From d90aeda65836590b42e5f455ddfc22dccb8140fb Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Fri, 14 Dec 2018 00:14:03 -0500 Subject: [PATCH 01/21] draft of alternate proposal for cross-signing --- proposals/xxxx-cross-signing.md | 135 ++++++++++++++++++++++++++++++++ 1 file changed, 135 insertions(+) create mode 100644 proposals/xxxx-cross-signing.md diff --git a/proposals/xxxx-cross-signing.md b/proposals/xxxx-cross-signing.md new file mode 100644 index 00000000000..a1b3cf5539d --- /dev/null +++ b/proposals/xxxx-cross-signing.md 
@@ -0,0 +1,135 @@ +Each user has a "master identity key" that is used to sign their devices, and +is signed by all of their devices. When one user (Alice) verifies another +user's (Bob's) identity, Alice will sign Bob's master identity key with her +master identity key. (This will mean that verification methods will need to be +modified to pass along the master identity key.) Alice's device will trust +Bob's device if: + +- Alice's device has signed her master identity key, +- her master identity key has signed Bob's master identity key, +- Bob's master identity key has signed Bob's device, and +- none of those signatures have been revoked. + +If Alice believes that her master identity key has been compromised, she can +revoke it and create a new one. This means that all trust involving Alice +(i.e. Alice trusting other people and other people trusting Alice) needs to +start from scratch. + +The master identity key's private key can be stored encrypted on the server +(possibly along with the megolm key backup). Clients may or may not want to +store a copy of the private key locally. Doing so would mean that an attacker +who steals a device has access to the private key, and so can forge trusted +devices until the user notices and resets their master key. However, not doing +so means that when the user verifies another user, they will need to re-fetch +the private key, which means that they will need to re-enter their recovery +key to decrypt it. + +When a user logs in with a new device, they will fetch and decrypt the private +master key, sign the new device's key with the master key, and sign the master +key with the device's key. + +Users will only be allowed to see signatures made by their own master identity +key, or signatures made by other users' master identity keys on their own +devices. + +# API description + +## Possible API 1 + +Use the same API as MSC1680, but with additions. 
+ +API to create new virtual device: + +`POST /devices/create` + +returns + +``` javascript +{ + "device_id": "ABCDEFG" +} +``` + +Send public key using `/keys/upload` as a normal device, but with a special +"algorithms" list: + +`POST /keys/upload` + +``` javascript +{ + "device_keys": { + "user_id": "@alice:example.com", + "device_id": "ABCDEFG", + "algorithms": ["m.master"], + "keys": { + "ed25519:ABCDEFG": "base64+public+key" + }, + "signatures": { + "@alice:example.com": { + "ed25519:ABCDEFG": "base64+self+signature" + } + } + } +} +``` + +(This may require changes in what `device_id`s are accepted by `/keys/upload`.) + +Attestations/revocations will be uploaded and retrieved as described in +MSC1680. Creating a new master key would involve revoking the old master key +by sending a signed revocation and deleting the device using `DELETE +/devices/{deviceId}`, and then creating a new master key. + +Private master key could be stored as part of the key backup (MSC1219), maybe +as a special room ID + session ID, or possibly in the `auth_data` for the +backup version (the latter would mean that changing the master key would +require creating a new backup version, which may be what users need to do +anyways). Or the private master key could be stored in account data, +e.g. `/user/{userId}/account_data/m.master.{deviceId}`. + +## Possible API 2 + +Treat master key separately from normal devices and adding special handling for +them. This might result in a nicer API, but make the implementation more +complicated. For example, the server could automatically add master key +signatures into a device's `signatures` field, rather than shipping the +attestations separately. + +TODO: write this option out + +# Comparison with MSC1680 + +MSC1680 suffers from the fact that the attestation graph may be arbitrarily +complex and may become ambiguous how the graph should be interpreted. 
In +particular, it is not obvious exactly how revocations should be interpreted -- +should they be interpreted as only revoking the signature created previously by +the device making the revocation, or should it be interpreted as a statement +that the device should not be trusted at all? As well, a revocation may split +the attestation graph, causing devices that were previously trusted to possibly +become untrusted. Logging out a device may also split the attestation graph. +Moreover, it may not be clear to a user what device verifications would be +needed to reattach the parts of the graph. + +One way to solve this is by registering a "virtual device", which is used to +sign other devices. This solution would be similar to this proposal. However, +real devices would still form an integral part of the attestation graph. For +example, if Alice's phone verifies Bob's tablet, the attestation graph might +look like Alice's laptop <-> Alice's virtual device <-> Alice's phone <-> Bob's +tablet <-> Bob's virtual device <-> Bob's desktop. So if Bob replaces his +tablet without re-verifying with Alice, this will split the graph and Alice +will not be able to verify Bob's other devices. In contrast, in this proposal, +Alice and Bob's master keys directly sign each other, and the attestation graph +would look like Alice's phone <-> Alice's master device <-> Bob's master device +<-> Bob's tablet. In this case, Bob's tablet can be replaced without breaking +the graph. FIXME: graphviz-ify the attestation graphs + +With normal cross-signing, it is not clear how to recover from a stolen device. +For example, if Mallory steals one of Alice's devices and revokes Alice's other +devices, it is unclear how Alice can rebuild the attestation graph with her +devices, as there may be stale attestations and revocations lingering around. 
+(This also relates to the question of whether a revocation should only revoke +the signature created previously by the device making the attestation, or +whether it should be a statement that the device should not be trusted at all.) +In contrast, with this proposal, there is a clear way to rebuild the +attestation graph: create a new master identity key, and re-verify all devices +with it. From de1173821022d22ea0366231abfcd80363919119 Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Fri, 14 Dec 2018 00:25:18 -0500 Subject: [PATCH 02/21] rename to match PR --- proposals/{xxxx-cross-signing.md => 1756-cross-signing.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename proposals/{xxxx-cross-signing.md => 1756-cross-signing.md} (100%) diff --git a/proposals/xxxx-cross-signing.md b/proposals/1756-cross-signing.md similarity index 100% rename from proposals/xxxx-cross-signing.md rename to proposals/1756-cross-signing.md From f3997cd09ef81fe6d9cd97883103426d79c51d52 Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Fri, 14 Dec 2018 19:08:37 -0500 Subject: [PATCH 03/21] graphviz-ify graphs and add some more structure --- proposals/1756-cross-signing.md | 30 ++++++++++++++++++++------- proposals/images/1756-graph1.dot | 13 ++++++++++++ proposals/images/1756-graph1.dot.png | Bin 0 -> 30297 bytes proposals/images/1756-graph2.dot | 13 ++++++++++++ proposals/images/1756-graph2.dot.png | Bin 0 -> 29214 bytes 5 files changed, 48 insertions(+), 8 deletions(-) create mode 100644 proposals/images/1756-graph1.dot create mode 100644 proposals/images/1756-graph1.dot.png create mode 100644 proposals/images/1756-graph2.dot create mode 100644 proposals/images/1756-graph2.dot.png diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index a1b3cf5539d..0bb365e9bcc 100644 --- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md 
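Review bot: on the `@@ -0,0 +1,135 @@` hunk of PATCH 01/21, the master-key rotation step under `## Possible API 1` (`revoking the old master key by sending a signed revocation and deleting the device using DELETE /devices/{deviceId}`) leaves the ordering unspecified, and the ordering matters: the revocation is signed by the old master key, and the only place this hunk publishes that key is `/keys/upload` as a device, so once the virtual device is deleted a client that has not already cached the old public key has nothing to verify the revocation against. Spell out that the revocation is published first and that the old public key stays retrievable afterwards, and state what authentication `DELETE /devices/{deviceId}` on the master virtual device requires, because the stolen-device scenario in `# Comparison with MSC1680` is exactly where an attacker holding one session would try it. The same section also understates the blast radius of a locally stored private key: under the trust rule at the top of the hunk the master key signs other users' master keys as well as Alice's own devices, so `an attacker who steals a device has access to the private key, and so can forge trusted devices` should add that the attacker can equally forge Alice's verifications of other users until she resets the key.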
@@ -1,3 +1,9 @@ +# Background + +FIXME: something something + +# Proposal + Each user has a "master identity key" that is used to sign their devices, and is signed by all of their devices. When one user (Alice) verifies another user's (Bob's) identity, Alice will sign Bob's master identity key with her @@ -114,14 +120,18 @@ One way to solve this is by registering a "virtual device", which is used to sign other devices. This solution would be similar to this proposal. However, real devices would still form an integral part of the attestation graph. For example, if Alice's phone verifies Bob's tablet, the attestation graph might -look like Alice's laptop <-> Alice's virtual device <-> Alice's phone <-> Bob's -tablet <-> Bob's virtual device <-> Bob's desktop. So if Bob replaces his -tablet without re-verifying with Alice, this will split the graph and Alice -will not be able to verify Bob's other devices. In contrast, in this proposal, -Alice and Bob's master keys directly sign each other, and the attestation graph -would look like Alice's phone <-> Alice's master device <-> Bob's master device -<-> Bob's tablet. In this case, Bob's tablet can be replaced without breaking -the graph. FIXME: graphviz-ify the attestation graphs +look like: + +![](images/1756-graph1.dot.png) + +If Bob replaces his tablet without re-verifying with Alice, this will split the +graph and Alice will not be able to verify Bob's other devices. In contrast, +in this proposal, Alice and Bob's master keys directly sign each other, and the +attestation graph would look like: + +![](images/1756-graph2.dot.png) + +In this case, Bob's tablet can be replaced without breaking the graph. With normal cross-signing, it is not clear how to recover from a stolen device. For example, if Mallory steals one of Alice's devices and revokes Alice's other 
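Review bot: in the `@@ -1,3 +1,9 @@` hunk, `FIXME: something something` under the new `# Background` heading is a placeholder in the section a reader hits first. The material it needs already exists further down (the attestation-graph ambiguity and the revocation-semantics question in `# Comparison with MSC1680`), so a short paragraph naming MSC1680 and the problem this proposal addresses could be summarised here instead of shipping the FIXME.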
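Review bot: in the `@@ -114,14 +120,18 @@` hunk, `![](images/1756-graph1.dot.png)` and `![](images/1756-graph2.dot.png)` have empty alt text, and the sentence this hunk removes was the only place that named the nodes in each chain (`Alice's laptop <-> Alice's virtual device <-> Alice's phone <-> Bob's tablet <-> Bob's virtual device <-> Bob's desktop`, and `Alice's phone <-> Alice's master device <-> Bob's master device <-> Bob's tablet` for this proposal). A reader of the raw markdown, or of the rendered page without images, now gets `the attestation graph might look like:` followed by nothing. Put each chain back as the image's alt text or as a one-line caption under it, so the comparison still reads without the PNGs.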
@@ -133,3 +143,7 @@ whether it should be a statement that the device should not be trusted at all.) In contrast, with this proposal, there is a clear way to rebuild the attestation graph: create a new master identity key, and re-verify all devices with it. + +# Conclusion + +This proposal presents an alternative cross-signing mechanism to MSC1680. diff --git a/proposals/images/1756-graph1.dot b/proposals/images/1756-graph1.dot new file mode 100644 index 00000000000..8a8c96413f0 --- /dev/null +++ b/proposals/images/1756-graph1.dot @@ -0,0 +1,13 @@ +graph { +A1 [label="A's PDP-11"] +AV [label="A's virtual device"] +A2 [label="A's Osborne 2"] +B1 [label="B's Dynabook"] +BV [label="B's virtual device"] +B2 [label="B's VAX"] +A1 -- AV +AV -- A2 +A2 -- B1 +B1 -- BV +BV -- B2 +} \ No newline at end of file 
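Review bot: in the `@@ -0,0 +1,13 @@` hunk for `proposals/images/1756-graph1.dot`, the graph is declared `graph {` with undirected `--` edges, but every relation it depicts is a signature with a signer and a subject (the proposal's own trust rule is stated per direction: `Alice's device has signed her master identity key`, `her master identity key has signed Bob's master identity key`), and the argument against MSC1680 in the same patch turns on which direction a revocation acts in. Use `digraph {` with `->` edges so the picture shows which signatures actually exist, and apply the same to the graph2 source; the `\ No newline at end of file` is also worth fixing before merge.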
diff --git a/proposals/images/1756-graph1.dot.png b/proposals/images/1756-graph1.dot.png new file mode 100644 index 0000000000000000000000000000000000000000..87a78f83727c9174c07f3bc1889fc9f9f66553f7 GIT binary patch literal 30297
z9Ch2you^Eyqc{Q*IQN$}H#eI$rt0+!51*3e3<8(_1D;y{`}bkZ^2%=<6D366dG9aK-iO*H4Nh zUxYrijfqKtQqkD>^z?Hn1#}@WMAn2eXV32D<-H5sG5`0k=8YSJ^1`z}6s33V^1@P3 zLgUQ5*?R(wfYtXHi#Pw4O&o`B-g_PysivstDPjIg9@`a1kC>gkz0eb?p^Bc+($X?8 z{ihDhRf`)Hjoh0PCr(T^nWbsDx-NGMr;hQowX~e_-?6{%!5Bnxxzi=Ib#W-E3rkbg zYWn)o=xGCZnm9n{sZCEzoTPfLYf;c-8Nx*z`Rne2C-Ck0+o(ba;W z5n^IuFFZFe%w`?9=8G1lb?sWhr^{4lw6qkU)(C=6EPw^7@rG2qkHQ8E0fAMIJaV3g zelB1g8oy%ggS>{vVA=Qm{CLQR!4ns3rBde@b>~k)j?h=7pLB0XxXW)zuVqRIGSb%5@d{>7d=;Ljj~sE3Jq zEG;b!U?(P^M0>b6y3T%+Y}eG(WX#FVrggehVxTuan4G4HeE?l=?iKq(AD_RYt+{Id z{1bj5Rd;t|P#~0aehS%5(&J->>0!7MQixeHjILiDdcDKmUYe zWz7X|n1={THrMTurbGNAxE{0sPO9MfX(*#qXD(bwAe*wOx!G@EV$sdibT<_@_C1Ft`YsQP-K2qgBcxT0BjeNA*f@$HCRVk>5 zKEkCwUq9aL{IniT>Hh0zeuKi-u0_QRorby0%a0mS1SB)7tXE)7u`UmylV)#fs#E+r*Z)YQa=W)b4( zcJ=Bm;;@kq!pHjzTOsFYvhf!o^OE-C1QXYV{Z{TwQS{`ZqCxP#{7g zB4|2BgI{82dq+gDqeF>;L;U*nt0HqwRPgk3cbMNm`b6cr+)S)I7q&S!I`}sc)*M{husAo$ULg!2+kk+;OK2aO1(^ch-Msa~_k?*4FMo!RD;L z&G{J(I0j;}oSfWf`pWEb0l^!%<3G^dNc~9C(9L(+j$P=9=BuNl^A@HSag-YyFJ4Q0 znPsOkh%1(dd<1vQ6P5W^^Tc77zoJ>`u6^MqZ_(xe_~a&~=bUOjik-XcHh)z~NvQ+- zbhvrzXuD)uQW6jN$pUCK_2k)Og(%NjfGbQ)=vw}i8n_)?3(wPy%4^{c`}w{CP6cFh zdY<+A^?h=zHS%Ad?28Ksphe;5#T8^^WhHLkdx0^!IuTaD`jmRU9S7x&c zZB}Qer{kgIPA5Hq448q#{nKU=?W&w>KPJHY;`{g0H*IWqfbMUYn#R^8YSaOCkZK{j zG_Kf`ZiJn`Fe@cczRbnc?%25h{#a$E@fHF6>ObO01Fr1+wxR|#fR6Ucl;tXUvbpL}@dt3Ju=gYCJtsG-( zWpTS}d^7FzyI9{s;^Lv;cBXB4jxDxMm+Y}iD~pQU z(LYZS6&gMJAsB3UM1<|~l>h#M7@(BVaUI;(!-o(5c(nU$_FkCc}bLc#|KVJzD(e-uj3gdp*>kwAL zLshw4#;K@c)^4C@WcrbuR&au{a4;q;(+C{PsXx+w0C!*P&e%z3^q+Vz-l?c)X~&1M zD}TE$H*=jD%b(+fM@Zi^2~+DN_RG!1jF5w+Muvvhzdt|RvSYZfI$GoDetowN+l9Kh z#VuX6Ga~%__k0%`1W`}*))bAnGqtwz*xtO^wX*!y&S${VHzFe9YyISJlV~Q&{lLJN z&?aje8WMopDypWiTeeV|a_z06`*;Rj^+GnF#X13jI7g%`9w1Ph7%l$kfms&K-Y}zV zSLtbJJmcc{X2;rtpiFI$RXKltJJF;Ee8i(AOw>X*${ovPovmGeB0Gmx|IwUKQt{s3cF#1#bQv2hr-OvO86+g9d%j5WH zw{W;z2FyM--rv3#gx(hdql#s9ZS5As4}M`u&3$Cxl=j7Dn#)-(CWsqcbyPWfZD4hO z$?xAe&5IS>H<^kSz2EH*YTN}O&ps$Ze+wqxib7Koq}5#KUAMD 
zc{@EbQwe&`+?Y?w(KB=H<~#xd)D&>C;@0)UD?F}zyu1|ozS9N_5&f5CQua;~#{ztH z`iOoOwD0tnJa-ymKeth0@@wCn!AyffWs4aSxsh5j}1L1?};{2B*+ZVk32JmS8gIQ^JL#8!XaTvN?S*H3@py&;^>s3y1GzjbM6Ht ztD*0nVG$9EXU}f6u&@x?vuBOF<u1c-c`%eAPQ9C z!(as0D(JjF7%Is}>F6|#SV8h!PMr$XkS)gEA$BAD|IU!+sfh_9tWRL8cHz$w!~HK& z@nHu-EMR%m%g)LQdDTVp$+8ror4%U5o+QpR=P|nYe>;cd6gcm+$o_b0mnbOB$$)ea zWcao2oN421a&9iseK{93hVDy4lL`w9`}ff@Y}_ah(b(SWt~4|zlH+jfP`M5HE>gBO-51o>UdUPx{ z*f|xU65oxWEl*8RZ@HR3SPa=m!h`>nYrh`~O8TuowQldTu6<*}slX(l#>!t#y&6+m zUS0x7x%f-A2Bl*7h>YsC*gKHNW=bUe-+(5gl`2M{NKrgrT z)w~UP#-}yldqSu@U_Yw6ZrwV04UM$stK~S=>lPNDvBDM)R_8nET=agXEnEhhe_{Gh ze6yc=y7nochUqePE83m|3o0aDuzBOgfr+tp*EtRtes$>hF=)Ppjot^O}Em!eP5h(NtEZW@_co*|O@~{{+6+4|vNJ-@XOn{vzPw zfB*h{PMxo-OVz846aray2?~a43h^VFwMHI?ksfKyeOj`u4XR)>Jj%y9zX{OJ1ZZ;B*Ei&){}=uz~Y zN5R2GG9N5kk2v){zQ}1B)rJ=K0j4)W-QWyu*IdUXC9=;2Xna!b!@5rt;!TpNX5$|7>WG&3pn~4f&OL0%edA zLRRL(hbNbv{_GNykPv`90-Dt+!qWnb0g}i>ahmUa%C)fi4wq)>rC;E3xV6AF0^F2< z5lRhdmCz6vEXLfvKHc9x_$Uzz?jf>-?>~H?zi|{MA?&4nA5r^aKG>#}mMZCF7;kDU z)YH`^nH-R+%Hm=VUS8e-z&r+*(YV=V1hk$>Sg6m9-Y!zIXo zGc`_J^@31XDjFJ|P->tyorbfMX;RHu`{M@>CDW!`d2o2xW#A*fmCIo?E(|AEwEk6Zb(U%#|L0N5UOnxb-4wzfv1Gv%b82wN4`T_{xrs8BR23-~jX zeS%@7DIcD}%3}NKG2W0X*o`umzn4oNhH3?S5wZwf&d;~bbC!AYeGw#nbHH_BTER*K z5NQJg=ep?XaulQ=P$>p1_B`yY5mbIg$1ZVYb!D0KP^c9Pv++L1T_7g@{`D(3H1up5 zS8`ZLKW=AFSJyEV9LOClBU1C4e};$S=h~cupeK-wQ$_PC?w#t%lm6GL!g#V`t$qAE zYjJRNAg7V{jYOkxTbd|WalA3s?RW9~c`d{rO|M^m-%`T3DVBLP(J85!9pzHwX0^iQZW13CRse4wW=v%hrf%1;j1=OS2=h_FXAsS8M% z0d4NJ-M6=7x)H!<_mLydpb%e2^D9}9rUla9eKsK&>?nWo%idc<4f}{F;*OB54q_N+ z`62J#+3G9r9{v^w7v9nFaQ;LYJ9I8}YHI4~P9Ls}(4D6WN%jU&hwS~L04#j}Rl2URY}vRj(`n`g02wb&+VC(%oT22F!A*r{pC8ojg=%)<^${B2u(Ci6UBC-{QD1a775UCc9l+jwjF@ssF zf>0O<1Rxn_Ja|ax%pMVuClCx7VM@heS7DR&%IaCR z7c6Uy8Ma?EX^aFXG~uSXnnAC7IJc8OVABK?pearC2FU zaQeYI&>Oh{|MurkZvg=7)$59Z^FtyD1bw`KcMf#ti^LZ0dG?~Q7@rD4HBjI@2;zi7 zj@1!%$c)+0(2$Xh?MRrqJ^cw^+mmC%N|1OFC$R1+-GsjWtGStP&z{ZIGIKlEtX-QE z!63?~g58J;Wj*}s02F*=q`Q+6qmG?Bw=L?<%Dm;;=^$gM-e5;%h|}GN@(`DlwCR5t 
zka37xpFV#+-nL6@`P`W^chTcGu+sayE23mwk3co_L}HlXr^B=-d)FKw5Fk<3?+~W`4^-l6xio3 zg@7CL@$h)iOhaiS!8<6|NU4$3ae8`s-dAHMsQLj2S*%4q$2Tab9M2;b;W&ujKpY#G zn3!5el@6}+7AYN@i`lLZ&j#NQLBTUEZ9g2C?B@6bC5q0@M@b4hGxH#}6CZSWXrJbu zOTJJqYwPN4Aoc?q@f|v}9a=gl8dBGH3k&7etXcCbcE{m8`}dP%mxyk*dwu;mTzTxf zcUz;PqFTHqg@jbwRJQi)=$hLrBqR?Z3FO2V-$F8NkW-171``6^26+}LAPVFTGP(y9 z<%PBpIfTF~$UVVNo_M1*0>4~=@-;p);{{(Q;Z*o1`aqckPi(936{GO4g!WO^Vo;CZ(m7gE|C1e(Z&lB*p^nHW6*GUU40w5WA5gq|eegSt3|E z)`(jQ#eh6T=rP%VN%#HzsVF2cZe!yCa5+~8=dhun!Si;M}v#;UT-@vDqWNso&nYQb6C%cqbU{ipUiZe)Jem za7@SuRN2m1R!DI`da@3MB7?RG!@bD?%hj+69I3bP>hU>0yvH`!!remycZg}b$Db1t8qeU zB)_q-F%DZ7Hv(w$_~px-bMHVPl-27U}Wq@-`}xivll9^BHS0rpY`=I85vtZ_*<$`!bRde za_1QH?AHn|>mlO~ZA=;KjO2M-#)~(2x|(hir(hXx-n=*;+Pc@8uE7&jvk!%)>) zriAzHyDD*G?lfP|^KTU!Cwxp{xPs3BT9SyscknW1#)c& z#>9d|0%ruU9okG1!u9o~ue9P~Qd7U%IjO6Evs~LVG&H2B_Gfi8pGa-648k1;hlZ$H z^4B_mVM}VDE`p$f_7fftdH%mZLTa-Zzytt{fuZ4=lP6DxJ$v@)%a_dp0s`bxkx;`~ z8(3Pd)XWV5JpV;yv!3ixLs9N%wQom@S$Fi-3wNw_&2#70Ay!3v(e{&fAjv2K`;;1{ zS4{y=7_ZSoErI<+0ul({9B`VxZplHR$jHcqb8rHW!5Ot#wY0Jt`{1Uw=z^^YVGvh% z52uL~nYC*^03FQ;npJrJUJR4qhGVO~{qUjhc13*QC2j2@7=Q^6m~Qm=IOwZoP1oi( zqX43kLa(L9Jp-jeL>h|MT3kN&7C%jW{rzmkc)TU!kX`ki?Ic7FAGr z_XTEhr;+}SAmL|(B3lH#7Ud2h<9kiMJqQuNE;y*4QTaC`@xN5KI=3on@_i?BAD<>} zHCkX!QQlk~xn@jxb zVPRph4!u>v8>y|ouIQM{b(gtTdk09*SLw}!?xVE1OjZj1MWVbDiDH1rx1uIa=PzBN z0Xe`>3^zZ&Qd@6;aU?@txj>1kqmxrtN3mzcmoInWp~JM;fWZhbVV|RIUql0z-ZGjj zl(x2VkeQGR7nq5%``LfTJ5iG`19vZ}DOJ>%x4`5i-3U`(JI~>Ow6rw&$!$po?~t|3 zU8f33TA?~hCL5atLh3l|5ku5#bh8aKw%)AAgiFKA4WY~<>Q9EFHqz03hLD89bq`9k zSQTJdphU-7jhK-QdPrGf+i8K{{VYBa)Od;W1}pBosgiFO0^nO}eQ7B>Y{=qk3sfq{W^ZI1nsmT}z&XzMs|F4_p<3vU6KcTv3`oHBe9B8r zJ>AxOpz7`CW6xPHfXb%3Ej!^To#2pV@SqHgj6A`FV_&>D_V33^@UbW8f^Tp9+=I-F z0Z1=K5V*-)4u10J>C>;d(%!5Rxc4PZ`355ShrLjrL9KS#uAcLDJcGNv?JhPS37+1) zyT%1}v=l^m6!3IJ-%+P3@#`V%%v}M;v@o)jarG-~GI!A7%^<2>pYk#@&ymvz#_XOD zKf-dtmp+hU|0~B<5R9p_qr*Kcj0N}T-?I=yw#|!B3;c{Udt9&*h9qEvGHu=JiM*ua 
z({fSI2YAZ7WcCSQ5FLihz=-I5Tn8Y4DWeW7F7gbh$-`6%@ty~CCgF87h$6{(n{eu`o=>_fb|Rtv{TBOf~39=f+H}KNy43c+gfjY+Y7alB|HaTe}6I_mzSRp zpz4QlvI<}B->2>gM*Jp19V7|x z`0?ZMi3tTvqyR0E4@ryRjJB$=^#SJtlc_-V1IS@wX7+~dL+B=w3(7Niuud2!$7_s8RXB89_FspSh@1#+fB^JUdhWO%rbW;dyWQdx0b1-+&*3p<+>t|bg&`d$_ z$1KSjCH}F=Fu|QT)E_=mYm;l&K0yfvLqH7n6I2N8F!7sMcm|w5NPc>}Ljglh05Y5I zEH<~38A0a00A19aFt^F+=~7G#g*<*tCbg;}BpCo~egP9Bl92b+D2fp)qVGUXZmtn( z3#u2%W50EnFl6ql3O2x{t}Vq}BdS(0kWNQ$uNSIT3E&&4V2iWLZycUr#9-Fn$U4TInY*nhDGt*ch}m zHSHlEC?+4M`t^&2fES<>=6yQ%?ksh4k>dacV=R_DBZCJj!_J?A-T+)9#K^eW3-ct3 zP}F@v5%0;X2TGLC z(n&akr1`;0N>IwjG0brcJ<{?J`u6`F!K9*)uTi8^ZS(}@&RZBvCLIhNiymzcfu#!J zvuLYOC5fVqi6=7t3WW)%jp2{kS?frRTO{QL$(mp%V8T}^DaYYSgUjJ-J&}L21jZxL zOiiJkwO>mRcf^R#rvIAfv=l2ldkNyhPFAB}}WgM%NJ%@NYl6oUOQ6@0nCv5EuYQ8O$-KG{gJ zl-k-P^Qm~DTU0DVF%L#G!LrD(fi>c~0O&UVhlY?4{c`KOvu7|DhmbPBUaC@!whfZ5Vk5z?^cnwS8Bm z+`EzlS>X~k4kv+V2m)g06Va&>7|0JEJiuI{`^%TTSMpk`xRX*+J|oH$2wslP(fPjd zGU+e5UQe`zl`-54XrDV{kJCjpvt-bDooM}N))D82Fg1ZpWF25i8Gx!WjhsBfX78#N z8`s7xaynnUxC67;R4uJm*L^X2ofy9 z++;xe1n&+i&0h*(>LTGpWGM+ZdHR&NNazlPA{4dm%LUFydk1x(0wo~v(3Y0xG)G~p z;(IFQA5ZJ!=@AsIt4oWkfOG>r$9k_7uyxi1P-M@VRuC{msJsAz5Ml$=+Sh;a({y}6 z0VlTEUwD#`=KR1OU;IbT5EW4&L(gZ$fK%~(HU`<gY7QQKDjE7@-WEN_LXQPC<^7 z*li?d37QWCZ`r+Txt?lCpZ;Gug%LI6F-YbSc^~QHue5nYw)k12#URbe1EPdsCeXFM z4+DT2ph&|K2%rnyl4p2Cj>Km_M${+3UwIf6NW+d#Ps8ZgfFmA&--Xkv%$*i|h^30q zW@B|4$Rs=r+y2W{-@YM`SvqpHjr}y#%Mja{5+6;W9*JAE8oO&X2L7X(rl$YPS6bWJ zdV-^(yKV1u-Py(?^8X4yl6eAE{<~OX&!0cB(0vSxplw%>5X1q5OE79nEeW?fE-tRy zW4RSr6vSgvk6#e^{&aND+R6iVZqC+1NdCygDPo#Bj~{eJ!{%VnO+=gwiO zZXE;%;Gh+GL?%FKJOBLI^j{Pb1`PxD!lcNIA7)c*;7z0Pb3*_?7?b2CK?#xcfiQHx zrbZJd_n_1$(DMY+hB$xBdq9X%f>?oe3*`xyKt~E)MtXXPeU8R+Yy+T+%2P8lGo%)h zF?d8YaW>rC-12SFlfCR+*bGEuf!Grg9PAE!ODsJNnVD_S1{qmcq;_VxXk?Q4jrjNu za0$}dA^#&h?M1wO=xYwJA<3}(n3&H?;2?|^v*ENLp2?ALHOdgunZ>5>0ZlSyt%X zfF&j-=z<}TK>&Kls5;ac>;a`K80bZc)OFz&ZXm;qqjxL=nKJ}D=t2~bU>vX&xOEjH zKarWJbpBcAI*Kb;y;GDN`GdF0kclFh`kM5pM$ zDDR9tj3~i{Wi8{m*=3@BA;l#sA%R4PI3ou~AYoDJ>K1RmvOHrXGk?G%>GornaV{_L 
z!UjOqlBsIBpnu+7OE+@nQ$md)auJ`(gN}+2J|Y`Jr-W>n4nP30;B?zAdOz3}-MD9; za3rk@7pS2~fFKY*9O{#ya}(b=>=B~&LCnM6GeG5rVpfE3LO^hEaPh~5ms=0|LVL@H zdT)IFx+;nZN%P4qPj3Ycr@Qv9N))Z+H~?BEV0Xrc4+7Aa&nBFTMON<2zhOdlYqY89 z&pY&kv6-m2O-xLhz#TBP2k@m#4?$r7my`$?wMHIF&~)(zE=>i6VtL73oa2mRgM%-S zOsqMpA#0WU*DS*rdv z&5QXjn;E<5H*5Q(u^NS^AOCB3YSZrROqG{kSnjfWf4$JIy-;rHh@5@X*;bM0{%#vC z%em)M^Lb-4Ib*h?hoh(FMY-Ios!lCHFIVMeL_lQEw{USEh&)$0F2tcg{fJTU+(;qe z605>xWr%MX^!}zLFd8Butb5b49;0AVDTGW{!r>b`Z~l&d0)fXfC^@PM3Ldy}6|@u6 z2ZrGc+Nk4jzynX6I;9G)izGJTbY;*dUj}R?<_hIHMhU0U9V?IUE7KEOj7)>O$VQ{7 z{=vYZ`o6*ChuNA!@fcHNqLA3)Kxc{1*x8*^OvuQ_kq|B@53T~c$VV0N$0KiUAjNG8 zB0wCGniz#!c(KAiKBX=ch`%Q=c1%R`=H>`aX@{C$yw9RaN!$b^lf+GtU$(k&fL2jS z3FSNibm~58A5cZIx}GADjO_+$JTRZv-tX&Ya08cqJl|=Cm!v82pw)z#C2!T02~ME@ z5wC2*L0ad7IqUWvJ0w5&2A#ltd7~J-SJJYDqz7xE_s_5Y1hs}FA9o80)qukNI&5{A zJ497TRyGO&fU6uQ;;_tW0EJ1GmYSBOriNxU@MIT6#`;7JuG;$gcx;}8;|o#V^c*MB zF6Y0t`3IfK?oVxRzR}mp%2;9|f>qM7iroX;P{EMvEoAqopQgJm-kuyE=f>>H-2LMh zh?fA3keCxlqu#>%9WEpvm6MBBey~#wLEucQ_JRw^b9z|B^>Hc;gU}X|mumBn7*~IG z(2v4M8N_0vV>{@J&R+TXvzLTri;$gsjjqMA;?2L~27|RPX{dsSqBMw~jNT)5@L)W& zhlLAP4qK`#D|rAyGTy$u{>3rk+Qh&QzBTf&>XU79w1ow5Uys}x&4u<)jK{$#y*RqF zz)>V1e>sl@;2dMRhf+<9jMnbmn=J5?ykLR|C&*YH5*e#YWLTIT@h6kN*pTY4<5K(s z1CMKJ2G=`qLO%wcQi8RMlQ;al8GVNuJFg{sVxQ^C(mc_~v7N4pJ-KDk{R&W?;&7De z#N#>Bp$vi{fgLQvE+$xF@sU{y^WVY;MkNm_(w2R451O%aJ>dlVU^}z?(FZ zvmU(Wn?Mh%3+7Q&ML(ft;5>yfj5AlGklZJw-=BFOFCG!G>atmYM^f|)qdwY?oyP1E z`7A&a9*#0&=iVN9frc6a2ZQXDC~3zt<$`+RXw%Fx zcVGLf^7BHA)%keK)W2aXJNrpYq$J2_V#(c*-ohn%g@Ov9iT69q>6~qL!k@0l>Kj{F zs3Sgu9;=A2H#Rdn310?o*D(?Y2NgjOA@#O>C$7pAZh0p1GtXdtfhB2Sv*)J+H2A`Q z`9CS{)hW4EMJ2l|NY|^mGx}} zi5@;aDk(!{pFcBEpzOVVSB0eG77CmAwNv?an9T`>kB$)gW55r2j5P40CyR-Sb~qg| zZ_5kEMJeL7QA*RZO=MJTW~@CLdt4843AP&S-MTN2_nJb!AWa61i5Ea;jXcJ75*Fvi z&I0KHfCj@C+d-(9DUtvNOtjr@A5N#3Yw0TQ*4sAw>y21|bc*@$zRn)0cs zsboNdoC87$H4qS9X++E7Ml zX|6_<;-w?XkXcNvUC%dDVsMC?%}@hF06tTqO;1K(y@S;J%zU-N-G0{GdhM9x`l#u;FQt~wQMWE2k!XIG$5SU4KqO;N0ljq%Rxu%22qzT=R5tpL>xa> 
z78X^DLg217@`zTwgam%0y+DRT%3A(LB;G>tm{J2N$N)Ucl6jj@7pBXT@)$t z4^BX?hI(}0*B4S-67cYu9hDc}Xd{7x4QW?UZNGlQhB`nEW2dbT5No3ByKVCx;aX6x z>qvp^JL9H!e%FLrsK5_6ORwz5+TvfmQr#+WDh8rATb8N$B|%;i;-!iK0~vh}`nZLX zq>zg|_-RVK(>-YKwG47gMavwFjPjUHqr2Zbrk2NJk@;a(KlC+!R7i*d$r?jWQr%~z z>I!U$!wWsuClQlcWL}0+3Sa8x-1MT<-?G$wquuTpj)!&yWGhfEwvN0a!VgN_%{vTi z2RA->@`R|f2t#Og=bS{}qGc5$Xg#Twv}yjXz98RyQuk%-g!8Juwc{_1M`bz|ew z$lLP2-_;^riz* zmf@?CpMmVkWD4!aIFX*~=b??~P+SpK02-kqTdgkk(dKUmEW;3nAE7*{qV*u?sbXipxE>nT)BEsnp z*|O;9>C2$^`vL8fw_*^ZURp-ROqWc;<2`AR*WeqxwriM!97}P}&v%U*qO_g1Oh%|2 zk_w>8nxbab+;)UwXrP4~8ynZ_oK}=}`O64Nu^jJpiqI{)yPgKq0#76k^yNYiLk_!+ z_v*#R$+59NczX*O5IQ&i^_B_}1{o`Oy-OfwV&tvBp^^CH%g%EzbU=IEkhsR{gbaY5 z$VdU;Zm6N@0|}k2_`>1V+#TqCcv+j(Em!i=1g<+v9ssUa@EQh;Lt?VSa|Jx_?cG?z3iT zTOf#xer4j~(l?XFO(bu2`*GZ8@D=3mD<&r8BU)y;I#xzTXH5>zXhFrpYYH@l-h2=~ zdNj9f#2)X%LEN5rTVvZ*Y=c$#$+xFRs-4dn%k4Jb4H8drNBF__bJvZp5w-LYB!mV0 zgSRSCf!6*gyt6uYzt^?-x&><81^`^*ShS?|m(}+V4_D17En-UIQul**hfu;1 zX8RI(z@inDkhM;#A3~FdCt?!WyaH~9m-(g4o|O_79?mzs@fwB#z<<%VZz;#Wka1*W z+N#?0x4*vnA_XtpT1$Zi9e>)MqHZ>%ZU=@zOeq$0>N(^^`?^y1Goy6^6WnYr&|ptF ziT3|LJ-!R1*Zhnt0L3xzb)p_4LMUL^h#hjmw^y*DCfzW?6-q?@*a*_1LJnX;olDD7*+-N@ZGG!H5 z@28Uk86Tw7pqOVjN?5g>qLAjPr1bA7*(?1*H-a<(`S7~Jqe!(TV$P!$J#8@HDsa#` zxZhm^c*)i|KuRn2l$7Ph_`zdu&{8v4~<2VaXMT?qCtuGp*y$ii0p#f`w%68yus+_6P!V$asW$l;GqL}HCxhZ58fhn z^Y-lo9z}05r}i!EfG6Ie*BtXPTJFwi0tb=3elmIzdPv+@QI3`xyV2%12gOI^uIa2K){e3WS{ zxH`a$fg+E!x?GJgAGKf_;5{zLBgdSMJVFEsFtnuaOlz!KvK3HWTKX48713Y>>f8)>? 
zLovP!70O$QS1U5TCExiekZuJAY}ox@rAp{rT1=}1_{oWEMJVbIl4#`VLlL0VV6bce z@1+S`I9>Jp@H;Idf%oJ+Sdag@xLM?fvfXZWMIHhypef_($tmS>(HThL1aaY=E-AI2 zZ7>NK9}`nV{lpMDf#z6S{?#LbsLl2S12YS2Yc}sOT){i0F8s8YErWjn`k@U1Pn2&H zlg4}Rj?mUgfuMOH)C2N40T%h;#Qxo=&1fiBh;LHj-+wCk4MZf6nmcF$C+YZgCFjm+Ypdd=aXeTgq; z4lVk6kvmoVn>VMRw^|KcQ;#+hhx$$=3d{=&XhfZYexbhazJU-*93dc}TS%(5CJ3B7 zt)>=>S2=XYP=#n!QWEmzQ~dHdVJuUSqrgVZy< z#$kIf79;@o41sbCLO;?;Y%`-FkxM9j@p!Kb;7~krY|wxz(n;)_s9qWx1m-G{S6szY z_uYt@)96yNxc%eJni81UgC~=Tkpv=YP~r6vN3j$9PmRtR8SlpsG?{ot8K^ICbp|m$ zkz!=@H3BnHM^NN22)6}e#>kvP&a}+m`b3n=2NhZeZXM>3w@@%OlZZzv(NCweFSN8B zqSpV_+nI;uocDYDR}nKKBimCFEgHsJOol8qN=nJtD{EP1Fm*Ch8H6_OtSOFZCXv0B zq*9hqqHI}?%2Ft$=uRa}G~#)EnmN}w=ildgt}~Z^=DP0g`?q|T&*!~;C*XZDf@K7k zkcYz$eFoZ^;ajwIE0o(*astSNj69?B0EIa<@YrXD6y#QHiYw~xLmyS$h;hP3zWi#I zi@giV+B6+LD>Bu3Z_BRXF5Hpr~J5p>qJ!ajv=o%Upn1#?EQmAF;DE=cc;)ejf+`WtKsy zNOz$*upbPgE-!!jv@Ms;9(>tk^!>gs&tJQFGoSrI`k9M)c~4;bd5tQzC$6TP1V)xn zc*tDX(cn966T566dY%!ToYOG_hI zU{X?20vVY6T2?iM2E@~cenSq>B!h8@g5SZ##U9T!x0PAV(xn74A`a5Zaq|i}mnC){s`-NTTKZeZnajbc`=s$@kVQp0Yqx!9yp~mZuB?n3(z4Y{K&@({f7xnTg ztDb5}MZ(rkZxykc%^8KV{4xszKzeJMc8rbDjt5yY#;~_rUmbG#?6u36cT9Ay{~`gB z&wC7g6mm3Mz7fHIj6IT<;O(>g=e?Ojx3RH4&Ko|BAK>55EzOpxCr?J8=LHxM4KmUr z8d8YcZ0O*u7btPM*X-JUzl7e~S!7n!acEXw|9v=G(e|SpNK=g`3be8C4YyPjqIuyI-}8 zS{d#$-b5G6+o8ziU}Ar%IIbGL0pFV8lv3YISEI;a1o6qJP!*r~otTmFhM_?Gcs-ZB zKm6^R1yM&34pcvQe`Z3KNrXd<(Sd}RkLL>R{t~NE82yYs9CO_$BrZ;4?vgkL=S2Z^ z3(NPh+W9-ZBk!o9S-?fTkC%Cu--zC+pJt8Kzi8g!)rp0Uk_xx| zL?1%&P4ngB8zUAD+%&91?q!SJk`Y&_=k%mQuKAB!%_J&rWL~6%==c1$|CwvI+nW_d z_qd!9@c;YE|MIVmcWal8>NOs@k0{OwQu_vByAq2Um${$>(#%N81Y4^jJq53d5w9gm zWK>Eti`O6Js{$w3^-&w?ZCpAElJ8~Zl`a%`|7&v7Qu9GkuuyX>Nj%QBCx1-4L8#B31#= z7KAD~vpe+s9RH%^ zdQ!ZW(>^1hw1c+gHf6KN13LJfU+ujq#pT1@VKzXxB>&y}D4VRQoGd_2nAjp38-r2D zp!`{6=#j@T-%SzYh`s-|eb95N}W zX~H&dzCe#72L^!G3k-?@2KmG;zo>$3OsI&J*r+7xRFY-U)ylC3B5TKFvikKiV|BwK zXv4O2(pYZ3q1xhd%md!~ILBCZ1GLcIck>s&u!11@q6w@}?5O$Z(t-hYB?b&ZK@K{9 z53~yEh6j5jj*G(q$c)WK=E!~=Mk~4y+M)5oDw+O`mB=2&%}@KHqv%<$8%<#Z2V-1u 
zxpD$@)H;lG66nu1s%PcfPjX5qP25z)U3uhNM@tb37#;+ma)IF}xFGHA*o?h;1qqBD z0Zft9gn@8)Hk9SKp7BpUYxe3>|B^AeX&w|?u2?|n3Pm?ri>Dk}N)*`>PG$9uh!O$G zZJ;V$twT!Nv zU`tyNJ={x5WcVr->R$qVClz}*dN4K@)p8?In0bMXLWt6LDK0m+B++ZQv;|01VZrs$ z&74cJeUftL%MPZt=+vUHbdyo6UNWgn!qjPHJ22mSg{w5Qv={J-M9GDU8SzM{?15@> zuP$I(!J_8vI~UV(dETF_Ie8m(3>q4rI>q~u9eo7^VgV({wPIC!}nFcPPHDG2^Hgi2Xy|#%k z=*xDjtI|HAV~)q{aQ_;i^ib7~N*w*;nie{mi`B2<0kf!5?d|L+CYUI|xwexM)S&cj z0;vZGFgum!2S8~DikFbSl|@NcLHjZ{#!nJXB;R^%`eKpjpqjhIdp2m&?%`2>VT1e- zQ6qz9PB0B~V}I0lJL5lyNic;SeM=FGu!E&xBH{8~6wDjd^9bGF50~&&)-hdE`%bNq z9NVs~c~djKss8bCzdxzIr%{hkPla9dT#>APT2&Q^q(&o_5$$vQ=+UEMnxgX@{%*`y za@&Y|cb-4LeoOHk8&4U6i(tPM#K)Xxv1&`l?CB-Dmhe!ON84Y|y2MEGdDTWUsPK)p{(_^^ z^z6IWJvz4qhU%32S|;lS{I`j7$>A zS*{@%H5FN?wX{3L`OS=BZ^ErCaUV*nAwo&v#agKmH|4V0DN1;+F_AT1cY5HbY@LVG zrVcf}Hn)9lz*cO7oAN7e^GMy#9zzhY5+HL2*Z*bz{>42)05&Pln-Qy$Phy#HgTRrE z$}K8}tW@ln?&{|G0WaIGES&s0W7al$t@wn5Vz-s7#bnw<@}Mj?LP;sGfs!WGAVYRko{+&kwY?)XMU$c{Tfv~6VRKv>05a@f-A`Avv=1nJ0&c?VhY<#`qLRL`OtmNKur|l z&)GS2j;(~LZWD-?MP1v3e*I%K2@dWr-r&^)4Z?FUvtnd5$jQXH(?$rDY($IJzhA%a zefHEdk05F1>kiG9DKU<|vgTa;;gN;Kliy>uZxcvEmN;m@ph1VxjICI2z5c@<7N+mn z3w4e)!PB=1q?E#boSf$eItxX$mELRloUuRLGuO0X*Dty{eAuwW-ARcqi2@MktoS`V z;buxraMIQk_Px{w(FY25U;MJpFq(Hzsz%kcXz}9l45r%$i!%6SGth{-!T-g!CIJ(S zG5ex=vJP=trVoCM1PoKe-O~X;S8W1;A1}phcbqtp0(49>aC~BNZ(ZG-meV7May#hh zwYm7M^$&`LfwIM8krAPwc(??qV2l^nK2@nyt&&+9r@&J!36q?i8=BuNrxlZ0?)>{k zr{pdJ2lVgn$$EhB_#y~Q3KTqekY)dkNQOX#4(BaK`E~(Vc?Y1!*HRggtdp8#0VwEFmm5-$7LEE$jsCu z#iL;CSf^DtvFu*9>UktWMEo!mCRm~Irl)q;P*9s|p2}hy$g30Q zG|=!)zY)%+n71Y3mEwN4pJu!4?HBd!kBEC-Tx}F{G^UY!Yz&jnVnMbNcFB`)*^`5u z=M;P~afzPW>Q_}dym%F~4f@v9cVCs5b6^K?%tj_Anglb{Te`Xq^OTijH$F#6I_1z2 z;jwAV)01pHmwgMn$i7*|Qg#u|QOQKE!QNt#-mk-k54Q(nktinc%lqM%avZLZlLNZ% zvTy7*81>wT59byex0VYJ6dbz5NsFfv*0R>~I|C`aK#wY@2{SoqDP&`%mlt)NvjJyW zh(Xcw@(yD?3(q!Urz3UWP4#9<0%@=)5)^olXKJ-6J}R&zq>%Qle<$J8bem=3LqzLc=P$Z93#Lc28I{{wVRZi(2b_xjy4>MHtOJKC8vhSW`JI8M)V-n(s|ID z!oTz2q#u#J^#xC&k z+J>&Xwlu2?dwD)Lw%BmqL79m^dcJKa=dtymIJp%+t*>~F(F};g5kP5(x}g$h$wej# 
zU!eoA&$JMP6p)EUcKqy2t&_L!8Af+7J<6(n0-Kpsz|3Ueusr5*d3Ci=&~B=`OQ6mw zu;|M&1b)Hs^0Dp@r zeiM~qEc!+C>O1}73hc==pdUjCEpdBvc7zy(13oWg_)3Z(C9psiZmI{JWu5-~KGS*y zAZi^!`upSJ+A}6!*F7{4e>dGCK1Sq{Mrt4R3?O7E>I%L}5MH2o*<@iVS%6@zWAXie-uWqU!e;Lm~$I^=)pV}iGg{x7 literal 0 HcmV?d00001 From 2d3b5f44819f24bbb3673b530503342db11de487 Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Fri, 14 Dec 2018 19:11:17 -0500 Subject: [PATCH 04/21] make text consistent with image --- proposals/1756-cross-signing.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index 0bb365e9bcc..c6e865542ab 100644 --- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md 
@@ -119,19 +119,19 @@ needed to reattach the parts of the graph. One way to solve this is by registering a "virtual device", which is used to sign other devices. This solution would be similar to this proposal. However, real devices would still form an integral part of the attestation graph. For -example, if Alice's phone verifies Bob's tablet, the attestation graph might +example, if Alice's Osborne 2 verifies Bob's Dynabook, the attestation graph might look like: ![](images/1756-graph1.dot.png) -If Bob replaces his tablet without re-verifying with Alice, this will split the -graph and Alice will not be able to verify Bob's other devices. In contrast, -in this proposal, Alice and Bob's master keys directly sign each other, and the -attestation graph would look like: +If Bob replaces his Dynabook without re-verifying with Alice, this will split +the graph and Alice will not be able to verify Bob's other devices. In +contrast, in this proposal, Alice and Bob's master keys directly sign each +other, and the attestation graph would look like: ![](images/1756-graph2.dot.png) -In this case, Bob's tablet can be replaced without breaking the graph. +In this case, Bob's Dynabook can be replaced without breaking the graph. With normal cross-signing, it is not clear how to recover from a stolen device. For example, if Mallory steals one of Alice's devices and revokes Alice's other From e9aa4081bc8e379625afe9eed285073e9f4c7886 Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Mon, 17 Dec 2018 15:37:26 -0500 Subject: [PATCH 05/21] fix sectioning and add a background --- proposals/1756-cross-signing.md | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index c6e865542ab..5fe52e4a02c 100644 --- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md 
@@ -1,8 +1,22 @@ -# Background +# Cross-signing devices with master keys -FIXME: something something +## Background -# Proposal +A user with multiple devices will have a different key for end-to-end +encryption for each device. Other users who want to communicate securely with +this user must then verify each key on each of their devices. If Alice has *n* +devices, and Bob has *m* devices, then for Alice to be able to communicate with +Bob on any of their devices, this involves *n×m* key verifications. + +One way to addresss this is for each user to use a "master key" for their +identity which signs all of their devices. Thus another user who wishes to +verify their identity only needs to verify their master, key and can use the +master key to verify their devices. + +[MSC1680](https://github.com/matrix-org/matrix-doc/issues/1680) presents a +different solution to the problem. + +## Proposal Each user has a "master identity key" that is used to sign their devices, and is signed by all of their devices. When one user (Alice) verifies another @@ -38,9 +52,9 @@ Users will only be allowed to see signatures made by their own master identity key, or signatures made by other users' master identity keys on their own devices. -# API description +### API description -## Possible API 1 +#### Possible API 1 Use the same API as MSC1680, but with additions. @@ -93,7 +107,7 @@ require creating a new backup version, which may be what users need to do anyways). Or the private master key could be stored in account data, e.g. `/user/{userId}/account_data/m.master.{deviceId}`. -## Possible API 2 +#### Possible API 2 Treat master key separately from normal devices and adding special handling for them. This might result in a nicer API, but make the implementation more 
@@ -103,7 +117,7 @@ attestations separately. TODO: write this option out -# Comparison with MSC1680 +## Comparison with MSC1680 MSC1680 suffers from the fact that the attestation graph may be arbitrarily complex and may become ambiguous how the graph should be interpreted. In @@ -144,6 +158,8 @@ In contrast, with this proposal, there is a clear way to rebuild the attestation graph: create a new master identity key, and re-verify all devices with it. -# Conclusion +## Security considerations + +## Conclusion This proposal presents an alternative cross-signing mechanism to MSC1680. From d9eddcf7df0dae23a1ded7281324edf090ece1a1 Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Mon, 17 Dec 2018 20:34:27 -0500 Subject: [PATCH 06/21] change language to json in code blocks --- proposals/1756-cross-signing.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index 5fe52e4a02c..758194dd724 100644 --- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md @@ -64,7 +64,7 @@ API to create new virtual device: returns -``` javascript +``` json { "device_id": "ABCDEFG" } @@ -75,7 +75,7 @@ Send public key using `/keys/upload` as a normal device, but with a special `POST /keys/upload` -``` javascript +``` json { "device_keys": { "user_id": "@alice:example.com", From c0b0db9a55de9969c96759f32440866cd3f5930b Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Mon, 17 Dec 2018 22:33:10 -0500 Subject: [PATCH 07/21] document alternate API, and some other clarifications --- proposals/1756-cross-signing.md | 189 +++++++++++++++++++++++++++++++- 1 file changed, 186 insertions(+), 3 deletions(-) diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index 758194dd724..11bfe2c15a2 100644 --- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md 
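Review bot: two typos in the Background hunk (`@@ -1,8 +1,22 @@`) of PATCH 05/21: `One way to addresss this` should read `address`, and the comma in `only needs to verify their master, key and can use the` belongs after `key`, i.e. `only needs to verify their master key, and can use the master key to verify their devices`.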
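Review bot: the `## Security considerations` heading added in the `@@ -144,6 +158,8 @@` hunk of PATCH 05/21 has no body. The Proposal section already states that a master private key stored on a device lets whoever steals that device forge trusted devices until the user resets the key, and every signature in this design is fetched from the homeserver, so the section should at least cover those two points: device theft while the private key is unlocked, and a homeserver that withholds or serves stale signatures so that a revoked key or device still appears trusted to other users.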
@@ -25,8 +25,8 @@ master identity key. (This will mean that verification methods will need to be modified to pass along the master identity key.) Alice's device will trust Bob's device if: -- Alice's device has signed her master identity key, -- her master identity key has signed Bob's master identity key, +- Alice's device is using a master identity key that has signed Bob's master + identity key, - Bob's master identity key has signed Bob's device, and - none of those signatures have been revoked. @@ -70,6 +70,10 @@ returns } ``` +The server should not allow any client to use this device ID when logging in or +registering; if a client tries to log in using this device ID, then the server +must respond with an error. (FIXME: what error?) + Send public key using `/keys/upload` as a normal device, but with a special "algorithms" list: 
@@ -115,7 +119,186 @@ complicated. For example, the server could automatically add master key signatures into a device's `signatures` field, rather than shipping the attestations separately. -TODO: write this option out +Send public key using `/keys/upload`, under the `master_key` property. +(Alternatively, could use a special endpoint, like `/keys/master/upload`.) + +`POST /keys/upload` + +``` json +{ + "master_key": { + "user_id": "@alice:example.com", + "key_id": "ABCDEFG", + "algorithm": "ed25519", + "key": "base64+public+key", + "signatures": { + "@alice:example.com": { + "ed25519:ABCDEFG": "base64+self+signature" + } + } + } +} +``` + +The key ID must be unique within the scope of a given user, and must not match +any device ID. This is required so that there will be no collisions in the +`signatures` property. + +(FIXME: how do we make sure that the key ID doesn't collide with an existing +device ID? Just send an error and let the client retry?) + +The server should not allow any client to use the key ID as their device ID +when logging in or registering; if a client tries to log in using this device +ID, then the server must respond with an error. (FIXME: what error?) + +Uploading a new master key should invalidate any previous master key. + +After uploading a master key, it will be included under the `/keys/query` +endpoint under the `master_key` property. + +`GET /keys/query` + +``` json +{ + "failures": {}, + "master_key": { + "@alice:example.com": { + "user_id": "@alice:example.com", + "key_id": "ABCDEFG", + "algorithm": "ed25519", + "key": "base64+public+key", + "signatures": { + "@alice:example.com": { + "ed25519:ABCDEFG": "base64+self+signature" + } + } + } + } +} +``` + +Signatures can be uploaded using `/keys/upload`, under the `signatures` +property. (Alternatively, could use a special endpoint, like +`/keys/signatures/upload`.) + +For example, Alice signs one of her devices (HIJKLMN), and Bob's master key. 
+ +`POST /keys/upload` + +``` json +{ + "signatures": { + "@alice:example.com": { + "HIJKLMN": { + "user_id": "@alice:example.com", + "device_id": "HIJKLMN", + "algorithms": [ + "m.olm.curve25519-aes-sha256", + "m.megolm.v1.aes-sha" + ], + "keys": { + "curve25519:HIJKLMN": "base64+curve25519+key", + "ed25519:HIJKLMN": "base64+ed25519+key" + }, + "signatures": { + "@alice:example.com": { + "ed25519:ABCDEFG": "base64+signature+of+HIJKLMN" + } + } + } + }, + "@bob:example.com": { + "OPQRSTU": { + "user_id": "@bob:example.com", + "key_id": "OPQRSTU", + "algorithm": "ed25519", + "key": "base64+ed25519+key", + "signatures": { + "@alice:example.com": { + "ed25519:ABCDEFG": "base64+signature+of+OPQRSTU" + } + } + } + } + } +} +``` + +After Alice uploads a signature for her own devices, her signature will be +included in the results of the `/keys/query` request when *anyone* requests her +keys: + +`GET /keys/query` + +``` json +{ + "failures": {}, + "device_keys": { + "@alice:example.com": { + "HIJKLMN": { + "user_id": "@alice:example.com", + "device_id": "HIJKLMN", + "algorithms": [ + "m.olm.v1.curve25519-aes-sha256", + "m.megolm.v1.aes-sha" + ], + "keys": { + "curve25519:HIJKLMN": "base64+curve25519+key", + "ed25519:HIJKLMN": "base64+ed25519+key" + }, + "signatures": { + "@alice:example.com": { + "ed25519:HIJKLMN": "base64+self+signature", + "ed25519:ABCDEFG": "base64+signature+of+HIJKLMN" + } + }, + "unsigned": { + "device_display_name": "Alice's Osborne 2" + } + } + } + }, + "master_keys": { + "@alice:example.com": { + "user_id": "@alice:example.com", + "key_id": "ABCDEFG", + "algorithm": "ed25519", + "key": "base64+public+key", + "signatures": { + "@alice:example.com": { + "ed25519:ABCDEFG": "base64+self+signature" + } + } + } + } +} +``` + +After Alice uploads a signature for Bob's master key, her signature will be +included in the results of the `/keys/query` request when Alice requests Bob's +key: + +`GET /keys/query` + +``` json +{ + "failures": {}, + "master_key": 
{ + "@bob:example.com": { + "user_id": "@bob:example.com", + "key_id": "OPQRSTU", + "algorithm": "ed25519", + "key": "base64+ed25519+key", + "signatures": { + "@alice:example.com": { + "ed25519:OPQRSTU": "base64+self+signature+OPQRSTU", + "ed25519:ABCDEFG": "base64+signature+of+OPQRSTU" + } + } + } + } +} +``` ## Comparison with MSC1680 From f4fe318a85f4cefe00ca15e49914ea2b7b061bea Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Thu, 17 Jan 2019 23:52:36 -0500 Subject: [PATCH 08/21] update with user-signing and self-signing keys --- proposals/1756-cross-signing.md | 357 +++++++++++++-------------- proposals/images/1756-graph2.dot | 23 +- proposals/images/1756-graph2.dot.png | Bin 29214 -> 49417 bytes 3 files changed, 187 insertions(+), 193 deletions(-) diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index 11bfe2c15a2..097470110ef 100644 --- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md @@ -1,4 +1,4 @@ -# Cross-signing devices with master keys +# Cross-signing devices with device signing keys ## Background 
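Review bot: the new first bullet in the `@@ -25,8 +25,8 @@` hunk of PATCH 07/21, `Alice's device is using a master identity key that has signed Bob's master identity key`, drops the old requirement that Alice's device has signed her master key without saying what `is using` means. State that a device may only treat a master key as its own once it has obtained the private half (decrypted from the server) or has otherwise verified the public key; without that rule, a freshly logged-in device that has verified nothing would accept whatever `master_key` the homeserver returns from `/keys/query`.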
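Review bot: the `@@ -70,6 +70,10 @@` hunk of PATCH 07/21 says the server must refuse logins with the virtual device's ID but leaves `(FIXME: what error?)` open and does not say which session is allowed to call `/keys/upload` for that device ID. Name the errcode, and state that only the user's own authenticated sessions may upload or replace the virtual device's keys, because replacing them is equivalent to resetting the master key.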
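Review bot: `Uploading a new master key should invalidate any previous master key` in the `@@ -115,7 +119,186 @@` hunk of PATCH 07/21 lets any client holding a valid access token replace the master key with a plain `POST /keys/upload`, which is exactly the operation a stolen device or leaked token would use to take over the identity; require an additional authentication step for that upload, and say what happens to signatures made by the invalidated key. Three smaller points in the same hunk: the `/keys/query` examples disagree on the property name (`master_key` in two responses, `master_keys` in the third); the signature-upload example lists `m.olm.curve25519-aes-sha256` while the `/keys/query` example lists `m.olm.v1.curve25519-aes-sha256`; and when Alice uploads a signature on Bob's key she posts her own copy of Bob's `key` and `key_id`, so the server must check that copy against Bob's stored master key and verify the signature before attaching it, rather than storing whatever is posted.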
@@ -8,215 +8,188 @@ this user must then verify each key on each of their devices. If Alice has *n* devices, and Bob has *m* devices, then for Alice to be able to communicate with Bob on any of their devices, this involves *n×m* key verifications. -One way to addresss this is for each user to use a "master key" for their -identity which signs all of their devices. Thus another user who wishes to -verify their identity only needs to verify their master, key and can use the -master key to verify their devices. +One way to address this is for each user to use a device signing key to signs +all of their devices. Thus another user who wishes to verify their identity +only needs to verify the device signing key and can use the signatures created +by the device signing key to verify their devices. [MSC1680](https://github.com/matrix-org/matrix-doc/issues/1680) presents a -different solution to the problem. +different solution to the problem. A comparison between this proposal and +MSC1680 is presented below. ## Proposal -Each user has a "master identity key" that is used to sign their devices, and -is signed by all of their devices. When one user (Alice) verifies another -user's (Bob's) identity, Alice will sign Bob's master identity key with her -master identity key. (This will mean that verification methods will need to be -modified to pass along the master identity key.) Alice's device will trust -Bob's device if: - -- Alice's device is using a master identity key that has signed Bob's master - identity key, -- Bob's master identity key has signed Bob's device, and -- none of those signatures have been revoked. - -If Alice believes that her master identity key has been compromised, she can -revoke it and create a new one. This means that all trust involving Alice -(i.e. Alice trusting other people and other people trusting Alice) needs to -start from scratch. 
- -The master identity key's private key can be stored encrypted on the server -(possibly along with the megolm key backup). Clients may or may not want to -store a copy of the private key locally. Doing so would mean that an attacker -who steals a device has access to the private key, and so can forge trusted -devices until the user notices and resets their master key. However, not doing -so means that when the user verifies another user, they will need to re-fetch -the private key, which means that they will need to re-enter their recovery -key to decrypt it. - -When a user logs in with a new device, they will fetch and decrypt the private -master key, sign the new device's key with the master key, and sign the master -key with the device's key. - -Users will only be allowed to see signatures made by their own master identity -key, or signatures made by other users' master identity keys on their own -devices. +Each user has a self-signing key pair that is used to sign their own devices, +and a user-signing key pair that is used to sign other users' signing keys. A +user's user-signing key is also signed by their own self-signing key. When one +user (e.g. Alice) verifies another user's (Bob's) identity, Alice will sign +Bob's self-signing key with her user-signing key. (This will mean that +verification methods will need to be modified to pass along the self-signing +identity key.) Alice's device will trust Bob's device if: + +- Alice's device is using a self-signing key that has signed her user-signing key, +- Alice's user-signing key has signed Bob's self-signing key, and +- Bob's self-signing key has signed Bob's device key. + +### Key security + +A user's private half of their user-signing key pair may be kept unlocked on a +device, but their self-signing key should not; the private half of the +self-signing key pair should only be stored encrypted, requiring a passphrase +to access. 
By keeping the user-signing key unlocked, Alice can verify Bob's +identity and distribute signatures to all her devices without needing to enter +a passphrase to decrypt the key. + +If a user's device is compromised, they can issue a new user-signing key, +signed by their self-signing key, rendering the old user-signing key useless. +If they are certain that the old user-signing key has not yet been used by an +attacker, then they may also reissue signatures made by the old user-signing +key by using the new user-signing key. Otherwise, they will need to re-verify +the other users. + +If a user's self-signing key is compromised, then the user will need to issue +both a new self-signing key and a new device-signing key. The user may sign +their new self-signing key with their old self-signing key, allowing other +users who have verified the old self-signing key to automatically trust the new +self-signing key if they wish to. Otherwise, the users will need to re-verify +each other. + +The private halves of the user-signing key pair and self-signing key pair may +be stored encrypted on the server (possibly along with the megolm key backup) +so that they may be retrieved by new devices. FIXME: explain how to do this + +### Signature distribution + +Currently, users will only be allowed to see signatures made by their own +self-signing or user-signing keys, or signatures made by other users' +self-signing keys about their own devices. This is done in order to preserve +the privacy of social connections. Future proposals may define mechanisms for +distributing signatures to other users in order to allow for other web-of-trust +use cases. ### API description -#### Possible API 1 +Public keys for the self-signing and user-signing keys are uploaded to the +servers using `/keys/device_signing/upload`. This endpoint requires [UI +Auth](https://matrix.org/docs/spec/client_server/r0.4.0.html#user-interactive-authentication-api). 
-Use the same API as MSC1680, but with additions. - -API to create new virtual device: - -`POST /devices/create` - -returns - -``` json -{ - "device_id": "ABCDEFG" -} -``` - -The server should not allow any client to use this device ID when logging in or -registering; if a client tries to log in using this device ID, then the server -must respond with an error. (FIXME: what error?) - -Send public key using `/keys/upload` as a normal device, but with a special -"algorithms" list: - -`POST /keys/upload` +`POST /keys/device_signing/upload` ``` json { - "device_keys": { + "self_signing_key": { + "user_id": "@alice:example.com", + "usage": ["self_signing"], + "keys": { + "ed25519:base64+self+signing+public+key": "base64+self+signing+public+key", + } + }, + "user_signing_key": { "user_id": "@alice:example.com", - "device_id": "ABCDEFG", - "algorithms": ["m.master"], "keys": { - "ed25519:ABCDEFG": "base64+public+key" + "ed25519:base64+device+signing+public+key": "base64+device+signing+public+key", }, + "usage": ["user_signing"], "signatures": { "@alice:example.com": { - "ed25519:ABCDEFG": "base64+self+signature" + "ed25519:base64+self+signing+public+key": "base64+signature" } } } } ``` -(This may require changes in what `device_id`s are accepted by `/keys/upload`.) +In order to ensure that there will be no collisions in the `signatures` +property, the server must respond with an error (FIXME: what error?) if any of +the uploaded public keys match an existing device ID for the user. Similarly, +if a user attempts to log in specifying a device ID matching one of the signing +keys, the server must respond with an error (FIXME: what error?). -Attestations/revocations will be uploaded and retrieved as described in -MSC1680. Creating a new master key would involve revoking the old master key -by sending a signed revocation and deleting the device using `DELETE -/devices/{deviceId}`, and then creating a new master key. 
+If a user-signing key is uploaded, it must be signed by the current +self-signing key (or the self-signing key that is included in the request) -Private master key could be stored as part of the key backup (MSC1219), maybe -as a special room ID + session ID, or possibly in the `auth_data` for the -backup version (the latter would mean that changing the master key would -require creating a new backup version, which may be what users need to do -anyways). Or the private master key could be stored in account data, -e.g. `/user/{userId}/account_data/m.master.{deviceId}`. +If a previous self-signing key exists, then the new self-signing key must have +a `replaces` property whose value is the previous public self-signing key. +Otherwise the server must respond with an error (FIXME: what error?). The new +self-signing key may also be signed with the old self-signing key. -#### Possible API 2 +FIXME: document `usage` property -Treat master key separately from normal devices and adding special handling for -them. This might result in a nicer API, but make the implementation more -complicated. For example, the server could automatically add master key -signatures into a device's `signatures` field, rather than shipping the -attestations separately. +After uploading self-signing and user-signing keys, they will be included under +the `/keys/query` endpoint under the `self_signing_key` and `user_signing_key` +properties, respectively. The `user_signing_key` will only be included when a +user requests their own keys. -Send public key using `/keys/upload`, under the `master_key` property. -(Alternatively, could use a special endpoint, like `/keys/master/upload`.) 
- -`POST /keys/upload` +`POST /keys/query` ``` json { - "master_key": { - "user_id": "@alice:example.com", - "key_id": "ABCDEFG", - "algorithm": "ed25519", - "key": "base64+public+key", - "signatures": { - "@alice:example.com": { - "ed25519:ABCDEFG": "base64+self+signature" - } - } - } + "device_keys": { + "@alice:example.com": [] + }, + "token": "string" } ``` -The key ID must be unique within the scope of a given user, and must not match -any device ID. This is required so that there will be no collisions in the -`signatures` property. - -(FIXME: how do we make sure that the key ID doesn't collide with an existing -device ID? Just send an error and let the client retry?) - -The server should not allow any client to use the key ID as their device ID -when logging in or registering; if a client tries to log in using this device -ID, then the server must respond with an error. (FIXME: what error?) - -Uploading a new master key should invalidate any previous master key. - -After uploading a master key, it will be included under the `/keys/query` -endpoint under the `master_key` property. - -`GET /keys/query` +response: ``` json { "failures": {}, - "master_key": { + "device_keys": { + "@alice:example.com": { + // ... + } + }, + "self_signing_key": { "@alice:example.com": { "user_id": "@alice:example.com", - "key_id": "ABCDEFG", - "algorithm": "ed25519", - "key": "base64+public+key", - "signatures": { - "@alice:example.com": { - "ed25519:ABCDEFG": "base64+self+signature" - } + "usage": ["self_signing"], + "keys": { + "ed25519:base64+self+signing+public+key": "base64+self+signing+public+key" } } } } ``` -Signatures can be uploaded using `/keys/upload`, under the `signatures` -property. (Alternatively, could use a special endpoint, like -`/keys/signatures/upload`.) +Signatures of keys can be uploaded using `/keys/signatures/upload`. -For example, Alice signs one of her devices (HIJKLMN), and Bob's master key. 
+For example, Alice signs one of her devices (HIJKLMN), and Bob's self-signing key. -`POST /keys/upload` +`POST /keys/signatures/upload` ``` json { - "signatures": { - "@alice:example.com": { - "HIJKLMN": { - "user_id": "@alice:example.com", - "device_id": "HIJKLMN", - "algorithms": [ - "m.olm.curve25519-aes-sha256", - "m.megolm.v1.aes-sha" - ], - "keys": { - "curve25519:HIJKLMN": "base64+curve25519+key", - "ed25519:HIJKLMN": "base64+ed25519+key" - }, - "signatures": { - "@alice:example.com": { - "ed25519:ABCDEFG": "base64+signature+of+HIJKLMN" - } + "@alice:example.com": { + "HIJKLMN": { + "user_id": "@alice:example.com", + "device_id": "HIJKLMN", + "algorithms": [ + "m.olm.curve25519-aes-sha256", + "m.megolm.v1.aes-sha" + ], + "keys": { + "curve25519:HIJKLMN": "base64+curve25519+key", + "ed25519:HIJKLMN": "base64+ed25519+key" + }, + "signatures": { + "@alice:example.com": { + "ed25519:base64+user+signing+public+key": "base64+signature+of+HIJKLMN" } } - }, - "@bob:example.com": { - "OPQRSTU": { - "user_id": "@bob:example.com", - "key_id": "OPQRSTU", - "algorithm": "ed25519", - "key": "base64+ed25519+key", - "signatures": { - "@alice:example.com": { - "ed25519:ABCDEFG": "base64+signature+of+OPQRSTU" - } + } + }, + "@bob:example.com": { + "bobs+base64+self+signing+public+key": { + "user_id": "@bob:example.com", + "keys": { + "ed25519:bobs+base64+self+signing+public+key": "bobs+base64+self+signing+public+key" + }, + "usage": ["self_signing"], + "signatures": { + "@alice:example.com": { + "ed25519:base64+user+signing+public+key": "base64+signature+of+bobs+self+signing+key" } } } @@ -228,7 +201,18 @@ After Alice uploads a signature for her own devices, her signature will be included in the results of the `/keys/query` request when *anyone* requests her keys: -`GET /keys/query` +`POST /keys/query` + +``` json +{ + "device_keys": { + "@alice:example.com": [] + }, + "token": "string" +} +``` + +response: ``` json { 
@@ -249,7 +233,7 @@ keys: "signatures": { "@alice:example.com": { "ed25519:HIJKLMN": "base64+self+signature", - "ed25519:ABCDEFG": "base64+signature+of+HIJKLMN" + "ed25519:base64+user+signing+public+key": "base64+signature+of+HIJKLMN" } }, "unsigned": { @@ -258,41 +242,40 @@ keys: } } }, - "master_keys": { - "@alice:example.com": { - "user_id": "@alice:example.com", - "key_id": "ABCDEFG", - "algorithm": "ed25519", - "key": "base64+public+key", - "signatures": { - "@alice:example.com": { - "ed25519:ABCDEFG": "base64+self+signature" - } - } + "self_signing_key": { + "user_id": "@alice:example.com", + "usage": ["self_signing"], + "keys": { + "ed25519:base64+self+signing+public+key": "base64+self+signing+public+key", } } } ``` -After Alice uploads a signature for Bob's master key, her signature will be -included in the results of the `/keys/query` request when Alice requests Bob's -key: +After Alice uploads a signature for Bob's user-signing key, her signature will +be included in the results of the `/keys/query` request when Alice requests +Bob's key: `GET /keys/query` ``` json { "failures": {}, - "master_key": { + "device_keys": { + "@bob:example.com": { + // ... + } + }, + "self_signing_key": { "@bob:example.com": { "user_id": "@bob:example.com", - "key_id": "OPQRSTU", - "algorithm": "ed25519", - "key": "base64+ed25519+key", + "keys": { + "ed25519:bobs+base64+self+signing+public+key": "bobs+base64+self+signing+public+key" + }, + "usage": ["self_signing"], "signatures": { "@alice:example.com": { - "ed25519:OPQRSTU": "base64+self+signature+OPQRSTU", - "ed25519:ABCDEFG": "base64+signature+of+OPQRSTU" + "ed25519:base64+user+signing+public+key": "base64+signature+of+bobs+self+signing+key" } } } @@ -300,6 +283,8 @@ key: } ``` +FIXME: s2s stuff + ## Comparison with MSC1680 MSC1680 suffers from the fact that the attestation graph may be arbitrarily 
@@ -323,8 +308,8 @@ look like: If Bob replaces his Dynabook without re-verifying with Alice, this will split the graph and Alice will not be able to verify Bob's other devices. In -contrast, in this proposal, Alice and Bob's master keys directly sign each -other, and the attestation graph would look like: +contrast, in this proposal, Alice and Bob sign each other's self-signing key +with their user-signing keys, and the attestation graph would look like: ![](images/1756-graph2.dot.png) @@ -337,12 +322,16 @@ devices, as there may be stale attestations and revocations lingering around. (This also relates to the question of whether a revocation should only revoke the signature created previously by the device making the attestation, or whether it should be a statement that the device should not be trusted at all.) -In contrast, with this proposal, there is a clear way to rebuild the -attestation graph: create a new master identity key, and re-verify all devices -with it. +In contrast, with this proposal, if a device is stolen, then only the +user-signing key must be re-issued. ## Security considerations +This proposal relies on servers to communicate when self-signing or +user-signing keys are deleted and replaced. An attacker who is able to both +steal a user's device and control their homeserver could prevent that device +from being marked as untrusted. + ## Conclusion This proposal presents an alternative cross-signing mechanism to MSC1680. diff --git a/proposals/images/1756-graph2.dot b/proposals/images/1756-graph2.dot index 6a45abe9ba1..8eaa1df84a0 100644 --- a/proposals/images/1756-graph2.dot +++ b/proposals/images/1756-graph2.dot 
@@ -1,13 +1,18 @@ -graph { +digraph { A1 [label="A's PDP-11"] -AM [label="A's master key"] A2 [label="A's Osborne 2"] +AS [label="A's self-signing key"] +AU [label="A's user-signing key"] +BU [label="B's user-signing key"] +BS [label="B's self-signing key"] B1 [label="B's Dynabook"] -BM [label="B's master key"] B2 [label="B's VAX"] -A1 -- AM -AM -- A2 -AM -- BM -B1 -- BM -BM -- B2 -} \ No newline at end of file +AS -> A1 +AS -> A2 +AS -> AU +AU -> BS +BS -> BU +BU -> AS +BS -> B1 +BS -> B2 +} 
diff --git a/proposals/images/1756-graph2.dot.png b/proposals/images/1756-graph2.dot.png index 93379122bb948f3edecd2133c7f34972589825e1..3af9270f094b2361858930630945b05e40b2c6fd 100644 GIT binary patch literal 49417
zs)HF)I*`>0!<}m8)%C#x@~)*JBX3UZ6~#-f`@`)>iW8S6${)0oT%G89BsT=w=V6}m}7e+~z9lDvX+jG#0DXsb3isK?7Mlb%4u1$#udz%DC6MaYwcsgAYn zRS!g1X2k+*G2YXP(JS=a3I)3))5n^$s7-v&s)*gyoE9H~DE2n}&0MWf5)yLL`EGK* z_beX?wSfu*@JK-SL%M^cn-S-GC?ev4+cO_|D|g z-hc_;aw|O2mYR^%yB27A$?beSSddjeI1=s+_dx~F>p2R8c_)lu~WyGB7G z;egd4PDeF#1ng&Dx{D5nmy$6ri|J-+j6MnlBcx+I7ypg~nnl`y-t7L@)4B>Y1_3om ziHlqRE}!}I@na>02)$muOekxzl~+%sKTDQ`z0mJvUtNg*^_BQ;>PZP|7oENJ^y#g^ zy|Ww+fBCfzG1anwzU=gKF-eGBDLi0S?t|mIKYur zODvtB_0=veb25~drWy6>^pBX=IwJ76cW+Ar)f)D|A2bMUKn=gJ1{z4_ zv7)~p(c54$ayN=uSc_CUzLQk<@LYm#!k@!v&>2R@fB5iWV7Dax4)t)h6IwZe%|XsY zI73PyFZF>L9rV7K2}1DZ1jsf2M@jZNRtO!9W9_AyXtAYG-r#P@AkvEzTYqwq3V*>x!l<7J5dV{U#k&eAVp6xA$P2W&qVb7Ih!Bo9k6WQ(rkL18Qe> z9>Gt}8P1H`g60w4CE?B;zv87=C9t?!DocYYDds)mDkLJyBY5bB?2{#S%%AFf39S@0 z#$x}@8cT;@2SFbzBQfQ&K8rY$00*goGU^~Vi0R9&I%rCU2|TroUPg*0(m@UaNfD+l z0~NK5sD9tuy$R}!xGfKFZ-2CLN-87M$eX&hW zq;^)uzIq$j4qZik_zfQhmLU)-&ZxJ&njO`*5}ftYrMy_RUZ!ZoTkF;OuNFWcVdPvg zOIuQ;*i9T{ga!aW?4TG?rFePW@GR=G@*y{sjEex;s>W>N38-E#;5vd-{A$-q@8_oK z<8mAs=0pe3?fQt48kAdl1@gRnK%FE%pKoO0GOO3fk*Q|QR257Pu7ix(g17m_y5DPL zh>7f-*qU++E$5r7bge#0tPuW8dY@=!U9L5odL)4;IWn1Rv$|e^q$2YehSfY!`|&?L z{ghk6b8*tEpav5g$&A&79hlA8u46|(ZpNyG)%*E2q*o`7+i%!z-ChhSk{u>tYd`=b zxV>H7z^|&ZgEvxhiO3_lS9o+bUO5n@%#`%U+@p=Z+^soMg?Xg@c+f>lAFsLO_sEoq zpeZwMz$G9{O(|<07~k2Vb6`tI6^Ty>0VeD3lI@9Q8rU{AwEea~uPxO#FB!9llBc=X zj?*VjBp?T5Fnz$fpC4vcWaa+4)3ED%Xmht!wYH&%&+t*+%g_ycTX~dUw>fz@YkU|C zLt-z&cD?Jvs`sQfs62t)T*r9rNI^da=EAd)A=j_TbSv;{c2xIY6WkGmFo#{g9$GxU zDhO0X4m;lHYhO~jN~wqLZ!xqAYxKyJnr}?5iO`5t<06tw=Tl=Gh6WHE?l5(nVEn1A zOMw0Kwp-We9F~55`DPBUkIef+?@?*EHBhJKph>=e-xudhu2bMz{ej~uHg-B-O8+4< zr-_2p!<1PKy7!-}<~MEY_eAfV2e*>M-*HI0TCJpv-@X%C4mACXoysb;iw;9!k7ZRz zGefej9PfNzFu4lDB@bH~gqh0U^sZC$H!-`a*72SQeNM|I(>(^!S}QzpwTZkIEZb&W z*ugX_CjwZh1mrcd+jR5cn>mg>4@I`3Dm3FvB+#{srdlulym}D<-{8B~;k*)kv)en3 z!nP>`l*cWSzomOv#3DF9%^aUa)i0F#+&5ufLsx{Cu;fMZODnR!_2gY0 zgC|@ITOGbc?txE_nx8~fI@+YppaqK-iCKsy@;`4fyNm52k?zIb(o01#3Mb4>%8%Wp zG_qgiG*n|8$$U3`x0>HW`ECUC8<(oJ!!c2WbhE(3zzdStiRVsDS8_Zt+WwnpuBli} 
zcOGmUQ~d~j3YUiLL{n9BRKGJPppjYasx`_LUCc*_l(8BWS%e*0#Ak)qlg~PGkjPgh zg|BiQvaS+&Ek!fo!5lA1^rrf|fc~{=h}I#FQg$T&M`!N*42w-p<5aolHqWxYJc_`z zyV0hBCV@tj*lik5LVy{I6J_dWs1jCsNbAXuQc^Y*f3a@Fega%L%%o1hyBo=Ah|9V9 z?Mc<|bJgCD9!yV8aO*Onkf>#ubp?S+7xRoa4@8`X>$+v)j=_WX{n%1kE!N6N18#VC zzS&=ap`AbG=lfFTN}GtnS5^XSWN!ZU!QnO!*YRyL+R93^9&(uf$t|s_tV};2KElu3 z?00x_+TFZrtc5 z&2PQRt_e5ZMRQO%Ot#C^bX<%HU=Xm5wu_X;p>TS$ndP@;sBBzS<2VrL5x_(dN_me! z$l&iV^x&Fr(_E&G1IFfyE=8;AMfr?U;WKyiaB^CWz9(=kZ>tLSGl|i)OF6U{SV%o_ zQ(WcS{o?qRcaDnHZI$IV$EJJI4=kv3U;O0~l;S2nJhYzHnpQmU+-@_jX-UHmRgQ(k zbRe^+iejlIgtIHcuMN|~U7E`JCpbQnIGSC_}AW^2~b}%5w zOkZO1s#{n3JV3ryG7UX==*pUhN*rwq)~O6={bHBmsmUmM0OHq#ol+$v;EF#_!cw)t zrq%XK;DC}kAhVM`PCRaJCVK-H4TliSFHwUPKNHo??d!S{pU_n>b zChX^}3BDF%-F6;i(u|m>syB?nPOJ(5q;Q*(-^u(wRA#awfJOkKGtP%wJi?Ry?O`H3 z%}Q=Yvk4lnT>Dp&?AMy3v`)?1YTvzkL%7rGs_f=zRPi#$9hbeNbRcDrjYZ=AWhCyG zdSj{ns}Tw6<($FCSeB$gOthb5`Sw?G+Kjc8PWyf=toOg)OHF0*t@dyfpAEZK{eB+% zHTuM<-|JqUBYJVSnaVS>?V~jt+w{B9U1R9Tlrx&;)g9Nec^$`@b5{NSRbo_La7*9t-uaM%yd`b1W0fB$S1W%IQcmo` zcd)3Jd*>XGxh^1rnZ->zyp6z|cQ`ZMg<6}V_}HBdd)8eoe>;bj<=B772dk;$6MCwB z-Gh#+ObFJNigRgU(@NC$*<|+OH@fV8#Z*^=nQ2pN zjWhaGS#UoMwZsK@seV2S+uqrs?B}p2>BzbEbp*5nL0~_8Sh$qtRVY82)Fq5Zl<+YK zmL%BV05flulU@Ek7B!7rC&ymX_E!$lX@pecp{eDlIlKA~$%7e!2C@?jjljc*|@Ea(z8tdq&$JlN|N)s8o<%{_%`~o7*k6rP}9A*9F2;2H>gMF>; zmG;Amki;U-+G5;cXY#*gwM{e+rX>-gL9*lTg#JTt(5Ld)`neE2A%)*pgE`*u-@Fx`p3GG zARv?aWRUqEbp~e-snfnIg46Ebm&_j{3{8{^C;s~Tt=XS%MxU)Xm{uIw;t^a~(;nAL zcZ@iFknz%Bwb2ek0e>X92H3<)K5z#;1T%Wbs#8R}o7~_$d-m(mNMNs5pdjM$Jaqc> zW`0I$NT!fXoK{5gq(WhPeRVS|QZ7+hTA9nv*W6J)S4Kw@zjmU~M(1ABH__3uAM+jKO0^@FP_0T@eA}L=8X-qyw_6Z~u?K%;n{qk$2fRvJk&~R9at50Yb zdo90JYOC|^TF^WgF{Li2(04uhBm9{VQZ}<4N3BaJ_g>vh39!gWE#S8f1;v>5qPh_Ek^^e!II<@b$P+ zQ>FyBK6J>$(nlT{MDhIi9(5Ws08tg7PDZW3(@;k%e*Df=IqDvN*wFOh}ZGhuME-$DK=p0^Q?F+*R`% z1#kwbsA(yvjkU0j?}RKu;ydX81Afr6BjZ^%!M(rt`@4eEap=5o>wLqV&MAxmRSo}o zK9)dDQ~m9SsF^qoMbEu0**)OCSV$NH3#>|wHh(kz6*E*m;3|yF9JiO94FXAgDF4+$ zo*Fy({p$5R1EHToXH2|T@HOo4VQ+*=gRdCQ{v$GkLH82%V~Z9N8c4^Cwlr^TQ=Jy< 
z7k`{WoW0yaA-%S4Z3ylt+C{N!%&L0fDZ9j6pHUqX>27Qwb~%c1P{=3_?iL^M)}Uod z;lZ<|fK8{{v~G#}Vh@C&1Ij`Wy6&Ao8s^Tu8)^FM>o}x&kpq=SSats%+MzYIVs<0? z_G;@&5~|pUpi?n1d%u4_m^@l;{;5+F-$qV(hWuJ<(8``u>NnYZTg*5J;HkO=Bmz(L z`2H!Xg57N5lVwLSqFy_rhSGMY(6v1}oZHR6(4wn|$L4hV3y{8`5uRl0^*_hI-`ChJY^bwy{*2iE zm83@vBl?Q&bkdGy`4fo^2|Z~8J?0IR^=IG)?i70^0O(Tfo(^T@4NI;Qql% zxir_Qj-< z56VQ)9^(VH<|MoX!A~VuQV-R9N4CEW#Y2Nj~+PuC{EFB87v_rcoU&fa^t1oAR5^ zN;+5|_a#63)MZ!UoAP)UpMA_HAXfCjH6#xn6B!^(!}!B-n>Pf)rSqPf8wQJM9PkYv zRra)f)Wi`TCUw?adiGfP7_m_@0e(bktIXbH)C>4ed15_sqqCNFI^#VO^&xi4G>V~v#Pfe

uud2Zki_XHF3;Vjc|~P{e<3QC2?#Q= z6?p->gGOTlnrbV1rR=Re_+S7>GbD;BB`KcC0WhefEpOzA3_}yoDiBRAm3se%I)kQq z7ni<*r_-lkMWIk_7Y9QGG%2a{Sh;GIc%p@@pm{sA{b$WO9bpg@&c4Q~0-1QDL#q_C zDgMHRCHqy6EPe01#^C!Unwg;5#V-n3Beo4r@e&Q&qNN0}hB|!~dAu+flIq}>YxcW+ zaH`0KAxDeuETxyz)h}9?|Ngxy@f=0#Ztp0m`}FzqO;|V4TuAUfe@h0a0JZUTv6LFQ zWDnpfp{fogt!SL?L#0i@xj5OJNeR#)6IE6S1_yn`V;5K-Di0z^mn>Ss_**UdS!~E@ z05_8aQ%Z=pXf-%eMNBJ!28dpt6;0b!lpqUe09drxPuG@WJsxLcqlmFpC*fy#56?%$V37h;k+h!qAccBeX~^N)%GOVVAS4Tb*Lw= zUv!EcNT7wxdn7||7#liGJkiNMR9vm0q}KGSAKiAN<$4Jb7KttzoRx!g(Ep0C4npsz zmrBq|n{Hj~_pCjI9}YhKCUsu4C7idyvNq^5w^`_CxK?q1L-kDkpr5JI_!TV~Z{Zz^ z8!@i)AZ6Ga>icfZPltRdFE96}n>vfnKQR&3IsKg*DcH@0nUtvK?>(h z(A@7%w=YJ`Te$ER&OL~eq~(n;m)?PnG9s4-{a9(GO0cNKk=@>qo*ZeDMA9HxON1=G zvF)d!9HltlCD#!hxyZcH_697s9I#un=cu-nG(J)qgH*}mqRhpNV*FN>)3p=da3uhpK7YT>sX_hC3z~~my*;kZ~>L-dVl}A ztlwK5l#wXxQ{U-8Z=~Ow4HfPCZ5gw}Y*`$pH(8V1gd}e3tNi>rgAbl7w28H2x0NX_ zkjY^Bc_)t_xXEH^+^SVd#Ir()PxE4asYLDplHU>VU-Wgjv8K#yL_$jS5L1-XzW9Kp z@V~def56sq$P!@p0LmcA>kN3*a5HCjW-7_Ux>y51kdk;4mQrotVbHCSOd3K|_G8Bs@wg{u|GpP0I{3353O}C7N6=T7;J*D*%fq^r@c>oYoQV^ z*IXbg%o^rIf`OrAcKucfD*rc$IZB6kDKhC%`f87lhx#u>SKbl9HiP1h)8E#8p(4wo z1(<*u903s@&BwT?~aI)dPkt$;*odxGvuOMQsfXte(~Q#RLR z_7u4;EC#Mjb06)0tJG#`ObGCU6-`+C!3W36nozS?8r zCo`56-SuImS}G5TwkkLMaFL#N^?<#jhKUeumAiXWg(|}xSY?>m9=gs|JG?^GcRk>( z1rkbK3J21C4gnveBdPAA{r7R${LTQR3Q7+xfY^D)?T-b6I9z7`xEK}HiB^n=!vz8J z>+wY5?}AQC2Goibhy2+CFGFF!{=D)s5OpQm{yPpSJZj% z;2D_?Mxz1<8yH1(L+x!zH>1gLExNRQ>ZiA|ayHU8B@;wJ^y!hp#d~J3-*1<@D32VK z5cJAZS8Hn5q5Ox-0CrE7N7j9g0vVz<6Mee1VQ{Y7D%pV=(IZpsIkj8|tmnFr0**$lYts;jZ8)59hTi-;lR;-b{eJ!guc;f+iNlc9T_7S3XB_ z_ITEHYS*?IF=Es6*$6cUpw9PHXejm(;zpUd6Tv;tER$HcQ(q2eJ$ht`wc;pZn-eCJ zmw!hJeE0eDee@FUkFWghVqmbzPhES2f==;FR_cUc+SMv<^=K9{PL;l^m;A#B4__aj zKuC$9%u-)4?fsyC4j(=|4?~3QH10_sDw9@>xv#9KcqqP#3&Xasa`&+@-+lZzGAlKs z)acQ_|5^jUw%1fGL_9muy%J8k1B*blQKNNd>U$ZN=OYW>4nwL$yi51z3}7Vd=~Oom z79DgX`Yc~wYVEkE?A_|IW7wViB)_Q0l{9xT>q+mlI;6t{79dbCH6e(bHk?3;5oKz)vAdiXu>vu+enCjw0|?E 
z*~p{gc^vP*Z5lh4$?q1_QLb>TGa^5IWBnaV>riI|R;)L9c^2H+BgmspUH^f;kH6cV z{t+v{#lKS~78rHiZe3470e|vdJUN4-Lydz#f3N@imSy)oqGSM5dnnl20gp%SdfIeb z7^4w10+J3xUYk2RrQ|Pd1^-BoA2I!^+R0@z2b033bcnZ<`7V=UQ`zG7k#F_zl}yU3 zuOK7qLgqzEx#0?+y|ech$dE&JtW(p^ZLK1h!rIEppAQ>o>n9s|Ejge1Fl4wDFf#4) zXnzY!OL~GwFHYRo$3`inumjEuriKu7LA9Wna~;j#-J|LDZ7NiE(%!L0gY{?C6M#^-SA`HuAmma54V zrCSAG3pvr}cUgqf1Mhv#+3!)t>(=c$TY+q6Vfpg0W7Edueqe(b1EuH)0TB5s>Nvld zxjE*FcRcsJx7@d#`}a@Ze@Qc7|EP}b-~?6G)r%JIja$|Nfa$0hf6(Y*=z-$E-#H>v zPf4+I(2Urx{>=ST0O-AW%cPcs^z?Dvml%zjg3S08$05mr9$r|Hn{pi!N5;s;FOoOp zD>olMp48pR;N*urpH8$<2xJzw1}ai#i%1&Kf_R+hwI^aa)*Gq7sIKHd&IH?w|FXd_F`SGT&2yD(wcv z3{!x_;L`o+vwj=vNm$*lvUBT1!Yp=l;9`Y9Pb`%?&|FIj9%xhl5wot2@?HDRqjA$% zx&H!3BXiC2_}q!SJ@!-iPLKt{tC@j>Wle{|1~3pKi-^rHukgV;yLaV6R<~~NqMixr89;1Q0T%66B~oCC9_sguHED_Q@un$B4q>0 z){L`G+!?qD`{W%RSeWypc9-eu6c}YS6AO7!Ou@r{|J^Wi-OtF8-$zU-FJ}jFz_K6^ zsc`LVtygpMDyhZzs|G3!TloOd_e&bZ-JP+fY?Az15NnBJ1c~{QkeYq^`fO{vxF26e z;)7bqi#k2El3GRX&ou@wgw#72k1ZXy@*~9Q)19l(Z4{sxkeY^3o5~GXXJZqAR=O>O6WUan_JlSyeo;t(H{BJtlp6KLw-)c7ENcer@?J_0u++%1 zcIz|47LsOX@<2L0XpiU-5?%k}c*v!_7i)@G>dJ?-Whas2ZP*ZN{eXna8S8#7H|XB|D9KUErlKNua&+WuQS zT^+yH>esWfS7)PMgfl(hM7PXmb57gVRRE+c{eaRVFd$&8fByXS=3%3+Q3d*go?crozf;3JwXTPEi`+x_lW^|OUR%iv+8nV?BNj^KGo8qUoT z6yula7_0b`LNlrX$}z)CJ%gfvyY$_tD$F)o=Bxl`9`!bV}``JuG(D%oM7yLoflm@%LB& zmXfQN_3HLc>gHQ{pC=AWl=yPv?wz`IJ2QIxOJw;S>V!I9VrVpQ=S0I{GGx4-;wPdv zOUqI;&rK8r(Zm+J$IbkavN@w@v?{h%3sKW8%O5(Y{MTZ@+HH!(Lv$?N){TOT8kn|Ub}Y6;4A_ebN$8;Msn8q)h~+ zB^2PtE1z-$u5No4(Y_8@&z%&ubuM=0$$TqE34YS{G|KWZVq!fomeUiJ%A{G9EWi4S zHFRCBAD(n?#W1H&&n{Ux?S-k>u6PKe6?<7N{bzvQa^TR83Rl8NUAiXXB$+-esj}1Z zPpL?tM?21%Wez}RyCaIK^zZ1!4*nn7ckFnoedClhzh11l){eYbJq5>3&b*9tZ7{2P zrm;^Q&KFsz9oEBEEW?1I4%>57!2Nyj*Wsq9E!;8*r2linZ_e#`+JFSCy9pz zt*wp7%Vd0IsPk9w4R-UXaUOrkenPh%4g(Ea)kH{+G5};84mu~h$%uI8CtYZd!L!S= ziKt**b~Z40{ZJhB0h$@pi#l}L!P$*+X`Q)GYoCzw5pMT_P2RJY!kF%=0|9PKa|%Xz2N z=64-0s>k0&F)glC!Df-pIj=QsJIpHUUP{VMwj0C`KK_r>`<0cJ^33?>`I!l1m%aMN{t1Y7s@Ld!eG0k9%#sC>5;v_(BV3uc 
zwf}i6gj-toFWUZM*%Xucm7E$rXzysPz4;n0Yo`ohPF|8ouw=%?wl;r-e}0m&4W8{K zzbEH;3h@HOwr03w{Yo5PZZy(T?5+f(9NiHz_x-HhO*JO`qH zWrnfha!koo^8Swgxyd>72jbHI=btCtv!14>dm%Ok35{A9-}UOUnO81e6qAAtX>@GB z%`s(tT&#IS+`6d1!CR;71(7Cpz!L<(BFyIUv|@TBGs+Xn5hYq6g0LGZ&bt<7xQu-J z>m*B@z2#F!H{eOFhOfR>N_ByUys!3%*bOIgDj{qX3PLO>R8L+LQwS%aLcw+~)1x)U z9Y5O_0Wu5?y>|9B8qT5yk(ZpW#>9AS5FS0qnG8C6-Y@Ol^X%;voOVIU4X?Wl`%%YrUvWt8f z!bqVe3OIs0%LjfxE}IFO)K4pRUcPYQ1{fPTm1X_xLU>a@r(3l>88Q?RmIWc8l1oki zx$9pKtVq~YKjgf$f#=r2w|ee##gfGdRf@D?fw5+@@)zSS#>E}jKXd9-Ya)1Rd#>f+ z>Gz>;|Nc9H?vfpQ>0fn!6+E@uF(y8!r&ckIaHL``1j(+QJ1xis(B**vS%yQpjfpyG z(|IoLjM|Nf4vOsiUv{;aZP4TO$CNpz z+wV-i`{c=Pn!{DOOZ&cJGjHE~a~FO6@ad_;M~u){xYEs2BAL+JqvNJwWgovMQy;HW zol->11?2qnB0c)jn*6oj-ErY59fEpcJoRywdODTFi4~$qFlJbCS+Vo$@7fmcuTW*R8tkz$YTG}TNR(#{PL0|f z_Fzqn2`KteTF2!TRZ>i*rJYNB8ejRgwX!L_cy__Ag9pdr87QT=xiak+r(A7MkiAd2 z@xQ%ht2qxLPZ{Jdj`yD!Ua%(kmj#KD>CF{YX$13J>+M*hx=f?Tj z5vsrF>-aH}Y79t+=OV9YRwe6bzbG%I5CJe$Hl=nPeEZg|%g-pdb|yQPcaJwgUXdN} z0hLG>(o&F+S?g+OC{};I-J(m69_KRCz8xgPBVu>k%XNX!Em5%bK?WJQ<%<#HNx(VZ zl|DEYu-`b~8SUo7Bg1z_Uj(&zhotuqNBcfT#7ZI`(!3}0u6_E{)h;I&;M}QK&z@3Y zbCHL6KHFLLQhCB=bRpW5a=ngf{rX`}sk_sO#Gf>*^lJGUm>XZ|idJ*PODXLYkWU-8Z24Fc`;nul(}k&{D1S>ytdCsv zlgcSudxz3P5W2Zg2-MI?Ch=~M4x%hJjHz86$_EMvqu!{E+mySGy{Ouc(2zuZHx76= zxF82$U@~_HhEl( z5|A}gcA|9&GCF-E_{jN$M1b^5|K#)*i8UC#G%(=*hh2J{iz+<%eZ->4)2BDUF@?|N z75!r9izQV{$Yr=q)e&=};hq<>A+kiX4YeD+V9rF>kp?$=-m3*EeH>t&E68(ce!J9z zPeNb)xM%_Wvq7Fy`Ry-3;J$@8?k0|$W*2nez!+*8M+XNpQ0)2L*|T$aYo9w0|5&{G zbzH`Nrb1;v)R3HWEpvab!DC=Yz%r>LM|96O3b0~-XE51n+EruQVI{=e$DjK)(bqw% z83pp5-gDGp;Sd1Hmv<0rS>L{oUFVMKM4=>6BE%9%8YMF?L0)AXhqSGd z+t#&swC6}qwahxGzrvU}E-3risTbDMxc1R*lBonxOAjQZKvM-d2c39YRXC-yuHU`b zBk17Xy~8Qxw+{8+SNu%T2);0nQW5CsPUDQGu%3FRZH`^BEHsQk&B zEpJ(Z^Ddi56n=SpHY`jD?0UU$~aT~s> z(f+qf&FR0_<0_WKpdWzIxB2`&yEPPUi=MQ=V~L`NfF9=MOqhM4r!!0YHG<6>3=8n2 zKd6kWucSEN8-%lgIObT&Nr1q}Hr8{J$dD>=rlIOPU09+utow#~63|W%)mp+hKoRWI z!-r0doFDZ3TZzLg@Pv`wYK~NX+Syaqa zm!DpY4|S+okLBSSn3aq#B;o(T!65<5KRkKGk5ctcKL@aEPsfk&Facy|n>eK`{M2rU 
zE)1-5wEvw_Q4wH4AXiT$_2U>e2TQiQp5>fC{?)%wv_BiA$;>;?^g8P^o z-&XuqT)E6K$CAs%i@%qBQ?A^2623mbvuctVN(Hf$7(MtQv6<`{uw>T3Gq%v=vk@(c zbUZL9$d|#7_5xpW1MzY8)z&%O5!JhNg|gG}47fS3X~)d0tv4LAaJL5oU5T#j0^=Zv zsAz>Yz9q%LIqrHlRtQr>hA`X3hw{Sh*h`1%E8oK}5f36uVu0&A4R|$s7nf~(t}dQs z&MMUA?{+rpcC1`N9kI4c5F5^LT11f08%Xt~W}#!&sq#M?1v+z+LQ11$OU9#kfwoB; z7H>P<=_A*b_hzpk`AzP;aJ!I}{D~Ltw7i+WtEL2e&@b&N?rX?Z30J1^5`_g6Pgs#S0PaE-Fdfn%0xqDvZi-ptu6MzcH30meLwTN@g=ax=3Upgo5Z}PW$wv+k{FHcQ4OQ-V1mjQAkr|$-L;; z*w_&}{z4A5c7oD-bu^B$6hslkR!$ENl#l>>Ac6j@d~#Qbi|DI8Ki<+(QZ})Y)3>4d zt|Jf?%39l}_px`b&0WJB98F5&8{q#N*eB69&jzTJ-ERN>{pezhBn$tK2nZ>)7Yasc zlv&ub1?d{!k(KE;&q9Cu;`-*m)9|5~I{evu(1WS9>{VM*_t9ozU1uL?gr*B;;gBbj z8w~pjJi6r5^S+{BL_jE}HT?Lz9O)Su$_g=THnDQjm&Ai_zAnVoY=PGeK~aIufp4VL z_y+Pm#*WEgg_?BBf2YN}i2Sv*)U|!5PVBi#{HQn~>z@V0>Pq>|#uF)nL zBH}_)&bJfPknS*%vU)2EAAM2z>9o;dHo7Jz+Olb^EYUTbajhPxzv!pZOv>9FK+(ZH zcU_<+Aj7edXvR1jqDMH$^JDBI!y^Fl6rR*b_|>A@JJ8>Vnvz#QCZqQ5eQ9lu`IDy9 zp&(JUF-0cSXbkUmP+}KAfKzL6xnUMU1r$2I+`wQ>u+Wg@O7HbJYZ51o$s;!t-4lmu z$;v@$+QynP1)^r`hhO7%!xCP+I8gSXXg$h0=y5&12IYik$mlMkFH}%^snUJ8(7kYl zyZsIq*@4eU5+*&&OT?lg(GmqJ;X|Ou4jD&=v%23;$nD!}uNq5T%5|n-N_L-&G-pE~ zh(hoHw&=f`wgX#N`+Cs#`-95 zskOBDC9^K|>3U)M(^cfQ*txG;^xc$0c{m?JzckcKt|5@lO zb0bJ*kcUNqF9E6mX%quc#FB@^1O%{y0Rsj|JRV287axsPysU;IfZs4sl=tbNgL zM}(jHxG5ZH{bq-H+!nBEkyuOA0HSS_o+#uKIZ~b8kL*62?Ez=n(ErNez44e8twQn0 z(K~L&jBR95EK4H>2>(RPC)Ns^`m*|a(8+e|)=gB}B2*@}ms`2j^zm3pzeOr5FJx+J zo(`oHvf?}4k0b8ISjG=7`Mv>}lUtj8d-g0&V&cmcmE3XPXP zhU0a5fZ1xHk!ho?oi&Q3{BhKAKXf8`Mn>CD+stGj+rSC4K^W!kJ$try>lRWR>e?`7a$N$b~t9|vGXeFJDWEc#e zmV7-b{B+0^!Zm5YRzxKhe610^*9It%EG)8?IcU&PLIyhPG*nZIZmXVOrR`jPkerjO z_I*CxKNk_9(wKk?><{bR5%~Jr8W!kK^~P8py8cO-naAoZq=`E^=1<%0zO#!{K4Y%8 zET3b4^$7Y*-f5W^6nwYq&T=>$aT){a-d|0PM{CT03G*2q5^sT;Psqz(6b*ybqwOwhO5}=r?Myv%h-%S{b&psQADSyL+O2 zU453HjZi)tLTea3xeV>4_0f!e&5G9zHt6~;A*Xlilm+dJ9;bUi2CB6gP!jib;0Wto zL#$J*@}D*0*#!00=u za-3G>G7}J3v0}KT*~DorQ5-~Xx^{7VkDbXfJL0T+@!FM(){8rZyS!}9iJ;-W#DL)T zc;0@`^)lsovg2VaO6)mmNRn}q(SQG4?uM59Q&>=KaI5~ApCK9vYe(0;@#n8>dHZ9? 
ZwJnJord#H|})G(jZw8Nr)7(Bcl`{%HCve z+4u7}&+B_X?)!)PKe(^!JRhA8eY`*KaU8GLbG_bvnx|FhHnVM}P$+b2s!C@l6e=71 zdubyze!};*U>bi=8=h2AqO6kt$K)r5QYhRMH6?{}4$p^M9d*ymtjLWwz8!ltyqKD? zw_?xB45975PaM7l)aw?!)Z2F`Ir?$yo9Q;Qe-8vi#X z1q`C1v}5gDZv8GCObY9~i>s$5q!_HFY-Pt-<@)WuKez3(bx=~e!s2bPO)K$X-d^%w z3qf8|C87aqjCj6_(#92?>(O)P9U2&rx3v{#V`u+SU%$>z>F&aUQ@A4=8=Li*>4ts# z_Pt6@wq0$gufON*O`ZAveQa_vjh>#~z@I;Kzs;_&D5s}07OI$-2%b23QcG7iAR|NU z+{KG=uU~KO?d^S)n%cM0`s>%mSWVyA*;$3;9Zf31O$JBhb-4OF=OOEGJ`_Y)UZy9&( z+BGmdypAHYcW+5W#m2I-GSNeaywcMT?08Y@{`1EVkJMBVy*jTD#v5bL%fv?`YQ96En{p;7SHP4^-x_^H&K48fj zrxN6ylCp1jc=(E$8O??b8>EgNE&2A1PFY!5aXeLwmQOH}??~zTHB_~=wZY-xn`EPd zo;3!A+LtF=9z{hx zsI5ICw0n2)j~`5ymX(_-om6RA*SnL}+ z!|MGf($LF6Pmkktl(ZjiA1@CNxx*JOT-ZoYuWW5CnxGy*jfd^{G)eQwkt5cBYIpJP z+QqYb_ok$zq=A6}cYlAHYu}&y{eEXsQeJMN&81@)CirWdVdBe|6H5z2X;MzpLMuyC z8hG-2{QT>1HXAo>@(2wL%{#eMOXt!ho0TQU=Z9^nZES3WgoNC^yw<;X@nZZF&HgKc z^+}p%4E6V42{SNs@Xl7^Rk(Rm?Dp_4kL+xzSFd05N=dQ&`0>N{{{6cJ1qFF0T?~7A zdOCV4L#1rG)`?us+h}WRE3EyNa`LIj)$$*#$}8R%eV;yh#4RDg>^wWHfUCdj>6w20 z2X9rB4EwWZ&n892{Or5S=!V<))aQZa; z%1qjw&i?2--hO_Yo`~q(_oCU65o%U)4x7qtb=iJtyo7EuzRzA^Pjs+0#-mJ0f<-`U@sr1Pg)4X$YkCL5*yI^c$V)Wz1ap9uvRoOP(Z*BWex8&Gv znCh=CzhsraUPD7;X=QP2QY6qIYNH}&*W&C*$***yiLd($J0h$Kig9J4wtc5=pE_S0 z9v*Hm)R2OO$RcUEGs>}#RY_U-MMlP%wwDL0d?k!4f1{i{)puh(aNt0g+#T7Qwzlc! 
zzs2xO8P0F2VzjolE(+mO34ZiwooqA%{`XwgRj2JLe)SMPPgH2=+Wq_YKbLW4E?k~v zFIX7dE73BzQPQI6pz*b9hGhY)4x>5!xOUtTurRv_~hi8pmNV=&)D$znYL}a=k87s*3D*=v}#*N z*?IWpy1E4QwL#_hNAb!P?z?yIirRE3{asu%T3(o`sIDGs%vgMZBE&9XUX(jlu&6yn z`|ph@58^5>_S|s5s!iH5Ti@G&nnJh5LtY+*?x6Fm`3);8t~b{>2l~E6taF#0?+M+o zq9@E8`ug>rk>;#4{jWhmL4uT?v9W3y>^o&#N&M^ACsyaH@A&$@%FKL32}W6{nyRa< z6_S>I{^;@JKlyWQe11xk6<^)Ly32#=@Ypv|Qgm}N+NWqUZTr86BqRt}{CaDk+GG?a z=qsz$5UB9P~LFcK?#Xjwi?%P zlNgKkg2+dY9t{ltey7+VP!e#ZOX2YI45M=TrI|*3DTncn;OHWAGc&~#CpI^v>iMHC zmVW*$V_ks#Fy}n}CQ5nwU3$6)8W-AGO>OODO~@(^_tv6Wf`y&k2#-ccM8qxr>RiJ9 z_UDhvv-UpScgZ`)w!iD=MSU+-ezwV3)@$*sbaCn%#QYCeYg4b zxHF$8d%woMc@vOUxU%3ewNJm`d9Gyd&*Y1w5SahYSg)m}wULHq=wdTE7Ak9)lnw8# zTeqAd_0b6N>&MN^_R@1oOT~QU{4Tq?WLsZfe`Rj8byCF3U|XBJkAtBhFZ$}lT;Zx~ z%#Kz;xs|_smmPbzYwPIniivHxvplmSBO~MEw;i0E-II^DDrR{ z;kj_}qS5b+tD0xdd^$RoSJ&S^zqq)T^4Dd>eZO5rBc;juF;%CU5R zg^oKqI$GP=aSVK(t^8oo{MKdu=4iWtfr0g{Tcs<@i|JRtG6%4VCp6ohJAeLwQ5o%< z%lT}LY5L_@^asou-pIc1A02&g@7}%g*E#9wOcYUUNh%P7|YJixfC6`lSq6%%j zq5+@S#$_fN8ZKNnGh>)GbpBaWpwJqx}AlDjXaffBPb=MDMIDS>Ab zlyQ|CH}?1r#5#9x@moi6;-HDoDzs|-xc&F<-`a(4GUn#y3wh>1Ob$*?UrybZVE*>< z%3NXhNLG8<>+{LuKUBD6 zCNrG*@}KA~d|WtMePw>WKYF4{y!x%pIhH;fy0VMDsI8`79_{u_AFzC|^YAfmZ}0fz z+TJ$ZWjsPc8&QBge{K`6Vq&_Gb~$i=!QVBc323`x$FtQ(9K$B< zDD~SKcF=Uor%#`(Q8S9oAFz7gxN(DV`*tsmqqjQ-e#H6u`Gwf4(TcyIU67G@pP6aB z^w(yTx{_vxh;jE-X`Zg`ZZuX8v&K~1JSxDkNfAE-<>x#(S{WZd9w}H^Fxx5Twlnc` zB-ZR!>*;|XvDcr4c%oAY>lf@4zgAULry&=Jm2NoMQ#mQ(Z=f8{v&kmO*LS0C?rl0Z zH#dh)uN{m#cP+l;x5W|3;pQxc4fH!Z$}CJ+u659v`mS|P zO4{wVGH;@rZB3Puk}^I!TZYz>8@T?H(1Q;jB+Q#X&;eur%C_OVkfP&-RUl){vJUOF zA=oGToV+~c%$YN9t=eVB=Uq_fnQ&#QCr&)Ps8+@IIyt$doa+uPJ3Bk69Qd1T$0-5X zg#o^t0OLwgjTZ{Jr@h+XfO?F9Ax?R~1xy>0UZmSorCi`vhJYV9%~Ey^ywJE6BAvZ9k3#{uS7+I*?H^xp7c}VB>;ppjfW2(#>B>Y z{HaScLM8I`^}W)q$sopi%*p9US63I~jvYSil9omF_1kEeg^OMs_wVTH;vL(<>dpF{ z$1M%Wn><4xYSmMx?kVvW0~9mu+!@f(apmv)yu$hO=i9FCk@k>xkB{f)7ZBi;mF2|7 zdHe2N$(w)PiJCPCpNf(Wr{nl4TH^7^Zse#9MJa|AKsQKtbSKW%2OhV= 
zmKNRrk%&7h^MZT!?!~R8y?F8B-@kv08XI@CwY6E_zU}rRC~3!z9oa|wj@5ow+Sw|8nUd9`-|hfc)=V0@+Hr{eRO~R{Hds@a0hq9&O$@%7#!S;gJggF z`04j=Lho3_uLb0N+TA$G!TjwYD;`mO?~|% z+g@z#x(b?!MK%5{po%sI0(4neiLr5UXsd~d8!lbC1SeA3lg4IN*_!b2uO% z093i9JEh(GzAFDQJG(<)zJApLQ^ii&hKu?hc~nSPSjoVE=gXHb*_Tqn!@{iDg(W2= zNBgmddl!xX^lS3Tl{(k{{_O`6U2(4?|LpnmkE`+p@%#+T&1w1g_`vBER8%(nN6`CM zQh-ahZ{I#JIC!(VuBImVcU?+a+S4S3BP`mAifiv3<$m)(%hAJ9Qg4&(S^6r+d%PX2aA-|Ey}-f28|N-u05Mzh^XE@+uVc_3 zBoE;LXyj-es7vzB&bd{AA(wP?vSr*lMlTmmZ)V^ODi7TI0yhXf%JQM*>ptD>rUz z-nw-w3oENl;k)hz+7frKzcqhHbH~QPRN@j6l-pi{K4;LjMY=-$2rDi>_S}F)*(06N zgvDFyif}0_#1R%68*c-a^=1G6U;RJsMgs5Hnr&KmEK0mg|2<|NX8#{3zra!9^YKA? zIXBk>cSzkDV04h?gw(Q2JQ_P>dS-@-;^gF11B``T4X6viaKt#x-+)tDXxj^D26(*J zZ``;G_I>gs4Fmw=KC|oBDNL2p3BU`xUamHqU}bnmMR8KDpjiO3-^JR>;uLi)k6UaX z5mdtZ+_PtorjE{i?BDu^h8L-+4==F&wTup5gN{Hs!vwY%(nQ827Y`1AnV8e-Mj*ZOKYWU&w@K7H96NO%O?%c|l zqAU{%vcfgaKZ*7D5vbb>oG5RI@1owv&g<8&cSwlUM(+D_%j!-euJ`fd?Qh<^xngNa z|DWFX3B~dB>C-53toQ7lv^9qr(@+g=-?=!u zCvZ`r-Fpq3>VT!lgR(xJGcmI4G{F*V(UvjfKhD7w4Y+S0NUv|G&Q z@HRDdbvjaZb#<#|?EiSb&dl6qKiZ;j=@PqpF3;G&K!rN6#rXKR`@47VUT|fc3t+SY zH@$XE0L|b5Xc7b^?xRN|n&Yq(iy)okh<=<)%*n}lp3HR_`)qDgZ(DS2`)9)gU_6~Y zJ?l`uvvYGxK7U?+`SRtr@83VRpV#33-`c1^z89d5&9I zSy@|d%}-v<%*s-Pghx+L4*=y23ZSd2OFEykv$Nw<8D7vpuxM^U!43EYh&&aQmBrs8 zB!B$;x!%>)H9IGVV9!uN4e#h^u7JS6UcFggKE{o~5DtMFiN>hA`m|uRwqR^zB+zfG zU`C1Iat+#2SC?UG+Q~&{1qCWfQCk})IRa$J|1^`*&IP~YD?DxZ-1PJ<((Ml)W`$&k z)$f7rke8SDKY^3cw5xdglH*ZQojDjCNy!+_U zHeCoy(8wWZmlGfhq<$(|mZQ5YFw{Qj%;csCJawW};h2Ai(h6%@T4*7HtlO}m`%hxD zcTf<6uAW}>K+xS1JuEGvAwPR|zo*Ao_v5Wi02EkF{}WBI5JU?p?dq3u;6u>FVyp5?QaPsE8}I)Qd&GB9vG4}$7j2ub$gH~F^sF>-MQDf-ZNLd*eoxd)DPOi_`EjqU#Uxb=tPvlOt+ zi)ojSA3L^Y%a$$Ujrw;y%DZ`lg=s++!epE!0ByW8;)`h}P(A=34ciM`r5q>uQD}fd z@4k8^1YN!uQgAk>ks-A_bXJ1=cOJb>Yx4cM0`wCB^=J2RPS9pM{G^6!vA4nQm;QDK z{RP3SX==I;37ed-!^(XBzasUP@N#H*K1SsaI>$RpR8>_eOgxa1i54m2JgccY)3Ax{ z3btjYK?ybF6<(sGX{;_Z779s9+Q&o~Zd1aJkCd{x`$YJkV{yuXyr}F>&>ROK2l8+6 z13q`(x^dlfrC@Y$WF!YwOk$MN{et;EcHq)bd($fJ8`rPLYJorb^q5~VP$$0^?~jnIROwD 
z9Ch2you^Eyqc{Q*IQN$}H#eI$rt0+!51*3e3<8(_1D;y{`}bkZ^2%=<6D366dG9aK-iO*H4Nh zUxYrijfqKtQqkD>^z?Hn1#}@WMAn2eXV32D<-H5sG5`0k=8YSJ^1`z}6s33V^1@P3 zLgUQ5*?R(wfYtXHi#Pw4O&o`B-g_PysivstDPjIg9@`a1kC>gkz0eb?p^Bc+($X?8 z{ihDhRf`)Hjoh0PCr(T^nWbsDx-NGMr;hQowX~e_-?6{%!5Bnxxzi=Ib#W-E3rkbg zYWn)o=xGCZnm9n{sZCEzoTPfLYf;c-8Nx*z`Rne2C-Ck0+o(ba;W z5n^IuFFZFe%w`?9=8G1lb?sWhr^{4lw6qkU)(C=6EPw^7@rG2qkHQ8E0fAMIJaV3g zelB1g8oy%ggS>{vVA=Qm{CLQR!4ns3rBde@b>~k)j?h=7pLB0XxXW)zuVqRIGSb%5@d{>7d=;Ljj~sE3Jq zEG;b!U?(P^M0>b6y3T%+Y}eG(WX#FVrggehVxTuan4G4HeE?l=?iKq(AD_RYt+{Id z{1bj5Rd;t|P#~0aehS%5(&J->>0!7MQixeHjILiDdcDKmUYe zWz7X|n1={THrMTurbGNAxE{0sPO9MfX(*#qXD(bwAe*wOx!G@EV$sdibT<_@_C1Ft`YsQP-K2qgBcxT0BjeNA*f@$HCRVk>5 zKEkCwUq9aL{IniT>Hh0zeuKi-u0_QRorby0%a0mS1SB)7tXE)7u`UmylV)#fs#E+r*Z)YQa=W)b4( zcJ=Bm;;@kq!pHjzTOsFYvhf!o^OE-C1QXYV{Z{TwQS{`ZqCxP#{7g zB4|2BgI{82dq+gDqeF>;L;U*nt0HqwRPgk3cbMNm`b6cr+)S)I7q&S!I`}sc)*M{husAo$ULg!2+kk+;OK2aO1(^ch-Msa~_k?*4FMo!RD;L z&G{J(I0j;}oSfWf`pWEb0l^!%<3G^dNc~9C(9L(+j$P=9=BuNl^A@HSag-YyFJ4Q0 znPsOkh%1(dd<1vQ6P5W^^Tc77zoJ>`u6^MqZ_(xe_~a&~=bUOjik-XcHh)z~NvQ+- zbhvrzXuD)uQW6jN$pUCK_2k)Og(%NjfGbQ)=vw}i8n_)?3(wPy%4^{c`}w{CP6cFh zdY<+A^?h=zHS%Ad?28Ksphe;5#T8^^WhHLkdx0^!IuTaD`jmRU9S7x&c zZB}Qer{kgIPA5Hq448q#{nKU=?W&w>KPJHY;`{g0H*IWqfbMUYn#R^8YSaOCkZK{j zG_Kf`ZiJn`Fe@cczRbnc?%25h{#a$E@fHF6>ObO01Fr1+wxR|#fR6Ucl;tXUvbpL}@dt3Ju=gYCJtsG-( zWpTS}d^7FzyI9{s;^Lv;cBXB4jxDxMm+Y}iD~pQU z(LYZS6&gMJAsB3UM1<|~l>h#M7@(BVaUI;(!-o(5c(nU$_FkCc}bLc#|KVJzD(e-uj3gdp*>kwAL zLshw4#;K@c)^4C@WcrbuR&au{a4;q;(+C{PsXx+w0C!*P&e%z3^q+Vz-l?c)X~&1M zD}TE$H*=jD%b(+fM@Zi^2~+DN_RG!1jF5w+Muvvhzdt|RvSYZfI$GoDetowN+l9Kh z#VuX6Ga~%__k0%`1W`}*))bAnGqtwz*xtO^wX*!y&S${VHzFe9YyISJlV~Q&{lLJN z&?aje8WMopDypWiTeeV|a_z06`*;Rj^+GnF#X13jI7g%`9w1Ph7%l$kfms&K-Y}zV zSLtbJJmcc{X2;rtpiFI$RXKltJJF;Ee8i(AOw>X*${ovPovmGeB0Gmx|IwUKQt{s3cF#1#bQv2hr-OvO86+g9d%j5WH zw{W;z2FyM--rv3#gx(hdql#s9ZS5As4}M`u&3$Cxl=j7Dn#)-(CWsqcbyPWfZD4hO z$?xAe&5IS>H<^kSz2EH*YTN}O&ps$Ze+wqxib7Koq}5#KUAMD 
zc{@EbQwe&`+?Y?w(KB=H<~#xd)D&>C;@0)UD?F}zyu1|ozS9N_5&f5CQua;~#{ztH z`iOoOwD0tnJa-ymKeth0@@wCn!AyffWs4aSxsh5j}1L1?};{2B*+ZVk32JmS8gIQ^JL#8!XaTvN?S*H3@py&;^>s3y1GzjbM6Ht ztD*0nVG$9EXU}f6u&@x?vuBOF<u1c-c`%eAPQ9C z!(as0D(JjF7%Is}>F6|#SV8h!PMr$XkS)gEA$BAD|IU!+sfh_9tWRL8cHz$w!~HK& z@nHu-EMR%m%g)LQdDTVp$+8ror4%U5o+QpR=P|nYe>;cd6gcm+$o_b0mnbOB$$)ea zWcao2oN421a&9iseK{93hVDy4lL`w9`}ff@Y}_ah(b(SWt~4|zlH+jfP`M5HE>gBO-51o>UdUPx{ z*f|xU65oxWEl*8RZ@HR3SPa=m!h`>nYrh`~O8TuowQldTu6<*}slX(l#>!t#y&6+m zUS0x7x%f-A2Bl*7h>YsC*gKHNW=bUe-+(5gl`2M{NKrgrT z)w~UP#-}yldqSu@U_Yw6ZrwV04UM$stK~S=>lPNDvBDM)R_8nET=agXEnEhhe_{Gh ze6yc=y7nochUqePE83m|3o0aDuzBOgfr+tp*EtRtes$>hF=)Ppjot^O}Em!eP5h(NtEZW@_co*|O@~{{+6+4|vNJ-@XOn{vzPw zfB*h{PMxo-OVz846aray2?~a43h^VFwMHI?ksfKyeOj`u4XR)>Jj%y9zX{OJ1ZZ;B*Ei&){}=uz~Y zN5R2GG9N5kk2v){zQ}1B)rJ=K0j4)W-QWyu*IdUXC9=;2Xna!b!@5rt;!TpNX5$|7>WG&3pn~4f&OL0%edA zLRRL(hbNbv{_GNykPv`90-Dt+!qWnb0g}i>ahmUa%C)fi4wq)>rC;E3xV6AF0^F2< z5lRhdmCz6vEXLfvKHc9x_$Uzz?jf>-?>~H?zi|{MA?&4nA5r^aKG>#}mMZCF7;kDU z)YH`^nH-R+%Hm=VUS8e-z&r+*(YV=V1hk$>Sg6m9-Y!zIXo zGc`_J^@31XDjFJ|P->tyorbfMX;RHu`{M@>CDW!`d2o2xW#A*fmCIo?E(|AEwEk6Zb(U%#|L0N5UOnxb-4wzfv1Gv%b82wN4`T_{xrs8BR23-~jX zeS%@7DIcD}%3}NKG2W0X*o`umzn4oNhH3?S5wZwf&d;~bbC!AYeGw#nbHH_BTER*K z5NQJg=ep?XaulQ=P$>p1_B`yY5mbIg$1ZVYb!D0KP^c9Pv++L1T_7g@{`D(3H1up5 zS8`ZLKW=AFSJyEV9LOClBU1C4e};$S=h~cupeK-wQ$_PC?w#t%lm6GL!g#V`t$qAE zYjJRNAg7V{jYOkxTbd|WalA3s?RW9~c`d{rO|M^m-%`T3DVBLP(J85!9pzHwX0^iQZW13CRse4wW=v%hrf%1;j1=OS2=h_FXAsS8M% z0d4NJ-M6=7x)H!<_mLydpb%e2^D9}9rUla9eKsK&>?nWo%idc<4f}{F;*OB54q_N+ z`62J#+3G9r9{v^w7v9nFaQ;LYJ9I8}YHI4~P9Ls}(4D6WN%jU&hwS~L04#j}Rl2URY}vRj(`n`g02wb&+VC(%oT22F!A*r{pC8ojg=%)<^${B2u(Ci6UBC-{QD1a775UCc9l+jwjF@ssF zf>0O<1Rxn_Ja|ax%pMVuClCx7VM@heS7DR&%IaCR z7c6Uy8Ma?EX^aFXG~uSXnnAC7IJc8OVABK?pearC2FU zaQeYI&>Oh{|MurkZvg=7)$59Z^FtyD1bw`KcMf#ti^LZ0dG?~Q7@rD4HBjI@2;zi7 zj@1!%$c)+0(2$Xh?MRrqJ^cw^+mmC%N|1OFC$R1+-GsjWtGStP&z{ZIGIKlEtX-QE z!63?~g58J;Wj*}s02F*=q`Q+6qmG?Bw=L?<%Dm;;=^$gM-e5;%h|}GN@(`DlwCR5t 
zka37xpFV#+-nL6@`P`W^chTcGu+sayE23mwk3co_L}HlXr^B=-d)FKw5Fk<3?+~W`4^-l6xio3 zg@7CL@$h)iOhaiS!8<6|NU4$3ae8`s-dAHMsQLj2S*%4q$2Tab9M2;b;W&ujKpY#G zn3!5el@6}+7AYN@i`lLZ&j#NQLBTUEZ9g2C?B@6bC5q0@M@b4hGxH#}6CZSWXrJbu zOTJJqYwPN4Aoc?q@f|v}9a=gl8dBGH3k&7etXcCbcE{m8`}dP%mxyk*dwu;mTzTxf zcUz;PqFTHqg@jbwRJQi)=$hLrBqR?Z3FO2V-$F8NkW-171``6^26+}LAPVFTGP(y9 z<%PBpIfTF~$UVVNo_M1*0>4~=@-;p);{{(Q;Z*o1`aqckPi(936{GO4g!WO^Vo;CZ(m7gE|C1e(Z&lB*p^nHW6*GUU40w5WA5gq|eegSt3|E z)`(jQ#eh6T=rP%VN%#HzsVF2cZe!yCa5+~8=dhun!Si;M}v#;UT-@vDqWNso&nYQb6C%cqbU{ipUiZe)Jem za7@SuRN2m1R!DI`da@3MB7?RG!@bD?%hj+69I3bP>hU>0yvH`!!remycZg}b$Db1t8qeU zB)_q-F%DZ7Hv(w$_~px-bMHVPl-27U}Wq@-`}xivll9^BHS0rpY`=I85vtZ_*<$`!bRde za_1QH?AHn|>mlO~ZA=;KjO2M-#)~(2x|(hir(hXx-n=*;+Pc@8uE7&jvk!%)>) zriAzHyDD*G?lfP|^KTU!Cwxp{xPs3BT9SyscknW1#)c& z#>9d|0%ruU9okG1!u9o~ue9P~Qd7U%IjO6Evs~LVG&H2B_Gfi8pGa-648k1;hlZ$H z^4B_mVM}VDE`p$f_7fftdH%mZLTa-Zzytt{fuZ4=lP6DxJ$v@)%a_dp0s`bxkx;`~ z8(3Pd)XWV5JpV;yv!3ixLs9N%wQom@S$Fi-3wNw_&2#70Ay!3v(e{&fAjv2K`;;1{ zS4{y=7_ZSoErI<+0ul({9B`VxZplHR$jHcqb8rHW!5Ot#wY0Jt`{1Uw=z^^YVGvh% z52uL~nYC*^03FQ;npJrJUJR4qhGVO~{qUjhc13*QC2j2@7=Q^6m~Qm=IOwZoP1oi( zqX43kLa(L9Jp-jeL>h|MT3kN&7C%jW{rzmkc)TU!kX`ki?Ic7FAGr z_XTEhr;+}SAmL|(B3lH#7Ud2h<9kiMJqQuNE;y*4QTaC`@xN5KI=3on@_i?BAD<>} zHCkX!QQlk~xn@jxb zVPRph4!u>v8>y|ouIQM{b(gtTdk09*SLw}!?xVE1OjZj1MWVbDiDH1rx1uIa=PzBN z0Xe`>3^zZ&Qd@6;aU?@txj>1kqmxrtN3mzcmoInWp~JM;fWZhbVV|RIUql0z-ZGjj zl(x2VkeQGR7nq5%``LfTJ5iG`19vZ}DOJ>%x4`5i-3U`(JI~>Ow6rw&$!$po?~t|3 zU8f33TA?~hCL5atLh3l|5ku5#bh8aKw%)AAgiFKA4WY~<>Q9EFHqz03hLD89bq`9k zSQTJdphU-7jhK-QdPrGf+i8K{{VYBa)Od;W1}pBosgiFO0^nO}eQ7B>Y{=qk3sfq{W^ZI1nsmT}z&XzMs|F4_p<3vU6KcTv3`oHBe9B8r zJ>AxOpz7`CW6xPHfXb%3Ej!^To#2pV@SqHgj6A`FV_&>D_V33^@UbW8f^Tp9+=I-F z0Z1=K5V*-)4u10J>C>;d(%!5Rxc4PZ`355ShrLjrL9KS#uAcLDJcGNv?JhPS37+1) zyT%1}v=l^m6!3IJ-%+P3@#`V%%v}M;v@o)jarG-~GI!A7%^<2>pYk#@&ymvz#_XOD zKf-dtmp+hU|0~B<5R9p_qr*Kcj0N}T-?I=yw#|!B3;c{Udt9&*h9qEvGHu=JiM*ua 
z({fSI2YAZ7WcCSQ5FLihz=-I5Tn8Y4DWeW7F7gbh$-`6%@ty~CCgF87h$6{(n{eu`o=>_fb|Rtv{TBOf~39=f+H}KNy43c+gfjY+Y7alB|HaTe}6I_mzSRp zpz4QlvI<}B->2>gM*Jp19V7|x z`0?ZMi3tTvqyR0E4@ryRjJB$=^#SJtlc_-V1IS@wX7+~dL+B=w3(7Niuud2!$7_s8RXB89_FspSh@1#+fB^JUdhWO%rbW;dyWQdx0b1-+&*3p<+>t|bg&`d$_ z$1KSjCH}F=Fu|QT)E_=mYm;l&K0yfvLqH7n6I2N8F!7sMcm|w5NPc>}Ljglh05Y5I zEH<~38A0a00A19aFt^F+=~7G#g*<*tCbg;}BpCo~egP9Bl92b+D2fp)qVGUXZmtn( z3#u2%W50EnFl6ql3O2x{t}Vq}BdS(0kWNQ$uNSIT3E&&4V2iWLZycUr#9-Fn$U4TInY*nhDGt*ch}m zHSHlEC?+4M`t^&2fES<>=6yQ%?ksh4k>dacV=R_DBZCJj!_J?A-T+)9#K^eW3-ct3 zP}F@v5%0;X2TGLC z(n&akr1`;0N>IwjG0brcJ<{?J`u6`F!K9*)uTi8^ZS(}@&RZBvCLIhNiymzcfu#!J zvuLYOC5fVqi6=7t3WW)%jp2{kS?frRTO{QL$(mp%V8T}^DaYYSgUjJ-J&}L21jZxL zOiiJkwO>mRcf^R#rvIAfv=l2ldkNyhPFAB}}WgM%NJ%@NYl6oUOQ6@0nCv5EuYQ8O$-KG{gJ zl-k-P^Qm~DTU0DVF%L#G!LrD(fi>c~0O&UVhlY?4{c`KOvu7|DhmbPBUaC@!whfZ5Vk5z?^cnwS8Bm z+`EzlS>X~k4kv+V2m)g06Va&>7|0JEJiuI{`^%TTSMpk`xRX*+J|oH$2wslP(fPjd zGU+e5UQe`zl`-54XrDV{kJCjpvt-bDooM}N))D82Fg1ZpWF25i8Gx!WjhsBfX78#N z8`s7xaynnUxC67;R4uJm*L^X2ofy9 z++;xe1n&+i&0h*(>LTGpWGM+ZdHR&NNazlPA{4dm%LUFydk1x(0wo~v(3Y0xG)G~p z;(IFQA5ZJ!=@AsIt4oWkfOG>r$9k_7uyxi1P-M@VRuC{msJsAz5Ml$=+Sh;a({y}6 z0VlTEUwD#`=KR1OU;IbT5EW4&L(gZ$fK%~(HU`<gY7QQKDjE7@-WEN_LXQPC<^7 z*li?d37QWCZ`r+Txt?lCpZ;Gug%LI6F-YbSc^~QHue5nYw)k12#URbe1EPdsCeXFM z4+DT2ph&|K2%rnyl4p2Cj>Km_M${+3UwIf6NW+d#Ps8ZgfFmA&--Xkv%$*i|h^30q zW@B|4$Rs=r+y2W{-@YM`SvqpHjr}y#%Mja{5+6;W9*JAE8oO&X2L7X(rl$YPS6bWJ zdV-^(yKV1u-Py(?^8X4yl6eAE{<~OX&!0cB(0vSxplw%>5X1q5OE79nEeW?fE-tRy zW4RSr6vSgvk6#e^{&aND+R6iVZqC+1NdCygDPo#Bj~{eJ!{%VnO+=gwiO zZXE;%;Gh+GL?%FKJOBLI^j{Pb1`PxD!lcNIA7)c*;7z0Pb3*_?7?b2CK?#xcfiQHx zrbZJd_n_1$(DMY+hB$xBdq9X%f>?oe3*`xyKt~E)MtXXPeU8R+Yy+T+%2P8lGo%)h zF?d8YaW>rC-12SFlfCR+*bGEuf!Grg9PAE!ODsJNnVD_S1{qmcq;_VxXk?Q4jrjNu za0$}dA^#&h?M1wO=xYwJA<3}(n3&H?;2?|^v*ENLp2?ALHOdgunZ>5>0ZlSyt%X zfF&j-=z<}TK>&Kls5;ac>;a`K80bZc)OFz&ZXm;qqjxL=nKJ}D=t2~bU>vX&xOEjH zKarWJbpBcAI*Kb;y;GDN`GdF0kclFh`kM5pM$ zDDR9tj3~i{Wi8{m*=3@BA;l#sA%R4PI3ou~AYoDJ>K1RmvOHrXGk?G%>GornaV{_L 
From ca0baa54df97eb63e8f6713129f62b9affb7c4b1 Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Wed, 30 Jan 2019 11:26:21 -0500 Subject: [PATCH 09/21] various fixes - fix typo - make property name plural since it may contain multiple items - mention that users will appear in sync when they upload keys --- proposals/1756-cross-signing.md | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index 097470110ef..f3c13f01696 100644 --- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md @@ -8,7 +8,7 @@ this user must then verify each key on each of their devices. If Alice has *n* devices, and Bob has *m* devices, then for Alice to be able to communicate with Bob on any of their devices, this involves *n×m* key verifications. -One way to address this is for each user to use a device signing key to signs +One way to address this is for each user to use a device signing key to sign all of their devices. Thus another user who wishes to verify their identity only needs to verify the device signing key and can use the signatures created by the device signing key to verify their devices. @@ -141,7 +141,7 @@ response: // ... } }, - "self_signing_key": { + "self_signing_keys": { "@alice:example.com": { "user_id": "@alice:example.com", "usage": ["self_signing"], 
@@ -153,6 +153,10 @@ response: } ``` +After uploading self-signing and user-signing keys, the user will show up in +the `changed` property of the `device_lists` field of the sync result of any +others users who share an encrypted room with that user. + Signatures of keys can be uploaded using `/keys/signatures/upload`. For example, Alice signs one of her devices (HIJKLMN), and Bob's self-signing key. @@ -242,11 +246,13 @@ response: } } }, - "self_signing_key": { - "user_id": "@alice:example.com", - "usage": ["self_signing"], - "keys": { - "ed25519:base64+self+signing+public+key": "base64+self+signing+public+key", + "self_signing_keys": { + "@alice:example.com": { + "user_id": "@alice:example.com", + "usage": ["self_signing"], + "keys": { + "ed25519:base64+self+signing+public+key": "base64+self+signing+public+key", + } } } } @@ -266,7 +272,7 @@ Bob's key: // ... } }, - "self_signing_key": { + "self_signing_keys": { "@bob:example.com": { "user_id": "@bob:example.com", "keys": { From ca7aa8b0baca2d8b598449b9ab2d33e7a79a2ad8 Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Tue, 12 Feb 2019 20:12:17 -0500 Subject: [PATCH 10/21] fill in more details, including federation bits --- proposals/1756-cross-signing.md | 37 +++++++++++++++++++++++++++++---- 1 file changed, 33 insertions(+), 4 deletions(-) diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index f3c13f01696..6d5ddd40248 100644 --- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md @@ -69,6 +69,8 @@ use cases. ### API description +#### Uploading signing keys + Public keys for the self-signing and user-signing keys are uploaded to the servers using `/keys/device_signing/upload`. This endpoint requires [UI Auth](https://matrix.org/docs/spec/client_server/r0.4.0.html#user-interactive-authentication-api). 
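Review bot: In the `@@ -153,6 +153,10` hunk the new paragraph has a typo, "any others users" should read "any other users". More substantively, it says the user appears in `device_lists.changed` after uploading self-signing *and* user-signing keys, yet `user_signing_key` is only returned to the user themself; triggering a device-list change for a key other users can never fetch makes them re-query for nothing and leaks the fact that a user-signing key was (re)issued. Consider limiting the trigger to keys that other users can actually see.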
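Review bot: The `@@ -242,11 +246,13` hunk introduces invalid JSON in the example: the line `"ed25519:base64+self+signing+public+key": "base64+self+signing+public+key",` is followed directly by `}`, so the trailing comma should be dropped. Readers copy these examples into clients, so the samples should parse.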
@@ -99,6 +101,18 @@ Auth](https://matrix.org/docs/spec/client_server/r0.4.0.html#user-interactive-au } ``` +Self-signing and user-signing keys are JSON objects with the following +properties: + +* `user_id` (string): The user who owns the key +* `usage` ([string]): Allowed uses for the key. Must be `["self_signing"]` for + self-signing keys, and `["user_signing"]` for user-signing keys. +* `keys` ({string: string}): an object that must have one entry, whose name is + "`ed25519:`" followed by the unpadded base64 encoding of the public key, and + whose value is the unpadded base64 encoding of the public key. +* `signatures` ({string: {stringg: string}}): signatures of the key. A + user-signing key must be signed by the self-signing key. + In order to ensure that there will be no collisions in the `signatures` property, the server must respond with an error (FIXME: what error?) if any of the uploaded public keys match an existing device ID for the user. Similarly, @@ -113,8 +127,6 @@ a `replaces` property whose value is the previous public self-signing key. Otherwise the server must respond with an error (FIXME: what error?). The new self-signing key may also be signed with the old self-signing key. -FIXME: document `usage` property - After uploading self-signing and user-signing keys, they will be included under the `/keys/query` endpoint under the `self_signing_key` and `user_signing_key` properties, respectively. The `user_signing_key` will only be included when a 
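Review bot: In the `@@ -99,6 +101,18` hunk the type of `signatures` is written as `({string: {stringg: string}})`; "stringg" should be "string". Minor style point in the same list: the `keys` bullet starts with lowercase "an object" while the other bullets start with a capital letter.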
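Review bot: The `@@ -113,8 +127,6` hunk removes the `usage` FIXME, but the surrounding context still says the keys are returned "under the `self_signing_key` and `user_signing_key` properties" of `/keys/query`, whereas PATCH 09 renamed the response property to `self_signing_keys` (a map keyed by user ID). The prose and the example now disagree; update the prose to the plural names and mention the per-user nesting.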
@@ -153,10 +165,22 @@ response: } ``` +Similarly, the federation endpoints `GET /user/keys/query` and +`POST /user/devices/{userId}` will include the self-signing key. + +In addition, Alice's homeserver will send a `m.signing_key_update` EDU to +servers that have users who share encrypted rooms with Alice. The `content` of +that EDU has the following properties: + +* `user_id` (string): Required. The user ID who owns the signing key +* `self_signing_key` (object): Required. The self-signing key, as above. + After uploading self-signing and user-signing keys, the user will show up in the `changed` property of the `device_lists` field of the sync result of any others users who share an encrypted room with that user. +#### Uploading signatures + Signatures of keys can be uploaded using `/keys/signatures/upload`. For example, Alice signs one of her devices (HIJKLMN), and Bob's self-signing key. @@ -258,6 +282,13 @@ response: } ``` +Similarly, the federation endpoints `GET /user/keys/query` and +`POST /user/devices/{userId}` will include the new signature. + +In addition, Alice's server will send an `m.device_list_update` EDU to servers +that have users who share encrypted rooms with Alice, updating her device to +include her new signature. + After Alice uploads a signature for Bob's user-signing key, her signature will be included in the results of the `/keys/query` request when Alice requests Bob's key: @@ -289,8 +320,6 @@ Bob's key: } ``` -FIXME: s2s stuff - ## Comparison with MSC1680 MSC1680 suffers from the fact that the attestation graph may be arbitrarily From 4e95f8062a8a493cb07a89fc53b5dfad9399507f Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Tue, 26 Mar 2019 16:51:46 -0400 Subject: [PATCH 11/21] add examples for federation endpoints --- proposals/1756-cross-signing.md | 52 +++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index 6d5ddd40248..68143b87846 100644 
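Review bot: In the `@@ -153,10 +165,22` hunk the federation endpoints appear to have their HTTP methods swapped: `GET /user/keys/query` and `POST /user/devices/{userId}` should be `POST /user/keys/query` and `GET /user/devices/{userId}`, which is also how the examples added in PATCH 11 label them. Same hunk, grammar: "a `m.signing_key_update` EDU" should be "an `m.signing_key_update` EDU", and the pre-existing "others users" typo in the context line is still there.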
--- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md @@ -168,6 +168,58 @@ response: Similarly, the federation endpoints `GET /user/keys/query` and `POST /user/devices/{userId}` will include the self-signing key. +`POST /keys/query` + +``` json +{ + "device_keys": { + "@alice:example.com": [] + } +} +``` + +response: + +``` json +{ + "device_keys": { + "@alice:example.com": { + // ... + } + }, + "self_signing_keys": { + "@alice:example.com": { + "user_id": "@alice:example.com", + "usage": ["self_signing"], + "keys": { + "ed25519:base64+self+signing+public+key": "base64+self+signing+public+key" + } + } + } +} +``` + +`GET /user/devices/%40alice%3Aexample.com` + +response: + +``` json +{ + "user_id": "@alice:example.com", + "stream_id": 5, + "devices": [ + // ... + ], + "self_signing_keys": { + "user_id": "@alice:example.com", + "usage": ["self_signing"], + "keys": { + "ed25519:base64+self+signing+public+key": "base64+self+signing+public+key" + } + } +} +``` + In addition, Alice's homeserver will send a `m.signing_key_update` EDU to servers that have users who share encrypted rooms with Alice. The `content` of that EDU has the following properties: From 2ae122903f1338ca82362dd89e196168164143e2 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> Date: Thu, 25 Apr 2019 20:49:58 -0400 Subject: [PATCH 12/21] Use the right name Co-Authored-By: uhoreg --- proposals/1756-cross-signing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index 68143b87846..1772105583e 100644 --- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md 
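Review bot: In the `@@ -168,6 +168,58` hunk the first example is headed `POST /keys/query`, but the sentence it illustrates names the federation endpoint `/user/keys/query`; the label should use the federation path so it is not confused with the client-server `/keys/query`. In the second example the `/user/devices/...` response uses the plural `self_signing_keys` for a single key object with no user-ID nesting, which differs from the `self_signing_keys` map used in the `/keys/query` response; a singular `self_signing_key` (which PATCH 13 later adopts) would be the consistent choice.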
@@ -48,7 +48,7 @@ key by using the new user-signing key. Otherwise, they will need to re-verify the other users. If a user's self-signing key is compromised, then the user will need to issue -both a new self-signing key and a new device-signing key. The user may sign +both a new self-signing key and a new user-signing key. The user may sign their new self-signing key with their old self-signing key, allowing other users who have verified the old self-signing key to automatically trust the new self-signing key if they wish to. Otherwise, the users will need to re-verify From 7bad359b0dd774aa8f41f117782d1c65c733a27d Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Mon, 20 May 2019 21:03:48 -0400 Subject: [PATCH 13/21] switch to the 3-key system, and some wording improvements --- proposals/1756-cross-signing.md | 221 +++++++++++++++++---------- proposals/images/1756-graph2.dot | 12 +- proposals/images/1756-graph2.dot.png | Bin 49417 -> 60244 bytes 3 files changed, 152 insertions(+), 81 deletions(-) diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index 1772105583e..5595b2b4d65 100644 --- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md 
@@ -19,49 +19,51 @@ MSC1680 is presented below. ## Proposal -Each user has a self-signing key pair that is used to sign their own devices, -and a user-signing key pair that is used to sign other users' signing keys. A -user's user-signing key is also signed by their own self-signing key. When one -user (e.g. Alice) verifies another user's (Bob's) identity, Alice will sign -Bob's self-signing key with her user-signing key. (This will mean that +Each user has three sets of key pairs: + +- a master cross-signing key pair that is used to identify themselves and to + sign their other cross-signing keys, +- a self-signing key pair that is used to sign their own devices, and +- a user-signing key pair that is used to sign other users' master keys. + +When one user (e.g. Alice) verifies another user's (Bob's) identity, Alice will +sign Bob's self-signing key with her user-signing key. (This will mean that verification methods will need to be modified to pass along the self-signing identity key.) Alice's device will trust Bob's device if: -- Alice's device is using a self-signing key that has signed her user-signing key, -- Alice's user-signing key has signed Bob's self-signing key, and +- Alice's device is using a master key that has signed her user-signing key, +- Alice's user-signing key has signed Bob's master key, +- Bob's master key has signed Bob's self-signing key, and - Bob's self-signing key has signed Bob's device key. ### Key security -A user's private half of their user-signing key pair may be kept unlocked on a -device, but their self-signing key should not; the private half of the -self-signing key pair should only be stored encrypted, requiring a passphrase -to access. By keeping the user-signing key unlocked, Alice can verify Bob's -identity and distribute signatures to all her devices without needing to enter -a passphrase to decrypt the key. 
- -If a user's device is compromised, they can issue a new user-signing key, -signed by their self-signing key, rendering the old user-signing key useless. -If they are certain that the old user-signing key has not yet been used by an -attacker, then they may also reissue signatures made by the old user-signing -key by using the new user-signing key. Otherwise, they will need to re-verify -the other users. - -If a user's self-signing key is compromised, then the user will need to issue -both a new self-signing key and a new user-signing key. The user may sign -their new self-signing key with their old self-signing key, allowing other -users who have verified the old self-signing key to automatically trust the new -self-signing key if they wish to. Otherwise, the users will need to re-verify -each other. - -The private halves of the user-signing key pair and self-signing key pair may -be stored encrypted on the server (possibly along with the megolm key backup) -so that they may be retrieved by new devices. FIXME: explain how to do this +A user's master key could allow an attacker to impersonate that user to other +users, or other users to that user. Thus clients must ensure that the private +part of the master key is treated securely. If clients do not have a secure +means of storing the master key (such as an secret storage system provided by +the operating system), then clients must not store the private part. If a user +changes their master key, clients of users that they communicate with must +notify their users about the change. + +A user's user-signing and self-signing keys are intended to be easily +replaceable if they are compromised by re-issuing a new key signed by the +user's master key and possibly by re-verifying devices or users. 
However, +doing so relies on the user being able to notice when their keys have been +compromised, and it involves extra work for the user, and so although clients +do not have to treat the private parts as sensitively as the master key, +clients should still make efforts to store the private part securely, or not +store it at all. Clients will need to balance the security of the keys with +the usability of signing users and devices when performing key verification. + +The private halves of a user's cross-signing keys be stored encrypted on the +server so that they may be retrieved by new devices. FIXME: explain how to do +this via MSC 1946 ### Signature distribution -Currently, users will only be allowed to see signatures made by their own -self-signing or user-signing keys, or signatures made by other users' +Currently, users will only be allowed to see signatures made by her own master, +self-signing or user-signing keys, or signatures made by other users' master or self-signing keys about their own devices. This is done in order to preserve the privacy of social connections. Future proposals may define mechanisms for distributing signatures to other users in order to allow for other web-of-trust 
@@ -71,19 +73,31 @@ use cases. #### Uploading signing keys -Public keys for the self-signing and user-signing keys are uploaded to the -servers using `/keys/device_signing/upload`. This endpoint requires [UI +Public keys for the cross-signing keys are uploaded to the servers using +`/keys/device_signing/upload`. This endpoint requires [UI Auth](https://matrix.org/docs/spec/client_server/r0.4.0.html#user-interactive-authentication-api). `POST /keys/device_signing/upload` ``` json { + "master_key": { + "user_id": "@alice:example.com", + "usage": ["master"], + "keys": { + "ed25519:base64+master+public+key": "base64+self+master+key", + } + }, "self_signing_key": { "user_id": "@alice:example.com", "usage": ["self_signing"], "keys": { "ed25519:base64+self+signing+public+key": "base64+self+signing+public+key", + }, + "signatures": { + "@alice:example.com": { + "ed25519:base64+master+public+key": "base64+signature" + } } }, "user_signing_key": { 
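Review bot: In the `@@ -71,19 +73,31` hunk the master key example uses mismatched placeholders: the entry `"ed25519:base64+master+public+key": "base64+self+master+key"` should have the value `base64+master+public+key`, since elsewhere in the document the value repeats the public key named in the key. The same example also has trailing commas inside both `keys` objects (`"...": "base64+self+master+key",` followed by `}` and likewise for the self-signing key), which makes the JSON invalid.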
@@ -94,24 +108,25 @@ Auth](https://matrix.org/docs/spec/client_server/r0.4.0.html#user-interactive-au "usage": ["user_signing"], "signatures": { "@alice:example.com": { - "ed25519:base64+self+signing+public+key": "base64+signature" + "ed25519:base64+master+public+key": "base64+signature" } } } } ``` -Self-signing and user-signing keys are JSON objects with the following +Cross-signing keys are JSON objects with the following properties: * `user_id` (string): The user who owns the key -* `usage` ([string]): Allowed uses for the key. Must be `["self_signing"]` for - self-signing keys, and `["user_signing"]` for user-signing keys. +* `usage` ([string]): Allowed uses for the key. Must contain `"master"` for + master keys, `"self_signing"` for self-signing keys, and `"user_signing"` + for user-signing keys. * `keys` ({string: string}): an object that must have one entry, whose name is "`ed25519:`" followed by the unpadded base64 encoding of the public key, and whose value is the unpadded base64 encoding of the public key. -* `signatures` ({string: {stringg: string}}): signatures of the key. A - user-signing key must be signed by the self-signing key. +* `signatures` ({string: {string: string}}): signatures of the key. A + self-signing or user-signing key must be signed by the master key. In order to ensure that there will be no collisions in the `signatures` property, the server must respond with an error (FIXME: what error?) if any of 
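Review bot: The `@@ -94,24 +108,25` hunk changes the `usage` wording from "Must be" to "Must contain", which now permits a key to carry several usages (e.g. both `"master"` and `"self_signing"`). The trust chain in the Proposal section treats the three roles as distinct keys, so the text should say whether a single key may hold multiple usages and, if not, that the server rejects such uploads. It would also help to say whether unknown `usage` values are an error or ignored.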
@@ -119,18 +134,14 @@ the uploaded public keys match an existing device ID for the user. Similarly, if a user attempts to log in specifying a device ID matching one of the signing keys, the server must respond with an error (FIXME: what error?). -If a user-signing key is uploaded, it must be signed by the current -self-signing key (or the self-signing key that is included in the request) +If a self-signing or user-signing key is uploaded, it must be signed by the +master key that is included in the request, or the current master key if no +master key is included. -If a previous self-signing key exists, then the new self-signing key must have -a `replaces` property whose value is the previous public self-signing key. -Otherwise the server must respond with an error (FIXME: what error?). The new -self-signing key may also be signed with the old self-signing key. - -After uploading self-signing and user-signing keys, they will be included under -the `/keys/query` endpoint under the `self_signing_key` and `user_signing_key` -properties, respectively. The `user_signing_key` will only be included when a -user requests their own keys. +After uploading cross-signing keys, they will be included under the +`/keys/query` endpoint under the `master_keys`, `self_signing_keys` and +`user_signing_keys` properties. The `user_signing_keys` property will only be +included when a user requests their own keys. `POST /keys/query` @@ -153,12 +164,26 @@ response: // ... } }, + "master_keys": { + "@alice:example.com": { + "user_id": "@alice:example.com", + "usage": ["master"], + "keys": { + "ed25519:base64+master+public+key": "base64+master+public+key" + } + } + }, "self_signing_keys": { "@alice:example.com": { "user_id": "@alice:example.com", "usage": ["self_signing"], "keys": { "ed25519:base64+self+signing+public+key": "base64+self+signing+public+key" + }, + "signatures": { + "@alice:example.com": { + "ed25519:base64+master+public+key": "base64+signature" + } } } } 
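Review bot: The `@@ -119,18 +134,14` hunk drops the `replaces` requirement and the associated error case, but adds no replacement rule for uploading a new master key when one already exists. The Key security section says clients "must notify their users about the change" of a master key, which presupposes a defined replacement flow; please state whether a second `master_key` upload is accepted via UI Auth, rejected, or must be signed by the old master key, and what happens to existing self-signing and user-signing signatures when it changes.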
@@ -166,7 +191,9 @@ response: ``` Similarly, the federation endpoints `GET /user/keys/query` and -`POST /user/devices/{userId}` will include the self-signing key. +`POST /user/devices/{userId}` will include the master and self-signing keys. +(It will not include the user-signing key because it is not intended to be +visible to other users.) `POST /keys/query` @@ -187,12 +214,26 @@ response: // ... } }, + "master_keys": { + "@alice:example.com": { + "user_id": "@alice:example.com", + "usage": ["master"], + "keys": { + "ed25519:base64+master+public+key": "base64+master+public+key" + } + } + }, "self_signing_keys": { "@alice:example.com": { "user_id": "@alice:example.com", "usage": ["self_signing"], "keys": { "ed25519:base64+self+signing+public+key": "base64+self+signing+public+key" + }, + "signatures": { + "@alice:example.com": { + "ed25519:base64+master+public+key": "base64+signature" + } } } } @@ -210,11 +251,23 @@ response: "devices": [ // ... ], - "self_signing_keys": { + "master_key": { + "user_id": "@alice:example.com", + "usage": ["master"], + "keys": { + "ed25519:base64+master+public+key": "base64+master+public+key" + } + }, + "self_signing_key": { "user_id": "@alice:example.com", "usage": ["self_signing"], "keys": { "ed25519:base64+self+signing+public+key": "base64+self+signing+public+key" + }, + "signatures": { + "@alice:example.com": { + "ed25519:base64+master+public+key": "base64+signature" + } } } } @@ -225,7 +278,8 @@ servers that have users who share encrypted rooms with Alice. The `content` of that EDU has the following properties: * `user_id` (string): Required. The user ID who owns the signing key -* `self_signing_key` (object): Required. The self-signing key, as above. +* `master_key` (object): The master key, as above. +* `self_signing_key` (object): The self-signing key, as above. After uploading self-signing and user-signing keys, the user will show up in the `changed` property of the `device_lists` field of the sync result of any 
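Review bot: In the `@@ -225,7 +278,8` hunk `master_key` and `self_signing_key` lose the "Required" marker, so the EDU can now omit either one, but the semantics of an absent field are not stated. A receiving server needs to know whether a missing `self_signing_key` means "unchanged" or "deleted"; please spell that out, and say that at least one of the two must be present.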
@@ -235,7 +289,8 @@ others users who share an encrypted room with that user. Signatures of keys can be uploaded using `/keys/signatures/upload`. -For example, Alice signs one of her devices (HIJKLMN), and Bob's self-signing key. +For example, Alice signs one of her devices (HIJKLMN) (using her self-signing +key), and signs Bob's master key (using her user-signing key). `POST /keys/signatures/upload` @@ -255,7 +310,7 @@ For example, Alice signs one of her devices (HIJKLMN), and Bob's self-signing ke }, "signatures": { "@alice:example.com": { - "ed25519:base64+user+signing+public+key": "base64+signature+of+HIJKLMN" + "ed25519:base64+self+signing+public+key": "base64+signature+of+HIJKLMN" } } } @@ -264,12 +319,12 @@ For example, Alice signs one of her devices (HIJKLMN), and Bob's self-signing ke "bobs+base64+self+signing+public+key": { "user_id": "@bob:example.com", "keys": { - "ed25519:bobs+base64+self+signing+public+key": "bobs+base64+self+signing+public+key" + "ed25519:bobs+base64+master+public+key": "bobs+base64+master+public+key" }, - "usage": ["self_signing"], + "usage": ["master"], "signatures": { "@alice:example.com": { - "ed25519:base64+user+signing+public+key": "base64+signature+of+bobs+self+signing+key" + "ed25519:base64+user+signing+public+key": "base64+signature+of+bobs+master+key" } } } @@ -313,7 +368,7 @@ response: "signatures": { "@alice:example.com": { "ed25519:HIJKLMN": "base64+self+signature", - "ed25519:base64+user+signing+public+key": "base64+signature+of+HIJKLMN" + "ed25519:base64+self+signing+public+key": "base64+signature+of+HIJKLMN" } }, "unsigned": { 
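Review bot: In the `@@ -264,12 +319,12` hunk the object for Bob's key is still keyed as `"bobs+base64+self+signing+public+key": {` while its contents were changed to `ed25519:bobs+base64+master+public+key` with `"usage": ["master"]`. The outer key should be `bobs+base64+master+public+key` to match, since the signature now targets Bob's master key rather than his self-signing key.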
@@ -322,12 +377,22 @@ response: } } }, - "self_signing_keys": { - "@alice:example.com": { - "user_id": "@alice:example.com", - "usage": ["self_signing"], - "keys": { - "ed25519:base64+self+signing+public+key": "base64+self+signing+public+key", + "master_key": { + "user_id": "@alice:example.com", + "usage": ["master"], + "keys": { + "ed25519:base64+master+public+key": "base64+master+public+key" + } + }, + "self_signing_key": { + "user_id": "@alice:example.com", + "usage": ["self_signing"], + "keys": { + "ed25519:base64+self+signing+public+key": "base64+self+signing+public+key" + }, + "signatures": { + "@alice:example.com": { + "ed25519:base64+master+public+key": "base64+signature" } } } @@ -343,7 +408,7 @@ include her new signature. After Alice uploads a signature for Bob's user-signing key, her signature will be included in the results of the `/keys/query` request when Alice requests -Bob's key: +Bob's key, but will not be included when anyone else requests Bob's key: `GET /keys/query` @@ -355,16 +420,16 @@ Bob's key: // ... } }, - "self_signing_keys": { + "master_keys": { "@bob:example.com": { "user_id": "@bob:example.com", "keys": { - "ed25519:bobs+base64+self+signing+public+key": "bobs+base64+self+signing+public+key" + "ed25519:bobs+base64+master+public+key": "bobs+base64+master+public+key" }, - "usage": ["self_signing"], + "usage": ["master"], "signatures": { "@alice:example.com": { - "ed25519:base64+user+signing+public+key": "base64+signature+of+bobs+self+signing+key" + "ed25519:base64+user+signing+public+key": "base64+signature+of+bobs+master+key" } } } 
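Review bot: The `@@ -322,12 +377,22` hunk switches this response from `"self_signing_keys": {"@alice:example.com": {...}}` to flat singular `master_key` / `self_signing_key` objects. The `/keys/query` responses earlier in this patch use the plural maps keyed by user ID (`master_keys`, `self_signing_keys`); if this example is still a `/keys/query` response, it should keep that shape, and if it is meant to show a different endpoint, the heading above it should say which.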
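Review bot: In the `@@ -343,7 +408,7` hunk the context line "After Alice uploads a signature for Bob's user-signing key" no longer matches the example that follows, which shows her signature on Bob's `master_keys` entry; it should read "Bob's master key". The example heading `GET /keys/query` also disagrees with the `POST /keys/query` used for the same endpoint earlier in the document.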
@@ -414,11 +479,13 @@ user-signing key must be re-issued. ## Security considerations -This proposal relies on servers to communicate when self-signing or -user-signing keys are deleted and replaced. An attacker who is able to both -steal a user's device and control their homeserver could prevent that device -from being marked as untrusted. +This proposal relies on servers to communicate when cross-signing keys are +deleted and replaced. An attacker who is able to both steal a user's device +and control their homeserver could prevent that device from being marked as +untrusted. ## Conclusion -This proposal presents an alternative cross-signing mechanism to MSC1680. +This proposal presents an alternative cross-signing mechanism to MSC1680, +allowing users to trust another user's devices without needing to verify each +one individually. diff --git a/proposals/images/1756-graph2.dot b/proposals/images/1756-graph2.dot index 8eaa1df84a0..a8074125ca9 100644 --- a/proposals/images/1756-graph2.dot +++ b/proposals/images/1756-graph2.dot @@ -1,18 +1,22 @@ digraph { A1 [label="A's PDP-11"] A2 [label="A's Osborne 2"] +AM [label="A's master key"] AS [label="A's self-signing key"] AU [label="A's user-signing key"] +BM [label="B's master key"] BU [label="B's user-signing key"] BS [label="B's self-signing key"] B1 [label="B's Dynabook"] B2 [label="B's VAX"] AS -> A1 AS -> A2 -AS -> AU -AU -> BS -BS -> BU -BU -> AS +AM -> AS +AM -> AU +AU -> BM +BM -> BS +BM -> BU +BU -> AM BS -> B1 BS -> B2 } 
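Review bot: In the `@@ -414,11 +479,13` hunk the Security considerations still say the proposal "relies on servers to communicate when cross-signing keys are deleted and replaced", but this patch removed the only replacement mechanism (`replaces`) without adding another, and no deletion endpoint is described anywhere in the diff. Either document the replacement/deletion flow or reword this paragraph; it would also be worth noting here that a homeserver that withholds a new master key (not only a device-list change) can keep a compromised key trusted.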
diff --git a/proposals/images/1756-graph2.dot.png b/proposals/images/1756-graph2.dot.png index 3af9270f094b2361858930630945b05e40b2c6fd..e7591f0471c22dda586767c61b87eeab2c0c8f89 100644 GIT binary patch literal 60244
zy3oagB)L2h;D?|B;a0iuI)k}*rT|VMym14N6qeI&W-xaPTLA2A!oSiWkRTX1iX}k& zneXbxmaKemcx$JjwzhVA7>G==pNPja@lw!)nD>p9pT zIMLX`q@}N2{y4Ku1x}^}C6Dc$2FQ-^cl0)>;3@IoAnYjczv00-!g!uR7-?)|Lx=Zm zjP;hx33%^N|M&z2siD-e{OPGm+!$pJHIh&X*xm~3#;M=GE3F$hXzC5IGuF7_{6TrG zT*w_~_pbVh%~ZHHf2#0JYU)l9*Ofj_eZPV3T|Z64fVyE~V!}Z!y(4n+(m98T?Z?kY zh8{V4HVE-Y_~6Z()!pMGBKUb`!Paqx#br70#~-t_eCeEAkePW@|NI+gZCzbX-R2`F zPx_%B!I`OOMi|4X_ie&B{N$78&s70RA{S%9wqW^yS{U~JL~v?dG0$H+6bETw#{F8* zf~=sR>il&03{h4JDx-EO&va97QgmHAG&H2>+RE>; zd3$C}8!O#PKxB1b1P~0w*f%_EAznqSlIUxo>X@LtCRRYC%9L}Cp*DhIV$9?|IyxG# zGUCN66K#+s1L>{s_xH%k{(cgcB438ijFp>P^qOk>%wsMJyq6U;jqp$q4;N@;|Rn=8{Gwc!IL$F*) z(A;p&pxWGk5J8yM71Xpg+&KrfA^l-7&~^oYg6aMcFORC|0}?BDNxCTG!8V0tMSz4p zbkcxItbYbzFv523#cE4SOWQa)5(XE*DZe7?As7e~fC(&>FIab=&jB@cX%|`0f8@$Q z=((=Hw-a@PEx^diitu-(uqy&d9Uo)~c>d%`NytVS8>nMYF$v5^W+jGIPzykFbWTox zc#2yql zrm0Cy0Rp@(VOmvEQ?nY<6!9QcZ(D8t154{47+8jvhXXMH;Yi>!Y?-7z0+MWasuv;W zHoZeZQIYs8gEvS80w+$Q{ZKdwID;#7qbV(cdju=d-P`xs% zN(I4)kT`JuaqYgu(#*PfyPVtxKPK)nEJS!z)G81N2jljz!mfA&td+;UAO~6WeS4sJ zBOv_1^#P6$WD9z}3JeCg%KEEnxdjDD03^1ywjFj->n8M`y!};!yz(JIF$lDM-~8+( z+8^Qu?fLf22k7Oa7UxhV>Fl_XdUX0#pr$iGR> zfeyw_vM;!y1lU=C>xLkuA!!gpWTD6v;EV;Vs(?kbyRYx&ddZ76(udHRyCDlyBE3jh zcPi-Y3fBn=98MU-G7}>adY2;r>o_;0NySA{jt$?kO2P2}&#wxPW+;zhAhF6#^w-Qx zHR<;B_Lf~OY}P|&R$iQ;R$iKyMB+fc@RPOwZnQW*i+g>Oa(zTxdUkddEc@ba z)5BJ_M=2_u$HAv8E{uBiAtJ%pmF9F^3&Pvma6i8XXzBi^!-+f#05h7ZF;JAH@GpXc zbl48ZajEChoFO4K0G($3{!Bw3AIBuSFbmnlcBpYPT*@EiCXyRyHY^TSp%jdh1%vCC zsNQ+@0|X23^73v^uh|Hb0esSgwcTo6+0byr{fjitTWz8;Z(ntoCemti14SY6d#2N< z0ig)dgIAO11md#j$iK73qA@l9Kq8O4;|`rfrI1gbjw5%&ZMh1KYbltN&7ISnhVIu1 zwbNB>*lQV)dNXj?YCBqc4h{}tTuwb#z{1VV$jltZ3q~dl1b)yTFoIkgH}+wp zxMQ@1*!UrofQ{V?5;1a)%akw|tSl@PNl8iM@rOl4i?7>Y%v=ekaP!d;?TMBp2gEv5 zO(XKoVq#IwZrr7{wG70z0}TV%lyL1}MeWbnz^YaX4hyh9TGEUO5GLL3+dG}{3;iEj z{POmCIwCMsGTEg?WH$HnYO+%(+&Cq#UHs-_u&$2c0a<25R`B~B4;%B z7eQL)K$;+`5R3?<>wwJHY^93E87M3~GV)4V3%A{{XACT|7eB;p8+Xj@?(X)&^I3Ei zaTEO~DCoeeV!zO3Yc7`r6*wcUg9j_nCCb-LxW&I_w!i+@VF26g2ad>OwDS!eBcspF 
zo76Z&o4<4dD-y5|o+9A&zI-l?e8%g0OCIaQze9mK1z^~08#CJwu=!-pBf*NNNH(CdhZgXQFB zx5K6JpzZKChw&}=TaVEQpU@HWL`7NYX?4JO^BqNh^(MKDwkI*p4(tGyoF@it>t3+?# zOJpHH72u*OBni?4uUfSVvmRNl!`Z{lcc*Oc0^%zxCg88bpC3(V+lamjR{COXG=IeC zIV1z(EosTWdZmCj)?r_JXmaHAVNjLC687Ws^Ssc;?Fi^;SemQ2Okosdpd8r0-*rd{ zn>!3EQm{l7W}T|g<#ajEK{tNoF*l9bDfR%h+Q!CPzen1l(1S}>aUIanv64QAw6g_4 z{HtKJb&Bik6=f-@J1_O~Zmlr#T%1jDo`V#-3vV`!kr~_!f{hU+IzFCz4yWQ2ns@uF zS1(XnKu@1WPjukm!Sf(dF4}*uHUHgW`87>+Bk<*q)fS+H~|0%X6JmE{mwd>vN7bfCJT zEX!0V>UW8qTcFy?eP3u$P~_Y3HdW0jh$U3|_{9*(h&?fp9o+3j9vh)ZEDI<5gB*Xguf~BLA0;%jlvE`Q zhVa0*_9~G%1}CTLEs5?_&@j=rV(8}iXB^sve`e!V_!TkML$FlE$kyGR=hnEm%sRRR zr@d=yeCjysu7p?=Ui9cLxeiu*ua#9Q+@dadV!y17jJ)7iFZypGifa)>5Ld2mJN9^Y z-W$>S9B|jrD~WXjn)*r#RH8u4OuT+N5-JUm1JGHkzXc|jk6=pTU2%R8MrB{FLJF-1*%&q+)Ga7bCUDZTf}UNlE^A-gRF)AWEsHobLUZ zNbIBFL80=P0@ZU#n0PyXa7Isi4cHLs}VSGB&rHjZ#kzrne#sReM56|HTEetwBaEvTigiD(!g~h zG3^PlvGjt1g2U~3?8IVk%WaJYmEca?wu(50dwQ-XCkp}OJ*mt-(`JB2#c={*cat1M zkHDay2ag_o{$4E!w|yNy(iHJ`l?flhU2p z3lNTZNK1o84iip7iW|I5&(h&MuT{|WuYpe~ODS7^4}nESk%5EtK>rMkzQkqYBUUs+1w95}B0@_(**+;^ z*vhE4A^>AdYWn({nvcYg^#x%LYcUze#3;cGRBx!%Ll^(h`>3FxQ8{1B^p1|^60bVL zt?l}C8kPg2U}MOPho);je5eA5Ia^oHb;U6j4HzWv7=3V~2J&KK^A-DGzRh*}vs2ot z-5;s2=y&x{TAyWGRAeM+3^4gqA(BCHemUUwf8E(~9hs3KC@>_z(M#>`pMeYr`_Uf9 z;b^tcC26@#X6pK&R)8>JvlB1Tl&h+ii-gUhu>74`n!2sTNWpAmNv>^QtK~bR14IX^ z;$qsghc81~Yd}NYQAQklMC^~aqqW03Ywgt-wn|O4dTw6{5od*h@^g~|G$ZJED#J7( zC*d||M=W2z`I3!6g>pFEZ2&I|Q6Ki$bbC364&j)tpr9?Jc%gwEAKy?v{ik`8C6E$}a z#eCTR@_1irn(Vmr5{{Lw;??S(L3xf=_EeI#X!&^lnx)yt z1`lvA8=&#FV7LXm^Eh1Pm=Pn06l8~(;>ELzzc$d%WG5)aq3#YhkvYM8l4j}f(+6aO zeD_5^(hXE*p5YnJ<8{;eEZb@*5@smR7RVaE0`hWm;Z^VKOgLBQ z907|t$oYF9C1zwV6~colp_EvU_x%cHhKn+dWlD#9`3jx1B#25{FAoSf!(cw@LObp* zs0lQPv{~2uf1TtWMN2h+p*}u7um85&4Z$yXka!Hu7ItjiYJ@$oK$rU>J6rFeF{0?Gql6wGM!%lE}$rHf;>Vx z!X#fXSUoap5G+CdN=Lp&_w4OWz)`p_9Svyj?tvk0`uzDqX=&*TI5~f6_49(L0Q|7+(;xvw zAR(ldTJ)}UdM{4#D+Qf#vQXZ>J@E9IGrQn_k-qftzRp#)N7#k$KYnai66p@w(lxjh z1h@&1tPx(tqB3wDw*gDIjH*Yz{WM9v(&mjq!kaf&;(Dbu4v;&xW8A^L-mCq8ya2Ue 
z7Y3NDV{HNhhkrfG%DVmXRK|^QX9a1G9;r?KqK%Nuv`71aDp>@ zut75iff|U4bTC?c1vtvFiHV1g%C&MzxysQ2vEpgqWPzY|mtR#-5z@f71u!m*(nlfojVdnTLowd!K^#aSuZ|Uet^M$U z@YKKqt1tqT+Q(9pBv6n-X5uiUPL=?@1mdW?ql0@X?9E(gP;cwps>Rc;s~&AV^lZQ8 z;lSPN4wtaG2{dq-26R3T(6(|nnW*T$eDI-6OvPGuDH-AHjb{&!UskiwT6b9P5`}f> zeq-CtxrK!u>wyT$ns>iSTsza6i@Zc76Flcc^ad&@jIjK0!xb+r%A;uAhwB`EehjjegWg4ZjmvzO-#)pC$V>o` z;C_g51x7~|{Q+DO(Mle2#AO5YU1U1(4By~DAL9?n7sukTp&>K!7Yt3dmMx{F*GKk9 z7NQY{<}}bcSsBDhR2+tl(hTII2S^>_7v8OfMm@p(`(6jeHbCR-@%X!&5K>N?H1bbH z)G4fI#h48v1ne@Xe(+ibfu&T1u@#Oc%r1N7EyVoI^!Rbq`i=}}Mkzru%dkpO^m_=yhw#uLi@+{xNY1H%~wxD3{zMOG} z@;cD+kdiSROuU|5wp>HT>e7OWx60-~q7a=Of-@=*#IXA~MHmYrgft`;GFAjSiCAMm z`4=TgE+j*u0)pF$@5!J^|G!3o-O|!j6j*?Axy7}ON4mR9*8EsO93nDS?L-#tmGXwFOfV|mhmktRx=RE7;>p7U-@o?) zUQ)a;lv9Gof?5snus75|}5`QYs;afP< z(~cD8G`)+KmUZhoZpGsEP^O^$S5Fog2_Z1Z_jfQfnHqh!9Se;iDQXH@Cm87l*6hMU zqwm4g()9&Trd^QBu>$QMZY94ZPA#W(`_cNts&22IgHN5H@RLy{knCU};;S8(Ht1Yj0s@R{h$%<_Oal?M8VJ%cLa)U-C{z>8>GOg_bts zRJ-K^;XE|__VoaKUQo8N%?~U#1b_%7lTM&hU^Mtz^J3vXf`M3D}tSz2}sDS@IwZX-Zp?i>=Vl`99R3na*{AxLBIJMhz7lYA@y zdA4WIeoS4Ur=U&1UXEs|P7dmlz1b)ooZ?i&Kr0a8FY=w(RWO(Hv;>xdY6vh5n4=rI zN`8VH!=Z`S&6^gPU1*qo{_-VpzmP$qlP8__8ZM-zA$Ibl_2GO#3!~%N45182OkYCO zya^<7Untvtl9jPTeyA?X2ZS4I8VrE}CI^f`4h+RBk?&EAy%R|@!pBwIHI0*RuKOB1 zk12FjjG`jF$$69#2!mPximDVY@w{pvKt8sB{Bw8v-=9Iw#_NNC@WQ*Yd+v8|QVHA3 zH|Tgt&E8%T+DCqSS4+#=-}9`jU?JV+w{ZmJ{h7SP-*Ig6?pl5f&HX%{1zS+r+qeD& z^#Cr|WedmE8W$ms<|PT?9e!p}&s-|FJO2Xp8mTPjeIqQ=tr;kH&3Y&Bbt{nK*z8N@ z=C;arZr_#*;l_mdXm+*Up+hg*?pcy2j>A75wcb>2(}Eg+GJi2L%$`E z${HS>vaquH?s`K=8KZ#mzvrc8WJvvg`SPXyzV=U_ym9z{4J6TIXbJsjWM@!_lRjjZ z*_9+@I8#z?l8-G##NcxWqf_ci_ySGp;i&oJ$QWpYPz=cE*o6z%qWvh!pjV!$Ts+Jc6AaLBoZ8&##C03Le4&N0li1Nuy}rDz%QkxP zkKa7QDN`;Aau#epRUlF_&eyQPhQS;|wb9u*6W^2JMAE5tTI*}fr4a}Ro&;D?AgD=h zp9nU+^OAP^gxJVuU2JS^_u)Lkc7ig+WW`lw1fR?e;B21iW0DNz;uHM%N()THgX4u% z7i|EEBnK~Cyhv=D7%eM@hzswd!jlxWHLF+egMNX5iP_LHafWiOBj_#=nwZ6U=d@O1 z4ZsP*8JL8@h*VINb#lbd2b zlhB}OYwon=sjI4}eEjmo7foeR68Y&-n7BzC!Ul|m9Wo{O6c7 
zJ!iGkqca}OTRFby!nod;%QwOvhI<%+h&iU~Nc6QTyzAbe;9zfj`9LRL&Ii5=GK7I1 z$G!Si0J^MsNWJdWMp&ZcS~zrpl)lN+{(D?4Fm8nHGH~vpf$^G8M1)vv`{eH)#MCSw zoGI`=ppce}GYG0f-h~9J=H@0(?plGnmdJv?##ac)+#H-3WV8_WU))s|>^)KdBY28U)Pp?9Tb~M&Nwht9wHrc46$LCD#HmC@TY{ z5Pe4mzo4D(x~~kQ{&Zw|3b+SuRsxt|9Nc%{K+x!=LV8>b&KRV^nSY@au$RxMFY_DO zXoGJUbiyY&PQALwNWN4BncdmVZIb&+34~j9e54KHTh)I-Ulqn12Dev{srZ6F?kI-l zJlm>c4f&+Y=g<6@e>sI@ibzm0*v2IcSKmV)=JI4ZlM?%t(^(U=H# z@ENH=$^wX<4V5xFl%Q}AS1uQ~vqA)e$v4s5`Hc>bc@N}GDNvY%Rr?+iR*>E7T(qYa zIdHZBOu<8i{aeu6m<1%<07manBmS-?zlD2@Om>lv0}vIPG-!w;+;8hj8X5q{6%7py z_{$^?-ZnKw{yx9_lt+n`5FC;TU^^&Ub$s^WOX@j#8k+2(-*@2^g;%5{oR#dv0N8u1 z8-#^1#O$gUjmF97Pb2}pmPffkh>&ly5s)PR<^I~`Y_OGu6`2}8-Znlqw%62D5T>UZ zr?roH(}CWdh~^98k9_0`n<0qc!{^Pu8q5T}BH>(J)f z1jUW8k&;30u8e;2nE$bJ{V#t7fH}mMC`z3emfzCl^8ZS;n4AkAJ!K~%B(xIlCiGALov_XDwgI82 zpw8ojnc;*zu1D;Vp&IyPh#rqmoM6z=3l*oUp}!R_rJmv8THjz~l(!kcQ54F?T>`7{ zxKrBLMOc>zu}O+18PFv7>WjUgkdXJk$U6uQ1=St$MZf%-$zbxUz{6WBU=Sd|2g5h! z)3`~bWBs}s5=8K#fY6m__5SB{!5#%$#7tnK5qMB;XG5pkkHYj0 zVqoJgR0qLo>?F2?yraWUgbtVFMF#Tu13XnP%vkVbb<1;1N6dy6u~x*~ zc{>ncG$aOPG8b(fDm-37fqHWhwK(+woPHuJk@+_~dpSrr@^MC|9p72WG#>`pFl-52 z695vY2l0+?W9-FYLUou8eJgI4l99oR?@SCk7~&IF6ttMHn-&1mU_iWkT3TaK%lAC= zbAqP^cGotUs7sdz1P51iEl$he9FZZvXjo9XBBF~4ZiW*W=#qS{0tguKzIW@|8~)-z zAz(~`^?wWwdclUCqZx#>&^$CsgawEmnSoVr`SEEv;3o2!0oWV>q$h8;*s#+6uk0SQ zu7#R>0DZ zVCH8-D;-b>*Av-$?OL8L{ohkl=WqKPC+K45Zu$iyCT=9!cC*wN`5MbQgKYV+jm{aS2AW`x5yv)41D8- zzKr=P*Y{aAP~Ia)1cAwSoXMiwzu%&9=VQ;7mKKsLcKK%roMj?kv&5)7g@@xTQQI*I zLP4Ho1Vh!5Yb!_;M^qj-Dks-RxzHj(|C+XW4TKt76lQ#$Od^RD&+mdzDc2#kcForp z0tbtCp)JJQ%J9ld&ZG;th5sBJgzIb%us=GM6`*Y3AzS`76B=f5nb~K?a=2!JKg4ZnGHzb|DK|FYvd~_2_*4~A~3Wi!cY~X-+ zZPP9(DRscnE{W)riooH0I{>5%-N$K=?DG{KgIL1YQz7P!bmRVptar!kTrhUuwokdz zL?X5f>!F6PQ{Fjg(Bo_QIw$AV1A*Y-LeT#GOOKm|vtYPe2+ zh4mA;gb265K`R618^HUTz$jCN$9V$Y6@00No7qbd!P!U1m5R(1Cg(KypN#S;%`|M zd}(aFfh8?alb_VT<=&|b&pz5T{CX%`bhVEPc%(9r+~n(*KqAoAzkIvYm}IGgxdWU{ zcuc(U$MUP=ht`4qKn&vhxEVwItN2&ce0}6iK4pPvHR6y)9wgZm&1Fj0PlO>l;6wIX 
z7|At&%F)`PvBK9s{NWie21D6Cif$aW1TkiwR()s`)!uWit;@BL>h}3TFDMaU{77zs zzYWPzaoVmV*dn0P1PAFMb`dut^Yc#N>q&?7$LZKHb~H2v!<7B8+1b*-kT5y;U_tSr zLkjTnIV(bH;LO~+cRETS!Fc8{zF9)3lRI~MprGJd24Tt=miXA(8i*F*-bLJpOr@i& z5epioRq#>KtR~%>I&{nbQ44dMJU@^TLom%SIE*-Cib`&sm)IIK3}*o$LjO%l5%vk& zZ3FsRN0A9}NnGvt>IBrt+%9BReB*)UKX&Ec%oB0-xK0Z#{&hm30F#wlyjgJr82C#T z7X7YOo8R=IktKBuLq9lGhv8<1bb=nz)+ZAvg3KBI`_^*V|Do#4!*brgy?@h|Q05_$ zlz9rtR0)|v)HYKQWr!kDks^{QbI6p6NM;cwC50qJA(a#v8l(&*kW%wxjbK$fY(SiG`AWLJoA0!|v0^5^Z_d6?-=@bU%dLL{~FJ5uhb@n0$zHDMXl17Z`9h}FO$ z_^M>@hVqMnCwG-wbm`d9hJeZJ@>N4CJ;h@4;>9%CkZd935^n zdK5SKyiXLs({J<+m8RhR4j0j;p$s1a9Kh6Gn# zpR6GuIS!ubE3+~);}I{TCSvt}_?g|uvs3f>0H&K*pz~no{yxeU88iu^0H#wy`n?gB z8WseBPy%Q(Ri)Th&@bXQscAy&!t9qW9ldm^u3+Lc@?bP4u3bBzv3Ut-FfAdHW=WYw zBV>JH*uC#sf1PARNonJ-MrS7F4(b+#g4$8^uhWf;XPJg4L^oQK`R&`cFYsX)@dBff z4mH5E1~e_kAp9tZGqDA10Fq&gZ7a#&zHjQZX>SGAN2NqhkbX!oAsTN~9m^dbAc*YI z&e6d^x$Lq1y0aH9e7@Rm(u^7RBQCRT6}hqF+5Azi5FZC?WozG6fDR_$_t`S=^(t?= zu$)p$JAh;%m1!)AP8f>IPn8V-yCyN4V!*}*@g_I7)XMy8&g<6=*AG+h$AD$%Pn0mo zQh|*S&Zb8XA!1O|a|Xnd06__B)5XA8wl{Uy)sgWN-?Hz0HgB%`V|Co7;c82Pka(_=LGb4yj9Qd$Hv(v# ziXYHJqfHFhRMgk}Bdo%!$G#x}^X=>;r9LY|O)Im>MXkL=Dd0c7=8zFj zH@VEt($0+t0qQhVeiBv0c|eL!!#Q*2h=3VJnWr#+;gj-zsREHGZ=rsYTqbd7gJGk& z>bs`gflK7_h%e^CE7DvZ9lEX^M4Sm_h_D0%f})E~V6{*M@p+y($0T&=Asd@83p$hk zylMPZDaLpd;CiD0wBXNXF8iQ(!6k`?dqto*W-~5rajuaK=k~3%)Mm291NA1s9H|&g z@|Hr*3?pR{8zsD3qG#{u$jD2_kBmWqB5-?oNluD<Ar zlO{FI%*tZr#YF((_vT#us=2>llSS8&@P0fqiF-zTBj+-pzBsWPtE+E;%CCW4%c8=` z`j%9oR=sD_9H$LT?GgU%>(^3}1?D34$3VIXO)z<#yMUXUz(1wV=#;iY?3jFAXf@yn zFIs8(6>&CzF#L)#SWHW`fwwERKY1e5?{f9ce#-ls=p58f$&$980#=>{wZ1TK1Wm1a z?S;P1A4nIM4`nTgx8(3v&N2x4srlG$}m3S&Pcmk36=02Z3XMUGHYT}-hpewXC z3!$ML;|$5=X;XFvHT) zmIGPjB!G@TcXss`E51NoXg~x7`_RZ@D7aV<9m!rU$gwkL9-@2bW?*ob+NRR>%l784 zZm#wdKY*UTen-CEEVMZ-nl~@iJez|hI}N#}IR#V~KJ8(n)q2S5BwM{==e_&GaPc_4 zytJOpZ3V9E;H%3~oH-oW*fI-0r0ittO9g0SZu6q%r#{sOPYzIRs=YB`Gl2$aEoROK<{nM?Nh z`6amNM>)N{Q?K?gO7oh>T(HgI@(eSyZk@ST;eSF{Sz9QkD-GLr7=aIpe$^Cd6lto% 
zQ7i`CyEi)4wrm?83(dyY^776Ki8R}`eS1e59)7igt00(&>@>XWrlUsr5V$yz62c>~ z%_XX`{LsL)$LVYQxaS`o>bDs&aLP^#y^?j%cpVF zUO#NuvYTI&nNL!x8RiGb>|Pv^ZrZ-F1-TDk7GE^CwzdNkEY7(VNHMhtZ`M^bTpwfo z2M`yIt{oryR`Bgd20--UVp|$L3&cD7*1EtFQ}1!;L~8|My9HqIOpDfuj)@6CRXf0@ zf$nJccG;KPbhSOQ?pN`^Hq5LbZsI9rM8(bo)fFuC?;s0%*@LY8`wfpMn=^(8(AQmQPkMa)IZS7&z*zwd2{c6sR4lvpf;?|6ohvgMIhb8|k$TU_<;lhi(?sKtgruU_j;l|;{k*18}YTdl0<7Dt3LnoC|9%@Sj;wI6N3>$Pt-d6 zfscLKsbI+7tVF0^NjgO8UcNdCkE0LC>x4~FQggYe;BpYe0Waim7KTAPmr)3Nw;C+}Zbtw1hIkggpC{j*jF@0t2>UDurkt%$o>-vHX^(M`yQ8Q~PjZWS(%8Lz9SSdf z&$)v>qphHlm}0qt?%Tysa*HJ$$69=Rd@1)rl3k1k9b-I~Gd!+je?Yj5D~{KJj$Va& zGAiYn7???WDlISH1eb^eGkK!nrmE+s-X#T(*o%eTN%o?2JSAgV4l#+9H3FN3!iv=^X6}8oz1}m_8mUl{YshfxXi4MPZJyy z8ISPi&yQPfhtG(1*>3UTaimNir(Ex%JEm*%z3@|bgon7ajP>~W-k(-#G;+=Uq@W!D z@?<|hK{+=6ur0z#Ic>n*^sF!T95s6MUTR!q&8MelOK#Pd^7cH+(T)N;e=YL1o?iDmhU9^VcT+wuV6}g8enDgDJ^DmeJ zeoa>$9g_p=w`|EjfBm%%r4Rj6hhU4B#m>O-`A9I#BYtBd_EYQ*44f1C%Xiy06@?l- zC+O{vRi$2vm6qpN98Z#a-!fC=Ur8}8`W7A-LeH?Z&dO!S(sHQclXxgpMZNvXKtse@ zNyYueAYuL0>q)e8TofI(v;voE?eg{QptuTbKf70Nef^bBT4b=(nyah74D$rDki(o% z$x$Cx$Nv1F(NyK1l>|o}x@egRsWO}k^Qyd2hUYOJC?gwwPASSSa5{}#h$7U2y$Q*h*lxg7 z3yU~N^SO3*8^O9z)hra$C$8(Krxy>5Bk@;Q7fd}pK|f{ok7Nyk&&`6x z-`Vq85`E=ykOJ<@{PN|0TcNkqBNV)!C!et8a5{Zb2g` z>2x`3e>q-Hu|!Eru7pCtxw?wm>XJ**w1-CrH{&2&d&VUPy&-i20dd|34!mdn4p>WsEl2b)dFNs~R>P_Wvkl;gFbSDN`NwX3k zUz=_r4j39Gk=#}?7zu2I2^^oUdg#PUq~5Kn;$^6Q&!zGBGdy^t5cqM1n)982dVZFuRbKx4g*kZvY)3-lb*fb50jM3ikEG2H!ITl=j$c63rq(!6+UVM@D6)2D}mK!lw?F)$=%0!4IV1!vWo zPkL^jUJh3*g55Ef|S79!Wa46*SR&LJE?@bj%7b-=pOUsgOUY|JpKf-g|dnpu~)k#8C5Itc^jeBFlR1a>_Wd9e(l;R9D|d|JEG3n z4Zt?j($dYnijac>QTqIGb#Xa~T)eD%GOb-wYHE1e*LLYG-4`!pjc3PRztynSOtuj2 ztLXG1znjX#LW`_Hivi1~@2WnPO6zqW$FADe{M%(`&^pnMZtjS}!pv;@ z!!+CrX+199jIZ(}I->S43aFAV{egPrx}tty8Mhgu+ifE#Ubn7Yw@`T|acOe+n~S{U zSo#qi%e{TOc0J8OxOe?*JKwwW^!oG(;-!pRTy&7Me6gG^PA*ZK>EH)vsI4&ny}@_O zmiCHwpFjV(<3g(4-mP25hNfc{{`ij<4ES(R^^mZzu|U;D-;W|SXsXD>BGaS^5whDA zPY6iKC|FIEWLzuP)p$$0&)dlf-MgjTu}_9f-I&^QtA-cvK7K^KJ{}!d4Kb7gE0c- 
zG*eL4=YIah5~`=jj$G~?y$pctpP;m@ZYX#PS6+C8!k-fVEpPU$Ii%IE}IkS4U7Wto|=-Z7yZPlYb7UyS0Y&+ZU z;P5;Le_NluBgTPLRz08jdWj5yqV$Nm#lffwMk+o_QAttAMc*6^HUN9Qs_6W6!5?`_ z-`(3rQI!w~6WGle^g&^RZ?`J;(|RVV#XWucHi2+pDTei$NG6zu2jU)4P9FFR7V2i zxHo8=0*-|uT~`Eb(!ig*+%}ZJLvq;-tFmgvQON?9{dxJLn~YABxL}b>{fvAw2Bugh zt5HJ9X5xRm`t>G@`7aNujvYEA;hRz?QxmW8FPInj!FhK0j_zH5=bSc0%(--R)4c;k zu}dSOh(ils%c$+GwPO5;c2yhseacMtG}$S;t{~(>lzTJz*3@M$7LpuDMJ9Qn6(kFY ztWM%PeUFGZ4&N%uAmiF#&vK1R3&xLZIicFrUg-?_HgNKl#_qh6(}KY1jFsPLKeK ze7%x0u)oxqB4f>4;V!v&kTox14k!1{<3_(Hv^8AUkjV%BK<@Qw)#?ZI_`aXNzs4Xa z*^aY!9`P|1i9`Q9E$-jCGS4|SI-q}&=e)}Yqc0+WtgcMIML^qzfjJ({xY0nxJaUT zWXZX8JFJz6#E?oPU}<<}w|vYZQ(u+qs9`OX43o^Sfg`77g}?z#pMtXfM4}Px;%2yx z^d;r`SuqIFg^@aUP7##oxBXZ|=wv=2o0BrI;OmTK#+K4DNm>zTLdw1qx8R-{Zkbm- zlQLHb1H%l*_RF1}l@wq}Ob>NkZ8a_M8}tdi*(f&FPOYIk$r>`6d|;ttgCRemsIeAo zh7+FH>Qq5-rIC?QWNTk+biLAiAC&<&{6ia)-A>!%_2pxqZikKEgZzl3);jp2lX{8@ zFZS1G!<)2M*6sQc@XB>4iiy^(Gv0pz@)06kQA)yP2MD2&8$mA0B4dGn6uAwn%ifLM zwG7mZ7Jn7JCa~YrqWLrr3D2KLq!nM>TweDEYnm+W6?3+y(hT0!ytcpp%w>LDfSn-o z*4%uM%U;20y-`*GfQfm;PM#q;@tYNIebq@Pr%$+HHimeo4g8>+rST1h=!Oo2n;1S) zexX739Jpm(sBw9OC?js%aQ7ck>Y;Y)K}re}!oCE>Z1`|OM0g^QymP1YKyYZvJ@#L1 z1toZf{h+#~D;*2%xj@zEIs+EyGfBYebC>zdxD|!jkIaSk4R(p~R!A4(hL8oXI#X7a zr&T?SL-Eg-UF#$q$voiXEt+^B1Lt9n-1}JwPhU964tAIk0SZ~Ob}iqsPsEBsp56^l zE4_&;xhk{Q4y)#buv)%^k*;iDgb_a?jgySd!Ncr&)ahr?KGono;^}xz>Iu-r??xbb zS@ug)UhDoE+cBX}$C4uZzz)4Q6E@H2Ioi~8%d;1f2Tp@ZPS>c#MfqFLT^~#7N7#>+ z7?|L049oQCKj#&so)n!zsC|E}>oO{mfIF|O(OXocCX{@9+#lkL;|dssok*CvUf+%^ zi+|M)@UACH0uc;(5~u(CV^&dJIXGqy}g!1A4Y@A}2rF*g#|)eK>z z5cL7dMkgbR*56!q6?jZ{A_{Cbr^^J)|3ic&h3=UBA}5fLy*GJzX?gnlQb&(`b?L~M z&4=M--_UN>_G%ZZT)gDSUJvD=H+GDZ`EGAM`@P#^X5Fo|@mHdc5r8z41S<+N3Bf`( z1j}tafB{tXIBj<$Fckt%`h>{yr~n1mIP`<9+@E*mt{V?T!QP_%BE~Hi6sXB>E6Bodyhc zK9%^|X9PGl{egm!Y7nL`7$2rTC6f=6vKFU?hQ%!v&+k|cTmc8eC7 zDg$vhI%`pAFg6F1&fB9HjDZMFzBd zmY&XWe%BuEo*yNZ`4h;!B?_KH~{rei~&EBUT^|I`4ubS85-> zknJS5Vf$h1GyuMke{=eIKO3XvxskpJBi;GrbKR?Yp`YY>loRje^EmZGtm6%o@|>U~ 
zpT#|zrrk))j@VQ&(jC$$yl1p-iwXi_i6W$tSd}bFf5u_dr#XMSv#DNyCR7QSM&8cI zKHl+K*|Wb0r+BNXT!UH8&*xjU`sN|y(u{w7>WBVyL}8r)rA{vnFy2I24hYbePGx0% zRZE=;uhBfpxyWPLf3~)UfMx>pd*}IE`R+-ga?*%8(J}tPz z!*8Jo_vy!QD3)B_{JCy4IM)g%r}h+V$n?ee(}BjJ6CUlu$kD;{zqyXGhGYm_TiH!e zJIUWlWcXffFqGe{<^w+~ zW#nrs8ixd#5&>#EJD~lYKAtY*Q=&RPfp3u!*OLNB0#cjNl1;YM;52(ur6rcH_h3XC+$7sA%?ci;;Y}^+*l)c=El28D^ zbJF@}Kc$D%^ut&L(g7}Bw(Mj7@tifSH8lLtRme$_-V>XTy?yXHY}X-Y&WxjMKnHjB zW;5Tr*j78Ec?*&p!7kN(x9d|!?nb?UxKLSWeCZND=<9ij7?nX?0?S$_yV5@4OA`^y9 z1eZiWh(*q==OLm>QI0Bc$9U1)3vO{@mvNzmwr}9LjmaxM_P-H1@zgLlk=5T)OL?1zIQ9=f`L38xPK!kM zEDZGABs+qk>J=Z3ESqupk&z$4dg8he?KR3J7LSCSw3=?QzY|JN^GMTn{o=kylvws` znFho+cFvqYI{pF%4?$ja^qK9tsS)e;B$oRko?Fi1Gf4sQXOvNsc*rt?4 zwTPXej|`bB;W$%kFE77pwu_Ep5qQC?Q5iC4jzZt|uFFt~9PJTaH!!q!cqgR(V_B7* zLFx4d4h)6hW8aKex6wAljE9M|D=9tQUm@s5fU)P{k{KzWLHpNM7Ie9Aunm9`0bBb$ z`wR(%m|jFeL!%~)&3|mreB2%-)!4ACl(yOZ0DO`&Z zfJ43oKw(2y0;IU9 z#DXjQqqYr*i*?ThRu~3%TnypGl_>s9spOK$C!PH>K)}@!-kgTRR3uOEKeFk1DRq3A}hnr zYk*O^%CV?XW#%3~j9+@32w@hnxG^B)8sNK*?eHK1zKx^e3Ke=mwa%}9F%cyKvq=^! 
zG?AA0`avQEzDLqNZb`($>gkBP_^={T5hV?tNcbyJ9x!Wr$B%-F3K3(7V+o*`vq*A< z@nd5Ah|(}D^0euoBSJQ`9P9w>8N<=}L6P)f&PTaV3d1%wQXu34#>qSn87{5sn!!6kt z#w^yhp*pf#+#gn#4}kMBCWID1L{^|D6i%|#dNf@1jE4dE*s*hG9i|I$Y`}UlUb+_9 zcToWyTtggkF@C(?c7+N&4<-X^%|^8H;@^iTy^0 zzF7K8$JlcKi@nvb(0S}6JO6$AF1^|5z1d;gr!h^MK!GnWeAdk>(y12ad>|$-o*=&) zK?#8ZjS#jZ>%9nK5W+5W=nzDC9HV^mF=&;LV>CgyLn?+)j!6Fb1wkTg#%O271W`$& zMkNI@A|?uMdy!Fb&7sztS0`W}RX;;FW#p|yGIR5@S$Oo~ZkIftzgi?LCJ&trL(6P* zu*&`{2fkWPmVwBvD8JY-kOdnNR6#35t}^hPoI8U z?HaL|abVckkwsyk+|Fx9($Wl&0V(@Iefy^ASu#Z}Ht#{5zmh_Esk{#!1Sb7|n((UX zijESsA~q#dG|Z-6G~ii?Kbl+l#KbP^cflXB*M&UMK^uw`2CkB6feqpE z6bgQpd_|aI*&75Vq2DPzdbD6?$o*LIj?g%uK=|IUdQ|xwl&`Rs`?I0}K<|MbC=@sa z-W#vfsw$bj>D(7X5V=^ulGxx@~*XYMjdWHLi2&Di`U%8C5_fO zxB91f^GH>X*(v=}RNWp_J&b!3TXM)b#q&Gf#d>&wM5hUf66dMRD?ksM>%NZpXTyf5 zX(IAdMY$*{M~XBz%NC7At;Hy(*)i_7>1(0~85$;Vs3T4?y5+r-`Oy-$E;Gz1#@Muy zQ-LFh=$s&nt_q`!C)7TYrz|-%<>jNLOE){xxtAY^D4Gu4#%KQgAQ(Vt)z|7A;%LBS zoLpSq>mq!VJVw&@e`>BYI%Kwqn@4^JxDf9`eh1nnxg}B_qsrz~U_rk#kQK)$tOwr= z+xHq(*Z9oI$F0JT=ym_PPP^ZIr8M7x>mZaqbt z0oiIRqK>XPM~%)Ez^o{V1HlQ(+K$IeKRjCW1LwRS6roa7s*fUG^BPm|nN#)?9^N0q{ zI6#nc``u?wo2>t_x6!%a8+ib940|D-s!@guq= z4oLkQ))cCarBe;pcW1MUM42xm66M@n1<&xmSP{;n#`S%ghm4K3hzMhKaQMmSE6y}# zgji*D*VSG6-H6^EZDt&?C1RG~2I96vLM1|S#KZ_mmOIKEMx_60vlCvvjJ$olm-#Xc zuP&1_YgaE>0t&S|`Tg!BJGt4cbjN@kBUgwTX1&g^mQle-LddxLmC|DovPQM@;G?mI zYl5gy;()?lT3h8#X>)Ocv2E&LMxQE6t~c^rw)0Qj%~!X(Z~pYL8}la+_F#>ZrN)Rm z-X?h=M2)5Ziy!-wY7a2Da`DIC*U%L;LG41)h5;Tgw7SDwZh$4sRXRQdn z9O6*YqLkS3p9efTWm1Sb`@;r@s@ZR8Gx)i~JNqqPKRsf-TrE?&*Rhq+F*|BsGVAO; zDeT?awUx_SDF!~~G-xG{i-Q?c9?rtKOP4h*EFwbtEV+4(PAUcD~d*f<`X0OA=Tl69;i}f zK4(_5(^#^<0HN424Oi4aUns6qJJzM~$u(*#khV&1=se*4PwsX=Lu84tm*bbKsr>hD2q(UX`cTb^o}+mlj$J!=5)` z8rvk|wq>$9ii=zd)a>pyN@DDXiXW?$VEnVVG%d2U-R&K+8bB4 zCcau6(u@w2$(b%$U(S+nFL`a^Eny8)Db1tvA(|>LTK{Y9DcVO)x2n(hc#|9dpf?tO z*0X2LQ4j=0Mbwh9Wq4;LXJOj;Sw2{UYRuZKh3=67oLux*Az<@Z(S;HVo57> z!_rXi&j1%|#}ISgz9huczbsnWr%S<2F0^iTXSHj7=d;5jb#7xk3YyZLhCqxovEvK( 
z(R(=|^OJl75OPsmNd@6HGo%j9(xPci`j6CRO#PNj2F~9`jQ=m=z6D5q{CH={UW5MV zZlq+F;v6)UE}Jgqcju3VT>|Q=wfgtJPu+<-17B|tES|6>Y?Pc%VQM&%B|Bg6r=4vF z*QPX}S}nD1X|L?#Q1;(1?S{4ih*l0>`K2Pj+xsk4loZf?1Yy|%RLR6M?vV;zUn5*$ z$FnAk%4lIBql}MFV~dIvmV!id-Ei&v>%*KNt|hN`$f$NCg0gavmGQ5iaecmU3_USr z;ooPygZC#zIfBSYU@xLyC>@&AELlXKBFlZKF(1N5dMsk0M?zy3hb`}=h5c%BP`CB)e{r7Ha~~&?DWP&hFNmAdH6qfeCpKX?_)C!B{5|) zS$CrHM*QK8dzxR}KnANp>Z4JuzjfpW>hQF%jMXOEmP2YjaH@S+?Q-g15$Z}ji1noF z{Z^IQK%dwkZ<4S(PB_6G-DYOj|KA%j4Go#n{R`4E8CN0A3>iQ7+{R`ffIyO|=X6No zR$Ev7M@G8wL@IR8TL$&bDBNnoMETtlH}~CyJ(u8OB?-NT2)OMw_8+O`WV8u-hk2X> zR75fWwnF!8@`+>rtqjx9c=ZHyc)|g_MVltN!<fc7U{o0lbO1e&Vp%>5A7G;k7pA@cq=VS}d11S59 zrkl+2{re+C5R%B#y5#(EqV$v{D@=Qk>Lr6iDj-;$keFccd5g&NWAr)QU~E(hXtvwV zokAjNzQUVq$vX7lj6|EHRSE#~)w<#8;S$%zX(g-v*6;VdWp8wBS}$jQm>6yqULbxc z`***nSz#NeqrU2eTA-QieF^R0TZrmiEWt;OJ=;iLR-mz`sIg*`Cs}gTi(is9H|ON; zX@7sjK;duT`!`7HJUTiL{}Gu_&^zpA93s+(x%_`gItG4mK0*K=f$%5t$$U#D{kKix zeL;2dF0QNU!O^!FWax`^L;Jd1IkHlL3kh9lNG&IGI4rvF_wYX@cEd%dw;cYvNfJO* z8i>JJ08{{o4Ln9e4P;#Z{{SC@or4eHgND!`|KACJ*L$$Az#uzsQ6eUQFu27gYir8j zN>s_x9T03Uoz}V8F*0hM{TW8=8T<2pzgogd#2X=oCh-fDtWaqLKJCPSbphSc;l+8? 
zQmV-;m>Dn)v0Itl*={ulvB4cSCpfZdPpinrGR-pQedBfv+Ys>><1Vzi4@6!F5-}%^@ zrC%c=9adQA7K~)PXV@hXtjE7-u*U*^Qetx$QRd=3a`XaVMLHKW|=j zy#pgLb)g!h}$+LnJ`*H;sE zQk?pdud!HQq=&qC^J{%9MUB=Edvg1E6PE>C!SFUR#zn-~G#|@RY{VuPI`PXjd>l+v zw0ql;`7q&Nq^|a0Z`Z!ST zl3vk!L(R^emJDAp3qY}QEtNUrn`6E|CPA8;zj*L|hh1P0D% z`q&#f&=N8)T4n>WIxBya>|z%)b??GcTQ02alIQ~GVKgOk05vI9#D70_K1T($u-XB< zvcq-#6S(#6+4#8*T=b+p{IFw6o zIFBDw!9988(_j+8WF0dq_|9nUqr0!2I)8o#3|<~jTf#l7|5ROOPne#Z1kvn&#Lqfx zibT#V9;_BLqo+85bLQ`ERZ}>a`a-YP<-mIM`eOY|m_n-d!ng;fZZtGL+^04i8x;VL za!k@MEFEJJY%xq{Pwu0EIqw=inc9lhj#Z;xvub)BpVIv@3|GrXg-!t7%X{P)Z1$jfXu#QmAW z{TEd2K=v}Ri+4T`NtC9QcEMu`HklIy#c?9(*Zy&xjH`b;Qzl*T?y;sX4b8Zddrhvj zIZ?A2NAZi&--SJ$`o@4D7?ccyh~y+?ch%|LD;J_(9S&;cm)PL6Y;m+=I70Iy<7e-l z(NkH`M)&x=nsZ_G1?s8}-MgO|?zP&$D$u}1rmGrF8++p{kSVL<&!Jixt5T0xPo3&R zZEzfH+WX9!zC0g{WT!GlJ^TBNQX*W7XDwZ9Tt7YJN)*m&_aC1hskH$6v@gHR*(pH^ zKyHR-ZngpfVG@k?2X48B7#VkGZQUC6f zCzq0f1k4gSmKX_XLm1N4h{l1ji2AGBd0Ts^K2`|nsj-C+lrt*5x(CL;i2!WWi;{*9D7 zcQ$I=IC;Zy@#6Z(ram7o{oGR)#p-%`hg8u|OKc^bpiD)bHLHHul=_Fv?p0Y~6RzsH zf1EfkFyX_*G5~c$$@QmR-Gk0f?Ad`o!R0D2>aSmje53=Q59iR|Ow;C;1%v`Rfg-=@of2|tutaZ&7o5hgV{~X5>0Q&Bo z1ZUz1WCp3Al|R0v4S5JDn`IHU;dJ4RKcmeENhun9Vcq#c>uJ_Xxu4e@UaXYa{E*p; zcSqyO*4&+1D>yuSZ&8bj^q%d+FilS@_a?%c&DXBEo(NE$s#xvb^BiyHdhj*UNG0)- zzLie~{6}!F43yisb0<${U2sk_?Fq~{-H7T1xiT#`U{Ff2N~`A0Wr!t*3NLWSsY)dU zt^S4cZ8S6nzT7jVSHA%RK4cc8IntHh%Emdzd38F;{YcU3rMfr!-D|&pTvXu6N!`?K zt&Xg#yupdddX=B!`Wu;Ld%vW}0N>D|Trvvap$omZ31kM$ubI3za5r#7T<|`_+An%u za>iG7Wx;GI`}3c6_-~9OTNdr%{Ra=;4tP*D(1E@UsB7`1J!}iduL~PA@a>#%$-s7d zf5T3*Ji!>yiLD>0^QQI$`U>yBPEG59?%=!64*Kz$s0V(XpjH-LHv(J<7F<|ZA4I-Y zEB}Q%FL%lw0}&#Qb|Nv6k}Eq7ghAq$tJOX&a;{IGA~lChjh1+q z*1qV)@XO)hO+}^#+QnN=Ur^+xclrP$zwp91r7(+hBkl#TUOdc=f-PhaI{h+H86^2J zifd=0TlyP0O>P{cWfHs?^brA_RnRn_#ZwzyM6Ty;5n6vWw9G5LHsw!@fx51HPp-D~ zt~4CN+EN@lx@csJ8&hv*{RJKKv#$5%3#?i@Fr*j90&Kw6CDCQQkxTq~aR;vfk3r3S zGD>1ON$L!-w9IN*+;MNK$=24{Hg&r&e(Cmg6};f&{zHe7s&>k!C@A2683N^BRFtflJJz5}*c8T+UgZTqhJeITxYD7MJg~I! 
zJ@6qh6<3)(L)<#{gl6aGqg*!hfa+55iB~RuiA)s#)ztK5D&6G6jQ}E|rKN`S;f|1a zBrMqcI1r!VROW4}ocU(@4}*M}?P{+V)Tv7snbpj(k35S>&SOZu!o-cecTA31X-77R zM2KcOfhA)lRVXL~7@@OS*a0IW8RyG9tvK|?XUiP+b_U9+nT$zR6}$!nK{7o1#=LsBA^BivN$*tIAY4y z6Fd6WDt))C3kybqw0(W^Tpv(ukV>)@e$IK_P+`PC#6MJbb`%jRlKR}*E{wjU3y?r9 zW6w$_?IfNWlngiw9k$=Z(;SVBw2Vhm^V6tD23!R*;R@sv@5ox+P*rs#lj7Yjt?Duy zTqAy{kI8y&I-!n)ae98-{m6j-X#vho*Y-;y$g4hO6=$_`E3#o@lRGW$+NDeA@cdsi za0mwFu%Yl{NV5uRX$Gkr@B8{Zo>y<7G>Qj;kwbIKN8=GkUemx^)-P$dfB8zwolHC9 z7(@O-)6fU5jfg#g(mc$EoASw0zo^^Fy$Q>`9NiP9#k#CNpm@QfXcC*WZM&UsUuxaG zAYNV$QzIcjCC8d0hnqp2fqAH32?HIsFx)|YlSny4D+DOO?tn{6q&?~5@UoBmV%lX1 zuZW(KI)Smi>T=(pBD#J;hDY-C#YRFao9P_B_ ztuDDPU;ZZAEOiI&Rp<4FaH#AX5L#&kaiNL^Gb48A=f>ksHYFWWBI%tZ1D+8X^1%sh zmQojYzN&g3ubu1K2W$ejLIx7$*ZA(8JCb=LwLcY-u*&S4a$RrvKvgtLQvM5P4Qbro zKe-7LP^O%v_-=mXrLWluG5Ql77lzqrHAC(v826G$OTW;?w z*EeC(x3MT%Ft33$O^JWvN6B!|oK8(s7xQo=_(9rH)DH1r{SqPv8rheUIyQMpKhU*A zroWbgXAbMxGJyn6z((;@YBm~vVxLoOJt}8ftDs;3x1DIqi-S-DwAQU!y); zkJPB1cIF~*A$Cw_G2|_%P%c#sDNl#!asKEav@e&b7Q?9eCrNi2R=sYn`Bz^Zq^bO@QK`04yTG-??$DR>EDK&9q!v49jI76DYmuu zj{{Cr6%rf*@8n#okSxISM08v`anI#Z7ONYr>ceP*qkXA^uAN>ChyX67x3~ z$qQjN0JfF7rm_(f;w?b|brfQ*Iyhv_05JYl7q+i#VI9^> zX&7msh~vC84P6E8lBhLKl3A7Cuk?OaO(k*+txX@IPepDHM#aeFrp#b^Hn)~+$Yn8Q zEz$P}q1b8CVYCg)K!)ckH*C8_)J?Siukzln7>sOFBD1v1!n!uEFH#W^aUo(#&o#cM zF0(ys@S)^GdoclXD;DNy7xOsk*y$+x9nOXuzKaMfXVJ!SuhUil1Qf@{mM(-yL zi>oS1wZ&D8Bu#!l?MZIL1#wgIWh7Bno`XQ7Xk7~-v2-2%8$CN<2xsa3219?mAT-mb z%ak{9=Yj4m%4pEXM8$qR8=ESq--}!8)|GP!eVw*>QkWeTwyFX}Z{C3tjPDdDmpNai zSzA9+w`E4q0o)>25Zt*g+QAKDBMxq*ID|x@%0JG}jye1&aA+VSjWASEI;k^$dU2Tn zC(J=4y5r5wm-!twEQ~l3&LBu-FB(jj`;`W%V3!9Oc|e||4UUxeCpYny`p|F>;Gl1* zp^-dZZF|_5toKS0^UJszGkD4e!REe^MMznYvgSc+*|Q%r8ByL$yksvF7|9P-}O zQVX=k%bnPhvzX-~W`5wc+~}hpZy?S9^zG}EJ8WqNn7Fh#3KTcD4NGo%3n)oqFCvxi z{pOU++_iA~8(Mam*VKo<&r}O#pz}wu$m^p^NhheSkRuqG^pB`Od*`Cw5FRN*tG7!+ zEUQ}WSTo8n0X6wdsC4dNriE3HOef*AH5&yfmpK2e`rfkZVrVA_ z&4)o0Z#X{dmVQe4#g!vbX#fDRRpplShzbRecRk2DMwwolTC}VYaIz>2OEZ^ToQo=v z$e5++Wpu@JK?)>;7(C_4g`&j`95Y5 
zD#2K8-PE93`zm^N?!0N#m@!vS2mv;p>dQ8}24=e;Fg@CB85l`_CUH`+_w3p=|4`BD z7kTL*Aq;R#Qnxh=w&;TtX9430cu?xL+tI}bJ$2dx)2-|!&Wc4(e>p6zLJ;AQw6~M0 z!Vo&(M+L+Ur^S7)-#hBI4v0<}&GqBQLTQ%bqXe&_Elc8J%!s!1;{y zrAgmrh5z|rRMp}ezNweo2pUEoRtNsz|4^@)@%ec$u#*GCL$AtnhTF_K+tPD8;EyQ2 zaf}Y&3Wvj~Dc!SNhMa%?ucI5M)5D~su-pHeM%6Or!<9d;!Tu5;g$^Nhvjp(U;)ZCz z05LkQ^A`d$!z-`NubE`JfOGLtRdMP;2NTmYn!|&5zke|e@UC089j6C8!}C8+s)hz+ zV9;3O95|8DcLiLm*@zL|p1|I(!nv4YGF*&`zVM?TGKk~$ZA&gEJH<}SDoYsvuEsVN?YV+w!I9AG0(q5u+JN4Nh zp<2<)#59yJga@82GG~Is`9^D^38B!neG)VrOScMjLmMMTFK7rF34Y^j4LOnT&ercJYq4AM|+A&7wwXWUq6@3%{46rVB=6mBZmJkS`>=WD+? zSE3TTFa?TmMu7VzD-R7?KJRRyF`-EV-7Xa#KdccMQAVNKj>F;AdY4IIR7x#`Jhz;h z=IfqOrlGDbfIq1C0`K>|s&4xCoLM`{YA5ny;5=p42F;@559O>aEKJ4KEUS2a0@tP0 z!NO0OCyK9)w7kA-adLHKz3KE(^U`S8v8_h*?iguO`GpF;Mi&2SuBI?)?JzF{l`fVGjBYr;LCGGU=RQOA6 zdKP6|`PksO2Eu&M1Swu5uauX%mQzl0D({xv-0p8(&1_vCIyce0lFR?9;q384OKK@8 z%dl~&F4>tHWyf7wo@tj*zIZx)6JL}9WbqZhS1%l|cgnosIoa}0;OEo>wb~CJOi1kL zSC5@NpZQU=?FC;!j#m>`)@?_hdxx$5l)f3EFn^p{_I)&)xeZF%ItnSAk+;>hJ(tn$ zT^ zU&4#h)6x=<2}`2&qdT>OrUw21E|tjvpy8rR?EPa?W|GK-+3_&%7p!Nm1OJC;xC`-= zs(Z0o&)|4*ZF3VxKrru_TBIQcPw5``>oCW^Y(Y2sWW^;yKv{|xk_x&Bv~V~Ad4tIE zNl?#?Zr;##yJ6Les>xXk$k6A4QFu|1>i>MjXLQ!E28x5X!?J%d!=?X^ivNfcp>Jw# zCj!l6c9r-UWJf6?FE%Vn@7mJ0R?zJki3?Xxi{Y$R9Q*#~G)C%LGTngV15#vNF7SZb z2TkQ;W($>rZcnko?nIz!VT9$^n+ML_>UJi@G}t0&UG*QS*u`FU&hmOg#jNkE&zc<_ z)CA2>>6b4AFur$A&weU&ADAu*>5%Lfj1SwuE#3;Z;ro7}`->K7X1K=0#LzX!NIY!m zTsIYU1!(8JLRk#`*5C5$k5lzadue_h;TTmEF<((b!D8?5!1O&~Xi#>e=#Cpt_wq5h zjkbFR-*={DSG>Q(MHJ5QqbEZ)NyC$ME>{2)iUU38C(!5##?y8EudpsJ(IJG>#9m=# z$V9;Y(HA}riN%&m!eBq#dNN1|ZS&m;Z(M$rJCdU@NZAX7`7)i}Wmxn9SfiD_%06ZI z@k(}$J(=2SRyBoG24i~E6)hV#j-wvsRt*@md;@j|=fGWsZ-J%o!etPza}at?DGsmD zeL{g=^3)IED^QA)lqddKn;7bpP>Zg|qW_$tdD}&Lfp0Av&enw}2xZ*68H8;u8)mr8 zrCdt+eKT+XN_D1x-d-@&G8Tle4nUB>_vq@Defvs|ouJ>BEzf4R%# zPMdsu`l7R9m}7faRKDeC2CiWK^wS)=_V>xmAN-m_V82RnbP`E?!XFQ3o$lopbBziX zIq^ecVR~6bUW(d$^r_9cLnTX9wEr0fiKeX9<{xShbR%(~vL$;>`%y@50wKpg0>ml* 
z^=v7MW1H=7FfkUU7S%oW{Q&IpTV74T+fO0gS(=oG`ZyGvptTy>kC9#*c%`pRoI-$V z4u;~`iKzoBmX7zhsFi=yv9&@#c>FFW=GK}5+@>BrWYN`* zqwYg=+tiJmP#^O1U%vAMT~+&#U%aho`rvhcjATl=ft__P7ew73zym4p5&*OfR%V0H z+2Uz?n2_LoH!;yI|3;GUo9JF&V%F||{PI9+Thcik$=wg!L5{WI`icD*vbk~h0W2Q# zWbsL_KzC}^+3$;W)3AjgTB-_5>Oqot=24fOqac?Rf~P2dwT4o}>}pz?L%@GW2&60m zb@emtSbXim3uKK8p@kMwkC46*4r@NU5D0tTh)t?<5o^k?pg-8|Z(y2iVfop^@zCWi z3*Fix!C=~s4ei=I%9oTih(t_Gle_I7ca5DX%Ny)7gHpRfcPrx}eKyE2cPg5`iia?W zM3{%uBIyr`o;BTS9e|?@g(sPjK%;9#H)a)LB{1vST#t;Ca?}y7_e*kT(!68{0}i>t z@bwN6*%P;CuK2h(ncL5SL>nmviK)|H^J!SKMP}ebWk4e$`=D`@;eZvqf$+59rr(~vNtTIexl zT;S{1ujvQs*2rTnX7%gSC)ee~{U4Qvvq;7iI}5OEE_o*spDXk^H@E8it={(hXzc%h_027bOLijkWbeW0W7Nr+Y9mD7{V2WY=L z$x6$cQ(f6gu2}B)c^Fwly8?;+Q+LO1*Jgi*q|61bkUS%7u3N>p2Ih)LU>>K0G%8}y zC(YJY98`39@aXby8%{MCC09nP>$Nvyp zJoPA4%LBKq8?Vj)bomcG6m=C1oP@cGDTSedx<6dp@xh9E2t=y`#sE+cakGO};xc&I z@{M=n*@zpWDRoLE+;?*915d&2eQ|o zvn8mA5-VqZ)A)b8HkX*pR_C;gJycjvH!BOz9>kK(XJ))=irb-LZli`W$wht;FsqUK zcNLk9$4o$hP)SCaIPk;K-Jv+)-lDva&&4KHJ~?UYaBpR?gU}VOKXSx!&G{PGHxE76 z8`hY>zT)2FZerTkJZ=N|P+X6V+qPB3)gC*(Q}z~<;9(Ry^4D2~#BhdiI+IP>|j64LGQ!=Q&nimrq9h8$3tlLj(um~dIC z<`YhbH)yqeigvf5L$!p*0P5q9S**4ANgPW-fW(sZAMFtDjW|}|I$C(~)^LQwzMxR4 zeNSDu#{m835dwJ6cbh3?Fpk}LK#1n^Y;FHVX9brpewn}Y7Zs7PCAn|krncVDBEq6s9(vH0PSGJ;?P))J}6miHMXUKlj~+@2l*)2gzPhfCAWS$_K3qYTYJX&|_sV9yxb^tq z!;L1viqeoO4r9Lt*=#$+Eb>EPdJ7_VOdK6HMTY@i+|gjO!`$5s1c&h{1r2e5(pdUfUt`bwvr1vYxI5g4O)BZ1OeV?RGeg;jD(&ZVdh^3k4^m#BEN;TIl$6gOU z9$d%zh)Hm6=CUfUQ#arZ?hJXsPN&b~R+Qi1^(?%Mo+j*j~E zk$FU2>q!VDT6-QGnJdnQrjVyK488M|>KhFLPj8nm^a}^UCR7K=7+d`o-2t5$C-vyy zMypbbSiwrv@4BljF^^zbLEy`d_xW$GCW3q!0Ki<$Cr@^Vx@BAg{X$g$6ZF7({K-jd zY-|o(9SSZnfoV3)(Ag72HpcBD>9}}c!uj*GTo>a~VW5F3)&k`6-@fZ^HNe&PJ~OQQ ztM?y13{Y9iHF;XgSs;e1S)o~%&%~V3Ez4Rly>e3sPJLVzYPy_7R%@n3WP`csP8kom z->TKXRhqEo%7*%98rBDUyx?d!c(6-)L2qdh?_Yre<`Uc7Ujv|Qaih6iRU#GEkYjY$opS;UV;G-4K&982c6Tb1S&PvRC)O=^ zMY*>JAMDnVsX>p<#M?qXd$;e#2k}on;?au>N7w1dp+m!Ars)-yoIO(%nzf?pGhpYL9jC@Q*Sa32c8bwK zezsEr8-B)G1Kn>m%%YAG>z>zJGoxwHavi#rJFq1s1(UN+eYq6U11!q^$!ugMZOSUg 
Date: Wed, 3 Jul 2019 15:09:06 -0400 Subject: [PATCH 14/21] additions and clarifications - indicate how to use MSC 1946 to store/share private keys - add signing by devices to enable migrating from device verifications - add information about signature upload failures and M_INVALID_SIGNATURE code - add security consideration --- proposals/1756-cross-signing.md | 85 ++++++++++++++++++++++++++++----- 1 file changed, 72 insertions(+), 13 deletions(-) diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index 5595b2b4d65..ec3edc33143 100644 --- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md
@@ -57,18 +57,37 @@ store it at all. Clients will need to balance the security of the keys with the usability of signing users and devices when performing key verification. The private halves of a user's cross-signing keys be stored encrypted on the -server so that they may be retrieved by new devices. FIXME: explain how to do -this via MSC 1946 +server so that they may be retrieved by new devices, or shared between devices +using [MSC 1946](https://github.com/matrix-org/matrix-doc/pull/1946). When +handled in this way, the keys must be base64-encoded, and use the names +`m.cross_signing.master`, `m.cross_signing.self_signing`, and +`m.cross_signing.user_signing` for the master, self-signing, and user-signing +keys, respectively. ### Signature distribution -Currently, users will only be allowed to see signatures made by her own master, -self-signing or user-signing keys, or signatures made by other users' master or -self-signing keys about their own devices. This is done in order to preserve -the privacy of social connections. Future proposals may define mechanisms for +Currently, users will only be allowed to see signatures made by their own +master, self-signing or user-signing keys, signatures of their own master key +made by their own devices, signatures made by other users' master or +self-signing keys about their own devices, or signatures made of other users' +master keys by their own devices. This is done in order to preserve the +privacy of social connections. Future proposals may define mechanisms for distributing signatures to other users in order to allow for other web-of-trust use cases. +### Migrating from device verifications + +Users who have verified individual devices may wish to migrate these +verifications to use cross-signing instead. In order to aid with this, +signatures of a user's master key, made by their own devices, may be uploaded +to the server. 
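Review bot: the sentence `The private halves of a user's cross-signing keys be stored encrypted on the server` in the `@@ -57,18 +57,37 @@` hunk is missing its verb and should read `may be stored encrypted on the server`. The same hunk names the MSC 1946 entries (`m.cross_signing.master`, `m.cross_signing.self_signing`, `m.cross_signing.user_signing`) but only says the keys "must be base64-encoded"; state exactly which bytes of the private key are encoded, since clients sharing a key through MSC 1946 have to agree on that format.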
If another client sees that the user's master key has a valid +signature from a device that was previously verified, then the client MAY +choose to trust and sign the master key. The client SHOULD take precautions to +ensure that a stolen device cannot be used to cause it to trust a malicious +master key. For example, a client could prompt the user before signing the +master key, or it could only do this migration on the first master key that it +sees from a user. + ### API description #### Uploading signing keys @@ -126,7 +145,8 @@ properties: "`ed25519:`" followed by the unpadded base64 encoding of the public key, and whose value is the unpadded base64 encoding of the public key. * `signatures` ({string: {string: string}}): signatures of the key. A - self-signing or user-signing key must be signed by the master key. + self-signing or user-signing key MUST be signed by the master key. A master + key MAY be signed by a device. In order to ensure that there will be no collisions in the `signatures` property, the server must respond with an error (FIXME: what error?) if any of @@ -136,7 +156,8 @@ keys, the server must respond with an error (FIXME: what error?). If a self-signing or user-signing key is uploaded, it must be signed by the master key that is included in the request, or the current master key if no -master key is included. +master key is included. If the signature from the master key is incorrect, the +server should respond with an error code of `M_INVALID_SIGNATURE`. After uploading cross-signing keys, they will be included under the `/keys/query` endpoint under the `master_keys`, `self_signing_keys` and 
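Review bot: in the `### Migrating from device verifications` hunk, the client should verify the device's signature over the master key itself, against the device key it previously verified, rather than rely on the server having filtered out bad signatures; the security considerations added later in this patch already assume an attacker who controls the homeserver, so the text should say explicitly that the check is done client-side. The fallback of trusting "the first master key that it sees from a user" is trust-on-first-use and should be labelled as such, so implementers do not treat it as equivalent to prompting the user.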
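Review bot: the `@@ -136,7 +156,8 @@` hunk says the server "should respond with an error code of `M_INVALID_SIGNATURE`" while the neighbouring collision rules use "must"; a client that relies on this code to detect a rejected master-key signature needs it to be mandatory, so suggest "must respond". The two `(FIXME: what error?)` placeholders in the context lines of the `@@ -126,7 +145,8 @@` hunk are still unresolved and should be given a concrete error code before this lands.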
@@ -287,10 +308,11 @@ others users who share an encrypted room with that user. #### Uploading signatures -Signatures of keys can be uploaded using `/keys/signatures/upload`. +Signatures of device keys can be uploaded using `/keys/signatures/upload`. For example, Alice signs one of her devices (HIJKLMN) (using her self-signing -key), and signs Bob's master key (using her user-signing key). +key), her own master key (using her HIJKLMN device), Bob's master key (using +her user-signing key). `POST /keys/signatures/upload` @@ -313,6 +335,18 @@ key), and signs Bob's master key (using her user-signing key). "ed25519:base64+self+signing+public+key": "base64+signature+of+HIJKLMN" } } + }, + "base64+master+public+key": { + "user_id": "@alice:example.com", + "usage": ["master"], + "keys": { + "ed25519:base64+master+public+key": "base64+master+public+key" + }, + "signatures": { + "@alice:example.com": { + "ed25519:HIJKLMN": "base64+signature+of+master+key" + } + } } }, "@bob:example.com": { @@ -332,9 +366,23 @@ key), and signs Bob's master key (using her user-signing key). } ``` -After Alice uploads a signature for her own devices, her signature will be -included in the results of the `/keys/query` request when *anyone* requests her -keys: +response: + +``` json +{ + "failures": {} +} +``` + +The response contains a `failures` property, which is a map of user ID to +device ID to failure reason, if any of the uploaded keys failed. The +homeserver should verify that the signature is correct. If it is not, the +homeserver should set the corresponding entry in `failures` to a JSON object +with the `errcode` property set to `M_INVALID_SIGNATURE`. + +After Alice uploads a signature for her own devices or master key, her +signature will be included in the results of the `/keys/query` request when +*anyone* requests her keys: `POST /keys/query` 
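Review bot: the example sentence in the `@@ -287,10 +308,11 @@` hunk lists three signatures without a conjunction (`key), her own master key (using her HIJKLMN device), Bob's master key (using`); add "and" before the last item. For the master-key entry added to the request body in the `@@ -313,6 +335,18 @@` hunk (keyed by `base64+master+public+key`, carrying `"usage": ["master"]`), state whether the server compares the uploaded `keys` and `usage` against the stored master key and rejects mismatches, so a signature upload cannot be mistaken for a key replacement.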
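Review bot: the `failures` description in the `@@ -332,9 +366,23 @@` hunk ("a map of user ID to device ID to failure reason") does not match the request body above it, where the master-key signature is keyed by the key ID `base64+master+public+key` rather than a device ID; say "device ID or key ID". It would also help to state that an entry in `failures` means that one signature was not stored while the others in the same request were, so clients know whether to retry the whole request or only the failed entry.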
@@ -382,6 +430,11 @@ response: "usage": ["master"], "keys": { "ed25519:base64+master+public+key": "base64+master+public+key" + }, + "signatures": { + "@alice:example.com": { + "ed25519:HIJKLMN": "base64+signature+of+master+key" + } } }, "self_signing_key": { @@ -484,6 +537,12 @@ deleted and replaced. An attacker who is able to both steal a user's device and control their homeserver could prevent that device from being marked as untrusted. +An attacker may be able to upload a large number of signatures in a DoS attack +against clients or servers, similar to the [attack against the SKS keyserver +network](https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f). +Since clients are only sent a subset of signatures, and the attestation graph +is limited, a DoS attack is less likely to be successful in this case. + ## Conclusion This proposal presents an alternative cross-signing mechanism to MSC1680, From e1b0042e7be20c43908c32845ab0ea513b70b115 Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Tue, 27 Aug 2019 17:46:45 -0700 Subject: [PATCH 15/21] clarifications, minor fixes, formatting --- proposals/1756-cross-signing.md | 39 ++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index ec3edc33143..34789fb8040 100644 --- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md 
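Review bot: the DoS consideration in the `@@ -484,6 +537,12 @@` hunk argues the attack is "less likely to be successful" because clients only receive a subset of signatures, but nothing in the patch bounds how many device signatures one master key can accumulate, and those signatures are returned to anyone who queries the user's keys (per the `/keys/query` text in this patch); suggest a server-side cap or rate limit on signature uploads per key and a sentence here saying so.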
@@ -27,8 +27,8 @@ Each user has three sets of key pairs: - a user-signing key pair that is used to sign other users' master keys. When one user (e.g. Alice) verifies another user's (Bob's) identity, Alice will -sign Bob's self-signing key with her user-signing key. (This will mean that -verification methods will need to be modified to pass along the self-signing +sign Bob's master key with her user-signing key. (This will mean that +verification methods will need to be modified to pass along the master identity key.) Alice's device will trust Bob's device if: - Alice's device is using a master key that has signed her user-signing key, @@ -66,14 +66,18 @@ keys, respectively. ### Signature distribution -Currently, users will only be allowed to see signatures made by their own -master, self-signing or user-signing keys, signatures of their own master key -made by their own devices, signatures made by other users' master or -self-signing keys about their own devices, or signatures made of other users' -master keys by their own devices. This is done in order to preserve the -privacy of social connections. Future proposals may define mechanisms for -distributing signatures to other users in order to allow for other web-of-trust -use cases. +Currently, users will only be allowed to see +* signatures made by their own master, self-signing or user-signing keys, +* signatures made by their own devices of their own master key, +* signatures made by other users' self-signing keys about the other users' own + devices, +* signatures made by other users' master keys about the other users' + self-signing key, or +* signatures made by other users' devices about the other users' master keys. + +This is done in order to preserve the privacy of social connections. Future +proposals may define mechanisms for distributing signatures to other users in +order to allow for other web-of-trust use cases. ### Migrating from device verifications 
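Review bot: in the `@@ -27,8 +27,8 @@` hunk the fix to "sign Bob's master key with her user-signing key" is right, but the parenthetical still ends with "pass along the master identity key" while the rest of the document calls it the master key; align the wording. In the `@@ -66,14 +66,18 @@` hunk the new list uses `*` bullets whereas the list of key pairs in the first hunk uses `-`; use one style. The "about" phrasing in those bullets is also ambiguous between signer and signed party; "signatures made by another user's master key over that user's self-signing key" reads unambiguously.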
@@ -134,8 +138,7 @@ Auth](https://matrix.org/docs/spec/client_server/r0.4.0.html#user-interactive-au } ``` -Cross-signing keys are JSON objects with the following -properties: +Cross-signing keys are JSON objects with the following properties: * `user_id` (string): The user who owns the key * `usage` ([string]): Allowed uses for the key. Must contain `"master"` for @@ -149,10 +152,10 @@ properties: key MAY be signed by a device. In order to ensure that there will be no collisions in the `signatures` -property, the server must respond with an error (FIXME: what error?) if any of +property, the server must respond with an `M_FORBIDDEN` error if any of the uploaded public keys match an existing device ID for the user. Similarly, if a user attempts to log in specifying a device ID matching one of the signing -keys, the server must respond with an error (FIXME: what error?). +keys, the server must respond with an `M_FORBIDDEN` error. If a self-signing or user-signing key is uploaded, it must be signed by the master key that is included in the request, or the current master key if no @@ -211,10 +214,10 @@ response: } ``` -Similarly, the federation endpoints `GET /user/keys/query` and -`POST /user/devices/{userId}` will include the master and self-signing keys. -(It will not include the user-signing key because it is not intended to be -visible to other users.) +Similarly, the federation endpoints `GET /user/keys/query` and `POST +/user/devices/{userId}` will include the master and self-signing keys. (It +will not include the user-signing key because it is not intended to be visible +to other users.) `POST /keys/query` From 03ae5614b0daf45e02f87b92f99753bfae85b3c8 Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Tue, 27 Aug 2019 17:56:52 -0700 Subject: [PATCH 16/21] remove unnecessary space --- proposals/1756-cross-signing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index 34789fb8040..1dbef83c897 100644 --- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md @@ -58,7 +58,7 @@ the usability of signing users and devices when performing key verification. The private halves of a user's cross-signing keys be stored encrypted on the server so that they may be retrieved by new devices, or shared between devices -using [MSC 1946](https://github.com/matrix-org/matrix-doc/pull/1946). When +using [MSC1946](https://github.com/matrix-org/matrix-doc/pull/1946). When handled in this way, the keys must be base64-encoded, and use the names `m.cross_signing.master`, `m.cross_signing.self_signing`, and `m.cross_signing.user_signing` for the master, self-signing, and user-signing From 7644085274e1837b4e5f5701ebcfa8edfb95b425 Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Sat, 7 Sep 2019 16:03:11 -0400 Subject: [PATCH 17/21] wording fixes and clarifications --- proposals/1756-cross-signing.md | 50 ++++++++++++++++++--------------- 1 file changed, 28 insertions(+), 22 deletions(-) diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index 1dbef83c897..53690b5fc52 100644 --- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md @@ -2,9 +2,9 @@ ## Background -A user with multiple devices will have a different key for end-to-end -encryption for each device. Other users who want to communicate securely with -this user must then verify each key on each of their devices. If Alice has *n* +If a user has multiple devices, each device will have a different key for +end-to-end encryption. Other users who want to communicate securely with this +user must then verify each key on each of their own devices. If Alice has *n* devices, and Bob has *m* devices, then for Alice to be able to communicate with Bob on any of their devices, this involves *n×m* key verifications. 
@@ -21,15 +21,15 @@ MSC1680 is presented below. Each user has three sets of key pairs: -- a master cross-signing key pair that is used to identify themselves and to +- a *master* cross-signing key pair that is used to identify themselves and to sign their other cross-signing keys, -- a self-signing key pair that is used to sign their own devices, and -- a user-signing key pair that is used to sign other users' master keys. +- a *self-signing* key pair that is used to sign their own devices, and +- a *user-signing* key pair that is used to sign other users' master keys. When one user (e.g. Alice) verifies another user's (Bob's) identity, Alice will sign Bob's master key with her user-signing key. (This will mean that -verification methods will need to be modified to pass along the master -identity key.) Alice's device will trust Bob's device if: +verification methods will need to be modified to pass along the public part of +the master key.) Alice's device will trust Bob's device if: - Alice's device is using a master key that has signed her user-signing key, - Alice's user-signing key has signed Bob's master key, @@ -41,7 +41,7 @@ identity key.) Alice's device will trust Bob's device if: A user's master key could allow an attacker to impersonate that user to other users, or other users to that user. Thus clients must ensure that the private part of the master key is treated securely. If clients do not have a secure -means of storing the master key (such as an secret storage system provided by +means of storing the master key (such as a secret storage system provided by the operating system), then clients must not store the private part. If a user changes their master key, clients of users that they communicate with must notify their users about the change. 
@@ -68,7 +68,7 @@ keys, respectively. Currently, users will only be allowed to see * signatures made by their own master, self-signing or user-signing keys, -* signatures made by their own devices of their own master key, +* signatures made by their own devices about their own master key, * signatures made by other users' self-signing keys about the other users' own devices, * signatures made by other users' master keys about the other users' @@ -85,8 +85,8 @@ Users who have verified individual devices may wish to migrate these verifications to use cross-signing instead. In order to aid with this, signatures of a user's master key, made by their own devices, may be uploaded to the server. If another client sees that the user's master key has a valid -signature from a device that was previously verified, then the client MAY -choose to trust and sign the master key. The client SHOULD take precautions to +signature from a device that was previously verified, then the client may +choose to trust and sign the master key. The client should take precautions to ensure that a stolen device cannot be used to cause it to trust a malicious master key. For example, a client could prompt the user before signing the master key, or it could only do this migration on the first master key that it 
@@ -379,13 +379,15 @@ response: The response contains a `failures` property, which is a map of user ID to device ID to failure reason, if any of the uploaded keys failed. The -homeserver should verify that the signature is correct. If it is not, the -homeserver should set the corresponding entry in `failures` to a JSON object -with the `errcode` property set to `M_INVALID_SIGNATURE`. +homeserver should verify that the signatures on the uploaded keys are valid. +If a signature is not valid, the homeserver should set the corresponding entry +in `failures` to a JSON object with the `errcode` property set to +`M_INVALID_SIGNATURE`. After Alice uploads a signature for her own devices or master key, her signature will be included in the results of the `/keys/query` request when -*anyone* requests her keys: +*anyone* requests her keys. However, signatures made for other users' keys, +made by her user-signing key, will not be included. `POST /keys/query` 
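Review bot: the `@@ -379,13 +379,15 @@` hunk rewords the `failures` description but keeps "map of user ID to device ID to failure reason", which is wrong for master-key signatures where the request is keyed by key ID; fix it while these lines are being touched. The new sentence "signatures made for other users' keys, made by her user-signing key, will not be included" should also say whether Alice's own client still receives them from `/keys/query`, since the Signature distribution section says a user can see signatures made by their own user-signing key.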
@@ -455,12 +457,16 @@ response: } ``` -Similarly, the federation endpoints `GET /user/keys/query` and -`POST /user/devices/{userId}` will include the new signature. - -In addition, Alice's server will send an `m.device_list_update` EDU to servers -that have users who share encrypted rooms with Alice, updating her device to -include her new signature. +Similarly, the federation endpoints `GET /user/keys/query` and `POST +/user/devices/{userId}` will include the new signatures for her own devices or +master key, but not signatures made by her user-signing key. + +In addition, when Alice uploads signatures for her own device, Alice's server +will send an `m.device_list_update` EDU to servers that have users who share +encrypted rooms with Alice, updating her device to include her new signature. +And when a signature of a master key is uploaded, Alice's server will send an +`m.signing_key_update` EDU, updating her master key to include her new +signature. After Alice uploads a signature for Bob's user-signing key, her signature will be included in the results of the `/keys/query` request when Alice requests From 60f0ad5b24b8928dff7c246083339c1332b9873e Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Sat, 7 Sep 2019 16:05:46 -0400 Subject: [PATCH 18/21] lowercase --- proposals/1756-cross-signing.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index 53690b5fc52..2e4f1b4357f 100644 --- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md 
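Review bot: the `@@ -455,12 +457,16 @@` hunk introduces a new federation EDU, `m.signing_key_update`, but neither this hunk nor the rest of the patch defines its payload; it needs a description (at least which keys and signatures it carries) alongside the existing `m.device_list_update` text. The unchanged context line after the hunk, "After Alice uploads a signature for Bob's user-signing key", contradicts the upload example where Alice signs Bob's master key with her user-signing key; it should say "for Bob's master key".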
@@ -148,8 +148,8 @@ Cross-signing keys are JSON objects with the following properties: "`ed25519:`" followed by the unpadded base64 encoding of the public key, and whose value is the unpadded base64 encoding of the public key. * `signatures` ({string: {string: string}}): signatures of the key. A - self-signing or user-signing key MUST be signed by the master key. A master - key MAY be signed by a device. + self-signing or user-signing key must be signed by the master key. A master + key may be signed by a device. In order to ensure that there will be no collisions in the `signatures` property, the server must respond with an `M_FORBIDDEN` error if any of From 3e42cf528ba65f5025e534fac66cbad98529a5a5 Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Fri, 1 Nov 2019 15:38:14 -0400 Subject: [PATCH 19/21] Apply suggestions from code review Co-Authored-By: David Baker --- proposals/1756-cross-signing.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index 2e4f1b4357f..72b74121562 100644 --- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md @@ -19,7 +19,7 @@ MSC1680 is presented below. ## Proposal -Each user has three sets of key pairs: +Each user has three key pairs: - a *master* cross-signing key pair that is used to identify themselves and to sign their other cross-signing keys, @@ -29,7 +29,7 @@ Each user has three sets of key pairs: When one user (e.g. Alice) verifies another user's (Bob's) identity, Alice will sign Bob's master key with her user-signing key. (This will mean that verification methods will need to be modified to pass along the public part of -the master key.) Alice's device will trust Bob's device if: +Bob's master key.) Alice's device will trust Bob's device if: - Alice's device is using a master key that has signed her user-signing key, - Alice's user-signing key has signed Bob's master key, 
@@ -56,7 +56,7 @@ clients should still make efforts to store the private part securely, or not store it at all. Clients will need to balance the security of the keys with the usability of signing users and devices when performing key verification. -The private halves of a user's cross-signing keys be stored encrypted on the +The private halves of a user's cross-signing keys may be stored encrypted on the server so that they may be retrieved by new devices, or shared between devices using [MSC1946](https://github.com/matrix-org/matrix-doc/pull/1946). When handled in this way, the keys must be base64-encoded, and use the names From 3b2f897c7e7d5a5ff40e99228967c06b762861cf Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Wed, 20 Nov 2019 11:48:36 -0500 Subject: [PATCH 20/21] Apply suggestions from code review Co-Authored-By: Matthew Hodgson --- proposals/1756-cross-signing.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index 72b74121562..05e02a4fade 100644 --- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md 
@@ -69,11 +69,11 @@ keys, respectively. Currently, users will only be allowed to see * signatures made by their own master, self-signing or user-signing keys, * signatures made by their own devices about their own master key, -* signatures made by other users' self-signing keys about the other users' own +* signatures made by other users' self-signing keys about their own respective devices, -* signatures made by other users' master keys about the other users' +* signatures made by other users' master keys about their respective self-signing key, or -* signatures made by other users' devices about the other users' master keys. +* signatures made by other users' devices about their respective master keys. This is done in order to preserve the privacy of social connections. Future proposals may define mechanisms for distributing signatures to other users in @@ -84,7 +84,7 @@ order to allow for other web-of-trust use cases. Users who have verified individual devices may wish to migrate these verifications to use cross-signing instead. In order to aid with this, signatures of a user's master key, made by their own devices, may be uploaded -to the server. If another client sees that the user's master key has a valid +to the server. If another user's client sees that that a given user's master key has a valid signature from a device that was previously verified, then the client may choose to trust and sign the master key. The client should take precautions to ensure that a stolen device cannot be used to cause it to trust a malicious From 82260689c946dda84f5dc4231e50755e86226719 Mon Sep 17 00:00:00 2001 From: Hubert Chathi Date: Wed, 20 Nov 2019 11:55:10 -0500 Subject: [PATCH 21/21] add link to migrating from device verifications --- proposals/1756-cross-signing.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/proposals/1756-cross-signing.md b/proposals/1756-cross-signing.md index 05e02a4fade..f4ae60117c0 100644 
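Review bot: the replacement line in the `@@ -84,7 +84,7 @@` hunk contains a doubled word, "sees that that a given user's master key", and runs well past the wrap width used elsewhere in the file; change it to "sees that a given user's master key" and rewrap the paragraph.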
--- a/proposals/1756-cross-signing.md +++ b/proposals/1756-cross-signing.md @@ -73,7 +73,9 @@ Currently, users will only be allowed to see devices, * signatures made by other users' master keys about their respective self-signing key, or -* signatures made by other users' devices about their respective master keys. +* signatures made by other users' devices about their respective master keys + (these signatures are used for [migrating from device + verifications](#migrating-from-device-verifications)). This is done in order to preserve the privacy of social connections. Future proposals may define mechanisms for distributing signatures to other users in