rv
-rdOYOgrVbRz7GIhsQt+cDgGBG7ASnqPDRGeHSLasmjaZVaTGlWmxIosIgfhA
-fTH3i7rO9RuE8pnnrhuisheeetFJ2TfVQo0h74nsBnicVJpzrid3EA1nw9RA
-YDdkWczKikhxtUlL0nKMqKMQUy0RO2cOcCJKYzZ04OD4XI7AnCvfGHY6Bwo4
-GnZ6Gbi0ZS1xL0vXuyXXCEvs0ORdc/VDXM18J5PrSiW1VWRwtUCOow023OSd
-W6Me2XP4MnwlgEORYPGIJwccdF5NRE1Fp0Mkw6qJ0XUT6SK1sk57PZPJW7Wx
-74KElGPNGcdKMnFAp9w2sWqrUl3KoZGsFZ85rVc69Lvi06r6sFyw6sx7OHu+
-vgaXPpN5fakW7T8tROG5lvwvXQUr4XAuuprKA9SabEqo6sylXGVD41JRwKtg
-RKTctdNPiAQ1mPXSxtEpmVGZATJbtKcwQf91Rgoja+uZ6M7rqxhlHvRiV3Dj
-F9fSuZ/4boKTXfvyskOe25IJYuYkcOhNzsVYNlowZt1lCOIXcT6LxsVh1QQK
-bW4b9/64837c441WMl2S3FfPFEwq7vcPHYCMd+7WSqDTNjfd3IJWfkvHiChI
-nyCZJ5ugg8PrlL1NvvkwaXLys365K43FpGNbz8gyrjmXOng7OZ+u6AHd84FI
-oiXtcZ9E4qNkkeaN6xhLZ/qRmDM3z0pbrrRHdXiYGCkc3c5N3udTjbqn2R+I
-J1ShoHhUY2hnArQt52BqCQVoeRUoWdHHBGKUZP12lq0iBHX8gee64poAYiT5
-QrqK3jGZeymLXIpSAZAWPAstVmMk6wEj7U2aFdfJMSFSjR9fsTfJeXk4OTFJ
-3W9J4X9z8o+xIXrJZVT5trJOi3E5x1LMIhWQt1JxwwXxLqsnygDutMlAQC10
-yGCma8YRBrC610NCUsCLiaJQ6FmnuKQrcIY2/0tjQU5RSOOQFdSGXLp1Ewdl
-voARNR1sQ/cDYUW+vwlm6JyBb39VjWE9TKSJora/1M+QsqdtgKQLUNOLjrSS
-yE1DST6pCzG7EQQWpOC0M84fWUWbaqWQI2hHQvcgS+JaTKesRykL99WuvpCp
-XX/ZqG3vW5J0KsVC5qy+Nqor+CBCEaeJFBnBzvNuX7wLIj0W5k3OOc5yCqLI
-+EBa6scVf4hvR6M46MMEvhP2REWcoDPkOFc70g4IZqEYKHgle836tL+VfE4r
-WBSkIeLsuTdsaN5qp5yeiUbqR6hCwEdI2UTTeNdXVlFYuJTYYtwmX/5RSw84
-ddZ6vhSAG08SSS8u4eyJLWFJmwWX7Qkunko6WITT6kx1rG3dJB4MBarTsEi6
-uZVwepelK4JwzckbzR/321De5O2P2LvsdO8t/XRctXDcUkf8cOxfXM8H2tTT
-YFvvAqM6cAgndmuTe8U13cJaE80UBcG7vVGc9z6qvCI116jk2z7DBvdnx9X5
-BTen3WkQOCM76/GmHJJdMeLvMghxh8H1xlXEK7jD2JfgdbHyLCO2+o23+nkp
-m1yybG1E4RsEBIp8VKe1u5TEB7m8Vm8lPfbO5gJvpQjrGNoAsyBtp6B46Izd
-ZgZVuFva1/TcS4dJ7KhqKxMK9bRCLyr7Ev2j6dRxusoViXE2Rl8lWbAsXfF5
-KD0nOyQNjbvwW2h59Myg+js+AeIL8tuJmzTy5LkLZ2qPgrT+OE9WSrXR3Lmy
-cNgxqBgpGA1XWewxvFqLoYb8l8kkV9aqu1OOB7tA9mPiPhSdXBtZhGYvQL9K
-g32OiLTk63T7b6nc154w10UK95JUmFRQSv1qtqFfZJCNORDHnJRBxVpBgto5
-qexRty8390BsTod1mVEbC+xceZ1rw6adRidLaReZxXbVppAr30iTlkleJjRu
-8hr31nCQTqHa1WewHrZQXI6mtMfzdkanVQ9ZsHhPytxFml29uoRKxv9PwrGU
-SRrnd0dFaLdJibmj1emXWjANTWgm702hPNQuxhFdK16v1+IbDPKl0QTVg4f7
-0R0ErA8WsAVwMxfbnGVGBJNLCMRboYrOE0LJEj1zE8lHl4uLHF6LNvjq8j7g
-shMW7VpZKWfhGm1Wqj5Id2E1OaCvJyws7nPjqp1e070wBm610DTT+EIc6z2O
-ztmnLC6R7lV3Ny/td7Pyog93agDBWNkJZpn6fDdKY6Q0eO0dF4U5UwsUSCxq
-mpmIpUi4giiGlj2VC220aMj1hpDCBL4OagpjiEwJw9Y1gL4lxZ/lBZh2UsBC
-8tpWzfUUUr6BUn3JKCS5tDOrlpJVN0lXjWR0zEmRm7GvICHg+z3GvVLgPIbC
-8DKtJ7fMIL2JTxY3yu13Xl6+bnYNwnms4BIlSy4x7s9joKmja693oUCvkKlO
-F1poEkKG/Mk7Lpxulqy+MJkG8A/XVQHN/GRprdGO2NZCh0IEWJplpg0JXFSY
-kyw4WIOXFmleO0sp1tHSteGkE0kntVB976q8qk4URUHrDEsVL7fcWsJuLV/0
-z05QOQET8fNuChgXIsULC8mjxcqHhWl9A7Px0hOUZqjfBhB5AdvS9fc5dtm2
-a5YpcZGqFSTvRB5CLN7XyffCOOrI7GWXIr0hClho1IV4nbvfyucbw9E08bZZ
-o2ayF3EFaZpiMqdqKge24O6GER1v1Wnr6wM9r4UCQWaqGAkJRhaGgh/yMlu3
-VDb52Yz9kqdtk8FywsnHSdet+NqBIl9fEQs+erFRNUARP3UO9HFIU+LRz5ct
-ZwONfG+eI5SxiefIJeBKvYB6XFVZ9w4h5K/DalJzgAS+0KffzIL9PXWp+PYc
-OUjoPCRC0pg7wjTKZpdt6l1qBEuaouRKLbODG5g+5nO0VrD7c0lz4QHpY5Zd
-NR2641i4uIUbpXHmEaGlidBSMos+qtw93/nRZUf/6CLU4ldGMbOmOhmkMUnO
-kiR1u8ata7lpTyXhe7UAhTczdK/gHGNNj+Oui84BvUE5U3zixNqVhacAOjeI
-QATZ8cWZ9uEmhdYF+EJJG0Dsu/w0sv+YLD3GmijNGU6+LSfji/BuU6lfI5om
-ycKUT78uS+VKiJhpN7SQAy73darf1jn9uCH1sk7HK2W4MKOcDSKpjjvQ5YcS
-298VmLps1OASPAn5oN1kSxAFEgO5DtstK2RX/rqcTKVqbWtNHQTuqhzP6qpE
-RSCan7idqzfuzdXFblyDi9OG0PhC1qq5I2vVCCvoOW7i7mHar0e22izSqPxE
-PNVO3IpDMmIe8SYQ9fLtAYllTjnOLG1VuqtlLIqm10ShWAyHdEUnyfwFOuIs
-cRBB+sCGLF6xBgIoDaGNuDkKJrKWKIbb3q23jJ5yOVRViqSeA1/dqtVJ2Mcb
-SR5gAdRP/WdE4Xc1f8RsXGkvZYLsY5844YpjRSr2SsS4do3TGAmZECyRJFnn
-GMRJzXuptXBTFHyX71rZMFDcaFis2wSU61m343Ww4SWhXZLZkY0aslQsF3Rr
-CGDPhhu4FV2kUTiXgayl5vqgutwxqrcmaVMcAgYdl4hc4xo1XM3+iZJaeDhN
-VKdLAhCluhERRh+yxhcX3VbX5tBKNa04kUhtqMhmW6vihg/pnijJ4/XgluvQ
-cPpxgVQK3zNIDrNEIYrkY0vSAPSK49jQYTfPDnLQtAOZcLmePeNUOP5ar+aE
-330hZ7oTcm92o/wSXKDrc2jh7U4C+/3HuGsUNPHXxxGWhMwU2ZL486Ven4aJ
-6u1dytiOmuiTTZczWhcq4KBvKGWVW7l8Uaq75a0WD7ZXE9z1QCJ8IjxD9i2M
-nIpsuQxXhES9VPX1gntoLeWKHg6188UdF1ndOP1DMzK1giOk0OxcnJ3tBiR4
-nZdEU38LJVttmsyjZ5+3inl9K9OQQ5jBlfY5vNozSiWuo8xa8/fokpENPerW
-et7sdnrSQOxzHndaTpfsa4iRbK9fKc6ZeKDXnY2Ewx+jTaSw7SXxL8OKYSk6
-7WxJXC5hbwfgqkiC4HLG1CQhfhoTbgyf+JEWxt0FZUmhzDYSLTDZx45ZO+Hh
-zGbYqNdeUzJw3+EY2Tga7XDWoDeI49yL2GRO8VmiJgbf06etmw3CMyFdKWja
-rJ7UUE+468I2Xm1c7JpYMcgGxlsLhyq26ro6qrXdv0lctx1Zmhtr8Z6KieTu
-yvFdQZGHI77+TtLYi2XhKD50jhGS31m74YkxW0lccXnXrHkbXL1qsQqate5N
-rPDgZBVgGxfGGrLhOs4CZLnVD18SFCVaSNaEqIAIE5K9bZDr5cdzK435lqYl
-8WBaaoCGLxtEwWvmOvaKm1Jptxd/21R8k6C6tBpt5VS7phLdgJ0FD0OLK+Mq
-z8IEzcB9veqFyHhxxJKxCu7BwS1Ioht6jLlcjtr4x26WP1/h7BKPonbfnGNa
-kuXm7kbZ+OMpl6BDserAhl94Msrbp1FmUSptoF2BHMIeIe9cKyKM7dZEDDXf
-Dl/49B8C3FoVvJ4ddwXcUAjfKYG/3JyIwotm9sLL2ZLb4rNaXJtKd8Jsz7EU
-AtNSAb4+usDsYukiP70ObUe2gzXGHIdDVBejXPaBPrcOVXBt29qLIXK0fgVz
-0OTiW3V9lbrePRt6+UKnQO+AQIyRyOIFvE6nNIWYzzvNrm7V2hfcxtFz6/iX
-1zxLWxF9XvM7wE8+yPCOEYEsl1/PWa3xdz9Xkk2vLXSulzUEWm9NJ7Oau5IT
-Br7JypIz3vjuhKy9/o/S/XtvksnBIeS0ZGc7viTz7PwN04WErwBWyBR9QdZ3
-DPa+ZSqy5Ui+TjPrhQPePDu9egHOEXe9QP+KDgPh9hf4LYk5xud/ka90Wlw4
-zvJyxYoP7ktgFz+p8Yi0IJSxw6vb1XVxnyvfy2pgNvIeedPxl7V2AURzKDTh
-H2lWgg/w+7KXyumu8uwRwtD27t7t91LvQU50gv8nkNN8kryU9j+96yRk+i/x
-5d/kPYGj+8fzoGbxM0GVE48q9Oytv0foN/PbUZIkR/jf6K9HfA3VbT6hl52Z
-pjcUouriNyAb/R/rS6GD5GfcXuX0SfpZrIv7qAmHDLnzQ+Kt9ItWP0odeaR0
-3vmp0/H5LegQ0KFf6hP33eZ2dzKCMwvoRb3I/J8eghH+t+jSLGnQ1V34mnL5
-G7qEIFdaH7oOIVuwEBdv0RGhOpUViHfsckc/pU/3iIkn6K30mYYVnplN/m0A
-R7a/sMtJGpds1SA+HJpS3WS+RxO9MxevAuzdWXVrYm3wzlsIiatrX8tea0h/
-w65P5GSXzGjEFesQrpLazbo8xJ105JfLbEVys/8miveKQelznHGxsuG2oK5s
-sYMwGriAOyxOriKexK54di8T25rgcvZNMDyDW2jNm8ayTG5HUoJBVC8vb4gX
-gC+M0vLDV43xYQf0nHZpW52sS77nlfvvpj59cKwd3t3XLuMrL0Nblq4LywWj
-QsVvXO2rHhJ2Vfk7ciX9NHj1Utz6Kc45XGyBXr3xlrUbRmhfrFEqhkQUN9mT
-zjydC2EBDdd6h2S23g20T2ZwVbfEJfPKviXzbfcIOcrc5Rh4lDx4sC8FqzU3
-q5LKLu4x4ftyxQNrYy62AyUZ3HWFlQKDv2XvF26293ipt0g5gcYNFzJsd/2S
-n9GST+S83uLtDSt+ePeKe7O47mMYtL9snMl7+e29fNhf9GbIPqRl+sqLDWt8
-FNbo4Dz06/8H4RyVdnSXLTbTe+DF++itsLxH0dWSG1Z3sLa6R//gmmI9NF6S
-3kgpa+q2GQMb8I2aNjAKZQ9eNA4+u+u8GvaYS4MU7UflkXZnM8rxvY8eTXY2
-nS/j2i/xzv5sN/75pYdHAiD586fNn7g/96NX7c1db96ENz3i7Gw53t141O4O
-zPrI227fXJ/xwKVq6OndNc+Gg00m6fSOw6Wjw3my0OLdcfZee1upB11YYdSw
-ssN1h6YrL9elBHH3a6QhKQcO0NKUV39lB7ht3OuHGwRxga26TTkabIuKA4Iu
-IYF/Ha2M5/qaXOC9Hx2B8lWzfiX2W2nFDcTeLPz8/ddrF1dvUzj+qaux0X4g
-JEKZfzYTyismHGgJ93H6u7ot2ueL4e890aNlXrRytx4yi8hkIblmBpySnGuE
-FYfz7+pCRmVY3nbi/y7BnQBOr+GSAReHRMOqAZKG+Oq7MB6Bnt4ljX+aqdtU
-Lnridhh+9Qn3rUl6Hvxww6gkS7oyOLXIjdz8od7Ic7Ym7cO9B2pbnH4ci1Hg
-kkylMzh0zc2nGLUF7/Q93DqyPy/Ou3JNxptosm4bcjUcI43X2T3qo47c064m
-ppS6RthNLnrVvVPecPnJVAP0M8hGd6ac7Mh1YvFdN/TTfG/AGXp8dojZa5in
-WXJUOx8jPYS5fDZHGmgqw/qieVj0xcpwH6WUr7PhxkCydo1C+Ur9lNOmiPiY
-ZHUneHF3aKLGcJ08NRttJ/azd2/hGOKyLrnSj32N69o34hRRWYW3ZgxaI7tU
-W0Ac3XI0Xcevy4w4ZonrqnaYmdE4u1ayQ4h7TWFY7giX87c11NAMTcj8QXe5
-4+/3fApxXPfkLp6Vu9/GWjADJ0Acr9AueEZSV++HLv7rLX77bfBDBzo66ls4
-feQWYRRA1AT2qdzaLK87JRn4E/neGWeGgw2EzoUyEzpcXJ6BJ3CM7w0kaYHd
-IppwC8ppNtOd0Nf62zEbrHg5SRveSSQ94vNnru5YpMgG7CKS88dpb0J/m9RY
-iuAZQYXurj6WiVD2gKyr97eFI0JiR8v5stAbeThGnibBOcoNOrgSxg2sxkUo
-RtbgnUTysdrIG6sx8iZrtJtUJ9MUHjpaZyK46S+lJUTyyV5hsX10s5pWJhlZ
-oFoh1qMN25A7DvzNAQHrcXfanFBdElfids4uwzcNUCVKaNi9gGo1zahA1d8t
-KwpZOncSr5Gem6FDkM/N9hvyCQ3GagGRW5PUthOuE2fa85vj5AMxzo6krGfz
-kYgDwB2JcXexeMVhDQNd9lXcR0PX+NTY/ix62ZjkWeLzZSmCYuIDRHH131nb
-Z2CaCDyldXDoj5gVp56uJ0oNtXs9V8B27yuEIz1qso64tvqvfUdqsyOEtY2m
-uNOEdI1FTDKdqMQ1cZ5x1KyMg+I6yftx+3Gwi6zMeHEm1CzX3WoAxxnRgGqd
-A6Te8EaEr14xBnt6DaTfFyKO9ncG0EMcAuRNxNYQpJPei3/sykiCVG1/Jinl
-rlEq44umzNYMapoNPsBuWeFQq+lEFEvuhr3Yx5Yv5M6C49K4tlmyUK1q5La0
-oiJHu9ZkhWi7Rtt4oN8rJxb3nFThMhhW/AZtO3P9zUNT8i/qnBx3xS0TnBZP
-agcPhdSXcZW4XiV+jU/RqHeeExavp9ED8CIPu3UX2hfd+w81GTLqCnClsZWd
-c4LoFZrwkPq0u0WuxO/Q/s4vTt9cnb46fX169fZnp4brIuPWAxrAceql17ar
-EbMwr5yi8ne0nE5dsIdsIg6kCrSR0iIGlPivbhAzzTlVpE25UjldkVHv1fO1
-VrDuZmXCoyTc7bKl8O2pH8hIGUGS3eSStTarq+V0hmhhuLpW33cd6rrJXAY3
-wz11t4f3ElkiVZyzhPW2yqCpmSjvoAuS7nnIvSiNy/csViHQMzFaXUzMuoVY
-kzEZ76H2oXhnQzMF327Ed8NzgX3+rn/G2Ub+Ir+YzYcu/KDrHBawbHAM+/tz
-POfugQBTrfuMNadLagE1I7l2fk1NvTg5u7qyO5dLJLueQEnwDRaG2gWexcZ4
-NVTeSkbwFjphxiADbrNem3Hetkn8a2QipaZrp7V+8jbEQKXRrSw31mkcmJCD
-pmtYPxItJJQGt2ogpaVcsGZSUc48hOI2tDSPjHopp8RRtExvuiWV6AMaywjj
-jNO/pNF4vNo2gqguXTrJjLmZHidcYNTtABaGDQr50ISCKCgRzEBwTZjT9fM6
-subTAt0lcDtj/0ZU3qDcTynMqtMhRhV/r/STZFvzZ3hBW07Cjxd1Re+qyh75
-GuwXfA1rlycbFwvPG/U/mP8DO2hh6c+kAAA=
+H4sIAAAAAAAAA819a3bbSJbm/1hFDP0jqWpCtmzJmSlXV7csy2lV25baojMr
+p7qOCyRAEmkQYAGgZJbTfWYRs4BZyyxlVjL3GRF4UK6qmTNndPIhkUA8b9zn
+d29EUWSarMnTUzu6+JTOt01WFva8LJr0U2On5ce0qO2irOyLrG6qbLZt0sSe
+LdOiyeb2p7L6uMjLu3pk4tmsSm+hkZ8u39xc2F5TIzOPm3RZVrtTWzeJScp5
+Ea+h16SKF01UpEWRruOiiO6ydZ1G6byJHj0y9Xa2zuoa2ml2G3j48mL60hTb
+9SytTk0CDZ4a6POJias0hr7P3k1H5g4GtazK7UYHMzIf0x18mpwaayObuqHN
+eWj0Kb6Vl3FiswTn1uzo01gmeqcT5U+3SdbYpoqz3Jh426zKipqGf61dbPOc
+Z3a+qmDNsriwb3V29ERZLeMi+2uMY4ApFUm6SQvs1b5L6zSu5qu0ogfhlSw/
+tVnaLP7VLdBhkhpTlNUa3r9Nsd93L8+/PTk68b9+63/93v/6nfz6/cnTx/rr
+0dEj/PUyenGIvcji4xAGPq4f19GmKptyXuanxmTFojOKJycn2vJ3T79/op0c
+Pz7S1opMu8giWttIlxufuLm+fPny4pTmrjR5A5tVpfa6KpPtnHbtUt6wLytY
+ZtwZos+L27TalUVqx9zMwYjbiatl2pzaVdNs6tOHD+tNtlikh1n5ECiwfpgD
+DdWNfBrFs3LbPCyhpdssvXtIDRCV2UWc1yn8fXV98XZ68frizcX03c/tkV7B
+Lk7TPF2nTbWzN5t0ni2yOe3y8FBKeKHRF9yIanixfljCF0P9W+vpDX8ipCYg
+tbzcJvYtbQacuPUGCLxY2pfltkhoBOFu1vOsaWiTswbOGSyv26nj71v7XmJn
+ERB6Uce0+FFDDEEf2vd9BBvC+wuPmiiCIzMD7gHPGDNdZbWFmW7XSPFJusiK
+tO7zC2U944vzaX0wsXCK4FP4BCfTlLZZpcR+6Mw6ksgK+2abN5m92dVNurYX
+xW1WlQV2BU0RNzgw4cyJdJKAtfVO/KG1OAQLlH8LxGrqbFmkyQSYWLWlJhJb
+pXPgLrUtF7DH9ceAw8DHaWXjeVXWtWGCb0peGeA+6/W2EAqBXp7veIYJ7hxz
+0d4EjazKXdas+ozMzvMYTheuwu9vrt7an9IZL6Md//6n6YHh8zqBtYMtqEMC
+tWkRz3LYh5rWrbawwsB8igb+DWZqAs5H0+WZuIHoWm3r1MawrLAwtKbz3TzP
+5mZZxZuVHb84++HAN4pdVemmAtYHTdH6KUOcZzCiuACeDNODl5vU0MT3LI4j
+mZ8upwcwBlxHJJMa2ITFbYMPzLpM0pwanVe7TVPSmGC/N1W2zvD44Iaf2SK9
+s6+m02u7SmPcwkWW5snEODKNhEwnFqmZiDghWqLDsCkrOn+0GHFeFssaSSf9
+hPLA7S43XR/yCVlnSZIDa38AEqFx3A7+fmDflDAwPsZwfP5hul84fvn58wDH
+//JFaby2VTnb1o0TiiTk6FwwtTQrkK/L1de2AFdZHzHAwYFg3PfX0wNYaJoN
+LUaNPHee4vGQX63KGtMbbiiJYNjKRFblnRtybYMxw9LH85Ut4QM9jXYe57md
+r4DA64BWdLiRmxFMwrhPaRIRn6mAPHAPX5V3KQiOSV+TIApIgefBEIuysXGS
+ALXX/tiYeD4HTt3EsyyH52Fd/q0o73BId6vSbtIKDy6eo8Iym/VtMesxd6sY
+ditGxgo9ARkCQdBnxIBgdO/S5RZlXQInPSCNrJiD5oSzz3d47PJyh+tWFuW6
+3NZ8vIEZQEtmXkJbWQFt6AqGekyc2xkJmyqjE/SiXNPK1ltY97g2sE55s5qD
+njaBs1TExTydEH3k5RIPxRxoLv3LFjhGwG4mrGkhZzIBj8UBrmkuCbAwFAjR
+Ov6Iy4UNema0T9aEosSqKCEibEkGmrXsVVrTU8t4Y2dpc5fC9g9sc9h7f0+l
+i4AqdYGfMUf2g5LJ8rbC87A3WSKcsL2vZ7X0DwyKvuWzsl/P+vJlIqQvyi+8
+05N5wP7ShITALLW3sMSwA9Q9senqNk2E0xvhGMDt1ykcpiKr1/iakjjNSzaW
+9oD4d4vzmriutxUSBJ4i4HZwxqC7tb1pYInwJdzHKk1hxBVtAa4U0AzOFnTD
+CpuNNzAQOOJpzeJEiV1mZkSsgTJydO9OWFACuofLul1g/QuoA9aPtoREBbA6
+Ypzw0ogMI/gsq0VPy/6aJiNqFRqk990zTCowyCnKvD9MsBHg+kjHV9sGNDj7
+Xw9HxjyGTt6WcCpiPF1JsM60CjTh1oLS4ETxAN6FfeZZ8bGrmsghho1DwSE6
+iVIA7MQT7neoO1yXgo8pHQvQZDZ5CozBUz/2CnvfgL1HR7alY2kvJDBZpdhs
+q01ZEwlcqJQsZ0hrcoCg3zJ3/KTVHCqWKNo/f25p516eMQlzM6TvpbPtcqkM
+Y10WGYwTW+Ddp73XV9taQkCrILy4X9TQY9xx3OH+Tqi+iI028Rq4eZTe0mlk
+Boifg8ilp3B0RqgXV47Xpp6DdlZlpZyPmzkYDvTq2WYDapUs0B5uh/o3idk9
+GjYp2AeWVUM7/vwZLW/+68uXA3gXtLVAWSMVp6WjCa3hQsDbSbyMbuM8Y6uD
+W7gU7Q37pvPvGa7jnU43AcqBZph5Zf5FbumsaCtlaPadT73Oha+idRXxA/IS
+LWKeJsu0Ik2yWsSgXQRcqcb3+IHIPYAvk7a1KPOcpTFILwsGIhJ07TYBP4QT
+ArpbYmc7nhctulOOOsoTsXGdN5EZ8nwkv8j+G7F6IW19GKx+OJ3ECWErK1TM
+EhKvFkxXEI5ZvaId7z17DjIU+wHhnGeLFLXwNHwCdE2ghVt8BM4zvf8CqSaj
+v3n2H2FEdyR5R2/e30xHE/6/fXtFv7+7+Pf3l+8uXuDvN6/OXr92vxh54ubV
+1fvXL/xv/s3zqzdvLt6+4JfhU9v6yIzenP084jMyurqeXl69PXs9QqbftOg8
+ZhMCBBVtHUgoYvy1gUM1h3Vksfj8/Pp//o+jYxCP/wUM3cdHR98De+A/vjv6
+9hj+uIM94t7KAo4t/0lcH4RLGpNKRXIz3oBKktcTZEM1qJwFkGOVwtn8zR9x
+Zf50an87m2+Ojn8nH+CEWx/qmrU+pDXrf9J7mRdx4KOBbtxqtj7vrHR7vGc/
+t/7WdQ8+/O2/gDRJbXT03b/8znRPCGwAGI+4JWACJr3NgnNB0u/UnOJZDjRN
+1aZoVdWe0uMEPGGPxTIhLU1FaU2sia1j3K1QnKGQpW7xfM2RSCwY3403Yskw
+otZQuMFwUTsGKVyL4oOyOUX/X0nCGZnxCzVwz9jAtT94A5f7YovXs09n6NJi
+7eOjd0hQ0BNyJF5Nb0qTxLB0lEUPIpF5D2/nkXQcAp8/i3/QmU+03AOeAVKD
+rfNxdLSIJG3QF4CaKLHZ18RFdX83OLcIzxPYyev1llR5VPlp2eEwkYHc2y5Y
+CeixTml3nFI6YZryOgOuBVhcbqgwiD0GKdujvBAseOaeNRILRu7uiPCb2jNo
+N7gGGS8Mi1lv2Fdg2bJhG3a0IYsR/gH1BvQbsTnwUTcblETAyaMc7Mfc2I68
+QNolns8mVWsSJWgim6ZNVXGxxzDjudgYl3YVo9/KTTIDtQZNV9hiaGhTsg8K
+9XjxyQK98C9fvsDrTSCDUCeR4ZyF1lMo9D8/6MtzUmX4vcBLaabDttg+h0Wo
+5HzFGUFHm/T04Z2GebX3WoXseHRp4zXHPOwfiKeFX/88Ogg777s5wp4DIkBn
+4QqdHOjawdOOkhb0y3KekenCm0XWBY4AzbWqzOkdfBIJR4ZEAyD3T7QqN111
+4zaL2Qt2j4NlgL+2XSxdPh+aEaGZK4Yjsiw2CpDrI+k1pfFaX1t5ClwizIT2
+OFBok98RG2ImCasqVpu3yUqnYWZVy8JDQ8htNSyXODexpcCT6+elJnhkX4Px
+RAdrzmoSewyg+Q3yEJAJdVnVA4atNxaI1i+cdf8GXZDAtJH3scdX1gXmDgsh
+h3jvEufxLq2MuiFwVd060Ve0sPhxzOYBtUHfwAr+53/+J4xrnoHBVzXmn6K/
+++efzK9qQL+m3sZ63A7s3p9f8SV8bXpq26dpzJGX04cPm+Qh7ebDTwej8J1r
+fofPz/3nAF/6h6a0d9h7vrj9h1cOzRVZNy+0z1obfGD/SJYcRpD+JKsAr8Eq
+TL3sRYuy5SZfp2BPtpebf1iJeShaC5gq9QpdEkOz/f987a42LNBObahrAAE6
+zYK5w4EbAi3DiA4aaLZoI7BKgk6DktypgW04+j9ZBThX5vOpfbDIlhGdtZrj
+gv/s4uF6+ltSkkihHn0R4z30AG7V6Sg8k+MXluIXE+Ebtf39T1OJ+hh2Yjs/
+EX4j7QnjCHS+iRiLzARrUbNFnyC3cL5lHSAQdawJd7jzImP394MHLZF/XWbI
+mD8/CGQ+qED4IUwWdEM8CC6sU3/dL+BiDvCQ8YLIuacCRwe0/PsrF1+xo48Z
+0PsmxpbAPrFkk1XpAnRsmC4L4e0M41Msg/28oPdyzawUOcw3uE5TDNfAVGWg
+7DMnJwJZi9T7CPSpEW+LFeMMI2Jueqhq9FfR+WCc0nX5ItC7Dg7DCdIkZql4
+l/zyUaxLdIqORiEKzuB8tFmlsjhflhU8vLbj1lLC58FSHtAwoF0Y9lwadi96
+AzDt6JXc6U8gmukIEvNexx/ZM0/+HdGI+ZBK1GZJHjPc/V4QToeXYVSnqtAT
+7oJuHYIyErDpiULq9530S/uufloYBP/6HMPevQDRKXKN36Ka5kXR2e/gyd4w
++Ulc5qqtxaBNmvyuxUMCL5bjJDTEVzzVmyaeo1aCrINXclAFFQ0U3dG3YKcR
+k9yA9vAVdW+iipVQL/MDUDQa4xeWyXlKTAEmxRGBlkHmPeksqkxZiM6L1gqc
+PfIMwwifuaOTIfNxgBjQ6Lg9CgGpJksOdzqxSOGHrJvCkqYZ23G0BWPZswNp
+gcx5NrFdFGAqoVHWjg5O7Y/6qGzjgCGIBIj72LKBSE1pTR3s3YXME6h2I4Ce
+ryz7IXv7cR3G7YgQjO2dGOBMMUKbGha6YyPdYpdzsmzFFaIeAvTmq7yEkTHb
+ShNo94wkIosaWaqEvaocGSMRyVEEep8Mvn0Oh5fMwj4/CLzIzO73vICUOQhW
+CKWVYC7QNRQ8fAMfxiRF4YUb/8IJLKTgEIhLAiMy8ADBYkCHtzcwyTgX8xgX
+OrWzuE6fHm+rPAKyBAGbmD/z2TvcxDs8U4e1dvZnYdMHti7ZsqP43BxYF7Bj
+ZT9ZYWJLYdW05bG+jfNtytKS+Kqc5s8PfimBGsRrzQTdFWM0F9R+Y2GqXgg6
+hixs7ZcaTOnPsGfErxHYd/P45Ologp80uw1+Iig72JV/+uWu4a9QTsJXHC+M
+IzhbUZZER4+fjMyXNnPiEQlbcgOVyVx8itHyQ84E3aO/Qh2eEvBPsiV6UK1b
+067UAMrD75QpHMLgaPZDYma/hLH20lmgbLlRI/V2Q6ECWhNHNN8R0eDoaM3g
+Zdoqqw5c3NxRAVboCB672a0Rs4Umno4DbP30cHk4sa+wWVzOVzdPvjvGv0+O
+Hh+02sE5kp+TaFTD3nGtraKDRpeGsZfQcVSlGziJ6hKCbeysrNMIUpKb3R3G
+zxIOrG2zesXRW8uSjiUsKoyIsqwn5AGFZ13A1itmcxcvoFiVpTcC5YpWDfVB
+IKaBre/oV6qFKfrCc3UaGDbfVlbcfn1L+/VePAbCtyoyzvOy/Gi3G+HURBjz
+ptU0rKinvY4HEU8mLMQ5I6ngYN41ESvYwbkUrqDHsbazUmFJEfo9oDGUtC1d
+XLT0FkigC9y61xNLg3uAkt83ysPsemcG+m05fJVUFHQF3AqhKzsyM40B7bWz
+dTcN+qWvqvfvLinkDf/Xbdzp3rEPUdxaxopKsE9RzpxuMWNNwnvkHBAU9V/H
+60iu/Nl5C35L8jdi+fu7h7+FJV/97s8T1UV1UKN6O1NNXBxuoeqLEe4iUp08
+GCKZi6iz89HA+dbzVYpBAT3nwNVv4IvXNXur3797e/r+PY7Ym0WosoP43L+Y
+iNQBiRFTjLy9yLijaB+hscru92yTQcvj+kBnwiv8PJ3HOFJiJgTOQNZCBEkB
+MY7s48KkdR0vBVHHhq84udhyGcFnHaslEDfOfcbnTPz3pBtlKUOEgFfAR3Se
+dsEALxENsEHwZ0bmVobOihhBpPD5b+Cf35CxiI5JMhBhH/IMyfE3vzmlMBya
+BaIbErkyzypYDxN1j3zVInALPFFiL8ik9Jw2zmlIdGZ7hhghdYb0SadFqqaq
+2AqkzbsYNbOsUZ1Jgs0l6gSrOF/ojvEZOXQT5wASzlze8Hj3ocnjlw1bcvDD
+MaF811LUtGuh0niBTDm2v5Sk/FrREn2kRaAbqGIOLJbOJNCD/eDZ44y9oi7f
+He8a1eNZoFICTyOiVAU62CbnsXRB+sAC0GEp04oL2Xc6NzJY3Ccm+YBGeQ34
+6f/448jxjpQVlEOYu7gccSgjeXL4OQYQPRRP0X/8CcGLF4gpVNFjgT3MPwpR
+EZllwEYwOuy92BRHrpWn0QRoOYFJMggH5CjZLrhdBx73wQFBjEv4iGGN1BUK
+cWphk5MwpjVdeqcEtudJGSF/BHkilCu0EXoG5G3q6fIFDXYEn42cdoR7QeSM
+iBf3Pp3NhlzVlQaPsLlqi3HKeIbOW9SyMbou09GDhFwDWoCtlYMPD/2v//bf
+8Ti1rUE9RTwG1jSs404ycFwSWFRQlDps9+12DVs1fwFTl7k02RoWFdjWKhO1
+koYD3JPOaYIqpEp8DX/GDuyUSEBgwoYADAv6lGGhYpPD4cTNoUPRMEchNBm0
+zzsgoCB+oB1WnaXLGAV++qmr5vWnAc9k4nWjGQXSYUAHFs5OWiJuIezTCf7n
+6MSus4KC6Mw0aDqogYFGhdBomcMGbGXYsiJBrO0qQ1ygqh0cy4zB+CA/wzwv
+5wjnqT8ClUgMHaMlRB0wUDHcW8rKqJgtRnb8FpbleQrtpQcikBhe5ZxKRPiz
+UPLJ6nZ3p3ZhJkIlYRQ6RS06zXdmC+YCbTXGaGA0vzTZoKgmlWeZlzMKMW2L
+7C/btOO3C1mbCAdaL9rWUNDC2ElLEIWGtDJMyCF19ibDYJG1BFZmqhMVDQ35
+mJg94nuxVWCLMN4RS/zaiXweAgeYgyGOeW9o85IUvc/I8TvDdI8jBotSvs5+
+0GPl/KWeIyALfEdSEpmteFV/gaaNWN93KzBqZZgrtN1zoI4ExADGrWrC0Dqf
+SkDFxI2QvtCtgmcDTBk471nt/Sm8BwUiTJHxYDgxEY5jvHB7xkfLvR7Pem+r
+UEkxl2lOktVttAAklS8gljEVHbzvzfj8AA9v21LwCrno4ITkuE/FB5Xoju0m
+Bd60idCJ7WBrSdZQvhseglw8vbQBoEwFapEDw8iyutV0kpVIk4LBniqRB6Xz
+D0B8+84GTlVg6QoOJKMwGKNAsRDjZh2cVqSRh7eLzjISPvEBrCxkXOycEFBh
++qGOF2mzQ8jYPM7nhPP9kJSo2RJFAutIT3lplXOgeEJNmqNHsLOYnpfYkU5s
+ZIHwVryUQC70CS7cbZklZEHmOUH0vJDkZ8Znc6AJ5VBVikB2kl6znS4ipsHR
+IsKB6azfmer9NS0kAkqvA9kbKDKk/gcIDzyWYexPVZGUGb3bTxopnj7nzSB/
+K7R0m5Xb2jlXU/XfnhU2XW9QU6GxwSFkcDRiUmxVljI0Woai7I4hIE+0nkQz
+Q8NDNRPXRDBZItQ19LaKER8REwiA4+ugPOHOA2cYkcB4RucwEHcU4E41It92
+PTMLQbiWE4eokaX5QqC4JSloRFaknKFs7zI7opwOB1ASIx6ocikOt99Z3bhu
+wGGdFxyWZJFnc3GqXJ1t4b/XW4zH2jNBi/PgJQ6BCz8GKrLfHz1+Cvo5Kyph
+GkORkMk0kUEw36e+hVO9QGwyB+YoBPgAwcoCxIEPvsKwFATtnm+vsYKBTQCU
+0zgzThGxskBsKayx2OMMlaZtoAzSzQeMR+9jeNPQNWvJNUswY217w2gJNIjF
+VXTz6ixCtx626owuHBz1PCH1gDDjmOPJGk18Z8t5k9Jih29Q/1kti1L76Noi
++5QmkfdAbmKwySok1W2tjD21L67La+ATzUpNamaqx8fogFG5K4ls11PyzIbP
+3hsnOHXzzGqReWtUohgz7gam5zQYKlB29klpWp3RsJT/D7aBCUP2oZOcJ9pQ
+jHswUqoYOWErQZCapKz84SkXI2vtkV/NUA1htQ3kfBXnkeQXBBH2kh4SLyb7
+kSIVxkr/HLq6zydHq0OIOvQpo2BBhgXCISQbYgjecQoLgpH2rE4dm8AXJdUR
+5BbqTQWTaJwjbVFebw16+EduXtZjJKOfc2QDNZrDvsZPCoJkNWwLDCg27ITU
+bFqr0yXBkS2Lkq0z5CFTkYPkOHWSsHZZUAnaysQ0BSMwCRrGd3hmQRQcGUJV
+pwqfg1FJIIat9RFM5tBZ3lvguesPlHw5OnBCeWAgph01TBBKSVqhXy3cq5Kk
+H5nHM0pSLRKgH7JKblNhn3X213SikDmKFCFPx6iTk8Kx7CNh2ni/hZw8Ftti
+u/Dm8aPvnwLxNOhX13OPrRnYLhLnMG44p4Eq/JUGTwwBRYe2Wh5mNbylhFOT
+TG3cDFEmfEO2Hafd6MmAbeOwQ/dU4IrNY8SlCJpGzwaI+cWWvOmK9BZIyLlm
+BqH8lMBQV9ZkoVXdcq8LGXSDWoiuON3jp2F/zhwEDqbfsOqI7oL7n1edkloH
+s/fUHn377eNHT4+PTh5NVAdxH34rH6JqBe2enDxKvzt+9ChKH38/i46PkuMo
+/vboaXR8/PTpyckxfPPoCJrGN+4kwvZodjR/nDyJ0uPFSfT02+++j+LZPInS
+xaOjx0+OT/CTkfQrKiq8hTYkWK9F8qFB94FXjVERObV//BP34dgnvFIcz/59
++fPqzeKnn+LX0V+Wn36s/v1lfPVh+qmuzo8v60c/HtUvZy/uzpdLbkpFAb78
++jx+FD/+5cOn8sPJ+tH7715Nnz9/+/zt+es/PP+4/DZaRj9v0uyH369Pnh7L
+9JDITu1nTnMLzzFmaKUfZPKzOYUUrf3SCSti5Qws/KGBxRbxXAtNBNHFBzZE
+RExdEtDnB2EOkIAvu5AReeslshZBX7Vx76pmNWHulH+9mxtuWL4fHT0C+T6c
+CK48kz1z4v4I2xAtPfNGJ2by7wtdm9CH4OLeUxXsGsTjsgSUQPm8F+YG0mnQ
+c4cBvIaFHNhjWQnG2OgQOO58FaPjniFeZwrWqaVIQbwXqKOIkfp+wE4XTBKm
+9TuAjUB2mAuYHy6m9mG8yeTMRuR2pe14eHR4ZF6VdXNq5TsaymFw3M0Aeifd
+/X41+2GeHR4eYkjo8LA/3NZDaCrBQz2wjnTTAusonog0MdxPpjoH2un6bBmz
+QRBXym108cHQjpc1nxj39t71ZarKiY6FZcvGJBPyMhkELOx4L5UKvkp4oq45
+DJfEStJKPXwIR/3a2NAX1hjWOICawMxgBLeEj5wLbCN6OjWdoIgBYfP5c2iH
+EN1fgmlb7HSN8M0FFalog3KQGt1oA5cVu6CAIiq3vnKWJAtFLWXT9Y9rGm2e
+6zIk6pB0vrsmyJE10qC00y514TBaxED6UahvaqyIVOMA2XQmMA76A350OZdk
+47WSMIkDXklRG8Gd4xbCzt2XwSRuetoJsvJCHyDMqkWzis1iq5gtUDGgHLze
+uPIS8UDGsmB8xI8LK9SpogKLMDFUpoSWA4NdZXV/OrLzR7hMoZ0hbVgwF0kI
+4dfcsbRSVz3yQ3JCu11qDHsvjME190tMzklfpmGJinDT9htQSCPNmEUWphWs
+k81uU4Z6tZmksgJPMStVwV6/w/CKnMOAVtx0JZcA2sIErAE0jIzatAFFndnV
+TbrR3PkpE75975yopxwYIjcvm6/qgBJXeQc5J2kJBJCgRJCxxv/brk2SRqQy
+TWSF6HU5pX5hs0XXxXug/EDiSwE2lnUTGqu6ozmv3aN3dfTMGTAMRKg89Vd9
+ImDMPD3lilNdbx1w27rxyFc6D8bHKwXFpWAlZuzsM6WYYcgEvOuJGuDZjoWG
+Ai+eo1Z5wVOVko/hRABK3CRHl3P8eWI78Ew05HGS186BbjAf710nRBlO0zVo
+PXFur+TUCn0E0TE83LR2YUcCJbaKklpSjEycst34mvgUtPwDNbDJsWIJNYGO
+tmy5rXwciqNQTZmnlJFjx0EG7Kl98ggOH7yUIGQDG5jyZkyIERMH5KGe2j/z
+L4cwGPtb0I+yPKHfORGC+vqAfX1wff1Zw42uc0noYSPLD49aaCuJzzB45PyH
+yy0IaBCiVCMF/YgY/4KVVv7Iu0SY9WyNueHrDZcfQq/leftZjqdk67jKgISC
++Id1HqxW4v9Y9ipV+u95Rg/YCznjMhl+BMN0BcRLtdfEVU8MPM4U4o0t7KGx
+Y/TrsLQi/e2lTz5GisCCPgEXDWSWQvAEywq2xCyGlRfnsZIS9PpNzRxCBs7J
+tlznqaFRMFLgnnNwQtUhfNImhokYUDeHEV+HgtOhoFAV9jEsy46xVqYhMsGy
+m51I3I0dw7FdgDRzQTTL4SDk9atsQxE4iry5ogE01MAlAjwMlDzMVdUEQZTq
+oLJhlQRyqqQbHMQdKuxAHfXEdGWKzEbICYuLxJ+y9RZUDdyChs0i9P9QSYI1
+aIDtg3gExvIjICNQEoQfEUOj+DNVksEaL04s08YYF890gj9g5h5kFmwPyNBX
+WLEBieZ94RluEJIw5rJoFRlp4dfigG96EuswfWb4GNrAY7FLCQ7T4+5w+uM8
+kGYSG8PjY1Dv9FIYFQhiR2xoTGyy1eJpQZrfkuoUmHDoXh6AeY/by8VhBA/m
+4FawMIOA2RA16rIO70r2BIlWICuHEyUpwXEPqSVxi8TDkpllgSyexqas53Cu
+sA+yC2CT6Jib5e3wy7R97oTSh2S1rrtb9H73GsARXZ15Q8kaKVaDwe1DTPdt
+qsv9sUBQT7josIDxrmbB0VtBsLoSJJBwJymFndOyUQSTwU1vtw9DUdo1u2JB
+Aj4NRZR5gU1WamqE4OKGoSUo5p2QB1mT5WSi8NRDTT4mdbcucy7q1ObUPkuq
+Ssm7a7aFPiwwEYrq0GgwlZ59Bzg99yUzVFwz8qIZwqiMiWOhEoCHFlHOWVU3
+B/cqFw8CxD+SFycL/BgGpD4/aNmFrC2HD1yrFdnNPxJNqfbactNSkNuIe9MK
+g5F63M0uARKUlK/9djRQE3LXWOyWAO3PEkb8oOw39ohlZHMg01GBQOs49P8w
++f+oEExhJgT6V5+Ax2oD6XdR4qLD9RqgvK9eA21AGw1Z4XDf1E4Jo2wsWDdU
+jCkCPcckwzTpJ5vVqnylwRuOuDUJiWH4RGRo8AeoeRvmrYVw/DYYf8Bx7pRP
+7YSzAxSpp4N5RvnZUlbBA/aDGVAjHVcL7ZKXH3ZTAuvYiSrjljqVRMXeKoeH
+lbnPhJkJ00gbMi8VA4JoQqdYwwmhdmDU6W2Y+9hG5rPpRcPxtqQSM2snjho7
+JAgkzsL45PAxdPd0gJp03/d1iZoKaZIY12HufgtnPdk7qz2ZHuQadKoa9PZN
+TU25YwsTCGs/hm3Cox+l4FtQOsnVQhPqmqdVw3wgDVtGUpnYq/Obaz7HQKqC
+aOcuZlssF2W3GwS0ED//tkMJw+eNoO3iku5mwIjd08+z/K7TdJCbGrY3gJSH
+9/lQdYpSeFptZeF9352Dh5O3IMUBi0Cp4GqM0vHzIGyGflEjGbFl0qcmAgut
+twtY94z0aKGrLv/p4W7jmtBzApN5Jm5Fl4rIW8UOGgE1K8jUIzgIcNgGQYBu
+sUVkGL7+k4I9HSxYnPmhv2cSWOm8CK25M/H6olO0BrC+R48OW+tLuBjBOClS
+x8lPPUOEliHxeXTUfp2s6Ta4snDoTWAm3DmtUVyzYjRuq/s+MIjhhXpV5iCq
+Ag3GKf+yth5ieqCh7vu65Yji1/Qib7rbGA+MT0BpCyP1FID2MSEzim3wjgmO
+Z/HosVso9uqKr1CC5GPSGydBbG4ieEjUpZgnS14NZWameR6xYxDbBul6LRpF
+x8nGfLRbPw/fATFxyekWjDEnlBTjWtsVDNhG5cxOp0rRiLwZFBZA8GSIuj9r
+fj3Nhv3o+zUzDWobOQjugbxcLlv1mlyNR7Dtq6p0FkhtgiA344XQ90wn0ZFY
+1+/uLAUKMKl5QFur9qwrUF+SKQe7XNNBZdWvl6zM8QJQDpF3ttLQPXA5jCB4
+QL0Lu7NPj5gkNXD86IkdvyyrWZbA4T5AVyW+jxI6E+wZWRku3Ie6FH3MOp80
+cmTGYKa6eqLajsvY7yey8WQEncLjAr41K5NdN6U7ZogMrHBKeyKshMx8gvcY
+j+BiN4PbkmFSITNiGsYuuPC5V+RkOSXAQUvs8NoM2e3ujVlIkbEH7dIfl66a
+4+cHvfqNEukQZSx0ksKx8dXIWgeIuAF6ETKq29OaIUHYy7qJViVofKAB7uqM
+cY/+9IXcL6jl2S27jHueaY1ZYS/Y9aaVCGXKjXhzXCilHaFWqcTgL9xLtzd4
+GmDZTQMqS1HCUdwNaUmS5BbUacNTC4cdUVoI+arNQF0jhCFkhD/QpLiJ7fsb
+avTaG1LReSxhhWCtiJVJiDiMyOCsMacsrBFxL5NrSyUx27hxMcbOggnWeIsG
+Fpw+tVfkjHX5VUoi3vhjm5o46LpMWE2l+rGUYiDWVtvPLYOUfGWpoI/IzCZ0
+voKQUtacYrA35QhajMVoy6YsJCbmy3NbDvrBePn2E03pL8uP2w2qzjiHyxf9
+MWi6c+r0pYq1/zhnhWfBqFoZBSrh5BdRcOAxZfANwT9bfQlXGSgHzQp46Y2I
+GB0zrkOC/ZJfkovjqpIZJG8RilAqtcPqv0lBYSRHB+vO/VHMUrf0bFcQVFYK
+5XfTiYyPEkq1c3SpYbFHJswMBA4h9vJ8W0sarqVbSbA9cuyq07VWIImYQL54
+eK3Pz1vPh5UzYSTLLch9ca2TSYUXqpAO8OCBxRrYsHRSPKwNoWr4u3hOIVGu
+vsb9pAnVxXkTo7vclXQHTY6/ljcPuFwj18HsGFkOHSkRqhaSXlPJ6HoSIiTW
+kg6x+izwUbBIs1rrcMOefiI0I9jODdYvoZobvmNCqrXr4TmndTlr72a3IexQ
+hILQUUVNqwnQNIhsl8Q0Oss7f5KFfIw/jM59tQsIVPkD9jVFLxYwkmzDtZrv
+6UwfSoOYCOdVEbgTFT8J8vYj3lLxOc0X0RkQUkVfvkZ3uDq8EEodxfpdlLvv
+VP4hNQQPeYSy9KZajGZycIog55XfcR4jlhlR8GKQV9EqPkSIAF93CJmumQcU
+gOpehwhBAc8TISFfCVRoSUaghjb+JcFsVRTiMOZOakPGdyAAB0W+QC0K7nWg
+pgyzIlc1inpo7YErKljOyXpIuDStFBWW1wgqLsXVuLZa3QnvNpweA00x+l0x
+MtoCrwUoOM0KAXC7YFLkLGlirx3xuadjCVwLzynqUcLCXQ0Blx7a9B82Yts7
+31sr/9bj/OWxWVWSD8J7r0ygyDB1XrWrjV7D0UNhXmeYOcK7wIqMQwLErl32
+h7giX0KDLs7p7hdIRMQxOZMcxxxymAGsmU+x9A7aTglUqRrIr8MINjloiLT3
+WHHbl8S2S0Rd0/UUp5TbRS8REpuu4tBq3ULCzKXYFsPLR/iPiitrit/a8SW/
+uGEngfTCxPiO2GKWNCy4bEdwYVdcFyjwNYZdnUmxTAa0kALVKgPHNTILitoV
+haaW6ZUPpKdlwTSENzn7I3S0q+69p0qZ1mAIC5WxHw79i31A41ClmH0VYYzo
+wD4c16740ElZbJcrMEFPAYqnXXFKw49BPiuouUYk3/4eBtyfLVfnV9ycdlxT
+5B/srKdDILgDNuLvMwjpZpjF4CjCEdxj7DP6Jt85lhFa/cZZ/ftiiWhtBPFn
+io3k2ayKK73qyUXpnVZvOQvg3pIt7zi19Yy0AWRBkmshdKjGLmdpdBKm6457
+6SQKHVVNaXz6s+Q9B8m0rH/Urex4zQdkkEZt5FGQBdtCS3r4gh5gh8S+HCJ9
+5wvJPTdUUyPcAeAL/N25dhp48vQar8qRIIw/TAfgAhhUMr+05LDDpUKi0GCp
+9xhOeyAQD+DzYRCZnXA8sgt4Pias7tMCC/IgBH5F+lXs7XOC1DDgsF3VUOS+
+VNpa5DG5lzhvrySl1I1mH/kFBtkckQTISXGpUCuIKCOZY9Li9sWSSQQukGY1
+3jqYtqxJy1rcUuo3J1sOFKehXTUU3jxzS4o1Lxz+FfWtHlaSQseqXGAGu/ey
+KBCTgomd0peaQRhElAL+aDp19ayWw1NGRgG9ah2EBal5CQjXeisfRxiU6SJ/
+GRPT+o7Nmg7Tmqi7jqR24fQhjGXxqjN/DcDl39ScY19riQ3mAW/iIsqKCJ6L
+3tBdahjtFZpsa4PULtp3CtHnkq3OSmuVjwP7n57j0iusC0xf35BCi/+HVSm4
+k1qjFpQH2C6cZe4pv/21dL+J8RecOEMy8/n0IaDHss/wjWA7nHSuJT/h+PFR
+cC8OatM+wQxtbJgLsJuMA0jOhhdmgHH+guq4R5y0xJfpKVdgXfr1zUNal7Ef
+tJZXFL6MdUNQJf3IFe/FYCNrJ0JR+xCLKY47hWB9G3TTkmQZhJe0WeevjcNk
+WmyUKireX1C7W2HRHQy654kIDFVFb9SKx3xQlyFEm7N96PJKNVSJfwGDX6Ym
+YMgc7IEDBMNe8iVrUntW6xVx9hpeUbgkUxIMMYO+CVr0PXlgKG1J5EU52ZdO
+V60w6Y5z/Kh8DAPKgbGMV+WWQdVJvKsZ0LcGNXiFnpYIFt/NMazfRa53Urde
+xVVyh+LFOUjelAmVgBm/unlTHxgKhqJ5AHyQHIh8vSsumrgJDzuX3HTK9gEX
+lGxEH3DFV95jMY96i8ofHlO//JO+IiXAf9R1JFYUWqpUNZfCU/U2lSI5GlNH
+jB2GuuihTZxVameGGm7ca46rY7WQ5RK5ENVfNMoghsyAG4kR8E1ayPxdIRp0
+IfMOmEAathHAwCFH4cB87kC+c0F1GN/IDF/EdT4NR+TczeiijYUKXU1m1BQU
+MCkoI0b+tKL9tc1jxjSIosnS3p8EWiSXbEG02sHiC4B/eKEQI9dwPc6N3FgK
+i7GEU4MXBvbK+4doO9QFXDEYYKNynaNxmQYIuE7v/E0hZHrJIcD1p/CZ5M7I
+ghj2aYVLgA6KoX2YhPVEBRhfLkyo23iqUiUoptskiO2/5VJMLTCYkTpDSpac
+nBGUvi4dRr43TmAvjHTju5WUWmIpH6XKs6Z5inOUDs5LcuC4CorOcxrBlxF5
+d3zy9plm7PScQyCKCE0InLIV/PPKiysA1ImkSiyhk6FCYKsgZiiBT7/TPmeJ
+Rpw490gtniq3E/lOVhbZAU3WE5Zeesdm1q51X4GLtb5hNk68WmwT5uOBkS9n
+mFTWtO8sGHJ1G/s1Z/eQz+AcE5iitmf/jS5F1h+RQB9rIULNP9cY1txDnbH1
+K4aczlzRwVNK6GfnrR4txg2Kciv2svPJUg4cOS7EIgedm5m8m4yUYJCkYyQH
+H7Jgm7A2RgslNj2zRjAaDIffBXEqgtuqdoUK6kBOkpPsXMZEnL8dz2/GjkY+
+GT1oOt7o06N/LdLGB9TdwuQ09xZxM/SrICwFxxt1bbDkFDmHKT2AS29oYaBB
+zigEjHe4to6VsYP3+zmVRJD8s52cv8DqczkDA/VUfFI8J/GwHUv8r+6vlPjN
+uyWN2AMosAtSVPjFUoop2vGmQtt7GcYbEPc8I78k+njXZEvQ5blYToOg2Oy1
+HcrUcxcDMEtlqDeMbIXXPEv9PwSHUdiEdigrFvlWUOLYE3mMu+U7GUDS9tbD
+ou/38X+hpIuAYufkMxT0vc6U7FhYWPKf5b3aQd3jiGcuLtT0dWs428lBd8Vc
+uM2ECEUOJzos7zmekb1ZxehCwfSBgM30OO4inlVsNgs74wvRemx2JjEoTWGV
+ICm7xCWgsN7iPhrbJyeKbd7HcsWwmPdYJDvjPn++R7h94bKHqPPGUu7QcRjP
+/4FleTNbmLrWuvL6gFtqPiTtLEHTwvHpAw1lw4h2NRFPA9X2ocno5pjeogAT
+yfl66g3l2HBIQszf2S6MBTgkK13bm91mwFGAlGtg5P7yKU6nCIv09bbxGctK
+Mc+pVMqua8V1nBGMCJYLH7tQPofiRrWWktwzrBRWdVIsB4raUV1uQhwEnePF
+9S5AFmS4wlKsOXGp0RK4wwmlxkMLqPaUbqu7vpit2fDSYMaowWgLw353vXbQ
+dmpF6R3YrgSfTwtCNad1O3VrVnJbFN6ONsEaRBNJ2ujsLsKlz0jxT//WC6bN
+2SXvDdVarPjuBb7THq/7Qps/DWgkpbD1MyaUbqF0ut44q+bbNZdtac0guHKc
+JT9lMFExZfaxsBGzxyUuVvq2iV08G7Qo4F4FVoMxY7pU+hPJR/jqaM1we2wQ
+XkbXRwUErAYv3UWLoPEDlpwmUEg5L+mTuG2uxj9qbvWPqnowqIMplxOlDCVB
+ccYTp4SryOkR7zNOF99tyECsVwRXxwxlEcl4kYSiPwY8o8J0MC13ZylMRwKG
+OCqT6dn1pRBLUxpF1/myObTErnBx3dMcvK5qgiRpirDv2RlX6AesJRoI+hi3
+FSoAJSo5YtQSXE0KvPsMcqriIwQx1Yg73rG1reL5znEiqqUZJkqOyZE+YWDt
+Aa+p5rL6ePy5zyZtp2qSzKS0Qiwtp8PyuZm/bJMlV8bZW7eH/DW7Yg5WdcE8
+AO1SnbmEwt9Orxk+q/uWkzr/9ZxXc0/Oq2EjoBM1DQuiSwlinmq9iYPiFQwT
+UW8NowECqRpOgiBn7sYDYP9L9Opypdj2aJGKgu4FpR96cXyyozpC3J3AzDGD
+BJTBHGB2xfulNEA2W9GRWGZkG9YsOrdgLbGYSlmwo2dN9Kqjlgh9l24YuYvs
+s1s4AAkFnxXwthkcaQevvM4Kh1rWAlxsD3cKzGDlG0yCBGIipBKn2Ko0ZuWo
+k5hLMUIQlct+rTQicSOYtPa9Jlgzaz9d+wBamBlJiryHiFtMuBH8zSHfs0TX
+vgbmBGrlA/qKQ7SqiPGyB/XHJWwXK1tGa09OV39H2S4yLkxQCww0BCoHFhzC
+4EV0GIaFvcqFObFcsYuVRtARS5CivUp2FMBlPQr4VA9ZpsUcLz5tCMfsyiDz
+ZhakdXA2NyN2yeI8C/3kKIjHFJ6RourM5TrucPUA4ttzUTEQ9LLhPR174PtB
+AO5G0spdBi5BTSLPfv827hoglqBL5eYBLJynxGYZl3Usq7CwoOZrjCXCkwxc
+y2ms4nRQOfXlsviicVcASy+urwrxvImaoDces/AJ6IyyAMlHXoKan9Ktp8H1
+MPJ4jmXBt3zrMOJc8S7Sa1BqVf+QdCjJEPb49fH15eWBJ4I3WQFn6q++4EsT
+R+vgsy97xbw8lQrex/fgstWErg6NnBItktu7zy64N3Wg7H6vjO9Bq8wuiX3M
+Ao+L5ZbTkD2RHXar0WWFnNfx4MHBl+nmC6/qG7Q5C/ZmrbbA5SIMltG6CpEQ
+sjPF08T4WmiTomAOdQ02o15vbUGhTAcPLVGyA26idoLNmeG1EciM4KGR4M4o
+x1mhRhpMcPGUEPgcRlw4NToS52KOyZTsPTaEjQrMCOdjQ/WkIvUEKzvu49VG
+gaNY5xOPDTl1G0Iz0FT1ogoJ1kikVEKAbtpBoGKwko8YfHr9r7vohEDwHIJu
+ZWy83OZ64n2RWT7y496l1UjZcsSFlg9ML1il1a7yndesZW7sLQ8SPWmxjWLI
+Juh9mqd+ZSnFP2VeJc5LhiyzCkgYvdm2MVKLVNrTkYZ8S3ICsDFJeb48e3s2
+JAreINexU6yz/Y4qD0vZBwYgO0VIIqK1lCeutHBlGy1niYdR1W6jJQx8B/VI
+39518Gk4OGDJNAqs84llWINLh4252c6a8Mt2trEx7xzqP7jBDBO8CrDc9LrX
+wS8vtAptG1CND3w3yzBR18H6Y77ZSsvrEObIJ31KZrax7dxshUrQG6FbqVdD
+T/aO/Hb9MnqtAno3wyhwHDSyFxzOHmC5g5TrzRu6w2jPoRQipiUCvN86r9n1
+VmFXnaLzp7ZFNcac+U0UvwY7zunqHiUVuom+96CHbZEWCgf5bkCTcxxB/fuf
+SIOYa/WqQKeoW9iYUGThAN7ES+iCzedxfSBTtfYl3kzhuHX4zRvspSnhfC7w
+GaJP3Ej/jGGBTANBb0quQH7yRWAqK9cNtottRQKtM6bzVYUlM4AC36ZFgekm
+eB1k2iz+tdC/D5OUN47wXlvEatCbYJ5dvcVzwdgxWlaSKfIAj48dQHu6AlsO
+5OsytU440JOXF9OXXPkkqJlJ1S9bDASLZ9J3UcgxvvyDfKVVIFM5y6sdKj50
+BSQiRLA2xrUiYcY4ugMZ11tEfcngdiMzyHv4SeUvvWKDcOYoyxu/RCdmXBB9
+33TyqHhWvYMwAYkflhL90r0errNyrBP8X1k5AXNnBZcY7tyQyd1/jS//ys/x
+OuofL7yahZ8xqZw7UoHP3rn48K/m19Moik7pv8Gvp3iz9l2WwMNqptlLXwHt
+VyI2+B/qS/5SjC90Ibfqk/A1WxcPqaIcyZB7XwTeCt9IYIer0AVK572vqo6P
+T5EOQTr0K/lE3xuujM8tqFkAD16x7vF3N4EE/2twDzgXKW8PvKdc/ko1RilR
+UT7U+qJ7qJDuEoctotpWqEC8x1A81Wz+/GCLwQn8/Qs0yzwzTf55RFELdwe5
+ShrNdKgJnOkLX9+mrg504P+m017emVAbDA2ELvICubpc1dG57YIjhGEWFbpk
+ZjOEX5Bw5bxK1OVJ3PElgxsy/Vlyo/8mAFtqjRtRNQjPYPCmEy2f0iIYATSQ
+OyzMbACehBEhdC8D20LVY3gNL8kt1POmoSzjC59dXBazUItb4AXEF2Zx8fGb
+2jjAAV2jpTkTrZSnOXSIVwrFLndnLpfW6duabpEVvqhr24WlWCZfLyysFSYe
+EnRVqRYvuV/eq8fQE3bO0V2ddP1QOGWppelvZFIAD6xEEHA+5Lq+Ybm0U1oN
+LdwLMluuOz4CM7isGuCSWWnfgfl2cEoJgnhxE9FR9OjRERfOqbAgNpdVwAqV
+rvZ32LAU/0Y7kDMx9aIbzu79a/pho719oIc6g+QdqLU5n9524Ib8HIZ8zvv1
+jp4eGPHj+0fc6UUrnFOj3WHTnnzg7z7wi91BD6/sYximS3seGOMTP0Zd54kb
+/9+4zkFedXvYbDN9ILr4EDzlh/fEjp1oHxjdcW90T/7GMYV6aDgk/jzlMbWL
+lGccGNYa5X1GIezBicbRF72hvEaPOZdXlWrWjmjHwyR3gLmzSibjof1FWvtj
+OLM/2cGfP3boiBeIf/5j+BX9eRg8am/ve/LWP+kIZ7xnew/CVtszMP2WLYjC
+v63HY0X6yu7d18/AxkZJvLxnc2HraD9RaOHsMHUGi+GxV1qAIf5SjBbXnZi2
+vOxLCeDuC0KxCwf2qyX5Zu4WUuK2YaVgRD4ifEXcpogDk9qCimfFb2c747i+
+YFOd96MlUL6pu4WjMMmGoUVI2MPCDyRnu4i7dUXc9ygcWvU9ruarDPEm6Nnu
+4eHxW7k2J8DRm78XSO8Uk1ZgnAoW8u7SjYBs+DtP9Gyb5Rj7V2A6mCwg18wI
+8wEzibDS5vyLuJAJJ5s1LeSfZpfCgsNjdG9iCxExIsx5kiVBe7D08Cxo/MtU
+3KZ8dzUCvdzoI6x6G3U8+C6fUjKVtAaFWOSGLzMVbyRfQ/X48JHYFhef5mwU
+OFwWeX9J1xzexeCms9atCXtbdvuF6Bq9OKsOOmvfrCaGY6Dxqt0jPurAPa2w
+uYKLipDdpNGr1iVqscHc76UE6FckG3VPYwbKtK7vha/WhyNM8MC9o5i9hHnq
+LUa1szkBQ5HLp2vKwYq5WVexiiz6fGewCnOMN/Riig+PXaJQrkxWjKh7rJZX
+pDoTevBgYoKy8nEHB+KmE/rZ2xeLTghSjUX/MwJz97VvilMEOc3OmjFo3Lg8
+N1pxqrUrQF03LjPDmCXdwD1GZgbtHFjGhQL3WpJhOWYu5y6grEgzNB7zS7Xp
+z344dPl7YdEBBXFyYdK5ZKu7y5c0XiE19A3njT30FxP2rxHq3uzn69fDVt+R
+0wdrFkr2cQXLvsSxnMrjqiQT/QS+d6SZyWjgoCMIPIHNpftA6RNyjB+OGLSA
+bhHJdqOTUw+fOz5f/adDNljicKLGPxMxPOLLF+Nh/G1CUn+c3GzgLsiecwUq
+JFA+d9NPRcQnewTW1Ye7XA8hsKPtepvLJcMYI48j7xzF6niYhq4N1wrp10pA
+ErzjSD6NNvDGSoy8TmvBlbYSlchDB+OMmDZ50bmOgoN5+8F2yc0KoJyx2HRq
++bCeDkyDr210l6x5qmcAKZA6A1fCK6M0QSz2qwongdCgBBgWRAWV3LhDRSGN
+1yrxakkKdJVKXWKkm5ADNBgr2fs6Ji4slVEx3UM3OQQfsHF2yjn1w1vCDgDd
+EqPXyzrFoUeBir4Ki9jJGJ8Z2+1F7k/nRAx6fVuwoEhcgCgsvXHZdBmY5JEh
+Sg9Df8CsCBXbQwpgORnkOFh+xvkjBF7uWm5zs0G2JTedI2cITGICmDarWq4+
+RwXN3UQhpm9sA1gM1azHGGmKFwNj4XqRDG4/hcRkTOmnDTuheWsCcz24vItr
+yqvr3V3YZcbME/axA6xQxzg+CqfGiSgLbfigr9KO8Xzp5MO8+TQ6oHykcF2N
+r3VUteH2ytSphm+fecXOZ0DByWqHh8+xGs+1uvJP2dZ4RCqU0m4LVEnxRc6t
++UNbvMNKVfbnEV+ymbuqUMLZzd7cQeiN3JftciQT2WfWIhh2Yq+PaMrXj+me
+2rPCaOVhHqhUQ8H7eJh4glkLziKEpEr5P7rohoqCt/1r/uZG1FmDuyWNv7Pt
+q+oyhozR6xlhQihQKDZFqJ15Gen5cGN8RrD8dYYw214CKS08i/J2vrZcG+dc
+n4LjDKqJTSUsNL6CFZ1S8U7Q/A72iMTwGZjf1fXF2+nF64s3F9N3P6sFIYMM
+S5ZJ7Ek1Y2colDPkvk6vpopBs+1yqXEqMOcwBsyrTWgctv3Y9XZL4d4MUS5N
+jBWO4l196i2LXl63EeMN6CjyN+3uKZjxzKcMcAJtlN5mzFkkKw8DnQ5gKfha
+V5q/k9xRYZLmM5pTH4MTWBF0w+hW/I+qZJoAMtFekvZ+8O2vtUJV852PUSVG
+qhKBnGlIInObVOU50Xy3gSJsrkyhuwZAMQmEZu7scTrIX/gbM7zpzA/afm1e
+lgGftrvN2CfZtZeAuuq7uwWOxjVEJI2qUh7PZ+KnJ+ec/Mz+J4YBUf71+Prd
+1Y97DgRxAHwTHgnfCS4RvmBDEqMxt/QLsSXYGCobaKTYhbecNn4QQeATS55D
+H1z3m5XldbxhVS0nsB+n/IgQgHNAQ5Jes17ZJCwgQXxzIg+qYzx8iH0HTp9g
+BDsPAwz0uL4smB8/342cxAyaqHVYncRI2EinLVLnW4yfvHvx8uHVT691ZXDI
+rROitSEdDNUDCXKf32MrrMa/TiOwEtOEAUmET2Dph9Rs2uUW/RFmypbzR4eJ
+hcaM6lCUlC7UlIaGLJcDLhSmFgIEiK34bYxiQrC3vAI355fTqR3fbAkVfk7a
+tMupm8hli6hfzXcTkeSg9dxDhNzgPjdPPc+aJgq/DXwJsWk7NBrXeePBAnyf
+FA83VP71UBJYU8bQZwCSkRamoCHLIVCZidmKcecxvO0J+uFWb5gQMNycyi0h
+oM59pMIcRbBtjJPkJLZwtE2wojJ0rnc6xzRcRCZRq/sXmNUD4scfa194gk4H
+HtslCIWNGsVZFbi94pxqIKJC5MwSp/dlAvSOmDxadUzFQnYHHvSonuPPqXVF
+4r8EPgbPim0bOOXsV5xyHa39U2MUNIKZh+SoM/8b45XZ1tG4AAA=
 
 -->