Implement peer review feedback for draft-nennemann-wimse-ect-00

Address 11 items from peer review:
- Fix area designation from Security to ART (WIMSE is in ART area)
- Switch inp_hash/out_hash to fixed SHA-256 without algorithm prefix,
  matching DPoP (RFC 9449) and WIMSE WPT tth claim patterns
- Add partial DAG verification guidance for unavailable parents
- Add DAG integrity attacks subsection (false parents, pruning, shadow DAGs)
- Add privilege escalation subsection (ECTs are not authorization)
- Add revocation propagation semantics through the DAG
- Add W3C PROV Data Model to Related Work
- Strengthen Txn-Token differentiation with fan-in/convergence bullet
- Add explicit token binding paragraph to replay prevention
- Switch verification step 3 to algorithm allowlist model
- Add par/ext claim naming justification notes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 21:59:16 +01:00
parent 1385ec8af1
commit ff795c72e6
4 changed files with 1194 additions and 661 deletions


@@ -1402,6 +1402,9 @@ existing WIMSE headers.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
</li> </li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.2"> <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.2">
<p id="section-toc.1-1.6.2.2.1"><a href="#section-6.2" class="auto internal xref">6.2</a>.  <a href="#name-validation-rules" class="internal xref">Validation Rules</a></p> <p id="section-toc.1-1.6.2.2.1"><a href="#section-6.2" class="auto internal xref">6.2</a>.  <a href="#name-validation-rules" class="internal xref">Validation Rules</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.3">
<p id="section-toc.1-1.6.2.3.1"><a href="#section-6.3" class="auto internal xref">6.3</a>.  <a href="#name-handling-unavailable-parent" class="internal xref">Handling Unavailable Parent ECTs</a></p>
</li> </li>
</ul> </ul>
</li> </li>
@@ -1444,13 +1447,19 @@ existing WIMSE headers.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
<p id="section-toc.1-1.9.2.8.1"><a href="#section-9.8" class="auto internal xref">9.8</a>.  <a href="#name-collusion-and-false-claims" class="internal xref">Collusion and False Claims</a></p> <p id="section-toc.1-1.9.2.8.1"><a href="#section-9.8" class="auto internal xref">9.8</a>.  <a href="#name-collusion-and-false-claims" class="internal xref">Collusion and False Claims</a></p>
</li> </li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.9"> <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.9">
<p id="section-toc.1-1.9.2.9.1"><a href="#section-9.9" class="auto internal xref">9.9</a>.  <a href="#name-denial-of-service" class="internal xref">Denial of Service</a></p> <p id="section-toc.1-1.9.2.9.1"><a href="#section-9.9" class="auto internal xref">9.9</a>.  <a href="#name-dag-integrity-attacks" class="internal xref">DAG Integrity Attacks</a></p>
</li> </li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.10"> <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.10">
<p id="section-toc.1-1.9.2.10.1"><a href="#section-9.10" class="auto internal xref">9.10</a>. <a href="#name-timestamp-accuracy" class="internal xref">Timestamp Accuracy</a></p> <p id="section-toc.1-1.9.2.10.1"><a href="#section-9.10" class="auto internal xref">9.10</a>. <a href="#name-privilege-escalation-via-ec" class="internal xref">Privilege Escalation via ECTs</a></p>
</li> </li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.11"> <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.11">
<p id="section-toc.1-1.9.2.11.1"><a href="#section-9.11" class="auto internal xref">9.11</a>. <a href="#name-ect-size-constraints" class="internal xref">ECT Size Constraints</a></p> <p id="section-toc.1-1.9.2.11.1"><a href="#section-9.11" class="auto internal xref">9.11</a>. <a href="#name-denial-of-service" class="internal xref">Denial of Service</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.12">
<p id="section-toc.1-1.9.2.12.1"><a href="#section-9.12" class="auto internal xref">9.12</a>. <a href="#name-timestamp-accuracy" class="internal xref">Timestamp Accuracy</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.13">
<p id="section-toc.1-1.9.2.13.1"><a href="#section-9.13" class="auto internal xref">9.13</a>. <a href="#name-ect-size-constraints" class="internal xref">ECT Size Constraints</a></p>
</li> </li>
</ul> </ul>
</li> </li>
@@ -1517,7 +1526,10 @@ existing WIMSE headers.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
<p id="section-toc.1-1.14.2.4.1"><a href="#appendix-B.4" class="auto internal xref"></a><a href="#name-distributed-tracing-opentel" class="internal xref">Distributed Tracing (OpenTelemetry)</a></p> <p id="section-toc.1-1.14.2.4.1"><a href="#appendix-B.4" class="auto internal xref"></a><a href="#name-distributed-tracing-opentel" class="internal xref">Distributed Tracing (OpenTelemetry)</a></p>
</li> </li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.14.2.5"> <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.14.2.5">
<p id="section-toc.1-1.14.2.5.1"><a href="#appendix-B.5" class="auto internal xref"></a><a href="#name-scitt-supply-chain-integrit" class="internal xref">SCITT (Supply Chain Integrity, Transparency, and Trust)</a></p> <p id="section-toc.1-1.14.2.5.1"><a href="#appendix-B.5" class="auto internal xref"></a><a href="#name-w3c-provenance-data-model-p" class="internal xref">W3C Provenance Data Model (PROV)</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.14.2.6">
<p id="section-toc.1-1.14.2.6.1"><a href="#appendix-B.6" class="auto internal xref"></a><a href="#name-scitt-supply-chain-integrit" class="internal xref">SCITT (Supply Chain Integrity, Transparency, and Trust)</a></p>
</li> </li>
</ul> </ul>
</li> </li>
@@ -2036,7 +2048,9 @@ a root task with no dependencies. A workflow <span class="bcp14">MAY</span> con
multiple root tasks. Parent ECTs may have passed their own multiple root tasks. Parent ECTs may have passed their own
"exp" time; ECT expiration applies to the verification window "exp" time; ECT expiration applies to the verification window
of the ECT itself, not to its validity as a parent reference of the ECT itself, not to its validity as a parent reference
in the ECT store.<a href="#section-4.2.2-2.6.1" class="pilcrow"></a></p> in the ECT store. Note: "par" is not a registered JWT claim
and does not conflict with OAuth Pushed Authorization Requests
(RFC 9126), which defines an endpoint, not a token claim.<a href="#section-4.2.2-2.6.1" class="pilcrow"></a></p>
</dd> </dd>
<dd class="break"></dd> <dd class="break"></dd>
</dl> </dl>
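Review bot: the new sentence in the "par" definition states that "par" is not a registered JWT claim, which stops being true once this draft's own IANA section (the "JSON Web Token Claims" registry request visible further down in this diff) registers it, and the "(RFC 9126)" mention is plain text rather than the `<a class="cite xref">` markup used for [RFC9449] elsewhere in this change, so it will not resolve to a reference entry. Suggest moving the disambiguation out of the normative claim definition into a naming-rationale or IANA paragraph, wording it as "no registered claim named "par" exists at the time of writing; RFC 9126 defines a pushed-authorization endpoint, not a token claim", and adding RFC 9126 to the informative references with the same cite markup.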
@@ -2052,22 +2066,19 @@ inputs and outputs without revealing the data itself:<a href="#section-4.2.3-1"
<span class="break"></span><dl class="dlParallel" id="section-4.2.3-2"> <span class="break"></span><dl class="dlParallel" id="section-4.2.3-2">
<dt id="section-4.2.3-2.1">inp_hash:</dt> <dt id="section-4.2.3-2.1">inp_hash:</dt>
<dd style="margin-left: 1.5em" id="section-4.2.3-2.2"> <dd style="margin-left: 1.5em" id="section-4.2.3-2.2">
<p id="section-4.2.3-2.2.1"><span class="bcp14">OPTIONAL</span>. String. A cryptographic hash of the input data, <p id="section-4.2.3-2.2.1"><span class="bcp14">OPTIONAL</span>. String. The base64url encoding (without padding) of
formatted as "hash-algorithm:base64url-encoded-hash" (e.g., the SHA-256 hash of the input data, computed over the raw octets
"sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg"). The of the input. This follows the same fixed-algorithm pattern
hash algorithm identifier <span class="bcp14">MUST</span> be a lowercase value from the used by the DPoP "ath" claim <span>[<a href="#RFC9449" class="cite xref">RFC9449</a>]</span> and the WIMSE WPT
IANA Named Information Hash Algorithm Registry (e.g., "sha-256", "tth" claim <span>[<a href="#I-D.ietf-wimse-s2s-protocol" class="cite xref">I-D.ietf-wimse-s2s-protocol</a>]</span>: SHA-256 is the
"sha-384", "sha-512"). Implementations <span class="bcp14">MUST</span> support "sha-256" mandatory algorithm with no algorithm prefix in the value.<a href="#section-4.2.3-2.2.1" class="pilcrow"></a></p>
and <span class="bcp14">SHOULD</span> use "sha-256" unless a stronger algorithm is
required. Implementations <span class="bcp14">MUST NOT</span> accept hash algorithms
weaker than SHA-256 (e.g., MD5, SHA-1). The hash <span class="bcp14">MUST</span> be
computed over the raw octets of the input data.<a href="#section-4.2.3-2.2.1" class="pilcrow"></a></p>
</dd> </dd>
<dd class="break"></dd> <dd class="break"></dd>
<dt id="section-4.2.3-2.3">out_hash:</dt> <dt id="section-4.2.3-2.3">out_hash:</dt>
<dd style="margin-left: 1.5em" id="section-4.2.3-2.4"> <dd style="margin-left: 1.5em" id="section-4.2.3-2.4">
<p id="section-4.2.3-2.4.1"><span class="bcp14">OPTIONAL</span>. String. A cryptographic hash of the output data, <p id="section-4.2.3-2.4.1"><span class="bcp14">OPTIONAL</span>. String. The base64url encoding (without padding) of
using the same format and algorithm requirements as "inp_hash".<a href="#section-4.2.3-2.4.1" class="pilcrow"></a></p> the SHA-256 hash of the output data, using the same format as
"inp_hash".<a href="#section-4.2.3-2.4.1" class="pilcrow"></a></p>
</dd> </dd>
<dd class="break"></dd> <dd class="break"></dd>
</dl> </dl>
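Review bot: the rewrite drops two normative statements the old text had: "MUST be computed over the raw octets" is now descriptive ("computed over the raw octets of the input"), and there is no longer any verifier-side rejection rule for malformed values. With a fixed algorithm the check that replaces the old "MUST NOT accept hash algorithms weaker than SHA-256" is structural: a SHA-256 digest base64url-encodes without padding to exactly 43 characters and decodes to 32 octets, so the text should say verifiers MUST reject an "inp_hash" or "out_hash" that does not decode to 32 octets. It should also say how a future algorithm would be introduced now that the prefix is gone (a new claim name, which is the same limitation the DPoP "ath" value has), otherwise this change removes algorithm agility without saying so. Restore the MUST on "raw octets" as well, or state explicitly that no canonicalization is applied, so two issuers hashing the same logical input (e.g. JSON with different whitespace) know whether their values are expected to match.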
@@ -2081,9 +2092,12 @@ using the same format and algorithm requirements as "inp_hash".<a href="#section
<span class="break"></span><dl class="dlParallel" id="section-4.2.4-1"> <span class="break"></span><dl class="dlParallel" id="section-4.2.4-1">
<dt id="section-4.2.4-1.1">ext:</dt> <dt id="section-4.2.4-1.1">ext:</dt>
<dd style="margin-left: 1.5em" id="section-4.2.4-1.2"> <dd style="margin-left: 1.5em" id="section-4.2.4-1.2">
<p id="section-4.2.4-1.2.1"><span class="bcp14">OPTIONAL</span>. Object. An extension object for domain-specific <p id="section-4.2.4-1.2.1"><span class="bcp14">OPTIONAL</span>. Object. A general-purpose extension object for
claims not defined by this specification. Implementations domain-specific claims not defined by this specification. The
that do not understand extension claims <span class="bcp14">MUST</span> ignore them.<a href="#section-4.2.4-1.2.1" class="pilcrow"></a></p> short name "ext" follows the JWT convention of concise claim
names and is chosen over alternatives like "extensions" for
compactness. Implementations that do not understand extension
claims <span class="bcp14">MUST</span> ignore them.<a href="#section-4.2.4-1.2.1" class="pilcrow"></a></p>
</dd> </dd>
<dd class="break"></dd> <dd class="break"></dd>
</dl> </dl>
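Review bot: the sentence explaining that "ext" was "chosen over alternatives like "extensions" for compactness" is naming rationale rather than a requirement and does not belong inside the normative claim definition; keep the first sentence and the "MUST ignore" rule and move the rationale to a note or drop it. Since the renumbered Section 9.13 in this diff limits "ext" to 4096 bytes serialized and a nesting depth of 5 and points back to 4.2.4, this definition should carry the reciprocal pointer so an implementer reading the claim sees the limit, and "Implementations that do not understand extension claims MUST ignore them" should be qualified so that ignoring unknown members does not override the size and depth rejection.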
@@ -2123,8 +2137,12 @@ future documents.<a href="#section-4.2.4-3" class="pilcrow">¶</a></p>
"exec_act": "recommend_treatment", "exec_act": "recommend_treatment",
"par": [], "par": [],
"inp_hash": "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg", "inp_hash": "n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
"out_hash": "sha-256:LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564" "out_hash": "LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
"ext": {
"com.example.trace_id": "abc123"
}
} }
</pre> </pre>
</div> </div>
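Review bot: the example still shows a root task ("par": []), so after this change no example exercises a non-empty "par" array, the "wid" scoping rule, or the deferral rules added in Sections 6.3 and 9.9 in this same diff; a second example with one parent "jti" would let readers check the parent/child "wid" and ordering rules against concrete values. The two hash values are 43-character unpadded base64url strings, consistent with a 32-octet SHA-256 digest, but the text does not say what octets they were computed over; stating the sample input next to the example would make the values reproducible.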
@@ -2251,6 +2269,35 @@ implementations <span class="bcp14">SHOULD</span> enforce a maximum ancestor tra
detection completes, the ECT <span class="bcp14">SHOULD</span> be rejected.<a href="#section-6.2-3" class="pilcrow"></a></p> detection completes, the ECT <span class="bcp14">SHOULD</span> be rejected.<a href="#section-6.2-3" class="pilcrow"></a></p>
</section> </section>
</div> </div>
<div id="handling-unavailable-parent-ects">
<section id="section-6.3">
<h3 id="name-handling-unavailable-parent">
<a href="#section-6.3" class="section-number selfRef">6.3. </a><a href="#name-handling-unavailable-parent" class="section-name selfRef">Handling Unavailable Parent ECTs</a>
</h3>
<p id="section-6.3-1">In distributed deployments, a parent ECT referenced in the "par"
array may not yet be available in the local ECT store at the time
of validation — for example, due to replication lag in a
distributed ledger or out-of-order message delivery.<a href="#section-6.3-1" class="pilcrow"></a></p>
<p id="section-6.3-2">Implementations <span class="bcp14">MUST</span> distinguish between two cases:<a href="#section-6.3-2" class="pilcrow"></a></p>
<ol start="1" type="1" class="normal type-1" id="section-6.3-3">
<li id="section-6.3-3.1">
<p id="section-6.3-3.1.1">Parent not found and definitively absent: The parent "jti"
does not exist in any accessible ECT store. The ECT <span class="bcp14">MUST</span> be
rejected.<a href="#section-6.3-3.1.1" class="pilcrow"></a></p>
</li>
<li id="section-6.3-3.2">
<p id="section-6.3-3.2.1">Parent not yet available: The parent "jti" is not present
locally but may arrive due to known replication delays.
Implementations <span class="bcp14">MAY</span> defer validation for a bounded period
(<span class="bcp14">RECOMMENDED</span>: no more than 60 seconds).<a href="#section-6.3-3.2.1" class="pilcrow"></a></p>
</li>
</ol>
<p id="section-6.3-4">Deferred ECTs <span class="bcp14">MUST NOT</span> be treated as verified until all parent
references are resolved. If any parent reference remains
unresolved after the deferral period or after the ECT's own "exp"
time (whichever comes first), the ECT <span class="bcp14">MUST</span> be rejected.<a href="#section-6.3-4" class="pilcrow"></a></p>
</section>
</div>
</section> </section>
</div> </div>
<div id="verification"> <div id="verification">
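Review bot: Section 6.3 says implementations "MUST distinguish between two cases" but gives no criterion for doing so; from the verifier's side a parent "jti" that was never issued (the false parent reference of Section 9.9) and one delayed by replication look identical, so in practice every unknown parent becomes a 60-second deferral that an attacker can trigger at will. Suggest defining the distinction operationally (a store that is authoritative for the parent's "iss" trust domain answering "not found" is case 1; a replica that reports being behind its replication high-water mark is case 2), bounding the number and memory of deferred ECTs per sender so deferral cannot be used for resource exhaustion (cross-reference the Denial of Service section), and stating whether a deferred ECT may be forwarded downstream or must be held by the verifier until resolved.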
@@ -2274,8 +2321,12 @@ payload, and signature components per <span>[<a href="#RFC7515" class="cite xref
<p id="section-7.1-2.2.1">Verify that the "typ" header parameter is "wimse-exec+jwt".<a href="#section-7.1-2.2.1" class="pilcrow"></a></p> <p id="section-7.1-2.2.1">Verify that the "typ" header parameter is "wimse-exec+jwt".<a href="#section-7.1-2.2.1" class="pilcrow"></a></p>
</li> </li>
<li id="section-7.1-2.3"> <li id="section-7.1-2.3">
<p id="section-7.1-2.3.1">Verify that the "alg" header parameter is not "none" and is <p id="section-7.1-2.3.1">Verify that the "alg" header parameter appears in the
not a symmetric algorithm.<a href="#section-7.1-2.3.1" class="pilcrow"></a></p> verifier's configured allowlist of accepted signing algorithms.
The allowlist <span class="bcp14">MUST NOT</span> include "none" or any symmetric
algorithm (e.g., HS256, HS384, HS512). Implementations <span class="bcp14">MUST</span>
include ES256 in the allowlist; additional asymmetric algorithms
<span class="bcp14">MAY</span> be included per deployment policy.<a href="#section-7.1-2.3.1" class="pilcrow"></a></p>
</li> </li>
<li id="section-7.1-2.4"> <li id="section-7.1-2.4">
<p id="section-7.1-2.4.1">Verify the "kid" header parameter references a known, valid <p id="section-7.1-2.4.1">Verify the "kid" header parameter references a known, valid
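Review bot: "Implementations MUST include ES256 in the allowlist" makes ES256 mandatory-to-enable rather than mandatory-to-implement, so a deployment that wants to run EdDSA-only cannot comply; the usual phrasing is MUST support ES256, with the deployed allowlist chosen by policy. The allowlist check should also be tied to the key resolved in step 4 ("Verify the "kid" header parameter references a known, valid" key): the verifier MUST confirm that "alg" is consistent with the type of that key (reject "alg": "RS256" when the resolved key is an EC key, and vice versa), otherwise an allowlist containing several algorithm families still permits algorithm/key-type confusion. Naming HS256, HS384 and HS512 as examples is fine, but the normative text should exclude "any algorithm based on a shared secret" so that MAC variants not listed here are clearly out.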
@@ -2500,6 +2551,11 @@ with the same action can be flagged as a potential replay.<a href="#section-9.5-
<p id="section-9.5-3">Implementations <span class="bcp14">MUST</span> maintain a cache of recently-seen "jti" <p id="section-9.5-3">Implementations <span class="bcp14">MUST</span> maintain a cache of recently-seen "jti"
values to detect replayed ECTs within the expiration window. values to detect replayed ECTs within the expiration window.
An ECT with a duplicate "jti" value <span class="bcp14">MUST</span> be rejected.<a href="#section-9.5-3" class="pilcrow"></a></p> An ECT with a duplicate "jti" value <span class="bcp14">MUST</span> be rejected.<a href="#section-9.5-3" class="pilcrow"></a></p>
<p id="section-9.5-4">Additionally, each ECT is cryptographically bound to the issuing
agent via the JOSE "kid" parameter, which references the agent's
WIT public key. Verifiers <span class="bcp14">MUST</span> confirm that the "kid" resolves
to the "iss" agent's key (step 8 in <a href="#verification" class="auto internal xref">Section 7</a>), preventing
one agent from replaying another agent's ECT as its own.<a href="#section-9.5-4" class="pilcrow"></a></p>
</section> </section>
</div> </div>
<div id="man-in-the-middle-protection"> <div id="man-in-the-middle-protection">
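Review bot: the binding is not the "kid" parameter itself, which is an unauthenticated header hint, but the signature verifying under the key that the "iss" agent's WIT attests; the paragraph should say verifiers MUST resolve the key for "iss" (using "kid" as a selector) and check the ECT signature against that key, rather than that "kid resolves to the iss agent's key", which a forger satisfies by copying the victim's "kid" while signing with a different key. Also confirm that "step 8 in Section 7" still points at the key-resolution step after the step-3 rewrite in this diff; only steps 2 through 4 are visible in the hunk, so the number cannot be checked here.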
@@ -2556,6 +2612,15 @@ compromised key and issue a new WIT with a fresh key pair.<a href="#section-9.7-
ledger before revocation remain valid historical records but <span class="bcp14">SHOULD</span> ledger before revocation remain valid historical records but <span class="bcp14">SHOULD</span>
be flagged in the ledger as "signed with subsequently revoked key" be flagged in the ledger as "signed with subsequently revoked key"
for audit purposes.<a href="#section-9.7-3" class="pilcrow"></a></p> for audit purposes.<a href="#section-9.7-3" class="pilcrow"></a></p>
<p id="section-9.7-4">ECT revocation does not propagate through the DAG. If a parent
ECT's signing key is later revoked, child ECTs that were verified
and recorded before that revocation remain valid — they captured
a legitimate execution record at the time of issuance. However,
auditors reviewing a workflow <span class="bcp14">SHOULD</span> flag any ECT in the DAG
whose signing key was subsequently revoked, so that the scope of
a potential compromise can be assessed. New ECTs <span class="bcp14">MUST NOT</span> be
created with a "par" reference to an ECT whose signing key is
known to be revoked at creation time.<a href="#section-9.7-4" class="pilcrow"></a></p>
</section> </section>
</div> </div>
<div id="collusion-and-false-claims"> <div id="collusion-and-false-claims">
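Review bot: the new paragraph mixes two different things: ECT revocation, which the first sentence says does not exist, and signing-key revocation. The rule "New ECTs MUST NOT be created with a "par" reference to an ECT whose signing key is known to be revoked" is an issuer-side obligation that verifiers cannot enforce as written; it needs a verifier counterpart, e.g. verifiers SHOULD reject a child ECT whose "iat" is later than the revocation time of any parent's signing key. It also treats every pre-revocation ECT as legitimate, but after a compromise the ECTs that matter are those issued between key compromise and revocation; where the compromise time is known (Section 9.7 above), the text should say those parents are suspect and that their descendants, not only the parent, should be flagged.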
@@ -2584,54 +2649,110 @@ contents against expected workflow patterns.<a href="#section-9.8-3.3.1" class="
</ul> </ul>
</section> </section>
</div> </div>
<div id="denial-of-service"> <div id="dag-integrity-attacks">
<section id="section-9.9"> <section id="section-9.9">
<h3 id="name-denial-of-service"> <h3 id="name-dag-integrity-attacks">
<a href="#section-9.9" class="section-number selfRef">9.9. </a><a href="#name-denial-of-service" class="section-name selfRef">Denial of Service</a> <a href="#section-9.9" class="section-number selfRef">9.9. </a><a href="#name-dag-integrity-attacks" class="section-name selfRef">DAG Integrity Attacks</a>
</h3> </h3>
<p id="section-9.9-1">ECT signature verification is computationally inexpensive <p id="section-9.9-1">Because the DAG structure is the primary mechanism for establishing
execution ordering, attackers may attempt to manipulate it:<a href="#section-9.9-1" class="pilcrow"></a></p>
<ul class="normal">
<li class="normal" id="section-9.9-2.1">
<p id="section-9.9-2.1.1">False parent references: A malicious agent creates an ECT that
references parent tasks from an unrelated workflow, inserting
itself into a legitimate execution history. DAG validation
(<a href="#dag-validation" class="auto internal xref">Section 6</a>) mitigates this by requiring parent existence
in the ECT store, and the "wid" claim scopes parent references
to a single workflow when present.<a href="#section-9.9-2.1.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="section-9.9-2.2">
<p id="section-9.9-2.2.1">Parent omission (pruning): An agent deliberately omits one or
more actual parent dependencies from the "par" array to hide
that certain tasks influenced its output. Because ECTs are
self-asserted (<a href="#self-assertion-limitation" class="auto internal xref">Section 9.2</a>), no mechanism can
force an agent to declare all dependencies. External auditors
can detect omission by comparing the declared DAG against
expected workflow patterns.<a href="#section-9.9-2.2.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="section-9.9-2.3">
<p id="section-9.9-2.3.1">Shadow DAGs: Multiple colluding agents fabricate an entire
execution history by creating a sequence of ECTs with mutual
parent references. Independent ledger maintenance and
cross-verification (see <a href="#collusion-and-false-claims" class="auto internal xref">Section 9.8</a> above)
are the primary mitigations.<a href="#section-9.9-2.3.1" class="pilcrow"></a></p>
</li>
</ul>
<p id="section-9.9-3">Verifiers <span class="bcp14">SHOULD</span> validate that the declared "wid" of parent ECTs
matches the "wid" of the child ECT, rejecting cross-workflow
parent references unless explicitly permitted by deployment
policy.<a href="#section-9.9-3" class="pilcrow"></a></p>
</section>
</div>
<div id="privilege-escalation-via-ects">
<section id="section-9.10">
<h3 id="name-privilege-escalation-via-ec">
<a href="#section-9.10" class="section-number selfRef">9.10. </a><a href="#name-privilege-escalation-via-ec" class="section-name selfRef">Privilege Escalation via ECTs</a>
</h3>
<p id="section-9.10-1">ECTs record execution history; they do not convey authorization.
Verifiers <span class="bcp14">MUST NOT</span> interpret the presence of an ECT, or a
particular set of parent references in "par", as an authorization
grant. The "par" claim demonstrates that predecessor tasks were
recorded, not that the current agent is authorized to act on
their outputs. Authorization decisions <span class="bcp14">MUST</span> remain with the
identity and authorization layer (WIT, WPT, and deployment
policy). As noted in <span>[<a href="#I-D.ni-wimse-ai-agent-identity" class="cite xref">I-D.ni-wimse-ai-agent-identity</a>]</span>,
AI intermediaries introduce novel escalation vectors; ECTs
<span class="bcp14">MUST NOT</span> be used to circumvent authorization boundaries.<a href="#section-9.10-1" class="pilcrow"></a></p>
</section>
</div>
<div id="denial-of-service">
<section id="section-9.11">
<h3 id="name-denial-of-service">
<a href="#section-9.11" class="section-number selfRef">9.11. </a><a href="#name-denial-of-service" class="section-name selfRef">Denial of Service</a>
</h3>
<p id="section-9.11-1">ECT signature verification is computationally inexpensive
(approximately 1ms per ECT on modern hardware for ES256). DAG (approximately 1ms per ECT on modern hardware for ES256). DAG
validation complexity is O(V) where V is the number of ancestor validation complexity is O(V) where V is the number of ancestor
nodes reachable from the parent references; for typical shallow nodes reachable from the parent references; for typical shallow
DAGs this is efficient.<a href="#section-9.9-1" class="pilcrow"></a></p> DAGs this is efficient.<a href="#section-9.11-1" class="pilcrow"></a></p>
<p id="section-9.9-2">Implementations <span class="bcp14">SHOULD</span> apply rate limiting at the API layer to <p id="section-9.11-2">Implementations <span class="bcp14">SHOULD</span> apply rate limiting at the API layer to
prevent excessive ECT submissions. DAG validation <span class="bcp14">SHOULD</span> be prevent excessive ECT submissions. DAG validation <span class="bcp14">SHOULD</span> be
performed after signature verification to avoid wasting resources performed after signature verification to avoid wasting resources
on unsigned or incorrectly signed tokens.<a href="#section-9.9-2" class="pilcrow"></a></p> on unsigned or incorrectly signed tokens.<a href="#section-9.11-2" class="pilcrow"></a></p>
</section> </section>
</div> </div>
<div id="timestamp-accuracy"> <div id="timestamp-accuracy">
<section id="section-9.10"> <section id="section-9.12">
<h3 id="name-timestamp-accuracy"> <h3 id="name-timestamp-accuracy">
<a href="#section-9.10" class="section-number selfRef">9.10. </a><a href="#name-timestamp-accuracy" class="section-name selfRef">Timestamp Accuracy</a> <a href="#section-9.12" class="section-number selfRef">9.12. </a><a href="#name-timestamp-accuracy" class="section-name selfRef">Timestamp Accuracy</a>
</h3> </h3>
<p id="section-9.10-1">ECTs rely on timestamps ("iat", "exp") for temporal ordering. <p id="section-9.12-1">ECTs rely on timestamps ("iat", "exp") for temporal ordering.
Clock skew between agents can lead to incorrect ordering Clock skew between agents can lead to incorrect ordering
judgments. Implementations <span class="bcp14">SHOULD</span> use synchronized time sources judgments. Implementations <span class="bcp14">SHOULD</span> use synchronized time sources
(e.g., NTP) and <span class="bcp14">SHOULD</span> allow a configurable clock skew tolerance (e.g., NTP) and <span class="bcp14">SHOULD</span> allow a configurable clock skew tolerance
(<span class="bcp14">RECOMMENDED</span>: 30 seconds).<a href="#section-9.10-1" class="pilcrow"></a></p> (<span class="bcp14">RECOMMENDED</span>: 30 seconds).<a href="#section-9.12-1" class="pilcrow"></a></p>
<p id="section-9.10-2">Cross-organizational deployments where agents span multiple trust <p id="section-9.12-2">Cross-organizational deployments where agents span multiple trust
domains with independent time sources <span class="bcp14">MAY</span> require a higher clock domains with independent time sources <span class="bcp14">MAY</span> require a higher clock
skew tolerance. Deployments using trust domain federation <span class="bcp14">SHOULD</span> skew tolerance. Deployments using trust domain federation <span class="bcp14">SHOULD</span>
document their configured clock skew tolerance value and <span class="bcp14">SHOULD</span> document their configured clock skew tolerance value and <span class="bcp14">SHOULD</span>
ensure all participating trust domains agree on a common tolerance.<a href="#section-9.10-2" class="pilcrow"></a></p> ensure all participating trust domains agree on a common tolerance.<a href="#section-9.12-2" class="pilcrow"></a></p>
<p id="section-9.10-3">The temporal ordering check in DAG validation incorporates the <p id="section-9.12-3">The temporal ordering check in DAG validation incorporates the
clock skew tolerance to account for minor clock differences clock skew tolerance to account for minor clock differences
between agents.<a href="#section-9.10-3" class="pilcrow"></a></p> between agents.<a href="#section-9.12-3" class="pilcrow"></a></p>
</section> </section>
</div> </div>
<div id="ect-size-constraints"> <div id="ect-size-constraints">
<section id="section-9.11"> <section id="section-9.13">
<h3 id="name-ect-size-constraints"> <h3 id="name-ect-size-constraints">
<a href="#section-9.11" class="section-number selfRef">9.11. </a><a href="#name-ect-size-constraints" class="section-name selfRef">ECT Size Constraints</a> <a href="#section-9.13" class="section-number selfRef">9.13. </a><a href="#name-ect-size-constraints" class="section-name selfRef">ECT Size Constraints</a>
</h3> </h3>
<p id="section-9.11-1">ECTs with many parent tasks or large extension objects can <p id="section-9.13-1">ECTs with many parent tasks or large extension objects can
increase HTTP header size. Implementations <span class="bcp14">SHOULD</span> limit the "par" increase HTTP header size. Implementations <span class="bcp14">SHOULD</span> limit the "par"
array to a maximum of 256 entries. Workflows requiring more array to a maximum of 256 entries. Workflows requiring more
parent references <span class="bcp14">SHOULD</span> introduce intermediate aggregation parent references <span class="bcp14">SHOULD</span> introduce intermediate aggregation
tasks. The "ext" object <span class="bcp14">SHOULD NOT</span> exceed 4096 bytes when tasks. The "ext" object <span class="bcp14">SHOULD NOT</span> exceed 4096 bytes when
serialized as JSON and <span class="bcp14">SHOULD NOT</span> exceed a nesting depth of serialized as JSON and <span class="bcp14">SHOULD NOT</span> exceed a nesting depth of
5 levels (see also <a href="#extension-claims" class="auto internal xref">Section 4.2.4</a>).<a href="#section-9.11-1" class="pilcrow"></a></p> 5 levels (see also <a href="#extension-claims" class="auto internal xref">Section 4.2.4</a>).<a href="#section-9.13-1" class="pilcrow"></a></p>
</section> </section>
</div> </div>
</section> </section>
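Review bot: in 9.9 the "wid" matching rule does not mitigate the false-parent attack it is introduced for: "wid" is a self-asserted claim, so an attacker who knows a victim workflow's "wid" copies it into their own ECT and the parent/child match succeeds. What actually blocks insertion is the ECT store accepting a "par" reference only when the parent's "iss" (or trust domain) is permitted to be a predecessor of the child's "iss" under deployment policy; suggest stating that the "wid" check is a consistency check rather than an authenticity check and adding that policy requirement. 9.11 should also name the deferral queue introduced by Section 6.3 in this diff as a resource to bound, since the "O(V)" validation cost no longer covers the cost of holding unresolved ECTs.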
@@ -3000,6 +3121,10 @@ the "JSON Web Token Claims" registry maintained by IANA:<a href="#section-11.3-1
<dd> <dd>
<span class="refAuthor">Backman, A., Ed.</span>, <span class="refAuthor">Richer, J., Ed.</span>, and <span class="refAuthor">M. Sporny</span>, <span class="refTitle">"HTTP Message Signatures"</span>, <span class="seriesInfo">RFC 9421</span>, <span class="seriesInfo">DOI 10.17487/RFC9421</span>, <time datetime="2024-02" class="refDate">February 2024</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc9421">https://www.rfc-editor.org/rfc/rfc9421</a>&gt;</span>. </dd> <span class="refAuthor">Backman, A., Ed.</span>, <span class="refAuthor">Richer, J., Ed.</span>, and <span class="refAuthor">M. Sporny</span>, <span class="refTitle">"HTTP Message Signatures"</span>, <span class="seriesInfo">RFC 9421</span>, <span class="seriesInfo">DOI 10.17487/RFC9421</span>, <time datetime="2024-02" class="refDate">February 2024</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc9421">https://www.rfc-editor.org/rfc/rfc9421</a>&gt;</span>. </dd>
<dd class="break"></dd> <dd class="break"></dd>
<dt id="RFC9449">[RFC9449]</dt>
<dd>
<span class="refAuthor">Fett, D.</span>, <span class="refAuthor">Campbell, B.</span>, <span class="refAuthor">Bradley, J.</span>, <span class="refAuthor">Lodderstedt, T.</span>, <span class="refAuthor">Jones, M.</span>, and <span class="refAuthor">D. Waite</span>, <span class="refTitle">"OAuth 2.0 Demonstrating Proof of Possession (DPoP)"</span>, <span class="seriesInfo">RFC 9449</span>, <span class="seriesInfo">DOI 10.17487/RFC9449</span>, <time datetime="2023-09" class="refDate">September 2023</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc9449">https://www.rfc-editor.org/rfc/rfc9449</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="SPIFFE">[SPIFFE]</dt> <dt id="SPIFFE">[SPIFFE]</dt>
<dd> <dd>
<span class="refTitle">"Secure Production Identity Framework for Everyone (SPIFFE)"</span>, <span>&lt;<a href="https://spiffe.io/docs/latest/spiffe-about/overview/">https://spiffe.io/docs/latest/spiffe-about/overview/</a>&gt;</span>. </dd> <span class="refTitle">"Secure Production Identity Framework for Everyone (SPIFFE)"</span>, <span>&lt;<a href="https://spiffe.io/docs/latest/spiffe-about/overview/">https://spiffe.io/docs/latest/spiffe-about/overview/</a>&gt;</span>. </dd>
@@ -3157,6 +3282,11 @@ workloads that forward the token unchanged are not recorded.<a href="#appendix-B
<li class="normal" id="appendix-B.3-3.3"> <li class="normal" id="appendix-B.3-3.3">
<p id="appendix-B.3-3.3.1">It carries no task-level granularity, no parent references, <p id="appendix-B.3-3.3.1">It carries no task-level granularity, no parent references,
and no execution content.<a href="#appendix-B.3-3.3.1" class="pilcrow"></a></p> and no execution content.<a href="#appendix-B.3-3.3.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="appendix-B.3-3.4">
<p id="appendix-B.3-3.4.1">It cannot represent convergence (fan-in): when two independent
paths must both complete before a dependent task proceeds, a
linear "req_wl" string cannot express that relationship.<a href="#appendix-B.3-3.4.1" class="pilcrow"></a></p>
</li> </li>
</ul> </ul>
<p id="appendix-B.3-4">Extensions for agentic use cases <p id="appendix-B.3-4">Extensions for agentic use cases
@@ -3194,16 +3324,32 @@ ECTs may reference OpenTelemetry trace identifiers in the "ext"
claim for correlation.<a href="#appendix-B.4-1" class="pilcrow"></a></p> claim for correlation.<a href="#appendix-B.4-1" class="pilcrow"></a></p>
</section> </section>
</div> </div>
<div id="scitt-supply-chain-integrity-transparency-and-trust"> <div id="w3c-provenance-data-model-prov">
<section id="appendix-B.5"> <section id="appendix-B.5">
<h3 id="name-w3c-provenance-data-model-p">
<a href="#name-w3c-provenance-data-model-p" class="section-name selfRef">W3C Provenance Data Model (PROV)</a>
</h3>
<p id="appendix-B.5-1">The W3C PROV Data Model defines an Entity-Activity-Agent ontology
for representing provenance information. PROV's concepts map
closely to ECT structures: PROV Activities correspond to ECT
tasks, PROV Agents correspond to WIMSE workloads, and PROV's
"wasInformedBy" relation corresponds to ECT "par" references.
However, PROV uses RDF/OWL ontologies designed for post-hoc
documentation, while ECTs are runtime-embeddable JWT tokens with
cryptographic signatures. ECT audit data could be exported to
PROV format for interoperability with provenance-aware systems.<a href="#appendix-B.5-1" class="pilcrow"></a></p>
</section>
</div>
<div id="scitt-supply-chain-integrity-transparency-and-trust">
<section id="appendix-B.6">
<h3 id="name-scitt-supply-chain-integrit"> <h3 id="name-scitt-supply-chain-integrit">
<a href="#name-scitt-supply-chain-integrit" class="section-name selfRef">SCITT (Supply Chain Integrity, Transparency, and Trust)</a> <a href="#name-scitt-supply-chain-integrit" class="section-name selfRef">SCITT (Supply Chain Integrity, Transparency, and Trust)</a>
</h3> </h3>
<p id="appendix-B.5-1">The SCITT architecture <span>[<a href="#I-D.ietf-scitt-architecture" class="cite xref">I-D.ietf-scitt-architecture</a>]</span> defines a <p id="appendix-B.6-1">The SCITT architecture <span>[<a href="#I-D.ietf-scitt-architecture" class="cite xref">I-D.ietf-scitt-architecture</a>]</span> defines a
framework for transparent and auditable supply chain records. framework for transparent and auditable supply chain records.
ECTs and SCITT are complementary: the ECT "wid" claim can serve ECTs and SCITT are complementary: the ECT "wid" claim can serve
as a correlation identifier in SCITT Signed Statements, linking as a correlation identifier in SCITT Signed Statements, linking
an ECT audit trail to a supply chain transparency record.<a href="#appendix-B.5-1" class="pilcrow"></a></p> an ECT audit trail to a supply chain transparency record.<a href="#appendix-B.6-1" class="pilcrow"></a></p>
</section> </section>
</div> </div>
</section> </section>
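Review bot: renumbering SCITT from B.5 to B.6 changes its fragment identifiers (the paragraph id moves from `appendix-B.5-1` to `appendix-B.6-1`), so an existing deep link `#appendix-B.5-1` now lands on the new PROV paragraph instead of the SCITT one. That is unavoidable when inserting an appendix, but it should be a regenerated-build change rather than a hand edit: confirm the Table of Contents entries for Appendix B were regenerated in the same build, since only the section 6.3 TOC entry is visible elsewhere in this commit, and that the `div id="scitt-supply-chain-integrity-transparency-and-trust"` anchor, which did not change, is the one any external references use.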


@@ -7,7 +7,7 @@ submissiontype: IETF
number: number:
date: date:
v: 3 v: 3
area: "Security" area: "ART"
workgroup: "WIMSE" workgroup: "WIMSE"
keyword: keyword:
- execution context - execution context
@@ -47,6 +47,7 @@ informative:
author: author:
- org: Cloud Native Computing Foundation - org: Cloud Native Computing Foundation
I-D.ietf-scitt-architecture: I-D.ietf-scitt-architecture:
RFC9449:
I-D.ietf-oauth-transaction-tokens: I-D.ietf-oauth-transaction-tokens:
I-D.oauth-transaction-tokens-for-agents: I-D.oauth-transaction-tokens-for-agents:
@@ -413,7 +414,9 @@ par:
multiple root tasks. Parent ECTs may have passed their own multiple root tasks. Parent ECTs may have passed their own
"exp" time; ECT expiration applies to the verification window "exp" time; ECT expiration applies to the verification window
of the ECT itself, not to its validity as a parent reference of the ECT itself, not to its validity as a parent reference
in the ECT store. in the ECT store. Note: "par" is not a registered JWT claim
and does not conflict with OAuth Pushed Authorization Requests
(RFC 9126), which defines an endpoint, not a token claim.
### Data Integrity {#data-integrity-claims} ### Data Integrity {#data-integrity-claims}
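Review bot: the new sentence names RFC 9126 as plain text rather than as a `{{RFC9126}}` citation, so kramdown-rfc will neither link it nor add it to the reference list (the `informative:` hunk in this commit only adds RFC9449). Either cite it and add the entry, or drop the number and say "OAuth Pushed Authorization Requests". Also, "par is not a registered JWT claim" is only true at the time of writing; phrase it that way and point at the IANA JSON Web Token Claims registry, which is where Section 11.3 registers the ECT claims anyway, so the collision question is settled by that registration rather than by a note in the definition.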
@@ -421,27 +424,27 @@ The following claims provide integrity verification for task
inputs and outputs without revealing the data itself: inputs and outputs without revealing the data itself:
inp_hash: inp_hash:
: OPTIONAL. String. A cryptographic hash of the input data, : OPTIONAL. String. The base64url encoding (without padding) of
formatted as "hash-algorithm:base64url-encoded-hash" (e.g., the SHA-256 hash of the input data, computed over the raw octets
"sha-256:n4bQgYhMfWWaL-qgxVrQFaO\_TxsrC4Is0V1sFbDwCgg"). The of the input. This follows the same fixed-algorithm pattern
hash algorithm identifier MUST be a lowercase value from the used by the DPoP "ath" claim {{RFC9449}} and the WIMSE WPT
IANA Named Information Hash Algorithm Registry (e.g., "sha-256", "tth" claim {{I-D.ietf-wimse-s2s-protocol}}: SHA-256 is the
"sha-384", "sha-512"). Implementations MUST support "sha-256" mandatory algorithm with no algorithm prefix in the value.
and SHOULD use "sha-256" unless a stronger algorithm is
required. Implementations MUST NOT accept hash algorithms
weaker than SHA-256 (e.g., MD5, SHA-1). The hash MUST be
computed over the raw octets of the input data.
out_hash: out_hash:
: OPTIONAL. String. A cryptographic hash of the output data, : OPTIONAL. String. The base64url encoding (without padding) of
using the same format and algorithm requirements as "inp_hash". the SHA-256 hash of the output data, using the same format as
"inp_hash".
### Extensions {#extension-claims} ### Extensions {#extension-claims}
ext: ext:
: OPTIONAL. Object. An extension object for domain-specific : OPTIONAL. Object. A general-purpose extension object for
claims not defined by this specification. Implementations domain-specific claims not defined by this specification. The
that do not understand extension claims MUST ignore them. short name "ext" follows the JWT convention of concise claim
names and is chosen over alternatives like "extensions" for
compactness. Implementations that do not understand extension
claims MUST ignore them.
To avoid key collisions between different domains, extension To avoid key collisions between different domains, extension
key names SHOULD use reverse domain notation (e.g., key names SHOULD use reverse domain notation (e.g.,
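Review bot: "computed over the raw octets of the input" gives a verifier nothing to recompute when the task input is a structured object (a JSON document, a multi-part request body); two agents that serialise the same logical input differently will disagree on `inp_hash`. Say that the octets are exactly what was transmitted to or consumed by the task, or require a canonical form, otherwise the hash only ever matches for opaque byte strings. With the algorithm fixed, also add a syntactic check: a base64url-encoded SHA-256 digest without padding is exactly 43 characters of the base64url alphabet, and verifiers should reject anything else as malformed. The removed "MUST NOT accept MD5/SHA-1" sentence used to give a rejection path for wrong formats; now a legacy `sha-256:`-prefixed value just fails as a silent mismatch. Finally, fixing SHA-256 trades away agility, which is the same trade-off DPoP made; a sentence in Security Considerations on how a successor digest would be introduced (a new claim name, not a prefix) is worth adding.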
@@ -472,8 +475,12 @@ The following is a complete ECT payload example:
"exec_act": "recommend_treatment", "exec_act": "recommend_treatment",
"par": [], "par": [],
"inp_hash": "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg", "inp_hash": "n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
"out_hash": "sha-256:LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564" "out_hash": "LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
"ext": {
"com.example.trace_id": "abc123"
}
} }
~~~ ~~~
{: #fig-full-ect title="Complete ECT Payload Example"} {: #fig-full-ect title="Complete ECT Payload Example"}
@@ -567,6 +574,29 @@ implementations SHOULD enforce a maximum ancestor traversal limit
(RECOMMENDED: 10000 nodes). If the limit is reached before cycle (RECOMMENDED: 10000 nodes). If the limit is reached before cycle
detection completes, the ECT SHOULD be rejected. detection completes, the ECT SHOULD be rejected.
## Handling Unavailable Parent ECTs
In distributed deployments, a parent ECT referenced in the "par"
array may not yet be available in the local ECT store at the time
of validation — for example, due to replication lag in a
distributed ledger or out-of-order message delivery.
Implementations MUST distinguish between two cases:
1. Parent not found and definitively absent: The parent "jti"
does not exist in any accessible ECT store. The ECT MUST be
rejected.
2. Parent not yet available: The parent "jti" is not present
locally but may arrive due to known replication delays.
Implementations MAY defer validation for a bounded period
(RECOMMENDED: no more than 60 seconds).
Deferred ECTs MUST NOT be treated as verified until all parent
references are resolved. If any parent reference remains
unresolved after the deferral period or after the ECT's own "exp"
time (whichever comes first), the ECT MUST be rejected.
# Signature and Token Verification {#verification} # Signature and Token Verification {#verification}
## Verification Procedure ## Verification Procedure
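Review bot: the two cases in the new section are not distinguishable from the verifier's point of view as written. A local miss looks identical whether the parent never existed or is still replicating, and "does not exist in any accessible ECT store" cannot be established by a single node of an eventually consistent store. Tie case 1 to an authoritative negative answer (for example, the ECT store of the parent issuer's trust domain reporting the `jti` as unknown) and case 2 to a purely local miss, and say what the verifier does while replication status is unknown. The 60-second deferral also creates a queue an attacker can fill with ECTs whose parents will never arrive; bound the number of deferred ECTs per issuer and cross-reference the Denial of Service section. The "whichever comes first" rule is good, but note that `exp` is set by the issuer, so the deferral bound is the only limit a verifier controls.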
@@ -579,8 +609,12 @@ verification steps in order:
2. Verify that the "typ" header parameter is "wimse-exec+jwt". 2. Verify that the "typ" header parameter is "wimse-exec+jwt".
3. Verify that the "alg" header parameter is not "none" and is 3. Verify that the "alg" header parameter appears in the
not a symmetric algorithm. verifier's configured allowlist of accepted signing algorithms.
The allowlist MUST NOT include "none" or any symmetric
algorithm (e.g., HS256, HS384, HS512). Implementations MUST
include ES256 in the allowlist; additional asymmetric algorithms
MAY be included per deployment policy.
4. Verify the "kid" header parameter references a known, valid 4. Verify the "kid" header parameter references a known, valid
public key from a WIT within the trust domain. public key from a WIT within the trust domain.
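Review bot: the allowlist check in step 3 should be tied to the key resolved in step 4: require that `alg` be consistent with the resolved key's type (`kty` and `crv`, or the key's own `alg` member when the WIT JWK carries one), so the token cannot choose, per presentation, which algorithm family the verifier applies to a given key. An allowlist of asymmetric algorithms alone does not rule that out, and JWT libraries have repeatedly had bugs in exactly this key-type versus algorithm mismatch path. Minor: state that the `alg` comparison is exact and case-sensitive, and that the allowlist is a closed configuration, not something derived from the incoming header.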
@@ -746,6 +780,12 @@ Implementations MUST maintain a cache of recently-seen "jti"
values to detect replayed ECTs within the expiration window. values to detect replayed ECTs within the expiration window.
An ECT with a duplicate "jti" value MUST be rejected. An ECT with a duplicate "jti" value MUST be rejected.
Additionally, each ECT is cryptographically bound to the issuing
agent via the JOSE "kid" parameter, which references the agent's
WIT public key. Verifiers MUST confirm that the "kid" resolves
to the "iss" agent's key (step 8 in {{verification}}), preventing
one agent from replaying another agent's ECT as its own.
## Man-in-the-Middle Protection ## Man-in-the-Middle Protection
ECTs do not replace transport-layer security. ECTs MUST be ECTs do not replace transport-layer security. ECTs MUST be
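Review bot: `kid` is an unsigned header hint, so what binds the ECT to the issuing agent is the signature verified with the key that `kid` resolves to, together with the check that this key belongs to `iss`; the paragraph should say the binding is the signature, not the header parameter. Step 8 is cited for the `kid`-to-`iss` match but is not part of this diff (the verification hunk only changes step 3), so please confirm that step 8 actually performs that check. Also, this binding stops an agent from minting another agent's ECT as its own, but not from re-presenting the original unchanged; that case still rests on the `jti` cache in the preceding paragraph, which has to be scoped per verifier so it does not reject an ECT that is legitimately forwarded to more than one audience.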
@@ -780,7 +820,17 @@ ledger before revocation remain valid historical records but SHOULD
be flagged in the ledger as "signed with subsequently revoked key" be flagged in the ledger as "signed with subsequently revoked key"
for audit purposes. for audit purposes.
## Collusion and False Claims ECT revocation does not propagate through the DAG. If a parent
ECT's signing key is later revoked, child ECTs that were verified
and recorded before that revocation remain valid — they captured
a legitimate execution record at the time of issuance. However,
auditors reviewing a workflow SHOULD flag any ECT in the DAG
whose signing key was subsequently revoked, so that the scope of
a potential compromise can be assessed. New ECTs MUST NOT be
created with a "par" reference to an ECT whose signing key is
known to be revoked at creation time.
## Collusion and False Claims {#collusion-and-false-claims}
A single malicious agent cannot forge parent task references A single malicious agent cannot forge parent task references
because DAG validation requires parent tasks to exist in the because DAG validation requires parent tasks to exist in the
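Review bot: the paragraph opens with "ECT revocation" but everything that follows concerns revocation of the signing key; ECTs themselves are never revoked anywhere in this document, so say "Revocation of a signing key does not propagate". Separate revocation time from compromise time as well: an ECT signed after the estimated compromise but before the revocation was recorded is the suspicious case, not merely one "signed with subsequently revoked key", and its descendants in the DAG inherit that suspicion for audit purposes, which is the propagation auditors actually need. The "New ECTs MUST NOT be created" sentence binds the issuer, which may have no revocation information at all; put the enforceable requirement on the verifier, for example reject an ECT whose `par` references a parent whose signing key was already revoked at the child's `iat`.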
@@ -796,6 +846,48 @@ Mitigations include:
- Out-of-band audit: External auditors periodically verify ledger - Out-of-band audit: External auditors periodically verify ledger
contents against expected workflow patterns. contents against expected workflow patterns.
## DAG Integrity Attacks
Because the DAG structure is the primary mechanism for establishing
execution ordering, attackers may attempt to manipulate it:
- False parent references: A malicious agent creates an ECT that
references parent tasks from an unrelated workflow, inserting
itself into a legitimate execution history. DAG validation
({{dag-validation}}) mitigates this by requiring parent existence
in the ECT store, and the "wid" claim scopes parent references
to a single workflow when present.
- Parent omission (pruning): An agent deliberately omits one or
more actual parent dependencies from the "par" array to hide
that certain tasks influenced its output. Because ECTs are
self-asserted ({{self-assertion-limitation}}), no mechanism can
force an agent to declare all dependencies. External auditors
can detect omission by comparing the declared DAG against
expected workflow patterns.
- Shadow DAGs: Multiple colluding agents fabricate an entire
execution history by creating a sequence of ECTs with mutual
parent references. Independent ledger maintenance and
cross-verification (see {{collusion-and-false-claims}} above)
are the primary mitigations.
Verifiers SHOULD validate that the declared "wid" of parent ECTs
matches the "wid" of the child ECT, rejecting cross-workflow
parent references unless explicitly permitted by deployment
policy.
## Privilege Escalation via ECTs
ECTs record execution history; they do not convey authorization.
Verifiers MUST NOT interpret the presence of an ECT, or a
particular set of parent references in "par", as an authorization
grant. The "par" claim demonstrates that predecessor tasks were
recorded, not that the current agent is authorized to act on
their outputs. Authorization decisions MUST remain with the
identity and authorization layer (WIT, WPT, and deployment
policy). As noted in {{I-D.ni-wimse-ai-agent-identity}},
AI intermediaries introduce novel escalation vectors; ECTs
MUST NOT be used to circumvent authorization boundaries.
## Denial of Service ## Denial of Service
ECT signature verification is computationally inexpensive ECT signature verification is computationally inexpensive
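Review bot: the false-parent bullet claims that `wid` "scopes parent references to a single workflow when present", but the only enforcement is the SHOULD in the closing paragraph; a verifier that skips the check is still conformant, so the scoping the bullet relies on does not exist. Make the `wid` match a MUST with the deployment-policy exception spelled out, or soften the bullet. In the privilege escalation subsection, WIT and WPT prove identity and key possession, not authorization, so calling them "the identity and authorization layer" blurs the very distinction the subsection exists to make; authorization is deployment policy (or whatever access token the deployment uses), and the WIT/WPT only identify the caller that policy applies to.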
@@ -1087,6 +1179,9 @@ However, "req_wl" cannot form a DAG because:
workloads that forward the token unchanged are not recorded. workloads that forward the token unchanged are not recorded.
- It carries no task-level granularity, no parent references, - It carries no task-level granularity, no parent references,
and no execution content. and no execution content.
- It cannot represent convergence (fan-in): when two independent
paths must both complete before a dependent task proceeds, a
linear "req_wl" string cannot express that relationship.
Extensions for agentic use cases Extensions for agentic use cases
({{I-D.oauth-transaction-tokens-for-agents}}) add agent ({{I-D.oauth-transaction-tokens-for-agents}}) add agent
@@ -1120,6 +1215,19 @@ provide observability while ECTs provide signed execution records.
ECTs may reference OpenTelemetry trace identifiers in the "ext" ECTs may reference OpenTelemetry trace identifiers in the "ext"
claim for correlation. claim for correlation.
## W3C Provenance Data Model (PROV)
{:numbered="false"}
The W3C PROV Data Model defines an Entity-Activity-Agent ontology
for representing provenance information. PROV's concepts map
closely to ECT structures: PROV Activities correspond to ECT
tasks, PROV Agents correspond to WIMSE workloads, and PROV's
"wasInformedBy" relation corresponds to ECT "par" references.
However, PROV uses RDF/OWL ontologies designed for post-hoc
documentation, while ECTs are runtime-embeddable JWT tokens with
cryptographic signatures. ECT audit data could be exported to
PROV format for interoperability with provenance-aware systems.
## SCITT (Supply Chain Integrity, Transparency, and Trust) ## SCITT (Supply Chain Integrity, Transparency, and Trust)
{:numbered="false"} {:numbered="false"}
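Review bot: W3C PROV is described at length but never cited; every other Related Work entry uses a `{{...}}` reference, and the `informative:` hunk in this commit adds only RFC9449. Add a PROV-DM entry and cite it. Also, "PROV uses RDF/OWL ontologies" conflates PROV-DM with PROV-O: the data model is serialization-neutral and has PROV-N, PROV-XML and PROV-JSON serializations besides the OWL ontology, so the contrast with ECTs is about runtime signing and embeddability, not about RDF; PROV-JSON would be the natural export target the last sentence alludes to.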


@@ -77,35 +77,35 @@ Table of Contents
3. WIMSE Architecture Integration . . . . . . . . . . . . . . . 5 3. WIMSE Architecture Integration . . . . . . . . . . . . . . . 5
3.1. WIMSE Foundation . . . . . . . . . . . . . . . . . . . . 5 3.1. WIMSE Foundation . . . . . . . . . . . . . . . . . . . . 5
3.2. Extension Model . . . . . . . . . . . . . . . . . . . . . 6 3.2. Extension Model . . . . . . . . . . . . . . . . . . . . . 6
3.3. Integration Points . . . . . . . . . . . . . . . . . . . 6 3.3. Integration Points . . . . . . . . . . . . . . . . . . . 7
4. Execution Context Token Format . . . . . . . . . . . . . . . 7 4. Execution Context Token Format . . . . . . . . . . . . . . . 8
4.1. JOSE Header . . . . . . . . . . . . . . . . . . . . . . . 8 4.1. JOSE Header . . . . . . . . . . . . . . . . . . . . . . . 8
4.2. JWT Claims . . . . . . . . . . . . . . . . . . . . . . . 8 4.2. JWT Claims . . . . . . . . . . . . . . . . . . . . . . . 8
4.2.1. Standard JWT Claims . . . . . . . . . . . . . . . . . 8 4.2.1. Standard JWT Claims . . . . . . . . . . . . . . . . . 8
4.2.2. Execution Context . . . . . . . . . . . . . . . . . . 10 4.2.2. Execution Context . . . . . . . . . . . . . . . . . . 10
4.2.3. Data Integrity . . . . . . . . . . . . . . . . . . . 10 4.2.3. Data Integrity . . . . . . . . . . . . . . . . . . . 10
4.2.4. Extensions . . . . . . . . . . . . . . . . . . . . . 10 4.2.4. Extensions . . . . . . . . . . . . . . . . . . . . . 11
4.3. Complete ECT Example . . . . . . . . . . . . . . . . . . 11 4.3. Complete ECT Example . . . . . . . . . . . . . . . . . . 11
5. HTTP Header Transport . . . . . . . . . . . . . . . . . . . . 11 5. HTTP Header Transport . . . . . . . . . . . . . . . . . . . . 12
5.1. Execution-Context Header Field . . . . . . . . . . . . . 11 5.1. Execution-Context Header Field . . . . . . . . . . . . . 12
6. DAG Validation . . . . . . . . . . . . . . . . . . . . . . . 12 6. DAG Validation . . . . . . . . . . . . . . . . . . . . . . . 12
6.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 12 6.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 12
6.2. Validation Rules . . . . . . . . . . . . . . . . . . . . 12 6.2. Validation Rules . . . . . . . . . . . . . . . . . . . . 13
7. Signature and Token Verification . . . . . . . . . . . . . . 13 6.3. Handling Unavailable Parent ECTs . . . . . . . . . . . . 13
7.1. Verification Procedure . . . . . . . . . . . . . . . . . 13 7. Signature and Token Verification . . . . . . . . . . . . . . 14
7.1. Verification Procedure . . . . . . . . . . . . . . . . . 14
8. Audit Ledger Interface . . . . . . . . . . . . . . . . . . . 15 8. Audit Ledger Interface . . . . . . . . . . . . . . . . . . . 15
9. Security Considerations . . . . . . . . . . . . . . . . . . . 15 9. Security Considerations . . . . . . . . . . . . . . . . . . . 16
9.1. Threat Model . . . . . . . . . . . . . . . . . . . . . . 15 9.1. Threat Model . . . . . . . . . . . . . . . . . . . . . . 16
9.2. Self-Assertion Limitation . . . . . . . . . . . . . . . . 16 9.2. Self-Assertion Limitation . . . . . . . . . . . . . . . . 16
9.3. Organizational Prerequisites . . . . . . . . . . . . . . 16 9.3. Organizational Prerequisites . . . . . . . . . . . . . . 17
9.4. Signature Verification . . . . . . . . . . . . . . . . . 16 9.4. Signature Verification . . . . . . . . . . . . . . . . . 17
9.5. Replay Attack Prevention . . . . . . . . . . . . . . . . 17 9.5. Replay Attack Prevention . . . . . . . . . . . . . . . . 17
9.6. Man-in-the-Middle Protection . . . . . . . . . . . . . . 17 9.6. Man-in-the-Middle Protection . . . . . . . . . . . . . . 18
9.7. Key Compromise . . . . . . . . . . . . . . . . . . . . . 17 9.7. Key Compromise . . . . . . . . . . . . . . . . . . . . . 18
9.8. Collusion and False Claims . . . . . . . . . . . . . . . 18 9.8. Collusion and False Claims . . . . . . . . . . . . . . . 19
9.9. Denial of Service . . . . . . . . . . . . . . . . . . . . 18 9.9. DAG Integrity Attacks . . . . . . . . . . . . . . . . . . 19
9.10. Timestamp Accuracy . . . . . . . . . . . . . . . . . . . 18 9.10. Privilege Escalation via ECTs . . . . . . . . . . . . . . 20
9.11. ECT Size Constraints . . . . . . . . . . . . . . . . . . 19
@@ -114,27 +114,31 @@ Nennemann Expires 29 August 2026 [Page 2]
Internet-Draft WIMSE Execution Context February 2026 Internet-Draft WIMSE Execution Context February 2026
10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 19 9.11. Denial of Service . . . . . . . . . . . . . . . . . . . . 20
10.1. Data Exposure in ECTs . . . . . . . . . . . . . . . . . 19 9.12. Timestamp Accuracy . . . . . . . . . . . . . . . . . . . 20
10.2. Data Minimization . . . . . . . . . . . . . . . . . . . 20 9.13. ECT Size Constraints . . . . . . . . . . . . . . . . . . 21
10.3. Storage and Access Control . . . . . . . . . . . . . . . 20 10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 21
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 10.1. Data Exposure in ECTs . . . . . . . . . . . . . . . . . 21
11.1. Media Type Registration . . . . . . . . . . . . . . . . 20 10.2. Data Minimization . . . . . . . . . . . . . . . . . . . 22
11.2. HTTP Header Field Registration . . . . . . . . . . . . . 21 10.3. Storage and Access Control . . . . . . . . . . . . . . . 22
11.3. JWT Claims Registration . . . . . . . . . . . . . . . . 21 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 22 11.1. Media Type Registration . . . . . . . . . . . . . . . . 22
12.1. Normative References . . . . . . . . . . . . . . . . . . 22 11.2. HTTP Header Field Registration . . . . . . . . . . . . . 23
12.2. Informative References . . . . . . . . . . . . . . . . . 23 11.3. JWT Claims Registration . . . . . . . . . . . . . . . . 23
Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 24
Cross-Organization Financial Trading . . . . . . . . . . . . . 25 12.1. Normative References . . . . . . . . . . . . . . . . . . 24
Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . 26 12.2. Informative References . . . . . . . . . . . . . . . . . 25
WIMSE Workload Identity . . . . . . . . . . . . . . . . . . . . 26 Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
OAuth 2.0 Token Exchange and the "act" Claim . . . . . . . . . 26 Cross-Organization Financial Trading . . . . . . . . . . . . . 27
Transaction Tokens . . . . . . . . . . . . . . . . . . . . . . 26 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Distributed Tracing (OpenTelemetry) . . . . . . . . . . . . . . 27 WIMSE Workload Identity . . . . . . . . . . . . . . . . . . . . 28
SCITT (Supply Chain Integrity, Transparency, and Trust) . . . . 27 OAuth 2.0 Token Exchange and the "act" Claim . . . . . . . . . 28
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 28 Transaction Tokens . . . . . . . . . . . . . . . . . . . . . . 29
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 28 Distributed Tracing (OpenTelemetry) . . . . . . . . . . . . . . 30
W3C Provenance Data Model (PROV) . . . . . . . . . . . . . . . 30
SCITT (Supply Chain Integrity, Transparency, and Trust) . . . . 30
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 30
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 30
1. Introduction 1. Introduction
@@ -156,10 +160,6 @@ Internet-Draft WIMSE Execution Context February 2026
healthcare, finance, and logistics require structured, auditable healthcare, finance, and logistics require structured, auditable
records of automated decision-making and execution. records of automated decision-making and execution.
This document defines an extension to the WIMSE architecture that
addresses the gap between workload identity and execution
accountability. WIMSE authenticates agents; this extension records
what they did and in what order.
@@ -170,6 +170,11 @@ Nennemann Expires 29 August 2026 [Page 3]
Internet-Draft WIMSE Execution Context February 2026 Internet-Draft WIMSE Execution Context February 2026
This document defines an extension to the WIMSE architecture that
addresses the gap between workload identity and execution
accountability. WIMSE authenticates agents; this extension records
what they did and in what order.
As identified in [I-D.ni-wimse-ai-agent-identity], call context in As identified in [I-D.ni-wimse-ai-agent-identity], call context in
agentic workflows needs to be visible and preserved. ECTs provide a agentic workflows needs to be visible and preserved. ECTs provide a
mechanism to address this requirement with cryptographic assurances. mechanism to address this requirement with cryptographic assurances.
@@ -213,11 +218,6 @@ Internet-Draft WIMSE Execution Context February 2026
* Workload authentication and identity provisioning * Workload authentication and identity provisioning
* Key distribution and management
* Trust domain establishment and management
* Credential lifecycle management
@@ -226,6 +226,12 @@ Nennemann Expires 29 August 2026 [Page 4]
Internet-Draft WIMSE Execution Context February 2026 Internet-Draft WIMSE Execution Context February 2026
* Key distribution and management
* Trust domain establishment and management
* Credential lifecycle management
2. Conventions and Definitions 2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
@@ -267,12 +273,6 @@ Internet-Draft WIMSE Execution Context February 2026
The WIMSE architecture [I-D.ietf-wimse-arch] defines: The WIMSE architecture [I-D.ietf-wimse-arch] defines:
* Workload Identity Tokens (WIT) that prove a workload's identity
within a trust domain ("I am Agent X in trust domain Y")
* Workload Proof Tokens (WPT) that prove possession of the private
key associated with a WIT ("I control the key for Agent X")
@@ -282,6 +282,12 @@ Nennemann Expires 29 August 2026 [Page 5]
Internet-Draft WIMSE Execution Context February 2026 Internet-Draft WIMSE Execution Context February 2026
* Workload Identity Tokens (WIT) that prove a workload's identity
within a trust domain ("I am Agent X in trust domain Y")
* Workload Proof Tokens (WPT) that prove possession of the private
key associated with a WIT ("I control the key for Agent X")
* Multi-hop authentication via the service-to-service protocol * Multi-hop authentication via the service-to-service protocol
[I-D.ietf-wimse-s2s-protocol] [I-D.ietf-wimse-s2s-protocol]
@@ -325,12 +331,6 @@ Internet-Draft WIMSE Execution Context February 2026
using standard JWT extensibility [RFC7519], and maintains WIMSE using standard JWT extensibility [RFC7519], and maintains WIMSE
concepts including trust domains and workload identifiers. concepts including trust domains and workload identifiers.
3.3. Integration Points
An ECT integrates with the WIMSE identity framework through the
following mechanisms:
Nennemann Expires 29 August 2026 [Page 6] Nennemann Expires 29 August 2026 [Page 6]
@@ -338,6 +338,11 @@ Nennemann Expires 29 August 2026 [Page 6]
Internet-Draft WIMSE Execution Context February 2026 Internet-Draft WIMSE Execution Context February 2026
3.3. Integration Points
An ECT integrates with the WIMSE identity framework through the
following mechanisms:
* The ECT JOSE header "kid" parameter MUST reference the public key * The ECT JOSE header "kid" parameter MUST reference the public key
identifier from the agent's WIT. identifier from the agent's WIT.
@@ -376,12 +381,7 @@ Internet-Draft WIMSE Execution Context February 2026
3. Ledger (if deployed): Appends the verified ECT to the audit 3. Ledger (if deployed): Appends the verified ECT to the audit
ledger. ledger.
4. Execution Context Token Format
An Execution Context Token is a JSON Web Token (JWT) [RFC7519] signed
as a JSON Web Signature (JWS) [RFC7515]. ECTs MUST use JWS Compact
Serialization (the base64url-encoded header.payload.signature format)
so that they can be carried in a single HTTP header value.
@@ -394,6 +394,13 @@ Nennemann Expires 29 August 2026 [Page 7]
Internet-Draft WIMSE Execution Context February 2026 Internet-Draft WIMSE Execution Context February 2026
4. Execution Context Token Format
An Execution Context Token is a JSON Web Token (JWT) [RFC7519] signed
as a JSON Web Signature (JWS) [RFC7515]. ECTs MUST use JWS Compact
Serialization (the base64url-encoded header.payload.signature format)
so that they can be carried in a single HTTP header value.
4.1. JOSE Header 4.1. JOSE Header
The ECT JOSE header MUST contain the following parameters: The ECT JOSE header MUST contain the following parameters:
@@ -432,6 +439,17 @@ Internet-Draft WIMSE Execution Context February 2026
ECT: ECT:
iss: REQUIRED. StringOrURI. A URI identifying the issuer of the iss: REQUIRED. StringOrURI. A URI identifying the issuer of the
Nennemann Expires 29 August 2026 [Page 8]
Internet-Draft WIMSE Execution Context February 2026
ECT. In WIMSE deployments, this SHOULD be the workload's SPIFFE ECT. In WIMSE deployments, this SHOULD be the workload's SPIFFE
ID in the format spiffe://<trust-domain>/<path>, matching the ID in the format spiffe://<trust-domain>/<path>, matching the
"sub" claim of the agent's WIT. Non-WIMSE deployments MAY use "sub" claim of the agent's WIT. Non-WIMSE deployments MAY use
@@ -443,13 +461,6 @@ Internet-Draft WIMSE Execution Context February 2026
identifiers of all entities that will verify the ECT. In practice identifiers of all entities that will verify the ECT. In practice
this means: this means:
Nennemann Expires 29 August 2026 [Page 8]
Internet-Draft WIMSE Execution Context February 2026
* *Point-to-point delivery*: when an ECT is sent from one agent * *Point-to-point delivery*: when an ECT is sent from one agent
to a single next agent, "aud" contains that agent's workload to a single next agent, "aud" contains that agent's workload
identity. The receiving agent verifies the ECT and forwards it identity. The receiving agent verifies the ECT and forwards it
@@ -487,6 +498,14 @@ Internet-Draft WIMSE Execution Context February 2026
issuance. issuance.
jti: REQUIRED. String. A globally unique identifier for both the jti: REQUIRED. String. A globally unique identifier for both the
Nennemann Expires 29 August 2026 [Page 9]
Internet-Draft WIMSE Execution Context February 2026
ECT and the task it records, in UUID format [RFC9562]. Since each ECT and the task it records, in UUID format [RFC9562]. Since each
ECT represents exactly one task, "jti" serves as both the token ECT represents exactly one task, "jti" serves as both the token
identifier (for replay detection) and the task identifier (for DAG identifier (for replay detection) and the task identifier (for DAG
@@ -496,16 +515,6 @@ Internet-Draft WIMSE Execution Context February 2026
is absent, uniqueness MUST be enforced globally across the ECT is absent, uniqueness MUST be enforced globally across the ECT
store. store.
Nennemann Expires 29 August 2026 [Page 9]
Internet-Draft WIMSE Execution Context February 2026
4.2.2. Execution Context 4.2.2. Execution Context
The following claims are defined by this specification: The following claims are defined by this specification:
@@ -526,33 +535,24 @@ Internet-Draft WIMSE Execution Context February 2026
root task with no dependencies. A workflow MAY contain multiple root task with no dependencies. A workflow MAY contain multiple
root tasks. Parent ECTs may have passed their own "exp" time; ECT root tasks. Parent ECTs may have passed their own "exp" time; ECT
expiration applies to the verification window of the ECT itself, expiration applies to the verification window of the ECT itself,
not to its validity as a parent reference in the ECT store. not to its validity as a parent reference in the ECT store. Note:
"par" is not a registered JWT claim and does not conflict with
OAuth Pushed Authorization Requests (RFC 9126), which defines an
endpoint, not a token claim.
4.2.3. Data Integrity 4.2.3. Data Integrity
The following claims provide integrity verification for task inputs The following claims provide integrity verification for task inputs
and outputs without revealing the data itself: and outputs without revealing the data itself:
inp_hash: OPTIONAL. String. A cryptographic hash of the input inp_hash: OPTIONAL. String. The base64url encoding (without
data, formatted as "hash-algorithm:base64url-encoded-hash" (e.g., padding) of the SHA-256 hash of the input data, computed over the
"sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg"). The hash raw octets of the input. This follows the same fixed-algorithm
algorithm identifier MUST be a lowercase value from the IANA Named pattern used by the DPoP "ath" claim [RFC9449] and the WIMSE WPT
Information Hash Algorithm Registry (e.g., "sha-256", "sha-384", "tth" claim [I-D.ietf-wimse-s2s-protocol]: SHA-256 is the
"sha-512"). Implementations MUST support "sha-256" and SHOULD use mandatory algorithm with no algorithm prefix in the value.
"sha-256" unless a stronger algorithm is required.
Implementations MUST NOT accept hash algorithms weaker than
SHA-256 (e.g., MD5, SHA-1). The hash MUST be computed over the
raw octets of the input data.
out_hash: OPTIONAL. String. A cryptographic hash of the output out_hash: OPTIONAL. String. The base64url encoding (without
data, using the same format and algorithm requirements as
"inp_hash".
4.2.4. Extensions
ext: OPTIONAL. Object. An extension object for domain-specific
claims not defined by this specification. Implementations that do
not understand extension claims MUST ignore them.
@@ -562,6 +562,18 @@ Nennemann Expires 29 August 2026 [Page 10]
Internet-Draft WIMSE Execution Context February 2026 Internet-Draft WIMSE Execution Context February 2026
padding) of the SHA-256 hash of the output data, using the same
format as "inp_hash".
4.2.4. Extensions
ext: OPTIONAL. Object. A general-purpose extension object for
domain-specific claims not defined by this specification. The
short name "ext" follows the JWT convention of concise claim names
and is chosen over alternatives like "extensions" for compactness.
Implementations that do not understand extension claims MUST
ignore them.
To avoid key collisions between different domains, extension key To avoid key collisions between different domains, extension key
names SHOULD use reverse domain notation (e.g., names SHOULD use reverse domain notation (e.g.,
"com.example.custom_field") to avoid collisions between independently "com.example.custom_field") to avoid collisions between independently
@@ -589,12 +601,23 @@ Internet-Draft WIMSE Execution Context February 2026
"exec_act": "recommend_treatment", "exec_act": "recommend_treatment",
"par": [], "par": [],
"inp_hash": "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg", "inp_hash": "n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
"out_hash": "sha-256:LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564" "out_hash": "LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
"ext": {
"com.example.trace_id": "abc123"
}
} }
Figure 4: Complete ECT Payload Example Figure 4: Complete ECT Payload Example
Nennemann Expires 29 August 2026 [Page 11]
Internet-Draft WIMSE Execution Context February 2026
5. HTTP Header Transport 5. HTTP Header Transport
5.1. Execution-Context Header Field 5.1. Execution-Context Header Field
@@ -609,15 +632,6 @@ Internet-Draft WIMSE Execution Context February 2026
An agent sending a request to another agent includes the Execution- An agent sending a request to another agent includes the Execution-
Context header alongside the WIMSE Workload-Identity header: Context header alongside the WIMSE Workload-Identity header:
Nennemann Expires 29 August 2026 [Page 11]
Internet-Draft WIMSE Execution Context February 2026
GET /api/safety-check HTTP/1.1 GET /api/safety-check HTTP/1.1
Host: safety-agent.example.com Host: safety-agent.example.com
Workload-Identity: eyJhbGci...WIT... Workload-Identity: eyJhbGci...WIT...
@@ -649,6 +663,17 @@ Internet-Draft WIMSE Execution Context February 2026
DAG validation is performed against the ECT store — either an audit DAG validation is performed against the ECT store — either an audit
ledger or the set of parent ECTs received inline. ledger or the set of parent ECTs received inline.
Nennemann Expires 29 August 2026 [Page 12]
Internet-Draft WIMSE Execution Context February 2026
6.2. Validation Rules 6.2. Validation Rules
When receiving and verifying an ECT, implementations MUST perform the When receiving and verifying an ECT, implementations MUST perform the
@@ -665,15 +690,6 @@ Internet-Draft WIMSE Execution Context February 2026
verified parent ECT). If any parent task is not found, the ECT verified parent ECT). If any parent task is not found, the ECT
MUST be rejected. MUST be rejected.
Nennemann Expires 29 August 2026 [Page 12]
Internet-Draft WIMSE Execution Context February 2026
3. Temporal Ordering: The "iat" value of every parent task MUST NOT 3. Temporal Ordering: The "iat" value of every parent task MUST NOT
be greater than the "iat" value of the current task plus a be greater than the "iat" value of the current task plus a
configurable clock skew tolerance (RECOMMENDED: 30 seconds). configurable clock skew tolerance (RECOMMENDED: 30 seconds).
@@ -698,6 +714,35 @@ Internet-Draft WIMSE Execution Context February 2026
(RECOMMENDED: 10000 nodes). If the limit is reached before cycle (RECOMMENDED: 10000 nodes). If the limit is reached before cycle
detection completes, the ECT SHOULD be rejected. detection completes, the ECT SHOULD be rejected.
6.3. Handling Unavailable Parent ECTs
In distributed deployments, a parent ECT referenced in the "par"
array may not yet be available in the local ECT store at the time of
validation — for example, due to replication lag in a distributed
ledger or out-of-order message delivery.
Implementations MUST distinguish between two cases:
Nennemann Expires 29 August 2026 [Page 13]
Internet-Draft WIMSE Execution Context February 2026
1. Parent not found and definitively absent: The parent "jti" does
not exist in any accessible ECT store. The ECT MUST be rejected.
2. Parent not yet available: The parent "jti" is not present locally
but may arrive due to known replication delays. Implementations
MAY defer validation for a bounded period (RECOMMENDED: no more
than 60 seconds).
Deferred ECTs MUST NOT be treated as verified until all parent
references are resolved. If any parent reference remains unresolved
after the deferral period or after the ECT's own "exp" time
(whichever comes first), the ECT MUST be rejected.
7. Signature and Token Verification 7. Signature and Token Verification
7.1. Verification Procedure 7.1. Verification Procedure
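Review bot: Section 6.3 case 2 ("MAY defer validation") conflicts with validation rule 2 in the context above ("If any parent task is not found, the ECT MUST be rejected"); rule 2 should read "is not found after the resolution procedure in Section 6.3", otherwise the two MUSTs contradict each other. The section also does not say how a verifier tells "definitively absent" from "not yet available"; stating the default (treat as not yet available unless the store can confirm the "jti" was never recorded) and bounding the number of ECTs held in the deferred state would close that gap and keep ECTs that reference non-existent parents from tying up verifier resources for the full 60 seconds each.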
@@ -710,8 +755,12 @@ Internet-Draft WIMSE Execution Context February 2026
2. Verify that the "typ" header parameter is "wimse-exec+jwt". 2. Verify that the "typ" header parameter is "wimse-exec+jwt".
3. Verify that the "alg" header parameter is not "none" and is not 3. Verify that the "alg" header parameter appears in the verifier's
a symmetric algorithm. configured allowlist of accepted signing algorithms. The
allowlist MUST NOT include "none" or any symmetric algorithm
(e.g., HS256, HS384, HS512). Implementations MUST include ES256
in the allowlist; additional asymmetric algorithms MAY be
included per deployment policy.
4. Verify the "kid" header parameter references a known, valid 4. Verify the "kid" header parameter references a known, valid
public key from a WIT within the trust domain. public key from a WIT within the trust domain.
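Review bot: Step 3's "Implementations MUST include ES256 in the allowlist" is phrased as a configuration requirement, which prevents a deployment from ever removing ES256 and sits oddly with "additional asymmetric algorithms MAY be included per deployment policy"; the usual split is "implementations MUST support ES256" (capability) while allowlist contents are deployment policy. It would also help to say that the allowlist check happens before any key lookup, and that step 7 (alg must match the WIT's algorithm) is what ties the allowlisted alg to the actual key type.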
@@ -719,17 +768,6 @@ Internet-Draft WIMSE Execution Context February 2026
5. Retrieve the public key identified by "kid" and verify the JWS 5. Retrieve the public key identified by "kid" and verify the JWS
signature per [RFC7515] Section 5.2. signature per [RFC7515] Section 5.2.
Nennemann Expires 29 August 2026 [Page 13]
Internet-Draft WIMSE Execution Context February 2026
6. Verify that the signing key identified by "kid" has not been 6. Verify that the signing key identified by "kid" has not been
revoked within the trust domain. Implementations MUST check the revoked within the trust domain. Implementations MUST check the
key's revocation status using the trust domain's key lifecycle key's revocation status using the trust domain's key lifecycle
@@ -739,6 +777,15 @@ Internet-Draft WIMSE Execution Context February 2026
7. Verify the "alg" header parameter matches the algorithm in the 7. Verify the "alg" header parameter matches the algorithm in the
corresponding WIT. corresponding WIT.
Nennemann Expires 29 August 2026 [Page 14]
Internet-Draft WIMSE Execution Context February 2026
8. Verify the "iss" claim matches the "sub" claim of the WIT 8. Verify the "iss" claim matches the "sub" claim of the WIT
associated with the "kid" public key. associated with the "kid" public key.
@@ -778,14 +825,6 @@ Internet-Draft WIMSE Execution Context February 2026
step failed. The receiving agent MUST NOT process the requested step failed. The receiving agent MUST NOT process the requested
action when ECT verification fails. action when ECT verification fails.
Nennemann Expires 29 August 2026 [Page 14]
Internet-Draft WIMSE Execution Context February 2026
8. Audit Ledger Interface 8. Audit Ledger Interface
ECTs MAY be recorded in an immutable audit ledger for compliance ECTs MAY be recorded in an immutable audit ledger for compliance
@@ -796,6 +835,13 @@ Internet-Draft WIMSE Execution Context February 2026
cryptographic commitment schemes, distributed ledgers, or any storage cryptographic commitment schemes, distributed ledgers, or any storage
mechanism that provides the required properties. mechanism that provides the required properties.
Nennemann Expires 29 August 2026 [Page 15]
Internet-Draft WIMSE Execution Context February 2026
When an audit ledger is deployed, the implementation MUST provide: When an audit ledger is deployed, the implementation MUST provide:
1. Append-only semantics: Once an ECT is recorded, it MUST NOT be 1. Append-only semantics: Once an ECT is recorded, it MUST NOT be
@@ -835,13 +881,6 @@ Internet-Draft WIMSE Execution Context February 2026
* Time manipulator: An entity attempting to manipulate timestamps to * Time manipulator: An entity attempting to manipulate timestamps to
alter perceived execution ordering. alter perceived execution ordering.
Nennemann Expires 29 August 2026 [Page 15]
Internet-Draft WIMSE Execution Context February 2026
9.2. Self-Assertion Limitation 9.2. Self-Assertion Limitation
ECTs are self-asserted by the executing agent. The agent claims what ECTs are self-asserted by the executing agent. The agent claims what
@@ -851,6 +890,14 @@ Internet-Draft WIMSE Execution Context February 2026
ECTs do not independently verify that: ECTs do not independently verify that:
Nennemann Expires 29 August 2026 [Page 16]
Internet-Draft WIMSE Execution Context February 2026
* The claimed execution actually occurred as described * The claimed execution actually occurred as described
* The input/output hashes correspond to the actual data processed * The input/output hashes correspond to the actual data processed
@@ -889,15 +936,6 @@ Internet-Draft WIMSE Execution Context February 2026
revoked, the ECT MUST be rejected entirely and the failure MUST be revoked, the ECT MUST be rejected entirely and the failure MUST be
logged. logged.
Nennemann Expires 29 August 2026 [Page 16]
Internet-Draft WIMSE Execution Context February 2026
Implementations MUST use established JWS libraries and MUST NOT Implementations MUST use established JWS libraries and MUST NOT
implement custom signature verification. implement custom signature verification.
@@ -909,6 +947,13 @@ Internet-Draft WIMSE Execution Context February 2026
rejected by Agent C. The "iat" claim enables receivers to reject rejected by Agent C. The "iat" claim enables receivers to reject
ECTs that are too old, even if not yet expired. ECTs that are too old, even if not yet expired.
Nennemann Expires 29 August 2026 [Page 17]
Internet-Draft WIMSE Execution Context February 2026
The DAG structure provides additional replay protection: an ECT The DAG structure provides additional replay protection: an ECT
referencing parent tasks that already have a recorded child task with referencing parent tasks that already have a recorded child task with
the same action can be flagged as a potential replay. the same action can be flagged as a potential replay.
@@ -917,6 +962,12 @@ Internet-Draft WIMSE Execution Context February 2026
to detect replayed ECTs within the expiration window. An ECT with a to detect replayed ECTs within the expiration window. An ECT with a
duplicate "jti" value MUST be rejected. duplicate "jti" value MUST be rejected.
Additionally, each ECT is cryptographically bound to the issuing
agent via the JOSE "kid" parameter, which references the agent's WIT
public key. Verifiers MUST confirm that the "kid" resolves to the
"iss" agent's key (step 8 in Section 7), preventing one agent from
replaying another agent's ECT as its own.
9.6. Man-in-the-Middle Protection 9.6. Man-in-the-Middle Protection
ECTs do not replace transport-layer security. ECTs MUST be ECTs do not replace transport-layer security. ECTs MUST be
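Review bot: The new paragraph describes issuer binding (the "kid" must belong to the "iss" agent), not a binding of the ECT to the presenting workload or to the request, so it does not stop a party that obtained a valid ECT from forwarding it unchanged within its validity window; the "jti" tracking in the preceding paragraph is what covers that case. Suggest rewording "preventing one agent from replaying another agent's ECT as its own" to "preventing an agent from issuing an ECT under another agent's identity", and pointing to the later statement that binding ECTs to the request, as Txn-Tokens do, is a potential future extension.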
@@ -947,21 +998,33 @@ Internet-Draft WIMSE Execution Context February 2026
* Trust domains MUST support rapid key revocation. * Trust domains MUST support rapid key revocation.
* Upon suspected compromise, the trust domain MUST revoke the
compromised key and issue a new WIT with a fresh key pair.
Nennemann Expires 29 August 2026 [Page 17]
Nennemann Expires 29 August 2026 [Page 18]
Internet-Draft WIMSE Execution Context February 2026 Internet-Draft WIMSE Execution Context February 2026
* Upon suspected compromise, the trust domain MUST revoke the
compromised key and issue a new WIT with a fresh key pair.
ECTs signed with a compromised key that were recorded in the ledger ECTs signed with a compromised key that were recorded in the ledger
before revocation remain valid historical records but SHOULD be before revocation remain valid historical records but SHOULD be
flagged in the ledger as "signed with subsequently revoked key" for flagged in the ledger as "signed with subsequently revoked key" for
audit purposes. audit purposes.
ECT revocation does not propagate through the DAG. If a parent ECT's
signing key is later revoked, child ECTs that were verified and
recorded before that revocation remain valid — they captured a
legitimate execution record at the time of issuance. However,
auditors reviewing a workflow SHOULD flag any ECT in the DAG whose
signing key was subsequently revoked, so that the scope of a
potential compromise can be assessed. New ECTs MUST NOT be created
with a "par" reference to an ECT whose signing key is known to be
revoked at creation time.
9.8. Collusion and False Claims 9.8. Collusion and False Claims
A single malicious agent cannot forge parent task references because A single malicious agent cannot forge parent task references because
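Review bot: The paragraph opens with "ECT revocation does not propagate through the DAG" but everything that follows concerns signing-key revocation, and the document defines no ECT-level revocation; use "key revocation" consistently or state explicitly that individual ECTs cannot be revoked. The last sentence ("New ECTs MUST NOT be created with a 'par' reference to an ECT whose signing key is known to be revoked") is also in tension with the statement just above that pre-revocation ECTs "remain valid historical records": a workflow in flight when a key is rotated could no longer continue. Consider restricting the MUST NOT to parents that cannot be verified (signed after revocation, or flagged in the ledger), and say whether a child's verifier is expected to re-check each parent's key status during DAG validation.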
@@ -980,7 +1043,56 @@ Internet-Draft WIMSE Execution Context February 2026
* Out-of-band audit: External auditors periodically verify ledger * Out-of-band audit: External auditors periodically verify ledger
contents against expected workflow patterns. contents against expected workflow patterns.
9.9. Denial of Service 9.9. DAG Integrity Attacks
Because the DAG structure is the primary mechanism for establishing
execution ordering, attackers may attempt to manipulate it:
* False parent references: A malicious agent creates an ECT that
references parent tasks from an unrelated workflow, inserting
itself into a legitimate execution history. DAG validation
(Section 6) mitigates this by requiring parent existence in the
ECT store, and the "wid" claim scopes parent references to a
single workflow when present.
* Parent omission (pruning): An agent deliberately omits one or more
actual parent dependencies from the "par" array to hide that
certain tasks influenced its output. Because ECTs are self-
Nennemann Expires 29 August 2026 [Page 19]
Internet-Draft WIMSE Execution Context February 2026
asserted (Section 9.2), no mechanism can force an agent to declare
all dependencies. External auditors can detect omission by
comparing the declared DAG against expected workflow patterns.
* Shadow DAGs: Multiple colluding agents fabricate an entire
execution history by creating a sequence of ECTs with mutual
parent references. Independent ledger maintenance and cross-
verification (see Section 9.8 above) are the primary mitigations.
Verifiers SHOULD validate that the declared "wid" of parent ECTs
matches the "wid" of the child ECT, rejecting cross-workflow parent
references unless explicitly permitted by deployment policy.
9.10. Privilege Escalation via ECTs
ECTs record execution history; they do not convey authorization.
Verifiers MUST NOT interpret the presence of an ECT, or a particular
set of parent references in "par", as an authorization grant. The
"par" claim demonstrates that predecessor tasks were recorded, not
that the current agent is authorized to act on their outputs.
Authorization decisions MUST remain with the identity and
authorization layer (WIT, WPT, and deployment policy). As noted in
[I-D.ni-wimse-ai-agent-identity], AI intermediaries introduce novel
escalation vectors; ECTs MUST NOT be used to circumvent authorization
boundaries.
9.11. Denial of Service
ECT signature verification is computationally inexpensive ECT signature verification is computationally inexpensive
(approximately 1ms per ECT on modern hardware for ES256). DAG (approximately 1ms per ECT on modern hardware for ES256). DAG
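Review bot: In the "False parent references" bullet, parent existence in the ECT store does not by itself stop an agent from pointing at real ECTs from an unrelated workflow; the only effective mitigation listed is "wid" scoping, which is qualified with "when present" here and is only a SHOULD in the closing paragraph of 9.9. Either make the cross-workflow check a MUST when both ECTs carry "wid", or require "wid" whenever "par" is non-empty, and cross-reference the rule from Section 6.2 so verifiers implement it as part of DAG validation rather than as optional policy. In 9.10, one concrete instance of "interpret ... as an authorization grant" (a verifier that skips its own policy check because a parent ECT from a privileged agent is present) would make the prohibition easier to apply.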
@@ -993,7 +1105,7 @@ Internet-Draft WIMSE Execution Context February 2026
performed after signature verification to avoid wasting resources on performed after signature verification to avoid wasting resources on
unsigned or incorrectly signed tokens. unsigned or incorrectly signed tokens.
9.10. Timestamp Accuracy 9.12. Timestamp Accuracy
ECTs rely on timestamps ("iat", "exp") for temporal ordering. Clock ECTs rely on timestamps ("iat", "exp") for temporal ordering. Clock
skew between agents can lead to incorrect ordering judgments. skew between agents can lead to incorrect ordering judgments.
@@ -1005,7 +1117,7 @@ Internet-Draft WIMSE Execution Context February 2026
Nennemann Expires 29 August 2026 [Page 18] Nennemann Expires 29 August 2026 [Page 20]
Internet-Draft WIMSE Execution Context February 2026 Internet-Draft WIMSE Execution Context February 2026
@@ -1019,7 +1131,7 @@ Internet-Draft WIMSE Execution Context February 2026
The temporal ordering check in DAG validation incorporates the clock The temporal ordering check in DAG validation incorporates the clock
skew tolerance to account for minor clock differences between agents. skew tolerance to account for minor clock differences between agents.
9.11. ECT Size Constraints 9.13. ECT Size Constraints
ECTs with many parent tasks or large extension objects can increase ECTs with many parent tasks or large extension objects can increase
HTTP header size. Implementations SHOULD limit the "par" array to a HTTP header size. Implementations SHOULD limit the "par" array to a
@@ -1061,7 +1173,7 @@ Internet-Draft WIMSE Execution Context February 2026
Nennemann Expires 29 August 2026 [Page 19] Nennemann Expires 29 August 2026 [Page 21]
Internet-Draft WIMSE Execution Context February 2026 Internet-Draft WIMSE Execution Context February 2026
@@ -1117,7 +1229,7 @@ Internet-Draft WIMSE Execution Context February 2026
Nennemann Expires 29 August 2026 [Page 20] Nennemann Expires 29 August 2026 [Page 22]
Internet-Draft WIMSE Execution Context February 2026 Internet-Draft WIMSE Execution Context February 2026
@@ -1173,7 +1285,7 @@ Internet-Draft WIMSE Execution Context February 2026
Nennemann Expires 29 August 2026 [Page 21] Nennemann Expires 29 August 2026 [Page 23]
Internet-Draft WIMSE Execution Context February 2026 Internet-Draft WIMSE Execution Context February 2026
@@ -1229,7 +1341,7 @@ Internet-Draft WIMSE Execution Context February 2026
Nennemann Expires 29 August 2026 [Page 22] Nennemann Expires 29 August 2026 [Page 24]
Internet-Draft WIMSE Execution Context February 2026 Internet-Draft WIMSE Execution Context February 2026
@@ -1285,7 +1397,7 @@ Internet-Draft WIMSE Execution Context February 2026
Nennemann Expires 29 August 2026 [Page 23] Nennemann Expires 29 August 2026 [Page 25]
Internet-Draft WIMSE Execution Context February 2026 Internet-Draft WIMSE Execution Context February 2026
@@ -1323,6 +1435,11 @@ Internet-Draft WIMSE Execution Context February 2026
Message Signatures", RFC 9421, DOI 10.17487/RFC9421, Message Signatures", RFC 9421, DOI 10.17487/RFC9421,
February 2024, <https://www.rfc-editor.org/rfc/rfc9421>. February 2024, <https://www.rfc-editor.org/rfc/rfc9421>.
[RFC9449] Fett, D., Campbell, B., Bradley, J., Lodderstedt, T.,
Jones, M., and D. Waite, "OAuth 2.0 Demonstrating Proof of
Possession (DPoP)", RFC 9449, DOI 10.17487/RFC9449,
September 2023, <https://www.rfc-editor.org/rfc/rfc9449>.
[SPIFFE] "Secure Production Identity Framework for Everyone [SPIFFE] "Secure Production Identity Framework for Everyone
(SPIFFE)", (SPIFFE)",
<https://spiffe.io/docs/latest/spiffe-about/overview/>. <https://spiffe.io/docs/latest/spiffe-about/overview/>.
@@ -1332,20 +1449,19 @@ Use Cases
This section describes a representative use case demonstrating how This section describes a representative use case demonstrating how
ECTs provide structured execution records. ECTs provide structured execution records.
Note: task identifiers in this section are abbreviated for
readability. In production, all "jti" values are required to be
UUIDs per Section 4.2.2.
Nennemann Expires 29 August 2026 [Page 26]
Nennemann Expires 29 August 2026 [Page 24]
Internet-Draft WIMSE Execution Context February 2026 Internet-Draft WIMSE Execution Context February 2026
Note: task identifiers in this section are abbreviated for
readability. In production, all "jti" values are required to be
UUIDs per Section 4.2.2.
Cross-Organization Financial Trading Cross-Organization Financial Trading
In a cross-organization trading workflow, an investment bank's agents In a cross-organization trading workflow, an investment bank's agents
@@ -1381,6 +1497,23 @@ Cross-Organization Financial Trading
The resulting DAG: The resulting DAG:
Nennemann Expires 29 August 2026 [Page 27]
Internet-Draft WIMSE Execution Context February 2026
task-001 (analyze_portfolio_risk) task-002 (assess_credit_rating) task-001 (analyze_portfolio_risk) task-002 (assess_credit_rating)
[bank.example] [ratings.example] [bank.example] [ratings.example]
\ / \ /
@@ -1394,14 +1527,6 @@ Cross-Organization Financial Trading
Figure 7: Cross-Organization DAG Figure 7: Cross-Organization DAG
Nennemann Expires 29 August 2026 [Page 25]
Internet-Draft WIMSE Execution Context February 2026
Task 003 has two parents from different trust domains, demonstrating Task 003 has two parents from different trust domains, demonstrating
cross-organizational fan-in. The compliance agent verifies both cross-organizational fan-in. The compliance agent verifies both
parent ECTs — one signed by a local key and one by a federated key parent ECTs — one signed by a local key and one by a federated key
@@ -1435,6 +1560,16 @@ OAuth 2.0 Token Exchange and the "act" Claim
concepts are orthogonal: "act" records "who authorized whom," ECTs concepts are orthogonal: "act" records "who authorized whom," ECTs
record "what was done, in what order." record "what was done, in what order."
Nennemann Expires 29 August 2026 [Page 28]
Internet-Draft WIMSE Execution Context February 2026
Transaction Tokens Transaction Tokens
OAuth Transaction Tokens [I-D.ietf-oauth-transaction-tokens] OAuth Transaction Tokens [I-D.ietf-oauth-transaction-tokens]
@@ -1450,14 +1585,6 @@ Transaction Tokens
downstream services, each receives the same "req_wl" value and the downstream services, each receives the same "req_wl" value and the
branching is invisible. branching is invisible.
Nennemann Expires 29 August 2026 [Page 26]
Internet-Draft WIMSE Execution Context February 2026
* It is incomplete: only workloads that request a replacement token * It is incomplete: only workloads that request a replacement token
from the Transaction Token Service appear in "req_wl"; workloads from the Transaction Token Service appear in "req_wl"; workloads
that forward the token unchanged are not recorded. that forward the token unchanged are not recorded.
@@ -1465,6 +1592,10 @@ Internet-Draft WIMSE Execution Context February 2026
* It carries no task-level granularity, no parent references, and no * It carries no task-level granularity, no parent references, and no
execution content. execution content.
* It cannot represent convergence (fan-in): when two independent
paths must both complete before a dependent task proceeds, a
linear "req_wl" string cannot express that relationship.
Extensions for agentic use cases Extensions for agentic use cases
([I-D.oauth-transaction-tokens-for-agents]) add agent identity and ([I-D.oauth-transaction-tokens-for-agents]) add agent identity and
constraints ("agentic_ctx") but no execution ordering or DAG constraints ("agentic_ctx") but no execution ordering or DAG
@@ -1480,6 +1611,21 @@ Internet-Draft WIMSE Execution Context February 2026
Txn-Token; a similar binding mechanism for ECTs is a potential future Txn-Token; a similar binding mechanism for ECTs is a potential future
extension. extension.
Nennemann Expires 29 August 2026 [Page 29]
Internet-Draft WIMSE Execution Context February 2026
Distributed Tracing (OpenTelemetry) Distributed Tracing (OpenTelemetry)
OpenTelemetry [OPENTELEMETRY] and similar distributed tracing systems OpenTelemetry [OPENTELEMETRY] and similar distributed tracing systems
@@ -1494,6 +1640,18 @@ Distributed Tracing (OpenTelemetry)
while ECTs provide signed execution records. ECTs may reference while ECTs provide signed execution records. ECTs may reference
OpenTelemetry trace identifiers in the "ext" claim for correlation. OpenTelemetry trace identifiers in the "ext" claim for correlation.
W3C Provenance Data Model (PROV)
The W3C PROV Data Model defines an Entity-Activity-Agent ontology for
representing provenance information. PROV's concepts map closely to
ECT structures: PROV Activities correspond to ECT tasks, PROV Agents
correspond to WIMSE workloads, and PROV's "wasInformedBy" relation
corresponds to ECT "par" references. However, PROV uses RDF/OWL
ontologies designed for post-hoc documentation, while ECTs are
runtime-embeddable JWT tokens with cryptographic signatures. ECT
audit data could be exported to PROV format for interoperability with
provenance-aware systems.
SCITT (Supply Chain Integrity, Transparency, and Trust) SCITT (Supply Chain Integrity, Transparency, and Trust)
The SCITT architecture [I-D.ietf-scitt-architecture] defines a The SCITT architecture [I-D.ietf-scitt-architecture] defines a
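Review bot: The new W3C PROV paragraph cites no reference entry, unlike the adjacent OpenTelemetry text which uses [OPENTELEMETRY]; add an informative reference to the PROV Data Model and cite it here. The sentence "PROV uses RDF/OWL ontologies" also overstates the contrast: PROV-DM is serialization-independent, with PROV-O (OWL) being one of several bindings alongside PROV-N, PROV-XML and PROV-JSON, so the real distinction is the one the paragraph already makes, post-hoc documentation versus signed, runtime-embedded tokens.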
@@ -1502,18 +1660,6 @@ SCITT (Supply Chain Integrity, Transparency, and Trust)
correlation identifier in SCITT Signed Statements, linking an ECT correlation identifier in SCITT Signed Statements, linking an ECT
audit trail to a supply chain transparency record. audit trail to a supply chain transparency record.
Nennemann Expires 29 August 2026 [Page 27]
Internet-Draft WIMSE Execution Context February 2026
Acknowledgments Acknowledgments
The author thanks the WIMSE working group for their foundational work The author thanks the WIMSE working group for their foundational work
@@ -1531,38 +1677,4 @@ Author's Address
Nennemann Expires 29 August 2026 [Page 30]
Nennemann Expires 29 August 2026 [Page 28]


@@ -25,14 +25,14 @@
<date year="2026" month="February" day="25"/> <date year="2026" month="February" day="25"/>
<area>Security</area> <area>ART</area>
<workgroup>WIMSE</workgroup> <workgroup>WIMSE</workgroup>
<keyword>execution context</keyword> <keyword>workload identity</keyword> <keyword>agentic workflows</keyword> <keyword>audit trail</keyword> <keyword>execution context</keyword> <keyword>workload identity</keyword> <keyword>agentic workflows</keyword> <keyword>audit trail</keyword>
<abstract> <abstract>
<?line 53?> <?line 54?>
<t>This document defines Execution Context Tokens (ECTs), an extension <t>This document defines Execution Context Tokens (ECTs), an extension
to the Workload Identity in Multi System Environments (WIMSE) to the Workload Identity in Multi System Environments (WIMSE)
@@ -59,7 +59,7 @@ existing WIMSE headers.</t>
<middle> <middle>
<?line 69?> <?line 70?>
<section anchor="introduction"><name>Introduction</name> <section anchor="introduction"><name>Introduction</name>
@@ -460,7 +460,9 @@ a root task with no dependencies. A workflow <bcp14>MAY</bcp14> contain
multiple root tasks. Parent ECTs may have passed their own multiple root tasks. Parent ECTs may have passed their own
"exp" time; ECT expiration applies to the verification window "exp" time; ECT expiration applies to the verification window
of the ECT itself, not to its validity as a parent reference of the ECT itself, not to its validity as a parent reference
in the ECT store.</t> in the ECT store. Note: "par" is not a registered JWT claim
and does not conflict with OAuth Pushed Authorization Requests
(RFC 9126), which defines an endpoint, not a token claim.</t>
</dd> </dd>
</dl> </dl>
@@ -473,21 +475,18 @@ inputs and outputs without revealing the data itself:</t>
<dl> <dl>
<dt>inp_hash:</dt> <dt>inp_hash:</dt>
<dd> <dd>
<t><bcp14>OPTIONAL</bcp14>. String. A cryptographic hash of the input data, <t><bcp14>OPTIONAL</bcp14>. String. The base64url encoding (without padding) of
formatted as "hash-algorithm:base64url-encoded-hash" (e.g., the SHA-256 hash of the input data, computed over the raw octets
"sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg"). The of the input. This follows the same fixed-algorithm pattern
hash algorithm identifier <bcp14>MUST</bcp14> be a lowercase value from the used by the DPoP "ath" claim <xref target="RFC9449"/> and the WIMSE WPT
IANA Named Information Hash Algorithm Registry (e.g., "sha-256", "tth" claim <xref target="I-D.ietf-wimse-s2s-protocol"/>: SHA-256 is the
"sha-384", "sha-512"). Implementations <bcp14>MUST</bcp14> support "sha-256" mandatory algorithm with no algorithm prefix in the value.</t>
and <bcp14>SHOULD</bcp14> use "sha-256" unless a stronger algorithm is
required. Implementations <bcp14>MUST NOT</bcp14> accept hash algorithms
weaker than SHA-256 (e.g., MD5, SHA-1). The hash <bcp14>MUST</bcp14> be
computed over the raw octets of the input data.</t>
</dd> </dd>
<dt>out_hash:</dt> <dt>out_hash:</dt>
<dd> <dd>
<t><bcp14>OPTIONAL</bcp14>. String. A cryptographic hash of the output data, <t><bcp14>OPTIONAL</bcp14>. String. The base64url encoding (without padding) of
using the same format and algorithm requirements as "inp_hash".</t> the SHA-256 hash of the output data, using the same format as
"inp_hash".</t>
</dd> </dd>
</dl> </dl>
@@ -497,9 +496,12 @@ using the same format and algorithm requirements as "inp_hash".</t>
<dl> <dl>
<dt>ext:</dt> <dt>ext:</dt>
<dd> <dd>
<t><bcp14>OPTIONAL</bcp14>. Object. An extension object for domain-specific <t><bcp14>OPTIONAL</bcp14>. Object. A general-purpose extension object for
claims not defined by this specification. Implementations domain-specific claims not defined by this specification. The
that do not understand extension claims <bcp14>MUST</bcp14> ignore them.</t> short name "ext" follows the JWT convention of concise claim
names and is chosen over alternatives like "extensions" for
compactness. Implementations that do not understand extension
claims <bcp14>MUST</bcp14> ignore them.</t>
</dd> </dd>
</dl> </dl>
@@ -534,8 +536,12 @@ future documents.</t>
"exec_act": "recommend_treatment", "exec_act": "recommend_treatment",
"par": [], "par": [],
"inp_hash": "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg", "inp_hash": "n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
"out_hash": "sha-256:LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564" "out_hash": "LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
"ext": {
"com.example.trace_id": "abc123"
}
} }
]]></sourcecode></figure> ]]></sourcecode></figure>
@@ -630,6 +636,31 @@ implementations <bcp14>SHOULD</bcp14> enforce a maximum ancestor traversal limit
(<bcp14>RECOMMENDED</bcp14>: 10000 nodes). If the limit is reached before cycle (<bcp14>RECOMMENDED</bcp14>: 10000 nodes). If the limit is reached before cycle
detection completes, the ECT <bcp14>SHOULD</bcp14> be rejected.</t> detection completes, the ECT <bcp14>SHOULD</bcp14> be rejected.</t>
</section>
<section anchor="handling-unavailable-parent-ects"><name>Handling Unavailable Parent ECTs</name>
<t>In distributed deployments, a parent ECT referenced in the "par"
array may not yet be available in the local ECT store at the time
of validation — for example, due to replication lag in a
distributed ledger or out-of-order message delivery.</t>
<t>Implementations <bcp14>MUST</bcp14> distinguish between two cases:</t>
<t><list style="numbers" type="1">
<t>Parent not found and definitively absent: The parent "jti"
does not exist in any accessible ECT store. The ECT <bcp14>MUST</bcp14> be
rejected.</t>
<t>Parent not yet available: The parent "jti" is not present
locally but may arrive due to known replication delays.
Implementations <bcp14>MAY</bcp14> defer validation for a bounded period
(<bcp14>RECOMMENDED</bcp14>: no more than 60 seconds).</t>
</list></t>
<t>Deferred ECTs <bcp14>MUST NOT</bcp14> be treated as verified until all parent
references are resolved. If any parent reference remains
unresolved after the deferral period or after the ECT's own "exp"
time (whichever comes first), the ECT <bcp14>MUST</bcp14> be rejected.</t>
</section> </section>
</section> </section>
<section anchor="verification"><name>Signature and Token Verification</name> <section anchor="verification"><name>Signature and Token Verification</name>
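Review bot: the two cases in the new list come with no criterion for telling them apart: a verifier cannot know that a parent is "definitively absent" rather than "not yet available" unless the text says what makes an absence authoritative (e.g. every configured ECT store answers negatively, or the store reports that replication is current). The deferral path also needs a resource bound: each deferred ECT can be held for up to 60 seconds, so a stream of ECTs referencing nonexistent parents ties up verifier state; suggest a RECOMMENDED cap on the number of concurrently deferred ECTs, and a statement of whether a deferred ECT may itself be cited as a parent while unresolved (transitive deferral). Minor: the em dash in "validation — for example, due to" should be a comma or parentheses.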
@@ -643,8 +674,12 @@ verification steps in order:</t>
<t>Parse the JWS Compact Serialization to extract the JOSE header, <t>Parse the JWS Compact Serialization to extract the JOSE header,
payload, and signature components per <xref target="RFC7515"/>.</t> payload, and signature components per <xref target="RFC7515"/>.</t>
<t>Verify that the "typ" header parameter is "wimse-exec+jwt".</t> <t>Verify that the "typ" header parameter is "wimse-exec+jwt".</t>
<t>Verify that the "alg" header parameter is not "none" and is <t>Verify that the "alg" header parameter appears in the
not a symmetric algorithm.</t> verifier's configured allowlist of accepted signing algorithms.
The allowlist <bcp14>MUST NOT</bcp14> include "none" or any symmetric
algorithm (e.g., HS256, HS384, HS512). Implementations <bcp14>MUST</bcp14>
include ES256 in the allowlist; additional asymmetric algorithms
<bcp14>MAY</bcp14> be included per deployment policy.</t>
<t>Verify the "kid" header parameter references a known, valid <t>Verify the "kid" header parameter references a known, valid
public key from a WIT within the trust domain.</t> public key from a WIT within the trust domain.</t>
<t>Retrieve the public key identified by "kid" and verify the JWS <t>Retrieve the public key identified by "kid" and verify the JWS
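Review bot: step 3 now checks "alg" against the allowlist, but nothing ties "alg" to the key that step 4 retrieves via "kid"; add that the resolved key MUST be of a type and curve consistent with "alg" (ES256 requires a P-256 ECDSA key), otherwise an allowlisted asymmetric algorithm can still be paired with a mismatched key. The allowlist is described as the verifier's; since "kid" resolution is scoped to the trust domain in step 4, consider stating whether the allowlist is a per-verifier or per-trust-domain policy so that peers in one domain agree on what they accept.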
@@ -812,6 +847,12 @@ with the same action can be flagged as a potential replay.</t>
values to detect replayed ECTs within the expiration window. values to detect replayed ECTs within the expiration window.
An ECT with a duplicate "jti" value <bcp14>MUST</bcp14> be rejected.</t> An ECT with a duplicate "jti" value <bcp14>MUST</bcp14> be rejected.</t>
<t>Additionally, each ECT is cryptographically bound to the issuing
agent via the JOSE "kid" parameter, which references the agent's
WIT public key. Verifiers <bcp14>MUST</bcp14> confirm that the "kid" resolves
to the "iss" agent's key (step 8 in <xref target="verification"/>), preventing
one agent from replaying another agent's ECT as its own.</t>
</section> </section>
<section anchor="man-in-the-middle-protection"><name>Man-in-the-Middle Protection</name> <section anchor="man-in-the-middle-protection"><name>Man-in-the-Middle Protection</name>
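Review bot: "step 8 in <xref target="verification"/>" hard-codes a list position that will silently drift when steps are added or reordered (this very patch expanded step 3); reference the check by its content instead, e.g. "the kid-to-iss consistency check in <xref target="verification"/>". Also, "kid" by itself binds nothing cryptographically: the binding comes from the JWS signature verifying under the key that "kid" resolves to, together with that key belonging to the "iss" agent's WIT, so reword the first sentence to say that rather than attributing the binding to the header parameter.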
@@ -852,6 +893,16 @@ ledger before revocation remain valid historical records but <bcp14>SHOULD</bcp1
be flagged in the ledger as "signed with subsequently revoked key" be flagged in the ledger as "signed with subsequently revoked key"
for audit purposes.</t> for audit purposes.</t>
<t>ECT revocation does not propagate through the DAG. If a parent
ECT's signing key is later revoked, child ECTs that were verified
and recorded before that revocation remain valid — they captured
a legitimate execution record at the time of issuance. However,
auditors reviewing a workflow <bcp14>SHOULD</bcp14> flag any ECT in the DAG
whose signing key was subsequently revoked, so that the scope of
a potential compromise can be assessed. New ECTs <bcp14>MUST NOT</bcp14> be
created with a "par" reference to an ECT whose signing key is
known to be revoked at creation time.</t>
</section> </section>
<section anchor="collusion-and-false-claims"><name>Collusion and False Claims</name> <section anchor="collusion-and-false-claims"><name>Collusion and False Claims</name>
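Review bot: the closing "known to be revoked at creation time" is an issuer-side condition that a verifier cannot check after the fact, so the MUST NOT has no enforcement point; restate it as a verifier rule as well (e.g. reject a child ECT whose issuance time is later than the recorded revocation time of a parent's signing key). The opening "ECT revocation does not propagate through the DAG" also reads as absolute while the paragraph then asks auditors to flag every descendant; "does not automatically invalidate descendants" avoids the apparent contradiction. Minor: replace the em dash in "remain valid — they captured" with a semicolon.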
@@ -871,6 +922,52 @@ compared for consistency.</t>
contents against expected workflow patterns.</t> contents against expected workflow patterns.</t>
</list></t> </list></t>
</section>
<section anchor="dag-integrity-attacks"><name>DAG Integrity Attacks</name>
<t>Because the DAG structure is the primary mechanism for establishing
execution ordering, attackers may attempt to manipulate it:</t>
<t><list style="symbols">
<t>False parent references: A malicious agent creates an ECT that
references parent tasks from an unrelated workflow, inserting
itself into a legitimate execution history. DAG validation
(<xref target="dag-validation"/>) mitigates this by requiring parent existence
in the ECT store, and the "wid" claim scopes parent references
to a single workflow when present.</t>
<t>Parent omission (pruning): An agent deliberately omits one or
more actual parent dependencies from the "par" array to hide
that certain tasks influenced its output. Because ECTs are
self-asserted (<xref target="self-assertion-limitation"/>), no mechanism can
force an agent to declare all dependencies. External auditors
can detect omission by comparing the declared DAG against
expected workflow patterns.</t>
<t>Shadow DAGs: Multiple colluding agents fabricate an entire
execution history by creating a sequence of ECTs with mutual
parent references. Independent ledger maintenance and
cross-verification (see <xref target="collusion-and-false-claims"/> above)
are the primary mitigations.</t>
</list></t>
<t>Verifiers <bcp14>SHOULD</bcp14> validate that the declared "wid" of parent ECTs
matches the "wid" of the child ECT, rejecting cross-workflow
parent references unless explicitly permitted by deployment
policy.</t>
</section>
<section anchor="privilege-escalation-via-ects"><name>Privilege Escalation via ECTs</name>
<t>ECTs record execution history; they do not convey authorization.
Verifiers <bcp14>MUST NOT</bcp14> interpret the presence of an ECT, or a
particular set of parent references in "par", as an authorization
grant. The "par" claim demonstrates that predecessor tasks were
recorded, not that the current agent is authorized to act on
their outputs. Authorization decisions <bcp14>MUST</bcp14> remain with the
identity and authorization layer (WIT, WPT, and deployment
policy). As noted in <xref target="I-D.ni-wimse-ai-agent-identity"/>,
AI intermediaries introduce novel escalation vectors; ECTs
<bcp14>MUST NOT</bcp14> be used to circumvent authorization boundaries.</t>
</section> </section>
<section anchor="denial-of-service"><name>Denial of Service</name> <section anchor="denial-of-service"><name>Denial of Service</name>
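Review bot: the closing paragraph says verifiers SHOULD reject cross-workflow parent references, but the first bullet says "wid" scopes references only "when present"; specify what happens when only one side carries "wid" (child has it and parent does not, or the reverse), since that asymmetry is exactly what a false-parent reference would exploit, and state which side's absence is treated as a mismatch. In the privilege-escalation section, "ECTs MUST NOT be used to circumvent authorization boundaries" is a requirement on an attacker rather than on an implementer; the preceding "Verifiers MUST NOT interpret ... as an authorization grant" already carries the normative weight, so either drop the final clause or rephrase it as a verifier obligation.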
@@ -1432,6 +1529,23 @@ been incorporated into this document. This document obsoletes RFC
<seriesInfo name="Internet-Draft" value="draft-ietf-scitt-architecture-22"/> <seriesInfo name="Internet-Draft" value="draft-ietf-scitt-architecture-22"/>
</reference> </reference>
<reference anchor="RFC9449">
<front>
<title>OAuth 2.0 Demonstrating Proof of Possession (DPoP)</title>
<author fullname="D. Fett" initials="D." surname="Fett"/>
<author fullname="B. Campbell" initials="B." surname="Campbell"/>
<author fullname="J. Bradley" initials="J." surname="Bradley"/>
<author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
<author fullname="M. Jones" initials="M." surname="Jones"/>
<author fullname="D. Waite" initials="D." surname="Waite"/>
<date month="September" year="2023"/>
<abstract>
<t>This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9449"/>
<seriesInfo name="DOI" value="10.17487/RFC9449"/>
</reference>
<reference anchor="I-D.ietf-oauth-transaction-tokens"> <reference anchor="I-D.ietf-oauth-transaction-tokens">
<front> <front>
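Review bot: the new RFC9449 entry includes an <abstract> element while the adjacent draft-ietf-scitt-architecture entry visible here carries only seriesInfo; pick one style for the references section. Also confirm that the body actually cites this reference with <xref target="RFC9449"/>: none of the hunks in this patch add such a citation, and an unused reference will be reported by idnits.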
@@ -1497,7 +1611,7 @@ been incorporated into this document. This document obsoletes RFC
</references> </references>
<?line 986?> <?line 1078?>
<section numbered="false" anchor="use-cases"><name>Use Cases</name> <section numbered="false" anchor="use-cases"><name>Use Cases</name>
@@ -1616,6 +1730,9 @@ token from the Transaction Token Service appear in "req_wl";
workloads that forward the token unchanged are not recorded.</t> workloads that forward the token unchanged are not recorded.</t>
<t>It carries no task-level granularity, no parent references, <t>It carries no task-level granularity, no parent references,
and no execution content.</t> and no execution content.</t>
<t>It cannot represent convergence (fan-in): when two independent
paths must both complete before a dependent task proceeds, a
linear "req_wl" string cannot express that relationship.</t>
</list></t> </list></t>
<t>Extensions for agentic use cases <t>Extensions for agentic use cases
@@ -1650,6 +1767,19 @@ provide observability while ECTs provide signed execution records.
ECTs may reference OpenTelemetry trace identifiers in the "ext" ECTs may reference OpenTelemetry trace identifiers in the "ext"
claim for correlation.</t> claim for correlation.</t>
</section>
<section numbered="false" anchor="w3c-provenance-data-model-prov"><name>W3C Provenance Data Model (PROV)</name>
<t>The W3C PROV Data Model defines an Entity-Activity-Agent ontology
for representing provenance information. PROV's concepts map
closely to ECT structures: PROV Activities correspond to ECT
tasks, PROV Agents correspond to WIMSE workloads, and PROV's
"wasInformedBy" relation corresponds to ECT "par" references.
However, PROV uses RDF/OWL ontologies designed for post-hoc
documentation, while ECTs are runtime-embeddable JWT tokens with
cryptographic signatures. ECT audit data could be exported to
PROV format for interoperability with provenance-aware systems.</t>
</section> </section>
<section numbered="false" anchor="scitt-supply-chain-integrity-transparency-and-trust"><name>SCITT (Supply Chain Integrity, Transparency, and Trust)</name> <section numbered="false" anchor="scitt-supply-chain-integrity-transparency-and-trust"><name>SCITT (Supply Chain Integrity, Transparency, and Trust)</name>
@@ -1675,334 +1805,371 @@ tracing is built.</t>
</back> </back>
<!-- ##markdown-source: <!-- ##markdown-source:
W6Me2XP4MnwlgEORYPGIJwccdF5NRE1Fp0Mkw6qJ0XUT6SK1sk57PZPJW7Wx Z/HosVso9uqKr1CC5GPSGydBbG4ieEjUpZgnS14NZWameR6xYxDbBul6LRpF
74KElGPNGcdKMnFAp9w2sWqrUl3KoZGsFZ85rVc69Lvi06r6sFyw6sx7OHu+ x8nGfLRbPw/fATFxyekWjDEnlBTjWtsVDNhG5cxOp0rRiLwZFBZA8GSIuj9r
vgaXPpN5fakW7T8tROG5lvwvXQUr4XAuuprKA9SabEqo6sylXGVD41JRwKtg fj3Nhv3o+zUzDWobOQjugbxcLlv1mlyNR7Dtq6p0FkhtgiA344XQ90wn0ZFY
RKTctdNPiAQ1mPXSxtEpmVGZATJbtKcwQf91Rgoja+uZ6M7rqxhlHvRiV3Dj 1+/uLAUKMKl5QFur9qwrUF+SKQe7XNNBZdWvl6zM8QJQDpF3ttLQPXA5jCB4
F9fSuZ/4boKTXfvyskOe25IJYuYkcOhNzsVYNlowZt1lCOIXcT6LxsVh1QQK QL0Lu7NPj5gkNXD86IkdvyyrWZbA4T5AVyW+jxI6E+wZWRku3Ie6FH3MOp80
bW4b9/64837c441WMl2S3FfPFEwq7vcPHYCMd+7WSqDTNjfd3IJWfkvHiChI cmTGYKa6eqLajsvY7yey8WQEncLjAr41K5NdN6U7ZogMrHBKeyKshMx8gvcY
nyCZJ5ugg8PrlL1NvvkwaXLys365K43FpGNbz8gyrjmXOng7OZ+u6AHd84FI j+BiN4PbkmFSITNiGsYuuPC5V+RkOSXAQUvs8NoM2e3ujVlIkbEH7dIfl66a
oiXtcZ9E4qNkkeaN6xhLZ/qRmDM3z0pbrrRHdXiYGCkc3c5N3udTjbqn2R+I 4+cHvfqNEukQZSx0ksKx8dXIWgeIuAF6ETKq29OaIUHYy7qJViVofKAB7uqM
J1ShoHhUY2hnArQt52BqCQVoeRUoWdHHBGKUZP12lq0iBHX8gee64poAYiT5 cY/+9IXcL6jl2S27jHueaY1ZYS/Y9aaVCGXKjXhzXCilHaFWqcTgL9xLtzd4
QrqK3jGZeymLXIpSAZAWPAstVmMk6wEj7U2aFdfJMSFSjR9fsTfJeXk4OTFJ GmDZTQMqS1HCUdwNaUmS5BbUacNTC4cdUVoI+arNQF0jhCFkhD/QpLiJ7fsb
3W9J4X9z8o+xIXrJZVT5trJOi3E5x1LMIhWQt1JxwwXxLqsnygDutMlAQC10 avTaG1LReSxhhWCtiJVJiDiMyOCsMacsrBFxL5NrSyUx27hxMcbOggnWeIsG
yGCma8YRBrC610NCUsCLiaJQ6FmnuKQrcIY2/0tjQU5RSOOQFdSGXLp1Ewdl Fpw+tVfkjHX5VUoi3vhjm5o46LpMWE2l+rGUYiDWVtvPLYOUfGWpoI/IzCZ0
voARNR1sQ/cDYUW+vwlm6JyBb39VjWE9TKSJora/1M+QsqdtgKQLUNOLjrSS voKQUtacYrA35QhajMVoy6YsJCbmy3NbDvrBePn2E03pL8uP2w2qzjiHyxf9
yE1DST6pCzG7EQQWpOC0M84fWUWbaqWQI2hHQvcgS+JaTKesRykL99WuvpCp MWi6c+r0pYq1/zhnhWfBqFoZBSrh5BdRcOAxZfANwT9bfQlXGSgHzQp46Y2I
XX/ZqG3vW5J0KsVC5qy+Nqor+CBCEaeJFBnBzvNuX7wLIj0W5k3OOc5yCqLI GB0zrkOC/ZJfkovjqpIZJG8RilAqtcPqv0lBYSRHB+vO/VHMUrf0bFcQVFYK
+EBa6scVf4hvR6M46MMEvhP2REWcoDPkOFc70g4IZqEYKHgle836tL+VfE4r 5XfTiYyPEkq1c3SpYbFHJswMBA4h9vJ8W0sarqVbSbA9cuyq07VWIImYQL54
WBSkIeLsuTdsaN5qp5yeiUbqR6hCwEdI2UTTeNdXVlFYuJTYYtwmX/5RSw84 eK3Pz1vPh5UzYSTLLch9ca2TSYUXqpAO8OCBxRrYsHRSPKwNoWr4u3hOIVGu
ddZ6vhSAG08SSS8u4eyJLWFJmwWX7Qkunko6WITT6kx1rG3dJB4MBarTsEi6 vsb9pAnVxXkTo7vclXQHTY6/ljcPuFwj18HsGFkOHSkRqhaSXlPJ6HoSIiTW
uZVwepelK4JwzckbzR/321De5O2P2LvsdO8t/XRctXDcUkf8cOxfXM8H2tTT kg6x+izwUbBIs1rrcMOefiI0I9jODdYvoZobvmNCqrXr4TmndTlr72a3IexQ
YFvvAqM6cAgndmuTe8U13cJaE80UBcG7vVGc9z6qvCI116jk2z7DBvdnx9X5 hILQUUVNqwnQNIhsl8Q0Oss7f5KFfIw/jM59tQsIVPkD9jVFLxYwkmzDtZrv
BTen3WkQOCM76/GmHJJdMeLvMghxh8H1xlXEK7jD2JfgdbHyLCO2+o23+nkp 6UwfSoOYCOdVEbgTFT8J8vYj3lLxOc0X0RkQUkVfvkZ3uDq8EEodxfpdlLvv
m1yybG1E4RsEBIp8VKe1u5TEB7m8Vm8lPfbO5gJvpQjrGNoAsyBtp6B46Izd VP4hNQQPeYSy9KZajGZycIog55XfcR4jlhlR8GKQV9EqPkSIAF93CJmumQcU
ZgZVuFva1/TcS4dJ7KhqKxMK9bRCLyr7Ev2j6dRxusoViXE2Rl8lWbAsXfF5 gOpehwhBAc8TISFfCVRoSUaghjb+JcFsVRTiMOZOakPGdyAAB0W+QC0K7nWg
KD0nOyQNjbvwW2h59Myg+js+AeIL8tuJmzTy5LkLZ2qPgrT+OE9WSrXR3Lmy pgyzIlc1inpo7YErKljOyXpIuDStFBWW1wgqLsXVuLZa3QnvNpweA00x+l0x
cNgxqBgpGA1XWewxvFqLoYb8l8kkV9aqu1OOB7tA9mPiPhSdXBtZhGYvQL9K MtoCrwUoOM0KAXC7YFLkLGlirx3xuadjCVwLzynqUcLCXQ0Blx7a9B82Yts7
g32OiLTk63T7b6nc154w10UK95JUmFRQSv1qtqFfZJCNORDHnJRBxVpBgto5 31sr/9bj/OWxWVWSD8J7r0ygyDB1XrWrjV7D0UNhXmeYOcK7wIqMQwLErl32
qexRty8390BsTod1mVEbC+xceZ1rw6adRidLaReZxXbVppAr30iTlkleJjRu h7giX0KDLs7p7hdIRMQxOZMcxxxymAGsmU+x9A7aTglUqRrIr8MINjloiLT3
8hr31nCQTqHa1WewHrZQXI6mtMfzdkanVQ9ZsHhPytxFml29uoRKxv9PwrGU WHHbl8S2S0Rd0/UUp5TbRS8REpuu4tBq3ULCzKXYFsPLR/iPiitrit/a8SW/
SRrnd0dFaLdJibmj1emXWjANTWgm702hPNQuxhFdK16v1+IbDPKl0QTVg4f7 uGEngfTCxPiO2GKWNCy4bEdwYVdcFyjwNYZdnUmxTAa0kALVKgPHNTILitoV
0R0ErA8WsAVwMxfbnGVGBJNLCMRboYrOE0LJEj1zE8lHl4uLHF6LNvjq8j7g haaW6ZUPpKdlwTSENzn7I3S0q+69p0qZ1mAIC5WxHw79i31A41ClmH0VYYzo
shMW7VpZKWfhGm1Wqj5Id2E1OaCvJyws7nPjqp1e070wBm610DTT+EIc6z2O wD4c16740ElZbJcrMEFPAYqnXXFKw49BPiuouUYk3/4eBtyfLVfnV9ycdlxT
ztmnLC6R7lV3Ny/td7Pyog93agDBWNkJZpn6fDdKY6Q0eO0dF4U5UwsUSCxq 5B/srKdDILgDNuLvMwjpZpjF4CjCEdxj7DP6Jt85lhFa/cZZ/ftiiWhtBPFn
mpmIpUi4giiGlj2VC220aMj1hpDCBL4OagpjiEwJw9Y1gL4lxZ/lBZh2UsBC io3k2ayKK73qyUXpnVZvOQvg3pIt7zi19Yy0AWRBkmshdKjGLmdpdBKm6457
8tpWzfUUUr6BUn3JKCS5tDOrlpJVN0lXjWR0zEmRm7GvICHg+z3GvVLgPIbC 6SQKHVVNaXz6s+Q9B8m0rH/Urex4zQdkkEZt5FGQBdtCS3r4gh5gh8S+HCJ9
8DKtJ7fMIL2JTxY3yu13Xl6+bnYNwnms4BIlSy4x7s9joKmja693oUCvkKlO 5wvJPTdUUyPcAeAL/N25dhp48vQar8qRIIw/TAfgAhhUMr+05LDDpUKi0GCp
F1poEkKG/Mk7Lpxulqy+MJkG8A/XVQHN/GRprdGO2NZCh0IEWJplpg0JXFSY 9xhOeyAQD+DzYRCZnXA8sgt4Pias7tMCC/IgBH5F+lXs7XOC1DDgsF3VUOS+
kyw4WIOXFmleO0sp1tHSteGkE0kntVB976q8qk4URUHrDEsVL7fcWsJuLV/0 VNpa5DG5lzhvrySl1I1mH/kFBtkckQTISXGpUCuIKCOZY9Li9sWSSQQukGY1
z05QOQET8fNuChgXIsULC8mjxcqHhWl9A7Px0hOUZqjfBhB5AdvS9fc5dtm2 3jqYtqxJy1rcUuo3J1sOFKehXTUU3jxzS4o1Lxz+FfWtHlaSQseqXGAGu/ey
a5YpcZGqFSTvRB5CLN7XyffCOOrI7GWXIr0hClho1IV4nbvfyucbw9E08bZZ KBCTgomd0peaQRhElAL+aDp19ayWw1NGRgG9ah2EBal5CQjXeisfRxiU6SJ/
o2ayF3EFaZpiMqdqKge24O6GER1v1Wnr6wM9r4UCQWaqGAkJRhaGgh/yMlu3 GRPT+o7Nmg7Tmqi7jqR24fQhjGXxqjN/DcDl39ScY19riQ3mAW/iIsqKCJ6L
VDb52Yz9kqdtk8FywsnHSdet+NqBIl9fEQs+erFRNUARP3UO9HFIU+LRz5ct 3tBdahjtFZpsa4PULtp3CtHnkq3OSmuVjwP7n57j0iusC0xf35BCi/+HVSm4
ZwONfG+eI5SxiefIJeBKvYB6XFVZ9w4h5K/DalJzgAS+0KffzIL9PXWp+PYc k1qjFpQH2C6cZe4pv/21dL+J8RecOEMy8/n0IaDHss/wjWA7nHSuJT/h+PFR
OUjoPCRC0pg7wjTKZpdt6l1qBEuaouRKLbODG5g+5nO0VrD7c0lz4QHpY5Zd cC8OatM+wQxtbJgLsJuMA0jOhhdmgHH+guq4R5y0xJfpKVdgXfr1zUNal7Ef
NR2641i4uIUbpXHmEaGlidBSMos+qtw93/nRZUf/6CLU4ldGMbOmOhmkMUnO tJZXFL6MdUNQJf3IFe/FYCNrJ0JR+xCLKY47hWB9G3TTkmQZhJe0WeevjcNk
kiR1u8ata7lpTyXhe7UAhTczdK/gHGNNj+Oui84BvUE5U3zixNqVhacAOjeI WmyUKireX1C7W2HRHQy654kIDFVFb9SKx3xQlyFEm7N96PJKNVSJfwGDX6Ym
QATZ8cWZ9uEmhdYF+EJJG0Dsu/w0sv+YLD3GmijNGU6+LSfji/BuU6lfI5om YMgc7IEDBMNe8iVrUntW6xVx9hpeUbgkUxIMMYO+CVr0PXlgKG1J5EU52ZdO
ycKUT78uS+VKiJhpN7SQAy73darf1jn9uCH1sk7HK2W4MKOcDSKpjjvQ5YcS V60w6Y5z/Kh8DAPKgbGMV+WWQdVJvKsZ0LcGNXiFnpYIFt/NMazfRa53Urde
298VmLps1OASPAn5oN1kSxAFEgO5DtstK2RX/rqcTKVqbWtNHQTuqhzP6qpE xVVyh+LFOUjelAmVgBm/unlTHxgKhqJ5AHyQHIh8vSsumrgJDzuX3HTK9gEX
RSCan7idqzfuzdXFblyDi9OG0PhC1qq5I2vVCCvoOW7i7mHar0e22izSqPxE lGxEH3DFV95jMY96i8ofHlO//JO+IiXAf9R1JFYUWqpUNZfCU/U2lSI5GlNH
PNVO3IpDMmIe8SYQ9fLtAYllTjnOLG1VuqtlLIqm10ShWAyHdEUnyfwFOuIs jB2GuuihTZxVameGGm7ca46rY7WQ5RK5ENVfNMoghsyAG4kR8E1ayPxdIRp0
cRBB+sCGLF6xBgIoDaGNuDkKJrKWKIbb3q23jJ5yOVRViqSeA1/dqtVJ2Mcb IfMOmEAathHAwCFH4cB87kC+c0F1GN/IDF/EdT4NR+TczeiijYUKXU1m1BQU
SR5gAdRP/WdE4Xc1f8RsXGkvZYLsY5844YpjRSr2SsS4do3TGAmZECyRJFnn MCkoI0b+tKL9tc1jxjSIosnS3p8EWiSXbEG02sHiC4B/eKEQI9dwPc6N3FgK
GMRJzXuptXBTFHyX71rZMFDcaFis2wSU61m343Ww4SWhXZLZkY0aslQsF3Rr i7GEU4MXBvbK+4doO9QFXDEYYKNynaNxmQYIuE7v/E0hZHrJIcD1p/CZ5M7I
CGDPhhu4FV2kUTiXgayl5vqgutwxqrcmaVMcAgYdl4hc4xo1XM3+iZJaeDhN ghj2aYVLgA6KoX2YhPVEBRhfLkyo23iqUiUoptskiO2/5VJMLTCYkTpDSpac
VKdLAhCluhERRh+yxhcX3VbX5tBKNa04kUhtqMhmW6vihg/pnijJ4/XgluvQ nBGUvi4dRr43TmAvjHTju5WUWmIpH6XKs6Z5inOUDs5LcuC4CorOcxrBlxF5
cPpxgVQK3zNIDrNEIYrkY0vSAPSK49jQYTfPDnLQtAOZcLmePeNUOP5ar+aE d3zy9plm7PScQyCKCE0InLIV/PPKiysA1ImkSiyhk6FCYKsgZiiBT7/TPmeJ
330hZ7oTcm92o/wSXKDrc2jh7U4C+/3HuGsUNPHXxxGWhMwU2ZL486Ven4aJ Rpw490gtniq3E/lOVhbZAU3WE5Zeesdm1q51X4GLtb5hNk68WmwT5uOBkS9n
6u1dytiOmuiTTZczWhcq4KBvKGWVW7l8Uaq75a0WD7ZXE9z1QCJ8IjxD9i2M mFTWtO8sGHJ1G/s1Z/eQz+AcE5iitmf/jS5F1h+RQB9rIULNP9cY1txDnbH1
nIpsuQxXhES9VPX1gntoLeWKHg6188UdF1ndOP1DMzK1giOk0OxcnJ3tBiR4 K4aczlzRwVNK6GfnrR4txg2Kciv2svPJUg4cOS7EIgedm5m8m4yUYJCkYyQH
nZdEU38LJVttmsyjZ5+3inl9K9OQQ5jBlfY5vNozSiWuo8xa8/fokpENPerW H7Jgm7A2RgslNj2zRjAaDIffBXEqgtuqdoUK6kBOkpPsXMZEnL8dz2/GjkY+
et7sdnrSQOxzHndaTpfsa4iRbK9fKc6ZeKDXnY2Ewx+jTaSw7SXxL8OKYSk6 GT1oOt7o06N/LdLGB9TdwuQ09xZxM/SrICwFxxt1bbDkFDmHKT2AS29oYaBB
7WxJXC5hbwfgqkiC4HLG1CQhfhoTbgyf+JEWxt0FZUmhzDYSLTDZx45ZO+Hh zigEjHe4to6VsYP3+zmVRJD8s52cv8DqczkDA/VUfFI8J/GwHUv8r+6vlPjN
zGbYqNdeUzJw3+EY2Tga7XDWoDeI49yL2GRO8VmiJgbf06etmw3CMyFdKWja uyWN2AMosAtSVPjFUoop2vGmQtt7GcYbEPc8I78k+njXZEvQ5blYToOg2Oy1
rJ7UUE+468I2Xm1c7JpYMcgGxlsLhyq26ro6qrXdv0lctx1Zmhtr8Z6KieTu HcrUcxcDMEtlqDeMbIXXPEv9PwSHUdiEdigrFvlWUOLYE3mMu+U7GUDS9tbD
yvFdQZGHI77+TtLYi2XhKD50jhGS31m74YkxW0lccXnXrHkbXL1qsQqate5N ou/38X+hpIuAYufkMxT0vc6U7FhYWPKf5b3aQd3jiGcuLtT0dWs428lBd8Vc
rPDgZBVgGxfGGrLhOs4CZLnVD18SFCVaSNaEqIAIE5K9bZDr5cdzK435lqYl uM2ECEUOJzos7zmekb1ZxehCwfSBgM30OO4inlVsNgs74wvRemx2JjEoTWGV
8WBaaoCGLxtEwWvmOvaKm1Jptxd/21R8k6C6tBpt5VS7phLdgJ0FD0OLK+Mq ICm7xCWgsN7iPhrbJyeKbd7HcsWwmPdYJDvjPn++R7h94bKHqPPGUu7QcRjP
z8IEzcB9veqFyHhxxJKxCu7BwS1Ioht6jLlcjtr4x26WP1/h7BKPonbfnGNa /4FleTNbmLrWuvL6gFtqPiTtLEHTwvHpAw1lw4h2NRFPA9X2ocno5pjeogAT
kuXm7kbZ+OMpl6BDserAhl94Msrbp1FmUSptoF2BHMIeIe9cKyKM7dZEDDXf yfl66g3l2HBIQszf2S6MBTgkK13bm91mwFGAlGtg5P7yKU6nCIv09bbxGctK
Dl/49B8C3FoVvJ4ddwXcUAjfKYG/3JyIwotm9sLL2ZLb4rNaXJtKd8Jsz7EU Mc+pVMqua8V1nBGMCJYLH7tQPofiRrWWktwzrBRWdVIsB4raUV1uQhwEnePF
AtNSAb4+usDsYukiP70ObUe2gzXGHIdDVBejXPaBPrcOVXBt29qLIXK0fgVz 9S5AFmS4wlKsOXGp0RK4wwmlxkMLqPaUbqu7vpit2fDSYMaowWgLw353vXbQ
0OTiW3V9lbrePRt6+UKnQO+AQIyRyOIFvE6nNIWYzzvNrm7V2hfcxtFz6/iX dmpF6R3YrgSfTwtCNad1O3VrVnJbFN6ONsEaRBNJ2ujsLsKlz0jxT//WC6bN
1zxLWxF9XvM7wE8+yPCOEYEsl1/PWa3xdz9Xkk2vLXSulzUEWm9NJ7Oau5IT 2SXvDdVarPjuBb7THq/7Qps/DWgkpbD1MyaUbqF0ut44q+bbNZdtac0guHKc
Br7JypIz3vjuhKy9/o/S/XtvksnBIeS0ZGc7viTz7PwN04WErwBWyBR9QdZ3 JT9lMFExZfaxsBGzxyUuVvq2iV08G7Qo4F4FVoMxY7pU+hPJR/jqaM1we2wQ
DPa+ZSqy5Ui+TjPrhQPePDu9egHOEXe9QP+KDgPh9hf4LYk5xud/ka90Wlw4 XkbXRwUErAYv3UWLoPEDlpwmUEg5L+mTuG2uxj9qbvWPqnowqIMplxOlDCVB
zvJyxYoP7ktgFz+p8Yi0IJSxw6vb1XVxnyvfy2pgNvIeedPxl7V2AURzKDTh ccYTp4SryOkR7zNOF99tyECsVwRXxwxlEcl4kYSiPwY8o8J0MC13ZylMRwKG
H2lWgg/w+7KXyumu8uwRwtD27t7t91LvQU50gv8nkNN8kryU9j+96yRk+i/x OCqT6dn1pRBLUxpF1/myObTErnBx3dMcvK5qgiRpirDv2RlX6AesJRoI+hi3
5d/kPYGj+8fzoGbxM0GVE48q9Oytv0foN/PbUZIkR/jf6K9HfA3VbT6hl52Z FSoAJSo5YtQSXE0KvPsMcqriIwQx1Yg73rG1reL5znEiqqUZJkqOyZE+YWDt
pjcUouriNyAb/R/rS6GD5GfcXuX0SfpZrIv7qAmHDLnzQ+Kt9ItWP0odeaR0 Aa+p5rL6ePy5zyZtp2qSzKS0Qiwtp8PyuZm/bJMlV8bZW7eH/DW7Yg5WdcE8
3vmp0/H5LegQ0KFf6hP33eZ2dzKCMwvoRb3I/J8eghH+t+jSLGnQ1V34mnL5 AO1SnbmEwt9Orxk+q/uWkzr/9ZxXc0/Oq2EjoBM1DQuiSwlinmq9iYPiFQwT
G7qEIFdaH7oOIVuwEBdv0RGhOpUViHfsckc/pU/3iIkn6K30mYYVnplN/m0A UW8NowECqRpOgiBn7sYDYP9L9Opypdj2aJGKgu4FpR96cXyyozpC3J3AzDGD
R7a/sMtJGpds1SA+HJpS3WS+RxO9MxevAuzdWXVrYm3wzlsIiatrX8tea0h/ BJTBHGB2xfulNEA2W9GRWGZkG9YsOrdgLbGYSlmwo2dN9Kqjlgh9l24YuYvs
w65P5GSXzGjEFesQrpLazbo8xJ105JfLbEVys/8miveKQelznHGxsuG2oK5s s1s4AAkFnxXwthkcaQevvM4Kh1rWAlxsD3cKzGDlG0yCBGIipBKn2Ko0ZuWo
sYMwGriAOyxOriKexK54di8T25rgcvZNMDyDW2jNm8ayTG5HUoJBVC8vb4gX k5hLMUIQlct+rTQicSOYtPa9Jlgzaz9d+wBamBlJiryHiFtMuBH8zSHfs0TX
gC+M0vLDV43xYQf0nHZpW52sS77nlfvvpj59cKwd3t3XLuMrL0Nblq4LywWj vgbmBGrlA/qKQ7SqiPGyB/XHJWwXK1tGa09OV39H2S4yLkxQCww0BCoHFhzC
QsVvXO2rHhJ2Vfk7ciX9NHj1Utz6Kc45XGyBXr3xlrUbRmhfrFEqhkQUN9mT 4EV0GIaFvcqFObFcsYuVRtARS5CivUp2FMBlPQr4VA9ZpsUcLz5tCMfsyiDz
zjydC2EBDdd6h2S23g20T2ZwVbfEJfPKviXzbfcIOcrc5Rh4lDx4sC8FqzU3 ZhakdXA2NyN2yeI8C/3kKIjHFJ6RourM5TrucPUA4ttzUTEQ9LLhPR174PtB
q5LKLu4x4ftyxQNrYy62AyUZ3HWFlQKDv2XvF26293ipt0g5gcYNFzJsd/2S AO5G0spdBi5BTSLPfv827hoglqBL5eYBLJynxGYZl3Usq7CwoOZrjCXCkwxc
n9GST+S83uLtDSt+ePeKe7O47mMYtL9snMl7+e29fNhf9GbIPqRl+sqLDWt8 y2ms4nRQOfXlsviicVcASy+urwrxvImaoDces/AJ6IyyAMlHXoKan9Ktp8H1
FNbo4Dz06/8H4RyVdnSXLTbTe+DF++itsLxH0dWSG1Z3sLa6R//gmmI9NF6S MPJ4jmXBt3zrMOJc8S7Sa1BqVf+QdCjJEPb49fH15eWBJ4I3WQFn6q++4EsT
3kgpa+q2GQMb8I2aNjAKZQ9eNA4+u+u8GvaYS4MU7UflkXZnM8rxvY8eTXY2 R+vgsy97xbw8lQrex/fgstWErg6NnBItktu7zy64N3Wg7H6vjO9Bq8wuiX3M
nS/j2i/xzv5sN/75pYdHAiD586fNn7g/96NX7c1db96ENz3i7Gw53t141O4O Ao+L5ZbTkD2RHXar0WWFnNfx4MHBl+nmC6/qG7Q5C/ZmrbbA5SIMltG6CpEQ
zPrI227fXJ/xwKVq6OndNc+Gg00m6fSOw6Wjw3my0OLdcfZee1upB11YYdSw sjPF08T4WmiTomAOdQ02o15vbUGhTAcPLVGyA26idoLNmeG1EciM4KGR4M4o
ssN1h6YrL9elBHH3a6QhKQcO0NKUV39lB7ht3OuHGwRxga26TTkabIuKA4Iu x1mhRhpMcPGUEPgcRlw4NToS52KOyZTsPTaEjQrMCOdjQ/WkIvUEKzvu49VG
IYF/Ha2M5/qaXOC9Hx2B8lWzfiX2W2nFDcTeLPz8/ddrF1dvUzj+qaux0X4g gaNY5xOPDTl1G0Iz0FT1ogoJ1kikVEKAbtpBoGKwko8YfHr9r7vohEDwHIJu
JEKZfzYTyismHGgJ93H6u7ot2ueL4e890aNlXrRytx4yi8hkIblmBpySnGuE ZWy83OZ64n2RWT7y496l1UjZcsSFlg9ML1il1a7yndesZW7sLQ8SPWmxjWLI
FYfz7+pCRmVY3nbi/y7BnQBOr+GSAReHRMOqAZKG+Oq7MB6Bnt4ljX+aqdtU Juh9mqd+ZSnFP2VeJc5LhiyzCkgYvdm2MVKLVNrTkYZ8S3ICsDFJeb48e3s2
Lnridhh+9Qn3rUl6Hvxww6gkS7oyOLXIjdz8od7Ic7Ym7cO9B2pbnH4ci1Hg JAreINexU6yz/Y4qD0vZBwYgO0VIIqK1lCeutHBlGy1niYdR1W6jJQx8B/VI
kkylMzh0zc2nGLUF7/Q93DqyPy/Ou3JNxptosm4bcjUcI43X2T3qo47c064m 39518Gk4OGDJNAqs84llWINLh4252c6a8Mt2trEx7xzqP7jBDBO8CrDc9LrX
ppS6RthNLnrVvVPecPnJVAP0M8hGd6ac7Mh1YvFdN/TTfG/AGXp8dojZa5in wS8vtAptG1CND3w3yzBR18H6Y77ZSsvrEObIJ31KZrax7dxshUrQG6FbqVdD
WXJUOx8jPYS5fDZHGmgqw/qieVj0xcpwH6WUr7PhxkCydo1C+Ur9lNOmiPiY T/aO/Hb9MnqtAno3wyhwHDSyFxzOHmC5g5TrzRu6w2jPoRQipiUCvN86r9n1
ZHUneHF3aKLGcJ08NRttJ/azd2/hGOKyLrnSj32N69o34hRRWYW3ZgxaI7tU VmFXnaLzp7ZFNcac+U0UvwY7zunqHiUVuom+96CHbZEWCgf5bkCTcxxB/fuf
W0Ac3XI0Xcevy4w4ZonrqnaYmdE4u1ayQ4h7TWFY7giX87c11NAMTcj8QXe5 SIOYa/WqQKeoW9iYUGThAN7ES+iCzedxfSBTtfYl3kzhuHX4zRvspSnhfC7w
4+/3fApxXPfkLp6Vu9/GWjADJ0Acr9AueEZSV++HLv7rLX77bfBDBzo66ls4 GaJP3Ej/jGGBTANBb0quQH7yRWAqK9cNtottRQKtM6bzVYUlM4AC36ZFgekm
feQWYRRA1AT2qdzaLK87JRn4E/neGWeGgw2EzoUyEzpcXJ6BJ3CM7w0kaYHd eB1k2iz+tdC/D5OUN47wXlvEatCbYJ5dvcVzwdgxWlaSKfIAj48dQHu6AlsO
IppwC8ppNtOd0Nf62zEbrHg5SRveSSQ94vNnru5YpMgG7CKS88dpb0J/m9RY 5OsytU440JOXF9OXXPkkqJlJ1S9bDASLZ9J3UcgxvvyDfKVVIFM5y6sdKj50
iuAZQYXurj6WiVD2gKyr97eFI0JiR8v5stAbeThGnibBOcoNOrgSxg2sxkUo BSQiRLA2xrUiYcY4ugMZ11tEfcngdiMzyHv4SeUvvWKDcOYoyxu/RCdmXBB9
RtbgnUTysdrIG6sx8iZrtJtUJ9MUHjpaZyK46S+lJUTyyV5hsX10s5pWJhlZ 33TyqHhWvYMwAYkflhL90r0errNyrBP8X1k5AXNnBZcY7tyQyd1/jS//ys/x
oFoh1qMN25A7DvzNAQHrcXfanFBdElfids4uwzcNUCVKaNi9gGo1zahA1d8t OuofL7yahZ8xqZw7UoHP3rn48K/m19Moik7pv8Gvp3iz9l2WwMNqptlLXwHt
KwpZOncSr5Gem6FDkM/N9hvyCQ3GagGRW5PUthOuE2fa85vj5AMxzo6krGfz VyI2+B/qS/5SjC90Ibfqk/A1WxcPqaIcyZB7XwTeCt9IYIer0AVK572vqo6P
kYgDwB2JcXexeMVhDQNd9lXcR0PX+NTY/ix62ZjkWeLzZSmCYuIDRHH131nb T5EOQTr0K/lE3xuujM8tqFkAD16x7vF3N4EE/2twDzgXKW8PvKdc/ko1RilR
Z2CaCDyldXDoj5gVp56uJ0oNtXs9V8B27yuEIz1qso64tvqvfUdqsyOEtY2m UT7U+qJ7qJDuEoctotpWqEC8x1A81Wz+/GCLwQn8/Qs0yzwzTf55RFELdwe5
uNOEdI1FTDKdqMQ1cZ5x1KyMg+I6yftx+3Gwi6zMeHEm1CzX3WoAxxnRgGqd ShrNdKgJnOkLX9+mrg504P+m017emVAbDA2ELvICubpc1dG57YIjhGEWFbpk
A6Te8EaEr14xBnt6DaTfFyKO9ncG0EMcAuRNxNYQpJPei3/sykiCVG1/Jinl ZjOEX5Bw5bxK1OVJ3PElgxsy/Vlyo/8mAFtqjRtRNQjPYPCmEy2f0iIYATSQ
rlEq44umzNYMapoNPsBuWeFQq+lEFEvuhr3Yx5Yv5M6C49K4tlmyUK1q5La0 OyzMbACehBEhdC8D20LVY3gNL8kt1POmoSzjC59dXBazUItb4AXEF2Zx8fGb
oiJHu9ZkhWi7Rtt4oN8rJxb3nFThMhhW/AZtO3P9zUNT8i/qnBx3xS0TnBZP 2jjAAV2jpTkTrZSnOXSIVwrFLndnLpfW6duabpEVvqhr24WlWCZfLyysFSYe
agcPhdSXcZW4XiV+jU/RqHeeExavp9ED8CIPu3UX2hfd+w81GTLqCnClsZWd EnRVqRYvuV/eq8fQE3bO0V2ddP1QOGWppelvZFIAD6xEEHA+5Lq+Ybm0U1oN
c4LoFZrwkPq0u0WuxO/Q/s4vTt9cnb46fX169fZnp4brIuPWAxrAceql17ar LdwLMluuOz4CM7isGuCSWWnfgfl2cEoJgnhxE9FR9OjRERfOqbAgNpdVwAqV
EbMwr5yi8ne0nE5dsIdsIg6kCrSR0iIGlPivbhAzzTlVpE25UjldkVHv1fO1 rvZ32LAU/0Y7kDMx9aIbzu79a/pho719oIc6g+QdqLU5n9524Ib8HIZ8zvv1
VrDuZmXCoyTc7bKl8O2pH8hIGUGS3eSStTarq+V0hmhhuLpW33cd6rrJXAY3 jp4eGPHj+0fc6UUrnFOj3WHTnnzg7z7wi91BD6/sYximS3seGOMTP0Zd54kb
wz11t4f3ElkiVZyzhPW2yqCpmSjvoAuS7nnIvSiNy/csViHQMzFaXUzMuoVY /9+4zkFedXvYbDN9ILr4EDzlh/fEjp1oHxjdcW90T/7GMYV6aDgk/jzlMbWL
kzEZ76H2oXhnQzMF327Ed8NzgX3+rn/G2Ub+Ir+YzYcu/KDrHBawbHAM+/tz lGccGNYa5X1GIezBicbRF72hvEaPOZdXlWrWjmjHwyR3gLmzSibjof1FWvtj
POfugQBTrfuMNadLagE1I7l2fk1NvTg5u7qyO5dLJLueQEnwDRaG2gWexcZ4 OLM/2cGfP3boiBeIf/5j+BX9eRg8am/ve/LWP+kIZ7xnew/CVtszMP2WLYjC
NVTeSkbwFjphxiADbrNem3Hetkn8a2QipaZrp7V+8jbEQKXRrSw31mkcmJCD v63HY0X6yu7d18/AxkZJvLxnc2HraD9RaOHsMHUGi+GxV1qAIf5SjBbXnZi2
pmtYPxItJJQGt2ogpaVcsGZSUc48hOI2tDSPjHopp8RRtExvuiWV6AMaywjj vOxLCeDuC0KxCwf2qyX5Zu4WUuK2YaVgRD4ifEXcpogDk9qCimfFb2c747i+
jNO/pNF4vNo2gqguXTrJjLmZHidcYNTtABaGDQr50ISCKCgRzEBwTZjT9fM6 YFOd96MlUL6pu4WjMMmGoUVI2MPCDyRnu4i7dUXc9ygcWvU9ruarDPEm6Nnu
subTAt0lcDtj/0ZU3qDcTynMqtMhRhV/r/STZFvzZ3hBW07Cjxd1Re+qyh75 4eHxW7k2J8DRm78XSO8Uk1ZgnAoW8u7SjYBs+DtP9Gyb5Rj7V2A6mCwg18wI
GuwXfA1rlycbFwvPG/U/mP8DO2hh6c+kAAA= 8wEzibDS5vyLuJAJJ5s1LeSfZpfCgsNjdG9iCxExIsx5kiVBe7D08Cxo/MtU
3KZ8dzUCvdzoI6x6G3U8+C6fUjKVtAaFWOSGLzMVbyRfQ/X48JHYFhef5mwU
OFwWeX9J1xzexeCms9atCXtbdvuF6Bq9OKsOOmvfrCaGY6Dxqt0jPurAPa2w
uYKLipDdpNGr1iVqscHc76UE6FckG3VPYwbKtK7vha/WhyNM8MC9o5i9hHnq
LUa1szkBQ5HLp2vKwYq5WVexiiz6fGewCnOMN/Riig+PXaJQrkxWjKh7rJZX
pDoTevBgYoKy8nEHB+KmE/rZ2xeLTghSjUX/MwJz97VvilMEOc3OmjFo3Lg8
N1pxqrUrQF03LjPDmCXdwD1GZgbtHFjGhQL3WpJhOWYu5y6grEgzNB7zS7Xp
z344dPl7YdEBBXFyYdK5ZKu7y5c0XiE19A3njT30FxP2rxHq3uzn69fDVt+R
0wdrFkr2cQXLvsSxnMrjqiQT/QS+d6SZyWjgoCMIPIHNpftA6RNyjB+OGLSA
bhHJdqOTUw+fOz5f/adDNljicKLGPxMxPOLLF+Nh/G1CUn+c3GzgLsiecwUq
JFA+d9NPRcQnewTW1Ye7XA8hsKPtepvLJcMYI48j7xzF6niYhq4N1wrp10pA
ErzjSD6NNvDGSoy8TmvBlbYSlchDB+OMmDZ50bmOgoN5+8F2yc0KoJyx2HRq
+bCeDkyDr210l6x5qmcAKZA6A1fCK6M0QSz2qwongdCgBBgWRAWV3LhDRSGN
1yrxakkKdJVKXWKkm5ADNBgr2fs6Ji4slVEx3UM3OQQfsHF2yjn1w1vCDgDd
EqPXyzrFoUeBir4Ki9jJGJ8Z2+1F7k/nRAx6fVuwoEhcgCgsvXHZdBmY5JEh
Sg9Df8CsCBXbQwpgORnkOFh+xvkjBF7uWm5zs0G2JTedI2cITGICmDarWq4+
RwXN3UQhpm9sA1gM1azHGGmKFwNj4XqRDG4/hcRkTOmnDTuheWsCcz24vItr
yqvr3V3YZcbME/axA6xQxzg+CqfGiSgLbfigr9KO8Xzp5MO8+TQ6oHykcF2N
r3VUteH2ytSphm+fecXOZ0DByWqHh8+xGs+1uvJP2dZ4RCqU0m4LVEnxRc6t
+UNbvMNKVfbnEV+ymbuqUMLZzd7cQeiN3JftciQT2WfWIhh2Yq+PaMrXj+me
2rPCaOVhHqhUQ8H7eJh4glkLziKEpEr5P7rohoqCt/1r/uZG1FmDuyWNv7Pt
q+oyhozR6xlhQihQKDZFqJ15Gen5cGN8RrD8dYYw214CKS08i/J2vrZcG+dc
n4LjDKqJTSUsNL6CFZ1S8U7Q/A72iMTwGZjf1fXF2+nF64s3F9N3P6sFIYMM
S5ZJ7Ek1Y2colDPkvk6vpopBs+1yqXEqMOcwBsyrTWgctv3Y9XZL4d4MUS5N
jBWO4l196i2LXl63EeMN6CjyN+3uKZjxzKcMcAJtlN5mzFkkKw8DnQ5gKfha
V5q/k9xRYZLmM5pTH4MTWBF0w+hW/I+qZJoAMtFekvZ+8O2vtUJV852PUSVG
qhKBnGlIInObVOU50Xy3gSJsrkyhuwZAMQmEZu7scTrIX/gbM7zpzA/afm1e
lgGftrvN2CfZtZeAuuq7uwWOxjVEJI2qUh7PZ+KnJ+ec/Mz+J4YBUf71+Prd
1Y97DgRxAHwTHgnfCS4RvmBDEqMxt/QLsSXYGCobaKTYhbecNn4QQeATS55D
H1z3m5XldbxhVS0nsB+n/IgQgHNAQ5Jes17ZJCwgQXxzIg+qYzx8iH0HTp9g
BDsPAwz0uL4smB8/342cxAyaqHVYncRI2EinLVLnW4yfvHvx8uHVT691ZXDI
rROitSEdDNUDCXKf32MrrMa/TiOwEtOEAUmET2Dph9Rs2uUW/RFmypbzR4eJ
hcaM6lCUlC7UlIaGLJcDLhSmFgIEiK34bYxiQrC3vAI355fTqR3fbAkVfk7a
tMupm8hli6hfzXcTkeSg9dxDhNzgPjdPPc+aJgq/DXwJsWk7NBrXeePBAnyf
FA83VP71UBJYU8bQZwCSkRamoCHLIVCZidmKcecxvO0J+uFWb5gQMNycyi0h
oM59pMIcRbBtjJPkJLZwtE2wojJ0rnc6xzRcRCZRq/sXmNUD4scfa194gk4H
HtslCIWNGsVZFbi94pxqIKJC5MwSp/dlAvSOmDxadUzFQnYHHvSonuPPqXVF
4r8EPgbPim0bOOXsV5xyHa39U2MUNIKZh+SoM/8b45XZ1tG4AAA=
--> -->