Implement peer review feedback for draft-nennemann-wimse-ect-00

Address 11 items from peer review:
- Fix area designation from Security to ART (WIMSE is in ART area)
- Switch inp_hash/out_hash to fixed SHA-256 without algorithm prefix,
  matching DPoP (RFC 9449) and WIMSE WPT tth claim patterns
- Add partial DAG verification guidance for unavailable parents
- Add DAG integrity attacks subsection (false parents, pruning, shadow DAGs)
- Add privilege escalation subsection (ECTs are not authorization)
- Add revocation propagation semantics through the DAG
- Add W3C PROV Data Model to Related Work
- Strengthen Txn-Token differentiation with fan-in/convergence bullet
- Add explicit token binding paragraph to replay prevention
- Switch verification step 3 to algorithm allowlist model
- Add par/ext claim naming justification notes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 21:59:16 +01:00
parent 1385ec8af1
commit ff795c72e6
4 changed files with 1194 additions and 661 deletions


@@ -1402,6 +1402,9 @@ existing WIMSE headers.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.2">
<p id="section-toc.1-1.6.2.2.1"><a href="#section-6.2" class="auto internal xref">6.2</a>.  <a href="#name-validation-rules" class="internal xref">Validation Rules</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.3">
<p id="section-toc.1-1.6.2.3.1"><a href="#section-6.3" class="auto internal xref">6.3</a>.  <a href="#name-handling-unavailable-parent" class="internal xref">Handling Unavailable Parent ECTs</a></p>
</li>
</ul>
</li>
@@ -1444,13 +1447,19 @@ existing WIMSE headers.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
<p id="section-toc.1-1.9.2.8.1"><a href="#section-9.8" class="auto internal xref">9.8</a>.  <a href="#name-collusion-and-false-claims" class="internal xref">Collusion and False Claims</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.9">
<p id="section-toc.1-1.9.2.9.1"><a href="#section-9.9" class="auto internal xref">9.9</a>.  <a href="#name-denial-of-service" class="internal xref">Denial of Service</a></p>
<p id="section-toc.1-1.9.2.9.1"><a href="#section-9.9" class="auto internal xref">9.9</a>.  <a href="#name-dag-integrity-attacks" class="internal xref">DAG Integrity Attacks</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.10">
<p id="section-toc.1-1.9.2.10.1"><a href="#section-9.10" class="auto internal xref">9.10</a>. <a href="#name-timestamp-accuracy" class="internal xref">Timestamp Accuracy</a></p>
<p id="section-toc.1-1.9.2.10.1"><a href="#section-9.10" class="auto internal xref">9.10</a>. <a href="#name-privilege-escalation-via-ec" class="internal xref">Privilege Escalation via ECTs</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.11">
<p id="section-toc.1-1.9.2.11.1"><a href="#section-9.11" class="auto internal xref">9.11</a>. <a href="#name-ect-size-constraints" class="internal xref">ECT Size Constraints</a></p>
<p id="section-toc.1-1.9.2.11.1"><a href="#section-9.11" class="auto internal xref">9.11</a>. <a href="#name-denial-of-service" class="internal xref">Denial of Service</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.12">
<p id="section-toc.1-1.9.2.12.1"><a href="#section-9.12" class="auto internal xref">9.12</a>. <a href="#name-timestamp-accuracy" class="internal xref">Timestamp Accuracy</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.13">
<p id="section-toc.1-1.9.2.13.1"><a href="#section-9.13" class="auto internal xref">9.13</a>. <a href="#name-ect-size-constraints" class="internal xref">ECT Size Constraints</a></p>
</li>
</ul>
</li>
@@ -1517,7 +1526,10 @@ existing WIMSE headers.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
<p id="section-toc.1-1.14.2.4.1"><a href="#appendix-B.4" class="auto internal xref"></a><a href="#name-distributed-tracing-opentel" class="internal xref">Distributed Tracing (OpenTelemetry)</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.14.2.5">
<p id="section-toc.1-1.14.2.5.1"><a href="#appendix-B.5" class="auto internal xref"></a><a href="#name-scitt-supply-chain-integrit" class="internal xref">SCITT (Supply Chain Integrity, Transparency, and Trust)</a></p>
<p id="section-toc.1-1.14.2.5.1"><a href="#appendix-B.5" class="auto internal xref"></a><a href="#name-w3c-provenance-data-model-p" class="internal xref">W3C Provenance Data Model (PROV)</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.14.2.6">
<p id="section-toc.1-1.14.2.6.1"><a href="#appendix-B.6" class="auto internal xref"></a><a href="#name-scitt-supply-chain-integrit" class="internal xref">SCITT (Supply Chain Integrity, Transparency, and Trust)</a></p>
</li>
</ul>
</li>
@@ -2036,7 +2048,9 @@ a root task with no dependencies. A workflow <span class="bcp14">MAY</span> con
multiple root tasks. Parent ECTs may have passed their own
"exp" time; ECT expiration applies to the verification window
of the ECT itself, not to its validity as a parent reference
in the ECT store.<a href="#section-4.2.2-2.6.1" class="pilcrow"></a></p>
in the ECT store. Note: "par" is not a registered JWT claim
and does not conflict with OAuth Pushed Authorization Requests
(RFC 9126), which defines an endpoint, not a token claim.<a href="#section-4.2.2-2.6.1" class="pilcrow"></a></p>
</dd>
<dd class="break"></dd>
</dl>
@@ -2052,22 +2066,19 @@ inputs and outputs without revealing the data itself:<a href="#section-4.2.3-1"
<span class="break"></span><dl class="dlParallel" id="section-4.2.3-2">
<dt id="section-4.2.3-2.1">inp_hash:</dt>
<dd style="margin-left: 1.5em" id="section-4.2.3-2.2">
<p id="section-4.2.3-2.2.1"><span class="bcp14">OPTIONAL</span>. String. A cryptographic hash of the input data,
formatted as "hash-algorithm:base64url-encoded-hash" (e.g.,
"sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg"). The
hash algorithm identifier <span class="bcp14">MUST</span> be a lowercase value from the
IANA Named Information Hash Algorithm Registry (e.g., "sha-256",
"sha-384", "sha-512"). Implementations <span class="bcp14">MUST</span> support "sha-256"
and <span class="bcp14">SHOULD</span> use "sha-256" unless a stronger algorithm is
required. Implementations <span class="bcp14">MUST NOT</span> accept hash algorithms
weaker than SHA-256 (e.g., MD5, SHA-1). The hash <span class="bcp14">MUST</span> be
computed over the raw octets of the input data.<a href="#section-4.2.3-2.2.1" class="pilcrow"></a></p>
<p id="section-4.2.3-2.2.1"><span class="bcp14">OPTIONAL</span>. String. The base64url encoding (without padding) of
the SHA-256 hash of the input data, computed over the raw octets
of the input. This follows the same fixed-algorithm pattern
used by the DPoP "ath" claim <span>[<a href="#RFC9449" class="cite xref">RFC9449</a>]</span> and the WIMSE WPT
"tth" claim <span>[<a href="#I-D.ietf-wimse-s2s-protocol" class="cite xref">I-D.ietf-wimse-s2s-protocol</a>]</span>: SHA-256 is the
mandatory algorithm with no algorithm prefix in the value.<a href="#section-4.2.3-2.2.1" class="pilcrow"></a></p>
</dd>
<dd class="break"></dd>
<dt id="section-4.2.3-2.3">out_hash:</dt>
<dd style="margin-left: 1.5em" id="section-4.2.3-2.4">
<p id="section-4.2.3-2.4.1"><span class="bcp14">OPTIONAL</span>. String. A cryptographic hash of the output data,
using the same format and algorithm requirements as "inp_hash".<a href="#section-4.2.3-2.4.1" class="pilcrow"></a></p>
<p id="section-4.2.3-2.4.1"><span class="bcp14">OPTIONAL</span>. String. The base64url encoding (without padding) of
the SHA-256 hash of the output data, using the same format as
"inp_hash".<a href="#section-4.2.3-2.4.1" class="pilcrow"></a></p>
</dd>
<dd class="break"></dd>
</dl>
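Review bot: with the algorithm prefix dropped from inp_hash/out_hash, the new text leaves verifiers without a malformed-value rule; the removed sentence "MUST NOT accept hash algorithms weaker than SHA-256" is now implicit, but nothing says what to do with a value that is not a valid base64url string or does not decode to 32 octets. Suggest adding to the inp_hash definition a sentence such as "Verifiers MUST reject an inp_hash or out_hash value that does not decode to exactly 32 octets", and repeating "computed over the raw octets of the output data" in out_hash rather than only "using the same format as inp_hash", since the encoding format and the hashed input are two separate requirements.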
@@ -2081,9 +2092,12 @@ using the same format and algorithm requirements as "inp_hash".<a href="#section
<span class="break"></span><dl class="dlParallel" id="section-4.2.4-1">
<dt id="section-4.2.4-1.1">ext:</dt>
<dd style="margin-left: 1.5em" id="section-4.2.4-1.2">
<p id="section-4.2.4-1.2.1"><span class="bcp14">OPTIONAL</span>. Object. An extension object for domain-specific
claims not defined by this specification. Implementations
that do not understand extension claims <span class="bcp14">MUST</span> ignore them.<a href="#section-4.2.4-1.2.1" class="pilcrow"></a></p>
<p id="section-4.2.4-1.2.1"><span class="bcp14">OPTIONAL</span>. Object. A general-purpose extension object for
domain-specific claims not defined by this specification. The
short name "ext" follows the JWT convention of concise claim
names and is chosen over alternatives like "extensions" for
compactness. Implementations that do not understand extension
claims <span class="bcp14">MUST</span> ignore them.<a href="#section-4.2.4-1.2.1" class="pilcrow"></a></p>
</dd>
<dd class="break"></dd>
</dl>
@@ -2123,8 +2137,12 @@ future documents.<a href="#section-4.2.4-3" class="pilcrow">¶</a></p>
"exec_act": "recommend_treatment",
"par": [],
"inp_hash": "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
"out_hash": "sha-256:LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564"
"inp_hash": "n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
"out_hash": "LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
"ext": {
"com.example.trace_id": "abc123"
}
}
</pre>
</div>
@@ -2251,6 +2269,35 @@ implementations <span class="bcp14">SHOULD</span> enforce a maximum ancestor tra
detection completes, the ECT <span class="bcp14">SHOULD</span> be rejected.<a href="#section-6.2-3" class="pilcrow"></a></p>
</section>
</div>
<div id="handling-unavailable-parent-ects">
<section id="section-6.3">
<h3 id="name-handling-unavailable-parent">
<a href="#section-6.3" class="section-number selfRef">6.3. </a><a href="#name-handling-unavailable-parent" class="section-name selfRef">Handling Unavailable Parent ECTs</a>
</h3>
<p id="section-6.3-1">In distributed deployments, a parent ECT referenced in the "par"
array may not yet be available in the local ECT store at the time
of validation — for example, due to replication lag in a
distributed ledger or out-of-order message delivery.<a href="#section-6.3-1" class="pilcrow"></a></p>
<p id="section-6.3-2">Implementations <span class="bcp14">MUST</span> distinguish between two cases:<a href="#section-6.3-2" class="pilcrow"></a></p>
<ol start="1" type="1" class="normal type-1" id="section-6.3-3">
<li id="section-6.3-3.1">
<p id="section-6.3-3.1.1">Parent not found and definitively absent: The parent "jti"
does not exist in any accessible ECT store. The ECT <span class="bcp14">MUST</span> be
rejected.<a href="#section-6.3-3.1.1" class="pilcrow"></a></p>
</li>
<li id="section-6.3-3.2">
<p id="section-6.3-3.2.1">Parent not yet available: The parent "jti" is not present
locally but may arrive due to known replication delays.
Implementations <span class="bcp14">MAY</span> defer validation for a bounded period
(<span class="bcp14">RECOMMENDED</span>: no more than 60 seconds).<a href="#section-6.3-3.2.1" class="pilcrow"></a></p>
</li>
</ol>
<p id="section-6.3-4">Deferred ECTs <span class="bcp14">MUST NOT</span> be treated as verified until all parent
references are resolved. If any parent reference remains
unresolved after the deferral period or after the ECT's own "exp"
time (whichever comes first), the ECT <span class="bcp14">MUST</span> be rejected.<a href="#section-6.3-4" class="pilcrow"></a></p>
</section>
</div>
</section>
</div>
<div id="verification">
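Review bot: the two cases in section-6.3-3 are told apart by whether the parent "may arrive due to known replication delays", but nothing says how a verifier decides that absence is "definitive"; as written an implementation can always pick case 2 and defer. Suggest naming the signal that makes case 1 apply (for example, the deployment's documented replication window has elapsed since the child's "iat", or the authoritative store has confirmed the "jti" was never recorded), and adding a bound on the number of ECTs held in the deferred state with a pointer to the Denial of Service section, since each deferred ECT is retained for up to 60 seconds.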
@@ -2274,8 +2321,12 @@ payload, and signature components per <span>[<a href="#RFC7515" class="cite xref
<p id="section-7.1-2.2.1">Verify that the "typ" header parameter is "wimse-exec+jwt".<a href="#section-7.1-2.2.1" class="pilcrow"></a></p>
</li>
<li id="section-7.1-2.3">
<p id="section-7.1-2.3.1">Verify that the "alg" header parameter is not "none" and is
not a symmetric algorithm.<a href="#section-7.1-2.3.1" class="pilcrow"></a></p>
<p id="section-7.1-2.3.1">Verify that the "alg" header parameter appears in the
verifier's configured allowlist of accepted signing algorithms.
The allowlist <span class="bcp14">MUST NOT</span> include "none" or any symmetric
algorithm (e.g., HS256, HS384, HS512). Implementations <span class="bcp14">MUST</span>
include ES256 in the allowlist; additional asymmetric algorithms
<span class="bcp14">MAY</span> be included per deployment policy.<a href="#section-7.1-2.3.1" class="pilcrow"></a></p>
</li>
<li id="section-7.1-2.4">
<p id="section-7.1-2.4.1">Verify the "kid" header parameter references a known, valid
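Review bot: the allowlist check in section-7.1-2.3 is still independent of the key resolved in step 4, so an allowlist containing several asymmetric algorithms still permits a mismatch between the asserted "alg" and the key type behind "kid". Suggest adding that the accepted "alg" MUST also be consistent with the key referenced by "kid" (ES256 only with a P-256 EC key), which is the RFC 8725 recommendation that each key is used with exactly one algorithm and closes the gap the allowlist alone leaves open.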
@@ -2500,6 +2551,11 @@ with the same action can be flagged as a potential replay.<a href="#section-9.5-
<p id="section-9.5-3">Implementations <span class="bcp14">MUST</span> maintain a cache of recently-seen "jti"
values to detect replayed ECTs within the expiration window.
An ECT with a duplicate "jti" value <span class="bcp14">MUST</span> be rejected.<a href="#section-9.5-3" class="pilcrow"></a></p>
<p id="section-9.5-4">Additionally, each ECT is cryptographically bound to the issuing
agent via the JOSE "kid" parameter, which references the agent's
WIT public key. Verifiers <span class="bcp14">MUST</span> confirm that the "kid" resolves
to the "iss" agent's key (step 8 in <a href="#verification" class="auto internal xref">Section 7</a>), preventing
one agent from replaying another agent's ECT as its own.<a href="#section-9.5-4" class="pilcrow"></a></p>
</section>
</div>
<div id="man-in-the-middle-protection">
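Review bot: the new section-9.5-4 paragraph cites "step 8 in Section 7" by list position; this same commit renumbered the 9.x sections, and any insertion into the verification list would leave "step 8" stale with no build warning. Suggest referring to the step by its content (the "kid"-to-"iss" check in Section 7) or giving that step a named anchor. It would also help to state that this binding prevents cross-agent replay only; same-agent replay still depends on the "jti" cache in section-9.5-3.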
@@ -2556,6 +2612,15 @@ compromised key and issue a new WIT with a fresh key pair.<a href="#section-9.7-
ledger before revocation remain valid historical records but <span class="bcp14">SHOULD</span>
be flagged in the ledger as "signed with subsequently revoked key"
for audit purposes.<a href="#section-9.7-3" class="pilcrow"></a></p>
<p id="section-9.7-4">ECT revocation does not propagate through the DAG. If a parent
ECT's signing key is later revoked, child ECTs that were verified
and recorded before that revocation remain valid — they captured
a legitimate execution record at the time of issuance. However,
auditors reviewing a workflow <span class="bcp14">SHOULD</span> flag any ECT in the DAG
whose signing key was subsequently revoked, so that the scope of
a potential compromise can be assessed. New ECTs <span class="bcp14">MUST NOT</span> be
created with a "par" reference to an ECT whose signing key is
known to be revoked at creation time.<a href="#section-9.7-4" class="pilcrow"></a></p>
</section>
</div>
<div id="collusion-and-false-claims">
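Review bot: section-9.7-4 opens with "ECT revocation does not propagate through the DAG", but every sentence that follows is about revocation of a signing key, and the draft defines no ECT-level revocation, so the opening sentence introduces a concept the text never defines. Suggest "Key revocation does not propagate through the DAG" (or define ECT revocation if that is intended). The closing "MUST NOT be created with a "par" reference to an ECT whose signing key is known to be revoked at creation time" is also unverifiable by a later verifier unless the text says where revocation status is looked up at creation time; naming that source (the ledger flag introduced in section-9.7-3) would make the requirement testable.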
@@ -2584,54 +2649,110 @@ contents against expected workflow patterns.<a href="#section-9.8-3.3.1" class="
</ul>
</section>
</div>
<div id="denial-of-service">
<div id="dag-integrity-attacks">
<section id="section-9.9">
<h3 id="name-denial-of-service">
<a href="#section-9.9" class="section-number selfRef">9.9. </a><a href="#name-denial-of-service" class="section-name selfRef">Denial of Service</a>
<h3 id="name-dag-integrity-attacks">
<a href="#section-9.9" class="section-number selfRef">9.9. </a><a href="#name-dag-integrity-attacks" class="section-name selfRef">DAG Integrity Attacks</a>
</h3>
<p id="section-9.9-1">ECT signature verification is computationally inexpensive
<p id="section-9.9-1">Because the DAG structure is the primary mechanism for establishing
execution ordering, attackers may attempt to manipulate it:<a href="#section-9.9-1" class="pilcrow"></a></p>
<ul class="normal">
<li class="normal" id="section-9.9-2.1">
<p id="section-9.9-2.1.1">False parent references: A malicious agent creates an ECT that
references parent tasks from an unrelated workflow, inserting
itself into a legitimate execution history. DAG validation
(<a href="#dag-validation" class="auto internal xref">Section 6</a>) mitigates this by requiring parent existence
in the ECT store, and the "wid" claim scopes parent references
to a single workflow when present.<a href="#section-9.9-2.1.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="section-9.9-2.2">
<p id="section-9.9-2.2.1">Parent omission (pruning): An agent deliberately omits one or
more actual parent dependencies from the "par" array to hide
that certain tasks influenced its output. Because ECTs are
self-asserted (<a href="#self-assertion-limitation" class="auto internal xref">Section 9.2</a>), no mechanism can
force an agent to declare all dependencies. External auditors
can detect omission by comparing the declared DAG against
expected workflow patterns.<a href="#section-9.9-2.2.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="section-9.9-2.3">
<p id="section-9.9-2.3.1">Shadow DAGs: Multiple colluding agents fabricate an entire
execution history by creating a sequence of ECTs with mutual
parent references. Independent ledger maintenance and
cross-verification (see <a href="#collusion-and-false-claims" class="auto internal xref">Section 9.8</a> above)
are the primary mitigations.<a href="#section-9.9-2.3.1" class="pilcrow"></a></p>
</li>
</ul>
<p id="section-9.9-3">Verifiers <span class="bcp14">SHOULD</span> validate that the declared "wid" of parent ECTs
matches the "wid" of the child ECT, rejecting cross-workflow
parent references unless explicitly permitted by deployment
policy.<a href="#section-9.9-3" class="pilcrow"></a></p>
</section>
</div>
<div id="privilege-escalation-via-ects">
<section id="section-9.10">
<h3 id="name-privilege-escalation-via-ec">
<a href="#section-9.10" class="section-number selfRef">9.10. </a><a href="#name-privilege-escalation-via-ec" class="section-name selfRef">Privilege Escalation via ECTs</a>
</h3>
<p id="section-9.10-1">ECTs record execution history; they do not convey authorization.
Verifiers <span class="bcp14">MUST NOT</span> interpret the presence of an ECT, or a
particular set of parent references in "par", as an authorization
grant. The "par" claim demonstrates that predecessor tasks were
recorded, not that the current agent is authorized to act on
their outputs. Authorization decisions <span class="bcp14">MUST</span> remain with the
identity and authorization layer (WIT, WPT, and deployment
policy). As noted in <span>[<a href="#I-D.ni-wimse-ai-agent-identity" class="cite xref">I-D.ni-wimse-ai-agent-identity</a>]</span>,
AI intermediaries introduce novel escalation vectors; ECTs
<span class="bcp14">MUST NOT</span> be used to circumvent authorization boundaries.<a href="#section-9.10-1" class="pilcrow"></a></p>
</section>
</div>
<div id="denial-of-service">
<section id="section-9.11">
<h3 id="name-denial-of-service">
<a href="#section-9.11" class="section-number selfRef">9.11. </a><a href="#name-denial-of-service" class="section-name selfRef">Denial of Service</a>
</h3>
<p id="section-9.11-1">ECT signature verification is computationally inexpensive
(approximately 1ms per ECT on modern hardware for ES256). DAG
validation complexity is O(V) where V is the number of ancestor
nodes reachable from the parent references; for typical shallow
DAGs this is efficient.<a href="#section-9.9-1" class="pilcrow"></a></p>
<p id="section-9.9-2">Implementations <span class="bcp14">SHOULD</span> apply rate limiting at the API layer to
DAGs this is efficient.<a href="#section-9.11-1" class="pilcrow"></a></p>
<p id="section-9.11-2">Implementations <span class="bcp14">SHOULD</span> apply rate limiting at the API layer to
prevent excessive ECT submissions. DAG validation <span class="bcp14">SHOULD</span> be
performed after signature verification to avoid wasting resources
on unsigned or incorrectly signed tokens.<a href="#section-9.9-2" class="pilcrow"></a></p>
on unsigned or incorrectly signed tokens.<a href="#section-9.11-2" class="pilcrow"></a></p>
</section>
</div>
<div id="timestamp-accuracy">
<section id="section-9.10">
<section id="section-9.12">
<h3 id="name-timestamp-accuracy">
<a href="#section-9.10" class="section-number selfRef">9.10. </a><a href="#name-timestamp-accuracy" class="section-name selfRef">Timestamp Accuracy</a>
<a href="#section-9.12" class="section-number selfRef">9.12. </a><a href="#name-timestamp-accuracy" class="section-name selfRef">Timestamp Accuracy</a>
</h3>
<p id="section-9.10-1">ECTs rely on timestamps ("iat", "exp") for temporal ordering.
<p id="section-9.12-1">ECTs rely on timestamps ("iat", "exp") for temporal ordering.
Clock skew between agents can lead to incorrect ordering
judgments. Implementations <span class="bcp14">SHOULD</span> use synchronized time sources
(e.g., NTP) and <span class="bcp14">SHOULD</span> allow a configurable clock skew tolerance
(<span class="bcp14">RECOMMENDED</span>: 30 seconds).<a href="#section-9.10-1" class="pilcrow"></a></p>
<p id="section-9.10-2">Cross-organizational deployments where agents span multiple trust
(<span class="bcp14">RECOMMENDED</span>: 30 seconds).<a href="#section-9.12-1" class="pilcrow"></a></p>
<p id="section-9.12-2">Cross-organizational deployments where agents span multiple trust
domains with independent time sources <span class="bcp14">MAY</span> require a higher clock
skew tolerance. Deployments using trust domain federation <span class="bcp14">SHOULD</span>
document their configured clock skew tolerance value and <span class="bcp14">SHOULD</span>
ensure all participating trust domains agree on a common tolerance.<a href="#section-9.10-2" class="pilcrow"></a></p>
<p id="section-9.10-3">The temporal ordering check in DAG validation incorporates the
ensure all participating trust domains agree on a common tolerance.<a href="#section-9.12-2" class="pilcrow"></a></p>
<p id="section-9.12-3">The temporal ordering check in DAG validation incorporates the
clock skew tolerance to account for minor clock differences
between agents.<a href="#section-9.10-3" class="pilcrow"></a></p>
between agents.<a href="#section-9.12-3" class="pilcrow"></a></p>
</section>
</div>
<div id="ect-size-constraints">
<section id="section-9.11">
<section id="section-9.13">
<h3 id="name-ect-size-constraints">
<a href="#section-9.11" class="section-number selfRef">9.11. </a><a href="#name-ect-size-constraints" class="section-name selfRef">ECT Size Constraints</a>
<a href="#section-9.13" class="section-number selfRef">9.13. </a><a href="#name-ect-size-constraints" class="section-name selfRef">ECT Size Constraints</a>
</h3>
<p id="section-9.11-1">ECTs with many parent tasks or large extension objects can
<p id="section-9.13-1">ECTs with many parent tasks or large extension objects can
increase HTTP header size. Implementations <span class="bcp14">SHOULD</span> limit the "par"
array to a maximum of 256 entries. Workflows requiring more
parent references <span class="bcp14">SHOULD</span> introduce intermediate aggregation
tasks. The "ext" object <span class="bcp14">SHOULD NOT</span> exceed 4096 bytes when
serialized as JSON and <span class="bcp14">SHOULD NOT</span> exceed a nesting depth of
5 levels (see also <a href="#extension-claims" class="auto internal xref">Section 4.2.4</a>).<a href="#section-9.11-1" class="pilcrow"></a></p>
5 levels (see also <a href="#extension-claims" class="auto internal xref">Section 4.2.4</a>).<a href="#section-9.13-1" class="pilcrow"></a></p>
</section>
</div>
</section>
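Review bot: the false-parent mitigation in section-9.9-2.1 rests on "wid" scoping "when present", and section-9.9-3 only has verifiers SHOULD compare parent and child "wid"; if either ECT omits "wid", a cross-workflow parent reference passes both checks and the attack the bullet describes is not mitigated. Suggest stating what a verifier does when "wid" is absent on one side of a parent edge (treat it as a mismatch, or require "wid" whenever "par" is non-empty). Separately, section-9.11-1 gives DAG validation as O(V) "for typical shallow DAGs"; with the 10000-node traversal limit from 6.2 and the 256-entry "par" limit from 9.13 already in the draft, a worst-case per-ECT bound could be stated here instead.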
@@ -3000,6 +3121,10 @@ the "JSON Web Token Claims" registry maintained by IANA:<a href="#section-11.3-1
<dd>
<span class="refAuthor">Backman, A., Ed.</span>, <span class="refAuthor">Richer, J., Ed.</span>, and <span class="refAuthor">M. Sporny</span>, <span class="refTitle">"HTTP Message Signatures"</span>, <span class="seriesInfo">RFC 9421</span>, <span class="seriesInfo">DOI 10.17487/RFC9421</span>, <time datetime="2024-02" class="refDate">February 2024</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc9421">https://www.rfc-editor.org/rfc/rfc9421</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC9449">[RFC9449]</dt>
<dd>
<span class="refAuthor">Fett, D.</span>, <span class="refAuthor">Campbell, B.</span>, <span class="refAuthor">Bradley, J.</span>, <span class="refAuthor">Lodderstedt, T.</span>, <span class="refAuthor">Jones, M.</span>, and <span class="refAuthor">D. Waite</span>, <span class="refTitle">"OAuth 2.0 Demonstrating Proof of Possession (DPoP)"</span>, <span class="seriesInfo">RFC 9449</span>, <span class="seriesInfo">DOI 10.17487/RFC9449</span>, <time datetime="2023-09" class="refDate">September 2023</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc9449">https://www.rfc-editor.org/rfc/rfc9449</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="SPIFFE">[SPIFFE]</dt>
<dd>
<span class="refTitle">"Secure Production Identity Framework for Everyone (SPIFFE)"</span>, <span>&lt;<a href="https://spiffe.io/docs/latest/spiffe-about/overview/">https://spiffe.io/docs/latest/spiffe-about/overview/</a>&gt;</span>. </dd>
@@ -3157,6 +3282,11 @@ workloads that forward the token unchanged are not recorded.<a href="#appendix-B
<li class="normal" id="appendix-B.3-3.3">
<p id="appendix-B.3-3.3.1">It carries no task-level granularity, no parent references,
and no execution content.<a href="#appendix-B.3-3.3.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="appendix-B.3-3.4">
<p id="appendix-B.3-3.4.1">It cannot represent convergence (fan-in): when two independent
paths must both complete before a dependent task proceeds, a
linear "req_wl" string cannot express that relationship.<a href="#appendix-B.3-3.4.1" class="pilcrow"></a></p>
</li>
</ul>
<p id="appendix-B.3-4">Extensions for agentic use cases
@@ -3194,16 +3324,32 @@ ECTs may reference OpenTelemetry trace identifiers in the "ext"
claim for correlation.<a href="#appendix-B.4-1" class="pilcrow"></a></p>
</section>
</div>
<div id="scitt-supply-chain-integrity-transparency-and-trust">
<div id="w3c-provenance-data-model-prov">
<section id="appendix-B.5">
<h3 id="name-w3c-provenance-data-model-p">
<a href="#name-w3c-provenance-data-model-p" class="section-name selfRef">W3C Provenance Data Model (PROV)</a>
</h3>
<p id="appendix-B.5-1">The W3C PROV Data Model defines an Entity-Activity-Agent ontology
for representing provenance information. PROV's concepts map
closely to ECT structures: PROV Activities correspond to ECT
tasks, PROV Agents correspond to WIMSE workloads, and PROV's
"wasInformedBy" relation corresponds to ECT "par" references.
However, PROV uses RDF/OWL ontologies designed for post-hoc
documentation, while ECTs are runtime-embeddable JWT tokens with
cryptographic signatures. ECT audit data could be exported to
PROV format for interoperability with provenance-aware systems.<a href="#appendix-B.5-1" class="pilcrow"></a></p>
</section>
</div>
<div id="scitt-supply-chain-integrity-transparency-and-trust">
<section id="appendix-B.6">
<h3 id="name-scitt-supply-chain-integrit">
<a href="#name-scitt-supply-chain-integrit" class="section-name selfRef">SCITT (Supply Chain Integrity, Transparency, and Trust)</a>
</h3>
<p id="appendix-B.5-1">The SCITT architecture <span>[<a href="#I-D.ietf-scitt-architecture" class="cite xref">I-D.ietf-scitt-architecture</a>]</span> defines a
<p id="appendix-B.6-1">The SCITT architecture <span>[<a href="#I-D.ietf-scitt-architecture" class="cite xref">I-D.ietf-scitt-architecture</a>]</span> defines a
framework for transparent and auditable supply chain records.
ECTs and SCITT are complementary: the ECT "wid" claim can serve
as a correlation identifier in SCITT Signed Statements, linking
an ECT audit trail to a supply chain transparency record.<a href="#appendix-B.5-1" class="pilcrow"></a></p>
an ECT audit trail to a supply chain transparency record.<a href="#appendix-B.6-1" class="pilcrow"></a></p>
</section>
</div>
</section>
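Review bot: the new appendix B.5 text names the W3C PROV Data Model but carries no reference entry, unlike the neighbouring SCITT paragraph, which cites I-D.ietf-scitt-architecture; the informative references hunk in this commit adds only RFC9449. Suggest adding a PROV-DM entry to the informative references and citing it from the first sentence of appendix-B.5-1, so the "wasInformedBy" mapping to "par" can be checked against the cited definition.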


@@ -7,7 +7,7 @@ submissiontype: IETF
number:
date:
v: 3
area: "Security"
area: "ART"
workgroup: "WIMSE"
keyword:
- execution context
@@ -47,6 +47,7 @@ informative:
author:
- org: Cloud Native Computing Foundation
I-D.ietf-scitt-architecture:
RFC9449:
I-D.ietf-oauth-transaction-tokens:
I-D.oauth-transaction-tokens-for-agents:
@@ -413,7 +414,9 @@ par:
multiple root tasks. Parent ECTs may have passed their own
"exp" time; ECT expiration applies to the verification window
of the ECT itself, not to its validity as a parent reference
in the ECT store.
in the ECT store. Note: "par" is not a registered JWT claim
and does not conflict with OAuth Pushed Authorization Requests
(RFC 9126), which defines an endpoint, not a token claim.
### Data Integrity {#data-integrity-claims}
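Review bot: the added "par" note refers to "OAuth Pushed Authorization Requests (RFC 9126)" as plain text rather than a kramdown reference, so it will be neither linked nor listed; the `informative:` hunk in this commit adds only `RFC9449:`. Suggest `{{RFC9126}}` in the sentence and a matching `RFC9126:` entry under `informative:`. Since the point of the note is that "par" is not a registered JWT claim, it would also read better if it said the name was checked against the IANA "JSON Web Token Claims" registry, which the sentence implies but does not state.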
@@ -421,27 +424,27 @@ The following claims provide integrity verification for task
inputs and outputs without revealing the data itself:
inp_hash:
: OPTIONAL. String. A cryptographic hash of the input data,
formatted as "hash-algorithm:base64url-encoded-hash" (e.g.,
"sha-256:n4bQgYhMfWWaL-qgxVrQFaO\_TxsrC4Is0V1sFbDwCgg"). The
hash algorithm identifier MUST be a lowercase value from the
IANA Named Information Hash Algorithm Registry (e.g., "sha-256",
"sha-384", "sha-512"). Implementations MUST support "sha-256"
and SHOULD use "sha-256" unless a stronger algorithm is
required. Implementations MUST NOT accept hash algorithms
weaker than SHA-256 (e.g., MD5, SHA-1). The hash MUST be
computed over the raw octets of the input data.
: OPTIONAL. String. The base64url encoding (without padding) of
the SHA-256 hash of the input data, computed over the raw octets
of the input. This follows the same fixed-algorithm pattern
used by the DPoP "ath" claim {{RFC9449}} and the WIMSE WPT
"tth" claim {{I-D.ietf-wimse-s2s-protocol}}: SHA-256 is the
mandatory algorithm with no algorithm prefix in the value.
out_hash:
: OPTIONAL. String. A cryptographic hash of the output data,
using the same format and algorithm requirements as "inp_hash".
: OPTIONAL. String. The base64url encoding (without padding) of
the SHA-256 hash of the output data, using the same format as
"inp_hash".
### Extensions {#extension-claims}
ext:
: OPTIONAL. Object. An extension object for domain-specific
claims not defined by this specification. Implementations
that do not understand extension claims MUST ignore them.
: OPTIONAL. Object. A general-purpose extension object for
domain-specific claims not defined by this specification. The
short name "ext" follows the JWT convention of concise claim
names and is chosen over alternatives like "extensions" for
compactness. Implementations that do not understand extension
claims MUST ignore them.
To avoid key collisions between different domains, extension
key names SHOULD use reverse domain notation (e.g.,
@@ -472,8 +475,12 @@ The following is a complete ECT payload example:
"exec_act": "recommend_treatment",
"par": [],
"inp_hash": "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
"out_hash": "sha-256:LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564"
"inp_hash": "n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
"out_hash": "LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
"ext": {
"com.example.trace_id": "abc123"
}
}
~~~
{: #fig-full-ect title="Complete ECT Payload Example"}
@@ -567,6 +574,29 @@ implementations SHOULD enforce a maximum ancestor traversal limit
(RECOMMENDED: 10000 nodes). If the limit is reached before cycle
detection completes, the ECT SHOULD be rejected.
## Handling Unavailable Parent ECTs
In distributed deployments, a parent ECT referenced in the "par"
array may not yet be available in the local ECT store at the time
of validation — for example, due to replication lag in a
distributed ledger or out-of-order message delivery.
Implementations MUST distinguish between two cases:
1. Parent not found and definitively absent: The parent "jti"
does not exist in any accessible ECT store. The ECT MUST be
rejected.
2. Parent not yet available: The parent "jti" is not present
locally but may arrive due to known replication delays.
Implementations MAY defer validation for a bounded period
(RECOMMENDED: no more than 60 seconds).
Deferred ECTs MUST NOT be treated as verified until all parent
references are resolved. If any parent reference remains
unresolved after the deferral period or after the ECT's own "exp"
time (whichever comes first), the ECT MUST be rejected.
# Signature and Token Verification {#verification}
## Verification Procedure
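Review bot: the new deferral rules do not say what the receiving agent does with the requested action while an ECT is in the deferred state, and they give the verifier no criterion for telling case 1 ("definitively absent") from case 2 ("not yet available"). Suggest stating that a deferred ECT counts as unverified for the processing rule in the verification section (the requested action MUST NOT be processed until the ECT is verified), and that the choice between the two cases MUST be driven by configured knowledge of the store's replication behaviour rather than by anything in the ECT itself, since "par" is self-asserted and a lenient default would otherwise be chosen by the sender.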
@@ -579,8 +609,12 @@ verification steps in order:
2. Verify that the "typ" header parameter is "wimse-exec+jwt".
3. Verify that the "alg" header parameter is not "none" and is
not a symmetric algorithm.
3. Verify that the "alg" header parameter appears in the
verifier's configured allowlist of accepted signing algorithms.
The allowlist MUST NOT include "none" or any symmetric
algorithm (e.g., HS256, HS384, HS512). Implementations MUST
include ES256 in the allowlist; additional asymmetric algorithms
MAY be included per deployment policy.
4. Verify the "kid" header parameter references a known, valid
public key from a WIT within the trust domain.
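Review bot: "Implementations MUST include ES256 in the allowlist" is a runtime requirement on every deployment, which conflicts with the "per deployment policy" clause and prevents a deployment from restricting itself to a single other asymmetric algorithm such as EdDSA. The usual split is an implementation requirement ("Implementations MUST support ES256") with the runtime allowlist left to deployment policy. It is also worth saying that the allowlist is consulted before the "kid" lookup in step 4, so an unsupported "alg" never triggers a key fetch; the ordering implies it, but verifiers that resolve "kid" first are common.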
@@ -746,6 +780,12 @@ Implementations MUST maintain a cache of recently-seen "jti"
values to detect replayed ECTs within the expiration window.
An ECT with a duplicate "jti" value MUST be rejected.
Additionally, each ECT is cryptographically bound to the issuing
agent via the JOSE "kid" parameter, which references the agent's
WIT public key. Verifiers MUST confirm that the "kid" resolves
to the "iss" agent's key (step 8 in {{verification}}), preventing
one agent from replaying another agent's ECT as its own.
## Man-in-the-Middle Protection
ECTs do not replace transport-layer security. ECTs MUST be
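Review bot: the closing clause "preventing one agent from replaying another agent's ECT as its own" overstates what the "kid"/"iss" check achieves. A verbatim replay of another agent's ECT still carries the original "kid" and "iss" and therefore passes step 8; what the check prevents is an agent re-attributing the ECT to itself, because doing so requires re-signing with its own key, after which "iss" no longer matches. Verbatim replay is caught by the "jti" cache in the preceding paragraph. Suggest "preventing one agent from presenting another agent's ECT as its own". The reference "step 8 in {{verification}}" also depends on step numbering that this same commit just changed; a named anchor would be more robust.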
@@ -780,7 +820,17 @@ ledger before revocation remain valid historical records but SHOULD
be flagged in the ledger as "signed with subsequently revoked key"
for audit purposes.
## Collusion and False Claims
ECT revocation does not propagate through the DAG. If a parent
ECT's signing key is later revoked, child ECTs that were verified
and recorded before that revocation remain valid — they captured
a legitimate execution record at the time of issuance. However,
auditors reviewing a workflow SHOULD flag any ECT in the DAG
whose signing key was subsequently revoked, so that the scope of
a potential compromise can be assessed. New ECTs MUST NOT be
created with a "par" reference to an ECT whose signing key is
known to be revoked at creation time.
## Collusion and False Claims {#collusion-and-false-claims}
A single malicious agent cannot forge parent task references
because DAG validation requires parent tasks to exist in the
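Review bot: the new paragraph opens with "ECT revocation does not propagate through the DAG" but then discusses signing-key revocation; ECTs themselves are never revoked in this document, so "Key revocation does not propagate through the DAG" is the accurate phrase. More substantively, the final MUST NOT is placed on the creating agent, but ECTs are self-asserted (see the Self-Assertion Limitation subsection), so the rule is unenforceable on its own. Suggest adding the verifier-side counterpart: when validating a new ECT, verifiers SHOULD check the revocation status of each parent's signing key as of the child's "iat" and reject, or at minimum flag, a child whose parent was signed by a key already revoked at that time.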
@@ -796,6 +846,48 @@ Mitigations include:
- Out-of-band audit: External auditors periodically verify ledger
contents against expected workflow patterns.
## DAG Integrity Attacks
Because the DAG structure is the primary mechanism for establishing
execution ordering, attackers may attempt to manipulate it:
- False parent references: A malicious agent creates an ECT that
references parent tasks from an unrelated workflow, inserting
itself into a legitimate execution history. DAG validation
({{dag-validation}}) mitigates this by requiring parent existence
in the ECT store, and the "wid" claim scopes parent references
to a single workflow when present.
- Parent omission (pruning): An agent deliberately omits one or
more actual parent dependencies from the "par" array to hide
that certain tasks influenced its output. Because ECTs are
self-asserted ({{self-assertion-limitation}}), no mechanism can
force an agent to declare all dependencies. External auditors
can detect omission by comparing the declared DAG against
expected workflow patterns.
- Shadow DAGs: Multiple colluding agents fabricate an entire
execution history by creating a sequence of ECTs with mutual
parent references. Independent ledger maintenance and
cross-verification (see {{collusion-and-false-claims}} above)
are the primary mitigations.
Verifiers SHOULD validate that the declared "wid" of parent ECTs
matches the "wid" of the child ECT, rejecting cross-workflow
parent references unless explicitly permitted by deployment
policy.
## Privilege Escalation via ECTs
ECTs record execution history; they do not convey authorization.
Verifiers MUST NOT interpret the presence of an ECT, or a
particular set of parent references in "par", as an authorization
grant. The "par" claim demonstrates that predecessor tasks were
recorded, not that the current agent is authorized to act on
their outputs. Authorization decisions MUST remain with the
identity and authorization layer (WIT, WPT, and deployment
policy). As noted in {{I-D.ni-wimse-ai-agent-identity}},
AI intermediaries introduce novel escalation vectors; ECTs
MUST NOT be used to circumvent authorization boundaries.
## Denial of Service
ECT signature verification is computationally inexpensive
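Review bot: the "wid" guidance leaves the mixed case unspecified. The False parent references bullet says "wid" scopes parent references "when present", and the closing paragraph says the parent's "wid" SHOULD match the child's, but neither says what happens when the child carries "wid" and a parent does not, or the reverse. Suggest stating that such a presence mismatch counts as a "wid" mismatch under the same SHOULD-reject rule unless deployment policy permits it; otherwise the workflow scope check can be sidestepped simply by omitting "wid" on the child ECT.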
@@ -1087,6 +1179,9 @@ However, "req_wl" cannot form a DAG because:
workloads that forward the token unchanged are not recorded.
- It carries no task-level granularity, no parent references,
and no execution content.
- It cannot represent convergence (fan-in): when two independent
paths must both complete before a dependent task proceeds, a
linear "req_wl" string cannot express that relationship.
Extensions for agentic use cases
({{I-D.oauth-transaction-tokens-for-agents}}) add agent
@@ -1120,6 +1215,19 @@ provide observability while ECTs provide signed execution records.
ECTs may reference OpenTelemetry trace identifiers in the "ext"
claim for correlation.
## W3C Provenance Data Model (PROV)
{:numbered="false"}
The W3C PROV Data Model defines an Entity-Activity-Agent ontology
for representing provenance information. PROV's concepts map
closely to ECT structures: PROV Activities correspond to ECT
tasks, PROV Agents correspond to WIMSE workloads, and PROV's
"wasInformedBy" relation corresponds to ECT "par" references.
However, PROV uses RDF/OWL ontologies designed for post-hoc
documentation, while ECTs are runtime-embeddable JWT tokens with
cryptographic signatures. ECT audit data could be exported to
PROV format for interoperability with provenance-aware systems.
## SCITT (Supply Chain Integrity, Transparency, and Trust)
{:numbered="false"}
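Review bot: the PROV subsection names "The W3C PROV Data Model" in prose only, whereas the neighbouring Related Work entries carry bracketed citations ([I-D.oauth-transaction-tokens-for-agents], [I-D.ietf-wimse-s2s-protocol]). Add an informative reference entry for the W3C Recommendation (for example under a [PROV-DM] tag), cite it here, and add the matching entry to the Informative References list in the txt rendering produced by this commit, which otherwise lists the new subsection in its table of contents without a corresponding reference.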


@@ -77,35 +77,35 @@ Table of Contents
3. WIMSE Architecture Integration . . . . . . . . . . . . . . . 5
3.1. WIMSE Foundation . . . . . . . . . . . . . . . . . . . . 5
3.2. Extension Model . . . . . . . . . . . . . . . . . . . . . 6
3.3. Integration Points . . . . . . . . . . . . . . . . . . . 6
4. Execution Context Token Format . . . . . . . . . . . . . . . 7
3.3. Integration Points . . . . . . . . . . . . . . . . . . . 7
4. Execution Context Token Format . . . . . . . . . . . . . . . 8
4.1. JOSE Header . . . . . . . . . . . . . . . . . . . . . . . 8
4.2. JWT Claims . . . . . . . . . . . . . . . . . . . . . . . 8
4.2.1. Standard JWT Claims . . . . . . . . . . . . . . . . . 8
4.2.2. Execution Context . . . . . . . . . . . . . . . . . . 10
4.2.3. Data Integrity . . . . . . . . . . . . . . . . . . . 10
4.2.4. Extensions . . . . . . . . . . . . . . . . . . . . . 10
4.2.4. Extensions . . . . . . . . . . . . . . . . . . . . . 11
4.3. Complete ECT Example . . . . . . . . . . . . . . . . . . 11
5. HTTP Header Transport . . . . . . . . . . . . . . . . . . . . 11
5.1. Execution-Context Header Field . . . . . . . . . . . . . 11
5. HTTP Header Transport . . . . . . . . . . . . . . . . . . . . 12
5.1. Execution-Context Header Field . . . . . . . . . . . . . 12
6. DAG Validation . . . . . . . . . . . . . . . . . . . . . . . 12
6.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 12
6.2. Validation Rules . . . . . . . . . . . . . . . . . . . . 12
7. Signature and Token Verification . . . . . . . . . . . . . . 13
7.1. Verification Procedure . . . . . . . . . . . . . . . . . 13
6.2. Validation Rules . . . . . . . . . . . . . . . . . . . . 13
6.3. Handling Unavailable Parent ECTs . . . . . . . . . . . . 13
7. Signature and Token Verification . . . . . . . . . . . . . . 14
7.1. Verification Procedure . . . . . . . . . . . . . . . . . 14
8. Audit Ledger Interface . . . . . . . . . . . . . . . . . . . 15
9. Security Considerations . . . . . . . . . . . . . . . . . . . 15
9.1. Threat Model . . . . . . . . . . . . . . . . . . . . . . 15
9. Security Considerations . . . . . . . . . . . . . . . . . . . 16
9.1. Threat Model . . . . . . . . . . . . . . . . . . . . . . 16
9.2. Self-Assertion Limitation . . . . . . . . . . . . . . . . 16
9.3. Organizational Prerequisites . . . . . . . . . . . . . . 16
9.4. Signature Verification . . . . . . . . . . . . . . . . . 16
9.3. Organizational Prerequisites . . . . . . . . . . . . . . 17
9.4. Signature Verification . . . . . . . . . . . . . . . . . 17
9.5. Replay Attack Prevention . . . . . . . . . . . . . . . . 17
9.6. Man-in-the-Middle Protection . . . . . . . . . . . . . . 17
9.7. Key Compromise . . . . . . . . . . . . . . . . . . . . . 17
9.8. Collusion and False Claims . . . . . . . . . . . . . . . 18
9.9. Denial of Service . . . . . . . . . . . . . . . . . . . . 18
9.10. Timestamp Accuracy . . . . . . . . . . . . . . . . . . . 18
9.11. ECT Size Constraints . . . . . . . . . . . . . . . . . . 19
9.6. Man-in-the-Middle Protection . . . . . . . . . . . . . . 18
9.7. Key Compromise . . . . . . . . . . . . . . . . . . . . . 18
9.8. Collusion and False Claims . . . . . . . . . . . . . . . 19
9.9. DAG Integrity Attacks . . . . . . . . . . . . . . . . . . 19
9.10. Privilege Escalation via ECTs . . . . . . . . . . . . . . 20
@@ -114,27 +114,31 @@ Nennemann Expires 29 August 2026 [Page 2]
Internet-Draft WIMSE Execution Context February 2026
10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 19
10.1. Data Exposure in ECTs . . . . . . . . . . . . . . . . . 19
10.2. Data Minimization . . . . . . . . . . . . . . . . . . . 20
10.3. Storage and Access Control . . . . . . . . . . . . . . . 20
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
11.1. Media Type Registration . . . . . . . . . . . . . . . . 20
11.2. HTTP Header Field Registration . . . . . . . . . . . . . 21
11.3. JWT Claims Registration . . . . . . . . . . . . . . . . 21
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 22
12.1. Normative References . . . . . . . . . . . . . . . . . . 22
12.2. Informative References . . . . . . . . . . . . . . . . . 23
Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Cross-Organization Financial Trading . . . . . . . . . . . . . 25
Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . 26
WIMSE Workload Identity . . . . . . . . . . . . . . . . . . . . 26
OAuth 2.0 Token Exchange and the "act" Claim . . . . . . . . . 26
Transaction Tokens . . . . . . . . . . . . . . . . . . . . . . 26
Distributed Tracing (OpenTelemetry) . . . . . . . . . . . . . . 27
SCITT (Supply Chain Integrity, Transparency, and Trust) . . . . 27
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 28
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 28
9.11. Denial of Service . . . . . . . . . . . . . . . . . . . . 20
9.12. Timestamp Accuracy . . . . . . . . . . . . . . . . . . . 20
9.13. ECT Size Constraints . . . . . . . . . . . . . . . . . . 21
10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 21
10.1. Data Exposure in ECTs . . . . . . . . . . . . . . . . . 21
10.2. Data Minimization . . . . . . . . . . . . . . . . . . . 22
10.3. Storage and Access Control . . . . . . . . . . . . . . . 22
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22
11.1. Media Type Registration . . . . . . . . . . . . . . . . 22
11.2. HTTP Header Field Registration . . . . . . . . . . . . . 23
11.3. JWT Claims Registration . . . . . . . . . . . . . . . . 23
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 24
12.1. Normative References . . . . . . . . . . . . . . . . . . 24
12.2. Informative References . . . . . . . . . . . . . . . . . 25
Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Cross-Organization Financial Trading . . . . . . . . . . . . . 27
Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . 28
WIMSE Workload Identity . . . . . . . . . . . . . . . . . . . . 28
OAuth 2.0 Token Exchange and the "act" Claim . . . . . . . . . 28
Transaction Tokens . . . . . . . . . . . . . . . . . . . . . . 29
Distributed Tracing (OpenTelemetry) . . . . . . . . . . . . . . 30
W3C Provenance Data Model (PROV) . . . . . . . . . . . . . . . 30
SCITT (Supply Chain Integrity, Transparency, and Trust) . . . . 30
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 30
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 30
1. Introduction
@@ -156,10 +160,6 @@ Internet-Draft WIMSE Execution Context February 2026
healthcare, finance, and logistics require structured, auditable
records of automated decision-making and execution.
This document defines an extension to the WIMSE architecture that
addresses the gap between workload identity and execution
accountability. WIMSE authenticates agents; this extension records
what they did and in what order.
@@ -170,6 +170,11 @@ Nennemann Expires 29 August 2026 [Page 3]
Internet-Draft WIMSE Execution Context February 2026
This document defines an extension to the WIMSE architecture that
addresses the gap between workload identity and execution
accountability. WIMSE authenticates agents; this extension records
what they did and in what order.
As identified in [I-D.ni-wimse-ai-agent-identity], call context in
agentic workflows needs to be visible and preserved. ECTs provide a
mechanism to address this requirement with cryptographic assurances.
@@ -213,11 +218,6 @@ Internet-Draft WIMSE Execution Context February 2026
* Workload authentication and identity provisioning
* Key distribution and management
* Trust domain establishment and management
* Credential lifecycle management
@@ -226,6 +226,12 @@ Nennemann Expires 29 August 2026 [Page 4]
Internet-Draft WIMSE Execution Context February 2026
* Key distribution and management
* Trust domain establishment and management
* Credential lifecycle management
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
@@ -267,12 +273,6 @@ Internet-Draft WIMSE Execution Context February 2026
The WIMSE architecture [I-D.ietf-wimse-arch] defines:
* Workload Identity Tokens (WIT) that prove a workload's identity
within a trust domain ("I am Agent X in trust domain Y")
* Workload Proof Tokens (WPT) that prove possession of the private
key associated with a WIT ("I control the key for Agent X")
@@ -282,6 +282,12 @@ Nennemann Expires 29 August 2026 [Page 5]
Internet-Draft WIMSE Execution Context February 2026
* Workload Identity Tokens (WIT) that prove a workload's identity
within a trust domain ("I am Agent X in trust domain Y")
* Workload Proof Tokens (WPT) that prove possession of the private
key associated with a WIT ("I control the key for Agent X")
* Multi-hop authentication via the service-to-service protocol
[I-D.ietf-wimse-s2s-protocol]
@@ -325,12 +331,6 @@ Internet-Draft WIMSE Execution Context February 2026
using standard JWT extensibility [RFC7519], and maintains WIMSE
concepts including trust domains and workload identifiers.
3.3. Integration Points
An ECT integrates with the WIMSE identity framework through the
following mechanisms:
Nennemann Expires 29 August 2026 [Page 6]
@@ -338,6 +338,11 @@ Nennemann Expires 29 August 2026 [Page 6]
Internet-Draft WIMSE Execution Context February 2026
3.3. Integration Points
An ECT integrates with the WIMSE identity framework through the
following mechanisms:
* The ECT JOSE header "kid" parameter MUST reference the public key
identifier from the agent's WIT.
@@ -376,12 +381,7 @@ Internet-Draft WIMSE Execution Context February 2026
3. Ledger (if deployed): Appends the verified ECT to the audit
ledger.
4. Execution Context Token Format
An Execution Context Token is a JSON Web Token (JWT) [RFC7519] signed
as a JSON Web Signature (JWS) [RFC7515]. ECTs MUST use JWS Compact
Serialization (the base64url-encoded header.payload.signature format)
so that they can be carried in a single HTTP header value.
@@ -394,6 +394,13 @@ Nennemann Expires 29 August 2026 [Page 7]
Internet-Draft WIMSE Execution Context February 2026
4. Execution Context Token Format
An Execution Context Token is a JSON Web Token (JWT) [RFC7519] signed
as a JSON Web Signature (JWS) [RFC7515]. ECTs MUST use JWS Compact
Serialization (the base64url-encoded header.payload.signature format)
so that they can be carried in a single HTTP header value.
4.1. JOSE Header
The ECT JOSE header MUST contain the following parameters:
@@ -432,6 +439,17 @@ Internet-Draft WIMSE Execution Context February 2026
ECT:
iss: REQUIRED. StringOrURI. A URI identifying the issuer of the
Nennemann Expires 29 August 2026 [Page 8]
Internet-Draft WIMSE Execution Context February 2026
ECT. In WIMSE deployments, this SHOULD be the workload's SPIFFE
ID in the format spiffe://<trust-domain>/<path>, matching the
"sub" claim of the agent's WIT. Non-WIMSE deployments MAY use
@@ -443,13 +461,6 @@ Internet-Draft WIMSE Execution Context February 2026
identifiers of all entities that will verify the ECT. In practice
this means:
Nennemann Expires 29 August 2026 [Page 8]
Internet-Draft WIMSE Execution Context February 2026
* *Point-to-point delivery*: when an ECT is sent from one agent
to a single next agent, "aud" contains that agent's workload
identity. The receiving agent verifies the ECT and forwards it
@@ -487,6 +498,14 @@ Internet-Draft WIMSE Execution Context February 2026
issuance.
jti: REQUIRED. String. A globally unique identifier for both the
Nennemann Expires 29 August 2026 [Page 9]
Internet-Draft WIMSE Execution Context February 2026
ECT and the task it records, in UUID format [RFC9562]. Since each
ECT represents exactly one task, "jti" serves as both the token
identifier (for replay detection) and the task identifier (for DAG
@@ -496,16 +515,6 @@ Internet-Draft WIMSE Execution Context February 2026
is absent, uniqueness MUST be enforced globally across the ECT
store.
Nennemann Expires 29 August 2026 [Page 9]
Internet-Draft WIMSE Execution Context February 2026
4.2.2. Execution Context
The following claims are defined by this specification:
@@ -526,33 +535,24 @@ Internet-Draft WIMSE Execution Context February 2026
root task with no dependencies. A workflow MAY contain multiple
root tasks. Parent ECTs may have passed their own "exp" time; ECT
expiration applies to the verification window of the ECT itself,
not to its validity as a parent reference in the ECT store.
not to its validity as a parent reference in the ECT store. Note:
"par" is not a registered JWT claim and does not conflict with
OAuth Pushed Authorization Requests (RFC 9126), which defines an
endpoint, not a token claim.
4.2.3. Data Integrity
The following claims provide integrity verification for task inputs
and outputs without revealing the data itself:
inp_hash: OPTIONAL. String. A cryptographic hash of the input
data, formatted as "hash-algorithm:base64url-encoded-hash" (e.g.,
"sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg"). The hash
algorithm identifier MUST be a lowercase value from the IANA Named
Information Hash Algorithm Registry (e.g., "sha-256", "sha-384",
"sha-512"). Implementations MUST support "sha-256" and SHOULD use
"sha-256" unless a stronger algorithm is required.
Implementations MUST NOT accept hash algorithms weaker than
SHA-256 (e.g., MD5, SHA-1). The hash MUST be computed over the
raw octets of the input data.
inp_hash: OPTIONAL. String. The base64url encoding (without
padding) of the SHA-256 hash of the input data, computed over the
raw octets of the input. This follows the same fixed-algorithm
pattern used by the DPoP "ath" claim [RFC9449] and the WIMSE WPT
"tth" claim [I-D.ietf-wimse-s2s-protocol]: SHA-256 is the
mandatory algorithm with no algorithm prefix in the value.
out_hash: OPTIONAL. String. A cryptographic hash of the output
data, using the same format and algorithm requirements as
"inp_hash".
4.2.4. Extensions
ext: OPTIONAL. Object. An extension object for domain-specific
claims not defined by this specification. Implementations that do
not understand extension claims MUST ignore them.
out_hash: OPTIONAL. String. The base64url encoding (without
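Review bot: with the algorithm fixed, the removed sentence "Implementations MUST NOT accept hash algorithms weaker than SHA-256" disappears but nothing replaces it with a well-formedness rule for the value. Suggest stating that "inp_hash" and "out_hash" use base64url encoding without padding as defined in RFC 7515 Section 2, MUST decode to exactly 32 octets (43 characters), and that a value of any other length or containing characters outside the base64url alphabet (including a leading "sha-256:" prefix from the previous format) MUST be rejected rather than silently ignored. This also gives verifiers a clean way to identify pre-revision ECTs during a rollout.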
@@ -562,6 +562,18 @@ Nennemann Expires 29 August 2026 [Page 10]
Internet-Draft WIMSE Execution Context February 2026
padding) of the SHA-256 hash of the output data, using the same
format as "inp_hash".
4.2.4. Extensions
ext: OPTIONAL. Object. A general-purpose extension object for
domain-specific claims not defined by this specification. The
short name "ext" follows the JWT convention of concise claim names
and is chosen over alternatives like "extensions" for compactness.
Implementations that do not understand extension claims MUST
ignore them.
To avoid key collisions between different domains, extension key
names SHOULD use reverse domain notation (e.g.,
"com.example.custom_field") to avoid collisions between independently
@@ -589,12 +601,23 @@ Internet-Draft WIMSE Execution Context February 2026
"exec_act": "recommend_treatment",
"par": [],
"inp_hash": "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
"out_hash": "sha-256:LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564"
"inp_hash": "n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
"out_hash": "LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
"ext": {
"com.example.trace_id": "abc123"
}
}
Figure 4: Complete ECT Payload Example
Nennemann Expires 29 August 2026 [Page 11]
Internet-Draft WIMSE Execution Context February 2026
5. HTTP Header Transport
5.1. Execution-Context Header Field
@@ -609,15 +632,6 @@ Internet-Draft WIMSE Execution Context February 2026
An agent sending a request to another agent includes the Execution-
Context header alongside the WIMSE Workload-Identity header:
Nennemann Expires 29 August 2026 [Page 11]
Internet-Draft WIMSE Execution Context February 2026
GET /api/safety-check HTTP/1.1
Host: safety-agent.example.com
Workload-Identity: eyJhbGci...WIT...
@@ -649,6 +663,17 @@ Internet-Draft WIMSE Execution Context February 2026
DAG validation is performed against the ECT store — either an audit
ledger or the set of parent ECTs received inline.
Nennemann Expires 29 August 2026 [Page 12]
Internet-Draft WIMSE Execution Context February 2026
6.2. Validation Rules
When receiving and verifying an ECT, implementations MUST perform the
@@ -665,15 +690,6 @@ Internet-Draft WIMSE Execution Context February 2026
verified parent ECT). If any parent task is not found, the ECT
MUST be rejected.
Nennemann Expires 29 August 2026 [Page 12]
Internet-Draft WIMSE Execution Context February 2026
3. Temporal Ordering: The "iat" value of every parent task MUST NOT
be greater than the "iat" value of the current task plus a
configurable clock skew tolerance (RECOMMENDED: 30 seconds).
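Review bot: the unchanged context line "If any parent task is not found, the ECT MUST be rejected" (Validation Rule 2 in Section 6.2) now contradicts the new Section 6.3, which permits deferral for a bounded period when a parent is not yet available. Suggest amending Rule 2 to "If any parent task is not found and cannot be resolved under Section 6.3, the ECT MUST be rejected", or adding a forward reference from Rule 2 to Section 6.3, so that an implementer reading the rules in order is not faced with two mutually exclusive MUSTs.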
@@ -698,6 +714,35 @@ Internet-Draft WIMSE Execution Context February 2026
(RECOMMENDED: 10000 nodes). If the limit is reached before cycle
detection completes, the ECT SHOULD be rejected.
6.3. Handling Unavailable Parent ECTs
In distributed deployments, a parent ECT referenced in the "par"
array may not yet be available in the local ECT store at the time of
validation — for example, due to replication lag in a distributed
ledger or out-of-order message delivery.
Implementations MUST distinguish between two cases:
Nennemann Expires 29 August 2026 [Page 13]
Internet-Draft WIMSE Execution Context February 2026
1. Parent not found and definitively absent: The parent "jti" does
not exist in any accessible ECT store. The ECT MUST be rejected.
2. Parent not yet available: The parent "jti" is not present locally
but may arrive due to known replication delays. Implementations
MAY defer validation for a bounded period (RECOMMENDED: no more
than 60 seconds).
Deferred ECTs MUST NOT be treated as verified until all parent
references are resolved. If any parent reference remains unresolved
after the deferral period or after the ECT's own "exp" time
(whichever comes first), the ECT MUST be rejected.
7. Signature and Token Verification
7.1. Verification Procedure
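Review bot: the deferral window introduces a resource the rest of the draft does not account for. A verifier that holds unverified ECTs for up to 60 seconds can be made to hold an unbounded number of them by a sender whose "par" entries never resolve, and this cost is incurred after signature verification, so the Denial of Service subsection's advice to verify signatures first does not cover it. Suggest a RECOMMENDED upper bound on concurrently deferred ECTs (per issuer and in total) with rejection rather than queuing once it is reached, and a statement that a deferred ECT's "jti" is already entered in the replay cache so a second copy is not admitted while the first is pending.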
@@ -710,8 +755,12 @@ Internet-Draft WIMSE Execution Context February 2026
2. Verify that the "typ" header parameter is "wimse-exec+jwt".
3. Verify that the "alg" header parameter is not "none" and is not
a symmetric algorithm.
3. Verify that the "alg" header parameter appears in the verifier's
configured allowlist of accepted signing algorithms. The
allowlist MUST NOT include "none" or any symmetric algorithm
(e.g., HS256, HS384, HS512). Implementations MUST include ES256
in the allowlist; additional asymmetric algorithms MAY be
included per deployment policy.
4. Verify the "kid" header parameter references a known, valid
public key from a WIT within the trust domain.
@@ -719,17 +768,6 @@ Internet-Draft WIMSE Execution Context February 2026
5. Retrieve the public key identified by "kid" and verify the JWS
signature per [RFC7515] Section 5.2.
Nennemann Expires 29 August 2026 [Page 13]
Internet-Draft WIMSE Execution Context February 2026
6. Verify that the signing key identified by "kid" has not been
revoked within the trust domain. Implementations MUST check the
key's revocation status using the trust domain's key lifecycle
@@ -739,6 +777,15 @@ Internet-Draft WIMSE Execution Context February 2026
7. Verify the "alg" header parameter matches the algorithm in the
corresponding WIT.
Nennemann Expires 29 August 2026 [Page 14]
Internet-Draft WIMSE Execution Context February 2026
8. Verify the "iss" claim matches the "sub" claim of the WIT
associated with the "kid" public key.
@@ -778,14 +825,6 @@ Internet-Draft WIMSE Execution Context February 2026
step failed. The receiving agent MUST NOT process the requested
action when ECT verification fails.
Nennemann Expires 29 August 2026 [Page 14]
Internet-Draft WIMSE Execution Context February 2026
8. Audit Ledger Interface
ECTs MAY be recorded in an immutable audit ledger for compliance
@@ -796,6 +835,13 @@ Internet-Draft WIMSE Execution Context February 2026
cryptographic commitment schemes, distributed ledgers, or any storage
mechanism that provides the required properties.
Nennemann Expires 29 August 2026 [Page 15]
Internet-Draft WIMSE Execution Context February 2026
When an audit ledger is deployed, the implementation MUST provide:
1. Append-only semantics: Once an ECT is recorded, it MUST NOT be
@@ -835,13 +881,6 @@ Internet-Draft WIMSE Execution Context February 2026
* Time manipulator: An entity attempting to manipulate timestamps to
alter perceived execution ordering.
Nennemann Expires 29 August 2026 [Page 15]
Internet-Draft WIMSE Execution Context February 2026
9.2. Self-Assertion Limitation
ECTs are self-asserted by the executing agent. The agent claims what
@@ -851,6 +890,14 @@ Internet-Draft WIMSE Execution Context February 2026
ECTs do not independently verify that:
Nennemann Expires 29 August 2026 [Page 16]
Internet-Draft WIMSE Execution Context February 2026
* The claimed execution actually occurred as described
* The input/output hashes correspond to the actual data processed
@@ -889,15 +936,6 @@ Internet-Draft WIMSE Execution Context February 2026
revoked, the ECT MUST be rejected entirely and the failure MUST be
logged.
Nennemann Expires 29 August 2026 [Page 16]
Internet-Draft WIMSE Execution Context February 2026
Implementations MUST use established JWS libraries and MUST NOT
implement custom signature verification.
@@ -909,6 +947,13 @@ Internet-Draft WIMSE Execution Context February 2026
rejected by Agent C. The "iat" claim enables receivers to reject
ECTs that are too old, even if not yet expired.
Nennemann Expires 29 August 2026 [Page 17]
Internet-Draft WIMSE Execution Context February 2026
The DAG structure provides additional replay protection: an ECT
referencing parent tasks that already have a recorded child task with
the same action can be flagged as a potential replay.
@@ -917,6 +962,12 @@ Internet-Draft WIMSE Execution Context February 2026
to detect replayed ECTs within the expiration window. An ECT with a
duplicate "jti" value MUST be rejected.
Additionally, each ECT is cryptographically bound to the issuing
agent via the JOSE "kid" parameter, which references the agent's WIT
public key. Verifiers MUST confirm that the "kid" resolves to the
"iss" agent's key (step 8 in Section 7), preventing one agent from
replaying another agent's ECT as its own.
9.6. Man-in-the-Middle Protection
ECTs do not replace transport-layer security. ECTs MUST be
@@ -947,21 +998,33 @@ Internet-Draft WIMSE Execution Context February 2026
* Trust domains MUST support rapid key revocation.
* Upon suspected compromise, the trust domain MUST revoke the
compromised key and issue a new WIT with a fresh key pair.
Nennemann Expires 29 August 2026 [Page 17]
Nennemann Expires 29 August 2026 [Page 18]
Internet-Draft WIMSE Execution Context February 2026
* Upon suspected compromise, the trust domain MUST revoke the
compromised key and issue a new WIT with a fresh key pair.
ECTs signed with a compromised key that were recorded in the ledger
before revocation remain valid historical records but SHOULD be
flagged in the ledger as "signed with subsequently revoked key" for
audit purposes.
ECT revocation does not propagate through the DAG. If a parent ECT's
signing key is later revoked, child ECTs that were verified and
recorded before that revocation remain valid — they captured a
legitimate execution record at the time of issuance. However,
auditors reviewing a workflow SHOULD flag any ECT in the DAG whose
signing key was subsequently revoked, so that the scope of a
potential compromise can be assessed. New ECTs MUST NOT be created
with a "par" reference to an ECT whose signing key is known to be
revoked at creation time.
9.8. Collusion and False Claims
A single malicious agent cannot forge parent task references because
@@ -980,7 +1043,56 @@ Internet-Draft WIMSE Execution Context February 2026
* Out-of-band audit: External auditors periodically verify ledger
contents against expected workflow patterns.
9.9. Denial of Service
9.9. DAG Integrity Attacks
Because the DAG structure is the primary mechanism for establishing
execution ordering, attackers may attempt to manipulate it:
* False parent references: A malicious agent creates an ECT that
references parent tasks from an unrelated workflow, inserting
itself into a legitimate execution history. DAG validation
(Section 6) mitigates this by requiring parent existence in the
ECT store, and the "wid" claim scopes parent references to a
single workflow when present.
* Parent omission (pruning): An agent deliberately omits one or more
actual parent dependencies from the "par" array to hide that
certain tasks influenced its output. Because ECTs are self-
Nennemann Expires 29 August 2026 [Page 19]
Internet-Draft WIMSE Execution Context February 2026
asserted (Section 9.2), no mechanism can force an agent to declare
all dependencies. External auditors can detect omission by
comparing the declared DAG against expected workflow patterns.
* Shadow DAGs: Multiple colluding agents fabricate an entire
execution history by creating a sequence of ECTs with mutual
parent references. Independent ledger maintenance and cross-
verification (see Section 9.8 above) are the primary mitigations.
Verifiers SHOULD validate that the declared "wid" of parent ECTs
matches the "wid" of the child ECT, rejecting cross-workflow parent
references unless explicitly permitted by deployment policy.
9.10. Privilege Escalation via ECTs
ECTs record execution history; they do not convey authorization.
Verifiers MUST NOT interpret the presence of an ECT, or a particular
set of parent references in "par", as an authorization grant. The
"par" claim demonstrates that predecessor tasks were recorded, not
that the current agent is authorized to act on their outputs.
Authorization decisions MUST remain with the identity and
authorization layer (WIT, WPT, and deployment policy). As noted in
[I-D.ni-wimse-ai-agent-identity], AI intermediaries introduce novel
escalation vectors; ECTs MUST NOT be used to circumvent authorization
boundaries.
9.11. Denial of Service
ECT signature verification is computationally inexpensive
(approximately 1ms per ECT on modern hardware for ES256). DAG
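Review bot: under "Parent omission (pruning)", the text says no mechanism can force an agent to declare all dependencies and points auditors only to expected workflow patterns. The data-integrity claims give auditors a second signal worth naming here: where a task's input is exactly a predecessor's output, the child's "inp_hash" equals that predecessor's "out_hash", so an auditor can search the ledger for ECTs whose "inp_hash" matches the "out_hash" of an ECT that is absent from the child's "par". Suggest adding one sentence to that effect, with the caveat that it only applies when inputs are passed through unchanged, so it is a detection aid rather than a guarantee.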
@@ -993,7 +1105,7 @@ Internet-Draft WIMSE Execution Context February 2026
performed after signature verification to avoid wasting resources on
unsigned or incorrectly signed tokens.
9.10. Timestamp Accuracy
9.12. Timestamp Accuracy
ECTs rely on timestamps ("iat", "exp") for temporal ordering. Clock
skew between agents can lead to incorrect ordering judgments.
@@ -1005,7 +1117,7 @@ Internet-Draft WIMSE Execution Context February 2026
Nennemann Expires 29 August 2026 [Page 18]
Nennemann Expires 29 August 2026 [Page 20]
Internet-Draft WIMSE Execution Context February 2026
@@ -1019,7 +1131,7 @@ Internet-Draft WIMSE Execution Context February 2026
The temporal ordering check in DAG validation incorporates the clock
skew tolerance to account for minor clock differences between agents.
9.11. ECT Size Constraints
9.13. ECT Size Constraints
ECTs with many parent tasks or large extension objects can increase
HTTP header size. Implementations SHOULD limit the "par" array to a
@@ -1061,7 +1173,7 @@ Internet-Draft WIMSE Execution Context February 2026
Nennemann Expires 29 August 2026 [Page 19]
Nennemann Expires 29 August 2026 [Page 21]
Internet-Draft WIMSE Execution Context February 2026
@@ -1117,7 +1229,7 @@ Internet-Draft WIMSE Execution Context February 2026
Nennemann Expires 29 August 2026 [Page 20]
Nennemann Expires 29 August 2026 [Page 22]
Internet-Draft WIMSE Execution Context February 2026
@@ -1173,7 +1285,7 @@ Internet-Draft WIMSE Execution Context February 2026
Nennemann Expires 29 August 2026 [Page 21]
Nennemann Expires 29 August 2026 [Page 23]
Internet-Draft WIMSE Execution Context February 2026
@@ -1229,7 +1341,7 @@ Internet-Draft WIMSE Execution Context February 2026
Nennemann Expires 29 August 2026 [Page 22]
Nennemann Expires 29 August 2026 [Page 24]
Internet-Draft WIMSE Execution Context February 2026
@@ -1285,7 +1397,7 @@ Internet-Draft WIMSE Execution Context February 2026
Nennemann Expires 29 August 2026 [Page 23]
Nennemann Expires 29 August 2026 [Page 25]
Internet-Draft WIMSE Execution Context February 2026
@@ -1323,6 +1435,11 @@ Internet-Draft WIMSE Execution Context February 2026
Message Signatures", RFC 9421, DOI 10.17487/RFC9421,
February 2024, <https://www.rfc-editor.org/rfc/rfc9421>.
[RFC9449] Fett, D., Campbell, B., Bradley, J., Lodderstedt, T.,
Jones, M., and D. Waite, "OAuth 2.0 Demonstrating Proof of
Possession (DPoP)", RFC 9449, DOI 10.17487/RFC9449,
September 2023, <https://www.rfc-editor.org/rfc/rfc9449>.
[SPIFFE] "Secure Production Identity Framework for Everyone
(SPIFFE)",
<https://spiffe.io/docs/latest/spiffe-about/overview/>.
@@ -1332,20 +1449,19 @@ Use Cases
This section describes a representative use case demonstrating how
ECTs provide structured execution records.
Note: task identifiers in this section are abbreviated for
readability. In production, all "jti" values are required to be
UUIDs per Section 4.2.2.
Nennemann Expires 29 August 2026 [Page 24]
Nennemann Expires 29 August 2026 [Page 26]
Internet-Draft WIMSE Execution Context February 2026
Note: task identifiers in this section are abbreviated for
readability. In production, all "jti" values are required to be
UUIDs per Section 4.2.2.
Cross-Organization Financial Trading
In a cross-organization trading workflow, an investment bank's agents
@@ -1381,6 +1497,23 @@ Cross-Organization Financial Trading
The resulting DAG:
Nennemann Expires 29 August 2026 [Page 27]
Internet-Draft WIMSE Execution Context February 2026
task-001 (analyze_portfolio_risk) task-002 (assess_credit_rating)
[bank.example] [ratings.example]
\ /
@@ -1394,14 +1527,6 @@ Cross-Organization Financial Trading
Figure 7: Cross-Organization DAG
Nennemann Expires 29 August 2026 [Page 25]
Internet-Draft WIMSE Execution Context February 2026
Task 003 has two parents from different trust domains, demonstrating
cross-organizational fan-in. The compliance agent verifies both
parent ECTs — one signed by a local key and one by a federated key
@@ -1435,6 +1560,16 @@ OAuth 2.0 Token Exchange and the "act" Claim
concepts are orthogonal: "act" records "who authorized whom," ECTs
record "what was done, in what order."
Nennemann Expires 29 August 2026 [Page 28]
Internet-Draft WIMSE Execution Context February 2026
Transaction Tokens
OAuth Transaction Tokens [I-D.ietf-oauth-transaction-tokens]
@@ -1450,14 +1585,6 @@ Transaction Tokens
downstream services, each receives the same "req_wl" value and the
branching is invisible.
Nennemann Expires 29 August 2026 [Page 26]
Internet-Draft WIMSE Execution Context February 2026
* It is incomplete: only workloads that request a replacement token
from the Transaction Token Service appear in "req_wl"; workloads
that forward the token unchanged are not recorded.
@@ -1465,6 +1592,10 @@ Internet-Draft WIMSE Execution Context February 2026
* It carries no task-level granularity, no parent references, and no
execution content.
* It cannot represent convergence (fan-in): when two independent
paths must both complete before a dependent task proceeds, a
linear "req_wl" string cannot express that relationship.
Extensions for agentic use cases
([I-D.oauth-transaction-tokens-for-agents]) add agent identity and
constraints ("agentic_ctx") but no execution ordering or DAG
@@ -1480,6 +1611,21 @@ Internet-Draft WIMSE Execution Context February 2026
Txn-Token; a similar binding mechanism for ECTs is a potential future
extension.
Nennemann Expires 29 August 2026 [Page 29]
Internet-Draft WIMSE Execution Context February 2026
Distributed Tracing (OpenTelemetry)
OpenTelemetry [OPENTELEMETRY] and similar distributed tracing systems
@@ -1494,6 +1640,18 @@ Distributed Tracing (OpenTelemetry)
while ECTs provide signed execution records. ECTs may reference
OpenTelemetry trace identifiers in the "ext" claim for correlation.
W3C Provenance Data Model (PROV)
The W3C PROV Data Model defines an Entity-Activity-Agent ontology for
representing provenance information. PROV's concepts map closely to
ECT structures: PROV Activities correspond to ECT tasks, PROV Agents
correspond to WIMSE workloads, and PROV's "wasInformedBy" relation
corresponds to ECT "par" references. However, PROV uses RDF/OWL
ontologies designed for post-hoc documentation, while ECTs are
runtime-embeddable JWT tokens with cryptographic signatures. ECT
audit data could be exported to PROV format for interoperability with
provenance-aware systems.
SCITT (Supply Chain Integrity, Transparency, and Trust)
The SCITT architecture [I-D.ietf-scitt-architecture] defines a
@@ -1502,18 +1660,6 @@ SCITT (Supply Chain Integrity, Transparency, and Trust)
correlation identifier in SCITT Signed Statements, linking an ECT
audit trail to a supply chain transparency record.
Nennemann Expires 29 August 2026 [Page 27]
Internet-Draft WIMSE Execution Context February 2026
Acknowledgments
The author thanks the WIMSE working group for their foundational work
@@ -1531,38 +1677,4 @@ Author's Address
Nennemann Expires 29 August 2026 [Page 28]
Nennemann Expires 29 August 2026 [Page 30]


@@ -25,14 +25,14 @@
<date year="2026" month="February" day="25"/>
<area>Security</area>
<area>ART</area>
<workgroup>WIMSE</workgroup>
<keyword>execution context</keyword> <keyword>workload identity</keyword> <keyword>agentic workflows</keyword> <keyword>audit trail</keyword>
<abstract>
<?line 53?>
<?line 54?>
<t>This document defines Execution Context Tokens (ECTs), an extension
to the Workload Identity in Multi System Environments (WIMSE)
@@ -59,7 +59,7 @@ existing WIMSE headers.</t>
<middle>
<?line 69?>
<?line 70?>
<section anchor="introduction"><name>Introduction</name>
@@ -460,7 +460,9 @@ a root task with no dependencies. A workflow <bcp14>MAY</bcp14> contain
multiple root tasks. Parent ECTs may have passed their own
"exp" time; ECT expiration applies to the verification window
of the ECT itself, not to its validity as a parent reference
in the ECT store.</t>
in the ECT store. Note: "par" is not a registered JWT claim
and does not conflict with OAuth Pushed Authorization Requests
(RFC 9126), which defines an endpoint, not a token claim.</t>
</dd>
</dl>
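Review bot: the added sentence 'Note: "par" is not a registered JWT claim and does not conflict with OAuth Pushed Authorization Requests (RFC 9126)' mentions RFC 9126 in plain prose with no <xref/> and no matching reference entry, so the citation is not resolvable in the built document. Turn it into an informative xref with a reference entry, and consider moving the naming rationale out of the claim definition and next to wherever the ECT claim names are registered, since it is justification rather than normative content about the claim's value.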
@@ -473,21 +475,18 @@ inputs and outputs without revealing the data itself:</t>
<dl>
<dt>inp_hash:</dt>
<dd>
<t><bcp14>OPTIONAL</bcp14>. String. A cryptographic hash of the input data,
formatted as "hash-algorithm:base64url-encoded-hash" (e.g.,
"sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg"). The
hash algorithm identifier <bcp14>MUST</bcp14> be a lowercase value from the
IANA Named Information Hash Algorithm Registry (e.g., "sha-256",
"sha-384", "sha-512"). Implementations <bcp14>MUST</bcp14> support "sha-256"
and <bcp14>SHOULD</bcp14> use "sha-256" unless a stronger algorithm is
required. Implementations <bcp14>MUST NOT</bcp14> accept hash algorithms
weaker than SHA-256 (e.g., MD5, SHA-1). The hash <bcp14>MUST</bcp14> be
computed over the raw octets of the input data.</t>
<t><bcp14>OPTIONAL</bcp14>. String. The base64url encoding (without padding) of
the SHA-256 hash of the input data, computed over the raw octets
of the input. This follows the same fixed-algorithm pattern
used by the DPoP "ath" claim <xref target="RFC9449"/> and the WIMSE WPT
"tth" claim <xref target="I-D.ietf-wimse-s2s-protocol"/>: SHA-256 is the
mandatory algorithm with no algorithm prefix in the value.</t>
</dd>
<dt>out_hash:</dt>
<dd>
<t><bcp14>OPTIONAL</bcp14>. String. A cryptographic hash of the output data,
using the same format and algorithm requirements as "inp_hash".</t>
<t><bcp14>OPTIONAL</bcp14>. String. The base64url encoding (without padding) of
the SHA-256 hash of the output data, using the same format as
"inp_hash".</t>
</dd>
</dl>
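Review bot: the replacement inp_hash text removes the old format validation without putting anything in its place. A verifier can no longer dispatch on a "sha-256:" prefix, so state explicitly that the value MUST be exactly the unpadded base64url encoding of a 32-octet digest (43 characters) and that a prefixed value in the -00 format MUST be rejected rather than parsed leniently; otherwise old-format producers pass through silently. "computed over the raw octets of the input" also leaves structured inputs underspecified: whoever recomputes the hash must hold exactly the bytes the issuer received, so either require a canonical serialization or say the hash is only comparable against the octets as received. The DPoP "ath" analogy is accurate (RFC 9449 defines ath as base64url(SHA-256(access token)) with no prefix), but one sentence should note that a fixed algorithm means any future migration needs a new claim name rather than a new prefix.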
@@ -497,9 +496,12 @@ using the same format and algorithm requirements as "inp_hash".</t>
<dl>
<dt>ext:</dt>
<dd>
<t><bcp14>OPTIONAL</bcp14>. Object. An extension object for domain-specific
claims not defined by this specification. Implementations
that do not understand extension claims <bcp14>MUST</bcp14> ignore them.</t>
<t><bcp14>OPTIONAL</bcp14>. Object. A general-purpose extension object for
domain-specific claims not defined by this specification. The
short name "ext" follows the JWT convention of concise claim
names and is chosen over alternatives like "extensions" for
compactness. Implementations that do not understand extension
claims <bcp14>MUST</bcp14> ignore them.</t>
</dd>
</dl>
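Review bot: the added naming justification for "ext" is fine, but the definition still says nothing about how keys inside the extension object avoid colliding with each other or with claims defined later; the example updated in the next hunk uses a reverse-DNS key ("com.example.trace_id") yet nothing normative requires that pattern. Add a sentence that extension keys SHOULD be Collision-Resistant Names in the sense of RFC 7519 Section 4.2 (for example a domain-prefixed name), so that two deployments cannot produce conflicting meanings for the same bare key.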
@@ -534,8 +536,12 @@ future documents.</t>
"exec_act": "recommend_treatment",
"par": [],
"inp_hash": "sha-256:n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
"out_hash": "sha-256:LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564"
"inp_hash": "n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
"out_hash": "LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
"ext": {
"com.example.trace_id": "abc123"
}
}
]]></sourcecode></figure>
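Review bot: the two example digests decode to the SHA-256 of the ASCII strings "test" (inp_hash) and "hello" (out_hash); say so in the text introducing the example so readers can reproduce them and confirm the new prefix-free encoding, and note that the "ext" value shown is illustrative and that the reverse-DNS key form is the recommended way to avoid collisions.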
@@ -630,6 +636,31 @@ implementations <bcp14>SHOULD</bcp14> enforce a maximum ancestor traversal limit
(<bcp14>RECOMMENDED</bcp14>: 10000 nodes). If the limit is reached before cycle
detection completes, the ECT <bcp14>SHOULD</bcp14> be rejected.</t>
</section>
<section anchor="handling-unavailable-parent-ects"><name>Handling Unavailable Parent ECTs</name>
<t>In distributed deployments, a parent ECT referenced in the "par"
array may not yet be available in the local ECT store at the time
of validation — for example, due to replication lag in a
distributed ledger or out-of-order message delivery.</t>
<t>Implementations <bcp14>MUST</bcp14> distinguish between two cases:</t>
<t><list style="numbers" type="1">
<t>Parent not found and definitively absent: The parent "jti"
does not exist in any accessible ECT store. The ECT <bcp14>MUST</bcp14> be
rejected.</t>
<t>Parent not yet available: The parent "jti" is not present
locally but may arrive due to known replication delays.
Implementations <bcp14>MAY</bcp14> defer validation for a bounded period
(<bcp14>RECOMMENDED</bcp14>: no more than 60 seconds).</t>
</list></t>
<t>Deferred ECTs <bcp14>MUST NOT</bcp14> be treated as verified until all parent
references are resolved. If any parent reference remains
unresolved after the deferral period or after the ECT's own "exp"
time (whichever comes first), the ECT <bcp14>MUST</bcp14> be rejected.</t>
</section>
</section>
<section anchor="verification"><name>Signature and Token Verification</name>
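Review bot: the numbered list in "Handling Unavailable Parent ECTs" says implementations MUST distinguish "definitively absent" from "not yet available" but gives no criterion a verifier can apply: both cases present as a miss on the local store, and "does not exist in any accessible ECT store" cannot be established by a single lookup. Either define the distinction operationally (a miss against the store designated authoritative for the parent issuer's trust domain is definitive; a miss on a replica is provisional) or collapse the two cases into one rule: every miss is provisional for at most the deferral period, after which the ECT is rejected. Also say whether a deferred ECT that is finally rejected has its "jti" recorded; otherwise the same token can be resubmitted to restart the 60-second timer, which interacts badly with the duplicate-"jti" rule in the replay section.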
@@ -643,8 +674,12 @@ verification steps in order:</t>
<t>Parse the JWS Compact Serialization to extract the JOSE header,
payload, and signature components per <xref target="RFC7515"/>.</t>
<t>Verify that the "typ" header parameter is "wimse-exec+jwt".</t>
<t>Verify that the "alg" header parameter is not "none" and is
not a symmetric algorithm.</t>
<t>Verify that the "alg" header parameter appears in the
verifier's configured allowlist of accepted signing algorithms.
The allowlist <bcp14>MUST NOT</bcp14> include "none" or any symmetric
algorithm (e.g., HS256, HS384, HS512). Implementations <bcp14>MUST</bcp14>
include ES256 in the allowlist; additional asymmetric algorithms
<bcp14>MAY</bcp14> be included per deployment policy.</t>
<t>Verify the "kid" header parameter references a known, valid
public key from a WIT within the trust domain.</t>
<t>Retrieve the public key identified by "kid" and verify the JWS
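Review bot: step 3 now reads "Implementations MUST include ES256 in the allowlist", which turns an interoperability requirement into a policy constraint: a deployment standardised on EdDSA, or one that must disable an algorithm after a weakness is published, becomes non-compliant by removing it. Say "Implementations MUST support ES256" (so it can be enabled) and leave allowlist contents to deployment policy. The allowlist check should also be paired with a key-type check in the following step: verify that the key resolved from "kid" has the key type and curve the "alg" requires (an EC P-256 key for ES256) before running the signature check, since excluding "none" and HS* does not by itself stop a verifier from selecting the verification routine from "alg" and applying it to whatever key "kid" returns.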
@@ -812,6 +847,12 @@ with the same action can be flagged as a potential replay.</t>
values to detect replayed ECTs within the expiration window.
An ECT with a duplicate "jti" value <bcp14>MUST</bcp14> be rejected.</t>
<t>Additionally, each ECT is cryptographically bound to the issuing
agent via the JOSE "kid" parameter, which references the agent's
WIT public key. Verifiers <bcp14>MUST</bcp14> confirm that the "kid" resolves
to the "iss" agent's key (step 8 in <xref target="verification"/>), preventing
one agent from replaying another agent's ECT as its own.</t>
</section>
<section anchor="man-in-the-middle-protection"><name>Man-in-the-Middle Protection</name>
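Review bot: the added paragraph says the "kid" binding prevents "one agent from replaying another agent's ECT as its own", but confirming that "kid" resolves to the "iss" key only stops an attacker from presenting a captured ECT under a different "iss"; a third party that forwards the intact, correctly signed ECT still passes this check, and that case is covered only by the "jti" tracking in the preceding paragraph. Reword to "prevents an agent from claiming issuance of another agent's ECT" and keep replay detection attributed to "jti". The hard-coded "step 8 in <xref target="verification"/>" is also fragile given that step 3 was rewritten in this same change; refer to the step by content (the "kid" to "iss" consistency check) or give it its own anchor.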
@@ -852,6 +893,16 @@ ledger before revocation remain valid historical records but <bcp14>SHOULD</bcp1
be flagged in the ledger as "signed with subsequently revoked key"
for audit purposes.</t>
<t>ECT revocation does not propagate through the DAG. If a parent
ECT's signing key is later revoked, child ECTs that were verified
and recorded before that revocation remain valid — they captured
a legitimate execution record at the time of issuance. However,
auditors reviewing a workflow <bcp14>SHOULD</bcp14> flag any ECT in the DAG
whose signing key was subsequently revoked, so that the scope of
a potential compromise can be assessed. New ECTs <bcp14>MUST NOT</bcp14> be
created with a "par" reference to an ECT whose signing key is
known to be revoked at creation time.</t>
</section>
<section anchor="collusion-and-false-claims"><name>Collusion and False Claims</name>
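Review bot: the new paragraph covers children verified before the parent key was revoked and new children created afterwards, but not the case in between: a child whose "par" points at a parent now flagged "signed with subsequently revoked key" still satisfies the existence check in DAG validation, so verification of that child succeeds silently. State what a verifier does on this path (at minimum surface the flag to the caller; deployment policy may reject) and say whether the comparison is against the revocation time or the parent's "iat", since a key compromised before the parent was issued makes the parent itself suspect. "known to be revoked at creation time" also presumes the issuer has a revocation feed to consult; name the mechanism or mark it out of scope.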
@@ -871,6 +922,52 @@ compared for consistency.</t>
contents against expected workflow patterns.</t>
</list></t>
</section>
<section anchor="dag-integrity-attacks"><name>DAG Integrity Attacks</name>
<t>Because the DAG structure is the primary mechanism for establishing
execution ordering, attackers may attempt to manipulate it:</t>
<t><list style="symbols">
<t>False parent references: A malicious agent creates an ECT that
references parent tasks from an unrelated workflow, inserting
itself into a legitimate execution history. DAG validation
(<xref target="dag-validation"/>) mitigates this by requiring parent existence
in the ECT store, and the "wid" claim scopes parent references
to a single workflow when present.</t>
<t>Parent omission (pruning): An agent deliberately omits one or
more actual parent dependencies from the "par" array to hide
that certain tasks influenced its output. Because ECTs are
self-asserted (<xref target="self-assertion-limitation"/>), no mechanism can
force an agent to declare all dependencies. External auditors
can detect omission by comparing the declared DAG against
expected workflow patterns.</t>
<t>Shadow DAGs: Multiple colluding agents fabricate an entire
execution history by creating a sequence of ECTs with mutual
parent references. Independent ledger maintenance and
cross-verification (see <xref target="collusion-and-false-claims"/> above)
are the primary mitigations.</t>
</list></t>
<t>Verifiers <bcp14>SHOULD</bcp14> validate that the declared "wid" of parent ECTs
matches the "wid" of the child ECT, rejecting cross-workflow
parent references unless explicitly permitted by deployment
policy.</t>
</section>
<section anchor="privilege-escalation-via-ects"><name>Privilege Escalation via ECTs</name>
<t>ECTs record execution history; they do not convey authorization.
Verifiers <bcp14>MUST NOT</bcp14> interpret the presence of an ECT, or a
particular set of parent references in "par", as an authorization
grant. The "par" claim demonstrates that predecessor tasks were
recorded, not that the current agent is authorized to act on
their outputs. Authorization decisions <bcp14>MUST</bcp14> remain with the
identity and authorization layer (WIT, WPT, and deployment
policy). As noted in <xref target="I-D.ni-wimse-ai-agent-identity"/>,
AI intermediaries introduce novel escalation vectors; ECTs
<bcp14>MUST NOT</bcp14> be used to circumvent authorization boundaries.</t>
</section>
<section anchor="denial-of-service"><name>Denial of Service</name>
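Review bot: the "wid" check closing the DAG Integrity Attacks section ('Verifiers SHOULD validate that the declared "wid" of parent ECTs matches the "wid" of the child') is only as strong as the claim's presence, and the first bullet itself says "wid" scopes parents only "when present": an agent mounting the false-parent attack simply omits "wid" from its own ECT and the comparison has nothing to compare. Add a rule that if any referenced parent carries "wid", the child MUST carry the same value, and that a child with "wid" MUST NOT reference a parent lacking one, unless deployment policy permits. In the Privilege Escalation section the statement that authorization "MUST remain with the identity and authorization layer (WIT, WPT, and deployment policy)" is clear; it would be worth adding that "inp_hash", "out_hash" and "ext" contents are self-asserted in exactly the way "par" is and likewise MUST NOT be a source of permissions.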
@@ -1432,6 +1529,23 @@ been incorporated into this document. This document obsoletes RFC
<seriesInfo name="Internet-Draft" value="draft-ietf-scitt-architecture-22"/>
</reference>
<reference anchor="RFC9449">
<front>
<title>OAuth 2.0 Demonstrating Proof of Possession (DPoP)</title>
<author fullname="D. Fett" initials="D." surname="Fett"/>
<author fullname="B. Campbell" initials="B." surname="Campbell"/>
<author fullname="J. Bradley" initials="J." surname="Bradley"/>
<author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
<author fullname="M. Jones" initials="M." surname="Jones"/>
<author fullname="D. Waite" initials="D." surname="Waite"/>
<date month="September" year="2023"/>
<abstract>
<t>This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9449"/>
<seriesInfo name="DOI" value="10.17487/RFC9449"/>
</reference>
<reference anchor="I-D.ietf-oauth-transaction-tokens">
<front>
@@ -1497,7 +1611,7 @@ been incorporated into this document. This document obsoletes RFC
</references>
<?line 986?>
<?line 1078?>
<section numbered="false" anchor="use-cases"><name>Use Cases</name>
@@ -1616,6 +1730,9 @@ token from the Transaction Token Service appear in "req_wl";
workloads that forward the token unchanged are not recorded.</t>
<t>It carries no task-level granularity, no parent references,
and no execution content.</t>
<t>It cannot represent convergence (fan-in): when two independent
paths must both complete before a dependent task proceeds, a
linear "req_wl" string cannot express that relationship.</t>
</list></t>
<t>Extensions for agentic use cases
@@ -1650,6 +1767,19 @@ provide observability while ECTs provide signed execution records.
ECTs may reference OpenTelemetry trace identifiers in the "ext"
claim for correlation.</t>
</section>
<section numbered="false" anchor="w3c-provenance-data-model-prov"><name>W3C Provenance Data Model (PROV)</name>
<t>The W3C PROV Data Model defines an Entity-Activity-Agent ontology
for representing provenance information. PROV's concepts map
closely to ECT structures: PROV Activities correspond to ECT
tasks, PROV Agents correspond to WIMSE workloads, and PROV's
"wasInformedBy" relation corresponds to ECT "par" references.
However, PROV uses RDF/OWL ontologies designed for post-hoc
documentation, while ECTs are runtime-embeddable JWT tokens with
cryptographic signatures. ECT audit data could be exported to
PROV format for interoperability with provenance-aware systems.</t>
</section>
<section numbered="false" anchor="scitt-supply-chain-integrity-transparency-and-trust"><name>SCITT (Supply Chain Integrity, Transparency, and Trust)</name>
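Review bot: "PROV uses RDF/OWL ontologies designed for post-hoc documentation" conflates the abstract PROV Data Model with one of its serializations: PROV-DM is serialization-independent, PROV-O is the OWL encoding and PROV-N the textual notation, so the contrast with ECTs should rest on signing and runtime embedding rather than on RDF. The mapping would also be more useful if it covered the data claims: an ECT's "inp_hash" and "out_hash" correspond to PROV Entities linked to the Activity by "used" and "wasGeneratedBy", which is what a PROV export would need beyond "wasInformedBy" for "par".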
@@ -1675,334 +1805,371 @@ tracing is built.</t>
</back>