From 7da0131ea72337db0cd2138680446fe12db3ddd6 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Sat, 7 Oct 2023 14:45:56 +0200 Subject: [PATCH 01/56] change opening lines/introduction to chapter --- book/source/04-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 8583c90..597704c 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -1,7 +1,7 @@ (certificates_chapter)= # Certificates -One central (and non-trivial) element of OpenPGP are "OpenPGP certificates" (also often called "OpenPGP keys"). OpenPGP certificates are relatively complex data structures, so it's good to have a clear mental model of them. +OpenPGP fundamentally hinges on the concept of "OpenPGP certificates," often referred to as "OpenPGP keys." These certificates are complex data structures essential for identity verification and data encryption. Understanding their structure and functionality is pivotal for effective application of the OpenPGP standard. ## Terminology: The various meanings of "key" From ab926334bd678823f040ced2dfbcd41b02e5051f Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Sat, 7 Oct 2023 14:49:26 +0200 Subject: [PATCH 02/56] edit section intro on understanding keys --- book/source/04-certificates.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 597704c..2d856d2 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -3,9 +3,9 @@ OpenPGP fundamentally hinges on the concept of "OpenPGP certificates," often referred to as "OpenPGP keys." These certificates are complex data structures essential for identity verification and data encryption. Understanding their structure and functionality is pivotal for effective application of the OpenPGP standard. -## Terminology: The various meanings of "key" +## Terminology: Understanding "keys" -The concept of "(cryptographic) keys" plays a central role, when looking at OpenPGP certificates. Confusingly, the term can be used to refer to a number of subtly different things. +The term "(cryptographic) keys" is central to grasping the concept of OpenPGP certificates. However, it can refer to different entities, making it a potentially confusing term. Let's clarify those differences. ### Private vs. public keys From 4e9ddaee0b9634e4d70c639b226ad98b0adbbfc1 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Sat, 7 Oct 2023 15:03:43 +0200 Subject: [PATCH 03/56] clarify in section on public vs private keys --- book/source/04-certificates.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 2d856d2..667617d 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -7,9 +7,9 @@ OpenPGP fundamentally hinges on the concept of "OpenPGP certificates," often ref The term "(cryptographic) keys" is central to grasping the concept of OpenPGP certificates. However, it can refer to different entities, making it a potentially confusing term. Let's clarify those differences. -### Private vs. public keys +### Public vs. private keys -First, without additional context, the word "key" can refer either to public, or to private asymmetric key material (or even to symmetric keys, which can be used to encrypt private key material in OpenPGP keys). +The term "key," without additional context, can refer to either public or private asymmetric key material. In asymmetric cryptography, fundamental to the OpenPGP standard, a pair of keys is used: a public key for encryption and a corresponding private key for decryption. The public key is shared openly, allowing others to encrypt data meant for the individual who owns the key pair, while the private key is kept confidential by the key pair owner, ensuring only they can decrypt and access the encrypted data. Additionally, symmetric keys may be used in OpenPGP to encrypt private key material, adding a layer of security and complexity. ### Layers of "keys," in OpenPGP From 2beba67d13d796ddf957a41bb964ac5b1f989c3e Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Sat, 7 Oct 2023 15:13:58 +0200 Subject: [PATCH 04/56] edit section on layers of keys, integrating previoous Ch2 section --- book/source/04-certificates.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 667617d..a256b8e 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -11,16 +11,17 @@ The term "(cryptographic) keys" is central to grasping the concept of OpenPGP ce The term "key," without additional context, can refer to either public or private asymmetric key material. In asymmetric cryptography, fundamental to the OpenPGP standard, a pair of keys is used: a public key for encryption and a corresponding private key for decryption. The public key is shared openly, allowing others to encrypt data meant for the individual who owns the key pair, while the private key is kept confidential by the key pair owner, ensuring only they can decrypt and access the encrypted data. Additionally, symmetric keys may be used in OpenPGP to encrypt private key material, adding a layer of security and complexity. -### Layers of "keys," in OpenPGP +### Layers of keys in OpenPGP -Independent of the distinction between private and public keys, in OpenPGP, the term "key" is used to refer to three different layers, all related but distinct: +In OpenPGP, the term "key" is used to refer to three distinct layers, each serving a unique purpose: -1. A (bare) ["cryptographic key"](asymmetric_key_pair) (without additional metadata). Those might be the private and/or public parameters that form a key, e.g., in case of an RSA private key, the exponent `d` along with the prime numbers `p` and `q`. -2. An OpenPGP *component key*: Either an "OpenPGP primary key", or an "OpenPGP subkey". A component key is one building block of an OpenPGP certificate. It consists of a cryptographic keypair combined some invariant metadata (e.g. key creation time). -3. An "OpenPGP certificate" (or "OpenPGP key"): Consists of a number of component keys, identity components and additional elements. +1. A (bare) ["cryptographic key"](asymmetric_key_pair) comprises the private and/or public parameters forming a key. For instance, in the case of an RSA private key, the key consists of the exponent `d` along with the prime numbers `p` and `q`. +2. 
An OpenPGP *component key* includes either an "OpenPGP primary key" or an "OpenPGP subkey." It is a building block of an OpenPGP certificate, consisting of a cryptographic keypair coupled with some invariant metadata, such as key creation time. +3. An "OpenPGP certificate" (or "OpenPGP key") consists of several component keys, identity components, and other elements. These certificates are dynamic, evolving over time as components are added, expire, or are marked as invalid. -In the following section, we'll look at the two OpenPGP-specific layers (2 and 3). +The following section will delve into the OpenPGP-specific layers (2 and 3) to provide a clearer understanding of their roles within OpenPGP certificates. +For detailed insights on structure and handling, refer to our chapters on OpenPGP [certificates](certificates_chapter) and [private keys](private_key_chapter). Additionally, managing certificates, and understanding their authentication and trust models are vital topics. While this document briefly touches upon these aspects, they are integral to working proficiently with OpenPGP. ## Structure of OpenPGP certificates From b353129bcc9a4f21e3d2dc43f6d58d71367f5a15 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 12 Oct 2023 13:42:38 +0200 Subject: [PATCH 05/56] add digital signatures --- book/source/04-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index a256b8e..48f943a 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -1,7 +1,7 @@ (certificates_chapter)= # Certificates -OpenPGP fundamentally hinges on the concept of "OpenPGP certificates," often referred to as "OpenPGP keys." These certificates are complex data structures essential for identity verification and data encryption. Understanding their structure and functionality is pivotal for effective application of the OpenPGP standard. +OpenPGP fundamentally hinges on the concept of "OpenPGP certificates," often referred to as "OpenPGP keys." These certificates are complex data structures essential for identity verification, data encryption, and digital signatures. Understanding their structure and functionality is pivotal for effective application of the OpenPGP standard. ## Terminology: Understanding "keys" From 6f179d2c078f47237d9564644c6e02ff3e1e72eb Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 12 Oct 2023 13:47:43 +0200 Subject: [PATCH 06/56] remove asysmmetric explainer, evaluate for ch3 --- book/source/04-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 48f943a..49d50f6 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -9,7 +9,7 @@ The term "(cryptographic) keys" is central to grasping the concept of OpenPGP ce ### Public vs. private keys -The term "key," without additional context, can refer to either public or private asymmetric key material. In asymmetric cryptography, fundamental to the OpenPGP standard, a pair of keys is used: a public key for encryption and a corresponding private key for decryption. The public key is shared openly, allowing others to encrypt data meant for the individual who owns the key pair, while the private key is kept confidential by the key pair owner, ensuring only they can decrypt and access the encrypted data. Additionally, symmetric keys may be used in OpenPGP to encrypt private key material, adding a layer of security and complexity. +The term "key," without additional context, can refer to either public or private asymmetric key material. Additionally, symmetric keys may be used in OpenPGP to encrypt private key material, adding a layer of security and complexity. ### Layers of keys in OpenPGP From 44eba4a6bbbca95e9f62f64ebcf91135ac34e6e6 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 12 Oct 2023 14:06:10 +0200 Subject: [PATCH 07/56] change to 'may refer to' --- book/source/04-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 49d50f6..29b2fef 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -13,7 +13,7 @@ The term "key," without additional context, can refer to either public or privat ### Layers of keys in OpenPGP -In OpenPGP, the term "key" is used to refer to three distinct layers, each serving a unique purpose: +In OpenPGP, the term "key" may refer to three distinct layers, each serving a unique purpose: 1. A (bare) ["cryptographic key"](asymmetric_key_pair) comprises the private and/or public parameters forming a key. For instance, in the case of an RSA private key, the key consists of the exponent `d` along with the prime numbers `p` and `q`. 2. An OpenPGP *component key* includes either an "OpenPGP primary key" or an "OpenPGP subkey." It is a building block of an OpenPGP certificate, consisting of a cryptographic keypair coupled with some invariant metadata, such as key creation time. From c592c6c02d52f5e3814ac1037f287d324c73c3aa Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Fri, 6 Oct 2023 20:41:18 +0200 Subject: [PATCH 08/56] ch4: don't use title case --- book/source/04-certificates.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 29b2fef..52f6026 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -102,7 +102,7 @@ Subkeys have the same structure as the primary key, but they are used in a diffe OpenPGP certificates can contain a number of subkeys ``` -#### Key Flags: defining which operations a component key can perform +#### Key flags: defining which operations a component key can perform Each component key has a set of ["Key Flags"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-flags) that specify which operations that key can perform. 
@@ -245,7 +245,7 @@ Note: certification signatures [can be made irrevocable](https://www.ietf.org/ar This section only contains notes and still needs to be written ``` -### Certificate Management / Evolution of a certificate over time +### Certificate management / Evolution of a certificate over time Minimized versions, merging, effective "append only" semantics, ... @@ -262,7 +262,7 @@ Minimized versions, merging, effective "append only" semantics, ... - Subkey: Revoked/key expired/binding signature expired - User ID: revoked, binding expired, ... -### Best Practices regarding Key Freshness +### Best practices regarding Key Freshness ```{admonition} TODO :class: warning @@ -273,7 +273,7 @@ Minimized versions, merging, effective "append only" semantics, ... Wiktor suggests to check: https://blogs.gentoo.org/mgorny/2018/08/13/openpgp-key-expiration-is-not-a-security-measure/ for important material ``` -### Metadata Leak of Social Graph +### Metadata leak of Social Graph (unbound_user_ids)= ### Adding unbound User IDs to a certificate From ac070e52296d7c9b65adea9ead4ec411bf9cf57a Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Fri, 6 Oct 2023 20:39:54 +0200 Subject: [PATCH 09/56] ch4 "zooming in": fix capitalizations/styling - Don't use quotation marks for RFC terms. Use italics, when appropriate. - The word "packet" isn't capitalized when referring to a specific packet. --- book/source/04-certificates.md | 64 +++++++++++++++++----------------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 52f6026..4af313d 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -284,9 +284,9 @@ Some OpenPGP subsystems may add User IDs to a certificate, which are not bound t Now that we've established the concepts of the components that OpenPGP certificates consist of, let's look at the internal details of our example certificate. -### A very minimal OpenPGP "Transferrable Secret Key" +### A very minimal OpenPGP transferable secret key -We'll start with a very minimal version of [](alice_priv), stored as a "Transferrable Secret Key" (that is, including private key material). +We'll start with a very minimal version of [](alice_priv), stored as a *transferable secret key* ([RFC 10.2.](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#transferable-secret-keys)) (that is, including private key material). In this section, we use the Sequoia-PGP tool `sq` to handle and transform our example OpenPGP key, and to inspect internal OpenPGP packet data. @@ -319,8 +319,8 @@ $ sq packet join alice.priv-0--SecretKey alice.priv-1--Signature --output alice_ This version of Alice's key contains just two packets: -- The [*"Secret-Key Packet"*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-packet-formats) for the primary key, and -- A [*"Direct Key Signature"*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-direct-key) (a self-signature that binds metadata to the primary key). +- The [*Secret-Key packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-packet-formats) for the primary key, and +- A [*Direct Key Signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-direct-key) (a self-signature that binds metadata to the primary key). In the real world, you won't usually encounter an OpenPGP key that is quite this minimal. However, this is technically a valid OpenPGP key (and we'll add more components to it, later in this section). 
@@ -350,7 +350,7 @@ $ sq packet dump --hex alice_minimal.priv #### Secret-Key Packet -The output starts with the (primary) [Secret-Key Packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-packet-formats) (the file `alice.priv-0--SecretKey` contains this packet): +The output starts with the (primary) [Secret-Key packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-packet-formats) (the file `alice.priv-0--SecretKey` contains this packet): ```text Secret-Key Packet, new CTB, 2 header bytes + 75 bytes 
@@ -380,12 +380,12 @@ KeyID: AAA18CBB254685C5 00000040 bd 42 dd 4b e9 a3 36 81 3b a5 cc cf fb ``` -The Secret-Key Packet consists in large part of the actual cryptographic key data. Let's look at the packet field by field: +The Secret-Key packet consists in large part of the actual cryptographic key data. Let's look at the packet field by field: -- `CTB: 0xc5`[^CTB]: The [Packet Tag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers) for this packet. The binary representation of the value `0xc5` is `11000101`. Bits 7 and 6 show that the packet is in "OpenPGP packet format" (as opposed to in "Legacy packet format"). The remaining 6 bits encode the Tag's value: "5". This is the value for a Secret-Key Packet, as shown in the list of [Packet Tags](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-tags). +- `CTB: 0xc5`[^CTB]: The [Packet Tag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers) for this packet. The binary representation of the value `0xc5` is `11000101`. Bits 7 and 6 show that the packet is in *OpenPGP packet format* (as opposed to in *Legacy packet format*). The remaining 6 bits encode the Tag's value: "5". This is the value for a Secret-Key packet, as shown in the list of [Packet Tags](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-tags). - `length: 0x4b`: The remaining length of this packet. -The packet tag defines the semantics of the remaining data in the packet. We're looking at a Secret-Key Packet, which is a kind of [Key Material Packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-material-packets). +The packet tag defines the semantics of the remaining data in the packet. 
We're looking at a Secret-Key packet, which is a kind of [Key Material Packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-material-packets). - `version: 0x06`: The key material is in version 6 format 
@@ -396,25 +396,25 @@ This means that the next part of the packet follows the structure of [Version 6 - `public_len: 0x00000020`: "Octet count for the following public key material" (in this case, the length of the following `ed25519_public` field) - `ed25519_public`: [Algorithm-specific representation](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ed2) of the public key material (the format is based on the value of `pk_algo`), in this case 32 bytes of the Ed25519 public key -This concludes the Public Key section of the packet. The remaining data follows the [Secret-Key Packet Format](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-packet-formats): +This concludes the Public Key section of the packet. The remaining data follows the [Secret-Key packet format](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-packet-formats): -- `s2k_usage: 0x00`: [This "S2K usage" value](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-encryption-s2k-u) specifies that the secret-key data is not encrypted +- `s2k_usage: 0x00`: [This *S2K usage* value](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-encryption-s2k-u) specifies that the secret-key data is not encrypted - `ed25519_secret`: [Algorithm-specific representation](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ed2) of the secret key data (the format is based on the value of `pk_algo`) -[^CTB]: Sequoia uses the term "CTB" (Cipher Type Byte) to refer to the RFC's ["Packet Tag"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers) +[^CTB]: Sequoia uses the term CTB (Cipher Type Byte) to refer to the RFC's [Packet 
Tag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers) ```{tip} The overall structure of OpenPGP packets is described in the [Packet Syntax](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-syntax) chapter of the RFC. ``` -Note that the "Secret-Key" Packet contains both the private and the public part of the key. +Note that the *Secret-Key packet* contains both the private and the public part of the key. #### Direct Key Signature -The next packet is a [*"Direct Key Signature"*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-direct-key), which is bound to the primary key (the file `alice.priv-1--Signature` contains this packet). +The next packet is a [*Direct Key Signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-direct-key), which is bound to the primary key (the file `alice.priv-1--Signature` contains this packet). -This packet "binds the information in the Signature subpackets to the key". Each entry under "Signature Packet -> Hashed area" is one Signature subpacket, for example, including information about algorithm preferences (*"Symmetric algo preferences"* and *"Hash preferences"*). +This packet "binds the information in the signature subpackets to the key". Each entry under "Signature Packet -> Hashed area" is one signature subpacket, for example, including information about algorithm preferences (*symmetric algorithm preference* and *hash algorithm preferences*). ```text Signature Packet, new CTB, 2 header bytes + 182 bytes 
@@ -486,10 +486,10 @@ Level: 0 (signature over data) Let’s look at the packet field by field: -- `CTB: 0xc2`: The Packet Tag for this packet. Bits 7 and 6 show that the packet is in “OpenPGP packet format” (as opposed to in “Legacy packet format”). The remaining 6 bits encode the Tag’s value: “2”. This is the value for a Signature Packet. +- `CTB: 0xc2`: The Packet Tag for this packet. Bits 7 and 6 show that the packet is in “OpenPGP packet format” (as opposed to in “Legacy packet format”). The remaining 6 bits encode the Tag’s value: “2.” This is the value for a Signature packet. - `length: 0xb6`: The remaining length of this packet. -The packet tag defines the semantics of the remaining data in the packet. We're looking at a [Signature Packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#signature-packet), so the following data is interpreted accordingly. +The packet tag defines the semantics of the remaining data in the packet. We're looking at a [Signature packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#signature-packet), so the following data is interpreted accordingly. - `version: 0x06`: This is a version 6 signature (some of the following packet format is specific to this signature version). - `type: 0x1f`: The [Signature Type](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-signature-types) 
@@ -497,29 +497,29 @@ The packet tag defines the semantics of the remaining data in the packet. We're - `hash_algo: 0x0a`: Hash algorithm (decimal 10, corresponds to [SHA2-512](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-hash-algorithms)) - `hashed_area_len: 0x0000003d`: Length of the following hashed subpacket data -The next part of this packet contains "hashed subpacket data." A "subpacket data set" in an OpenPGP Signature contains a list of zero or more "Signature subpackets." +The next part of this packet contains hashed subpacket data. A subpacket data set in an OpenPGP Signature contains a list of zero or more Signature subpackets. -There are two sets of "subpacket data" in a Signature: "hashed," and "unhashed." The difference is that the hashed subpackets are protected by the digital signature of this packet, while the unhashed subpackets are not. +There are two sets of subpacket data in a Signature: hashed, and unhashed. The difference is that the hashed subpackets are protected by the digital signature of this packet, while the unhashed subpackets are not. The following subpacket data consists of sets of "subpacket length, subpacket tag, data." We'll show the information for each subpacket as one line, starting with the [subpacket type description](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-signature-subpacket-specifi) (based on the subpacket tag). Note that bit 7 of the subpacket tag signals if that subpacket is ["critical"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#section-5.2.3.7-10)[^critical]. -[^critical]: "Critical" here means: the receiver must be able to interpret the subpacket and is expected to fail, otherwise. non-critical subpackets may be ignored by the receiver +[^critical]: Critical here means: the receiver must be able to interpret the subpacket and is expected to fail, otherwise. 
non-critical subpackets may be ignored by the receiver -- [Signature Creation Time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#signature-creation-subpacket) (subpacket type 2) *critical*: `0x6516eaa6` -- [Key Expiration Time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-expiration-subpacket) (subpacket type 9) *critical*: `0x05a48fbd` -- [Preferred Symmetric Ciphers for v1 SEIPD](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#preferred-v1-seipd) (type 11): `0x09 0x07`. (These values [correspond to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#symmetric-algos): "AES with 256-bit key" and "AES with 128-bit key") -- [Preferred Hash Algorithms](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#preferred-hashes-subpacket) (subpacket type 21): `0x0a 0x08`. (These values [correspond to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-hash-algorithms): "SHA2-512" and "SHA2-256") -- [Key Flags](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-flags) (subpacket type 27) *critical*: `0x01`. (This value [corresponds](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-flags) to the "certifications" key flag) +- [Signature creation time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#signature-creation-subpacket) (subpacket type 2) *critical*: `0x6516eaa6` +- [Key expiration time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-expiration-subpacket) (subpacket type 9) *critical*: `0x05a48fbd` +- [Preferred symmetric ciphers for v1 SEIPD](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#preferred-v1-seipd) (type 11): `0x09 0x07`. 
(These values [correspond to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#symmetric-algos): "AES with 256-bit key" and "AES with 128-bit key") +- [Preferred hash algorithms](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#preferred-hashes-subpacket) (subpacket type 21): `0x0a 0x08`. (These values [correspond to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-hash-algorithms): "SHA2-512" and "SHA2-256") +- [Key flags](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-flags) (subpacket type 27) *critical*: `0x01`. (This value [corresponds](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-flags) to the "certifications" key flag) - [Features](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#features-subpacket) (subpacket type 30): `0x01`. (This value [corresponds](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-features) to: "Symmetrically Encrypted Integrity Protected Data packet version 1") -- [Issuer Fingerprint](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#issuer-fingerprint-subpacket) (subpacket type 33): `aaa18cbb254685c58358320563fd37b67f3300f9fb0ec457378cd29f102698b3` (this is the fingerprint of the component key that issued the signature in this packet. Not that here, the value is the primary key fingerprint of the certificate we're looking at.) +- [Issuer fingerprint](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#issuer-fingerprint-subpacket) (subpacket type 33): `aaa18cbb254685c58358320563fd37b67f3300f9fb0ec457378cd29f102698b3` (this is the fingerprint of the component key that issued the signature in this packet. Not that here, the value is the primary key fingerprint of the certificate we're looking at.) 
The next part of this packet contains "unhashed subpacket data": - `unhashed_area_len: 0x0000000a`: Length of the following unhashed subpacket data. -As above, the following subpacket data consists of sets of "length, tag, data." In this case, only subpacket follows: +As above, the following subpacket data consists of sets of "subpacket length, subpacket tag, data." In this case, only subpacket follows: -- [Issuer Key ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#issuer-keyid-subpacket) (subpacket type 16): `aaa18cbb254685c5` (this is the shortened version 6 "Key ID" of the fingerprint of this certificate's primary key) +- [Issuer Key ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#issuer-keyid-subpacket) (subpacket type 16): `aaa18cbb254685c5` (this is the shortened version 6 *Key ID* of the fingerprint of this certificate's primary key) This concludes the unhashed subpacket data. @@ -557,7 +557,7 @@ gAIl6FM5SWuQxg12j0S07ExCOI5NPRDCrSnAV85mAXOzeIGeiVLPQ40oEal3CX/L $ sq packet dump --hex alice_minimal.pub ``` -The output now starts with a (primary) [Public-Key Packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-packet-formats): +The output now starts with a (primary) [Public-Key packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-packet-formats): ```text Public-Key Packet, new CTB, 2 header bytes + 42 bytes 
@@ -579,11 +579,11 @@ Public-Key Packet, new CTB, 2 header bytes + 42 bytes 00000020 eb e7 42 e2 ab 47 f4 86 b3 ae 65 3e ``` -Note that the packet is almost identical to the Secret Key Packet seen above. +Note that the packet is almost identical to the Secret-Key packet seen above. -The packet tag (called `CTB` in the output) has changed to the packet type ["Public-Key Packet"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-packet-tag-6) instead of "Secret-Key Packet." +The packet tag (called `CTB` in the output) has changed to the packet type [*Public-Key packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-packet-tag-6) instead of *Secret-Key packet*. -The two packet types are very similar. Compared to the "Secret-Key Packet" packet shown above, this "Public-Key Packet" just leaves out the last section, which contained the private-key related fields `s2k_usage` and `ed25519_secret`. +The two packet types are very similar. Compared to the *Secret-Key packet* shown above, this *Public-Key packet* just leaves out the last section, which contained the private-key related fields `s2k_usage` and `ed25519_secret`. The second packet in the certificate (the Direct Key Signature) is bit-for-bit identical as in the previous section. So we omit showing it again, here. @@ -605,7 +605,7 @@ The following text is unfinished and still needs processing/writing. **This point marks the end of the material that should be read/edited.** ``` -From here on, we'll look at the dumps in shorter format (you can see more detail by copying the certificates into the ["Sequoia OpenPGP Packet dumper"](https://dump.sequoia-pgp.org/) and checking the "HexDump" checkbox). +From here on, we'll look at the dumps in shorter format (you can see more detail by copying the certificates into the [Sequoia OpenPGP Packet dumper](https://dump.sequoia-pgp.org/) and checking the "HexDump" checkbox). ### User IDs 
From 5fdb9be451f628918b139c7ada15cbe9b20b23db Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Fri, 6 Oct 2023 22:11:21 +0200 Subject: [PATCH 10/56] ch4: minor edits to "Seen as an OpenPGP certificate" --- book/source/04-certificates.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 4af313d..5900b85 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -581,11 +581,9 @@ Public-Key Packet, new CTB, 2 header bytes + 42 bytes Note that the packet is almost identical to the Secret-Key packet seen above. -The packet tag (called `CTB` in the output) has changed to the packet type [*Public-Key packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-packet-tag-6) instead of *Secret-Key packet*. +The packet tag (called `CTB` in the output) shows the packet type is now [*Public-Key packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-packet-tag-6), instead of *Secret-Key packet*, above. Besides this change, this *Public-Key packet* only leaves out the last section, which contained the private-key related fields `s2k_usage` and `ed25519_secret`. -The two packet types are very similar. Compared to the *Secret-Key packet* shown above, this *Public-Key packet* just leaves out the last section, which contained the private-key related fields `s2k_usage` and `ed25519_secret`. - -The second packet in the certificate (the Direct Key Signature) is bit-for-bit identical as in the previous section. So we omit showing it again, here. +The following, second packet in the certificate (the Direct Key Signature) is bit-for-bit identical as in the previous section. So we omit showing it again, here. ```{figure} diag/pubcert-minimal.png :width: 40% 
@@ -593,7 +591,7 @@ The second packet in the certificate (the Direct Key Signature) is bit-for-bit i A minimal OpenPGP public certificate, visualized ``` -In the following examples, we will only look at OpenPGP keys that include the private key material. The corresponding "certificate" variants, which only contain the public key material, are easy to imagine: like here, they just leave out the private key material. +In the following examples, we will only look at OpenPGP keys that include the private key material. The corresponding "certificate" variants, which only contain the public key material, are easy to imagine: like here, their packet type is changed from a Secret-Key to a Public-Key variant, and they leave out the private key material. ### Subkeys From b1acb31ed0595f7421a67fcb526b7065e7a290ae Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Fri, 6 Oct 2023 23:59:23 +0200 Subject: [PATCH 11/56] ch4: zooming in, add subkey dumps --- book/source/04-certificates.md | 208 ++++++++++++++++++++++++++++++++- 1 file changed, 202 insertions(+), 6 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 5900b85..7105b53 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -593,17 +593,213 @@ A minimal OpenPGP public certificate, visualized In the following examples, we will only look at OpenPGP keys that include the private key material. The corresponding "certificate" variants, which only contain the public key material, are easy to imagine: like here, their packet type is changed from a Secret-Key to a Public-Key variant, and they leave out the private key material. -### Subkeys +### Encryption subkey -```{admonition} TODO -:class: warning +Now we'll look at a subkey in Alice's key. In the split version of Alice's key, the encryption subkey is in `alice.priv-4--SecretSubkey`, and the binding self-signature for the subkey in `alice.priv-5--Signature`. -The following text is unfinished and still needs processing/writing. +```text +$ sq packet dump --hex alice.priv-4--SecretSubkey +Secret-Subkey Packet, new CTB, 2 header bytes + 75 bytes + Version: 6 + Creation time: 2023-09-29 15:17:58 UTC + Pk algo: X25519 + Pk size: 256 bits + Fingerprint: C0A58384A438E5A14F73712426A4D45DBAEEF4A39E6B30B09D5513F978ACCA94 + KeyID: C0A58384A438E5A1 -**This point marks the end of the material that should be read/edited.** + Secret Key: + + Unencrypted + + 00000000 c7 CTB + 00000001 4b length + 00000002 06 version + 00000003 65 16 ea a6 creation_time + 00000007 19 pk_algo + 00000008 00 00 00 20 public_len + 0000000c d1 ae 87 d7 x25519_public + 00000010 cc 42 af 99 34 c5 c2 5c ca fa b7 4a c8 43 fc 86 + 00000020 35 2a 46 01 f3 cc 00 f5 4a 09 3e 3f + 0000002c 00 s2k_usage + 0000002d 28 7d cd x25519_secret + 00000030 da 26 16 37 8d ea 24 c7 ce e7 70 c7 9b e5 6f 0a + 00000040 c9 77 fb bd 23 41 73 c9 57 5a bf 7c 4c ``` -From here on, we'll look at the dumps in shorter format (you can see more detail by copying the certificates into the [Sequoia OpenPGP Packet dumper](https://dump.sequoia-pgp.org/) and checking the "HexDump" checkbox). +Notice that the structure of this *Secret-Subkey packet* is exactly the same as the *Secret-Key Packet*, above. 
The packet tag (`CTB`) is set to packet type 7, here (*Secret-Subkey packet*). + +The `pk_algo` value is set to 0x19 (or decimal) 25, which [corresponds to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms) X25519. + + +```text +$ sq packet dump --hex alice.priv-5--Signature +Signature Packet, new CTB, 2 header bytes + 171 bytes + Version: 6 + Type: SubkeyBinding + Pk algo: Ed25519 + Hash algo: SHA512 + Hashed area: + Signature creation time: 2023-09-29 15:17:58 UTC (critical) + Key expiration time: P1095DT62781S (critical) + Key flags: EtEr (critical) + Issuer Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 + Unhashed area: + Issuer: AAA18CBB254685C5 + Digest prefix: 2289 + Level: 0 (signature over data) + + 00000000 c2 CTB + 00000001 ab length + 00000002 06 version + 00000003 18 type + 00000004 1b pk_algo + 00000005 0a hash_algo + 00000006 00 00 00 32 hashed_area_len + 0000000a 05 subpacket length + 0000000b 82 subpacket tag + 0000000c 65 16 ea a6 sig creation time + 00000010 05 subpacket length + 00000011 89 subpacket tag + 00000012 05 a4 8f bd key expiry time + 00000016 02 subpacket length + 00000017 9b subpacket tag + 00000018 0c key flags + 00000019 22 subpacket length + 0000001a 21 subpacket tag + 0000001b 06 version + 0000001c aa a1 8c bb issuer fp + 00000020 25 46 85 c5 83 58 32 05 63 fd 37 b6 7f 33 00 f9 + 00000030 fb 0e c4 57 37 8c d2 9f 10 26 98 b3 + 0000003c 00 00 00 0a unhashed_area_len + 00000040 09 subpacket length + 00000041 10 subpacket tag + 00000042 aa a1 8c bb 25 46 85 c5 issuer + 0000004a 22 digest_prefix1 + 0000004b 89 digest_prefix2 + 0000004c 20 salt_len + 0000004d 0b 0c 89 salt + 00000050 b5 ab 15 e3 7f e4 4d b9 a7 ef 71 48 14 3b ab 26 + 00000060 5f 34 7f 6d 48 2e 9f 78 48 58 6d 9a fb + 0000006d 6d b2 db ed25519_sig + 00000070 2f 97 8e c8 12 fc 57 7f 85 aa d1 59 bc 80 40 0b + 00000080 be 2e f0 e1 23 2d bf 4b 71 7e d0 e4 c0 36 e4 d2 + 00000090 cf b2 9f b4 a8 
4f 3e 2a 21 89 74 c2 33 55 af ac + 000000a0 41 36 1b 2b 60 09 f2 d9 19 f4 41 12 0b +``` + +### Signing subkey + +```text +$ sq packet dump --hex alice.priv-6--SecretSubkey +Secret-Subkey Packet, new CTB, 2 header bytes + 75 bytes + Version: 6 + Creation time: 2023-09-29 15:17:58 UTC + Pk algo: Ed25519 + Pk size: 256 bits + Fingerprint: D07B24EC91A14DD240AC2D53E6C8A9E054949A41222EA738576ED19CAEA3DC99 + KeyID: D07B24EC91A14DD2 + + Secret Key: + + Unencrypted + + 00000000 c7 CTB + 00000001 4b length + 00000002 06 version + 00000003 65 16 ea a6 creation_time + 00000007 1b pk_algo + 00000008 00 00 00 20 public_len + 0000000c 33 8c d4 f5 ed25519_public + 00000010 1a 73 39 ef ce d6 0f 21 8d a0 58 a2 3c 3d 44 a8 + 00000020 59 e9 13 1f 12 9c 6f 19 d0 3d 40 a0 + 0000002c 00 s2k_usage + 0000002d 0e cb d1 ed25519_secret + 00000030 c9 bc 81 82 aa 77 1f a8 12 a6 2a 74 a4 20 c1 74 + 00000040 76 f3 86 24 fb a8 25 a5 62 dd d6 a2 91 +``` + +```text +$ sq packet dump --hex alice.priv-7--Signature +Signature Packet, new CTB, 3 header bytes + 325 bytes + Version: 6 + Type: SubkeyBinding + Pk algo: Ed25519 + Hash algo: SHA512 + Hashed area: + Signature creation time: 2023-09-29 15:17:58 UTC (critical) + Key expiration time: P1095DT62781S (critical) + Key flags: S (critical) + Embedded signature: (critical) + Signature Packet + Version: 6 + Type: PrimaryKeyBinding + Pk algo: Ed25519 + Hash algo: SHA512 + Hashed area: + Signature creation time: 2023-09-29 15:17:58 UTC (critical) + Issuer Fingerprint: D07B24EC91A14DD240AC2D53E6C8A9E054949A41222EA738576ED19CAEA3DC99 + Digest prefix: 5365 + Level: 0 (signature over data) + + Issuer Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 + Unhashed area: + Issuer: AAA18CBB254685C5 + Digest prefix: 841C + Level: 0 (signature over data) + + 00000000 c2 CTB + 00000001 c0 85 length + 00000003 06 version + 00000004 18 type + 00000005 1b pk_algo + 00000006 0a hash_algo + 00000007 00 00 00 cc hashed_area_len + 0000000b 05 
subpacket length + 0000000c 82 subpacket tag + 0000000d 65 16 ea sig creation time + 00000010 a6 + 00000011 05 subpacket length + 00000012 89 subpacket tag + 00000013 05 a4 8f bd key expiry time + 00000017 02 subpacket length + 00000018 9b subpacket tag + 00000019 02 key flags + 0000001a 99 subpacket length + 0000001b a0 subpacket tag + 0000001c 06 19 1b 0a embedded sig + 00000020 00 00 00 29 05 82 65 16 ea a6 22 21 06 d0 7b 24 + 00000030 ec 91 a1 4d d2 40 ac 2d 53 e6 c8 a9 e0 54 94 9a + 00000040 41 22 2e a7 38 57 6e d1 9c ae a3 dc 99 00 00 00 + 00000050 00 53 65 20 42 03 ad 0c db fc b5 9a 98 a6 15 27 + 00000060 e4 11 5e f5 f2 a0 3d bc ed 8d 94 27 41 09 f6 3c + 00000070 4b f8 8a e5 af 73 e1 7d 54 07 40 3f f3 29 34 c2 + 00000080 e7 60 56 a5 e1 43 cb 08 ba 66 fe 8b 26 ce e7 cb + 00000090 a5 3a 46 bb a5 c8 5d e4 6a de ae 49 e1 3e 07 bf + 000000a0 c4 9e 98 14 2f 3e c5 f7 01 3e 3e 4f f6 18 2a ac + 000000b0 bd ed 52 0c + 000000b4 22 subpacket length + 000000b5 21 subpacket tag + 000000b6 06 version + 000000b7 aa a1 8c bb 25 46 85 c5 83 issuer fp + 000000c0 58 32 05 63 fd 37 b6 7f 33 00 f9 fb 0e c4 57 37 + 000000d0 8c d2 9f 10 26 98 b3 + 000000d7 00 00 00 0a unhashed_area_len + 000000db 09 subpacket length + 000000dc 10 subpacket tag + 000000dd aa a1 8c issuer + 000000e0 bb 25 46 85 c5 + 000000e5 84 digest_prefix1 + 000000e6 1c digest_prefix2 + 000000e7 20 salt_len + 000000e8 23 3d b2 49 f3 02 4b 08 salt + 000000f0 93 af ba 08 89 f0 e0 91 0f ab 22 26 aa b3 56 57 + 00000100 30 ea 95 29 06 60 6f 00 + 00000108 be 44 a1 95 38 a9 6b 3a ed25519_sig + 00000110 3e 51 f0 55 09 b1 e2 91 a9 17 86 fa f5 1e 3f d0 + 00000120 28 46 3c ce 6e 88 14 37 32 ec 3d fa c6 01 ca e5 + 00000130 a9 4b b7 63 94 c3 0d 92 ab dc fa 23 50 71 60 31 + 00000140 a6 73 c8 33 5a 9c d9 0a +``` ### User IDs From 96d9eff25f1ae9eb93ae09320c59d9b0b560a746 Mon Sep 17 00:00:00 2001 
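Review bot: the new "Signing subkey" section in PATCH 11/56 is two dumps with no prose, so the one structural difference from the encryption subkey's binding signature goes unexplained. The `alice.priv-7--Signature` dump carries a critical "Embedded signature" subpacket of type PrimaryKeyBinding whose Issuer Fingerprint is the signing subkey's own, while the `alice.priv-5--Signature` dump has no such subpacket. Add at least a sentence saying that this embedded signature is made by the subkey over the binding and why only the signing-capable subkey carries it. Smaller points in the same hunk: "0x19 (or decimal) 25" has the parenthesis misplaced (should be "0x19 (decimal 25)"), and "*Secret-Key Packet*" uses a capital P where the previous patch in this series settled on "*Secret-Key packet*".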
From: Heiko Schaefer Date: Sat, 7 Oct 2023 15:31:30 +0200 Subject: [PATCH 12/56] ch4: zooming in, fix indentation of sq dump output --- book/source/04-certificates.md | 44 +++++++++++++++++----------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 7105b53..aec87b6 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -354,12 +354,12 @@ The output starts with the (primary) [Secret-Key packet](https://www.ietf.org/ar ```text Secret-Key Packet, new CTB, 2 header bytes + 75 bytes -Version: 6 -Creation time: 2023-09-29 15:17:58 UTC -Pk algo: Ed25519 -Pk size: 256 bits -Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 -KeyID: AAA18CBB254685C5 + Version: 6 + Creation time: 2023-09-29 15:17:58 UTC + Pk algo: Ed25519 + Pk size: 256 bits + Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 + KeyID: AAA18CBB254685C5 Secret Key: 
@@ -418,22 +418,22 @@ This packet "binds the information in the signature subpackets to the key". Each ```text Signature Packet, new CTB, 2 header bytes + 182 bytes -Version: 6 -Type: DirectKey -Pk algo: Ed25519 -Hash algo: SHA512 -Hashed area: -Signature creation time: 2023-09-29 15:17:58 UTC (critical) -Key expiration time: P1095DT62781S (critical) -Symmetric algo preferences: AES256, AES128 -Hash preferences: SHA512, SHA256 -Key flags: C (critical) -Features: MDC -Issuer Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 -Unhashed area: -Issuer: AAA18CBB254685C5 -Digest prefix: 6747 -Level: 0 (signature over data) + Version: 6 + Type: DirectKey + Pk algo: Ed25519 + Hash algo: SHA512 + Hashed area: + Signature creation time: 2023-09-29 15:17:58 UTC (critical) + Key expiration time: P1095DT62781S (critical) + Symmetric algo preferences: AES256, AES128 + Hash preferences: SHA512, SHA256 + Key flags: C (critical) + Features: MDC + Issuer Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 + Unhashed area: + Issuer: AAA18CBB254685C5 + Digest prefix: 6747 + Level: 0 (signature over data) 00000000 c2 CTB 00000001 b6 length From 74e3810e8452cfdb51aff6027d9d2a0380f38b6d Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Sat, 7 Oct 2023 15:34:49 +0200 Subject: [PATCH 13/56] ch4: zooming in, edits --- book/source/04-certificates.md | 40 +++++++++++++++++++--------------- 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index aec87b6..5f51224 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -342,7 +342,7 @@ ECaYswAAAAoJEKqhjLslRoXFZ0cgouNjgeNr0E9W18g4gAIl6FM5SWuQxg12j0S0 We'll now decode this OpenPGP data, and inspect the two packets in detail. -To generate the output, we run the Sequoia-PGP tool `sq`, using the `packet dump` subcommand. The output of `sq` is one block of text, but we'll break the output up into sections here, to discuss the content of each packet: +To inspect the internal structure of the OpenPGP data, we run the Sequoia-PGP tool `sq`, using the `packet dump` subcommand. The output of `sq` is one block of text, but to discuss the content of each packet we'll break the output up into sections here: ```text $ sq packet dump --hex alice_minimal.priv 
@@ -394,11 +394,11 @@ This means that the next part of the packet follows the structure of [Version 6 - `creation_time: 0x6516eaa6`: "The time that the key was created" (also see [Time Fields](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-time-fields)) - `pk_algo: 0x1b`: "The public-key algorithm of this key" (decimal value 27, see the list of [Public-Key Algorithms](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms)) - `public_len: 0x00000020`: "Octet count for the following public key material" (in this case, the length of the following `ed25519_public` field) -- `ed25519_public`: [Algorithm-specific representation](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ed2) of the public key material (the format is based on the value of `pk_algo`), in this case 32 bytes of the Ed25519 public key +- `ed25519_public`: [Algorithm-specific representation](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ed2) of the public key material (the format is based on the value of `pk_algo`), in this case 32 bytes of Ed25519 public key This concludes the Public Key section of the packet. 
The remaining data follows the [Secret-Key packet format](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-packet-formats): -- `s2k_usage: 0x00`: [This *S2K usage* value](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-encryption-s2k-u) specifies that the secret-key data is not encrypted +- `s2k_usage: 0x00`: This [*S2K usage* value](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-encryption-s2k-u) specifies that the secret-key data is not encrypted - `ed25519_secret`: [Algorithm-specific representation](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ed2) of the secret key data (the format is based on the value of `pk_algo`) [^CTB]: Sequoia uses the term CTB (Cipher Type Byte) to refer to the RFC's [Packet Tag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers) @@ -493,7 +493,7 @@ The packet tag defines the semantics of the remaining data in the packet. We're - `version: 0x06`: This is a version 6 signature (some of the following packet format is specific to this signature version). - `type: 0x1f`: The [Signature Type](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-signature-types) -- `pk_algo: 0x1b`: Public-key algorithm (decimal 27 corresponds, to [Ed25519](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms)) +- `pk_algo: 0x1b`: Public-key algorithm (decimal 27, corresponds to [Ed25519](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms)) - `hash_algo: 0x0a`: Hash algorithm (decimal 10, corresponds to [SHA2-512](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-hash-algorithms)) - `hashed_area_len: 0x0000003d`: Length of the following hashed subpacket data 
@@ -503,19 +503,19 @@ There are two sets of subpacket data in a Signature: hashed, and unhashed. The d The following subpacket data consists of sets of "subpacket length, subpacket tag, data." We'll show the information for each subpacket as one line, starting with the [subpacket type description](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-signature-subpacket-specifi) (based on the subpacket tag). Note that bit 7 of the subpacket tag signals if that subpacket is ["critical"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#section-5.2.3.7-10)[^critical]. -[^critical]: Critical here means: the receiver must be able to interpret the subpacket and is expected to fail, otherwise. non-critical subpackets may be ignored by the receiver +[^critical]: Critical here means: the receiver must be able to interpret the subpacket and is expected to fail, otherwise. Non-critical subpackets may be ignored by the receiver -- [Signature creation time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#signature-creation-subpacket) (subpacket type 2) *critical*: `0x6516eaa6` -- [Key expiration time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-expiration-subpacket) (subpacket type 9) *critical*: `0x05a48fbd` -- [Preferred symmetric ciphers for v1 SEIPD](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#preferred-v1-seipd) (type 11): `0x09 0x07`. (These values [correspond to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#symmetric-algos): "AES with 256-bit key" and "AES with 128-bit key") -- [Preferred hash algorithms](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#preferred-hashes-subpacket) (subpacket type 21): `0x0a 0x08`. 
(These values [correspond to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-hash-algorithms): "SHA2-512" and "SHA2-256") -- [Key flags](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-flags) (subpacket type 27) *critical*: `0x01`. (This value [corresponds](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-flags) to the "certifications" key flag) -- [Features](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#features-subpacket) (subpacket type 30): `0x01`. (This value [corresponds](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-features) to: "Symmetrically Encrypted Integrity Protected Data packet version 1") +- [Signature creation time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#signature-creation-subpacket) (subpacket type 2) *critical*: `0x6516eaa6` (also see [Time Fields](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-time-fields)) +- [Key expiration time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-expiration-subpacket) (subpacket type 9) *critical*: `0x05a48fbd` (also see [Time Fields](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-time-fields)) +- [Preferred symmetric ciphers for v1 SEIPD](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#preferred-v1-seipd) (type 11): `0x09 0x07`. (These values [correspond to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#symmetric-algos): *AES with 256-bit key* and *AES with 128-bit key*) +- [Preferred hash algorithms](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#preferred-hashes-subpacket) (subpacket type 21): `0x0a 0x08`. 
(These values [correspond to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-hash-algorithms): *SHA2-512* and *SHA2-256*) +- [Key flags](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-flags) (subpacket type 27) *critical*: `0x01`. (This value [corresponds](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-flags) to the *certifications* key flag) +- [Features](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#features-subpacket) (subpacket type 30): `0x01`. (This value [corresponds](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-features) to: *Symmetrically Encrypted Integrity Protected Data packet version 1*) - [Issuer fingerprint](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#issuer-fingerprint-subpacket) (subpacket type 33): `aaa18cbb254685c58358320563fd37b67f3300f9fb0ec457378cd29f102698b3` (this is the fingerprint of the component key that issued the signature in this packet. Not that here, the value is the primary key fingerprint of the certificate we're looking at.) The next part of this packet contains "unhashed subpacket data": -- `unhashed_area_len: 0x0000000a`: Length of the following unhashed subpacket data. +- `unhashed_area_len: 0x0000000a`: Length of the following unhashed subpacket data (value: 10 bytes). As above, the following subpacket data consists of sets of "subpacket length, subpacket tag, data." In this case, only subpacket follows: 
@@ -527,17 +527,21 @@ This concludes the unhashed subpacket data. - `salt_len, salt`: A random [salt value](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-advantages-of-salted-signat) (the size must be [matching for the hash algorithm](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#hash-algorithms-registry)) - `ed25519_sig`: [Algorithm-specific](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-fields-for-ed2) representation of the signature (in this case: 64 bytes of Ed25519 signature) +The signature is calculated over a hash. The hash, in this case, is calculated over the following data (for details, see [Computing Signatures](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-computing-signatures) in the RFC): + +- The signature's salt +- A serialized form of the primary key's public data +- A serialized form of this direct key signature packet (up to, but excluding the unhashed area) + ```{figure} diag/key-minimal.png :width: 40% A minimal OpenPGP key, visualized ``` -### Seen as an OpenPGP certificate +### Seen as a very minimal OpenPGP certificate -Let's now look at a "public key" view of the (very minimal) OpenPGP key above. That is, the same data, but without the private key material parts. - -An OpenPGP user might give such a certificate to a communication partner, or upload it to a key server: +Let's now look at a "public key" view of the (very minimal) OpenPGP key above. That is, the same data, but without the private key material parts. An OpenPGP user might give such a certificate to a communication partner, or upload it to a key server: ```text $ sq key extract-cert alice_minimal.priv 
@@ -801,9 +805,9 @@ Signature Packet, new CTB, 3 header bytes + 325 bytes 00000140 a6 73 c8 33 5a 9c d9 0a ``` -### User IDs +### User ID -User IDs are a mechanism for attaching *identities* to an OpenPGP certificate. Typically, a User ID will contain a name and an email address. +User IDs are a mechanism for attaching *identities* to an OpenPGP certificate. Traditionally, User IDs contain a string that combines a name and an email address. To look into these, we'll make a certificate that has one [User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#uid). User IDs are *"intended to represent the name and email address of the key holder"*. A certificate can have multiple User IDs associated with it. From 8bf3440373819db24aaf288fc615a51655f33d9b Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Sat, 7 Oct 2023 16:14:02 +0200 Subject: [PATCH 14/56] ch4: zooming in, write subkey sections --- book/source/04-certificates.md | 53 ++++++++++++++++++++++++++++++++-- 1 file changed, 50 insertions(+), 3 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 5f51224..8d2ae8c 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
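Review bot: the "Computing Signatures" link added in the @@ -527,17 hunk of PATCH 13/56 points at draft-ietf-openpgp-crypto-refresh-11, while every other RFC link visible in this patch uses crypto-refresh-10. Use one draft revision throughout the chapter so the section anchors and quoted wording refer to the same text. Two context lines in the @@ -503,19 hunk are also worth fixing in this editing pass: "Not that here, the value is the primary key fingerprint" should be "Note that here", and "In this case, only subpacket follows:" is missing "one".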
@@ -599,7 +599,18 @@ In the following examples, we will only look at OpenPGP keys that include the pr ### Encryption subkey -Now we'll look at a subkey in Alice's key. In the split version of Alice's key, the encryption subkey is in `alice.priv-4--SecretSubkey`, and the binding self-signature for the subkey in `alice.priv-5--Signature`. +Now we'll look at a subkey in Alice's key. An OpenPGP subkey, when it is linked to an OpenPGP certificate, effectively consists of two elements: + +- a key packet that contains the component key itself, and +- a signature packet that links this component key to the primary key (and thus implicitly to the full OpenPGP certificate). + +In this section, we'll use the files that contain individual packets of Alice's key, which we generated above. In this split representation of Alice's key, the encryption subkey happens to be stored in `alice.priv-4--SecretSubkey`, and the associated binding self-signature for the subkey in `alice.priv-5--Signature`. + +If we were looking at a regular (not split apart) OpenPGP key, we would look at the output of something like `$ sq packet dump --hex alice.priv`, and would be shown a longer series of packets. That series would contain the two packets we'll now look at, with the exact same content. They would just be slightly harder to locate, in the larger context of a full OpenPGP key. + +#### Secret-Subkey packet + +First, we'll look at the *Secret-Subkey packet* that contains the component key data of this subkey: ```text $ sq packet dump --hex alice.priv-4--SecretSubkey 
@@ -630,10 +641,21 @@ Secret-Subkey Packet, new CTB, 2 header bytes + 75 bytes 00000040 c9 77 fb bd 23 41 73 c9 57 5a bf 7c 4c ``` -Notice that the structure of this *Secret-Subkey packet* is exactly the same as the *Secret-Key Packet*, above. The packet tag (`CTB`) is set to packet type 7, here (*Secret-Subkey packet*). +Notice that the structure of this *Secret-Subkey packet* is the same as the *Secret-Key Packet* of the primary key, above. Only the content of the two packets differs in some points: -The `pk_algo` value is set to 0x19 (or decimal) 25, which [corresponds to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms) X25519. +- The packet tag (`CTB`) in this packet shows type 7 ([*Secret-Subkey packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-subkey-packet-tag-7)). +- The `pk_algo` value is set to `0x19` (decimal 25), which [corresponds to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms) X25519. Note that even though both the primary key and this subkey use a cryptographic mechanism based on Curve25519, this encryption key uses Curve 25519 in a different way (X25519 is a Diffie–Hellman function built out of Curve25519). +- Accordingly, both parts of the cryptographic key pair are labeled with the corresponding names `x25519_public` and `x25519_secret` (however, note that this difference only reflects the semantics of the fields, which are implied by the value of `pk_algo`. The actual data in both fields consists of just 32 bytes of cryptographic key material, without any type information.) +#### Subkey binding signature + +The subkey packet above by itself is disconnected from the OpenPGP certificate that it is a part of. The link between the subkey and the full OpenPGP key is made with a cryptographic signature, which is issued by the OpenPGP key's primary key. 
+ +The type of signature that is used for this is called a *subkey binding signature*, because it "binds" (as in "connects") the subkey to the rest of the key. + +In addition to its core purpose of making the connection, this signature also contains additional metadata about the subkey. One reason why this metadata is in a binding signature (and not in the subkey packet) is that it may change over time. The subkey packet itself may not change over time. So metadata about the subkey that can change is stored in self-signatures: if the key holder wants to change some metadata (for example, the key's expiration time), they can issue a newer version of the same kind of signature. Receiving OpenPGP software will then understand that the newer self-signature supercedes the older signature, and that the metadata in the newer signature reflects the most current intent of the key holder. + +Note that this subkey binding signature packet is quite similar to the Direct Key Signature we discussed packet above. Both signatures perform the same function in terms of adding metadata to a component key. In particular, the hashed subpacket data contains many of the same pieces of metadata. ```text $ sq packet dump --hex alice.priv-5--Signature 
@@ -691,6 +713,31 @@ Signature Packet, new CTB, 2 header bytes + 171 bytes 000000a0 41 36 1b 2b 60 09 f2 d9 19 f4 41 12 0b ``` +We'll go over this packet dump in less detail, since its structure mirrors the *Direct Key Signature* (described above) very closely. + +The first difference is in the `type` field, showing that this signature is of type `0x18` ([Subkey Binding Signature](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-subkey-binding-signature-si)). + +The `pk_algo` of this signature is informed by the algorithm of the primary key (`0x1b`, corresponding to Ed25519). The signature in this packet is issued by the primary key, so by definition it uses the signing algorithm of the primary key (that is: the algorithm used to produce the cryptographic signature in this packet is entire independent of the `pk_algo` of the key material of this subkey itself, which uses the X25519 mechanism). + +As shown in the header of this packet dump, the hashed subpacket data contains four pieces of information: + +- Signature creation time: `2023-09-29 15:17:58 UTC` (**critical**) +- Key expiration time: `P1095DT62781S` (**critical**) +- Key flags: `EtEr` (**critical**) (encryption for communication, encryption for storage) +- Issuer Fingerprint: `AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3` + +The remainder of the packet has the same content as the *Direct Key Signature* above: +- A 16 bit digest prefix +- A salt value +- The cryptographic signature itself + +The signature is calculated over a hash. 
The hash, in this case, is calculated over the following data (for details, see [Computing Signatures](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-computing-signatures) in the RFC): + +- The signature's salt +- A serialized form of the primary key's public data +- A serialized form of the subkey's public data +- A serialized form of this subkey binding signature packet (up to, but excluding the unhashed area) + ### Signing subkey ```text From fd2469e0e4762b4d969077edac1b61258a0aa4a1 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Mon, 9 Oct 2023 18:57:56 +0200 Subject: [PATCH 15/56] ch4: make links for "more on this below" pointers --- book/source/04-certificates.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 8d2ae8c..e80769b 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -93,7 +93,7 @@ In the RFC, the OpenPGP primary key is also sometimes referred to as "top-level In addition to the primary key, modern OpenPGP certificates usually contain a number of "subkeys" (however, it's not technically necessary for a certificate to contain subkeys). -Subkeys have the same structure as the primary key, but they are used in a different role. Subkeys are cryptographically linked with the primary key (more on this below). +Subkeys have the same structure as the primary key, but they are used in a different role. Subkeys are cryptographically linked with the primary key (more on this in {numref}`binding_subkeys`). ```{figure} diag/Subkeys.png :name: Certificate with Subkeys 
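Review bot: in the `@@ -691,6 +713,31 @@` hunk (the subkey binding signature walkthrough), the added links mix two spec drafts: the Subkey Binding Signature link points at draft-ietf-openpgp-crypto-refresh-10 while the Computing Signatures link points at crypto-refresh-11. Pick one draft for the chapter so that section anchors stay consistent. In the same hunk, "is entire independent of" should be "is entirely independent of", and the list under "The remainder of the packet has the same content" has no blank line before its first item, unlike the other lists added here.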
@@ -140,8 +140,14 @@ OpenPGP certificates can contain any number of User IDs One User ID in a certificate has the special property of being the [Primary User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-primary-user-id). -User IDs are associated with preference settings (such as preferred encryption algorithms, more on this below). The preferences associated with the Primary User ID are used by default. +User IDs are associated with preference settings (such as preferred encryption algorithms, more on this in {numref}`zooming_in_user_id`). The preferences associated with the Primary User ID are used by default. +```{admonition} TODO +:class: warning + +i think crypto-refresh suggests that the direct key signature should hold the default preferences? +we might need to write a more nuanced text here, about how DKS and primary user id interact in v6, and mention the differences to v4? +``` #### User attributes @@ -172,6 +178,7 @@ Note, though, that there are some cases where third parties legitimately add "un [^flooding]: Storing third-party identity certifications in the target OpenPGP certificate is convenient for consumers: it is easy to find all relevant certifications in one central location. However, when third parties can unilaterally add certifications, this opens an avenue for denial-of-service attacks by flooding. The SKS network of OpenPGP key servers [allowed and experienced this problem](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html). +(binding_subkeys)= #### Binding subkeys to an OpenPGP certificate Linking a subkey to an OpenPGP certificate is done with a ["Subkey Binding Signature"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-subkey-binding). Such a signature signals that the "primary key wants to be associated with the subkey". 
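Review bot: the TODO admonition added in the `@@ -140,8 +140,14 @@` hunk questions the sentence directly above it ("The preferences associated with the Primary User ID are used by default"), yet that sentence stays in the text as a plain statement. Until the question of how the direct key signature and the Primary User ID interact in v6 is settled, soften the sentence or scope it to v4. The commit subject only mentions link changes, so the TODO would be easier to track in a commit of its own.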
@@ -852,6 +859,7 @@ Signature Packet, new CTB, 3 header bytes + 325 bytes 00000140 a6 73 c8 33 5a 9c d9 0a ``` +(zooming_in_user_id)= ### User ID User IDs are a mechanism for attaching *identities* to an OpenPGP certificate. Traditionally, User IDs contain a string that combines a name and an email address. From 74710d804a84934900c5259cb77f5605b02d9d62 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Mon, 9 Oct 2023 19:19:30 +0200 Subject: [PATCH 16/56] ch4: clarify the primary key can't confer validity beyond its own --- book/source/04-certificates.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index e80769b..8d5e787 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -83,6 +83,8 @@ The "OpenPGP primary key" is a component key that serves a central role in an Op - Its fingerprint is used as the unique identifier for the full OpenPGP certificate. - It is used for lifecycle operations, such as adding or invalidating subkeys or identities in a certificate. +The validity of the primary key limits its capacity to confer validity to other components. E.g.: The primary key cannot confer an expiration time beyond its own expiration to a subkey. It can also not confer validity to components after it has been revoked. + ```{admonition} Terminology :class: note From 1f89d39740cde88c91f90056deeab21a045841eb Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Mon, 9 Oct 2023 19:30:16 +0200 Subject: [PATCH 17/56] ch4: link to glossary for "CA" --- book/source/04-certificates.md | 2 +- book/source/18-glossary.md | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 8d5e787..3f442ae 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -40,7 +40,7 @@ We sometimes collectively refer to component keys and identity information as "t Typical components in an OpenPGP certificate ``` -All elements in an OpenPGP certificate are structured around one central component: the *OpenPGP primary key*. The primary key acts as a personal CA for the certificate's owner: It can make cryptographic statements about subkeys, identities, expiration, revocation, ... +All elements in an OpenPGP certificate are structured around one central component: the *OpenPGP primary key*. The primary key acts as a personal {term}`CA` for the certificate's owner: It can make cryptographic statements about subkeys, identities, expiration, revocation, ... ```{note} OpenPGP certificates are typically long-lived and may be changed (typically by their owner), over time. Components can be added and invalidated, over the lifetime of a certificate diff --git a/book/source/18-glossary.md b/book/source/18-glossary.md index 8c69f3b..31d8674 100644 --- a/book/source/18-glossary.md +++ b/book/source/18-glossary.md @@ -9,6 +9,9 @@ Authentication Certification "Third party Signature" on a certificate, making a statement about that certificate, or an identity in the certificate +CA + [Certificate authority](https://en.wikipedia.org/wiki/Certificate_authority) or certification authority. An entity that handles digital certificates, especially by signing or issuing them. + Delegation See {term}`Trust signature` From 66087b3ec93167d2b2f62c3607c225a8c1020d3c Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Mon, 9 Oct 2023 19:31:31 +0200 Subject: [PATCH 18/56] ch4: clarify terms, use "identity components" --- book/source/04-certificates.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 3f442ae..bc1335a 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -125,8 +125,11 @@ It is considered good practice to have separate component keys for each type of [^key-flag-sharing]: With ECC algorithms, it's actually not possible to share encryption functionality with the signing-based functionalities, e.g.: ed25519 used for signing; cv25519 used for encryption. +(identity_components)= ### Identity components +Identity components in an OpenPGP certificate are used by the certificate holder to state that they are known by a certain identifier (like a name, or an email address). + #### User IDs An OpenPGP certificate can contain any number of [User IDs](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-id-packet-tag-13). Each User ID associates the certificate with an identity. 
@@ -165,11 +168,11 @@ Internally, an OpenPGP certificate consists of a sequence of OpenPGP packets. Th [^tpk]: When stored in a file, OpenPGP certificates are in a format called [transferable public key](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-transferable-public-keys). -However, the owner of a certificate doesn't want a third party to add subkeys (or add identity claims) to their certificate, pretending that the certificate owner put those components there. +However, the owner of a certificate doesn't want a third party to add subkeys (or add [identity components](identity_components)) to their certificate, pretending that the certificate owner put those components there. To prevent malicious addition of components, OpenPGP uses cryptographic signatures. These signatures show that components have been added by the owner of the OpenPGP certificate (these linking signatures are issued by the primary key of the certificate). -So while anyone can still unilaterally store unrelated subkeys and identity claims in an OpenPGP certificate dataset, OpenPGP implementations that read this file should discard components that don't have a valid cryptographic connection with the certificate. +So while anyone can still unilaterally store unrelated subkeys and [identity components](identity_components) in an OpenPGP certificate dataset, OpenPGP implementations that read this file should discard components that don't have a valid cryptographic connection with the certificate. (Conversely, it's easy for a third party to leave out packets when passing on an OpenPGP certificate. An attacker can, for example, choose to omit revocation packets. The recipient of such a partial copy has no way to notice the omission, without access to a different source for the certificate that contains the revocation packet.) From 134407ee2f232feecc59ac806ce47c2184be8164 Mon Sep 17 00:00:00 2001 
From: Heiko Schaefer Date: Tue, 10 Oct 2023 12:53:23 +0200 Subject: [PATCH 19/56] ch4: add a TODO note --- book/source/04-certificates.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index bc1335a..9f88ca0 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -290,6 +290,12 @@ Wiktor suggests to check: https://blogs.gentoo.org/mgorny/2018/08/13/openpgp-key (unbound_user_ids)= ### Adding unbound User IDs to a certificate +```{admonition} TODO +:class: warning + +references/links missing +``` + Some OpenPGP subsystems may add User IDs to a certificate, which are not bound to the primary key by the certificate's owner. This can be useful to store local identity information (e.g., Sequoia's public store attaches "pet-names" to certificates, in this way). ## Zooming in: Packet structure From a1fe545e884db81a469fa3950c1ef82aa4d04b47 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Tue, 10 Oct 2023 12:52:14 +0200 Subject: [PATCH 20/56] ch4: add a note that the example key isn't password protected Add link to ch5 for discussion of encrypted private key material. --- book/source/04-certificates.md | 3 +++ book/source/05-private.md | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 9f88ca0..7790c74 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -306,6 +306,9 @@ Now that we've established the concepts of the components that OpenPGP certifica We'll start with a very minimal version of [](alice_priv), stored as a *transferable secret key* ([RFC 10.2.](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#transferable-secret-keys)) (that is, including private key material). +Note that the secret key material we're using in this chapter is not password protected. To learn more about encrypting private key material with passwords in OpenPGP, see +{numref}`encrypted_secrets`. + In this section, we use the Sequoia-PGP tool `sq` to handle and transform our example OpenPGP key, and to inspect internal OpenPGP packet data. One way to produce this minimal version of Alice's key is: diff --git a/book/source/05-private.md b/book/source/05-private.md index ae4d001..a0bf8de 100644 --- a/book/source/05-private.md +++ b/book/source/05-private.md @@ -12,6 +12,16 @@ https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-transferable-secret-keys +(encrypted_secrets)= +## Password protecting secret key material + +```{admonition} TODO +:class: warning + +S2K, symmetric encryption +``` + + ## Private key operations The core of private key operations doesn't require access to the whole certificate. A private key subsystem only needs to handle the cryptographic key material. From c1acc328d0234adf559681b4a2e9c21f9939a31c Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Tue, 10 Oct 2023 13:23:52 +0200 Subject: [PATCH 21/56] ch4: move "criticality" footnote into a more visible note block --- book/source/04-certificates.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 7790c74..841a49e 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -522,9 +522,11 @@ The next part of this packet contains hashed subpacket data. A subpacket data se There are two sets of subpacket data in a Signature: hashed, and unhashed. The difference is that the hashed subpackets are protected by the digital signature of this packet, while the unhashed subpackets are not. -The following subpacket data consists of sets of "subpacket length, subpacket tag, data." We'll show the information for each subpacket as one line, starting with the [subpacket type description](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-signature-subpacket-specifi) (based on the subpacket tag). Note that bit 7 of the subpacket tag signals if that subpacket is ["critical"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#section-5.2.3.7-10)[^critical]. +The following subpacket data consists of sets of "subpacket length, subpacket tag, data." We'll show the information for each subpacket as one line, starting with the [subpacket type description](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-signature-subpacket-specifi) (based on the subpacket tag). Note that bit 7 of the subpacket tag signals if that subpacket is ["critical"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#section-5.2.3.7-10). -[^critical]: Critical here means: the receiver must be able to interpret the subpacket and is expected to fail, otherwise. Non-critical subpackets may be ignored by the receiver +```{note} +Critical here means: the receiver must be able to interpret the subpacket and is expected to fail, otherwise. Non-critical subpackets may be ignored by the receiver. 
+``` - [Signature creation time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#signature-creation-subpacket) (subpacket type 2) *critical*: `0x6516eaa6` (also see [Time Fields](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-time-fields)) - [Key expiration time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-expiration-subpacket) (subpacket type 9) *critical*: `0x05a48fbd` (also see [Time Fields](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-time-fields)) From af355ae81e257fde789904536f2d4c419e1ecade Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Tue, 10 Oct 2023 13:24:12 +0200 Subject: [PATCH 22/56] ch4: adjust markup/styling of critical flags --- book/source/04-certificates.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 841a49e..370f04f 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -528,11 +528,11 @@ The following subpacket data consists of sets of "subpacket length, subpacket ta Critical here means: the receiver must be able to interpret the subpacket and is expected to fail, otherwise. Non-critical subpackets may be ignored by the receiver. ``` -- [Signature creation time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#signature-creation-subpacket) (subpacket type 2) *critical*: `0x6516eaa6` (also see [Time Fields](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-time-fields)) -- [Key expiration time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-expiration-subpacket) (subpacket type 9) *critical*: `0x05a48fbd` (also see [Time Fields](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-time-fields)) +- [Signature creation time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#signature-creation-subpacket) (subpacket type 2, **critical**): `0x6516eaa6` (also see [Time Fields](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-time-fields)) +- [Key expiration time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-expiration-subpacket) (subpacket type 9, **critical**): `0x05a48fbd` (also see [Time Fields](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-time-fields)) - [Preferred symmetric ciphers for v1 SEIPD](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#preferred-v1-seipd) (type 11): `0x09 0x07`. (These values [correspond to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#symmetric-algos): *AES with 256-bit key* and *AES with 128-bit key*) - [Preferred hash algorithms](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#preferred-hashes-subpacket) (subpacket type 21): `0x0a 0x08`. 
(These values [correspond to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-hash-algorithms): *SHA2-512* and *SHA2-256*) -- [Key flags](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-flags) (subpacket type 27) *critical*: `0x01`. (This value [corresponds](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-flags) to the *certifications* key flag) +- [Key flags](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-flags) (subpacket type 27, **critical**): `0x01`. (This value [corresponds](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-flags) to the *certifications* key flag) - [Features](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#features-subpacket) (subpacket type 30): `0x01`. (This value [corresponds](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-features) to: *Symmetrically Encrypted Integrity Protected Data packet version 1*) - [Issuer fingerprint](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#issuer-fingerprint-subpacket) (subpacket type 33): `aaa18cbb254685c58358320563fd37b67f3300f9fb0ec457378cd29f102698b3` (this is the fingerprint of the component key that issued the signature in this packet. Not that here, the value is the primary key fingerprint of the certificate we're looking at.) From 2a3605f7318e1115e8ba820bf1c3c76e081ea220 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Tue, 10 Oct 2023 13:51:57 +0200 Subject: [PATCH 23/56] ch4: move diagram up --- book/source/04-certificates.md | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 370f04f..408ccfb 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -343,6 +343,24 @@ This version of Alice's key contains just two packets: - The [*Secret-Key packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-packet-formats) for the primary key, and - A [*Direct Key Signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-direct-key) (a self-signature that binds metadata to the primary key). +This is the shape of the packets we'll be looking at, in the following two sections: + +```{figure} diag/key-minimal.png +:width: 40% + +A minimal OpenPGP key, visualized +``` + +```{admonition} VISUAL +:class: warning + +This diagram needs adjustments about + - what exactly is signed + - fix naming of fields? + +We could show repeat-copies of the individual packet visualization again, below for each packet-related section. +``` + In the real world, you won't usually encounter an OpenPGP key that is quite this minimal. However, this is technically a valid OpenPGP key (and we'll add more components to it, later in this section). In ASCII-armored representation, this very minimal key looks like this: @@ -556,12 +574,6 @@ The signature is calculated over a hash. The hash, in this case, is calculated o - A serialized form of the primary key's public data - A serialized form of this direct key signature packet (up to, but excluding the unhashed area) -```{figure} diag/key-minimal.png -:width: 40% - -A minimal OpenPGP key, visualized -``` - ### Seen as a very minimal OpenPGP certificate Let's now look at a "public key" view of the (very minimal) OpenPGP key above. That is, the same data, but without the private key material parts. An OpenPGP user might give such a certificate to a communication partner, or upload it to a key server: From bab5e427e97f6ebd18b471841c937bf84ad10f5d Mon Sep 17 00:00:00 2001 
From: Heiko Schaefer Date: Tue, 10 Oct 2023 13:55:33 +0200 Subject: [PATCH 24/56] ch4: add a section to talk about "no more user facing hex fingerprints in v6" --- book/source/04-certificates.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 408ccfb..60da4d6 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -261,6 +261,16 @@ This section only contains notes and still needs to be written Minimized versions, merging, effective "append only" semantics, ... +### "Naming" a certificate in user-facing contexts - fingerprints and beyond + +```{admonition} TODO +:class: warning + +In v4, a 20 byte fingerprint in hex representation was used to name certificates, even in user-facing contexts. + +For v6, this type of approach is discouraged, but a replacement mechanism is still pending. +``` + ### Merging - How to merge two copies of the same certificate? From 69f7eb60e5fd9c057e85f4da93a1b313aab8f918 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Tue, 10 Oct 2023 14:46:15 +0200 Subject: [PATCH 25/56] ch4: clarify linking --- book/source/04-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 60da4d6..c024a47 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -644,7 +644,7 @@ In the following examples, we will only look at OpenPGP keys that include the pr ### Encryption subkey -Now we'll look at a subkey in Alice's key. An OpenPGP subkey, when it is linked to an OpenPGP certificate, effectively consists of two elements: +Now we'll look at a subkey in Alice's key. An OpenPGP subkey, when it is linked to an OpenPGP certificate (via its primary key), effectively consists of two elements: - a key packet that contains the component key itself, and - a signature packet that links this component key to the primary key (and thus implicitly to the full OpenPGP certificate). From d1203075d1a8091dfd9eb0e2c11a08114b5a3467 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Tue, 10 Oct 2023 15:03:09 +0200 Subject: [PATCH 26/56] ch4: move text into a "note" block And add a remark that a visualization would help. --- book/source/04-certificates.md | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index c024a47..ea794d7 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -651,7 +651,30 @@ Now we'll look at a subkey in Alice's key. An OpenPGP subkey, when it is linked In this section, we'll use the files that contain individual packets of Alice's key, which we generated above. In this split representation of Alice's key, the encryption subkey happens to be stored in `alice.priv-4--SecretSubkey`, and the associated binding self-signature for the subkey in `alice.priv-5--Signature`. -If we were looking at a regular (not split apart) OpenPGP key, we would look at the output of something like `$ sq packet dump --hex alice.priv`, and would be shown a longer series of packets. That series would contain the two packets we'll now look at, with the exact same content. They would just be slightly harder to locate, in the larger context of a full OpenPGP key. + +````{note} +It's common to look at a packet dump for a full OpenPGP key (not split apart), like this: + +```text +$ sq packet dump --hex alice.priv +``` + +That output shows a much longer series of packets (as shown in the diagram below). This output will contain the two packets we now look at, with the exact same data, but they would be a bit harder to locate visually. + +```{admonition} VISUAL +:class: warning + +Show a very abstract diagram of packets in a typical full OpenPGP key: +- Secret-Key packet +- Direct Key Signature +- User ID +- Certifying self-signature for User ID +- Secret-Subkey packet +- Subkey binding signature +- Secret-Subkey packet +- Subkey binding signature +``` +```` #### Secret-Subkey packet From 1aa4696f3eb5b603c55bd0d01d2dfd9f7b08d643 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Tue, 10 Oct 2023 16:26:31 +0200 Subject: [PATCH 27/56] ch4: add todo notes --- book/source/04-certificates.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index ea794d7..32e2e31 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -721,7 +721,22 @@ The subkey packet above by itself is disconnected from the OpenPGP certificate t The type of signature that is used for this is called a *subkey binding signature*, because it "binds" (as in "connects") the subkey to the rest of the key. -In addition to its core purpose of making the connection, this signature also contains additional metadata about the subkey. One reason why this metadata is in a binding signature (and not in the subkey packet) is that it may change over time. The subkey packet itself may not change over time. So metadata about the subkey that can change is stored in self-signatures: if the key holder wants to change some metadata (for example, the key's expiration time), they can issue a newer version of the same kind of signature. Receiving OpenPGP software will then understand that the newer self-signature supercedes the older signature, and that the metadata in the newer signature reflects the most current intent of the key holder. +```{admonition} VISUAL +:class: warning + +Add detailed packet diagram analogous to 4.6.1 +``` + +```{admonition} TODO +:class: warning + +david points out: "The information on metadata in binding signatures may also make sense in other contexts (direct key signature)?" + +Should this text go elsewhere? +- 4.2.3? +- ch 6? +``` +In addition to its core purpose of making the connection, this signature also contains additional metadata about the subkey. One reason why this metadata is in a binding signature (and not in the subkey packet) is that it may change over time. The subkey packet itself may not change over time. So metadata about the subkey that can change is stored in self-signatures: if the key holder wants to change some metadata (for example, the key's expiration time), they can issue a newer version of the same kind of signature. 
Receiving OpenPGP software will then understand that the newer self-signature supersedes the older signature, and that the metadata in the newer signature reflects the most current intent of the key holder. Note that this subkey binding signature packet is quite similar to the Direct Key Signature we discussed packet above. Both signatures perform the same function in terms of adding metadata to a component key. In particular, the hashed subpacket data contains many of the same pieces of metadata. @@ -808,6 +823,12 @@ The signature is calculated over a hash. The hash, in this case, is calculated o ### Signing subkey +```{admonition} TODO +:class: warning + +write +``` + ```text $ sq packet dump --hex alice.priv-6--SecretSubkey Secret-Subkey Packet, new CTB, 2 header bytes + 75 bytes From 3688054f4fe8259d23779f7ef6c21dfcc526d18a Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Wed, 11 Oct 2023 20:37:31 +0200 Subject: [PATCH 28/56] ch4: restructure packet splitting text sections --- book/source/04-certificates.md | 48 ++++++++++++++++++++-------------- 1 file changed, 29 insertions(+), 19 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 32e2e31..83c5e22 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -321,13 +321,16 @@ Note that the secret key material we're using in this chapter is not password pr In this section, we use the Sequoia-PGP tool `sq` to handle and transform our example OpenPGP key, and to inspect internal OpenPGP packet data. -One way to produce this minimal version of Alice's key is: +(split_alice)= +#### Splitting an OpenPGP key into packets + +One way to produce a very minimal version of Alice's key is to split her full key into its component packets, and join only the relevant ones back together into a variant of the key. ```text $ sq packet split alice.priv ``` -With this command, `sq` generates a set of files, one for each packet in `alice.priv`: +With this command, `sq` generates a set of files, each containing an individual OpenPGP packet of the original full key in `alice.priv`: ```text alice.priv-0--SecretKey @@ -342,12 +345,32 @@ alice.priv-8--SecretSubkey alice.priv-9--Signature ``` +```{admonition} VISUAL +:class: warning + +Show a very abstract diagram of the packets of Alice's OpenPGP key (above): +- Secret-Key packet +- Direct Key Signature +- User ID +- Certifying self-signature for User ID +- Secret-Subkey packet +- Subkey binding signature +- Secret-Subkey packet +- Subkey binding signature +- Secret-Subkey packet +- Subkey binding signature +``` + +#### Joining packets into an OpenPGP key + For our first step, we'll use just the first two of these packets, and join them together as a private key: ```text $ sq packet join alice.priv-0--SecretKey alice.priv-1--Signature --output alice_minimal.priv ``` +#### Inspecting this key + This version of Alice's key contains just two packets: - The [*Secret-Key packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-packet-formats) for the primary key, and 
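Review bot: the new heading `#### Inspecting this key` in the `@@ -342,12 +345,32 @@` hunk depends on the preceding section to say which key is meant, which reads poorly in a table of contents or when linked to directly. Something like "Inspecting the minimal key" would stand on its own, matching the descriptive form of the two headings added before it in this patch.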
@@ -649,31 +672,18 @@ Now we'll look at a subkey in Alice's key. An OpenPGP subkey, when it is linked - a key packet that contains the component key itself, and - a signature packet that links this component key to the primary key (and thus implicitly to the full OpenPGP certificate). -In this section, we'll use the files that contain individual packets of Alice's key, which we generated above. In this split representation of Alice's key, the encryption subkey happens to be stored in `alice.priv-4--SecretSubkey`, and the associated binding self-signature for the subkey in `alice.priv-5--Signature`. - +In this section, we'll use the files that contain individual packets of Alice's key, which we split apart above. In this split representation of Alice's key, the encryption subkey happens to be stored in `alice.priv-4--SecretSubkey`, and the associated binding self-signature for the subkey in `alice.priv-5--Signature`. ````{note} -It's common to look at a packet dump for a full OpenPGP key (not split apart), like this: +It's common to look at a packet dump for a full OpenPGP key, like this: ```text $ sq packet dump --hex alice.priv ``` -That output shows a much longer series of packets (as shown in the diagram below). This output will contain the two packets we now look at, with the exact same data, but they would be a bit harder to locate visually. +That command shows the details for the full series of packets in an OpenPGP certificate (recall the list of [packets of Alice's key](split_alice)). Finding a particular packet in that list can take a moment. 
-```{admonition} VISUAL -:class: warning - -Show a very abstract diagram of packets in a typical full OpenPGP key: -- Secret-Key packet -- Direct Key Signature -- User ID -- Certifying self-signature for User ID -- Secret-Subkey packet -- Subkey binding signature -- Secret-Subkey packet -- Subkey binding signature -``` +In the following sections we're making it a bit easier for ourselves, and directly look at individual packets, from the files we created with `sq packet split`, above. ```` #### Secret-Subkey packet From 7617d7eea66ba0e2956b6e4640d0acb92c7510fa Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Wed, 11 Oct 2023 17:59:06 +0200 Subject: [PATCH 29/56] ch4: write "user id" zooming in section --- book/source/04-certificates.md | 195 ++++++++++++--------------------- 1 file changed, 72 insertions(+), 123 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 83c5e22..b1367a6 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -482,6 +482,7 @@ The overall structure of OpenPGP packets is described in the [Packet Syntax](htt Note that the *Secret-Key packet* contains both the private and the public part of the key. +(zooming_in_dks)= #### Direct Key Signature The next packet is a [*Direct Key Signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-direct-key), which is bound to the primary key (the file `alice.priv-1--Signature` contains this packet). 
@@ -580,7 +581,7 @@ Critical here means: the receiver must be able to interpret the subpacket and is ``` - [Signature creation time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#signature-creation-subpacket) (subpacket type 2, **critical**): `0x6516eaa6` (also see [Time Fields](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-time-fields)) -- [Key expiration time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-expiration-subpacket) (subpacket type 9, **critical**): `0x05a48fbd` (also see [Time Fields](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-time-fields)) +- [Key expiration time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-expiration-subpacket) (subpacket type 9, **critical**): `0x05a48fbd` (defined as number of seconds after the key creation time) - [Preferred symmetric ciphers for v1 SEIPD](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#preferred-v1-seipd) (type 11): `0x09 0x07`. (These values [correspond to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#symmetric-algos): *AES with 256-bit key* and *AES with 128-bit key*) - [Preferred hash algorithms](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#preferred-hashes-subpacket) (subpacket type 21): `0x0a 0x08`. (These values [correspond to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-hash-algorithms): *SHA2-512* and *SHA2-256*) - [Key flags](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-flags) (subpacket type 27, **critical**): `0x01`. (This value [corresponds](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-flags) to the *certifications* key flag) 
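Review bot: On the changed Key expiration time line, the raw value `0x05a48fbd` is now described as seconds after key creation, but the reader still has to do the conversion. Consider adding the decoded value: `0x05a48fbd` is 94670781 seconds, which is 1095 days plus 62781 seconds, the same `P1095DT62781S` that `sq` prints in the packet dumps elsewhere in the chapter. The change also drops the Time Fields link that the Signature creation time line above keeps; keep both if that was not intentional.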
@@ -665,6 +666,7 @@ A minimal OpenPGP public certificate, visualized In the following examples, we will only look at OpenPGP keys that include the private key material. The corresponding "certificate" variants, which only contain the public key material, are easy to imagine: like here, their packet type is changed from a Secret-Key to a Public-Key variant, and they leave out the private key material. +(zoom_enc_subkey)= ### Encryption subkey Now we'll look at a subkey in Alice's key. An OpenPGP subkey, when it is linked to an OpenPGP certificate (via its primary key), effectively consists of two elements: @@ -812,7 +814,7 @@ The first difference is in the `type` field, showing that this signature is of t The `pk_algo` of this signature is informed by the algorithm of the primary key (`0x1b`, corresponding to Ed25519). The signature in this packet is issued by the primary key, so by definition it uses the signing algorithm of the primary key (that is: the algorithm used to produce the cryptographic signature in this packet is entire independent of the `pk_algo` of the key material of this subkey itself, which uses the X25519 mechanism). -As shown in the header of this packet dump, the hashed subpacket data contains four pieces of information: +As shown in the text at the top of this packet dump, the hashed subpacket data contains four pieces of information: - Signature creation time: `2023-09-29 15:17:58 UTC` (**critical**) - Key expiration time: `P1095DT62781S` (**critical**) 
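Review bot: The paragraph kept as context directly above the changed line in the second hunk reads "is entire independent of the `pk_algo`"; since this hunk already touches the neighbouring sentence, fix it to "entirely independent" in the same commit. The replacement wording "text at the top of this packet dump" is clearer than "header", which could be mistaken for the packet header bytes.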
@@ -952,127 +954,20 @@ Signature Packet, new CTB, 3 header bytes + 325 bytes ``` (zooming_in_user_id)= -### User ID +### Adding an identity component -User IDs are a mechanism for attaching *identities* to an OpenPGP certificate. Traditionally, User IDs contain a string that combines a name and an email address. +Now we'll look at an identity that is associated with Alice's certificate. -To look into these, we'll make a certificate that has one [User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#uid). User IDs are *"intended to represent the name and email address of the key holder"*. A certificate can have multiple User IDs associated with it. +User IDs are a mechanism for connecting [identities](identity_components) with an OpenPGP certificate. Traditionally, User IDs contain a string that combines a name and an email address. -Let's look into the details of this key: +Like [above](zoom_enc_subkey), to look at the internal packet structure of this identity and its connection the OpenPGP certificate, we'll inspect the two individual packets that constitute the identity component, the [User ID packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-id-packet-tag-13), in the file `alice.priv-2--UserID`, and the certifying self-signature a [Positive certification of a User ID and Public-Key packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-positive-certification-of-a) in `alice.priv-3--Signature` (these packets are an excerpt of Alice's full OpenPGP private key). 
+ +#### User ID packet + +First, let's look at the User ID packet, which encodes an identity that Alice has connected to her OpenPGP certificate: ```text ------BEGIN PGP PRIVATE KEY BLOCK----- -Comment: AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3 -Comment: - -xUsGZRbqphsAAAAgUyTpQ6+rFfdu1bUSmHlpzRtdEGXr50Liq0f0hrOuZT4A7+GZ -tV8R+6qT6CadO7ItciB9/71C3UvpozaBO6XMz/vCtgYfGwoAAAA9BYJlFuqmBYkF -pI+9AwsJBwMVCggCmwECHgEiIQaqoYy7JUaFxYNYMgVj/Te2fzMA+fsOxFc3jNKf -ECaYswAAAAoJEKqhjLslRoXFZ0cgouNjgeNr0E9W18g4gAIl6FM5SWuQxg12j0S0 -7ExCOI5NPRDCrSnAV85mAXOzeIGeiVLPQ40oEal3CX/L+BXIoY2sIEQrLd4TAEEy -0BA8aQZTPEmMdiOCM1QB+V+BQZAOzRM8YWxpY2VAZXhhbXBsZS5vcmc+wrkGExsK -AAAAQAWCZRbqpgWJBaSPvQMLCQcDFQoIApkBApsBAh4BIiEGqqGMuyVGhcWDWDIF -Y/03tn8zAPn7DsRXN4zSnxAmmLMAAAAKCRCqoYy7JUaFxdu4IIotb9pnNbxdBHe0 -nWeobsXWiFNf4u/5Zgi/wuDbwFYN69QspRkBD7om0IKiz1zreqly2fOyZgeLsro9 -t4nkdgRuNSQrJymDvpGceGrMtNVpR3YsKdZUv0MZBP9TmMDVCw== -=bgQM ------END PGP PRIVATE KEY BLOCK----- -``` - -```text -$ sq packet dump --hex alice_userid.priv -Secret-Key Packet, new CTB, 2 header bytes + 75 bytes - Version: 6 - Creation time: 2023-09-29 15:17:58 UTC - Pk algo: Ed25519 - Pk size: 256 bits - Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 - KeyID: AAA18CBB254685C5 - - Secret Key: - - Unencrypted - - 00000000 c5 CTB - 00000001 4b length - 00000002 06 version - 00000003 65 16 ea a6 creation_time - 00000007 1b pk_algo - 00000008 00 00 00 20 public_len - 0000000c 53 24 e9 43 ed25519_public - 00000010 af ab 15 f7 6e d5 b5 12 98 79 69 cd 1b 5d 10 65 - 00000020 eb e7 42 e2 ab 47 f4 86 b3 ae 65 3e - 0000002c 00 s2k_usage - 0000002d ef e1 99 ed25519_secret - 00000030 b5 5f 11 fb aa 93 e8 26 9d 3b b2 2d 72 20 7d ff - 00000040 bd 42 dd 4b e9 a3 36 81 3b a5 cc cf fb - -Signature Packet, new CTB, 2 header bytes + 182 bytes - Version: 6 - Type: DirectKey - Pk algo: Ed25519 - Hash algo: SHA512 - Hashed area: - Signature creation time: 2023-09-29 15:17:58 UTC 
(critical) - Key expiration time: P1095DT62781S (critical) - Symmetric algo preferences: AES256, AES128 - Hash preferences: SHA512, SHA256 - Key flags: C (critical) - Features: MDC - Issuer Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 - Unhashed area: - Issuer: AAA18CBB254685C5 - Digest prefix: 6747 - Level: 0 (signature over data) - - 00000000 c2 CTB - 00000001 b6 length - 00000002 06 version - 00000003 1f type - 00000004 1b pk_algo - 00000005 0a hash_algo - 00000006 00 00 00 3d hashed_area_len - 0000000a 05 subpacket length - 0000000b 82 subpacket tag - 0000000c 65 16 ea a6 sig creation time - 00000010 05 subpacket length - 00000011 89 subpacket tag - 00000012 05 a4 8f bd key expiry time - 00000016 03 subpacket length - 00000017 0b subpacket tag - 00000018 09 07 pref sym algos - 0000001a 03 subpacket length - 0000001b 15 subpacket tag - 0000001c 0a 08 pref hash algos - 0000001e 02 subpacket length - 0000001f 9b subpacket tag - 00000020 01 key flags - 00000021 02 subpacket length - 00000022 1e subpacket tag - 00000023 01 features - 00000024 22 subpacket length - 00000025 21 subpacket tag - 00000026 06 version - 00000027 aa a1 8c bb 25 46 85 c5 83 issuer fp - 00000030 58 32 05 63 fd 37 b6 7f 33 00 f9 fb 0e c4 57 37 - 00000040 8c d2 9f 10 26 98 b3 - 00000047 00 00 00 0a unhashed_area_len - 0000004b 09 subpacket length - 0000004c 10 subpacket tag - 0000004d aa a1 8c issuer - 00000050 bb 25 46 85 c5 - 00000055 67 digest_prefix1 - 00000056 47 digest_prefix2 - 00000057 20 salt_len - 00000058 a2 e3 63 81 e3 6b d0 4f salt - 00000060 56 d7 c8 38 80 02 25 e8 53 39 49 6b 90 c6 0d 76 - 00000070 8f 44 b4 ec 4c 42 38 8e - 00000078 4d 3d 10 c2 ad 29 c0 57 ed25519_sig - 00000080 ce 66 01 73 b3 78 81 9e 89 52 cf 43 8d 28 11 a9 - 00000090 77 09 7f cb f8 15 c8 a1 8d ac 20 44 2b 2d de 13 - 000000a0 00 41 32 d0 10 3c 69 06 53 3c 49 8c 76 23 82 33 - 000000b0 54 01 f9 5f 81 41 90 0e - +$ sq packet dump --hex alice.priv-2--UserID User ID Packet, new CTB, 
2 header bytes + 19 bytes Value: @@ -1080,7 +975,22 @@ User ID Packet, new CTB, 2 header bytes + 19 bytes 00000001 13 length 00000002 3c 61 6c 69 63 65 40 65 78 61 6d 70 6c 65 value 00000010 2e 6f 72 67 3e +``` +- `CTB: 0xcd`: The Packet Tag for this packet. Bits 7 and 6 show that the packet is in “OpenPGP packet format” (as opposed to in “Legacy packet format”). The remaining 6 bits encode the Tag’s value: “13.” This is the value for a [User ID packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-id-packet-tag-13). +- `length: 0x13`: The remaining length of this packet (here: 19 bytes). +- `value`: 19 bytes of data that contain UTF-8 encoded text. The value corresponds to the string ``. With this identity component, Alice states that she uses (and has control of) this email address. Note that the email address is enclosed in `<` and `>` characters, following [RFC 2822](https://www.rfc-editor.org/rfc/rfc2822) conventions. + +So, a User ID packet is really just a string, marked as a User ID by the packet type id. + +#### Linking the User ID with a certification self-signature + +As above, when [linking a subkey](zoom_enc_subkey) to the OpenPGP certificate, a self-signature is used to connect this new component to the certificate. + +To bind identities to a certificate with a self-signature, one of the signature types `0x10` - `0x13` can be used. Here, the signature type `0x13` (*positive certification*) is used. + +```text +$ sq packet dump --hex alice.priv-3--Signature Signature Packet, new CTB, 2 header bytes + 185 bytes Version: 6 Type: PositiveCertification 
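Review bot: The added field description mixes two names for the same thing: the `CTB: 0xcd` bullet says "Packet Tag" and "the Tag's value", while the summary sentence after the list says "marked as a User ID by the packet type id". Pick one term for the whole hunk (a later commit in this series settles on "packet type ID"). In the `value` bullet, the backticks after "corresponds to the string" are empty as shown here; the 19 bytes in the dump above decode to `<alice@example.org>`, so check that the literal survives rendering.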
@@ -1151,13 +1061,52 @@ Signature Packet, new CTB, 2 header bytes + 185 bytes 000000b0 54 bf 43 19 04 ff 53 98 c0 d5 0b ``` -Instead of two packets, as before, we see four packets in this certificate: -* First, a "Secret-Key Packet," -* then a "Signature Packet" (these two packets are the same as above). -* Third, a [*"User ID Packet"*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#uid), which contains the name and email address we used -* Finally, a [*"Positive Certification Signature"*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-positive-cert) (type 0x13), *"Positive certification of a User ID and Public-Key packet"*. This is a cryptographic artifact that "binds the User ID packet and the Key packet together", i.e. it certifies that the owner of the key wants this User ID associated with their key. (Only the person who controls the private part of this key can create this signature packet. The signature serves as proof that the owner of the key has added this User ID to the certificate) +We'll go over this packet dump in less detail, since its structure closely mirrors the [Direct Key Signature](zooming_in_dks) discussed above. +We're again looking at a Signature packet. Its `type` is `0x13` ([corresponding](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-signature-types) to a *positive certification* signature). + +The public key algorithm and hash function used for this signature are Ed25519 and SHA512. 
+ +As shown in the text at the top of this packet dump, the hashed subpacket data contains the following metadata: + +- Signature creation time: `2023-09-29 15:17:58 UTC` (**critical**) +- Key expiration time: `P1095DT62781S` (**critical**) +- Symmetric algo preferences: `AES256, AES128` +- Hash preferences: `SHA512, SHA256` +- Primary User ID: `true` (**critical**) +- Key flags: `C` (**critical**) +- Features: `MDC` +- Issuer Fingerprint: `AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3` + +This is a combination of metadata about the User ID itself (including defining this User ID as the *primary User ID* of this certificate), algorithm preferences that are associated with this identity, and settings that apply to the primary key. + +````{note} +For historical reasons, the self-signature that binds the primary User ID to the certificate also contains subpackets that apply not to the User ID, but to the primary key itself. + +Setting key expiration time and key flags on the primary User ID self-signature is one mechanism to configure the primary key. + +The interaction between metadata on direct key signatures and User ID binding self-signatures [is subtle](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-notes-on-self-signatures), and there are changes between version 6 and version 4. + + +```{admonition} TODO +:class: warning + +- link to a section that goes into more depth about "#name-notes-on-self-signatures"? +``` + +```` + +Followed, again, by the (informational) unhashed subpacket area. + +And finally, a salt value for the signature and the signature itself. + +The signature is calculated over a hash. 
The hash, in this case, is calculated over the following data (for details, see [Computing Signatures](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-computing-signatures) in the RFC): + +- The signature's salt +- A serialized form of the primary key's public data +- A serialized form of the User ID +- A serialized form of this self-signature packet (up to, but excluding the unhashed area) ### Certifications (Third Party Signatures) From f0959a2b0febd99cdddb9e1c0be36ffd53d4ee53 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Sat, 7 Oct 2023 13:29:31 +0200 Subject: [PATCH 30/56] Adjust to updated RFC terminology Fixes #52 --- book/source/04-certificates.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index b1367a6..c5a1eb2 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -454,17 +454,17 @@ Secret-Key Packet, new CTB, 2 header bytes + 75 bytes The Secret-Key packet consists in large part of the actual cryptographic key data. Let's look at the packet field by field: -- `CTB: 0xc5`[^CTB]: The [Packet Tag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers) for this packet. The binary representation of the value `0xc5` is `11000101`. Bits 7 and 6 show that the packet is in *OpenPGP packet format* (as opposed to in *Legacy packet format*). The remaining 6 bits encode the Tag's value: "5". This is the value for a Secret-Key packet, as shown in the list of [Packet Tags](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-tags). +- `CTB: 0xc5`[^CTB]: The [packet type ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers) for this packet. The binary representation of the value `0xc5` is `11000101`. Bits 7 and 6 show that the packet is in *OpenPGP packet format* (as opposed to in *Legacy packet format*). The remaining 6 bits encode the Tag's value: "5". This is the value for a Secret-Key packet, as shown in the list of [packet type IDs](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-tags). - `length: 0x4b`: The remaining length of this packet. -The packet tag defines the semantics of the remaining data in the packet. We're looking at a Secret-Key packet, which is a kind of [Key Material Packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-material-packets). +The packet type id defines the semantics of the remaining data in the packet. We're looking at a Secret-Key packet, which is a kind of [Key Material Packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-material-packets). 
- `version: 0x06`: The key material is in version 6 format This means that the next part of the packet follows the structure of [Version 6 Public Keys](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-version-6-public-keys) - `creation_time: 0x6516eaa6`: "The time that the key was created" (also see [Time Fields](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-time-fields)) -- `pk_algo: 0x1b`: "The public-key algorithm of this key" (decimal value 27, see the list of [Public-Key Algorithms](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms)) +- `pk_algo: 0x1b`: "The public-key algorithm ID of this key" (decimal value 27, see the list of [Public-Key Algorithms](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms)) - `public_len: 0x00000020`: "Octet count for the following public key material" (in this case, the length of the following `ed25519_public` field) - `ed25519_public`: [Algorithm-specific representation](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ed2) of the public key material (the format is based on the value of `pk_algo`), in this case 32 bytes of Ed25519 public key 
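Review bot: The `CTB: 0xc5` bullet now opens with "packet type ID" but its last sentence still says "The remaining 6 bits encode the Tag's value", so the old and new terms sit in one bullet. The following paragraph is changed to "The packet type id defines ..." with lower-case "id", unlike "packet type ID" in the rest of this hunk. Suggest "the type ID's value" and "packet type ID" throughout.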
@@ -473,7 +473,7 @@ This concludes the Public Key section of the packet. The remaining data follows - `s2k_usage: 0x00`: This [*S2K usage* value](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-encryption-s2k-u) specifies that the secret-key data is not encrypted - `ed25519_secret`: [Algorithm-specific representation](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ed2) of the secret key data (the format is based on the value of `pk_algo`) -[^CTB]: Sequoia uses the term CTB (Cipher Type Byte) to refer to the RFC's [Packet Tag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers) +[^CTB]: Sequoia uses the term CTB (Cipher Type Byte) to refer to the RFC's [packet type ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers). Previously, the RFC called this field "Packet Tag". ```{tip} 
@@ -559,22 +559,22 @@ Signature Packet, new CTB, 2 header bytes + 182 bytes Let’s look at the packet field by field: -- `CTB: 0xc2`: The Packet Tag for this packet. Bits 7 and 6 show that the packet is in “OpenPGP packet format” (as opposed to in “Legacy packet format”). The remaining 6 bits encode the Tag’s value: “2.” This is the value for a Signature packet. +- `CTB: 0xc2`: The Packet type ID for this packet. Bits 7 and 6 show that the packet is in “OpenPGP packet format” (as opposed to in “Legacy packet format”). The remaining 6 bits encode the type ID’s value: “2.” This is the value for a Signature packet. - `length: 0xb6`: The remaining length of this packet. -The packet tag defines the semantics of the remaining data in the packet. We're looking at a [Signature packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#signature-packet), so the following data is interpreted accordingly. +The packet type ID defines the semantics of the remaining data in the packet. We're looking at a [Signature packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#signature-packet), so the following data is interpreted accordingly. - `version: 0x06`: This is a version 6 signature (some of the following packet format is specific to this signature version). 
- `type: 0x1f`: The [Signature Type](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-signature-types) -- `pk_algo: 0x1b`: Public-key algorithm (decimal 27, corresponds to [Ed25519](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms)) -- `hash_algo: 0x0a`: Hash algorithm (decimal 10, corresponds to [SHA2-512](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-hash-algorithms)) +- `pk_algo: 0x1b`: Public-key algorithm ID (decimal 27, corresponds to [Ed25519](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms)) +- `hash_algo: 0x0a`: Hash algorithm ID (decimal 10, corresponds to [SHA2-512](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-hash-algorithms)) - `hashed_area_len: 0x0000003d`: Length of the following hashed subpacket data The next part of this packet contains hashed subpacket data. A subpacket data set in an OpenPGP Signature contains a list of zero or more Signature subpackets. There are two sets of subpacket data in a Signature: hashed, and unhashed. The difference is that the hashed subpackets are protected by the digital signature of this packet, while the unhashed subpackets are not. -The following subpacket data consists of sets of "subpacket length, subpacket tag, data." We'll show the information for each subpacket as one line, starting with the [subpacket type description](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-signature-subpacket-specifi) (based on the subpacket tag). Note that bit 7 of the subpacket tag signals if that subpacket is ["critical"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#section-5.2.3.7-10). +The following subpacket data consists of sets of "subpacket length, subpacket type ID, data." 
We'll show the information for each subpacket as one line, starting with the [subpacket type description](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-signature-subpacket-specifi) (based on the subpacket type ID). Note that bit 7 of the subpacket type ID signals if that subpacket is ["critical"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#section-5.2.3.7-10). ```{note} Critical here means: the receiver must be able to interpret the subpacket and is expected to fail, otherwise. Non-critical subpackets may be ignored by the receiver. @@ -592,7 +592,7 @@ The next part of this packet contains "unhashed subpacket data": - `unhashed_area_len: 0x0000000a`: Length of the following unhashed subpacket data (value: 10 bytes). -As above, the following subpacket data consists of sets of "subpacket length, subpacket tag, data." In this case, only subpacket follows: +As above, the following subpacket data consists of sets of "subpacket length, subpacket type id, data." In this case, only subpacket follows: - [Issuer Key ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#issuer-keyid-subpacket) (subpacket type 16): `aaa18cbb254685c5` (this is the shortened version 6 *Key ID* of the fingerprint of this certificate's primary key) 
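Review bot: The changed line in the second hunk reads "In this case, only subpacket follows:", which is missing a word; "only one subpacket follows" is presumably meant. It also writes "subpacket type id" in lower case, while the hunk above uses "subpacket type ID".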
@@ -654,7 +654,7 @@ Public-Key Packet, new CTB, 2 header bytes + 42 bytes Note that the packet is almost identical to the Secret-Key packet seen above. -The packet tag (called `CTB` in the output) shows the packet type is now [*Public-Key packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-packet-tag-6), instead of *Secret-Key packet*, above. Besides this change, this *Public-Key packet* only leaves out the last section, which contained the private-key related fields `s2k_usage` and `ed25519_secret`. +The packet type ID (called `CTB` in the output) shows the packet type is now [*Public-Key packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-packet-tag-6), instead of *Secret-Key packet*, above. Besides this change, this *Public-Key packet* only leaves out the last section, which contained the private-key related fields `s2k_usage` and `ed25519_secret`. The following, second packet in the certificate (the Direct Key Signature) is bit-for-bit identical as in the previous section. So we omit showing it again, here. 
@@ -723,7 +723,7 @@ Secret-Subkey Packet, new CTB, 2 header bytes + 75 bytes Notice that the structure of this *Secret-Subkey packet* is the same as the *Secret-Key Packet* of the primary key, above. Only the content of the two packets differs in some points: -- The packet tag (`CTB`) in this packet shows type 7 ([*Secret-Subkey packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-subkey-packet-tag-7)). +- The packet type ID (`CTB`) in this packet shows type 7 ([*Secret-Subkey packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-subkey-packet-tag-7)). - The `pk_algo` value is set to `0x19` (decimal 25), which [corresponds to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms) X25519. Note that even though both the primary key and this subkey use a cryptographic mechanism based on Curve25519, this encryption key uses Curve 25519 in a different way (X25519 is a Diffie–Hellman function built out of Curve25519). - Accordingly, both parts of the cryptographic key pair are labeled with the corresponding names `x25519_public` and `x25519_secret` (however, note that this difference only reflects the semantics of the fields, which are implied by the value of `pk_algo`. The actual data in both fields consists of just 32 bytes of cryptographic key material, without any type information.) 
@@ -977,7 +977,7 @@ User ID Packet, new CTB, 2 header bytes + 19 bytes 00000010 2e 6f 72 67 3e ``` -- `CTB: 0xcd`: The Packet Tag for this packet. Bits 7 and 6 show that the packet is in “OpenPGP packet format” (as opposed to in “Legacy packet format”). The remaining 6 bits encode the Tag’s value: “13.” This is the value for a [User ID packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-id-packet-tag-13). +- `CTB: 0xcd`: The Packet type ID for this packet. Bits 7 and 6 show that the packet is in “OpenPGP packet format” (as opposed to in “Legacy packet format”). The remaining 6 bits encode the type ID’s value: “13.” This is the value for a [User ID packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-id-packet-tag-13). - `length: 0x13`: The remaining length of this packet (here: 19 bytes). - `value`: 19 bytes of data that contain UTF-8 encoded text. The value corresponds to the string ``. With this identity component, Alice states that she uses (and has control of) this email address. Note that the email address is enclosed in `<` and `>` characters, following [RFC 2822](https://www.rfc-editor.org/rfc/rfc2822) conventions. From 83ccdda6b4810e5e007c56de4cc6720eaa7a67c6 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Thu, 12 Oct 2023 16:07:28 +0200 Subject: [PATCH 31/56] Terminology fixes --- book/source/04-certificates.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index c5a1eb2..7dcf1f3 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -454,7 +454,7 @@ Secret-Key Packet, new CTB, 2 header bytes + 75 bytes The Secret-Key packet consists in large part of the actual cryptographic key data. Let's look at the packet field by field: -- `CTB: 0xc5`[^CTB]: The [packet type ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers) for this packet. The binary representation of the value `0xc5` is `11000101`. Bits 7 and 6 show that the packet is in *OpenPGP packet format* (as opposed to in *Legacy packet format*). The remaining 6 bits encode the Tag's value: "5". This is the value for a Secret-Key packet, as shown in the list of [packet type IDs](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-tags). +- `CTB: 0xc5`[^CTB]: The [packet type ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers) for this packet. The binary representation of the value `0xc5` is `11000101`. Bits 7 and 6 show that the packet is in *OpenPGP packet format* (as opposed to in *Legacy packet format*). The remaining 6 bits encode the type ID's value: "5". This is the value for a Secret-Key packet, as shown in the list of [packet type IDs](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-tags). - `length: 0x4b`: The remaining length of this packet. The packet type id defines the semantics of the remaining data in the packet. We're looking at a Secret-Key packet, which is a kind of [Key Material Packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-material-packets). 
@@ -473,7 +473,7 @@ This concludes the Public Key section of the packet. The remaining data follows - `s2k_usage: 0x00`: This [*S2K usage* value](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-encryption-s2k-u) specifies that the secret-key data is not encrypted - `ed25519_secret`: [Algorithm-specific representation](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ed2) of the secret key data (the format is based on the value of `pk_algo`) -[^CTB]: Sequoia uses the term CTB (Cipher Type Byte) to refer to the RFC's [packet type ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers). Previously, the RFC called this field "Packet Tag". +[^CTB]: Sequoia uses the term CTB (Cipher Type Byte) to refer to the RFC's [packet type ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers). In previous versions, the RFC called this field "Packet Tag". ```{tip} From 40ea566e2d24860675fe1711f66273720fe4592b Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Fri, 13 Oct 2023 11:45:48 +0200 Subject: [PATCH 32/56] CI: only generate sphinx output for "draft" branch --- .woodpecker/doc-pages.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.woodpecker/doc-pages.yml b/.woodpecker/doc-pages.yml index 6f1a4d3..083936b 100644 --- a/.woodpecker/doc-pages.yml +++ b/.woodpecker/doc-pages.yml @@ -30,5 +30,5 @@ steps: fi when: event: push - # uncomment when this is proven to be working: - #branch: main + # only generate sphinx output for the "draft" branch + branch: draft From 13f5cd5d730cfb3376ab01e14ddac34a84eed85b Mon Sep 17 00:00:00 2001 
From: Heiko Schaefer Date: Sat, 14 Oct 2023 20:11:46 +0200 Subject: [PATCH 33/56] ch4: clarify text in draft user id diagram --- book/source/diag/user_id_certification.png | Bin 78172 -> 83886 bytes book/source/diag/user_id_certification.svg | 160 ++++++++++++--------- 2 files changed, 89 insertions(+), 71 deletions(-) 
diff --git a/book/source/diag/user_id_certification.png b/book/source/diag/user_id_certification.png index bfa8c06836a53d6787a577e9ef07df2c05574635..5f4c7e5c043e0a79e08b2665e52447dfbc4d3fd4 100644 GIT binary patch literal 83886
zjo)$v%4z~iAsj_6E-r-D{D@RV&7OuBYY0#Cz`MDG?lyRcsl6+|f1i02V&-#@`AjB* z*RfTP-PDmC?d=rz-2wwRbh@t$H+`SUYgeDOOJ*4<6 zk@?cJDF{DzJ;@oLYUAn*+~kUmF-QdX$<UbuQ2g7LX-;`aPNTpi)BneengmQOA8xo~&AA1U%f#a>_h8H^m%k zrMYRIQn9YZp49@I^;gjSgzVql9f?;%K}ortFccDF`(RgwJWK=g1TnoPQQFtI7yVfw zurC?c$iZAfn7@btPMw{v;J%b)`A}R6AMQYI0^B!vMHre#43oPdCkIWP6?__e*1@R9 zi;9GyCu4zQ5XBX)FxbjKrej{sUbHG_V!{iGJ$96#W{PiB-qR4aPAp(dP9g!{j1g6- zxdtuO)jM%fN%=?U=%_AOIl{ogshai-a2d<2>htF(dk?cdTj{;Us+Oky0Pbg4wXnrz zF>TP7D{`A+Z$S#}x36EXY~_I3K|hlZMyBNF=NA?iQ{rG?%^3h_g0+VE45Kh0AzlU9 zh_SYNZ`(YuDZ za?BbU8o8EBtH$k66##2OE74kU>vY$yAGh@}+jAGn0?7LKS!T2t!@=nrb{kM0pOF+I zt*jgjMU>Wp8{*JD6w5ID`pTrj$JhPm?>F;yVpSef#CjDDTxf`5e2QM072br zb5<_!ls$vKLu~2q-(Nx;@cGF`joLPu|C{xlJ87q;OI_yGbImB=1URi*s{Y|d++8nc zw+q6&yz+CSZt|d6_Z(rmU-qcoEu7+e%KnGP&j49qlC#R2KGmO&|A1Yp+EOJ_*>|AX zP{u7=L;V$n%Ti#FokDT$K(E*Az`r|JR8B7`lv<6iF0^e}B4#$!;mnk?`|puPpwQBLI4E zMx}J=b!DeJR@@r7W=8`U%X))k0JOQ~$|?#v18j1K$6IMZLu#>n@b*5EmDQwDPcIa= zqbY_3V?+B!?oe=x zq2bDka0>)s^2}QsU0cL)pt{ty=)geu9(3cCC7~jst+nhP*E3i>1B!KUP!=be$7(b^ zbu%3Rx_Q9Byur4D#*}{LUzzJaGG^w)%hdZpodd+nY#E!Flov>tAk)JGGW|M?>&{=9 z%ZSAY@SJ2becswUYrt)#p(llagI$*Z~0l%rqI7*r3vhYy{v zyE~8cS7Fg!T3S+)FrJmrEW>aRDGx2ru|=NyAcZMm<{kDzw7k8^W%4`r?f)lqZWq6*QD+@R;x`{rJF^7_J{?&8$Of!G84(W;&7 zKYG!?U|{@v)(Ird*P^x&4<22}HtRos-um_BgI?Zil@MZK6nF-EadUPk4!(PGT5FLy z$JFX}cW&%ktskN9(*21cFzfEyv_xc4_Z<^YE0){GPQ@c1uqo;?_Zrmb$vxYlzMI_5 zuQ6ZWeiPMS?ME0g#6RX0SXX^{cpS7oP3F0A=cM@4+I`gLoW(0|V8w z4eorUT$rvo1PsXw|Gm5w z&hI=^khbPh@m7+G^aEH2d9OaQyu3Ve4UCzASk}dLCJDSS$RHj?R8nk_SE?J+2)WYj47E-ybjYBdIV6kO2TL>Tbh|r zxD<)}g-ON~v?&m~Qonob-}-|{h#Uaj`|nJ1{ny5z=C|=jsr%H0$H&a%2!wti*H37e z>}7DYU&>SRJj)8*XC^j!{&B~d>NO&RL%Aj82EWPs{O4j!aEdycv(-u2&m#jFHw zVSeve)%g)dp$nR=iPExPWusoM&ru`2Kc^qA?aV4;H#T{w_06~QCl?J1)(VGeQ6wEk z!(YdTzB=zfQYCFK$=U!>s9Rk<1atqRV#Kuc&ECq}+0iG-M4T~KlGuH4>T!I$xWgZn zL~Y@FB=w;JDaNvh;%9N>TXky{2F20R3#P*7*Z9WN2zb-4z)4JX^9+r&wB?;N?zbu> z+1=%B?d{2?O&vhhfv;ab0fnxdyp!*)g7m^ahtz2m2HA#|&Y$6lN>W;LbGww31=zLn 
zsdntPzrEs{MR$Z_-$?+ei}Lc}e_w0c-5Z8D<{ipa+frT@t{xi`b6}fCw?a`6!}!+x zk9qUH`%GSu_i?{6*}_8V%_;In;h*>tScf|I`BYEj;LjpHJen`_b6HS4a2rrdfV`{w zDySjipzhSS)C${0E`8|GZ@F~QfRS&Oe#(8JTt5{HZmJBqxEPr>n6s_Qw8 z??aZi8iH74Ux_&Jpw9dRFb%$33FRJq5%bLwkIBB&*C&880fquKL0}U|?;EEaHh!*9 zg^9zf<;62?I365Q?u8Q>@BW)mA$-)p#vo%XmSjR+E{6~vefT~hdcqn9wr?=_M;E5v z`5(g}^cuo@$9m^s}J>3pUc} zQ5s?@*?``Q|NPnOgOCj~3*+;#T_0Dkome4E+xQ|TU$6=1Xc6C8@fgn#2H9F>IN9)r z$^U=O?rZL6{h#V6317Xz;Nz1@IJsWLKNYvwz~BPnKY;$#(iYhKrD0E6Y@YC%J?RZ6 zI&*Mp4A;iOIC*1i#ccCL&`WlX|M{9v%qkL+9i}Z}@an`$p-pfU7u(5`L608?xTVEt z$4Fnfatgp@`i9#d)w3ToJ?hdlSVXQCHdO5Se_j9uhA2UXWIGlwXyzZAMnG zHzK-YAr|}SKRo{Xc3zI=_hqC7>F0QBE9+d^2mgt(5Bc8AgG3xdD_*ykOulPMyFD7NmhEL5cjQa)X{>ZaDh?${V zar|gTcy-?6BWc6jpu8K(=HcJ*Qgn2s;yeEN_1AMXMxD!$%Nfa&C@c@CgLS~Xy%?hh zyf~4GB>ohQZ|xHQGob^MAF5M{ls)*&EeZfg@q#^DWEjUnlX#WKq_B=Xb>fGtPd%sFLEGUYrHf2Nos{cZw&26pAg2#-Ikx9nd?{V(l z?fU8!Jq1nvjjtJri8a2%6|;i@Zct|v++E057t9;N6Wx$6Jiq4O5&s&(A+h~XrxT7_ za;2l6xHs2UFIeAh(tfZ+y~I%v94fnB`ROt@xA}HDFME5cjPjwOv)%bCIQM8wM!|~- zlOlp5_y$e=8H=u=+$5Sr@};R+Z|(lkjFH)v)oeg8#9ikEyK^&-CqF z81Icfrlfa$R$WcSsg`dzP<;_B_}(7pXOKzQ>xwNL_KY^^m`-+!5fB0@Pz$17IpYtl zJG38h$Q|mLgW=3mltDuv+aW^L6+k&1kZbHm z?BvJS@+@v@S1{I;Z;Xb7lrwq#LR+4wRsn;G(rUiVK{OkLD&lev`8{ z{hx4B#8^un$D-pf4gga0Z!c{Q}nvs{+*}SAGPUK z9(@_|zW2+QBp`rX)|Zbw-CTZu%{yI@S#ad*0b_WBo^KSZ#g8+J-TYl2>L#PF=kZSr zK%Sw3k$c8kCmeAEHWw!p%)Vd0-r>`EkalUqBt9cU_V#TN;zD~pOd~{HxHY^fF&j)4)O@Uc%8ybF^ zF1gu1Di|RbmE0oo@#y`h&9>;lnm^8&|9vxf`7T_)moFz&6D~ju1Z(1cLJ5_Zu%E?h zJ@*m=u7xTWeYlpnI`e0NVWHFXUXL9=v)z7}!y4G!+IoVSIf^h@eNpUb4;yZc-?n$} z^*g=xudI8bQvZ$1-nh|US<`ohU+L@W&P7XUxq^!r->UbvULMRpIJ$anw7 z!Ei;4y^2oQ(yoYGbZ(n!!f`-XlBTUNTd&A|oTtxIw`lM033tG_#f@x*0@2;)w#}vs&1}m>3UeRI3ADQQ>Et726 z`sE7GoL3kANhjYJmj~hRJtE??cmb8V(KXYgneIHU!6{uI#G_ErX!oN&WK8U<4OOk) zI3%$`xzRWDuaNyrlT)%A6W|?Y6~2^No)Sw*RjSdwwM=IAGhe(ldE*LpIrv<3dVDXE z4VFI{Rc(1H;5uO`_o4uCVgOeOWL7>nxaF0kq0{bp__6MA__ofnwX?le6HukLv9Vb$ zPKl6T?3~?$qRzana0JAfmTr3_I_+hx)7Q%ycB00-rJQ~=~4%rg}H6 
z7)7+&?>bBt+cKkhwxX)lkYxC@2RwvV#-2RF+>6Hi(t}Vg0I*XZOZZ;@J=G&^W`162 zm22kTt&~m~_Y41RsewnBTWSDX@}1t&2+XO-&hFg^3Sk#FH#fiYt1u8W>)_-h;nPAt zt07EDv2Vl=25{n{YzKynVNW4E^QL+=`K*|kIq-4w-hBhZK~}k*<{w^LI&=&F{B+l6 zdWR>i@^quV`KFKdC&Pc;qpJhp}#U& z&_|HMkWw&saF^Aj{MuMYTiY8cS^378qQ++CevIL2?M>N6!XR?iXeFBgt=wRJr*h1i zzsPeoj3yxb(x0<~vFs=qd|z+!f^1iZYgzMuCMFb8tX0x=+%Cd@`9W!D%xpiq``X{X zA>6_8hJ9X9QPbg*A3Hnm10`{B40%V3CN!?5Bqqu^=HFn!iQnm0vW0|y9&%Zt_@>ns zmT$O1di=$G;+9|}_fYKT!U)L+w7lY*y?3^Dq37upjEZ3M6A%`G*TJhW5T`1{#`dwP zEt3(^zr=|tYwM%1X8t?o)!K8=N+Kfou(jUJOx{t>mC(CX{@CF4OGQfE@Tg^!giTFq z8gWCzD*I6k4GmM5-{s)rQ(+<0F7>Lb)(|(d9Ve}mX4aMr;XPY)%f0yE z_#U8<#P@5(y>H*9;H(TCj%d8)t5;Vout z*OA_pNV#MZi?g(I4A*Rv(8?hmM1+2#35sWNnd*AoJZZps9xvc|6 z{71kAn?RDlAa|VNQH3eyX6+MIDTBS?9lZ{K_8x9coEn8_5j1bjXRMeMdhqBGH4o1L zsj$|}z@r$O@SJf&tm=uw2`;YD==b`5kJKJb5Ev3fAYryg)^FBZ@luH3)qSH-(R&+5 z*IXW!Su`{I_y8>m0OiGw=9*^WaLPJ6--@@RcEh0#=)0+((n+~?)3YWv5k`%o~*kMGW7FL{cYmSK9cn;E`j$e0tn& z0v;LoGm_V$E{?cybEvFV)N3;cjb)@bu=>Sm?aa_Dy`=%zX)4r8SbG0g*|;BCTwKIa zF1qHvU%+U~%GTJ2f)4K~dEeJESb?qN1T%y&_%sAW3Y-!EVTq4l$>G^nNmgFosW|zg zfR$sNseww`xBK!@!nV9inp>m?i${Rsn_An^lN#3N8C5mFQUNOwuaHp4;2+zvzH63A zN=_=Yr2i4G?!)yF^J~-d>X~=Buta^MqgnL)ryfAugV^D_R$X>Iw0=>B&0uVT)99|9 z(wlPv0<4*OBK}XMGQIkQ5$0`EC$4qQ4xhD}(0zOQ-pIcGFU@}1%YSIb$2HV7B3k1O znK6$uJy%W+pBQ>r7)OZt1Sjr~65RTfAocUDLYC;CAMz*d2TwFcdss!dalb!jqugGj zm|Ahwf5IPq4`{CV8gW==m~-(?FF%8ahYmGU6;n_t}s4 zq<-{v^YYRzaxIG+TX-7PwDxcA-<@JNE5#Q-~kU$`hk63RvO2e-dQ6p3=FT# znkJHGysZ;&zZK&o-i$sIi7n@~bRcs>-jR;Ad_4oG3R!k6_G?|>iMuU)^c50MCS$d2Jo zF(W}94HoF|-b%UV-K673V`yt@8|N-;nwECM=lOHf*?~zA-+XpP;R6TcmjnKr^s)uj zUV0BXxw3nhOcLC^JD`reQ_H~6^IY`G>=FbYFameZ*#z0{sA{_D&gr*m6+%`7a;pru7F%2@)^i?_72dii|+AaN|%9;VYc!ib~a ztq0x#4ruy;wUO>q5OGj%9K^hy1dP-NTOv7Li0Svp?YOJgFj(^4{zw8tvR_%*gf;oY zmo{UW2V~aP$tqJ$5i_*JJ0bLwi-m=U*Fuw}?kU|efsCGv@C+6P_^+zk=P-3G{?dg( zB)DK4yb}aX?j95%cpdxfq+lD|lK5}#`XzXAFg?T5G8$cmXyXc~sMuojt7>om7o4BW zaKU~LnoIC4n2%8dxdt;h~1_a^z&TfW}jHCqC?UZ*j{15%pZ;OG5Pm85eW--xG% z=HMp>7&M<#z_D8Te{b-0bTkCBYZ$}cyt1~|ic^=+y^jIfs={bdYk<lp 
zkxGczgy|c9|J0%C;CC8NxXGKi31=Iun$uH<#NS~`F^ocW816%YQ`;o9w2p%7LotqP zxr(CzKpmrB)AqmS^j(D6T#zA(AiaGXah1IMNA?ALpn zPRK4=`{8es=-3cL_e$M8 zNIhH6$ZlzZuO)c!ZtAV0(rN+ncCqr@tfJ3E!Vm0-OZp&Lfsl?!bx*gQ=gXU_2!G5DREFM8ZF}wQoKV^Qd ze!MF_(X`rMg4Nb}P(F4@H&#z@9Uh|z8cfWzW0y<3S=C!YJ|ks9ze&5;YBR^V`C2d}ZPYJ> z@(n(FF(XQLq4jBJ$Z0>V&{?6i-xY@Z#yO+mj;^vHql)7* z9m4!d!7~gS0wroUq=KTQnx?~V-?83tv90wfaWTtZQpS!(D3o1Sdw1^dvTjolub|*l zEz>1C>uLIypn+GJ>r}VzpJMYf)beEcvL(tNK}8$TeRj+BPT=9oFAIDbyGpOk7PWrw zdZi)4*?wK#XLPxv&zZ)Z^gdZHTGw3IBO_UK%W~$|idK#CdMZ4F-s3q@(fWi+n$tVd`vzMYU+h(K zHdv!{m)?3_9?x;yt5*6v_nQX6`7``^+kdatRTMe8i}3O*WjWf%t4z@A^W|7r&x_m+>T)2TOyiokgt@Nh!U3TujsblNHMM zzpxz?D!X@tum964^=_raR9#b73{+RvUhZ*Rv4F!`K>S?yZcuiOJfzQ?31I>?iG$(H1WD9?|n^NRul# zbLKqh?df+%c4`YWrKCThTVFg@0w>D~CW!$D>NuF{EulmsVb>*$^azprPL27_Lo z#txNL`YX`A7<*$rqhffj`P-eXNjIrzk???Q+fRGmby!MI@0I1t&ou7;Li2{Drd-tX zF}++#w&&Dsi*wUAbEXoz<{An@-gms5IqveuU?#dDEwaOJu2*iT&ntCqo&O!ntfKt3 z73V7vH$IPeCvN)^YLsK$c=3*Gn93>lrF2Ha`O4}B-_pF&>~6)268*E5={Xg*w7RK$*ic<4dsngRlZEw7L5uT$8XJcth$tb& zV5Q^1^H;BF)8U?r`x0lK=3;e8DlfkA{yJ@3O<(?}>PnhEMTy|((7HvI!M)`kM@R&? 
zNJs7z$!#n?5-KsJmaupEv%n;h)~7zQ5=G$Hu+A zSnynw6KR~epxTtS_*X1rv!6D0frdryMmY(xIj)H}wT1JgnlA)V(O!z%a`9C6*hU&I zBUGfy%DHgj>85s^P~WfoQ;9TFpYrC^NX}04g|(Kb9-^JyS)w$I!*pxEw*_G*okUzq zh!L;udB2UNN9?-4-_GNFtj`f0Ioqv$Qj-`u4)CmJj-2c+UX}9nN5}P-_Cc-G-a>)C z&1}7-VXC;RIo54fKjm%HR2vvy|13%VvP5!*Kj(AKB{%-o;Q0F|9GB9gj|+=G+{<+{ z@k1i%#aN#PXS?a*gvKmxKl3&hx^{Yp?QvEWby&6^|0#=@w;1oVr8seIe(p>Cjapok za2M}OBU8nW9Ptv>8#{hi=d-j~bOmd2m+y{C&ERt4W$LeQ=Fa`IwSz>geC>scB>mm- z8NKSq;+0>%Muv&iatvfT@YKHbc4Jr0N?xb$xoV4lep4;2Z($rz{A72BKhLch>&h3( zB6Ti-KF9(>#jY=p(Qdn69C_i0`E~oF8v?soX@rVY`g`*Z{}L*C^zL6b^>}nlU%`Q> zAY=1Z8%mN6|MbV=g>@?)mSoX8|0P@27Q|cLzEP`x4`8b*|BcAM9UH=BmPG>$5t`l1 z!PobC4As8!UQ)>8wa9y;^kKx=ygfb-8CJ*#5W#PAgJn^?R4!|cmjoM` zQZP|GMCzox;412JSF-s<)G;O>om4xV`_7Sm^f1kr`30)sX^C?X^?o!9-2VQ2|N5$x zmdw}~ze~GI(v{k_7XRa0+9bchz+#z;YzT2KT7v-RqOH*&e?|JkGBZJNk&Bawlfuqvf8<~Eum*+{jX-I{H zb6t{~ocurBz4cdBebhaQiiL!VfJiCb2uP=dNOzZnAV_y(P?8dd4ru`a>5?w#4(aah z=DW`G-gk_9?-=(VxMMs&IPj6P&)%QCVy?O7oKBFUZO&72)}kF!ia_j}e)^V9RKfKR z#=m={tkR)xz3<+6r&vheW*zFE?w;1qYZk9HeR{dPDDk~L?JYUiTbn{e@TN9j_&Sv% z)EHVDlB&;H`MgC_BQ%HiYI%P2F82@id(0Ca3TYNRAPpC1F8D3)961u6@7UJSA$nP& z_Iiqzis3n?BAu_$yc6rzAFXc^)yPVl|IasDSJl)UOOfiMTe}t$>3=~%@A*BOBoGmP ziY@cw`t}_e-4JhcanaLyjQt7+vvD!WGx|-*(8naAM*&iz{f|jby{c4$-vVis#LcWS=U?1Y-`kiBBgYP zu!~HPd`UM@Z)+_~)UXk%9h0%ep3bpaJ;TrX#`~bA@kBs|`f=N_i8w8-WR(K>8{g2l zxYQ3>ftc=1shZ0ldi7qyDTR0IO;2xH-L?!RA}lo4uOJ4ePnLumbHfbES(TDJg$jhbiA7BT zZ`hxqk_d%$66))QU2g0LJYn;sIKtF|Q(xkBuc2OdRqbioKCpoFDKXtfN26U|^|yxx zdOhm%UsN_)d^I>9sZ=4u&n&2j?q-J#=?{2DC$)(?$hVT#Qxe&TmAUGr{k zZ75wE<&pYJ4w)@EQw-*p1<$$ZABxN1GS9w_pDx3d?t1LM>mq8syeDsTl$E?9y2;zm`{5)(Dcb)W7WfKuL41IML-498J|s%Oro^ z)}~P5lbC!zRCXKtXa%?6Q3#IxUTxWhTKGJfxF0437eCr3i4u(;dC6^8Y(>tYp%PFn zYT|l!G{zY}X=_!@b+LBnp@rJnA8?V~$sDOIjZmuN{M3xR;BVdx4(aXKxK05Al=jU< zHCQ+BupV2@{?JEXM*g$Yzq-7CobSXaNjS-&47j-1Y>!ztvtAqya757RCO}5cnEXTo zC;4C5($KR2AIc>Wes@6&3(Q9^j>|ptdEgXoA5MP$v$(gCp$pE5RxG{fv z5G2*sE=ARQ&D)n8^4G1RMK8#x#_R5FE01e#VCTQ}511J#;3qtlw3n_G_GEnb&rlb! 
zr@`R*nB*|x!QEl9t`5j3?%ms(l2DiVUl2l%0XIs2do9N6_L=Rw%Mim13c6t93<`+z z9S1=ptH+JBp*#0cz@i{3Tls8e8Bc8@nHoZ|$>0Za+vN-OiR60?n(o64?vVVFE#hiu z7jga&7;LUIz$+DTCx66rmn~FwtH^%W5yg&pmn@ICM4h?hu6oQWirOeQ-PH^Bg5R@M z6k>h-!+HlP?i=cC30#*S!|B>W%jl)F^2$raHgW9;x#RfgGO#O{W|jSzTicRr1?(=bt$r zXCNF9;GrA4-Bl&j=38Oj;s|6g8!a=!z0MPY}0PcN#lqU7mxkW^o9SQ)x< z_E7xK%wzREcQKZMFlg$3Ko|3BlfUw9kHS*}TY}~V6qM;c0b8f}o0t~SA*x?7(G!Yd z5Cbj+@6-%3ekofd{~9P|a#fKr?wBh;IUp=U6;s9XINwtK7~!4EI_^n;^(iQvfNbeH z2nvN%yiEgm7@aHg7%cb*)3P4}y{c_0lMa`lgQ0(JIsZ1$-3KZIBHu0*@<%!t+*b30 zGL-q;AtGVOIEz>>ev{)>nsS(ZED%(1>gi_OKO78UC9QYL)aS`w9H<99;A zSr>RX?gol`ECx3C}B9b(}07%Z*`-6zt9x8MI2Q%JtXVMEn7Q%B>hy`f!;F~lSj zRjL!)2ic-6gWn9R-G0vFT*cNm?hbc}YO0dt`w%^tIBfnqh{j4lg|NYXpy_j6o*?Ym zyJ^B9rmEf+gf0UMyh9{{7gsjHY!UqUignWc}x&rZCF>tCriDbQ< ze3I2RMfmE-6HMmBk>WkD@T72RQHws;zwb{*KKlRxXbrSC$tnT)yB7V3;ss7d;!%_x zouZ~|5}9qSZs@_4!j?R9PX1B>rjcy?;bvV%k{D^|g4<5YBF<(>)_k_&Ou_#k{Bc;p zhqlWzGoQl4Y4DhGsloEoAGSWz+cQxQJ{ps3*ncReoc(G#j( zUC`@4uF?8>r^|S9>?>@Q>Khs=rP=bYM}ilTXYX*I!JupvSIs6zr1X)f>U8v45RbgJ z6z<6adnbW^Ud^N2a~bj%Ycw1^8%8q+hs{L8c;Ky+8PByTCLwVL6EhMtBrsswP9COp zv{^0q)h7`=dw<)u;(z(lVA5AeIW@J2vz)}Y-V?Nr1|4>G=Jv4ftT8GiVMeh<=@Qc}R+eF6^6nReH{_>UVcPV?SNzoc7&p7Uxj*SiZ zFRg;8l@*aZovM6l%kezSu`vxoZYO*m*9Y0EQTgQ$iHQTQbDz77jV#uGmBS>d3=|2I z%+6PPW-UXpKLLL{4EG3B&)2&x#3(7OqJ&6^~hwE5Wx8Ye z6fayAl?)LvD&Rbjm72x824l>c8buHwywef63Fg?YFvp!;Fbpblbk_OvH$$_`gpl9P zyYPL&-?mWD3?MmJpN<{Mp`vXW<#&53fwBD=;w+8k@VCK1DIwuh{8!~fbSi&+El-N$ z1mA*ryEtPwWt;E6!7R;~N_)C_$Nfj}X<%!~@k@tN92B+sa>rj`68#B8AZUQm#_Rmp zyUJDkXe%xxpd$x=q1vTO|8MURA+Oc9lanVPL;>Us5ozflf$Mmo%x(;tzp@Y5i(oc} z0?fGXn(E~nA4dOTo0}V)9mYwXV;(*cpKg9owmRv`zQ2rRFjhPSj|n!Vg%lK?O$V(9 zdso~a$jAjci>87Ci(i1Gip$;8p2c;Zpj5HExveeahR1yCb+Ur&Lw^aRmkN_YwY70J z#}=3kyS?(EjI<-ZG62gF6i@oe=4`}y^veP&U^9xqzF={&6bnnlF)K*F+&?66dQ4=C zVry$4dfFMY&grs1D;9DkG*3B%a^l{G*%Ejf^ai8)q|%o+#?g_fttDvS!@q1?I5)t; zc@w13St#JZYB4bae0Hk=OPCy7cIpy@Jia*Dc5LBy-jfI>tZ7f=+yAgkmSjTw__6o^ zW$NxGH)5S*I3;=4bZRa?plp9VKNX)#Vk#Dl7G!f{zs9heODBs@M`XF1^!A3I9r}Q0 
zWf|>c)os}40Ivn#?^HYmC2Ul{yDT-YU5*kR2cFkl_hhY=t*r=YTRI$xU+V6kXcW)p zW}cHo@wuNplOe3_-klG?$^BHzIMwYqeJRs;C-KCAZY<$HRGCf*mSsIQK~eV_1%)Vh7_seR|iOP@QfE zvj0bJtb0RDvPVaecB^B45C-6Fp62l>!)O0RR$983OJi>*(VOW=2i;$zuVYh}H2j_l`3w3*XDP z_2(Z&d;1|r+Iyn^8R)=O-^ae1IiL|}UhXrf1pDx8$$fIFTCM)}hJ}O?Pzt0zxF{bb zM;z|ABOF`$_lE4R)hYu_22@}-MY3dV3oP89l!r^o^LaALKG_e?8d)rRLrIZIgYfK3 z+tQYjQl7urJHq4?>0EQ+_>3U+OomR0KB%Nb{dMO322G@M5bCUe>3oZcM6Pj5%h~N= zR`-}_*!jnEy0E{!`CH$DQ8opJZ0%TzXHQ(V5_nz!TZ4|zh23Cttj#~B#JK0IXf@x! zJMozPl-0?=K-nN9SSF&?*yxwiRd7pZkB~>h7|2nB8?kz4-@R*`B<+4Um&cAn7rC_Xjew+hDn2KNY$Qaiu|n39!?KMaos2*t5FRGvvJs`2<#k(OLD8))CF~RkC9#zW zUL)=!(fn5^qoxsSwKGG}BD=ENZQ=Nu+P{Z!HAj1CQ+f(H%W35>3S_!o*7iWgj5j}Zl4DBu+WuSfv!W((e3 zQTm{pha@Jl8_P`V&o(d&TFNP#VAOdw{QHM%Z*PCJ!6zG)7xbiUWu5h_04@v{TY}DG z?_)=TszDF(Jqx2Shp4%9R&w|0vsEA*B0@ZLXKOc$B#|CaUe};5rU`Vb)<4b!h)Rtr z&&h)Xagx8S4~z`|yt}%nRVzFCk)oxj_*FTF5=9wAp?NRQ%8X76`OGf%??GlpY9P6` zg6++z&ZS^RA%=ZLPor1%xk zl>0TipLl)2S!Xu`WgHRBsu_1KfO+^ckbWcPqyEonXo7N7w}4;vwfZa0P`jLp4r}o{Gq0)P zDf{nwKTqm%oo^9-Jg4|mEejotz|ztTA3lEkEiR4>(xJqNw3O81*wFbOr%>sNy>x2b zDRl~d&+F$vxTRL_f0M;aN%`&XUng2s2WR8sBXGaIkA~hl(Eu8>bjV{WDEN|+@{YeY zUszbb)7h(Mj>lmV;q0*7;&h?Lb`==b_~=v}}V z_2^2|wt?vbQNgwMH}atV$jg%f!c_oIpzKm@=`r|7Ssv$)xsHsFSCv~ZAZNEzZo{>MDeXyg>_|FEE<6$Z9!_=P&1!vgW0~vvI(6AdF9erYR z)QXg?Oq$MN2n5Bdz?c|(*mQ?=#+uv^P@M*a1<>P9`EIMpQ!L4NwGhU=t2;^!zGJM3iFZ#2U4t!nv8qe+U0WmC7CXrAWz9*kb|C z%NNk$giUu9LIJB86kw`=1*Lq6sWNQc{^CR$yVjg<@yNt;eg>}r*nA}+^aa`)>~Fn8 zO3B5sL!o#Uk_eYQYs+Rjs4o$bOn>%;T@Jmj;iJL(SGxI;kp5SNu*2Jt|^VXZgE*ub#mRvmC2SKu&# z(K6^@-a(oOfGWg8FoXr!YmmWy59?+~KO(Tm(f|1IJY?Qv>JJyFa*|O~-*a?4_H^Sz zo&;qZ8}3@htGM!V!&o-Y648ltNk?nzg4VII4F+RRd><^`w@{F0_Ru#E4{HG}sIHcG zwFAVmsi^J(odLEkVAnWxZWK0;R={q$rltl3{prh3phQ^kz5~~&ClN!?$%zway7g^s ztEo-%8yo0?T3Ye{InnVy0w>FhTkJC{AJVDA+YIgY6WV<+6h->)PV7BM(>$gG<z>gOKi`y7+adEymIbYjrD!ieVny9&qPHR${Xy=}tc_->}W(&u{+NMw? 
ziv$<9aen3=deFg7t$#S?<_zic`1nkqQC$y_7p7~un&4&peoi|TG`hJVUQn0lByf5p z{QQZUl8OziEwoPx=}N9v4UGoQ@K%F3S$jl*u=eE;H5L40@Btqki%reR=}HyT6M565 zSQ%K|UqZ}>Mn=gU8rEHUdukrM_U;3})xgyBt&-Bs*PmxsR@Y}1DW*qG?0XWM^$gQ| z3kq)R?$S)u9;4EIWKDPXvb7;cejAWgq*2WyhYmtw1VTS0-zArZMl7;w_wlLh*J%Wg zX&y(Rx8gFHcKEIcxCZ1)>jqZa94p`@<+;%4Q8aXCQ3V z40>?zJqW?xB@K=>%E`$|FSu=_fBeIb4~&}g)Rs+%LBYY8AgX!&a|DXllflQ26;_AM zpDlNv(X~(jV~yF~RDe=?>vGt(u|a=jRPXVP8}%sg>hx8~N=k5zgKmzVP~wK%U{H{B zifj^BJg0}YywUsj?G4`3y{XGNI0Tr)eAT0s=Si8l3BbsMM3#OaxJ~u?_db!LGO>#jS1^FyG6ipu8YiN zMI@%{dlPrYaRf?6ZU6qbtPT|!%GMUeze;mlV&eBt><9W;@R{`=foZbR9}=itf(g|{ z!ZU_$fCAN>TX#CiNQI{AQj(Lq>t1i3Y?d+mZ-a=M>%l5t92~^vlEVW#*q(ZwQSk3d+G0?O#K z))z}#B|9lDPAqPC{&z{y%v#A1>co{|mL$h?)3<7P%-kqdjy+^AcJJN)CPpnkr@TJf zj^hd|r?Xqt(&XgCdac1+$Ss||R8QrKDUcQWsnV6u`hv$Va18c;az{%K$%k?dGxgJ1 zPzA2yqDQ|55)OG2c_uAwZ)Q%NdT?CYM@ZsrTP?1c&S7H$Cr~ym!>E7C_$DAOh_$V0 z&(Lq!QAK9|IEnek+B;+R((5iRzphN2-d!8al~Oyg2vZCOtN525+J6!#YA-SB2D2{j zp^stKInGyxe|Pfo4Jp0(kSO782d)7K(=69FGNc*D8xCZw!Ww$;?))|NPE}zs%VPVG z@?R5x1Cqdd(OJSkT{ydJ?Lb9@PNBr1tB|DTVyBFH%dSNMO<_LB_iS@Rp zPN5;%>+iIoQ$G zB+@EL9dtNAq}mvSfD>XZ8y_I2RW; zVOi$+CeI*{JwX#P0n~VILJ;VTE>KxKTf%KI8)pw#8|skHQou(rilDf=6G88e^73VG z^Wfk^pd+SpXJjB9mK-CPwga=WUVzBK4};7*kZhGI5_5C81gh@$MN3!N|hMAftNLJuUSi>e}p*zyuzC*D<-{jS+ zLFWVNKy99$m+vKX$4&=DRaN8Aa3pp+m{QT)aN+w$GF>P7Gih>r8#kYKFWM~XcACzxo5Uf_m^VupZ_lPT!Jf{MI*6w-9hGA^1iH>fE&)ej?#9;c{ z?UWdvG$hg9-VYNUT(CA5kdbjGU2>e+@PjLC4o&^f>Dtl;$|sbC_29Gt4I?hdryxrf z5LKpO@Q4SsC8R_;>{o%BP4UN(U=Sd@IkULf3{sH58pQ+&Q6W`TJaA?PKY6TA2*eOi zmEK6MW-BaE{M4#o0pV*iaF>OmQ4V~JZr;3k@7}$--rk2mCPjLWhJ?s|z7_^%C^aVX zRd1;_`S`Kg)=W`DgAy3pP0f@bmW?4OA>opIxIKw+<41xlQMwHjVZc)-qosWI5j;r^`$?3GopR0G`!ZAfPwp zoedUxyaNJmMd_~V+2Za@o$L^XdNg{3BIjaGBm#S=8!}g!Bku1{8Ka z?Jq9~;1Tf*dw$$Vm-uJ1-$Isd16!}0s;b2RdYQbERyb>*~SNaIyou~P--j9FaveExpS%kosjc)9T7W3lk?$yXr=h? 
z67k3=Jd0v?ky7VQaZa3D`OHojj#y|`U zJ6FU?sLO9#T37^@mg2UxwTqXS-^f*fE*;7uqz1!?V|KeWy#FjLI)B(!1A?SUX=#&t z_rVB9r>^pcBYX&Y9Ry*V?d`*l3n8r?s=c<$wS^ZW#CTM-My~~g^IM4@J<|QK0c9P^ zFCFl$=_v%YiUbX|yNX3dw>?ghv2ry=7!SsD!+O|}=F<&SXTL04}l)>c@t9!$)(J}4D$DqcO-C5k(-Y$P;W@_puMM*|ML1b&Y zSSjANciDM(h-ekTW6N@hDw8gzHl6f*+!6PU=+OH_zuCi+zU=Kk$JZ{(+3uN)I&HBMxhV6$5(Yps2@ zF<{Dt0RWU5{C_dYjoiPDkGYn*FT+dCTZ{A>pST=a>~^bNt&8ZUK_BUVxY-$ zvIyF|+r#_&4`3(CyDznhw(F-G;l)P6@!#!2^c_{=V=w`_hl!?2yYKeT-s!O29kH%e z;f4n<8zHE=yk`=SKhts)@%QtiqM?z_+Gt;_f($|%!8C>{j1|HHDliYfksp86HyKwt z{$DP@&xP3rXdB4M(>!`lPnl7)T)5)S46GcZm=YW=$G!@!EA3H#z0UnXYMGe{00R`1 zSOF;hw%>GJN=gB=Tu@14c?khwA-Lb zie`C_!_7?r_eU=@kJ;|S-G&Bz(6FZg+(#6&D%4NT@%aByPS4cy8yZW3-t6aodd+X- zQR^cQWXp9%ek4=9@8D+sILwW3yxh_I@R=cYyT4rA9u~5q1+JOCe9^f~35|_?t)IgC znuxvl7GO((gr@-tb5RIHV{R07kReMyK?Mg(yeKwPa8V4v)tup1O%X?jtUj8I4F(6nUJtkx(QzgEKorCxxl~j z?2Oy&+Le9Nol>qpiwtU7=msgMSMd2a*I7=9)^F4VWo8m6=TyRSf~ibGjkrvyS3;GC z(y9$3qmIsduHV&qJ~_<_Weht>LL`3m9HTwj!tP|}FCl~r9^TSP#Vid*j~%$LSX6Bi;qpF?UWHdT(x zugPwzzZGT0_&(=pt^Jl3O0sNfgi+iVH=+_KUMU&*@i|n*Tn@~-f4ttWusvsfT|bUk zqom3#n%^Gab$aR#OH)D5T>5`nv!!#tco7=UzvwG_UP&8%13He6DkMMj)B8cPSYAFc zHnu*pi|QU4W^4EGm(bM8AE}C807%Rkyj^ZR|Ki3~{Q*hu9SjV6Na!C&2-CvE@IfT* zhmzxErEqyAm%{R5rS&OHt%8GsVk9o|bM}YiP=blB5e#u5w%7HFQqt(Fqgk-qiIC5( zf=h#;TwlujE}?u_FTqB3j&@R{P-&G%F^I$LgBeVYyI`JMsCTKC?NTY98@m<>YLtD* zV!8MCQ|Pp5wA+J+%}r}fcikU1XN7Z^EGuUAGHk+x&uDt;0qO)MC6(Bh>I4c50_WM) zQ`4jE%96X*_O@wT1Robp&+l48CObPY&nk}8hrC?nkhoaimM z_mw-IpI;!DETO34iD{H&<-UEjJ?Yx8YcTRH&|eJ3Duos@c3b^Bx!77)xpy#Pd*DOF zrKOwy{`|nR{2xL%D=?Ep>7Mi@%2=SYGl6!YS`1Jz~y4VvQ$aF2}K=`ufin=^~J&g7Itt1Q!r6 z3JW9}&n<7nMxCYjpDmQ@zZqSuoB-XwkR=tDk;%-?B&c>N`2j`Y%6hH)-S14V8{g<8 zZ7Q%dM2Y?v-5LZGl7(nsFMCYGRyXBe(On$JdtXre{<|c&DqYn7@9mblVw0S#jon!u z{fqI`U=6_V_IjLT~ZzNBz? 
z<5tG(X<3c_xaQ9uBf`mMVN8VBOBTlMO>RsJ@u*Fa5O0&C89x}2cR5b%Do7pie?dBX z{krqN5nRm&n5EO}Uh(Nx7c`HxzBC_u1~co6y$X@L%@j|C_mW=VEk(>1Q*BAk1Uyh25qqH>7kDi+i2+ z_Rw^{T3**YxE(o?uj>u_dNq!}kfTKi$o^WjzoUQUc0FaQ?9e>UVxZ4U@lZ`!FL(NH zAoQBLcU6&t2Apz159b$kM@Kk|>#)nl=2&w6$UW8pTx2LF#UI^0Hqp|qwAq~_LacB8 zbH@a@1ccC1dtF;vDEo?*rO+{Af51P8V$oJBu}PY90&Ec?60_Zkti&<}dD@(M2@^m9 ziV@CAYt2XIRDgf5o0*U4f9OTEEy4{XCET{g{r{YxJOmA#N=@ar00*9bEQHHk0m|`UfyENZ!*@%*<;U&R~Ea|9)xN1~Xg6 z$94M8D;;6pfeIcM6REG(}9ng`}wfmy0*F|=<#_(2Pm3&lPINEHLiYxW`{rlgz%_W|*q@85cA7h?2jE#4y!+8nHhng? z@}Vm@Ayd7?hUD|-SyX;BgS`cQpe)!dtl&g4jejjD;0J%+pt)!6=iPb`wxweF@hrD( zko~+tiv}s_+-Qxv!)I%>B%l8Y8x&=h0vYCU+a?of&j7oF!v2rqN_WCT_Fn>>Uv4+z ze0!JLGW1>IeIUv8T@aa1(O`3|JYz=!JZgmtnxd+DZfQSj#t#!#OJafGcUuz}=)`kheSEkZeH>?YLg~;+YQA&Z)7c(%G621%ajA>d z3Q+G#BM8PYfHTn3Ll@*ps!U6NU%1;t2J-TF#>V49)50>rUMoLQ8MSr9zddee4uRo6 zSMrb`1yt<)@j&K9s4Yr79UtE?X0ltv~t{nQLmZ+h7iD;qt`kd;f(R`?xW!8oQ_fJe`s~(2Y+r*Oc8m-!{PKPa%7L z9n;nw`4Z?4#8O!4ZqCc3%`Yx&Q(RRc`=AKIU^7!T)uiu2^G|jKsH@V0Aj*?gETTVN zQk1E1=U^6q;|YIt%W82?8|4nx5%|RhKpsvT)Q5B@d(Q>Rnc{ z3(x;0M9engLGvrzybN|uEJsxq-oqoky*~_mzrlomV1C_*mcgb+=gL5*L?Y>CkE~Rf zV~C4uRHg)uD!Un{$n_0#l+nUPPAGzR_GmR%E*l#S?qh{CH~e{DKO!sD*erVG`0*pF z$F(~>aES^ES>CVq7u-$+E7~lDB`t}mO4SI|uFdyRYjNEP4`z<19j)figi}%;f0tMc z=bDmw89>XzLJXCe^ZE<{AoXpUM5)*`Fin-W_-LH0peiZ3pNlQY?^RL~BLPY!cT`j; zZ%^n7uU_@&IOtVHF`O(jGBfAa*~||7x3Jpa84;J0N{W92O^R9vdTWWsH;HN*F)T2U zGab(M1NQb@xsT5u+m($90l*;Txu#*rwR>Fu)%_^|)~{c~kV0;GtmH1e)=5x1SN;GH zy-bxkRPtiwW~`C(+N2P|YJa$l`}eaZ{_Og-NM~ooEB2ZVT%?g-J5MbgMs~aLIL0Rf zDW}+6)i=mfy0NPZIrKu-SF=$Jn%k19ssvD6TUaEv^A*`H7;NlS{oAk3xxHsVBcC#( zG~4Bb2FUnlm@FdsemmN@5fKlPg8z#kSE(&->*qR$fRB%sn&Uz@0_H%ri*OhoiF7jHiX={t|iQEP*L6vJz$%xj+A+}+y zst1mnA|owo84gbyb~{~?xbgO^`!yKlQD@vssSPgepx4Z9^svp#r} zs&}Z%8&0iu72D+kmp9tD&GHd8%y;9BzU(A}#z&#`SE|~JJtEhm#AMa{e-nFCe%{`u zvg1XW9;VAv6_@0TF5Y{dd(T$Y&pTc~-}0~8HBus;1oNW@HFyg*vIpRlfN4RDz_nZ6 z(bQDcF**P?X8kMw&dcbus0GlxZ-UgrBCm9)JBX-16uO5LHtOx|eQv2^>v4JLx;5qA z;`c}r(W+UN(la*U!c>J_e-1SGyDobrZXL;y5d60FR#g&*t*|$H~_9G 
zdwBAAj>KFIQ0XVlvKQgZ1KrnTBhv17hbVG zLA0#a3XVoy6K^NE7r|zP=IF>7493a7-eE{H!*>M1%`aeKm9Kl(dTqfT!1Ls=QBWrc zdp2}_L{A6L$xr5XJiRDyQ){O4$tl)-P$Y`eS_Ci^kFx;~tTmclIEP>kp zy*n5he{-TNK^2t#_3K$0R|4DugYNhno^->-<(wn$n)j+-IT8f~NMZm3Yed2*-ZPK%8e;oA4wfY=9h!1YRs-<*Pa43pnhy%VbRbM6b=zk zF>yT0)?n-M6g^+kakYO)oQqsL*M+9i&RV}MOq=lh5^G~)pT#!gE@K`WVi}lcy>Ld_ zBd$K4Fx$r=ikBFVR>yC`9NJ-nxB2s}Wg3OSV1w2uq*ty#j;rz-*csmem!~}4Do|U` zM}%33%Nc54!$V|N9L$U4!KWx({kI5s&xYj=lmgq3ts4?nHN-*^Bx4`GL|ox#IHQ zcz*Z=x=jELD~z2%t!F%rr(4if4O?b`y7zNQKqVD zM42hs{=9+t+RqawW`GKQ$Gy;7Z~On>fB3(yscV1v1}Eo&u&^*$mGC27bvL)0bgCQk z{fn+2OicQd-66B-bIz?cmzob0Z7|!Cy6<5=c;QvoW`as4mceW6IM<{M3Zrt)ozvG0 z$~gz}S2@Z>0_Ni~hV2n0F)n##v^``|)LK9J;@FA1_D+f-ljK=qOKn zHv9EE>@~3=dVZTC_$U6H-uv_b&mxD&)<(jad?IFm=X0E2EuWzdsic!y)$Plf& zQet&{q{Aj9v&V(R!J#b-Po;%~NFBHM^?J5gO>~3}`To0gGw0lXy}gboUcO?xd+&ej zscC851VzNAzi*S?1kowh2+60U8pLoMtF|LHyMYAFVjmQij@DlzEKI9Pvn#swg2%~K zVCmHM+Ac)ERg{E>B zm<&8&w@eiB4GyXqz4R|`+sT8+M$aH!P~3T0-;-f#A0MC1Jj>&_xGr#Y67GZH^HQ&& zC!V+BRpZAe^ib9lu@*9Z2sLSGxl?SF6Lji?y|>7k8Dnc-!p&F7Ge35bZ~Pdp&{AvY?bXP=E_uSWQKko|h*y$*&YNtmif)$0{MQf2w)6d0`>4=`*)<7?D z??UE*ts*_k2^l81+tZj1(l-v#dD3M^*Nc?e0_opZnjVF*}&yq2ZM(gO6&ZTOL(S0WQ$|J28OSAIwlun}YUPl1BkiKKuA$-JT3}h_%J&6>7#~xC#pNRu z5LfE>{B@Z|Gvg(gBE2p0P*Wqy+{TOa0^<+Wa z>-+tiSUl10Stez_?O$N?Xk_gZ}MKxST%eMbShYXN`js^W;r z=(~GYSC-b+S+Bb^-rv9H)G_709AOVnH%r&@<^Hl|y4EQva-@Ry(B|gv(*P9d}V1$NquRyFU(>x!}e?t z0}7=S`svC|PGEEvZ}+}zbp89Q8aj9*qt4xVNhOt+p5@>5t}YlRpqQgm^-OjOeDN=tCN{r+}xh&)VsUizHX+%aao8meo|bX_233v%3?mo&21Mgl* z({|Wn`b>NH1nqV}RN!BwhNx^;EaSxNLQkQ#}wj)RNGp%@7O--K0 zw#q*nQKv)N?;%5$a<3_7Z-KEqe`I9Fuj!dAde>|IND%NGsFdb|!kN{b1Pm)m$vHXW z7X>z7Ff)s*U+LW}w`~<)8>Y*bIzbBJei-}p3?K^SisOX^!=-MbgXYIIN|cm7US1+@ zeIL`>5t3pQvtJ`BJ|!n_`}zCdn7QDx1pkDm%qgiX@Y$n33){~rmHzvZZmE&; znGpE|Y`-o-TyndU_LtUhNB}+ul{@{3atn0OPuRcixh<8Rl@+r(tM^u%8Yz9-4&rlt z10Ct?#o75uASo>J#NV*ESmANHpC2{5`GquBCKEmVV}aT-6N?uL6hVkaICtfaj!Vmk z^Lq~hnmRk9h3_&w#y?He;nN;kyT&FHvtQ_*qypwu#OZ!nf2}9o9dxtYKRs#Ww|f## zv2k(5kvX>8{gT@c`h>EHdyYCnTR=v 
zXby0E3F&94YrLTyVPLgA6$p1SEbK`H^{n7Xp7em(ej`@|ii?ZMw4#bL9H391zDr@8 z8aJ09vCw}WYC8}`V_7SAzy5@DEt zCvhVGuJpc|LfDtq5P$@$evK6rzJE}l*GO*EeegqjTpWn0Nh-PP`etT=iM$nk10&6; zNt(}cJ=_CuH&K3=$DQe3Xmmtv*N<@A+a8ajR?PTbII+J%fpEEvws33aa9t1$w^)Vi zXi54nUdVo}#1cFhuah2^W5#D>WVaArOe}kR#yt~f8>MH?#S43juD^60y`X|cIQy(x zo9l%0I3~_HFNBR1=nfN;l9PXlv?v+i1Hi$5Ycc^ms;IcRkFL#!=Q>vjCaR7%ind?S zfuK8!6^C9ElhZX8}s(@?I8Qm8(9jue#QC%NM`0rbPI+61+V{FxNVoFw4R;d*w zD?IoLkINg69?1iPdk6I56e?`25qc*OcK4Q(dcHZ~HLs7nj^}c}<#}E9%2Ga{D=yRR zi0wL9gRNtyV@w$R>F-a8eA@TW&<#%a_}nIDHHv={X;*R=ICQ;$m)!)4n3)+XT!yjW z&z}>=j(AAD$=!wSz2FBUjt9u*r5V=*3d3CXiAV`u0X*RP!2FJ;`C`^Q{C!gc*g+Eg913V^P z_YgDUPtkn>4OhHs6;}5%ZsdK3J_fd;Qr^A(m?5*-6HA%Q-A-HvPgR% zN6u1}8MM*!RS)*)=%(`??n@E9fyrf{Scq9CxBvX04vb^MJrW@(K zy0H@M-^H)q&-jcox&nUzQ)`dlK%Ky(Lpmw4sMS&-wq}=Y^TWH&iO! zKH&ktq!rXxclQN;PRO0u8ua${DTvGPD|4{!8a2CL;<svGZO>kmJ+2vi$`ZblKHSyrG9BAfu|4Ru zJz4dEQMXd8PygC1{j5ylzlL!^Oj}0iN~7Vl_f*Vl2dSk`> zQgOq+fBzmsEd9=u)QmU%^Q>0pzlM}c10qxr59%%!M9061oGjwFHh}v)6k0$*=7ay= z{b3bcK4+i>M7{0(-jNyw^{%fi#D6z8ogZ@4pkzvcMN-qg^}ET_>%UjIuoEV5tG#+? zvPoy~zpInJd>IJZ0>2H;+cq%0w`+9+%&#J0vK7seUN!5y@R-lFGX+SY|A=BwLjFU6 zL?U-<4x_=v)M|Pe9`2rWg~KL4_%Nja1eB~-yT8+i86T_Cf&9ck2Zy`Qy&leu&rVh2 z+pk4}i!67Q@M*?G#U<*eWZ`je5%$W;l4lnqzY0KRuzU4TPc^kt$(8?R$k(}Tvzd(r zp5=qt+L64@HaUatN1Y@<*Z_m<`{?M+>vKdEQ*=nYZ- zQKPdEPDm;-9X){wvJt#Z-7?j-HxBv(K%4O&eV&dgRBS~6Dt-0Sk))GdmECK61{N><^ z-3*Jr(3C~CD@(xcM-Wj%4L$C4L3|6wp+ zDr`L$&q~hiR(g?E$Iy$4Lx**CR!OhP9yaA3OSdi)TO2z&>U4Hw@;Zu95iAOmp||5? 
z%WVNLK_~w6P_knJgm(*#4qt-~HMqqzK`u6E#bbp!8eA%J>A|OZ zu520)*0R6u#Xi6@gC%AArluyivcFZ1eL!U`vb-jIpK@?!{~W-Z*^LSudad#xGT&+x zwOS8S7!IYp&#AmPTR)~f2CE%xTGh3#gH`t!-gM)PsT?XF+5 z3{puonBJuLP?m#y=~MocTd)}Y2D$J`Yzy_lvTRZ=?PhaRlYDjTUHf&!@=U!mZL6F6 z*PjX%AvQ0*g%8|AG3wlT*S|n)(!v1%2QpAYWPt{T|r2W35Y#d|{Nfeq4 z7&bJ7Ji_$=KROQByQ>exUmwb2v#Pr}H;-N6{E_VQ>qPJ_@C#0O2K)Y8fF~)fS&Tan zg3#|o6-URQD?FHoGSYA4ehBho631t5WKC4elVelm>0dZGPKhQyXIUdJGCDNw3*j04 zv&w;TcKEUF>s=-=kI0jV6T@`f-O_$l?NXVo-2><16NhgM*TAh$9G}JBDriY@%-;H` zTE^>o+)X(*dB1@y*mmte7J#V^ECDlx;oW0T$>navg3{83t!jp*ro`E$+#oPe`P%6F zM`?_JOP|KbsO998WWoHerHE)!!+ODpiWr0m&`K)vJUcezwQMFWsyaQ>u>-Q#!C!tSJ5CzzPASgyda- zm|B9@h5Aw)eyQ6&{M4--3xocimLM_ZvB|>2r(he~(p>V!huP4lND>3EXZ;U9?+RX? z;rvv}inh^tUKgnw@(2f~aStaI>Yf|$EWrn*sVAo;MUGl&%ypj<6&qWao?e09046`N zT&kIJ$rtL6^G{s<19fWTZ`^nRuPBXfTW4Hwcn4uiFWl!1TMR8Vo8<>Uj8p z>EW2;ho3AXSU&)jQ~D_v5k$bZI#Nr40^oYX2!|h+?H$9Xo;Eft77Q(+5XWMQI+T}o zMc>pcgBKJMi7EMrnH8UzpC8b3t;!M?{j|S8(Ew?OGuQloT08G>s{gQ$YZrc0vPqJ? zvd1wh*|TFiC?wfs6Hdb(DICfyLiQ#yilWHgJ9NzKacs~1^?R=8pXa%r>-ppHS64Xa z_jMwX*JW@UrK7ORZN%+VR zlA**qo8h^pZmEqj;QcyHr^)QsS~D3SB>6g7%q;FH@v$^0w>N**j4OC+!(aASpX@EHQOVhvSa1o zAccE`yG{3dVdyN81E|3GP@)Zw)i_Sw_zinH7J;pZ$v=k-0+Ha zX;fawYhBZB$SYyEBAi2qLzXRF0V07Y{;|7Dp|yt?c-Xr~=OZTlqnFf!FP?gXBIsAT zyj3{Z^Q4g|VgbHE$@y{679kSxd1~&!3Sr|}Ph2fEIi1Z*aq%K#Ax08@aa>YT=rk*m zZi?cthc>>Z`{WRnCxK*D?6v>|sEdNO5NpRwrzO;qjs9{$LGu)|;ZKxyqkHsS83ag; zoRMiM68uZrNQ}4CNQI1Wk#vu10$DS<+9W-la|z}qJxEr|I>x2Xr|~^RexPJq47MYv zQI3Kl65$rz&sZcI8z|clN4d9t%eAz}Pj?rLYtJvv9NGoaPX*}F9u0y#_aP;(P3*XYn4^@A=fXVw zw%W5Wc`1H%Pa|DBo66v)$;8Px|?ONtd;D0^pT znf(csShxF=4L_lBH2LwQ9#;eu`6BWFTn}_Sc`OxqL<~%jAaPu3^za;MDKeD-uHNAe zWN(}wwvb&jR0g%h&UIgI8J$~Pc`OaHI zb`%zd-6+)n<9V86HheW8* z!`(#kq}MDl&^TRwnonJ3SEkd#))tz;A8WGLg-~aE@w4v9lYSq&=iA?30I>`j8$>yM zl7s~zU=b6QkdT8W{4nFkF)zS!JU-_4TT4sy_d)*aBWLkdQGW^u%Bu#IT4iA zsV6%YMut>0S&@>{k0yXgI}7-l;NR&si&d_f8J8xhS3LR0Dw`urgD7o{oSw zC5}(TwFx*F>py={&x!tY0(lQntSZ#^efe=GQD+XvxA3FRUk)mdiF>z=01ef&%Nc?D 
zj>h0ncKzl&zvAyy>WJC&{EbMo=Z383pm&$QDE1c;&>s7;ODN1S5Qy7cphMDixOU;% zU0Ki$T`6sJd7N=(@H=OVD8!;aTN8y~)4pja>gl9uE^D+$blvH`BF^(cCLFE7*{bUJ zd7B=URS2%hm{zX}uQPrR8R)9Z6$Q^5wo@HL{<|_HZi@-Z+r;uRp2>iy{ccUnaB*() zaFih-p+LSD+RpE#Y}g$;JYnqM%GIlJPI%(UzvvTp z$F9WrtmllH)em)j%Oq~}t-a;q!UMw(GJ>^r8A!^Y09Dm+X(xPxLDr2Dei+0=m|Ni& zYWq*AZq3A)Cd>AuuQ8-&hZ6sl2KS6fV%y*O+YNd|&k!<-#fz}95S0;A&)uk4^_OsY z=v(%Ed`gsT2@~PD=^df+95(`{;dL?FrvAq!Z>2wD-2z!;zSdjt&G#`fU%h&qf+8wR z^I!M#&lS)ep5;59w`g$rSw^Fg^r_)aTQi6*0z(&NVA%`^iRn@$L1--iV^ct^>&|)Y zQ@=gY{CeC3KH^x3nB%S4K1aT(bbOxvwiqGZaMR`d%F@*%&&#HdYq!Or#P;4h z)k5>lOWY6Iz6Fn1kL#f@6CB!uub+xByUhMYekr-M!d0)UqoZN^KomZDK>pqH;3bKR zWUAn@SbLH>nQIsY5!j*T*r5x+9TTMFUjVB2+XF z99dy${z5>8|60^4`VKjx;l`S8sbaAYC!96K@PngO=k~e!nseYF0wAvCFWDqh6tb3Y z#|+diF{COUep|87M_%f^)-^=hwX^ef3ykFT-Fu9Bapo{6-|-;6pUw+IWS6_R18ZqQCWoj*DKF3E!tlB$s$@b5bpgCn9-Q%lh2`gqz z&$%Xzh#@*0mxv*nzDVY#anx^O=}@%A zf{d&e%520&oRJsZUi}B|mrWzY-JOh6vL3&mH+9`W&qBc99LolIRhsAMQ2B+eozt(Q zKlnNr6bT*&_M2~56QU}OvqfZ&D+OgC*?UmB8SK6;Xn z^Deacp+;hrM#ojg!eV>>@KSopCIXCe-sN)L-Asgey0Xh#h5R_~jRx5365_&$zO4O# zkw^(EtCiU~W9cpKKs)-W(?^)c*Rq~s95gpuRLj<*fNjrwTk}alpLbiv-|x)d!i0BbiyBec7JkhB*~J0>8yME**#ehJF185m7lbp=;igR znsV#2Y3PjAw?p_R6~kwJSyfX@@-Yo4lWYXe$2YPT$eL*fQDSZcoHkV~L)d~C39>0%&4|Tl?E-{>?7S`j)+Juqlr{AgI zN1=C&y5S*6-%U$#kjTQHYwp+=cYHHf!l^$L{(A9lOK+g0pX?btDl!wd~jR? 
zO(fpt=_@{JOQvdm^|M>a``&9gcYBufm^9P7qxEBN-kEZ8a#M0qzs;}HBXy)X%o0zl zB2&tp_Ls639Eud3Z3(Mi=Z(sI4S{%g(Vdj>{Av6|Y3NGGc4+)VX)U{o*m&|U-@e}- z!*hsuEc8jwaGFkKMCOX*>Ojc*;9z)}1-5bs2cbU_{Vgcm$!2Rsekf%3-+@SIZAb4b zlKi6Yg?+QqN!W`}oQ2^PVG1Aof}XlWFE*Vw8a*`yf`0~i-cJ<`n)(NO2jO^)_F5Tj z6TNFiJP~AmEN^bq(K@7H_?VNOO+rF-$;{w`9vl~4r6Jh5JhEr3Nvmq{jyHOR4bzk8 zHB94D#H+8ju<>J#+pl2pC{(;c2ZQtC6PdtD|H)pf>xJenuliN=k3cBM^#J!1YhosGrHqHu%KEsBoRJPXt7l=GI~gk z(=eUWmMNdJBw->N6SFI8tR@-yn^nQTXqdRm#4v{^GHPqD5d!wx5A@OeMWq^NX-#n^ zgN{sugvi;(WvJ4rFl%gUwV)Mjewo0c)0=8_H=?fR!0T{m&mc;b4wtS(>9X^R=lran zFz(LXDr8vUt*~bCWI0PL@R<56T}kA;*0qyVX1%&&RCdK3%#;>NLwZ{=$Iww7bT59V zvo6WT@86hhZ~rc_Up|WwjGu`pNA2AAH{F`qN_!&tD45025R*7_xwo;^uls!oIQzuBn|f-A6{AZ`%HCpDOffL+pCC}nAZw;aQy}srHhF@y-Q)0u*ed8 zWZODQ1v*$4U=Pw}4v8GeDF8W6@8!TB=F}tgx0GdD}*cb`Dh373=7|qorm`+`r9ZW7=kO5cI}m;}DH2*1n@S7unL2 z-&JRHhiF&nxp@!fO;Bl5&X>yL{Fs&&(Kw;l0poS0_=?PDumc#RQSY7VL%4aNU-0t7 z`aiw(MgK$u#W0a`#}YfofPqn+w*xtiV?xoE=Xr~EbvXPLc1|35wQcV$3_*zB zEH2bEkxcLtV|?#9PapYD*&H%RzDVUyi4a&ZgeJUExnFHNq)Lv+nyQizizj8&_qtOC zGK}B9YC1wS8S{AJHQHxmx`N?Q5c_g7a(b79*Q@y}fyieI_T_TQqNg$B(hBbit?eja zB}190ZgLkB(I$AU$hkH5MI^bt^$!}Velf|4Y-rKzz>vo7&dA@i$3RJi$S0qw^mt2K z@MYy%4@v}=%xwL?y#1t5f<8!VR@pz&{FS?j%w$qlHp3!zAWazfsqN_;bJ|*YxjnoB z52y61_0?BB-F=HT7w7JHEx!PazQNjyjX$K17WC<~OTENNJ!s2v(!{_kriTp35^lCIbC~<6|LZ;=d5Bc`}i8DRh^9%a7x(%;}hE#;0b^RDS@#7aL8 zI|UatHmWENEEVTRP6@E!%rYEt+-8%atlt`>W|$7?e$eaPZ@VE-xgz(f9hEP{bmp_6 zx;|wR_G7#^8#)*UFwcN$syphR1t|*-@hQoybIRQc7cCW`wbHGo4$>}Xr}d|yRJ%JP zVy%uj^$XRi@^mH7${m{jq>;#No$jAsS1IKEz#r|~SUMZ89db}TwHh&>_O(49#hG)w zDcLy>E7#+na?oVdgD!Wq>wPP&&f%ZIuB-yLWuI^e25B?CYwj$KT27dKB)U0Penjg*J}N_5n=fGr3FUJ4*02G6gn+A^?_jk`|CpJ4;`!UG z{M)cMDe`Ka0}Gpg!J(Wov+H>rql00$lU$6&&(ew`&2sXm9%Eu zkCpo_)4*oA)rj1aa!R9}IjtbfkmPTaEViQj-19CZ1;-Hu&35 zIbZR9^45PINq88M6T9LV=Ar8{4z%3 zMBWGYv$P7hs$9;B4s#&mOQoqZXdCEwX=%e!`E@9G|zJhu5d&64xTMKOuh5!v%_7?{;0q7AQF*ilUy& zbm#W-xIF&SQD$Y0u}aKdX#5zGE=Z*pE2dU8^3h8*9E{s^_|tQ^j(#bJyyeAZY>Fzr zdVgItzM;WI>W-?P&9nL%azxIxXNAB2-1!kEII7cou~2ZD;OFPfd|%-92REHOQvVKw 
zyQQ9iX~(GTv6an=%~9SZHdNPEW>a4E>&90Mnz#T@EUT%=@4OOk{Sh4j+SWX?v4(n#!N{&RG)OcmGs^7jg^ttoMJMD?qFoqR&6Gvb$1JY z#7|eFKhddfzJ7q*)-i8$o6_}MD-|ugB8ts?5TOHW61JZi!V&?VS60g*`0=OO$gYzN z!dKEMrhGV9?j`hUbelYqmAhi?Hik|TPBB-x4gN)u#t2_Gy|cQOM5?%~7a}`XZn0`V z_hCg}GS8@++h5ipj#qzj5{^5-W6->@NirjlG~0Gu4{#(=&+~wuo1UmS#wYJTd=#Jb zxTf4YrM!^+xDp_lgQ>yPAp8|95=U}pBuq_XV+S0MHe{s2>Eg}aFJ5EFC5bc#wwx(%{Y?gR8rp+Gzv_tD#l6HK{P)xw~ixK3QB7bp^ zAALfbT=c?$+0Uqr@j%i{2);9Mk}$Al7D z17b*M^xr?H|GG&n^F*hpH$OW+#PtX58JB5f%h1s4O_z@w(x1OHK_dkh`je^!Gn5<7 zxH7RSO)#zis)5O%!KuUcb7=spvB5jJr8yW|~W4XG(0P)K9 z--=@r%mtVs&BHmzcbth{f;u2uMHwxw4=}^NZJ|C9N_vg%Lk^Uv?S2bOd(qogt&rcGUN$JzxQb3lQCz4p;EI9A&d8f=F60}6@gU7hr zv&Ty@mQT*ks&JW?zvpeD*4c#~+@<&`54QSg>VrSD>aHG|n=>zQdo@Ye8Ej46AQwFD z2#YE) zyL`BQ;E1`uG^l^H;c<^_?}#fF4l7KT(`=injFXgdsea;qePi~woyplP8J*b|0?*$x zcdcW?&{9#?Cfk|NI&8#4(+AD#KvH}wugzx3p9dZNjEX8%?)&;w8aC*^ujY=!@Y`|8 zD84?F0#as0b+z?ntH%7i+(UfN(07TamcKrcfK|KTd&jZcRS2>$7NFc^mFdAMpCG) zLs1$GPmIU5 zYw_Dee}sSGNwO(TtI8;=L^NU&32kXZ&k+XeKvY|pS0T^0?w#Cz=sDW7j zQclkIZ`0tYX^rjq?(IG>cV=^?&nYZ4hS_nEYxe}?$OwqHwyUEetoC=*8m*6(b<`TD+UmFVS#*wcVFgAsdUclT?< zvEh-C&n*GIaNfKR#5Ir#rn>vOXjRVloCl~wAE&RxWLED(G!}RSv<9wXd;*?33{>;L z030)-O(U}g$40Xp*A~x2a&Rd(fF6uaq4@!{TO6w0K|ep5n%xVt9^M0zCD(&?7HR`0LTfY{eN-_jIOTZDA&nX0gusy+?}(q_5w zy*qb+>ldZhGT^8*Fgltho8a$uX+O?Xm&BTIZyST686S=ZeGFgU*#{yUa#EjLcQE|x zM|r-_{j~c0We~q7I7sH?{pIbMK9mn*ukEqTQBmC)RO$Wtk}Q4Q`gC5CvzU+6_(*Br zzkeU-AHDJ8ad$8S;5=F-=Uj>7bn+mc>dr_;{}ESBl8H&p-DMeeKfeODXHMr@Qc?83 zLZ5*k6iECpTBN9zLS zUuf=d-2kX$V}+L`oou2_ZURm_7b&BjR{{i{*AKHt>2e$p-rjey$ORPX2S-MJNsqQN z7+zgbfXW_8Y95++#>1m>#bkg~8s-#8<%Ex4MhN)$qze~+`t&SO80(j&<8U7Rto_lH zIVUG4FohHh606J5M<_C*1pX^+&^#Za*;Xf&t>lbKRUkZ4J`yJ>7St2a#JDt<|ktJ~!T* zm}EP24-DXv&(OGIW3N`z8*;}DO)$9ASiF9nDm9?m{)a}>+MuQ3<)sH_`-Nlgc?V%C zEtuDc$3zYy>vjoRepa)op+7WCI#~so%4;6^R>G zYm4{ubzFZsTujIGqo83#r(|SQu{w(1GnRFwr?sx>g5z&$`&vx}iwXM}QyjTcdIGnF z_s3HH^!LB-#61+8;&73rxD4^b#8+jvT}D4UzW%YhpgQ1L&l5;I%G@RFfUrx_9#BpB zFmomH_2JWup2X>pKPk@{h56l{{D6}*Qk{$6^75+fX7pL&GRF!DEU)0d!OjTjBPzdG 
z$9Gp!ikB)v|NebPYRR_s;YT2&EH7sVbc#!4&rYK!-Lg`~V&3nh`cKGKZLkRQAHx0^tsu>sOoW#__@*qi-*?I(8LZwdoNER0z(> zZTtx0F1pfZS~$N_v$Sco-=3LF<(@osSI(*W?YOPw=5}$q+m_cITZzqDAVI?W6ESV@ z?x`mpCM=eGy_QEHK2bkSDlR@7aX~4!5PZtc9(i>+NrxkZ0^40tjkx$F@hEwAcm{A~ z5_C2T3?+d1lQGg;xnE8%Umq_Lb6{gAAs!kUd*-~gfs2Qix3Su7_4k4lh@OUBxE*^J zdyfaASov&6*2%SJJ31aHDvI{T*GAYcVOiNReFFb^;b005(3sVajeWxOtc{9_k$Nl* zxB;){mP6U3y#q@#@DK=iGnsv{v}xGhx^ExXP^r3}A^qQFWqW%b!a?vC)G5AO(|7N} z@rQ2Lm#pfEnsqM?Vd;URI;H)3C0L~1sNXZJcDgu8>-=qs%vy_e_RL0!){q!h^DBuq#r&zZ$#$lEaDMykHqOFrF7V5(oD~u` z503_3e*9msZM;dSicA*8FR~ql*@S_*8m2FsR3({E6#;&0^Bd!na2~hTI7g;D9k}eZ zA$K1d$9Lgol1V_6#Ao#&Jom+*5b|_!At!(EXqAIPvn;!#D2<=bbr}!xrm4E^u5kKU zBR)wAPY-u+qI*^CFst~h;&z%eKQtlq*yyl}eH9hN=yDgAq69n^XvIe6N+xjLw~#0QDrz)W4ml{a z4>tI|Kz*xk5T1n3Dzf^gn6N7<1Wt8~PN+8elYIHAGh$QxZzDHse#kF@V;m`j{!&4a za&fYtB1=*yTc~#gN}=5YNfZi-AHW{v))ej0VGk-fUdhCy_DfW6QOnywtKu z)cRi13@8e{Fdq9ecD<{0>DkgYc0M>kE91sH*cc{(y%~%*WPbcQ>eS|9cXAb8`1@t0 z!gC?rZN;+fXb_k6t$ZctYoA)z-Ua!7B2`u6h&|EUthyGuzqq9jwe3x@7GaBG(bDSh zy2JapKf4-*rMzxnw!jE(WG<9tt*yF-Dv!xwSjj*%bXlAMy#6Oof+%O9?#oN@F5CTxX+ zw);`mL(frR$+JBN;f#kO-$-ns0I{6OL}b+JUQ$@hdb~+#Rko#Ppm^oeXVHNNDd@G# z7jza#M;;olh^XN|TlgR5-ZH4lKYSkqQBe_4DJ4~u?vz##X+b&!q&o!ZQc{poO1fLR zTWRU;?ml$K-pB9$XLjfJ-#0t6Gdtr85IE;K&-01=2eZB`! zufYC$51e3xl{hWB?>rD(FsridUOFx?;dMCuk&*GjkASiDcxTdRu#y54aw?qLUM9VB zCM9t)PcEh6_4u1>O}%gG9kZq*XA|@HU>80cHU)m$n_Fc%BRGA-BmAJR4*_v};4}9JY+*kmB}tH;1rB}rg@s9=uL13X zHyBycbRQiZEko#P0*LdFO6IG;mM#XDkDWa|Jy%uqaNU>?(%CYVt6=W)owh5ss`Ju? 
z;Id>rmfOLD+$ZncWVk)>_isx@x@jrdzUT=oVdrbe&k4qWy&$~;I`j^BT*1+=jkN0Q z2m!0OFxbR7E`*<)oP2J6@G2dLB)0ZQr`Gud1ytboAW~@-e2ifQ4hp4F@Pmk2 z84%E*fFoc)dV0Dz5zK)$H=>6R7YrxBh68EopxxxBr>=7ANuz;YQ(JFi^Ror}s$>yH zFi!sg2h{A)t4jTAe=CYT+r2RCRtK#qq+QCgLyuO+@1Ud88V}LL(|+`oUN0h^f>cjB zNM=x^aCihZ!9lgP{9RpHPNWb+84uBw;9A=Si4CD<$0sMVYin7%@gX7ol)fkM96P|` z60&ggWNAF_X;uQ90hx;Yqo>x)%sb$vwWRC>`Rt9&`f(!)IctI*-U|Ho=CE?Yjsi)w zStQ^5{Mz@yqhB6tqweQwL0%n$1nlno_BA~{R2p?%Q`S=AjzYS+rlo7wHYT0;`>miB z2C3~~uMM7%Q1XDco17e;r}rDZQ`1W^z8xdya4}7=;{hX?bQnMoq~-&I7{aCqZ{B_Q z8_cPgSi})eHA{@~U|vH;8W}j4z~L)F@)qQ={oR>wK^m!PXlQ`+$^+!3VW7Oy<-zh2 zd?h1u4ZWaMCo^{6CO-SggD-B!;Z3EX`1F8|f_Fg-Yy z`IA%;v-UTSj1@PIWIR!?daFPoK*B9qU-4Q5$cqDGCeyA@oBT?z43o;;rf<9#w`rdE zbvunBz%pmx8wSDFwbj2$>q9!!?YYIvoB|q`_OL!fje9bt+2p2w6S>nAV%}_tss^HQIT#8slm7coQqD zJ5o{pAA0KrwvVviHM3dHTtne7f8n1hEa&VzReMLFtm`p&w6u@0qvuoiT!R<>8OhPy zZ;dY|X7Lj)q?Cicpv1^G@s*3?VazM%bK0===9ao7%{qsNkA_-?(w@UDd&p*p3N_5- zhhI;ZUBVlxz|oahz%>R$gDjA!2p+tapFZh=`7O;ivhtGY+mk0{lmQ}JC^2-ISr!~_b>>sl4YCX?mpZmcROb$`3yYo0vKDi zTQOd#skc#X-xee0v+`<>*kb;uEgd7lZH3s9qmWbXkD#%me zz7}qRZP2kRuA*tAK>g#V;@S16MU-1ufhj*s#NGsLx#z?_r<9(UIYYSpX>9x)??&pE ztb>ZrKutHDSfSz~*E8bWc9B(6XpDD*Uv%NmWn zZmZ>h$OO3hsG^8br&G4ijyCAM$p)-%0ybWYi_-wCng$O$)RN)#<`~{UTuxdVMY4zu z#gj`s>G+%ZM*X@dAbdx$zu=C9tzTAdnt=}=Qe43#?N3{qKOXHH9ew@A(rM{@$3gyT z#MuKJobDvy21_c#&Rlf^)|?d%1l2K8@N$cg_2=0r)N2^cJ0q((i*%`G6UsoKlJZ%F zwMQVbCx%z$I7ds(2se2Kx}{hlZw9CWUN$ z{=PW`nS0q0D{PV7d&_^?N|Tf3V1xe5l6Y-psOB~a?;0yez&>rVcwM{E0cPHbkyG7g zf2E>JZF-<5RNqvk!XNZDmPkJ`6s8ce#giF%A38!RrIC^3B6-((QnT0aQvh2G7G?jD1w>pUD9JLEX6iY?3Y499@2AUf1&<*-B(! 
z)%Y7*gXi(%yPv%TuDa^u-IRE?Rx&CPr?5~`%?$+7DphlR)V}ZSy@sM) zK^p}&21uYU+~96|EyM`Zw%B>oD9gAE)0mN%0oYMgec2wNm6Aq7rBtexX69!2z`xZ2 z+4yQC=mL)RC#0OnlK;$TLRz( z>*d3Fy77*VmLDa&NCtP}Y5Vedlj04}7F2 z@`i?n35khc0RC5Vi*AECw!g`vtk)zdzj}{G9`@Vld^oGJx+gpYp zzBcU;PuI{EmW8ve-#sM?^`}{FW^9emE-B0yfYucBE8@5|y&{Im!yKWNfkc*9`#&E= z%k-z3=z#SY2v>8&1#M3Uq`KnkLX5hX1@sPwt9%fQIlI&l;fw6Az6sLEDt+BPt)eD# zewC6Ar|Cv?h3uvJUn&<5`5dXuOK6xrd?31m%VYp9nfoiuv3(5cmf7m}0gy*R8|M|{ zya$ts8=d{ICPf%vEOm|ghlNphs_9M^f&HK8+Axv7TFxaBSAli}z(5VKem!JK;UgEZ z(Vm*<1n;(pWDz$-EXut1Tv5A=mHpYnl2~LK3B-;7wSNHZ*hKjbCHN~ZUb<+$jVpiE z@)nc7^5I?!Tz)VhY_fGzACPMu939H-XBl!PO)~Eyz(}^QP(kYQ_~IEz>7lLNn25*cz#TgI2|H+hiCg8`;nxi(T-Eb?+D}_5Zm4@qbwGlO?rEwn&i+7z5jT7)x!7XVA(zeKw4@R-6WI z>CekN;2^nkg-lDJl4}Mt(CkaiO*rIy&@vJ%ste~tJ09P|x=~BK|k5!mDC@f^rYx0|P9#4PXS;QP;4A2;aJVE!Ux&1Q} z1PL;+u*?wIae|)G)7$%|(_u`q+AsyQlM;Bldzi@J_C0^`!d=kIG#^GI%rAJ`kDI52 z?jGdjcHIOnE_~kDh}Pm&m!1J<9yX#!_a(kRJp_OA`=SUbf8T&~4L+qib*$ES2}mf1 zYjkIV@n-~MzfTfG5cy=Ah!q!?WE^!>c?A$D3CqcafV<^aK-}LYXW>$Pcx!Ke7Y2MYg&etz>Gvke-GmP%w~VAm{Axk$lb)$l(T|ngeSorXN41WMFZ@X|_xEv|hr| zYiyaUxcFJ))XnO8ZV$E&h5V>JqGx3{4*=kBX1RgEJ=5E}narwV-R`$o^$2Qqjj|y( zw)-cz+;(yGqpTX&ue;hu+<9{OjpLWV{xB93Gi(b6F4uP7#slIc4WaJ7H!w>3GCr2L z@y+50X8f=_1*~DAe7cmh1(vmGHvu@SUFWgwYTFF@>K=O)Q0sz&J$<&q} zIACwS+)cluWyAig=S?)i7+AkKshVATvhD2WZT~wjElY&;J%HFzbmi*xY zFgQjl-<;fOTD>rnm@rmqt=x5M+*^JH$8(o$dl{J*jGCU8-|p+>n)4|Q{fd1F=p~>9 zqxl~nC}f3Rn^Dky04U|aaV4G0X>pp#FhwY>rvLgdX1F+v+qNy)>?QaTo|K0+S`Ro%XoxCVn7Cgk~7!o*OYmAy- zY=4HZ8_ZGx>&odv6h|k45+g5E5WS+_`m&9NZ{b zQok+qkoeXKIU+|Vm5OSV_RcWlM+^)cIy$LB-gFo=wYe&!jErP@qtK~&$g2McC>I@Z zCEv3Y9QS}t^V0FhNJcLc09-l01Pl%-kcVRcmXY-wa^C=SAd-~>5?Jd&3%uH=cZVUB zTkayeRx-LWd^k_R=l;dHdnAVqeP>iaisWkUKqg->*|LQ~=F!@q2_ZXSbB)i*C?NvIA z-!<*>yggZAze5T~S*36_)u<0A!`)xKn#SD>^Z}EHGXvr0lfAM&_}I<WvYm~COxGULd@;Fp?R zFhzh*GE{11=2H0#AG!dxTb*>`FfX|Yx>8{<0V*ge(*?4IWaMsk+kqW|yB+Qzq?jgY z3fTGKmKbb|EK0^ztEzzCei)MVVKS_Ooa)dsHyWzG8TMWxDKqmAun533O2O!8!FL_$ 
ztCu9aQFQgV$Z}&vA&P@UOqCE=9GE0L94}#A-y@j9`rgv?d`>Z2z{HjBs?qLZ0XW(lJ*h&U$@_yen>}{vvveW^rn&n+b?lu~kG6#Mn_t0=@oldLps9%V`uQ+xJQk z#`Y(?QzTNr?H>6XTlt}!O^(m7s6&kWWn1AFk1>`{%IMI}57qng=l;fsYgC0bdd7Q` zp$<&b5hmZVR

3vZmLmPM!#0bt%?IBtn(b=4N7OIHOwe?6bJlO_|gz3@E~A ziumB*rSO1Xl+4j}=jrQBZV0iJF)0#m&x6yL?&N8i&@TXiHbz|nOE=fFbwdTlkG|uj z*V`ho9-B7R2RMU1w5YbG0>YiDi($9PUS6J`4*XIGWKFLb(68)@IhmxCIA#GVO{V15 zNhs`n@{s%9$MCkXrS2&=H=p-6g00r&;@T50>40k)N!QzMYg z!a;>>5ok^;(hd&~KWA5X1&-jVs;hMy@VJg`4)_@~cbX9n_n_v3EhkYXB~v|H`?*00 z3smQh4jcwk6ZG)^$XXBPi*Jyda1d!{p$pk4v!SILDc_;NQpW+E#yNUijT)1o3=c7h z+2{R|yDlzhVeJdmv`?RgLreGRQ*HSl)qY{(3x@uYzF)s4Dl_{?yOMkc&Fe@D-<{Q!gvx0AD<_<1=WrhQ`uWMZUdnXK+F}wd z{W-#M(p8a$qy72GLD6Jxq85Ki9Ji=+GYhTT@MM*ArkcUyp&@<9Ci4cWtd^Eh+mGkt zqt&a1X~S)jh$;F=Rwo>_GGd((OYBlpzBf>u4|HieJOZy2D9@a??RTSbKiN!Qwt+*2 z)?yno*vAJvmnba)G%TEM>W}*kk4Hc_xFbvm|8m15`s$`RBTG*%ds4r=I*dOM*x69I z2a7R{&~&_Cp2cGT>%g-W3k|(Ab=qzV+Ij|XG^A5Gw=I+coEOE&XwA2VZui&QxUW$0 z%}%)>HYG|7d&wG`DXgZQFo2hJRZapVC_?t!=AoRH6=+LS25K&!A)It0KjG6E26V@} zMv}@=;R5jB-sYC$bHqSNsRl-(w{R#AQ`EHs{JgPdy(~%Fdal5HPu2ak|wA5 z87dp#-Xy>LQq~arsL1mwx7J1VBY+g`5t~n8lpT>u74fFqm~bLjjPTC28ozAUQ3>e6 zn~e{g%$xwt(%zo!F&CHD&!3+A9Fry=XX~LmyK^~y6dVGLQ?TN|tIM4df#m>5UlWvd z`Vi3tWVE(fb5Tw6WoQ`C9AwGUdjX_L#7Xjw8XG%kc4Aa5p113YaCH?2jz95A>9)d1 zIyGXd$Y{8f0T{Yqq=x3?lwCJD-~Y=26QaQ(8Vti`O;KKqmtPk~f$b)@P!K8WNYN4R zU{)nEyu|C9-Dt_)-A=UunaCF`05-#=Wyn_GLfHcitwyjJ%aG5!?uC)AX|by-jYV4i z8UW$d;ptc~YQ2wx69gNip|NqH>1b=+QLyOr$3?hCAo>3Y-SzejH7dK6cYvxePW`gUZw&``!;~KE(G;<&4#|4Fe;Rqt*Qf0Vj*gYMj9b5@1u(T{9uJPD!spVRs-_2T&p7Z~0m_3>-#%@cG$Og0l9pC3 zSK};fwSTz4y5&(g!>DgX#eK-feZ-p)TSyN^7x1=WRl3d{CD~IzUcJdvwSN{5W2QYk zC`mj__F?ox2-ftk(`34I{R5^VT6$(}WiG0a-seKI`1|#De+0h{LD1bpTgCE9?&Qo! 
zR|E+U`^?GSW5t}Y_CIJ5RPRT;UwMr6!Y~0kv3$j_@HcNQGo+ok&q(Fs&)upztHJ14 z#4l>9m*n(CWn^$nJ5R@@Tlp*^!nxE*^m9DX`M%>(+&_ZFqx@wHsWCA{t6 zofeQZWB?9*{l6|k03z6fMlkDCF4-zSC2~B7@~x?XRtsK3^N@SOZ_B05aX~l)H+b8& zR(|1q{g2}6paBj@C6hOkWT=oe$r*NslG;60=eV|T>bAVPEgb+x+SJ7X2mBLA!fG^< zVay^V`sdv-(uUzOx$eaP(aTqqV#|F&u<+wU)4h)1N}|9$Z@z zU0Z8z?(^gl8_{)(U`_X_&;R4m@P8f_|Nr$rzTYjX{udYEe|NO~zhCWlui?B9E{D0B zz{jc}xdSH@WLpAQ{5#vT)=1LLUmQ+A3)#wqaN@bd{yT>Qgx*`eV_97jzi3Ovg(TO# z3Gjx2ANf9joQlfbO0Q}bYFQ|0EVJ2BpaevoMu0YC&CaoN67uiC1Uj8Q`;60)H-E%S zRVH+j)Dc@1Nhz&iwRL`H>RJ3^*JJ=lCzfrM=L7^@W&fT1fhzc5YKBQ)|4ju+8$r|h zQhX?_l0USPF+Rt}K8HhP1##H%f6IsGkDwp{kW>I~%pIBpmKS5lV4+O)^rygB%^Ik2 znUOZk z9>Fj*5Bd>+!XW}+Yy0@Sz#=U!B?rZqx#xEvW)ro?7WmJz{GSqVR~!GjMM6+BL3e6Zu>Y6U;i(JLV6flEigIMI}tz~0s6 zHIR!(Oe_ZINOSYe7~YR)pV!#ioS91D48AqtP#@C52xOZ`Sq3iwdkapBQ_HgoiHFm@{&LL%(LOEUnGJI`KZiW`r;v}E_SyhDF|XxqI8Q@GmS4=K)jd@q zpLfYofGmXM(te>PyhOEzCN^vdbKBqJ!BYN3a2zqaF`NH<3jxbj%k&H2aiI`#NNTV2 z#Ahniv5c2>%Tyr7%gE$FEt4j-9wiBc zJ3Xz0TC%sjh^y|LB|IgClg)_59X2&q6Gefr!$U;XOE?psTpX<$i%mmQ8_Ce??M0UV zGqcRMKd*BR=@Y5}JywCnY4>MN>;v!nr4U-Rd5#iA$=n{rKafi1<5ex= z*^%Z<@BH-b+kB#yt*A(h_a}3E`KQ%5@kuoe{=1~-IJAoX6cmRqz?t#NaQy60<1q)v zm*5_>>psLYeT$k%4D#*f7b;wUL`j~pZ9Imy$@ibfQSfZDV>E$zdbk-a0SoE*x!vr= z2Mkyx;3%)Usd{nRDIzC_hCo-dzgVJ!hFLFQ>A><3wYT>dp9BOV5n54YTT+Dw{s1W% z_1V8blHZrRBEc*bCEua{oqp%U?~Tz5Uw>{vnQd1Hhv=>>L075J=KR-te5J=>!7Xl_ zC79aTsTK&upd>U226LB3t8OG}p;N1m`GT$l1Raw0jaopG8(h1FYzqLl9$@yj%EwRK zg|L`D%1XOV+q%QaCiFltcce2dK;-9(Ov>-?M0~&U)`RfqA@8vPu3yjEWWS*oGSYW+OCw6=(^bA>~B|Zh%$6*hh+UF%y63W2qgc1)B1({THBwy3u zC>?0*4+)pZ-CQq%N^>9(0#rsoD@2h8R?K4Cb3jueHT{0u>;zC6`!hZ&Tsp6$Te$*t z)Nr6Y%4%1zH|cO78{v1PDb$JR12*?^mr5wz>Q^YIf!?;iIUWTvhf&zj#U;mGd0y3= z=0;+jWtB$qzaB5|WrBiaq|7a@jSqs4>+4CGk#XEmIT=JH_;pA8Csx?nnTHrC3Mv6Lwdi;G2?rwG zz$i;;TL!PAk5+|?Td|ZhixA=gZkd$h1yD>^cG-@wAl*EeyD#{>GMZMyU7v$M<- zbw{|cdq6LH=Lq8o#OJBjK&uCuY}vAkX_EIL4!QmG06omNGqN8LWlv^kUee7=ODXgu zolwDo$Mwk`6;{DE9XJS2RO}(!69sS>3fqHEvc0o|o}iZ<1w6YV+sRi^Y!`PvgW}{V 
z6!?(%Z1AXI`XlgZ;sh|jD7WjS1D?8q^i;^;C6|xt%CzeWss?*s+T18#{IOlB_1@FSuyFE znXfWs15sdS?Qbu-AwYi|0A(yVFpg9nJcO=Cs%+|p^wSeKW0^CXt_T9fo*E>Bwuj+{ zCfS#5LEvS0u)ZK^pd5X{enQ~^ofCBI%U0xUE#I~ykQ}FaJol{L;Xk0Py+&IkC<3KBn{qmQF7ugf>K}Q??b|K%CxutNI}P&WtnY%Z=fIv zRAR^u`Lm?%h_;}Jrqt_Sx zowvj`uc@nzzT#4zqHQUx!uJxpkKTgKiXyn-~g0|aWEKn_NG(MYdzeb z0#B;AFb;Z@Fv(uO&Ymqz~O^I5cVH|YzP+MvG? z(m{~xk*{-R6i8NuB>wU_vb7IYbVd(?;x)We&2?tBVfilMe#q`mkd1)nbH}Qj1`z37 zi%H;+Ovv`D9>PXOYu4%D2=i&HZ^dG=#RudyF|gfM+F4}%n5ny(N(NOHETJDyYW{Me z*dh2YKAgeG1Jux?-yr;&<+=SKj`{bh|5i19z=5yd^hUc!6#WuVZ(xbG?$~u*VyW?f zg!!q%{>lv$V7US8d`MJxVs3>ji_HN7t0&kxt&)G-hxRXW*+D}2D$#u_lxpjh*Dl`*B&EVa znl(VeU+-ZtHlPnMva%{$YQ7FpZPt*8*=iJUAyrF>J%IiO48b(R?}u#WyfJB=S^Xty zhv5|vFicKQUP6FG3Ka4a&`3!p3)#^QbiD7LL<0G1hh~-S2yte0;KvD%c_33w%uK5M z?8wE}-@mCd$6b|&Z0tKZ^=d$yc6%^?0~_Q`fHFHXRKWQ-CU`~^$+xG&xb3?z(!2j; zR5taFT$#pmXc?9}9Z{Eoh&}%SYZ6smL%oR>UAW4KBi8nU=9mZ z3smjoLMw^v1J>evcmy__+YCXU2jY@} ztkHN99{pXZ=&_fls$f_>^&CVMP$gx^6ui#8ydOMlrtEf0x?2VO?mw8C#vI)K*X`2u zjFCKbRjKe9w&+@t(Tz`sJ(XIq7!5G7LZ_pR_r6bFym*jaZ}y1$7n=3bes|bIe%;Qz zv(<4s2IwKlOY}7@&&EGiXxw&0e z#&4t2Q3?$KIO3!JQ=|XSFIqnWSS=Y_7~a#9F@g15=uhQxR?TJT2zwzbkJ2 z2>1!0{{A;Hvlncs=B@^+g)yPT6`6DlE6hFTJU%{_%ULS}A#=LyRH?eUq*Q>Fo)`(_ zoP|8%EhmYsVv`LAny%Gphb&ZG*2vfW*Ysrxi^@U@Gh2c*f5Z;f#PMOwfeIf5HZ2k8 z>VR!JXnmn03M5TL_cg zK6khWN*`c5EZCnxT?D)za&GSRv+h9HNw=nto-;7K+x(fEiv?TnV<Q6_d z(S!6{fw~VGwRa(!G$VEoSi!7j5&*z}DL-govu!04Wo8g$_0WX|VS31**>`~S;2WgA zv(UWR1#AVF`gPciLlwr|xFKnQ5UJ3FH3O#1;F$CI@uG+u796c1V*9ytT=g?{g$tEM z-2a9j=A&I!_N=2tfIeT~nM>?wlTfWreAgD{u>^umSS4)osZ!B9@KKVTE4FZH$4HNc zu1pYJ4Ov-3=z(sLEhv-}!l?IepyJ_DHa;>C7H*=J>>n?Ywa8oyj*MF5jYwSL4S!(} zweT~_59ih`8VW3>$EeKPOqL?&H0NFR#rBeP^H?TOCU`{} zNldvq1$Nm`Ql@{;wGijo&b4;6*<`Tov~s$vN{KvB+=z*ju(z>qbS#D+!PSk7+CHT-rNJg$ zK(RdDcJRN87RfYAo3m$&IK2&jveZc*74ne81rNS<_2(5zf16y8GvLe3pQodii319Y z-aEX3#9TpNTv5iKUfPpc*SUtQ4w`_o`tbG+sVHXI)cy)T)@QXc+1s}xf18AxS=!uA zR2?LR888JVx}0yj@li_Q72QAH7cNFe)Ni*OsN^zMwtl4;1nX6WME zIVAjSmKx~)s7RTzl}0m{Pm|8~0|*!41JsY3pd8x98jUSzLf2PdXUerko0ESE?H#Vy 
z7qs+@O~-wb;WF!Zp47dEQ8$l4Z%Q1V_fScDw959fkwEixzQdk; zlFksb_0l*opW~OMFAXX+r#u{{$DThW)|IP|T>{C1v?j_^RhNkf340)0B9QpvN6NYy z2-I}~iTS$$46s={T}jsarFuXDQGMR6tzP@bE=~`E?;VCJ@L3{ zLpR8Gx>@D}EL87-fxCxSOl0UjcTmpv<=7^x+`ejFsK)S>`L*AUzO_Z#ny2HrB)ONEJ-a?13t z^;A2kzX@7x{}s8;<*@reX5ib=kQ%Ge;8@W2WJi;*M-N!;+u2ce#i=#@jgRQ1EM~XX zx6nOJ&yIJ*p3~0jN8YR(LwblQE>A|57%mZ3%qz-cP-ISTksOt||L2Ed_$y%;S8J1IT3ZW)V4N6_jyuGBTnv zuvg~l6#U8~ zt(X2qFg(Yvfhs<3LehYWi^>ly{vi8p9n6K~^%NVjIY6dwOt1z$YKBS?%_6OGFWt;E z^lGHmbI5jf>X@{&A3{zsy~1c@B(`$R5_xq^HrmYUDgXA4Uu2X ze7~Y^)As^fJGe_w3kIn+_MkX zkL1z=i4N8(1P%z5V-Wc#Dr4I^gUbgMH4~t=+OnZ zTvYi6#zrxjDl;LfS$#4x+Sg1*NclUSYp-in+L|B_Z*}Tg^WGPY%^J%yiA~pU4&6x5 zyn39Zlgr{X^aiqV-+~tAcp-$7YrDZ{>LFV|MiH&U(WC?14q(*WcX8RQC9OMUkL0vS zajb?>#h_7M?|wt=A?M}6gXtO~0=w8Cikd$Qe}#(sIy)qli8zup*e44id5>7r1T-{qjV~uAcsb0^ zuM-hTpcoHkHSgds|57iCsIM1{JwusU(3R*^RX_#O2Gs%W?x|<#?BxBL0mnCi8<1VU zw=!6TN9O!uroiOkYgqDpeJkD+>D##0F}54^HAXjmn--Fm#s)QU?MOvk(Iw&5Lfz*AnyT*OV}$9ZoZNWh@6IP z>G_%@?=&J>q%%sPWbD(zwnKHbx^H0Z8~Fjfq$CFGEx;7B$3AYE_KFX>UW{vNX=M$L zmpKhf>+18*1UwkqZursxTR5+HonVMH6;%>a?!X#WYWAkk zp&vDzfkX%%?58%|@(R8C%#f%P5JBx{1 zTI$4|n|Dhz5S57ikfVf9MBx_t6A*2mjXF(kK1iF~yTGSJBrZFh7jDaEu7F~A>Ga|9 zYtc7y6g#(gzu=hnpVT#`a%1?S6ZpH!%QYwCT$y*Od9b;>TF>&etzr`0;3z*B98CdWKbA78);-;xn9k zV-VziFgN#$Rp)|8o^R?*vXdo+Z=>SkNG)ndy>{m7=9&YlRT?B`pIbjpayzZz6l_v^;A!bAqmoj@$JW_ib*ruP?aZGU4O% zyS(cw%8(VVQongq_~86xYHfY}Lc^`s`R{nyw=v?&L9F_^u|&Dt=+P%D^0nRMFV8#upky3RpD@-kX;;Ks*EHcWgjuHvl^Ux4v!Y^paTac$-1V=Vf%4( zXLLG?VGkRGa=(4u_=!CMaCy|3>4qveBIQ45f5cr(L|Zr2kQ>_qah#~r2)@5g2p|4} z&Y-qD`M=)f#{o^Qm&ZkaJDh)4mYn66mM&~3S~oVn?_brr;ivxm!mu_uHC4rTSZ1QA z4)BalG#|NwBuuBec!}gUCCn@=3muWilsB`b_ox!C_S`W)Z@nxtt}%{KEGwTgk%c#;YU5)f?w?On~<;S)vamYcCE( zHa6Q?-7ZCQ_SePi;xdV0b-Hect=k?hs#97L0=x4L(QDQj{cM*4VG-M0UiN zMP5}C+`*;)kPo|yC^);+e4w<-QC+5v<~-ueSBEqUWh3w zmcC`2kFPn~;@z68>h4Yt@8|sV0PWPR9yZ%mQxB_yG5T0*>DWNXr2f1%XyYUv57IH~ zlvF(+LmJvl5%Qiqq89J9rF?#Hy|PNFsiVU)L))9D`@9yS`O3yw%Sv7ZjlGMa_tOZ? 
z&L&SwYi@k+czU#`_x<0d_6hoLVkQ>1bE;6To zd(irFa@o*?^Cz0E;7@FT(z|u0%en68*(IiT58H2_loXyu4RP((=-86OVA=qDdY8<1 z$#>K^M0PJ%YP)$QF(EznVNzEk@+rSFP=bstb~2a!n+Dw)OPW_vf0Kl#Wg8}eO+}}j zl=on)j2;8uU$z@DEbtYZ|Ja?cDhLO#WV!Whxt0LoZ&NyrUmXT4*8}o2rJ$m!usy)H zLrjrx4%dLhHKJ@fPO5B1-}9pO!XJu4{!9B?I26vpK8FFfjE80Di$3BoITtjsBBNix3H z+xFE}qL~Z?`E(R-b&0e z6b~VkbpsEOve8^fUKqf_) z!hSa*B04Bq4ewg?@E~=1e*V4o;SR&mHfi;h@7aG_pbTr4sxIDLT3nJ#_QpXC!bHEe zu#7jeG57KtzHr{v?)IlNmCx8J*jBB7duP#jXv5|OgyG3(WiIXE(Llu5tVD_NAqtr1K{O{{51J4fn(=^TJUSd?B*L@UuyYPR7Tm1<)cGG-O+FNprG7y5qteg z{u6}K06kahe7Q!(d{TUIRtR&ll6^jV8{5*h^lH8m15dKk->A1wX|gDHB~l@AG+r?S z`dd9PwJDmLQ_}Qg65a9U`H5Te-EQc>{tDIc#^yIg`SG#vWCdCQnD&sllBA(-M|kWc zqnrT|h~n*vu4~%2aB#?P)=rTU7@+sLcBUjGd_LSHDlk2Hu{M;QIOy$zZEZ9*KqM_q zkh6b&er;o;t+&$Vg0hzS=Hqgw$N2dADe2ScvZ+?ZCd)x5h?pDa$%PHnW9hVJ}Ksi@wQ-2Hl>hlu| z+Y_~Qe8!eFg=vVB`^3V^T2M$cdB^e56rSL%cT1+D#DBdol)ipFh9yL+Ya>8c|FU_d z_d-L3==JDR>Q{9PRc%In1!0dXy?oZl}@Z!L9C3SE(iQ$R( z3}q1p!KIH|4c>X#(AC$-$lI>2?1O_@Nv8kKJ3H9hg-h^)mz=y1f<1~v06p&|-3>;+%R_cFb0ZQ4dza?uBZ=`-{FEV zyQ}G&lBO_@*S&5rcjOA6#d%XI*nL1Z`7M8;Nf`aP_FsX@2XhFoX`G5Yw zzgq@zvUWe&*GY1UlUr&BxN{*Q=`Uy5Rcz-2!RqTQ)wFQMx8B_p?Ll7p|LZSWmpYL5 z0u;1X~`tyefJ3~YX~I7 zUg#Z6gVDmm!b07zbCFV5ctk~SK>{nZfp!@4q`w+GL5}j!cMzewzcz?LL_`FRDt=*M zc!OCA^D}=u80EKWoQ_1Lqz1*o<$(-rQ`UBVsT3(gNH3q`eu7vCMGT))I7Ac&$Hra= z+Mwwg7+B9YW9AgYgl5*N_atDbde#y|MhUEP_@$m)bsk71)=(Vq0E?b~245l635NeG=MMZ`3VY1SO&3xh^JQR6(TnMCJj<%?sg~VvkuvfR~ zf14IV4k*1IsKX$X^eIIBHa9k2M?ptN2g{6vFhso`nySw|!NI~-HD8%C$ z_NQS&A)(iwCI#&SGI%r`<`bfDDaf2JNFfG87)yw4HXhCm$jf7de9Fhn%=cMYS&?I) zC6ENNinWGw)gdG|Aw3=arMUPVli}Rw)YP|~oSeXwAwwY>|K#LkW4tT~E_m-hs~%~{ zJqEwsWia)idtZJ}PEHP9>`QVoIhdp@?63AeeE1L>)x|V4G=wryY4eTUWXMoG2xP1%;5-AtpHYz4oo_nI0z>MNfU9%nx~-+< z@4-Pl6l`qlO506wc(2G8ACnYO7&J(bTf$cs3Pwg~kCrljT9IL&p?&-M_4Upuc5+V6 z2yo(L0&k(Tx3O8SwU)Dj{8#6|eiCf``}fblKq$<##9qVJt}Y5bzSwEkGtAGz-|#=e z(}5j_%YOUujT<-MUIoX+1-?msLQU<9EpQ$zQuXyY1qE3CG}%qN_`sBdC-%Ndu^3%T zSNB=G>nSxn9w-KxVd$nwMc@1l0}tNdO>!^1Ocw-Ye@U9EgK3my7SC#c_3G6tc!LjS 
zW}R?uzlDjZurA4v29UzPh{^+(X)Qz(hA3%)*1g)KFhPSAoX=`9Ap@CU6@iCMM3$&;M|+Hn=9^ z^!`0D7}N(VMsH| z2ip7M!m_W|2G&S;FGs-`2WM|#d6^b`pv3L%%cDwN&TN|+8(;rzZI!_leh20c=`Xms zX<&A%F2jmJBN0y5E53JdprGF!mqW^F*z*!>F47#GkGHjM$lSSe2mU4$7?jkp+%~dz zFfigB`M{(`7V_c;=7WRpEpC=g54Ewv*wlllYgl!~#l`)!b#+rrCo2^$&JQ=o{k*)q z3ayvl3cthEgF$d70nldoPKfDLY?_!j_cbHrvHjHtvmu8CI_QHec*5^~goNP11OyPa z241iYETnK>o~(g?W_7b-jw&_8Y!8YF*lopJ%jiyUJXmW3Uz>0ANa)1riC%EY?Fjf=N0J{LfW&-JO#ybyKr%H~tjUedQ z4`SbAdF&MX!Pv_kBIw`pS=65BXO3(B_~U`j3Jf8Nw=u1q(PMe5V3hqD;@n;0s%$rr zq4qGHvmFT8jXmq?t|W{wa1UtEq@4rj5YPW@N6e6j4f}akLu%9Cj*jb(A@M#VgDNR0 z2^a!24c?eY*BE1dC#SQz6tIJdl%{jqU+FzQJ$-Qh{-4e9vUmqCLt9%82yW-j%PTA? z8Kha?S@#sUMvxlHSlHIp)!f%7OF2_eRMel<($)1gR^s@XH+U+z`?f4DFQa7)vw*DD zc5C7<2<|d8YPexxqJ$Lyb|dgH`VCWVVEGZaTESWgVuLi*I1dk@%-oz}*l>Wc!>g#M z$XN1z$65CYaF|1x_4W0^(kLJ7kz&1wf?xn&V*)oZxUWZc9N1KMD86BcGip?~g4Y)` zr<)-3o+?Vs{&e3c$NBjUeRFejU0q#E#1vm!1Y=&BW{qPQjOff3#xb5n;4XnS=Lj)9 ze8&;$7(tj*@tJgBumjF3HhnreIt9hW1F9tBg?bXIrKV8k62Ma@+1lFjCuF|^spXZQ zR+CDyPV+)TLKfe5Oq;(_%-rvDHzEiEYMK18$92Rb~) zX_q6C@lrFnez5-Ognemsx~`5ef!}r7#o0LnLXx?-xKKbx&f<3IY(80;x&(!c1GN)5 z|JLQj88MfYXF|f`!lI%Q{Hw1@638->%HtXu+GwQ>Z8WDvnr!O-F#C7fV;(k7YpY3{QdPc6If{4+1Y)0cQ^X=oedidl$4c$a}LXa2gX^Y zN=r&^EPERj20Yt+ZPeC`D=P$Jca zZNQ}6tm-}O!PBQ-eNtK3*gm~nKL67Cc>6bR->w9nIijbhcLkU!fk$zz{ApG8rUMv` zpcCNk-km#Vjtm>W9M6F*nU_}p6#^5}mDS<=z;nb_g|GkTBWlE}&6BM}tD?e978J>lZJdQdZOi>=V_``SYh{(c;CPzP`Ys zPzGq?T19`?z#YJa>c9reQsChUz(rc_cY~e)JrWTWwW|7ntsbz_(+*!3usTe4&YU?V zpYH7{1@_^&OCvr#Jlqa!C`8|V{&pg;3<4IRz=Oq(-@YwvYikQE#DNC`swpcsTa~^7 z)oo{In*-14TUB+h{{QcI;6?U@!0P<);pQn*M1bAjEld;c+=)p_N&?l%r%!vowgP2W zVCvm+>de`*Pk}=g7S`6{*6i;C^vZnUJh3us{W=&0b-yt=-+z!vl1jSA|zS zu!*GvJX8 + showguides="true" + inkscape:export-bgcolor="#ffffffff"> + id="g19460" + transform="translate(-3.7041668)"> Primary key creates a issues signature to associate the User ID with itself - Certification for User ID - + width="50.266029" + height="67.318695" + x="83.182564" + y="96.4897" /> Metadata associatedSignature Over:with 
this Signature:Primary Key,+ User ID+ Metadata associated with this Signature:- creation time- algorithm preferences- key expiration time- "Primary User ID" flag- primary key flags- primary key expiration time- ... + + From 443023b8e96f6fb8fe96c8c620c104f98a003973 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Sat, 14 Oct 2023 22:44:55 +0200 Subject: [PATCH 34/56] ch4: fix phrasing --- book/source/04-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 7dcf1f3..36ea229 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -172,7 +172,7 @@ However, the owner of a certificate doesn't want a third party to add subkeys (o To prevent malicious addition of components, OpenPGP uses cryptographic signatures. These signatures show that components have been added by the owner of the OpenPGP certificate (these linking signatures are issued by the primary key of the certificate). -So while anyone can still unilaterally store unrelated subkeys and [identity components](identity_components) in an OpenPGP certificate dataset, OpenPGP implementations that read this file should discard components that don't have a valid cryptographic connection with the certificate. +So while anyone can still unilaterally store unrelated subkeys and [identity components](identity_components) in an OpenPGP certificate dataset, OpenPGP implementations that read this certificate should discard components that don't have a valid cryptographic connection with the certificate. (Conversely, it's easy for a third party to leave out packets when passing on an OpenPGP certificate. An attacker can, for example, choose to omit revocation packets. The recipient of such a partial copy has no way to notice the omission, without access to a different source for the certificate that contains the revocation packet.) 
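Review bot: In the changed sentence of the `@@ -172,7 +172,7 @@` hunk, "certificate" now names both the untrusted input and the validated result: unrelated components are stored "in an OpenPGP certificate dataset", and implementations "that read this certificate" should discard components without "a valid cryptographic connection with the certificate". The paragraph's point is that the stored packets are not yet trustworthy, so a distinct noun for the input (for example "that read this dataset", matching the earlier clause) would make clear that unbound components are discarded before the data is treated as a certificate.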
From 2df7aa779d717e77926022262d0ebc104101f573 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Sat, 14 Oct 2023 15:01:52 +0200 Subject: [PATCH 35/56] ch4: Outline how key flags are set (addresses one point of #63) --- book/source/04-certificates.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 36ea229..c083959 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -124,6 +124,15 @@ It is considered good practice to have separate component keys for each type of [^key-flag-sharing]: With ECC algorithms, it's actually not possible to share encryption functionality with the signing-based functionalities, e.g.: ed25519 used for signing; cv25519 used for encryption. +#### Component key metadata, including key flags + +The key flags for a component key are actually not defined *inside* that component key itself. + +Instead, key flags, together with other metadata about that component key (such as the key expiration time), are stored using mechanisms that join components together as an OpenPGP certificate: + +- For the primary key, two different mechanisms can be used to define its key flags (as well as other metadata): That configuration can be associated with the [Primary User ID](primary_user_id), or via a [direct key signature](direct_key_signature). +- For subkeys, their key flags (and other metadata) are defined with the mechanism that connects the subkey with the certificate (via the primary key). More on that [below](binding_subkeys). + (identity_components)= ### Identity components 
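Review bot: The primary-key bullet in the new "Component key metadata, including key flags" section names two mechanisms (the Primary User ID and a direct key signature) but does not say which one is authoritative when a certificate carries both. The only hint is the TODO later in this patch ("c-r prefers this over primary user id"). A sentence stating the precedence here, or a pointer to the direct key signature section for it, would close the gap, since this is where the reader learns where key flags and the key expiration time come from. The "[below](binding_subkeys)" link also relies on a label that this patch does not add, so it is worth confirming that the label exists. "are actually not defined" can drop "actually".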
@@ -141,6 +150,7 @@ Often, identities in a User ID consist of a string that is composed of a name an OpenPGP certificates can contain any number of User IDs ``` +(primary_user_id)= #### Primary User ID and its implications One User ID in a certificate has the special property of being the [Primary User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-primary-user-id). @@ -227,6 +237,13 @@ Alice can link a User ID to her OpenPGP certificate with a cryptographic signatu Linking a User ID to an OpenPGP certificate ``` +(direct_key_signature)= +#### Direct key signature + +```{admonition} TODO +explain metadata associated with this signature, and that c-r prefers this over primary user id. +``` + (third_party_cert)= ## Third party (identity) certifications From 3ed3d5ed6a7757986cc5d53b7c69fd70df75202d Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Sat, 14 Oct 2023 20:45:56 +0200 Subject: [PATCH 36/56] ch4: elaborate on user id conventions --- book/source/04-certificates.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index c083959..fc8903b 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -143,13 +143,17 @@ Identity components in an OpenPGP certificate are used by the certificate holder An OpenPGP certificate can contain any number of [User IDs](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-id-packet-tag-13). Each User ID associates the certificate with an identity. -Often, identities in a User ID consist of a string that is composed of a name and an email address (this string must be UTF-8 encoded). - ```{figure} diag/user_id.png OpenPGP certificates can contain any number of User IDs ``` +Often, identities in a User ID consist of a UTF-8 encoded string that is composed of a name and an email address. By convention, User IDs typically consist of an [RFC2822](https://www.rfc-editor.org/rfc/rfc2822) *name-addr*. + +Also see [draft-dkg-openpgp-userid-conventions-00](https://datatracker.ietf.org/doc/draft-dkg-openpgp-userid-conventions/), 25 August 2023. + +One proposed variant for encoding identities in User ID is to use ["split User IDs"](https://dkg.fifthhorseman.net/blog/2021-dkg-openpgp-transition.html#split-user-ids). + (primary_user_id)= #### Primary User ID and its implications From 2b018c73eefd8908c6489d813090cfcb24576140 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Sun, 15 Oct 2023 10:56:38 +0200 Subject: [PATCH 37/56] ch4: clarify that this chapter deals with "public keys" only --- book/source/04-certificates.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index fc8903b..3a2ff48 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
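Review bot: In the `@@ -143,13 +143,17 @@` hunk of "ch4: elaborate on user id conventions", the rewritten sentence "Often, identities in a User ID consist of a UTF-8 encoded string ..." puts the encoding under "Often", whereas the removed line stated "this string must be UTF-8 encoded". If the encoding is a requirement, state it separately so that only the name-and-email convention is described as typical. The new link targets RFC 2822, which RFC 5322 obsoletes, and "encoding identities in User ID" should read "in User IDs". The bare "Also see ... 25 August 2023." line would sit better as a footnote than as a paragraph of its own.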
@@ -50,7 +50,7 @@ OpenPGP certificates are typically long-lived and may be changed (typically by t An OpenPGP certificate usually contains multiple OpenPGP component keys. -OpenPGP component keys consist of an [asymmetric cryptographic keypair](asymmetric_key_pair) and a creation timestamp. These attributes of a component key cannot be changed after creation (in the case of ECDH keys, two additional parameters are part of a component key's constituting data[^ecdh-paramters]). +OpenPGP component keys logically consist of an [asymmetric cryptographic keypair](asymmetric_key_pair) and a creation timestamp. These attributes of a component key cannot be changed after creation (in the case of ECDH keys, two additional parameters are part of a component key's constituting data[^ecdh-paramters]). [^ecdh-paramters]: For [ECDH](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ecd) component keys, two additional algorithm parameters are part of the component key's constituting and immutable properties. Those parameters define a hash function and a symmetric encryption algorithm. 
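Review bot: "logically consist of an asymmetric cryptographic keypair" leaves the reader to guess what "logically" excludes. The next hunk of this patch states that each component key of a certificate "contains only the public part of its cryptographic key data", so this sentence could say directly that a component key is defined by a keypair while the certificate carries only its public half. The footnote label "ecdh-paramters" in the surrounding context lines is misspelled; because the changed line references it, this patch is a reasonable place to rename both occurrences.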
@@ -59,7 +59,9 @@ OpenPGP component keys consist of an [asymmetric cryptographic keypair](asymmetr An OpenPGP component key ``` -Component key representations that include private key material also contain metadata that specifies the password protection scheme for the private key material. +Component key representations that include private key material also contain metadata that specifies the password protection scheme for the private key material. However, in this chapter, we're looking at *OpenPGP certificates*, which *don't* contain private key information. Each component key of such a certificate contains only the public part of its cryptographic key data. To read more about private keys in OpenPGP, see {numref}`private_key_chapter`. + +#### Fingerprint For each OpenPGP component key, an *OpenPGP fingerprint* can be derived from the combination of the public key material and creation timestamp (and ECDH parameters, if applicable). From 0965fa4faed96a172c68abe569536718f0b74b83 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Sun, 15 Oct 2023 14:10:21 +0200 Subject: [PATCH 38/56] ch4, zooming in: remove material that involves private key (All of that should be in ch5) --- book/source/04-certificates.md | 250 +++++++++++---------------------- 1 file changed, 83 insertions(+), 167 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 3a2ff48..43e388a 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -333,78 +333,81 @@ Some OpenPGP subsystems may add User IDs to a certificate, which are not bound t ## Zooming in: Packet structure -Now that we've established the concepts of the components that OpenPGP certificates consist of, let's look at the internal details of our example certificate. +Now that we've established these concepts, and the components that OpenPGP certificates consist of, let's look at the internal details of an example certificate. -### A very minimal OpenPGP transferable secret key +### A very minimal OpenPGP certificate -We'll start with a very minimal version of [](alice_priv), stored as a *transferable secret key* ([RFC 10.2.](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#transferable-secret-keys)) (that is, including private key material). - -Note that the secret key material we're using in this chapter is not password protected. To learn more about encrypting private key material with passwords in OpenPGP, see -{numref}`encrypted_secrets`. +First, we'll look at a very minimal version of a "public key" variant of [](alice_priv). That is, an OpenPGP certificate (which doesn't contain private key material). In this section, we use the Sequoia-PGP tool `sq` to handle and transform our example OpenPGP key, and to inspect internal OpenPGP packet data. -(split_alice)= -#### Splitting an OpenPGP key into packets - -One way to produce a very minimal version of Alice's key is to split her full key into its component packets, and join only the relevant ones back together into a variant of the key. 
+Starting from [Alice's OpenPGP "private key"](alice_priv), we first produce the corresponding "public key", or certificate: ```text -$ sq packet split alice.priv +$ sq key extract-cert alice.priv > alice.pub ``` -With this command, `sq` generates a set of files, each containing an individual OpenPGP packet of the original full key in `alice.priv`: +(split_alice)= +#### Splitting the OpenPGP certificate into packets + +One way to produce a very minimal version of Alice's certificate is to split the data in `alice.pub` into its component packets, and join only the relevant ones back together into a new variant. ```text -alice.priv-0--SecretKey -alice.priv-1--Signature -alice.priv-2--UserID -alice.priv-3--Signature -alice.priv-4--SecretSubkey -alice.priv-5--Signature -alice.priv-6--SecretSubkey -alice.priv-7--Signature -alice.priv-8--SecretSubkey -alice.priv-9--Signature +$ sq packet split alice.pub +``` + +With this command, `sq` generates a set of files, each containing an individual OpenPGP packet of the original full certificate in `alice.pub`: + +```text +alice.pub-0--PublicKey +alice.pub-1--Signature +alice.pub-2--UserID +alice.pub-3--Signature +alice.pub-4--PublicSubkey +alice.pub-5--Signature +alice.pub-6--PublicSubkey +alice.pub-7--Signature +alice.pub-8--PublicSubkey +alice.pub-9--Signature ``` ```{admonition} VISUAL :class: warning -Show a very abstract diagram of the packets of Alice's OpenPGP key (above): -- Secret-Key packet +Show a very abstract diagram of the packets of Alice's OpenPGP certificate (above): +- Public-Key packet - Direct Key Signature - User ID - Certifying self-signature for User ID -- Secret-Subkey packet +- Public-Subkey packet - Subkey binding signature -- Secret-Subkey packet +- Public-Subkey packet - Subkey binding signature -- Secret-Subkey packet +- Public-Subkey packet - Subkey binding signature ``` -#### Joining packets into an OpenPGP key +#### Joining packets into an OpenPGP certificate -For our first step, we'll use just 
the first two of these packets, and join them together as a private key: +For our first step, we'll use just the first two of the packets of Alice's certificate, and join them together as a very minimal certificate: ```text -$ sq packet join alice.priv-0--SecretKey alice.priv-1--Signature --output alice_minimal.priv +$ sq packet join alice.pub-0--PublicKey alice.pub-1--Signature --output alice_minimal.pub ``` -#### Inspecting this key +#### Inspecting this certificate -This version of Alice's key contains just two packets: +This version of Alice's certificate contains just two packets: -- The [*Secret-Key packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-packet-formats) for the primary key, and +- The [*Public-Key packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-packet-formats) for the primary key, and - A [*Direct Key Signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-direct-key) (a self-signature that binds metadata to the primary key). This is the shape of the packets we'll be looking at, in the following two sections: -```{figure} diag/key-minimal.png +```{figure} diag/pubcert-minimal.png :width: 40% -A minimal OpenPGP key, visualized +A minimal OpenPGP certificate, visualized ``` ```{admonition} VISUAL 
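Review bot: the unchanged sentence "In this section, we use the Sequoia-PGP tool `sq` to handle and transform our example OpenPGP key" still says "key" although every changed line around it now says "certificate", and the new opening paragraph introduces the object as a "public key" variant of `[](alice_priv)`. Change that sentence to "our example OpenPGP certificate" in the same commit so the section does not switch terms between consecutive paragraphs. The chapter's stated goal is to separate the two meanings, so the leftover stands out here.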
@@ -417,22 +420,20 @@ This diagram needs adjustments about We could show repeat-copies of the individual packet visualization again, below for each packet-related section. ``` -In the real world, you won't usually encounter an OpenPGP key that is quite this minimal. However, this is technically a valid OpenPGP key (and we'll add more components to it, later in this section). +In the real world, you won't usually encounter an OpenPGP certificate that is quite this minimal. However, this is technically a valid OpenPGP certificate (and we'll add more components to it, later in this section). In ASCII-armored representation, this very minimal key looks like this: ```text ------BEGIN PGP PRIVATE KEY BLOCK----- -Comment: AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3 +-----BEGIN PGP PUBLIC KEY BLOCK----- -xUsGZRbqphsAAAAgUyTpQ6+rFfdu1bUSmHlpzRtdEGXr50Liq0f0hrOuZT4A7+GZ -tV8R+6qT6CadO7ItciB9/71C3UvpozaBO6XMz/vCtgYfGwoAAAA9BYJlFuqmBYkF -pI+9AwsJBwMVCggCmwECHgEiIQaqoYy7JUaFxYNYMgVj/Te2fzMA+fsOxFc3jNKf -ECaYswAAAAoJEKqhjLslRoXFZ0cgouNjgeNr0E9W18g4gAIl6FM5SWuQxg12j0S0 -7ExCOI5NPRDCrSnAV85mAXOzeIGeiVLPQ40oEal3CX/L+BXIoY2sIEQrLd4TAEEy -0BA8aQZTPEmMdiOCM1QB+V+BQZAO -=f0GN ------END PGP PRIVATE KEY BLOCK----- +xioGZRbqphsAAAAgUyTpQ6+rFfdu1bUSmHlpzRtdEGXr50Liq0f0hrOuZT7CtgYf +GwoAAAA9BYJlFuqmBYkFpI+9AwsJBwMVCggCmwECHgEiIQaqoYy7JUaFxYNYMgVj +/Te2fzMA+fsOxFc3jNKfECaYswAAAAoJEKqhjLslRoXFZ0cgouNjgeNr0E9W18g4 +gAIl6FM5SWuQxg12j0S07ExCOI5NPRDCrSnAV85mAXOzeIGeiVLPQ40oEal3CX/L ++BXIoY2sIEQrLd4TAEEy0BA8aQZTPEmMdiOCM1QB+V+BQZAO +=5nyq +-----END PGP PUBLIC KEY BLOCK----- ``` We'll now decode this OpenPGP data, and inspect the two packets in detail. 
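Review bot: the context line "In ASCII-armored representation, this very minimal key looks like this:" was left untouched while the block below it changed from a PRIVATE KEY BLOCK to a PUBLIC KEY BLOCK. Reword it to "this very minimal certificate" to match the paragraph this hunk edits just above it. The new armored block also drops the `Comment:` fingerprint line that the removed block carried. If that is deliberate, fine. Otherwise regenerate the sample so readers can match the armor against the fingerprint shown in the packet dump.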
@@ -440,15 +441,16 @@ We'll now decode this OpenPGP data, and inspect the two packets in detail. To inspect the internal structure of the OpenPGP data, we run the Sequoia-PGP tool `sq`, using the `packet dump` subcommand. The output of `sq` is one block of text, but to discuss the content of each packet we'll break the output up into sections here: ```text -$ sq packet dump --hex alice_minimal.priv +$ sq packet dump --hex alice_minimal.pub ``` -#### Secret-Key Packet +(public_key)= +#### Public-Key packet -The output starts with the (primary) [Secret-Key packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-packet-formats) (the file `alice.priv-0--SecretKey` contains this packet): +The output now starts with a (primary) [Public-Key packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-packet-formats): ```text -Secret-Key Packet, new CTB, 2 header bytes + 75 bytes +Public-Key Packet, new CTB, 2 header bytes + 42 bytes Version: 6 Creation time: 2023-09-29 15:17:58 UTC Pk algo: Ed25519 @@ -456,12 +458,8 @@ Secret-Key Packet, new CTB, 2 header bytes + 75 bytes Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 KeyID: AAA18CBB254685C5 - Secret Key: - - Unencrypted - - 00000000 c5 CTB - 00000001 4b length + 00000000 c6 CTB + 00000001 2a length 00000002 06 version 00000003 65 16 ea a6 creation_time 00000007 1b pk_algo 
@@ -469,18 +467,14 @@ Secret-Key Packet, new CTB, 2 header bytes + 75 bytes 0000000c 53 24 e9 43 ed25519_public 00000010 af ab 15 f7 6e d5 b5 12 98 79 69 cd 1b 5d 10 65 00000020 eb e7 42 e2 ab 47 f4 86 b3 ae 65 3e - 0000002c 00 s2k_usage - 0000002d ef e1 99 ed25519_secret - 00000030 b5 5f 11 fb aa 93 e8 26 9d 3b b2 2d 72 20 7d ff - 00000040 bd 42 dd 4b e9 a3 36 81 3b a5 cc cf fb ``` -The Secret-Key packet consists in large part of the actual cryptographic key data. Let's look at the packet field by field: +The Public-Key packet consists in large part of the actual cryptographic key data. Let's look at the packet field by field: -- `CTB: 0xc5`[^CTB]: The [packet type ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers) for this packet. The binary representation of the value `0xc5` is `11000101`. Bits 7 and 6 show that the packet is in *OpenPGP packet format* (as opposed to in *Legacy packet format*). The remaining 6 bits encode the type ID's value: "5". This is the value for a Secret-Key packet, as shown in the list of [packet type IDs](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-tags). -- `length: 0x4b`: The remaining length of this packet. +- `CTB: 0xc6`[^CTB]: The [packet type ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers) for this packet. The binary representation of the value `0xc6` is `11000110`. Bits 7 and 6 show that the packet is in *OpenPGP packet format* (as opposed to in *Legacy packet format*). The remaining 6 bits encode the type ID's value: "6". This is the value for a Public-Key packet, as shown in the list of [packet type IDs](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-tags). +- `length: 0x2a`: The remaining length of this packet. -The packet type id defines the semantics of the remaining data in the packet. 
We're looking at a Secret-Key packet, which is a kind of [Key Material Packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-material-packets). +The packet type id defines the semantics of the remaining data in the packet. We're looking at a Public-Key packet, which is a kind of [Key Material Packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-material-packets). - `version: 0x06`: The key material is in version 6 format @@ -491,11 +485,6 @@ This means that the next part of the packet follows the structure of [Version 6 - `public_len: 0x00000020`: "Octet count for the following public key material" (in this case, the length of the following `ed25519_public` field) - `ed25519_public`: [Algorithm-specific representation](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ed2) of the public key material (the format is based on the value of `pk_algo`), in this case 32 bytes of Ed25519 public key -This concludes the Public Key section of the packet. The remaining data follows the [Secret-Key packet format](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-packet-formats): - -- `s2k_usage: 0x00`: This [*S2K usage* value](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-encryption-s2k-u) specifies that the secret-key data is not encrypted -- `ed25519_secret`: [Algorithm-specific representation](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ed2) of the secret key data (the format is based on the value of `pk_algo`) - [^CTB]: Sequoia uses the term CTB (Cipher Type Byte) to refer to the RFC's [packet type ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers). In previous versions, the RFC called this field "Packet Tag". ```{tip} 
@@ -503,12 +492,12 @@ This concludes the Public Key section of the packet. The remaining data follows The overall structure of OpenPGP packets is described in the [Packet Syntax](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-syntax) chapter of the RFC. ``` -Note that the *Secret-Key packet* contains both the private and the public part of the key. +Note that the *Public-Key packet* contains only the public part of the key. (zooming_in_dks)= #### Direct Key Signature -The next packet is a [*Direct Key Signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-direct-key), which is bound to the primary key (the file `alice.priv-1--Signature` contains this packet). +The next packet is a [*Direct Key Signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-direct-key), which is bound to the primary key (the file `alice.pub-1--Signature` contains this packet). This packet "binds the information in the signature subpackets to the key". Each entry under "Signature Packet -> Hashed area" is one signature subpacket, for example, including information about algorithm preferences (*symmetric algorithm preference* and *hash algorithm preferences*). 
@@ -631,93 +620,36 @@ The signature is calculated over a hash. The hash, in this case, is calculated o - A serialized form of the primary key's public data - A serialized form of this direct key signature packet (up to, but excluding the unhashed area) -### Seen as a very minimal OpenPGP certificate - -Let's now look at a "public key" view of the (very minimal) OpenPGP key above. That is, the same data, but without the private key material parts. An OpenPGP user might give such a certificate to a communication partner, or upload it to a key server: - -```text -$ sq key extract-cert alice_minimal.priv ------BEGIN PGP PUBLIC KEY BLOCK----- -Comment: AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3 - -xioGZRbqphsAAAAgUyTpQ6+rFfdu1bUSmHlpzRtdEGXr50Liq0f0hrOuZT7CtgYf -GwoAAAA9BYJlFuqmBYkFpI+9AwsJBwMVCggCmwECHgEiIQaqoYy7JUaFxYNYMgVj -/Te2fzMA+fsOxFc3jNKfECaYswAAAAoJEKqhjLslRoXFZ0cgouNjgeNr0E9W18g4 -gAIl6FM5SWuQxg12j0S07ExCOI5NPRDCrSnAV85mAXOzeIGeiVLPQ40oEal3CX/L -+BXIoY2sIEQrLd4TAEEy0BA8aQZTPEmMdiOCM1QB+V+BQZAO -=5nyq ------END PGP PUBLIC KEY BLOCK----- -``` - -```text -$ sq packet dump --hex alice_minimal.pub -``` - -The output now starts with a (primary) [Public-Key packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-packet-formats): - -```text -Public-Key Packet, new CTB, 2 header bytes + 42 bytes - Version: 6 - Creation time: 2023-09-29 15:17:58 UTC - Pk algo: Ed25519 - Pk size: 256 bits - Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 - KeyID: AAA18CBB254685C5 - - 00000000 c6 CTB - 00000001 2a length - 00000002 06 version - 00000003 65 16 ea a6 creation_time - 00000007 1b pk_algo - 00000008 00 00 00 20 public_len - 0000000c 53 24 e9 43 ed25519_public - 00000010 af ab 15 f7 6e d5 b5 12 98 79 69 cd 1b 5d 10 65 - 00000020 eb e7 42 e2 ab 47 f4 86 b3 ae 65 3e -``` - -Note that the packet is almost identical to the Secret-Key packet seen above. 
- -The packet type ID (called `CTB` in the output) shows the packet type is now [*Public-Key packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-packet-tag-6), instead of *Secret-Key packet*, above. Besides this change, this *Public-Key packet* only leaves out the last section, which contained the private-key related fields `s2k_usage` and `ed25519_secret`. - -The following, second packet in the certificate (the Direct Key Signature) is bit-for-bit identical as in the previous section. So we omit showing it again, here. - -```{figure} diag/pubcert-minimal.png -:width: 40% - -A minimal OpenPGP public certificate, visualized -``` - -In the following examples, we will only look at OpenPGP keys that include the private key material. The corresponding "certificate" variants, which only contain the public key material, are easy to imagine: like here, their packet type is changed from a Secret-Key to a Public-Key variant, and they leave out the private key material. (zoom_enc_subkey)= ### Encryption subkey -Now we'll look at a subkey in Alice's key. An OpenPGP subkey, when it is linked to an OpenPGP certificate (via its primary key), effectively consists of two elements: +Now we'll look at a subkey in Alice's certificate. An OpenPGP subkey, when it is linked to an OpenPGP certificate (via its primary key), consists of two elements: - a key packet that contains the component key itself, and - a signature packet that links this component key to the primary key (and thus implicitly to the full OpenPGP certificate). -In this section, we'll use the files that contain individual packets of Alice's key, which we split apart above. In this split representation of Alice's key, the encryption subkey happens to be stored in `alice.priv-4--SecretSubkey`, and the associated binding self-signature for the subkey in `alice.priv-5--Signature`. 
+In this section, we'll use the files that contain individual packets of Alice's certificate, which we split apart above. In this split representation of Alice's certificate, the encryption subkey happens to be stored in `alice.pub-4--PublicSubkey`, and the associated binding self-signature for the subkey in `alice.pub-5--Signature`. ````{note} -It's common to look at a packet dump for a full OpenPGP key, like this: +It's common to look at a packet dump for a full OpenPGP certificate, like this: ```text -$ sq packet dump --hex alice.priv +$ sq packet dump --hex alice.pub ``` -That command shows the details for the full series of packets in an OpenPGP certificate (recall the list of [packets of Alice's key](split_alice)). Finding a particular packet in that list can take a moment. +That command shows the details for the full series of packets in an OpenPGP certificate (recall the list of [packets of Alice's certificate](split_alice)). Finding a particular packet in that list can take a bit of focus and practice though. In the following sections we're making it a bit easier for ourselves, and directly look at individual packets, from the files we created with `sq packet split`, above. ```` -#### Secret-Subkey packet +#### Public-Subkey packet -First, we'll look at the *Secret-Subkey packet* that contains the component key data of this subkey: +First, we'll look at the *Public-Subkey packet* that contains the component key data of this subkey: ```text -$ sq packet dump --hex alice.priv-4--SecretSubkey -Secret-Subkey Packet, new CTB, 2 header bytes + 75 bytes +$ sq packet dump --hex alice.pub-4--PublicSubkey +Public-Subkey Packet, new CTB, 2 header bytes + 42 bytes Version: 6 Creation time: 2023-09-29 15:17:58 UTC Pk algo: X25519 
@@ -725,12 +657,8 @@ Secret-Subkey Packet, new CTB, 2 header bytes + 75 bytes Fingerprint: C0A58384A438E5A14F73712426A4D45DBAEEF4A39E6B30B09D5513F978ACCA94 KeyID: C0A58384A438E5A1 - Secret Key: - - Unencrypted - - 00000000 c7 CTB - 00000001 4b length + 00000000 ce CTB + 00000001 2a length 00000002 06 version 00000003 65 16 ea a6 creation_time 00000007 19 pk_algo 
@@ -738,17 +666,13 @@ Secret-Subkey Packet, new CTB, 2 header bytes + 75 bytes 0000000c d1 ae 87 d7 x25519_public 00000010 cc 42 af 99 34 c5 c2 5c ca fa b7 4a c8 43 fc 86 00000020 35 2a 46 01 f3 cc 00 f5 4a 09 3e 3f - 0000002c 00 s2k_usage - 0000002d 28 7d cd x25519_secret - 00000030 da 26 16 37 8d ea 24 c7 ce e7 70 c7 9b e5 6f 0a - 00000040 c9 77 fb bd 23 41 73 c9 57 5a bf 7c 4c ``` -Notice that the structure of this *Secret-Subkey packet* is the same as the *Secret-Key Packet* of the primary key, above. Only the content of the two packets differs in some points: +Notice that the structure of this *Public-Subkey packet* is the same as the *Public-Key Packet* of the primary key, [above](public_key). Only the content of the two packets differs in some points: -- The packet type ID (`CTB`) in this packet shows type 7 ([*Secret-Subkey packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-subkey-packet-tag-7)). +- The packet type ID (`CTB`) in this packet shows type 14 ([*Public-Subkey packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-subkey-packet-tag-14)). - The `pk_algo` value is set to `0x19` (decimal 25), which [corresponds to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms) X25519. Note that even though both the primary key and this subkey use a cryptographic mechanism based on Curve25519, this encryption key uses Curve 25519 in a different way (X25519 is a Diffie–Hellman function built out of Curve25519). -- Accordingly, both parts of the cryptographic key pair are labeled with the corresponding names `x25519_public` and `x25519_secret` (however, note that this difference only reflects the semantics of the fields, which are implied by the value of `pk_algo`. The actual data in both fields consists of just 32 bytes of cryptographic key material, without any type information.) 
+- Accordingly, the public part of the cryptographic key pair is labeled with the corresponding name: `x25519_public` (however, note that this difference only reflects the semantics of the field, which is implied by the value of `pk_algo`. The actual data consists of just 32 bytes of cryptographic key material, without any type information.) #### Subkey binding signature @@ -776,7 +700,7 @@ In addition to its core purpose of making the connection, this signature also co Note that this subkey binding signature packet is quite similar to the Direct Key Signature we discussed packet above. Both signatures perform the same function in terms of adding metadata to a component key. In particular, the hashed subpacket data contains many of the same pieces of metadata. ```text -$ sq packet dump --hex alice.priv-5--Signature +$ sq packet dump --hex alice.pub-5--Signature Signature Packet, new CTB, 2 header bytes + 171 bytes Version: 6 Type: SubkeyBinding @@ -865,8 +789,8 @@ write ``` ```text -$ sq packet dump --hex alice.priv-6--SecretSubkey -Secret-Subkey Packet, new CTB, 2 header bytes + 75 bytes +$ sq packet dump --hex alice.pub-6--PublicSubkey +Public-Subkey Packet, new CTB, 2 header bytes + 42 bytes Version: 6 Creation time: 2023-09-29 15:17:58 UTC Pk algo: Ed25519 @@ -874,12 +798,8 @@ Secret-Subkey Packet, new CTB, 2 header bytes + 75 bytes Fingerprint: D07B24EC91A14DD240AC2D53E6C8A9E054949A41222EA738576ED19CAEA3DC99 KeyID: D07B24EC91A14DD2 - Secret Key: - - Unencrypted - - 00000000 c7 CTB - 00000001 4b length + 00000000 ce CTB + 00000001 2a length 00000002 06 version 00000003 65 16 ea a6 creation_time 00000007 1b pk_algo 
@@ -887,14 +807,10 @@ Secret-Subkey Packet, new CTB, 2 header bytes + 75 bytes 0000000c 33 8c d4 f5 ed25519_public 00000010 1a 73 39 ef ce d6 0f 21 8d a0 58 a2 3c 3d 44 a8 00000020 59 e9 13 1f 12 9c 6f 19 d0 3d 40 a0 - 0000002c 00 s2k_usage - 0000002d 0e cb d1 ed25519_secret - 00000030 c9 bc 81 82 aa 77 1f a8 12 a6 2a 74 a4 20 c1 74 - 00000040 76 f3 86 24 fb a8 25 a5 62 dd d6 a2 91 ``` ```text -$ sq packet dump --hex alice.priv-7--Signature +$ sq packet dump --hex alice.pub-7--Signature Signature Packet, new CTB, 3 header bytes + 325 bytes Version: 6 Type: SubkeyBinding 
@@ -983,14 +899,14 @@ Now we'll look at an identity that is associated with Alice's certificate. User IDs are a mechanism for connecting [identities](identity_components) with an OpenPGP certificate. Traditionally, User IDs contain a string that combines a name and an email address. -Like [above](zoom_enc_subkey), to look at the internal packet structure of this identity and its connection the OpenPGP certificate, we'll inspect the two individual packets that constitute the identity component, the [User ID packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-id-packet-tag-13), in the file `alice.priv-2--UserID`, and the certifying self-signature a [Positive certification of a User ID and Public-Key packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-positive-certification-of-a) in `alice.priv-3--Signature` (these packets are an excerpt of Alice's full OpenPGP private key). +Like [above](zoom_enc_subkey), to look at the internal packet structure of this identity and its connection the OpenPGP certificate, we'll inspect the two individual packets that constitute the identity component, the [User ID packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-id-packet-tag-13), in the file `alice.pub-2--UserID`, and the certifying self-signature a [Positive certification of a User ID and Public-Key packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-positive-certification-of-a) in `alice.pub-3--Signature` (these packets are an excerpt of Alice's full OpenPGP private key). #### User ID packet First, let's look at the User ID packet, which encodes an identity that Alice has connected to her OpenPGP certificate: ```text -$ sq packet dump --hex alice.priv-2--UserID +$ sq packet dump --hex alice.pub-2--UserID User ID Packet, new CTB, 2 header bytes + 19 bytes Value: 
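Review bot: the rewritten paragraph still ends with "(these packets are an excerpt of Alice's full OpenPGP private key)" even though both file names on that line now come from `alice.pub`. It should read "Alice's full OpenPGP certificate", otherwise the text contradicts the commit's own purpose of removing private key material from this chapter. While the line is open, "its connection the OpenPGP certificate" is missing "to", and "the certifying self-signature a [Positive certification ...]" needs a comma or "which is" before the link.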
@@ -1013,7 +929,7 @@ As above, when [linking a subkey](zoom_enc_subkey) to the OpenPGP certificate, a To bind identities to a certificate with a self-signature, one of the signature types `0x10` - `0x13` can be used. Here, the signature type `0x13` (*positive certification*) is used. ```text -$ sq packet dump --hex alice.priv-3--Signature +$ sq packet dump --hex alice.pub-3--Signature Signature Packet, new CTB, 2 header bytes + 185 bytes Version: 6 Type: PositiveCertification From 13a3d8452674d8bc8a99958a2a7665b517a5e0bf Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Mon, 16 Oct 2023 13:20:38 +0200 Subject: [PATCH 39/56] ch4: move revocations section --- book/source/04-certificates.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 43e388a..da86d38 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -250,6 +250,19 @@ Linking a User ID to an OpenPGP certificate explain metadata associated with this signature, and that c-r prefers this over primary user id. ``` + +### Revocations + +```{admonition} TODO +:class: warning + +This section only contains notes and still needs to be written +``` + +Note: certification signatures [can be made irrevocable](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-revocable). + +#### Hard vs. soft revocations + (third_party_cert)= ## Third party (identity) certifications @@ -259,19 +272,6 @@ explain metadata associated with this signature, and that c-r prefers this over This section needs writing ``` -## Revocations - -```{admonition} TODO -:class: warning - -This section only contains notes and still needs to be written -``` - -Note: certification signatures [can be made irrevocable](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-revocable). - -### Hard vs. soft revocations - - ## Advanced topics ```{admonition} TODO 
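Review bot: in the "move revocations section" patch, demoting `## Revocations` to `### Revocations` and inserting it above the `(third_party_cert)=` label makes it a subsection of whichever `##` section precedes line 250, while the section's only note is about certification signatures being made irrevocable. Confirm that this nesting is intended rather than a side effect of the move. The stub heading `#### Hard vs. soft revocations` now sits directly before the `(third_party_cert)=` label with no body. Give it a TODO admonition like the other unwritten sections so the rendered page does not show an empty heading followed by an unrelated chapter section.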
From 86329e757b789eceb6c9b363bf9061e38ff5f183 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Mon, 16 Oct 2023 15:15:35 +0200 Subject: [PATCH 40/56] restructure: move "zooming in" texts from ch4 to a new chapter 17 --- book/source/04-certificates.md | 720 ------------------ book/source/17-zoom_certificates.md | 719 +++++++++++++++++ book/source/18-zoom_private_keys.md | 187 +++++ book/source/19-zoom_signatures.md | 1 + book/source/20-zoom_encyption.md | 1 + .../{17-resources.md => 21-resources.md} | 0 .../source/{18-glossary.md => 22-glossary.md} | 0 ...owledgements.md => 23-acknowledgements.md} | 0 8 files changed, 908 insertions(+), 720 deletions(-) create mode 100644 book/source/17-zoom_certificates.md create mode 100644 book/source/18-zoom_private_keys.md create mode 100644 book/source/19-zoom_signatures.md create mode 100644 book/source/20-zoom_encyption.md rename book/source/{17-resources.md => 21-resources.md} (100%) rename book/source/{18-glossary.md => 22-glossary.md} (100%) rename book/source/{19-acknowledgements.md => 23-acknowledgements.md} (100%) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index da86d38..32f3b76 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
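Review bot: the diffstat of this patch creates `book/source/20-zoom_encyption.md`, which looks like a misspelling of "encryption". Rename it to `20-zoom_encryption.md` before the name is picked up by the table of contents and cross-references. The same patch renames `17-resources.md`, `18-glossary.md` and `19-acknowledgements.md` to new numbers, so check that any reference to the old file names is updated in this commit as well.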
@@ -330,723 +330,3 @@ references/links missing ``` Some OpenPGP subsystems may add User IDs to a certificate, which are not bound to the primary key by the certificate's owner. This can be useful to store local identity information (e.g., Sequoia's public store attaches "pet-names" to certificates, in this way). - -## Zooming in: Packet structure - -Now that we've established these concepts, and the components that OpenPGP certificates consist of, let's look at the internal details of an example certificate. - -### A very minimal OpenPGP certificate - -First, we'll look at a very minimal version of a "public key" variant of [](alice_priv). That is, an OpenPGP certificate (which doesn't contain private key material). - -In this section, we use the Sequoia-PGP tool `sq` to handle and transform our example OpenPGP key, and to inspect internal OpenPGP packet data. - -Starting from [Alice's OpenPGP "private key"](alice_priv), we first produce the corresponding "public key", or certificate: - -```text -$ sq key extract-cert alice.priv > alice.pub -``` - -(split_alice)= -#### Splitting the OpenPGP certificate into packets - -One way to produce a very minimal version of Alice's certificate is to split the data in `alice.pub` into its component packets, and join only the relevant ones back together into a new variant. 
- -```text -$ sq packet split alice.pub -``` - -With this command, `sq` generates a set of files, each containing an individual OpenPGP packet of the original full certificate in `alice.pub`: - -```text -alice.pub-0--PublicKey -alice.pub-1--Signature -alice.pub-2--UserID -alice.pub-3--Signature -alice.pub-4--PublicSubkey -alice.pub-5--Signature -alice.pub-6--PublicSubkey -alice.pub-7--Signature -alice.pub-8--PublicSubkey -alice.pub-9--Signature -``` - -```{admonition} VISUAL -:class: warning - -Show a very abstract diagram of the packets of Alice's OpenPGP certificate (above): -- Public-Key packet -- Direct Key Signature -- User ID -- Certifying self-signature for User ID -- Public-Subkey packet -- Subkey binding signature -- Public-Subkey packet -- Subkey binding signature -- Public-Subkey packet -- Subkey binding signature -``` - -#### Joining packets into an OpenPGP certificate - -For our first step, we'll use just the first two of the packets of Alice's certificate, and join them together as a very minimal certificate: - -```text -$ sq packet join alice.pub-0--PublicKey alice.pub-1--Signature --output alice_minimal.pub -``` - -#### Inspecting this certificate - -This version of Alice's certificate contains just two packets: - -- The [*Public-Key packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-packet-formats) for the primary key, and -- A [*Direct Key Signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-direct-key) (a self-signature that binds metadata to the primary key). - -This is the shape of the packets we'll be looking at, in the following two sections: - -```{figure} diag/pubcert-minimal.png -:width: 40% - -A minimal OpenPGP certificate, visualized -``` - -```{admonition} VISUAL -:class: warning - -This diagram needs adjustments about - - what exactly is signed - - fix naming of fields? 
- -We could show repeat-copies of the individual packet visualization again, below for each packet-related section. -``` - -In the real world, you won't usually encounter an OpenPGP certificate that is quite this minimal. However, this is technically a valid OpenPGP certificate (and we'll add more components to it, later in this section). - -In ASCII-armored representation, this very minimal key looks like this: - -```text ------BEGIN PGP PUBLIC KEY BLOCK----- - -xioGZRbqphsAAAAgUyTpQ6+rFfdu1bUSmHlpzRtdEGXr50Liq0f0hrOuZT7CtgYf -GwoAAAA9BYJlFuqmBYkFpI+9AwsJBwMVCggCmwECHgEiIQaqoYy7JUaFxYNYMgVj -/Te2fzMA+fsOxFc3jNKfECaYswAAAAoJEKqhjLslRoXFZ0cgouNjgeNr0E9W18g4 -gAIl6FM5SWuQxg12j0S07ExCOI5NPRDCrSnAV85mAXOzeIGeiVLPQ40oEal3CX/L -+BXIoY2sIEQrLd4TAEEy0BA8aQZTPEmMdiOCM1QB+V+BQZAO -=5nyq ------END PGP PUBLIC KEY BLOCK----- -``` - -We'll now decode this OpenPGP data, and inspect the two packets in detail. - -To inspect the internal structure of the OpenPGP data, we run the Sequoia-PGP tool `sq`, using the `packet dump` subcommand. 
The output of `sq` is one block of text, but to discuss the content of each packet we'll break the output up into sections here: - -```text -$ sq packet dump --hex alice_minimal.pub -``` - -(public_key)= -#### Public-Key packet - -The output now starts with a (primary) [Public-Key packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-packet-formats): - -```text -Public-Key Packet, new CTB, 2 header bytes + 42 bytes - Version: 6 - Creation time: 2023-09-29 15:17:58 UTC - Pk algo: Ed25519 - Pk size: 256 bits - Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 - KeyID: AAA18CBB254685C5 - - 00000000 c6 CTB - 00000001 2a length - 00000002 06 version - 00000003 65 16 ea a6 creation_time - 00000007 1b pk_algo - 00000008 00 00 00 20 public_len - 0000000c 53 24 e9 43 ed25519_public - 00000010 af ab 15 f7 6e d5 b5 12 98 79 69 cd 1b 5d 10 65 - 00000020 eb e7 42 e2 ab 47 f4 86 b3 ae 65 3e -``` - -The Public-Key packet consists in large part of the actual cryptographic key data. Let's look at the packet field by field: - -- `CTB: 0xc6`[^CTB]: The [packet type ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers) for this packet. The binary representation of the value `0xc6` is `11000110`. Bits 7 and 6 show that the packet is in *OpenPGP packet format* (as opposed to in *Legacy packet format*). The remaining 6 bits encode the type ID's value: "6". This is the value for a Public-Key packet, as shown in the list of [packet type IDs](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-tags). -- `length: 0x2a`: The remaining length of this packet. - -The packet type id defines the semantics of the remaining data in the packet. We're looking at a Public-Key packet, which is a kind of [Key Material Packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-material-packets). 
- -- `version: 0x06`: The key material is in version 6 format - -This means that the next part of the packet follows the structure of [Version 6 Public Keys](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-version-6-public-keys) - -- `creation_time: 0x6516eaa6`: "The time that the key was created" (also see [Time Fields](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-time-fields)) -- `pk_algo: 0x1b`: "The public-key algorithm ID of this key" (decimal value 27, see the list of [Public-Key Algorithms](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms)) -- `public_len: 0x00000020`: "Octet count for the following public key material" (in this case, the length of the following `ed25519_public` field) -- `ed25519_public`: [Algorithm-specific representation](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ed2) of the public key material (the format is based on the value of `pk_algo`), in this case 32 bytes of Ed25519 public key - -[^CTB]: Sequoia uses the term CTB (Cipher Type Byte) to refer to the RFC's [packet type ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers). In previous versions, the RFC called this field "Packet Tag". - -```{tip} - -The overall structure of OpenPGP packets is described in the [Packet Syntax](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-syntax) chapter of the RFC. -``` - -Note that the *Public-Key packet* contains only the public part of the key. - -(zooming_in_dks)= -#### Direct Key Signature - -The next packet is a [*Direct Key Signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-direct-key), which is bound to the primary key (the file `alice.pub-1--Signature` contains this packet). 
- -This packet "binds the information in the signature subpackets to the key". Each entry under "Signature Packet -> Hashed area" is one signature subpacket, for example, including information about algorithm preferences (*symmetric algorithm preference* and *hash algorithm preferences*). - -```text -Signature Packet, new CTB, 2 header bytes + 182 bytes - Version: 6 - Type: DirectKey - Pk algo: Ed25519 - Hash algo: SHA512 - Hashed area: - Signature creation time: 2023-09-29 15:17:58 UTC (critical) - Key expiration time: P1095DT62781S (critical) - Symmetric algo preferences: AES256, AES128 - Hash preferences: SHA512, SHA256 - Key flags: C (critical) - Features: MDC - Issuer Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 - Unhashed area: - Issuer: AAA18CBB254685C5 - Digest prefix: 6747 - Level: 0 (signature over data) - - 00000000 c2 CTB - 00000001 b6 length - 00000002 06 version - 00000003 1f type - 00000004 1b pk_algo - 00000005 0a hash_algo - 00000006 00 00 00 3d hashed_area_len - 0000000a 05 subpacket length - 0000000b 82 subpacket tag - 0000000c 65 16 ea a6 sig creation time - 00000010 05 subpacket length - 00000011 89 subpacket tag - 00000012 05 a4 8f bd key expiry time - 00000016 03 subpacket length - 00000017 0b subpacket tag - 00000018 09 07 pref sym algos - 0000001a 03 subpacket length - 0000001b 15 subpacket tag - 0000001c 0a 08 pref hash algos - 0000001e 02 subpacket length - 0000001f 9b subpacket tag - 00000020 01 key flags - 00000021 02 subpacket length - 00000022 1e subpacket tag - 00000023 01 features - 00000024 22 subpacket length - 00000025 21 subpacket tag - 00000026 06 version - 00000027 aa a1 8c bb 25 46 85 c5 83 issuer fp - 00000030 58 32 05 63 fd 37 b6 7f 33 00 f9 fb 0e c4 57 37 - 00000040 8c d2 9f 10 26 98 b3 - 00000047 00 00 00 0a unhashed_area_len - 0000004b 09 subpacket length - 0000004c 10 subpacket tag - 0000004d aa a1 8c issuer - 00000050 bb 25 46 85 c5 - 00000055 67 digest_prefix1 - 00000056 47 
digest_prefix2 - 00000057 20 salt_len - 00000058 a2 e3 63 81 e3 6b d0 4f salt - 00000060 56 d7 c8 38 80 02 25 e8 53 39 49 6b 90 c6 0d 76 - 00000070 8f 44 b4 ec 4c 42 38 8e - 00000078 4d 3d 10 c2 ad 29 c0 57 ed25519_sig - 00000080 ce 66 01 73 b3 78 81 9e 89 52 cf 43 8d 28 11 a9 - 00000090 77 09 7f cb f8 15 c8 a1 8d ac 20 44 2b 2d de 13 - 000000a0 00 41 32 d0 10 3c 69 06 53 3c 49 8c 76 23 82 33 - 000000b0 54 01 f9 5f 81 41 90 0e -``` - -Let’s look at the packet field by field: - -- `CTB: 0xc2`: The Packet type ID for this packet. Bits 7 and 6 show that the packet is in “OpenPGP packet format” (as opposed to in “Legacy packet format”). The remaining 6 bits encode the type ID’s value: “2.” This is the value for a Signature packet. -- `length: 0xb6`: The remaining length of this packet. - -The packet type ID defines the semantics of the remaining data in the packet. We're looking at a [Signature packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#signature-packet), so the following data is interpreted accordingly. - -- `version: 0x06`: This is a version 6 signature (some of the following packet format is specific to this signature version). -- `type: 0x1f`: The [Signature Type](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-signature-types) -- `pk_algo: 0x1b`: Public-key algorithm ID (decimal 27, corresponds to [Ed25519](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms)) -- `hash_algo: 0x0a`: Hash algorithm ID (decimal 10, corresponds to [SHA2-512](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-hash-algorithms)) -- `hashed_area_len: 0x0000003d`: Length of the following hashed subpacket data - -The next part of this packet contains hashed subpacket data. A subpacket data set in an OpenPGP Signature contains a list of zero or more Signature subpackets. - -There are two sets of subpacket data in a Signature: hashed, and unhashed. 
The difference is that the hashed subpackets are protected by the digital signature of this packet, while the unhashed subpackets are not. - -The following subpacket data consists of sets of "subpacket length, subpacket type ID, data." We'll show the information for each subpacket as one line, starting with the [subpacket type description](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-signature-subpacket-specifi) (based on the subpacket type ID). Note that bit 7 of the subpacket type ID signals if that subpacket is ["critical"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#section-5.2.3.7-10). - -```{note} -Critical here means: the receiver must be able to interpret the subpacket and is expected to fail, otherwise. Non-critical subpackets may be ignored by the receiver. -``` - -- [Signature creation time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#signature-creation-subpacket) (subpacket type 2, **critical**): `0x6516eaa6` (also see [Time Fields](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-time-fields)) -- [Key expiration time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-expiration-subpacket) (subpacket type 9, **critical**): `0x05a48fbd` (defined as number of seconds after the key creation time) -- [Preferred symmetric ciphers for v1 SEIPD](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#preferred-v1-seipd) (type 11): `0x09 0x07`. (These values [correspond to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#symmetric-algos): *AES with 256-bit key* and *AES with 128-bit key*) -- [Preferred hash algorithms](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#preferred-hashes-subpacket) (subpacket type 21): `0x0a 0x08`. 
(These values [correspond to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-hash-algorithms): *SHA2-512* and *SHA2-256*) -- [Key flags](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-flags) (subpacket type 27, **critical**): `0x01`. (This value [corresponds](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-flags) to the *certifications* key flag) -- [Features](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#features-subpacket) (subpacket type 30): `0x01`. (This value [corresponds](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-features) to: *Symmetrically Encrypted Integrity Protected Data packet version 1*) -- [Issuer fingerprint](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#issuer-fingerprint-subpacket) (subpacket type 33): `aaa18cbb254685c58358320563fd37b67f3300f9fb0ec457378cd29f102698b3` (this is the fingerprint of the component key that issued the signature in this packet. Not that here, the value is the primary key fingerprint of the certificate we're looking at.) - -The next part of this packet contains "unhashed subpacket data": - -- `unhashed_area_len: 0x0000000a`: Length of the following unhashed subpacket data (value: 10 bytes). - -As above, the following subpacket data consists of sets of "subpacket length, subpacket type id, data." In this case, only subpacket follows: - -- [Issuer Key ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#issuer-keyid-subpacket) (subpacket type 16): `aaa18cbb254685c5` (this is the shortened version 6 *Key ID* of the fingerprint of this certificate's primary key) - -This concludes the unhashed subpacket data. 
- -- `digest_prefix: 0x6747`: "The left 16 bits of the signed hash value" -- `salt_len, salt`: A random [salt value](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-advantages-of-salted-signat) (the size must be [matching for the hash algorithm](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#hash-algorithms-registry)) -- `ed25519_sig`: [Algorithm-specific](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-fields-for-ed2) representation of the signature (in this case: 64 bytes of Ed25519 signature) - -The signature is calculated over a hash. The hash, in this case, is calculated over the following data (for details, see [Computing Signatures](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-computing-signatures) in the RFC): - -- The signature's salt -- A serialized form of the primary key's public data -- A serialized form of this direct key signature packet (up to, but excluding the unhashed area) - - -(zoom_enc_subkey)= -### Encryption subkey - -Now we'll look at a subkey in Alice's certificate. An OpenPGP subkey, when it is linked to an OpenPGP certificate (via its primary key), consists of two elements: - -- a key packet that contains the component key itself, and -- a signature packet that links this component key to the primary key (and thus implicitly to the full OpenPGP certificate). - -In this section, we'll use the files that contain individual packets of Alice's certificate, which we split apart above. In this split representation of Alice's certificate, the encryption subkey happens to be stored in `alice.pub-4--PublicSubkey`, and the associated binding self-signature for the subkey in `alice.pub-5--Signature`. 
- -````{note} -It's common to look at a packet dump for a full OpenPGP certificate, like this: - -```text -$ sq packet dump --hex alice.pub -``` - -That command shows the details for the full series of packets in an OpenPGP certificate (recall the list of [packets of Alice's certificate](split_alice)). Finding a particular packet in that list can take a bit of focus and practice though. - -In the following sections we're making it a bit easier for ourselves, and directly look at individual packets, from the files we created with `sq packet split`, above. -```` - -#### Public-Subkey packet - -First, we'll look at the *Public-Subkey packet* that contains the component key data of this subkey: - -```text -$ sq packet dump --hex alice.pub-4--PublicSubkey -Public-Subkey Packet, new CTB, 2 header bytes + 42 bytes - Version: 6 - Creation time: 2023-09-29 15:17:58 UTC - Pk algo: X25519 - Pk size: 256 bits - Fingerprint: C0A58384A438E5A14F73712426A4D45DBAEEF4A39E6B30B09D5513F978ACCA94 - KeyID: C0A58384A438E5A1 - - 00000000 ce CTB - 00000001 2a length - 00000002 06 version - 00000003 65 16 ea a6 creation_time - 00000007 19 pk_algo - 00000008 00 00 00 20 public_len - 0000000c d1 ae 87 d7 x25519_public - 00000010 cc 42 af 99 34 c5 c2 5c ca fa b7 4a c8 43 fc 86 - 00000020 35 2a 46 01 f3 cc 00 f5 4a 09 3e 3f -``` - -Notice that the structure of this *Public-Subkey packet* is the same as the *Public-Key Packet* of the primary key, [above](public_key). Only the content of the two packets differs in some points: - -- The packet type ID (`CTB`) in this packet shows type 14 ([*Public-Subkey packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-subkey-packet-tag-14)). -- The `pk_algo` value is set to `0x19` (decimal 25), which [corresponds to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms) X25519. 
Note that even though both the primary key and this subkey use a cryptographic mechanism based on Curve25519, this encryption key uses Curve 25519 in a different way (X25519 is a Diffie–Hellman function built out of Curve25519). -- Accordingly, the public part of the cryptographic key pair is labeled with the corresponding name: `x25519_public` (however, note that this difference only reflects the semantics of the field, which is implied by the value of `pk_algo`. The actual data consists of just 32 bytes of cryptographic key material, without any type information.) - -#### Subkey binding signature - -The subkey packet above by itself is disconnected from the OpenPGP certificate that it is a part of. The link between the subkey and the full OpenPGP key is made with a cryptographic signature, which is issued by the OpenPGP key's primary key. - -The type of signature that is used for this is called a *subkey binding signature*, because it "binds" (as in "connects") the subkey to the rest of the key. - -```{admonition} VISUAL -:class: warning - -Add detailed packet diagram analogous to 4.6.1 -``` - -```{admonition} TODO -:class: warning - -david points out: "The information on metadata in binding signatures may also make sense in other contexts (direct key signature)?" - -Should this text go elsewhere? -- 4.2.3? -- ch 6? -``` -In addition to its core purpose of making the connection, this signature also contains additional metadata about the subkey. One reason why this metadata is in a binding signature (and not in the subkey packet) is that it may change over time. The subkey packet itself may not change over time. So metadata about the subkey that can change is stored in self-signatures: if the key holder wants to change some metadata (for example, the key's expiration time), they can issue a newer version of the same kind of signature. 
Receiving OpenPGP software will then understand that the newer self-signature supersedes the older signature, and that the metadata in the newer signature reflects the most current intent of the key holder. - -Note that this subkey binding signature packet is quite similar to the Direct Key Signature we discussed packet above. Both signatures perform the same function in terms of adding metadata to a component key. In particular, the hashed subpacket data contains many of the same pieces of metadata. - -```text -$ sq packet dump --hex alice.pub-5--Signature -Signature Packet, new CTB, 2 header bytes + 171 bytes - Version: 6 - Type: SubkeyBinding - Pk algo: Ed25519 - Hash algo: SHA512 - Hashed area: - Signature creation time: 2023-09-29 15:17:58 UTC (critical) - Key expiration time: P1095DT62781S (critical) - Key flags: EtEr (critical) - Issuer Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 - Unhashed area: - Issuer: AAA18CBB254685C5 - Digest prefix: 2289 - Level: 0 (signature over data) - - 00000000 c2 CTB - 00000001 ab length - 00000002 06 version - 00000003 18 type - 00000004 1b pk_algo - 00000005 0a hash_algo - 00000006 00 00 00 32 hashed_area_len - 0000000a 05 subpacket length - 0000000b 82 subpacket tag - 0000000c 65 16 ea a6 sig creation time - 00000010 05 subpacket length - 00000011 89 subpacket tag - 00000012 05 a4 8f bd key expiry time - 00000016 02 subpacket length - 00000017 9b subpacket tag - 00000018 0c key flags - 00000019 22 subpacket length - 0000001a 21 subpacket tag - 0000001b 06 version - 0000001c aa a1 8c bb issuer fp - 00000020 25 46 85 c5 83 58 32 05 63 fd 37 b6 7f 33 00 f9 - 00000030 fb 0e c4 57 37 8c d2 9f 10 26 98 b3 - 0000003c 00 00 00 0a unhashed_area_len - 00000040 09 subpacket length - 00000041 10 subpacket tag - 00000042 aa a1 8c bb 25 46 85 c5 issuer - 0000004a 22 digest_prefix1 - 0000004b 89 digest_prefix2 - 0000004c 20 salt_len - 0000004d 0b 0c 89 salt - 00000050 b5 ab 15 e3 7f e4 4d b9 a7 ef 71 48 14 
3b ab 26 - 00000060 5f 34 7f 6d 48 2e 9f 78 48 58 6d 9a fb - 0000006d 6d b2 db ed25519_sig - 00000070 2f 97 8e c8 12 fc 57 7f 85 aa d1 59 bc 80 40 0b - 00000080 be 2e f0 e1 23 2d bf 4b 71 7e d0 e4 c0 36 e4 d2 - 00000090 cf b2 9f b4 a8 4f 3e 2a 21 89 74 c2 33 55 af ac - 000000a0 41 36 1b 2b 60 09 f2 d9 19 f4 41 12 0b -``` - -We'll go over this packet dump in less detail, since its structure mirrors the *Direct Key Signature* (described above) very closely. - -The first difference is in the `type` field, showing that this signature is of type `0x18` ([Subkey Binding Signature](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-subkey-binding-signature-si)). - -The `pk_algo` of this signature is informed by the algorithm of the primary key (`0x1b`, corresponding to Ed25519). The signature in this packet is issued by the primary key, so by definition it uses the signing algorithm of the primary key (that is: the algorithm used to produce the cryptographic signature in this packet is entire independent of the `pk_algo` of the key material of this subkey itself, which uses the X25519 mechanism). - -As shown in the text at the top of this packet dump, the hashed subpacket data contains four pieces of information: - -- Signature creation time: `2023-09-29 15:17:58 UTC` (**critical**) -- Key expiration time: `P1095DT62781S` (**critical**) -- Key flags: `EtEr` (**critical**) (encryption for communication, encryption for storage) -- Issuer Fingerprint: `AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3` - -The remainder of the packet has the same content as the *Direct Key Signature* above: -- A 16 bit digest prefix -- A salt value -- The cryptographic signature itself - -The signature is calculated over a hash. 
The hash, in this case, is calculated over the following data (for details, see [Computing Signatures](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-computing-signatures) in the RFC): - -- The signature's salt -- A serialized form of the primary key's public data -- A serialized form of the subkey's public data -- A serialized form of this subkey binding signature packet (up to, but excluding the unhashed area) - -### Signing subkey - -```{admonition} TODO -:class: warning - -write -``` - -```text -$ sq packet dump --hex alice.pub-6--PublicSubkey -Public-Subkey Packet, new CTB, 2 header bytes + 42 bytes - Version: 6 - Creation time: 2023-09-29 15:17:58 UTC - Pk algo: Ed25519 - Pk size: 256 bits - Fingerprint: D07B24EC91A14DD240AC2D53E6C8A9E054949A41222EA738576ED19CAEA3DC99 - KeyID: D07B24EC91A14DD2 - - 00000000 ce CTB - 00000001 2a length - 00000002 06 version - 00000003 65 16 ea a6 creation_time - 00000007 1b pk_algo - 00000008 00 00 00 20 public_len - 0000000c 33 8c d4 f5 ed25519_public - 00000010 1a 73 39 ef ce d6 0f 21 8d a0 58 a2 3c 3d 44 a8 - 00000020 59 e9 13 1f 12 9c 6f 19 d0 3d 40 a0 -``` - -```text -$ sq packet dump --hex alice.pub-7--Signature -Signature Packet, new CTB, 3 header bytes + 325 bytes - Version: 6 - Type: SubkeyBinding - Pk algo: Ed25519 - Hash algo: SHA512 - Hashed area: - Signature creation time: 2023-09-29 15:17:58 UTC (critical) - Key expiration time: P1095DT62781S (critical) - Key flags: S (critical) - Embedded signature: (critical) - Signature Packet - Version: 6 - Type: PrimaryKeyBinding - Pk algo: Ed25519 - Hash algo: SHA512 - Hashed area: - Signature creation time: 2023-09-29 15:17:58 UTC (critical) - Issuer Fingerprint: D07B24EC91A14DD240AC2D53E6C8A9E054949A41222EA738576ED19CAEA3DC99 - Digest prefix: 5365 - Level: 0 (signature over data) - - Issuer Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 - Unhashed area: - Issuer: AAA18CBB254685C5 - Digest prefix: 841C - Level: 
0 (signature over data) - - 00000000 c2 CTB - 00000001 c0 85 length - 00000003 06 version - 00000004 18 type - 00000005 1b pk_algo - 00000006 0a hash_algo - 00000007 00 00 00 cc hashed_area_len - 0000000b 05 subpacket length - 0000000c 82 subpacket tag - 0000000d 65 16 ea sig creation time - 00000010 a6 - 00000011 05 subpacket length - 00000012 89 subpacket tag - 00000013 05 a4 8f bd key expiry time - 00000017 02 subpacket length - 00000018 9b subpacket tag - 00000019 02 key flags - 0000001a 99 subpacket length - 0000001b a0 subpacket tag - 0000001c 06 19 1b 0a embedded sig - 00000020 00 00 00 29 05 82 65 16 ea a6 22 21 06 d0 7b 24 - 00000030 ec 91 a1 4d d2 40 ac 2d 53 e6 c8 a9 e0 54 94 9a - 00000040 41 22 2e a7 38 57 6e d1 9c ae a3 dc 99 00 00 00 - 00000050 00 53 65 20 42 03 ad 0c db fc b5 9a 98 a6 15 27 - 00000060 e4 11 5e f5 f2 a0 3d bc ed 8d 94 27 41 09 f6 3c - 00000070 4b f8 8a e5 af 73 e1 7d 54 07 40 3f f3 29 34 c2 - 00000080 e7 60 56 a5 e1 43 cb 08 ba 66 fe 8b 26 ce e7 cb - 00000090 a5 3a 46 bb a5 c8 5d e4 6a de ae 49 e1 3e 07 bf - 000000a0 c4 9e 98 14 2f 3e c5 f7 01 3e 3e 4f f6 18 2a ac - 000000b0 bd ed 52 0c - 000000b4 22 subpacket length - 000000b5 21 subpacket tag - 000000b6 06 version - 000000b7 aa a1 8c bb 25 46 85 c5 83 issuer fp - 000000c0 58 32 05 63 fd 37 b6 7f 33 00 f9 fb 0e c4 57 37 - 000000d0 8c d2 9f 10 26 98 b3 - 000000d7 00 00 00 0a unhashed_area_len - 000000db 09 subpacket length - 000000dc 10 subpacket tag - 000000dd aa a1 8c issuer - 000000e0 bb 25 46 85 c5 - 000000e5 84 digest_prefix1 - 000000e6 1c digest_prefix2 - 000000e7 20 salt_len - 000000e8 23 3d b2 49 f3 02 4b 08 salt - 000000f0 93 af ba 08 89 f0 e0 91 0f ab 22 26 aa b3 56 57 - 00000100 30 ea 95 29 06 60 6f 00 - 00000108 be 44 a1 95 38 a9 6b 3a ed25519_sig - 00000110 3e 51 f0 55 09 b1 e2 91 a9 17 86 fa f5 1e 3f d0 - 00000120 28 46 3c ce 6e 88 14 37 32 ec 3d fa c6 01 ca e5 - 00000130 a9 4b b7 63 94 c3 0d 92 ab dc fa 23 50 71 60 31 - 00000140 a6 73 c8 33 5a 9c d9 0a -``` - 
-(zooming_in_user_id)= -### Adding an identity component - -Now we'll look at an identity that is associated with Alice's certificate. - -User IDs are a mechanism for connecting [identities](identity_components) with an OpenPGP certificate. Traditionally, User IDs contain a string that combines a name and an email address. - -Like [above](zoom_enc_subkey), to look at the internal packet structure of this identity and its connection the OpenPGP certificate, we'll inspect the two individual packets that constitute the identity component, the [User ID packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-id-packet-tag-13), in the file `alice.pub-2--UserID`, and the certifying self-signature a [Positive certification of a User ID and Public-Key packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-positive-certification-of-a) in `alice.pub-3--Signature` (these packets are an excerpt of Alice's full OpenPGP private key). - -#### User ID packet - -First, let's look at the User ID packet, which encodes an identity that Alice has connected to her OpenPGP certificate: - -```text -$ sq packet dump --hex alice.pub-2--UserID -User ID Packet, new CTB, 2 header bytes + 19 bytes - Value: - - 00000000 cd CTB - 00000001 13 length - 00000002 3c 61 6c 69 63 65 40 65 78 61 6d 70 6c 65 value - 00000010 2e 6f 72 67 3e -``` - -- `CTB: 0xcd`: The Packet type ID for this packet. Bits 7 and 6 show that the packet is in “OpenPGP packet format” (as opposed to in “Legacy packet format”). The remaining 6 bits encode the type ID’s value: “13.” This is the value for a [User ID packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-id-packet-tag-13). -- `length: 0x13`: The remaining length of this packet (here: 19 bytes). -- `value`: 19 bytes of data that contain UTF-8 encoded text. The value corresponds to the string ``. 
With this identity component, Alice states that she uses (and has control of) this email address. Note that the email address is enclosed in `<` and `>` characters, following [RFC 2822](https://www.rfc-editor.org/rfc/rfc2822) conventions. - -So, a User ID packet is really just a string, marked as a User ID by the packet type id. - -#### Linking the User ID with a certification self-signature - -As above, when [linking a subkey](zoom_enc_subkey) to the OpenPGP certificate, a self-signature is used to connect this new component to the certificate. - -To bind identities to a certificate with a self-signature, one of the signature types `0x10` - `0x13` can be used. Here, the signature type `0x13` (*positive certification*) is used. - -```text -$ sq packet dump --hex alice.pub-3--Signature -Signature Packet, new CTB, 2 header bytes + 185 bytes - Version: 6 - Type: PositiveCertification - Pk algo: Ed25519 - Hash algo: SHA512 - Hashed area: - Signature creation time: 2023-09-29 15:17:58 UTC (critical) - Key expiration time: P1095DT62781S (critical) - Symmetric algo preferences: AES256, AES128 - Hash preferences: SHA512, SHA256 - Primary User ID: true (critical) - Key flags: C (critical) - Features: MDC - Issuer Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 - Unhashed area: - Issuer: AAA18CBB254685C5 - Digest prefix: DBB8 - Level: 0 (signature over data) - - 00000000 c2 CTB - 00000001 b9 length - 00000002 06 version - 00000003 13 type - 00000004 1b pk_algo - 00000005 0a hash_algo - 00000006 00 00 00 40 hashed_area_len - 0000000a 05 subpacket length - 0000000b 82 subpacket tag - 0000000c 65 16 ea a6 sig creation time - 00000010 05 subpacket length - 00000011 89 subpacket tag - 00000012 05 a4 8f bd key expiry time - 00000016 03 subpacket length - 00000017 0b subpacket tag - 00000018 09 07 pref sym algos - 0000001a 03 subpacket length - 0000001b 15 subpacket tag - 0000001c 0a 08 pref hash algos - 0000001e 02 subpacket length - 0000001f 99 
subpacket tag - 00000020 01 primary user id - 00000021 02 subpacket length - 00000022 9b subpacket tag - 00000023 01 key flags - 00000024 02 subpacket length - 00000025 1e subpacket tag - 00000026 01 features - 00000027 22 subpacket length - 00000028 21 subpacket tag - 00000029 06 version - 0000002a aa a1 8c bb 25 46 issuer fp - 00000030 85 c5 83 58 32 05 63 fd 37 b6 7f 33 00 f9 fb 0e - 00000040 c4 57 37 8c d2 9f 10 26 98 b3 - 0000004a 00 00 00 0a unhashed_area_len - 0000004e 09 subpacket length - 0000004f 10 subpacket tag - 00000050 aa a1 8c bb 25 46 85 c5 issuer - 00000058 db digest_prefix1 - 00000059 b8 digest_prefix2 - 0000005a 20 salt_len - 0000005b 8a 2d 6f da 67 salt - 00000060 35 bc 5d 04 77 b4 9d 67 a8 6e c5 d6 88 53 5f e2 - 00000070 ef f9 66 08 bf c2 e0 db c0 56 0d - 0000007b eb d4 2c a5 19 ed25519_sig - 00000080 01 0f ba 26 d0 82 a2 cf 5c eb 7a a9 72 d9 f3 b2 - 00000090 66 07 8b b2 ba 3d b7 89 e4 76 04 6e 35 24 2b 27 - 000000a0 29 83 be 91 9c 78 6a cc b4 d5 69 47 76 2c 29 d6 - 000000b0 54 bf 43 19 04 ff 53 98 c0 d5 0b -``` - - -We'll go over this packet dump in less detail, since its structure closely mirrors the [Direct Key Signature](zooming_in_dks) discussed above. - -We're again looking at a Signature packet. Its `type` is `0x13` ([corresponding](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-signature-types) to a *positive certification* signature). - -The public key algorithm and hash function used for this signature are Ed25519 and SHA512. 
- -As shown in the text at the top of this packet dump, the hashed subpacket data contains the following metadata: - -- Signature creation time: `2023-09-29 15:17:58 UTC` (**critical**) -- Key expiration time: `P1095DT62781S` (**critical**) -- Symmetric algo preferences: `AES256, AES128` -- Hash preferences: `SHA512, SHA256` -- Primary User ID: `true` (**critical**) -- Key flags: `C` (**critical**) -- Features: `MDC` -- Issuer Fingerprint: `AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3` - -This is a combination of metadata about the User ID itself (including defining this User ID as the *primary User ID* of this certificate), algorithm preferences that are associated with this identity, and settings that apply to the primary key. - -````{note} -For historical reasons, the self-signature that binds the primary User ID to the certificate also contains subpackets that apply not to the User ID, but to the primary key itself. - -Setting key expiration time and key flags on the primary User ID self-signature is one mechanism to configure the primary key. - -The interaction between metadata on direct key signatures and User ID binding self-signatures [is subtle](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-notes-on-self-signatures), and there are changes between version 6 and version 4. - - -```{admonition} TODO -:class: warning - -- link to a section that goes into more depth about "#name-notes-on-self-signatures"? -``` - -```` - -Followed, again, by the (informational) unhashed subpacket area. - -And finally, a salt value for the signature and the signature itself. - -The signature is calculated over a hash. 
The hash, in this case, is calculated over the following data (for details, see [Computing Signatures](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-computing-signatures) in the RFC): - -- The signature's salt -- A serialized form of the primary key's public data -- A serialized form of the User ID -- A serialized form of this self-signature packet (up to, but excluding the unhashed area) - -### Certifications (Third Party Signatures) - -### Revocations diff --git a/book/source/17-zoom_certificates.md b/book/source/17-zoom_certificates.md new file mode 100644 index 0000000..e8324cd --- /dev/null +++ b/book/source/17-zoom_certificates.md 
@@ -0,0 +1,719 @@ +# Zooming in: Packet structure of certificates and keys + +Now that we've established these concepts, and the components that OpenPGP certificates consist of, let's look at the internal details of an example certificate. + +## A very minimal OpenPGP certificate + +First, we'll look at a very minimal version of a "public key" variant of [](alice_priv). That is, an OpenPGP certificate (which doesn't contain private key material). + +In this section, we use the Sequoia-PGP tool `sq` to handle and transform our example OpenPGP key, and to inspect internal OpenPGP packet data. + +Starting from [Alice's OpenPGP "private key"](alice_priv), we first produce the corresponding "public key", or certificate: + +```text +$ sq key extract-cert alice.priv > alice.pub +``` + +(split_alice)= +### Splitting the OpenPGP certificate into packets + +One way to produce a very minimal version of Alice's certificate is to split the data in `alice.pub` into its component packets, and join only the relevant ones back together into a new variant. 
+ +```text +$ sq packet split alice.pub +``` + +With this command, `sq` generates a set of files, each containing an individual OpenPGP packet of the original full certificate in `alice.pub`: + +```text +alice.pub-0--PublicKey +alice.pub-1--Signature +alice.pub-2--UserID +alice.pub-3--Signature +alice.pub-4--PublicSubkey +alice.pub-5--Signature +alice.pub-6--PublicSubkey +alice.pub-7--Signature +alice.pub-8--PublicSubkey +alice.pub-9--Signature +``` + +```{admonition} VISUAL +:class: warning + +Show a very abstract diagram of the packets of Alice's OpenPGP certificate (above): +- Public-Key packet +- Direct Key Signature +- User ID +- Certifying self-signature for User ID +- Public-Subkey packet +- Subkey binding signature +- Public-Subkey packet +- Subkey binding signature +- Public-Subkey packet +- Subkey binding signature +``` + +### Joining packets into an OpenPGP certificate + +For our first step, we'll use just the first two of the packets of Alice's certificate, and join them together as a very minimal certificate: + +```text +$ sq packet join alice.pub-0--PublicKey alice.pub-1--Signature --output alice_minimal.pub +``` + +### Inspecting this certificate + +This version of Alice's certificate contains just two packets: + +- The [*Public-Key packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-packet-formats) for the primary key, and +- A [*Direct Key Signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-direct-key) (a self-signature that binds metadata to the primary key). + +This is the shape of the packets we'll be looking at, in the following two sections: + +```{figure} diag/pubcert-minimal.png +:width: 40% + +A minimal OpenPGP certificate, visualized +``` + +```{admonition} VISUAL +:class: warning + +This diagram needs adjustments about + - what exactly is signed + - fix naming of fields? 
+ +We could show repeat-copies of the individual packet visualization again, below for each packet-related section. +``` + +In the real world, you won't usually encounter an OpenPGP certificate that is quite this minimal. However, this is technically a valid OpenPGP certificate (and we'll add more components to it, later in this section). + +In ASCII-armored representation, this very minimal key looks like this: + +```text +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xioGZRbqphsAAAAgUyTpQ6+rFfdu1bUSmHlpzRtdEGXr50Liq0f0hrOuZT7CtgYf +GwoAAAA9BYJlFuqmBYkFpI+9AwsJBwMVCggCmwECHgEiIQaqoYy7JUaFxYNYMgVj +/Te2fzMA+fsOxFc3jNKfECaYswAAAAoJEKqhjLslRoXFZ0cgouNjgeNr0E9W18g4 +gAIl6FM5SWuQxg12j0S07ExCOI5NPRDCrSnAV85mAXOzeIGeiVLPQ40oEal3CX/L ++BXIoY2sIEQrLd4TAEEy0BA8aQZTPEmMdiOCM1QB+V+BQZAO +=5nyq +-----END PGP PUBLIC KEY BLOCK----- +``` + +We'll now decode this OpenPGP data, and inspect the two packets in detail. + +To inspect the internal structure of the OpenPGP data, we run the Sequoia-PGP tool `sq`, using the `packet dump` subcommand. 
The output of `sq` is one block of text, but to discuss the content of each packet we'll break the output up into sections here: + +```text +$ sq packet dump --hex alice_minimal.pub +``` + +(public_key)= +### Public-Key packet + +The output now starts with a (primary) [Public-Key packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-packet-formats): + +```text +Public-Key Packet, new CTB, 2 header bytes + 42 bytes + Version: 6 + Creation time: 2023-09-29 15:17:58 UTC + Pk algo: Ed25519 + Pk size: 256 bits + Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 + KeyID: AAA18CBB254685C5 + + 00000000 c6 CTB + 00000001 2a length + 00000002 06 version + 00000003 65 16 ea a6 creation_time + 00000007 1b pk_algo + 00000008 00 00 00 20 public_len + 0000000c 53 24 e9 43 ed25519_public + 00000010 af ab 15 f7 6e d5 b5 12 98 79 69 cd 1b 5d 10 65 + 00000020 eb e7 42 e2 ab 47 f4 86 b3 ae 65 3e +``` + +The Public-Key packet consists in large part of the actual cryptographic key data. Let's look at the packet field by field: + +- `CTB: 0xc6`[^CTB]: The [packet type ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers) for this packet. The binary representation of the value `0xc6` is `11000110`. Bits 7 and 6 show that the packet is in *OpenPGP packet format* (as opposed to in *Legacy packet format*). The remaining 6 bits encode the type ID's value: "6". This is the value for a Public-Key packet, as shown in the list of [packet type IDs](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-tags). +- `length: 0x2a`: The remaining length of this packet. + +The packet type id defines the semantics of the remaining data in the packet. We're looking at a Public-Key packet, which is a kind of [Key Material Packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-material-packets). 
+ +- `version: 0x06`: The key material is in version 6 format + +This means that the next part of the packet follows the structure of [Version 6 Public Keys](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-version-6-public-keys) + +- `creation_time: 0x6516eaa6`: "The time that the key was created" (also see [Time Fields](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-time-fields)) +- `pk_algo: 0x1b`: "The public-key algorithm ID of this key" (decimal value 27, see the list of [Public-Key Algorithms](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms)) +- `public_len: 0x00000020`: "Octet count for the following public key material" (in this case, the length of the following `ed25519_public` field) +- `ed25519_public`: [Algorithm-specific representation](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ed2) of the public key material (the format is based on the value of `pk_algo`), in this case 32 bytes of Ed25519 public key + +[^CTB]: Sequoia uses the term CTB (Cipher Type Byte) to refer to the RFC's [packet type ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers). In previous versions, the RFC called this field "Packet Tag". + +```{tip} + +The overall structure of OpenPGP packets is described in the [Packet Syntax](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-syntax) chapter of the RFC. +``` + +Note that the *Public-Key packet* contains only the public part of the key. + +(zooming_in_dks)= +### Direct Key Signature + +The next packet is a [*Direct Key Signature*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-direct-key), which is bound to the primary key (the file `alice.pub-1--Signature` contains this packet). 
+ +This packet "binds the information in the signature subpackets to the key". Each entry under "Signature Packet -> Hashed area" is one signature subpacket, for example, including information about algorithm preferences (*symmetric algorithm preference* and *hash algorithm preferences*). + +```text +Signature Packet, new CTB, 2 header bytes + 182 bytes + Version: 6 + Type: DirectKey + Pk algo: Ed25519 + Hash algo: SHA512 + Hashed area: + Signature creation time: 2023-09-29 15:17:58 UTC (critical) + Key expiration time: P1095DT62781S (critical) + Symmetric algo preferences: AES256, AES128 + Hash preferences: SHA512, SHA256 + Key flags: C (critical) + Features: MDC + Issuer Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 + Unhashed area: + Issuer: AAA18CBB254685C5 + Digest prefix: 6747 + Level: 0 (signature over data) + + 00000000 c2 CTB + 00000001 b6 length + 00000002 06 version + 00000003 1f type + 00000004 1b pk_algo + 00000005 0a hash_algo + 00000006 00 00 00 3d hashed_area_len + 0000000a 05 subpacket length + 0000000b 82 subpacket tag + 0000000c 65 16 ea a6 sig creation time + 00000010 05 subpacket length + 00000011 89 subpacket tag + 00000012 05 a4 8f bd key expiry time + 00000016 03 subpacket length + 00000017 0b subpacket tag + 00000018 09 07 pref sym algos + 0000001a 03 subpacket length + 0000001b 15 subpacket tag + 0000001c 0a 08 pref hash algos + 0000001e 02 subpacket length + 0000001f 9b subpacket tag + 00000020 01 key flags + 00000021 02 subpacket length + 00000022 1e subpacket tag + 00000023 01 features + 00000024 22 subpacket length + 00000025 21 subpacket tag + 00000026 06 version + 00000027 aa a1 8c bb 25 46 85 c5 83 issuer fp + 00000030 58 32 05 63 fd 37 b6 7f 33 00 f9 fb 0e c4 57 37 + 00000040 8c d2 9f 10 26 98 b3 + 00000047 00 00 00 0a unhashed_area_len + 0000004b 09 subpacket length + 0000004c 10 subpacket tag + 0000004d aa a1 8c issuer + 00000050 bb 25 46 85 c5 + 00000055 67 digest_prefix1 + 00000056 47 
digest_prefix2 + 00000057 20 salt_len + 00000058 a2 e3 63 81 e3 6b d0 4f salt + 00000060 56 d7 c8 38 80 02 25 e8 53 39 49 6b 90 c6 0d 76 + 00000070 8f 44 b4 ec 4c 42 38 8e + 00000078 4d 3d 10 c2 ad 29 c0 57 ed25519_sig + 00000080 ce 66 01 73 b3 78 81 9e 89 52 cf 43 8d 28 11 a9 + 00000090 77 09 7f cb f8 15 c8 a1 8d ac 20 44 2b 2d de 13 + 000000a0 00 41 32 d0 10 3c 69 06 53 3c 49 8c 76 23 82 33 + 000000b0 54 01 f9 5f 81 41 90 0e +``` + +Let’s look at the packet field by field: + +- `CTB: 0xc2`: The Packet type ID for this packet. Bits 7 and 6 show that the packet is in “OpenPGP packet format” (as opposed to in “Legacy packet format”). The remaining 6 bits encode the type ID’s value: “2.” This is the value for a Signature packet. +- `length: 0xb6`: The remaining length of this packet. + +The packet type ID defines the semantics of the remaining data in the packet. We're looking at a [Signature packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#signature-packet), so the following data is interpreted accordingly. + +- `version: 0x06`: This is a version 6 signature (some of the following packet format is specific to this signature version). +- `type: 0x1f`: The [Signature Type](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-signature-types) +- `pk_algo: 0x1b`: Public-key algorithm ID (decimal 27, corresponds to [Ed25519](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms)) +- `hash_algo: 0x0a`: Hash algorithm ID (decimal 10, corresponds to [SHA2-512](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-hash-algorithms)) +- `hashed_area_len: 0x0000003d`: Length of the following hashed subpacket data + +The next part of this packet contains hashed subpacket data. A subpacket data set in an OpenPGP Signature contains a list of zero or more Signature subpackets. + +There are two sets of subpacket data in a Signature: hashed, and unhashed. 
The difference is that the hashed subpackets are protected by the digital signature of this packet, while the unhashed subpackets are not. + +The following subpacket data consists of sets of "subpacket length, subpacket type ID, data." We'll show the information for each subpacket as one line, starting with the [subpacket type description](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-signature-subpacket-specifi) (based on the subpacket type ID). Note that bit 7 of the subpacket type ID signals if that subpacket is ["critical"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#section-5.2.3.7-10). + +```{note} +Critical here means: the receiver must be able to interpret the subpacket and is expected to fail, otherwise. Non-critical subpackets may be ignored by the receiver. +``` + +- [Signature creation time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#signature-creation-subpacket) (subpacket type 2, **critical**): `0x6516eaa6` (also see [Time Fields](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-time-fields)) +- [Key expiration time](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-expiration-subpacket) (subpacket type 9, **critical**): `0x05a48fbd` (defined as number of seconds after the key creation time) +- [Preferred symmetric ciphers for v1 SEIPD](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#preferred-v1-seipd) (type 11): `0x09 0x07`. (These values [correspond to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#symmetric-algos): *AES with 256-bit key* and *AES with 128-bit key*) +- [Preferred hash algorithms](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#preferred-hashes-subpacket) (subpacket type 21): `0x0a 0x08`. 
(These values [correspond to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-hash-algorithms): *SHA2-512* and *SHA2-256*) +- [Key flags](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-flags) (subpacket type 27, **critical**): `0x01`. (This value [corresponds](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-flags) to the *certifications* key flag) +- [Features](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#features-subpacket) (subpacket type 30): `0x01`. (This value [corresponds](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-features) to: *Symmetrically Encrypted Integrity Protected Data packet version 1*) +- [Issuer fingerprint](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#issuer-fingerprint-subpacket) (subpacket type 33): `aaa18cbb254685c58358320563fd37b67f3300f9fb0ec457378cd29f102698b3` (this is the fingerprint of the component key that issued the signature in this packet. Not that here, the value is the primary key fingerprint of the certificate we're looking at.) + +The next part of this packet contains "unhashed subpacket data": + +- `unhashed_area_len: 0x0000000a`: Length of the following unhashed subpacket data (value: 10 bytes). + +As above, the following subpacket data consists of sets of "subpacket length, subpacket type id, data." In this case, only subpacket follows: + +- [Issuer Key ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#issuer-keyid-subpacket) (subpacket type 16): `aaa18cbb254685c5` (this is the shortened version 6 *Key ID* of the fingerprint of this certificate's primary key) + +This concludes the unhashed subpacket data. 
+ +- `digest_prefix: 0x6747`: "The left 16 bits of the signed hash value" +- `salt_len, salt`: A random [salt value](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-advantages-of-salted-signat) (the size must be [matching for the hash algorithm](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#hash-algorithms-registry)) +- `ed25519_sig`: [Algorithm-specific](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-fields-for-ed2) representation of the signature (in this case: 64 bytes of Ed25519 signature) + +The signature is calculated over a hash. The hash, in this case, is calculated over the following data (for details, see [Computing Signatures](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-computing-signatures) in the RFC): + +- The signature's salt +- A serialized form of the primary key's public data +- A serialized form of this direct key signature packet (up to, but excluding the unhashed area) + + +(zoom_enc_subkey)= +## Encryption subkey + +Now we'll look at a subkey in Alice's certificate. An OpenPGP subkey, when it is linked to an OpenPGP certificate (via its primary key), consists of two elements: + +- a key packet that contains the component key itself, and +- a signature packet that links this component key to the primary key (and thus implicitly to the full OpenPGP certificate). + +In this section, we'll use the files that contain individual packets of Alice's certificate, which we split apart above. In this split representation of Alice's certificate, the encryption subkey happens to be stored in `alice.pub-4--PublicSubkey`, and the associated binding self-signature for the subkey in `alice.pub-5--Signature`. 
+ +````{note} +It's common to look at a packet dump for a full OpenPGP certificate, like this: + +```text +$ sq packet dump --hex alice.pub +``` + +That command shows the details for the full series of packets in an OpenPGP certificate (recall the list of [packets of Alice's certificate](split_alice)). Finding a particular packet in that list can take a bit of focus and practice though. + +In the following sections we're making it a bit easier for ourselves, and directly look at individual packets, from the files we created with `sq packet split`, above. +```` + +### Public-Subkey packet + +First, we'll look at the *Public-Subkey packet* that contains the component key data of this subkey: + +```text +$ sq packet dump --hex alice.pub-4--PublicSubkey +Public-Subkey Packet, new CTB, 2 header bytes + 42 bytes + Version: 6 + Creation time: 2023-09-29 15:17:58 UTC + Pk algo: X25519 + Pk size: 256 bits + Fingerprint: C0A58384A438E5A14F73712426A4D45DBAEEF4A39E6B30B09D5513F978ACCA94 + KeyID: C0A58384A438E5A1 + + 00000000 ce CTB + 00000001 2a length + 00000002 06 version + 00000003 65 16 ea a6 creation_time + 00000007 19 pk_algo + 00000008 00 00 00 20 public_len + 0000000c d1 ae 87 d7 x25519_public + 00000010 cc 42 af 99 34 c5 c2 5c ca fa b7 4a c8 43 fc 86 + 00000020 35 2a 46 01 f3 cc 00 f5 4a 09 3e 3f +``` + +Notice that the structure of this *Public-Subkey packet* is the same as the *Public-Key Packet* of the primary key, [above](public_key). Only the content of the two packets differs in some points: + +- The packet type ID (`CTB`) in this packet shows type 14 ([*Public-Subkey packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-subkey-packet-tag-14)). +- The `pk_algo` value is set to `0x19` (decimal 25), which [corresponds to](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms) X25519. 
Note that even though both the primary key and this subkey use a cryptographic mechanism based on Curve25519, this encryption key uses Curve 25519 in a different way (X25519 is a Diffie–Hellman function built out of Curve25519). +- Accordingly, the public part of the cryptographic key pair is labeled with the corresponding name: `x25519_public` (however, note that this difference only reflects the semantics of the field, which is implied by the value of `pk_algo`. The actual data consists of just 32 bytes of cryptographic key material, without any type information.) + +### Subkey binding signature + +The subkey packet above by itself is disconnected from the OpenPGP certificate that it is a part of. The link between the subkey and the full OpenPGP key is made with a cryptographic signature, which is issued by the OpenPGP key's primary key. + +The type of signature that is used for this is called a *subkey binding signature*, because it "binds" (as in "connects") the subkey to the rest of the key. + +```{admonition} VISUAL +:class: warning + +Add detailed packet diagram analogous to 4.6.1 +``` + +```{admonition} TODO +:class: warning + +david points out: "The information on metadata in binding signatures may also make sense in other contexts (direct key signature)?" + +Should this text go elsewhere? +- 4.2.3? +- ch 6? +``` +In addition to its core purpose of making the connection, this signature also contains additional metadata about the subkey. One reason why this metadata is in a binding signature (and not in the subkey packet) is that it may change over time. The subkey packet itself may not change over time. So metadata about the subkey that can change is stored in self-signatures: if the key holder wants to change some metadata (for example, the key's expiration time), they can issue a newer version of the same kind of signature. 
Receiving OpenPGP software will then understand that the newer self-signature supersedes the older signature, and that the metadata in the newer signature reflects the most current intent of the key holder. + +Note that this subkey binding signature packet is quite similar to the Direct Key Signature we discussed packet above. Both signatures perform the same function in terms of adding metadata to a component key. In particular, the hashed subpacket data contains many of the same pieces of metadata. + +```text +$ sq packet dump --hex alice.pub-5--Signature +Signature Packet, new CTB, 2 header bytes + 171 bytes + Version: 6 + Type: SubkeyBinding + Pk algo: Ed25519 + Hash algo: SHA512 + Hashed area: + Signature creation time: 2023-09-29 15:17:58 UTC (critical) + Key expiration time: P1095DT62781S (critical) + Key flags: EtEr (critical) + Issuer Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 + Unhashed area: + Issuer: AAA18CBB254685C5 + Digest prefix: 2289 + Level: 0 (signature over data) + + 00000000 c2 CTB + 00000001 ab length + 00000002 06 version + 00000003 18 type + 00000004 1b pk_algo + 00000005 0a hash_algo + 00000006 00 00 00 32 hashed_area_len + 0000000a 05 subpacket length + 0000000b 82 subpacket tag + 0000000c 65 16 ea a6 sig creation time + 00000010 05 subpacket length + 00000011 89 subpacket tag + 00000012 05 a4 8f bd key expiry time + 00000016 02 subpacket length + 00000017 9b subpacket tag + 00000018 0c key flags + 00000019 22 subpacket length + 0000001a 21 subpacket tag + 0000001b 06 version + 0000001c aa a1 8c bb issuer fp + 00000020 25 46 85 c5 83 58 32 05 63 fd 37 b6 7f 33 00 f9 + 00000030 fb 0e c4 57 37 8c d2 9f 10 26 98 b3 + 0000003c 00 00 00 0a unhashed_area_len + 00000040 09 subpacket length + 00000041 10 subpacket tag + 00000042 aa a1 8c bb 25 46 85 c5 issuer + 0000004a 22 digest_prefix1 + 0000004b 89 digest_prefix2 + 0000004c 20 salt_len + 0000004d 0b 0c 89 salt + 00000050 b5 ab 15 e3 7f e4 4d b9 a7 ef 71 48 14 
3b ab 26 + 00000060 5f 34 7f 6d 48 2e 9f 78 48 58 6d 9a fb + 0000006d 6d b2 db ed25519_sig + 00000070 2f 97 8e c8 12 fc 57 7f 85 aa d1 59 bc 80 40 0b + 00000080 be 2e f0 e1 23 2d bf 4b 71 7e d0 e4 c0 36 e4 d2 + 00000090 cf b2 9f b4 a8 4f 3e 2a 21 89 74 c2 33 55 af ac + 000000a0 41 36 1b 2b 60 09 f2 d9 19 f4 41 12 0b +``` + +We'll go over this packet dump in less detail, since its structure mirrors the *Direct Key Signature* (described above) very closely. + +The first difference is in the `type` field, showing that this signature is of type `0x18` ([Subkey Binding Signature](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-subkey-binding-signature-si)). + +The `pk_algo` of this signature is informed by the algorithm of the primary key (`0x1b`, corresponding to Ed25519). The signature in this packet is issued by the primary key, so by definition it uses the signing algorithm of the primary key (that is: the algorithm used to produce the cryptographic signature in this packet is entire independent of the `pk_algo` of the key material of this subkey itself, which uses the X25519 mechanism). + +As shown in the text at the top of this packet dump, the hashed subpacket data contains four pieces of information: + +- Signature creation time: `2023-09-29 15:17:58 UTC` (**critical**) +- Key expiration time: `P1095DT62781S` (**critical**) +- Key flags: `EtEr` (**critical**) (encryption for communication, encryption for storage) +- Issuer Fingerprint: `AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3` + +The remainder of the packet has the same content as the *Direct Key Signature* above: +- A 16 bit digest prefix +- A salt value +- The cryptographic signature itself + +The signature is calculated over a hash. 
The hash, in this case, is calculated over the following data (for details, see [Computing Signatures](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-computing-signatures) in the RFC): + +- The signature's salt +- A serialized form of the primary key's public data +- A serialized form of the subkey's public data +- A serialized form of this subkey binding signature packet (up to, but excluding the unhashed area) + +## Signing subkey + +```{admonition} TODO +:class: warning + +write +``` + +```text +$ sq packet dump --hex alice.pub-6--PublicSubkey +Public-Subkey Packet, new CTB, 2 header bytes + 42 bytes + Version: 6 + Creation time: 2023-09-29 15:17:58 UTC + Pk algo: Ed25519 + Pk size: 256 bits + Fingerprint: D07B24EC91A14DD240AC2D53E6C8A9E054949A41222EA738576ED19CAEA3DC99 + KeyID: D07B24EC91A14DD2 + + 00000000 ce CTB + 00000001 2a length + 00000002 06 version + 00000003 65 16 ea a6 creation_time + 00000007 1b pk_algo + 00000008 00 00 00 20 public_len + 0000000c 33 8c d4 f5 ed25519_public + 00000010 1a 73 39 ef ce d6 0f 21 8d a0 58 a2 3c 3d 44 a8 + 00000020 59 e9 13 1f 12 9c 6f 19 d0 3d 40 a0 +``` + +```text +$ sq packet dump --hex alice.pub-7--Signature +Signature Packet, new CTB, 3 header bytes + 325 bytes + Version: 6 + Type: SubkeyBinding + Pk algo: Ed25519 + Hash algo: SHA512 + Hashed area: + Signature creation time: 2023-09-29 15:17:58 UTC (critical) + Key expiration time: P1095DT62781S (critical) + Key flags: S (critical) + Embedded signature: (critical) + Signature Packet + Version: 6 + Type: PrimaryKeyBinding + Pk algo: Ed25519 + Hash algo: SHA512 + Hashed area: + Signature creation time: 2023-09-29 15:17:58 UTC (critical) + Issuer Fingerprint: D07B24EC91A14DD240AC2D53E6C8A9E054949A41222EA738576ED19CAEA3DC99 + Digest prefix: 5365 + Level: 0 (signature over data) + + Issuer Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 + Unhashed area: + Issuer: AAA18CBB254685C5 + Digest prefix: 841C + Level: 0 
(signature over data) + + 00000000 c2 CTB + 00000001 c0 85 length + 00000003 06 version + 00000004 18 type + 00000005 1b pk_algo + 00000006 0a hash_algo + 00000007 00 00 00 cc hashed_area_len + 0000000b 05 subpacket length + 0000000c 82 subpacket tag + 0000000d 65 16 ea sig creation time + 00000010 a6 + 00000011 05 subpacket length + 00000012 89 subpacket tag + 00000013 05 a4 8f bd key expiry time + 00000017 02 subpacket length + 00000018 9b subpacket tag + 00000019 02 key flags + 0000001a 99 subpacket length + 0000001b a0 subpacket tag + 0000001c 06 19 1b 0a embedded sig + 00000020 00 00 00 29 05 82 65 16 ea a6 22 21 06 d0 7b 24 + 00000030 ec 91 a1 4d d2 40 ac 2d 53 e6 c8 a9 e0 54 94 9a + 00000040 41 22 2e a7 38 57 6e d1 9c ae a3 dc 99 00 00 00 + 00000050 00 53 65 20 42 03 ad 0c db fc b5 9a 98 a6 15 27 + 00000060 e4 11 5e f5 f2 a0 3d bc ed 8d 94 27 41 09 f6 3c + 00000070 4b f8 8a e5 af 73 e1 7d 54 07 40 3f f3 29 34 c2 + 00000080 e7 60 56 a5 e1 43 cb 08 ba 66 fe 8b 26 ce e7 cb + 00000090 a5 3a 46 bb a5 c8 5d e4 6a de ae 49 e1 3e 07 bf + 000000a0 c4 9e 98 14 2f 3e c5 f7 01 3e 3e 4f f6 18 2a ac + 000000b0 bd ed 52 0c + 000000b4 22 subpacket length + 000000b5 21 subpacket tag + 000000b6 06 version + 000000b7 aa a1 8c bb 25 46 85 c5 83 issuer fp + 000000c0 58 32 05 63 fd 37 b6 7f 33 00 f9 fb 0e c4 57 37 + 000000d0 8c d2 9f 10 26 98 b3 + 000000d7 00 00 00 0a unhashed_area_len + 000000db 09 subpacket length + 000000dc 10 subpacket tag + 000000dd aa a1 8c issuer + 000000e0 bb 25 46 85 c5 + 000000e5 84 digest_prefix1 + 000000e6 1c digest_prefix2 + 000000e7 20 salt_len + 000000e8 23 3d b2 49 f3 02 4b 08 salt + 000000f0 93 af ba 08 89 f0 e0 91 0f ab 22 26 aa b3 56 57 + 00000100 30 ea 95 29 06 60 6f 00 + 00000108 be 44 a1 95 38 a9 6b 3a ed25519_sig + 00000110 3e 51 f0 55 09 b1 e2 91 a9 17 86 fa f5 1e 3f d0 + 00000120 28 46 3c ce 6e 88 14 37 32 ec 3d fa c6 01 ca e5 + 00000130 a9 4b b7 63 94 c3 0d 92 ab dc fa 23 50 71 60 31 + 00000140 a6 73 c8 33 5a 9c d9 0a +``` + 
+(zooming_in_user_id)= +## Adding an identity component + +Now we'll look at an identity that is associated with Alice's certificate. + +User IDs are a mechanism for connecting [identities](identity_components) with an OpenPGP certificate. Traditionally, User IDs contain a string that combines a name and an email address. + +Like [above](zoom_enc_subkey), to look at the internal packet structure of this identity and its connection the OpenPGP certificate, we'll inspect the two individual packets that constitute the identity component, the [User ID packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-id-packet-tag-13), in the file `alice.pub-2--UserID`, and the certifying self-signature a [Positive certification of a User ID and Public-Key packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-positive-certification-of-a) in `alice.pub-3--Signature` (these packets are an excerpt of Alice's full OpenPGP private key). + +### User ID packet + +First, let's look at the User ID packet, which encodes an identity that Alice has connected to her OpenPGP certificate: + +```text +$ sq packet dump --hex alice.pub-2--UserID +User ID Packet, new CTB, 2 header bytes + 19 bytes + Value: + + 00000000 cd CTB + 00000001 13 length + 00000002 3c 61 6c 69 63 65 40 65 78 61 6d 70 6c 65 value + 00000010 2e 6f 72 67 3e +``` + +- `CTB: 0xcd`: The Packet type ID for this packet. Bits 7 and 6 show that the packet is in “OpenPGP packet format” (as opposed to in “Legacy packet format”). The remaining 6 bits encode the type ID’s value: “13.” This is the value for a [User ID packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-id-packet-tag-13). +- `length: 0x13`: The remaining length of this packet (here: 19 bytes). +- `value`: 19 bytes of data that contain UTF-8 encoded text. The value corresponds to the string ``. 
With this identity component, Alice states that she uses (and has control of) this email address. Note that the email address is enclosed in `<` and `>` characters, following [RFC 2822](https://www.rfc-editor.org/rfc/rfc2822) conventions. + +So, a User ID packet is really just a string, marked as a User ID by the packet type id. + +### Linking the User ID with a certification self-signature + +As above, when [linking a subkey](zoom_enc_subkey) to the OpenPGP certificate, a self-signature is used to connect this new component to the certificate. + +To bind identities to a certificate with a self-signature, one of the signature types `0x10` - `0x13` can be used. Here, the signature type `0x13` (*positive certification*) is used. + +```text +$ sq packet dump --hex alice.pub-3--Signature +Signature Packet, new CTB, 2 header bytes + 185 bytes + Version: 6 + Type: PositiveCertification + Pk algo: Ed25519 + Hash algo: SHA512 + Hashed area: + Signature creation time: 2023-09-29 15:17:58 UTC (critical) + Key expiration time: P1095DT62781S (critical) + Symmetric algo preferences: AES256, AES128 + Hash preferences: SHA512, SHA256 + Primary User ID: true (critical) + Key flags: C (critical) + Features: MDC + Issuer Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 + Unhashed area: + Issuer: AAA18CBB254685C5 + Digest prefix: DBB8 + Level: 0 (signature over data) + + 00000000 c2 CTB + 00000001 b9 length + 00000002 06 version + 00000003 13 type + 00000004 1b pk_algo + 00000005 0a hash_algo + 00000006 00 00 00 40 hashed_area_len + 0000000a 05 subpacket length + 0000000b 82 subpacket tag + 0000000c 65 16 ea a6 sig creation time + 00000010 05 subpacket length + 00000011 89 subpacket tag + 00000012 05 a4 8f bd key expiry time + 00000016 03 subpacket length + 00000017 0b subpacket tag + 00000018 09 07 pref sym algos + 0000001a 03 subpacket length + 0000001b 15 subpacket tag + 0000001c 0a 08 pref hash algos + 0000001e 02 subpacket length + 0000001f 99 
subpacket tag + 00000020 01 primary user id + 00000021 02 subpacket length + 00000022 9b subpacket tag + 00000023 01 key flags + 00000024 02 subpacket length + 00000025 1e subpacket tag + 00000026 01 features + 00000027 22 subpacket length + 00000028 21 subpacket tag + 00000029 06 version + 0000002a aa a1 8c bb 25 46 issuer fp + 00000030 85 c5 83 58 32 05 63 fd 37 b6 7f 33 00 f9 fb 0e + 00000040 c4 57 37 8c d2 9f 10 26 98 b3 + 0000004a 00 00 00 0a unhashed_area_len + 0000004e 09 subpacket length + 0000004f 10 subpacket tag + 00000050 aa a1 8c bb 25 46 85 c5 issuer + 00000058 db digest_prefix1 + 00000059 b8 digest_prefix2 + 0000005a 20 salt_len + 0000005b 8a 2d 6f da 67 salt + 00000060 35 bc 5d 04 77 b4 9d 67 a8 6e c5 d6 88 53 5f e2 + 00000070 ef f9 66 08 bf c2 e0 db c0 56 0d + 0000007b eb d4 2c a5 19 ed25519_sig + 00000080 01 0f ba 26 d0 82 a2 cf 5c eb 7a a9 72 d9 f3 b2 + 00000090 66 07 8b b2 ba 3d b7 89 e4 76 04 6e 35 24 2b 27 + 000000a0 29 83 be 91 9c 78 6a cc b4 d5 69 47 76 2c 29 d6 + 000000b0 54 bf 43 19 04 ff 53 98 c0 d5 0b +``` + + +We'll go over this packet dump in less detail, since its structure closely mirrors the [Direct Key Signature](zooming_in_dks) discussed above. + +We're again looking at a Signature packet. Its `type` is `0x13` ([corresponding](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-signature-types) to a *positive certification* signature). + +The public key algorithm and hash function used for this signature are Ed25519 and SHA512. 
+ +As shown in the text at the top of this packet dump, the hashed subpacket data contains the following metadata: + +- Signature creation time: `2023-09-29 15:17:58 UTC` (**critical**) +- Key expiration time: `P1095DT62781S` (**critical**) +- Symmetric algo preferences: `AES256, AES128` +- Hash preferences: `SHA512, SHA256` +- Primary User ID: `true` (**critical**) +- Key flags: `C` (**critical**) +- Features: `MDC` +- Issuer Fingerprint: `AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3` + +This is a combination of metadata about the User ID itself (including defining this User ID as the *primary User ID* of this certificate), algorithm preferences that are associated with this identity, and settings that apply to the primary key. + +````{note} +For historical reasons, the self-signature that binds the primary User ID to the certificate also contains subpackets that apply not to the User ID, but to the primary key itself. + +Setting key expiration time and key flags on the primary User ID self-signature is one mechanism to configure the primary key. + +The interaction between metadata on direct key signatures and User ID binding self-signatures [is subtle](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-notes-on-self-signatures), and there are changes between version 6 and version 4. + + +```{admonition} TODO +:class: warning + +- link to a section that goes into more depth about "#name-notes-on-self-signatures"? +``` + +```` + +Followed, again, by the (informational) unhashed subpacket area. + +And finally, a salt value for the signature and the signature itself. + +The signature is calculated over a hash. 
The hash, in this case, is calculated over the following data (for details, see [Computing Signatures](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-computing-signatures) in the RFC): + +- The signature's salt +- A serialized form of the primary key's public data +- A serialized form of the User ID +- A serialized form of this self-signature packet (up to, but excluding the unhashed area) + +## Certifications (Third Party Signatures) + +## Revocations diff --git a/book/source/18-zoom_private_keys.md b/book/source/18-zoom_private_keys.md new file mode 100644 index 0000000..f8eadab --- /dev/null +++ b/book/source/18-zoom_private_keys.md 
@@ -0,0 +1,187 @@ +# Zooming in: Packet structure of private key material + +## A look at Alice's (unencrypted) private key packets + +Let's take a look at the key material packets of [Alice's key](alice_priv). + +To inspect the internal structure of Alice's key, we run the Sequoia-PGP tool `sq` (using the `packet dump` subcommand). The output of `sq` is one big block of text. To discuss the relevant content, we'll only show the output for the packets that contain key data, here: + +```text +$ sq packet dump --hex alice.priv +``` + +### Primary Secret-Key packet + +The output starts with the (primary) [Secret-Key packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-packet-formats): + +```text +Secret-Key Packet, new CTB, 2 header bytes + 75 bytes + Version: 6 + Creation time: 2023-09-29 15:17:58 UTC + Pk algo: Ed25519 + Pk size: 256 bits + Fingerprint: AAA18CBB254685C58358320563FD37B67F3300F9FB0EC457378CD29F102698B3 + KeyID: AAA18CBB254685C5 + + Secret Key: + + Unencrypted + + 00000000 c5 CTB + 00000001 4b length + 00000002 06 version + 00000003 65 16 ea a6 creation_time + 00000007 1b pk_algo + 00000008 00 00 00 20 public_len + 0000000c 53 24 e9 43 ed25519_public + 00000010 af ab 15 f7 6e d5 b5 12 98 79 69 cd 1b 5d 10 65 + 00000020 eb e7 42 e2 ab 47 f4 86 b3 ae 65 3e + 0000002c 00 s2k_usage + 0000002d ef e1 99 ed25519_secret + 00000030 b5 5f 11 fb aa 93 e8 26 9d 3b b2 2d 72 20 7d ff + 00000040 bd 42 dd 4b e9 a3 36 81 3b a5 cc cf fb +``` + +The Secret-Key packet consists in large part of the actual cryptographic key data. Notice that its content is almost entirely the same as the Public-Key packet [seen in the previous chapter](public_key). Let's look at the packet field by field: + +- `CTB: 0xc5`[^CTB]: The [packet type ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers) for this packet. The binary representation of the value `0xc5` is `11000101`. 
Bits 7 and 6 show that the packet is in *OpenPGP packet format* (as opposed to in *Legacy packet format*). The remaining 6 bits encode the type ID's value: "5". This is the value for a Secret-Key packet, as shown in the list of [packet type IDs](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-tags). +- `length: 0x4b`: The remaining length of this packet. + +[^CTB]: Sequoia uses the term CTB (Cipher Type Byte) to refer to the RFC's [packet type ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-headers). In previous versions, the RFC called this field "Packet Tag". + +The packet type id defines the semantics of the remaining data in the packet. We're looking at a Secret-Key packet, which is a kind of [Key Material Packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-key-material-packets). + +- `version: 0x06`: The key material is in version 6 format + +This means that the next part of the packet follows the structure of [Version 6 Public Keys](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-version-6-public-keys) + +- `creation_time: 0x6516eaa6`: "The time that the key was created" (also see [Time Fields](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-time-fields)) +- `pk_algo: 0x1b`: "The public-key algorithm ID of this key" (decimal value 27, see the list of [Public-Key Algorithms](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-public-key-algorithms)) +- `public_len: 0x00000020`: "Octet count for the following public key material" (in this case, the length of the following `ed25519_public` field) +- `ed25519_public`: [Algorithm-specific representation](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ed2) of the public key material (the format is based on the value of `pk_algo`), in this case 32 bytes of 
Ed25519 public key + +This concludes the Public Key section of the packet. The remaining data follows the [Secret-Key packet format](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-packet-formats): + +- `s2k_usage: 0x00`: The [*S2K usage* value](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-encryption-s2k-u) of `0x00` specifies that the secret-key data is not encrypted +- `ed25519_secret`: [Algorithm-specific representation](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ed2) of the secret key data (the format is based on the value of `pk_algo`). Because the private key material in this packet is not encrypted, this field + +```{tip} + +The overall structure of OpenPGP packets is described in the [Packet Syntax](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-packet-syntax) chapter of the RFC. +``` + +Note that the *Secret-Key packet* contains both the private and the public part of the key. 
+ +### Secret-Subkey packet + +Further down in the "packet dump" of Alice's key, we see the encryption subkey, which we already inspected in its Public-Subkey packet format, [above](zoom_enc_subkey): + +```text +Secret-Subkey Packet, new CTB, 2 header bytes + 75 bytes + Version: 6 + Creation time: 2023-09-29 15:17:58 UTC + Pk algo: X25519 + Pk size: 256 bits + Fingerprint: C0A58384A438E5A14F73712426A4D45DBAEEF4A39E6B30B09D5513F978ACCA94 + KeyID: C0A58384A438E5A1 + + Secret Key: + + Unencrypted + + 00000000 c7 CTB + 00000001 4b length + 00000002 06 version + 00000003 65 16 ea a6 creation_time + 00000007 19 pk_algo + 00000008 00 00 00 20 public_len + 0000000c d1 ae 87 d7 x25519_public + 00000010 cc 42 af 99 34 c5 c2 5c ca fa b7 4a c8 43 fc 86 + 00000020 35 2a 46 01 f3 cc 00 f5 4a 09 3e 3f + 0000002c 00 s2k_usage + 0000002d 28 7d cd x25519_secret + 00000030 da 26 16 37 8d ea 24 c7 ce e7 70 c7 9b e5 6f 0a + 00000040 c9 77 fb bd 23 41 73 c9 57 5a bf 7c 4c +``` + +Again, this packet consists of the same content as its Public-Subkey equivalent, followed by two additional fields: + +- The "S2K usage" field, which indicated whether the private key material is encrypted. Like Alice's primary key (above), this subkey is not encrypted. +- The private key material: in this case, the algorithm-specific private key data consists of 32 bytes of `x25519_secret` data. + +As with the public key material, the difference between the format of this subkey packet and the private key packet is minimal: Only the packet type ID differs. + +## Bob's (encrypted) private key material + +Now we look at the primary key material packet of [Bob's key](bob_priv), which uses passphrase protection. 
+ +```text +Secret-Key Packet, new CTB, 2 header bytes + 134 bytes + Version: 6 + Creation time: 2023-10-13 14:29:00 UTC + Pk algo: Ed25519 + Pk size: 256 bits + Fingerprint: BB289FB7A68DBFA8C384CCCDE2058E02D9C6CD2F3C7C56AE7FB53D971170BA83 + KeyID: BB289FB7A68DBFA8 + + Secret Key: + + Encrypted + S2K: Argon2id with t: 1, p: 4, m: 2^21, salt: 3B7F4B0EAC8B39625AB4D4BD690413C7 Sym. algo: AES-256 + + 00000000 c5 CTB + 00000001 86 length + 00000002 06 version + 00000003 65 29 54 2c creation_time + 00000007 1b pk_algo + 00000008 00 00 00 20 public_len + 0000000c 47 e7 c2 dc ed25519_public + 00000010 58 8e cb fd f2 49 90 66 ae aa 36 66 ca a9 55 2d + 00000020 71 88 7c 25 91 c3 75 73 1d 07 60 d6 + 0000002c fe s2k_usage + 0000002d 16 parameters_len + 0000002e 09 sym_algo + 0000002f 14 s2k_len + 00000030 04 s2k_type + 00000031 3b 7f 4b 0e ac 8b 39 62 5a b4 d4 bd 69 04 13 argon2_salt + 00000040 c7 + 00000041 01 argon2_t + 00000042 04 argon2_p + 00000043 15 argon2_m + 00000044 21 ff be fc f1 c5 9c 75 9d 1f d1 f8 encrypted_mpis + 00000050 19 e7 fd 47 55 e3 69 ff 2f e8 52 48 66 03 d3 37 + 00000060 52 7b 05 cb fa b1 f8 13 f7 f6 20 88 d6 f5 8b c4 + 00000070 b4 51 52 ba 6d f9 7c 1a ee 9f e6 b1 fb 63 d1 ca + 00000080 4a 3f 33 d9 2c c9 26 46 +``` + +The first portion of Bob's Secret-Key packet has the same structure as Alice's, but beginning at the `s2k_usage`, we see different data. The format of this data is described in [Secret-Key Packet Formats](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-packet-formats). + +- `s2k_usage: 0xfe`: [S2K usage](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-encryption-s2k-u) is set to `AEAD`, here (decimal value 253). +- `parameters_len: 0x16` (decimal value: 22): "Cumulative length of all the following conditionally included string-to-key parameter fields." 
+- `sym_algo: 0x9`: [Symmetric-Key Algorithm](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-symmetric-key-algorithms) specifies that AES 256 is used as the AEAD algorithm +- `s2k_len: 0x14` (decimal value 20): "[..] count of the size of the one field following this octet" + +The next set of data is the "string-to-key (S2K) specifier." Its format depends on the type. + +- `s2k_type: 0x04` [String-to-Key (S2K) Specifier Type](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-string-to-key-s2k-specifier-), set to *Argon2* here. + +The next fields are [specific to Argon2](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-argon2): + +- `argon2_salt`: "16-octet salt value" +- `argon2_t`: "number of passes t" +- `argon2_p`: "degree of parallelism p" +- `argon2_m`: "the exponent of the memory size" + +```{admonition} TODO +:class: warning + +Where is that IV: + +["If string-to-key usage octet was 253 (AEAD), an initialization vector (IV) of size specified by the AEAD algorithm (see Section 5.13.2), which is used as the nonce for the AEAD algorithm"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#section-5.5.3-3.4.2.5) + +Is the example key wrong?! +``` + + +"Plain or encrypted multiprecision integers comprising the secret key data. This is algorithm-specific and described in Section 5.5.5. If the string-to-key usage octet is 253 (AEAD), then an AEAD authentication tag is at the end of that data." \ No newline at end of file diff --git a/book/source/19-zoom_signatures.md b/book/source/19-zoom_signatures.md new file mode 100644 index 0000000..4de3db3 --- /dev/null +++ b/book/source/19-zoom_signatures.md @@ -0,0 +1 @@ +# Zooming in: Packet structure of data signatures diff --git a/book/source/20-zoom_encyption.md b/book/source/20-zoom_encyption.md new file mode 100644 index 0000000..afb9ae9 --- /dev/null +++ b/book/source/20-zoom_encyption.md 
@@ -0,0 +1 @@ +# Zooming in: Packet structure of encrypted data diff --git a/book/source/17-resources.md b/book/source/21-resources.md similarity index 100% rename from book/source/17-resources.md rename to book/source/21-resources.md diff --git a/book/source/18-glossary.md b/book/source/22-glossary.md similarity index 100% rename from book/source/18-glossary.md rename to book/source/22-glossary.md diff --git a/book/source/19-acknowledgements.md b/book/source/23-acknowledgements.md similarity index 100% rename from book/source/19-acknowledgements.md rename to book/source/23-acknowledgements.md From 7873c72f970729bda9313d799184149fe10b6924 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Fri, 13 Oct 2023 17:08:04 +0200 Subject: [PATCH 41/56] annex a: add a key for bob, with Argon2 protected Secret-Key packets --- book/source/a-artifacts.md | 47 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/book/source/a-artifacts.md b/book/source/a-artifacts.md index ff7e458..18df134 100644 --- a/book/source/a-artifacts.md +++ b/book/source/a-artifacts.md 
@@ -39,4 +39,51 @@ HLb8jRg6WGcr+XPuQbgdalxjFetO9EbZjOuYl3Jok/zObOgK7bCEoVEs9/UHR/K+ FcsHp6K860qG87pDlk2saQIwzXPmQcQvLokbeQMB =DfxN -----END PGP PRIVATE KEY BLOCK----- +``` + +## Bob's OpenPGP key + +Bob uses passphrase-protected secret key packets. His passphrase is `password`: + +```text +-----BEGIN PGP PRIVATE KEY BLOCK----- +Comment: BB28 9FB7 A68D BFA8 C384 CCCD E205 8E02 D9C6 CD2F 3C7C 56AE 7FB5 3D97 1170 BA83 +Comment: Bob Baker + +xYYGZSlULBsAAAAgR+fC3FiOy/3ySZBmrqo2ZsqpVS1xiHwlkcN1cx0HYNb+FgkU +BDt/Sw6sizliWrTUvWkEE8cBBBUh/7788cWcdZ0f0fgZ5/1HVeNp/y/oUkhmA9M3 +UnsFy/qx+BP39iCI1vWLxLRRUrpt+Xwa7p/msftj0cpKPzPZLMkmRsK2Bh8bCgAA +AD0FgmUpVCwFiQWkj70DCwkHAxUKCAKbAQIeASIhBrson7emjb+ow4TMzeIFjgLZ +xs0vPHxWrn+1PZcRcLqDAAAACgkQuyift6aNv6hmsCBGbcyDxHuoq4DTmpzhwxCo +Pq37LydspnltmjW6ZlSTLOc7dt+MiSxAUIqH9i0CQVV9cyQfc0Gi7YzjnvQ9RxcZ +raou5c0b126fZ6Rt2vzLHICGw3v7dpCAnR0Y2lUvaAXNG0JvYiBCYWtlciA8Ym9i +QGV4YW1wbGUub3JnPsK5BhMbCgAAAEAFgmUpVCwFiQWkj70DCwkHAxUKCAKZAQKb +AQIeASIhBrson7emjb+ow4TMzeIFjgLZxs0vPHxWrn+1PZcRcLqDAAAACgkQuyif +t6aNv6h76CB+0O5ke9ijamCxuAz9FHaMDN+l+mQrTYFTLCpGpkWIta+yHy3YdGog +5o5KzDQPrSART32y2dRKQci/49rafLDEqHfPzhEPwwcKWjJxpEpA+AUR+r0WuAh0 +dRzT5vjPJwLHhgZlKVQsGQAAACAx8dR3SX4a2pudy0Fkzz8IkVhI+iIICfcKe8FC +HBUOFP4WCRQEw0VAyFbfmLAChDiHM714gQEEFcXLCpUyt+CPel5FO0wVibtGYRHr +pFEH/iCz7VYAup7lgerjiqTWdla37S+cAra9XduruJUZ3XS+L4bhYZTiCe2Jn8Fd +wqsGGBsKAAAAMgWCZSlULAWJBaSPvQKbDCIhBrson7emjb+ow4TMzeIFjgLZxs0v +PHxWrn+1PZcRcLqDAAAACgkQuyift6aNv6ggfiDu7s2cKnNx1vn17XV99XFo+DVe +Z/MQBOIbZ7bQz2ufS4PIjnC62/oybvC+GeNcnD8kOYfwtxPtl6DQdbpHYyqgNO21 +RMq9oNvei4tKmh7gg6jXGrmWKT6yOIPZyqpQUg/HhgZlKVQsGwAAACAGelHxA+Uz +4M73R7YTo7Xjg3KKoLmc/BYWA/QZ3noQNP4WCRQEG4OjK8N9PVQioBCJ848J8QEE +FRjFFaC6UN5LB6wyCqvozRo/e069dUiwlnYssBNPINsXQiBPcxmoSbyxVRF7LR9G +BZy9/bVQw9ZyPKtbvBQEQKy4m1qvwsCFBhgbCgAAAMwFgmUpVCwFiQWkj70CmwKZ +oAYZGwoAAAApBYJlKVQsIiEGLJuY+NkqRYws6tuzQ2Bff3TWsiqA7IzIPzpNxQjJ ++pUAAAAA6LUg9nuvXbKHUCoGMAdiVV/ttYcO583925/m/T3nC/CNNShitGiBRNAp 
+HnGyQKVkROyzYznyA9jCF+Ck1jeOCb5nQ7PwxHxRuP4ZG0uRN23pQh4eM2F7V/2F +iOkRF9lAM0AEIiEGuyift6aNv6jDhMzN4gWOAtnGzS88fFauf7U9lxFwuoMAAAAK +CRC7KJ+3po2/qBhPIIPtGEG7TzgO0gXQjhlx9hNBdKxAzScMwRT7oAT3RZrG5hGH +oyvf2n86URceCnfYSwZSOij7CfD0ZJgDmNmvJ5//yx7I7M4YCCheAd5er3/eaF6O +VJt3Ui/pv5VuXLTRC8eGBmUpVCwbAAAAIFnzWg9EBmVGFMUClhrtT5DNdCf+A4OQ +90WbiTHnseuR/hYJFAT5Ylewq+lINPw46gwA5Z6eAQQViAjElYeZobbZ+D001l/M +QvHaiEbEIXadwP3bbjoM43rFoP+p8cNYYECYAL8sx34uIxeixwrL6aOZ8j6Y1zbP +C8jTYNrCqwYYGwoAAAAyBYJlKVQsBYkFpI+9ApsgIiEGuyift6aNv6jDhMzN4gWO +AtnGzS88fFauf7U9lxFwuoMAAAAKCRC7KJ+3po2/qLHdID+av7QZ75Fq4v9YVHpc +wVXtKDX+MOKJM4xz7RvBWErH2xWyqikNZQVuzz/WqOVH/nT+BcqmLWAe3yjrTE4B +hSfrR38Nk23E4Bu4HobVrg7rlMU6SKHRWKeX/iSUmr6GDA== +=UZBq +-----END PGP PRIVATE KEY BLOCK----- ``` \ No newline at end of file From a40a2654f42abf497c59201296def81cd02d8ef3 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Mon, 16 Oct 2023 15:25:24 +0200 Subject: [PATCH 42/56] a: Add link anchor for bob's key --- book/source/a-artifacts.md | 1 + 1 file changed, 1 insertion(+) diff --git a/book/source/a-artifacts.md b/book/source/a-artifacts.md index 18df134..914a1d4 100644 --- a/book/source/a-artifacts.md +++ b/book/source/a-artifacts.md @@ -41,6 +41,7 @@ FcsHp6K860qG87pDlk2saQIwzXPmQcQvLokbeQMB -----END PGP PRIVATE KEY BLOCK----- ``` +(bob_priv)= ## Bob's OpenPGP key Bob uses passphrase-protected secret key packets. His passphrase is `password`: From 5525be4c5ec63f43e6658603f03c9d4f4f5c9749 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Tue, 17 Oct 2023 15:54:26 +0200 Subject: [PATCH 43/56] update certificate diagram --- book/source/diag/OpenPGP_Certificate.png | Bin 116656 -> 113045 bytes book/source/diag/OpenPGP_Certificate.svg | 581 +++++++++++++---------- 2 files changed, 335 insertions(+), 246 deletions(-) 
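Review bot: In the hunk that adds "## Adding an identity component", the intro says the two packets "are an excerpt of Alice's full OpenPGP private key", yet the files being dumped are `alice.pub-2--UserID` and `alice.pub-3--Signature`; say "certificate" there so the text matches the files the reader is told to inspect. The same sentence has "its connection the OpenPGP certificate", which is missing "to". As shown here, the `Value:` line of the User ID dump and the string in the `value` bullet are both empty, although the 19 value bytes decode to `<alice@example.org>`; check that the angle-bracketed address survives rendering. The links mix crypto-refresh-10 and crypto-refresh-11 (the self-signature note and the "Computing Signatures" reference use -11, the rest -10), so pick one draft. The `TODO` admonition nested inside the `note` block should be resolved or moved to an issue before this lands.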
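Review bot: In 18-zoom_private_keys.md, the `s2k_usage: 0xfe` bullet for Bob's key describes the value as "AEAD ... (decimal value 253)", but 0xfe is 254, and the dump header lists only "Sym. algo: AES-256" with no AEAD mode. In the linked S2K usage table 253 is AEAD and 254 is CFB, so this bullet, the `sym_algo` bullet ("AES 256 is used as the AEAD algorithm") and the closing quote about an AEAD authentication tag describe a different protection mode than the bytes shown. That mismatch is likely what the "Where is that IV ... Is the example key wrong?!" TODO runs into, since it quotes the rule for usage octet 253. Suggest describing the packet as usage 254 and checking the 68 bytes labelled `encrypted_mpis` (offsets 0x44 to 0x87) against that layout before merging. Separately, the `ed25519_secret` bullet for Alice's packet ends mid-sentence at "is not encrypted, this field".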
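Review bot: The new file is named `20-zoom_encyption.md` ("encyption", missing the "r") while its heading reads "Packet structure of encrypted data"; rename it to `20-zoom_encryption.md` in this patch, before other chapters start cross-referencing the misspelled path. This file and `19-zoom_signatures.md` are heading-only stubs, so consider a short placeholder admonition like the `TODO` blocks used elsewhere in the series, so the built book does not show empty chapters.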
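Review bot: In patch 41/56, the `## Bob's OpenPGP key` heading is added to a-artifacts.md without a `(bob_priv)=` label, although 18-zoom_private_keys.md already links to `[Bob's key](bob_priv)`; the label only arrives in the follow-up patch 42/56, so squash that one-line change into this commit to avoid a dangling reference partway through the series. The intro sentence could also name the protection the subject line promises (Argon2) and state plainly that the key and its passphrase `password` are published test material for the book. The hunk still ends with "\ No newline at end of file".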
diff --git a/book/source/diag/OpenPGP_Certificate.png b/book/source/diag/OpenPGP_Certificate.png index a6288ba4e5171c1abbbdcceacbb456da8e152cd0..94fa47ad47f2818b195b364f05aad41d799eacb1 100644 GIT binary patch literal 113045
z)LGsa!RB<@4ZHK5txIecV(I!mZoGx@-QC?XiEL4@4**;D`rOVK-n!>>y#64)!aiR{ zMb?9IyIgQW)VOZGbZ*!=P;9=%VWELl{mTzb;vGu|_%^dA82~A&A!^sdjuK8!v5Z!? z&ZjzqGhphlAISE-u5Y0r&qP)VuS^HpE3_XCCu&sD9pd6LPlSSpm#99pA3hP42yF-R z7EsVXr>26TU}w^+l>)s8Y`O-9ODM9|qb1LT*liX$R++Vse082y77kqu8mJX&9H-Gm zMMb?XS8}-OzBIrL%a)div#k(Yvx#p^Fglfz=IjxOiC(}a47Z@^VzK!;1Oy*To6Pr1 z%(~gc!%|*DCr=CFZ#cSLwCg^@S+N~>G^265>W11AY75$VagdR@kEeO-pAN zE3QV_drXi<10qY2nmP`90!JDq;p?k9M;a{^_Q-R14{8=&A3_@DzpzQ$HF4C2;eRE#rN{=fw#32kVa}apf%JfGbBW3ACyk@#vQuy?H=Q-q?4qt6X zzX{r#$Qgrp+73=Zc*rbHV`z1PZJVCF$_gfu_qqc8KF>brT@v8j86X~mS{349SV2cR z^+{+0dXr$Fbs=HB8?=5EdKd690E0#9W6C+$Sm{B12VO6<{4qo;$RsLodwo`KPkqxR zZ6f7h8NVQO+@AR~t?SI=u^eADnek4T0D4yY8LoYhLcksi<6tsF3E5KtTs43xqoBB$ zINMc&5Wc=3807guYUCKk2r5E%+(dkorOSq@km;rx{P;sBs3uhD)H95NoQtc(1N(A^ zWD*YfAp)2#mRX|yW#L?%NhN`1oz)9S?CFa!Jm)`JsVDbdIVFm+=g=$aLduW@Zwkn- z1h27+>rWrJA_$RL?@<(4Qn6hnH%)+q3)DNOL$~G2kNM*1QxJ&1CP7=yd7myq6wbrK z$+?jK>FT_}Td1LN_Yv8nAOPOlgYjEl`h2)8o5b;5dy;KZE7b7dY#4%j!8b8oi9B=| zbU2t>*W#0szRu4HjYO?>`;{9W0RF`Mg^$>XhwOi%vRC9JbDot>Ao_l4Yi z)AUfl9ti;z$`!en(rb6nT}gtA)5vN5?yLq!MH%|9q`npdA9rwJVVG_+`jCv?-q1Lf zvT~G66gS}Fiuw3(&SW>5LT>58=B`(^L*7^TCBcHOY%%BmJ2n0lER*ZwNJD!y4NSE2hOUEB&(fOK<*p3~sRINi1UrfhI< zBv6eEvb}scaK!sig-!~OIa>$wz|}%bSTVnn;-YcK&3jK$YR&`daUT;u#jwJrJge?9}l1Wqn)v|r8>>N7w?x{>y?|nE%IVz08-)KZI`u08bX$HVzEUU)_@pf z^{^3-IQnCNS5}?zC+TapT63xKp@D(HUs8<>`M`#!NO?&^4p1>A<&`fEx^c%4<(~i( zzQd83?YuL0|BL0}Y!j2-(Ty+I#=eg0KiHp(qOt|jTRu;P4zm7$3Pz8snBEoIdj=L- z5CC%6Ogt_Ag)7n^`rRL-D07Cu`ALEjCye+ij{7AL3$POpm%GO?Fg88)#YXB@+T8oV zu>lJzVwwc$93Xb?%MA3z-hGY~yetZ2(V!Vp|112KohepM1xBCK{yUT)kB~%)V0LNm zayucG(R%^nB>4i;mwki(`;A-Yj=M`sxDPNeK!pnW#>Lfti4u{h&*onI-@o^~$}-r< zaCMs&DAqCE`|=31WQtV|dHjJg&}u}Q`+$~aJy$93Iqb=lf`Xq!<;Tw-iv$uxK0yj@ z+#oqD5DYjl$Iq2C7<-ZQDJRHw_EXQnTlGIg+rS{(7$^hTYs3jN1BEa4#{Vq^#r{6( z)*6^k@g`u%$k6{}r{?Q^d0o!_GtTMP`P)fH{Cf8fn%3!=q9X~0DLhXn7YZsS6TY&R=0b%=YWq#Aag6fva zo9DE?E{@3Cqg$_1nfQ>5ApV0Hv-)jBIf6fJkHzCx>%{ww|MZgLhZ-#&idSsBGN)b} 
zC)~bF2T?E-AHgFzg9m`LX*auufMV1hkXCSHWauQRIhf7gv!u^&z*K#(kNE|8Z;Suv z7r#|W<_?ZfXX@uj;NV~xdg(|^WQ3^1OH1zicW9c+qED$;pdfu_2c0jP^HrqxAr*#3X8PRPIV&L0BCzb2uF>T>Bb4l zI(GXL4jq1M5>{HdkdmNQ1y>e;q)*R*4j;@lcR_L2bEib&)imc3gVyskM@UjDq zB>U2mLE!^&2nfl~Bsb&hN;8ZYYdp;cdho_fKZqvEijUpqsDVTC7_FyIC$-EP5t%rW2gEu!A$c(V*d;Y*A9NM$Xrt#zuB) z0_439PD5#9bOJhG(NBnCo{X7FuMrbE^&hW*q@S#_rcOJ#3cM+G9vfC9wI=a$TC#bA z^Yjjm!5y5L*{nCx=~)$iu@R4*gX?i;f-NC61{Isb_rWcZr>~#wB+c$dP@?xTVNYRO zr6Th-_?%64X8U(`2O18qLqq3MFJNlzrvNPS1sLZYOSSP~9XD0*Atdk8XlQ9IpV!^hqY_a-yYtzDf{yi*3A$;1V0Y}! zisp^wsfXk(Bb#?!4ZGgo#U||#Wi~GqgC;*jAIgzR=t%^aTk|2-1e+W{ORzDVua~-c zx;__^=CyuyOCs7E$z)v)=upWM`s9b;zOCLinr~@EOzdx`g@7F$QW5%p)w0v-4Ul%} zDy6dZqw6)h_qf3&Vvvrexj9M|aQVr+`8J-a}H!*D81;RG{>~PO+M;@&BPpSMGErWYlByT3md8ysH$C z*`{~(VLp$m5qa<9K?-nIE@XDl-knUEfaofdRTEIKk{cRQz%{nb-41voE2}yNLFS=E zLVkSCSA;KXgzh`p8g{N8bJ!@PLHOv83R4SQ!9hls( zI7X_sI+!}JVR)b0?HvJbXGFGc%G9o7#9ckI|9kfIf3-9wV__;a?PxVV?&ZBX7}My! z`KWBF*h{f~!8@tjiFePwB`Z3MT%D@~C5IVl46q+oiR6-62 z%%Inw!;pGr&Z{np0b=l3B-g(W+MTKvOFT^2+_UC0Fh~W>@w?HPlr`LZtR~AWWP)fdmp=xHrz1il z)*v3e;xaqNE}^!ydi#x>6m*YXZ9S0?h>obm%golMXT*|J0Ng9m^Bn@XM#J8+_J{i|FZR*4FZybGscRf(ibO z)$>C_LI-jRQBi)o*k=1ksjMEt9@r-;Dk>9L-BYK|mGYu5Td<;g+lql0yoHBmHk}<) zR^Y<=79vV};LSAyZbVB<>yA)YxMN{@dJ5nH?{|KQ#gs_^3kC*w7|TgXWo!!*=?8(S zmCH(f{k)}LmJ_r5_5LDCv?@LGy;mwKcs4}?kj)UiL@l?!G}yeP(s7H6fB;zIH!D5( zk-_t`#fi*P3Qqri$H4lZY|ng7NZ9Bk8&L0@dYCj(V@}`EA-*+PN<_LnxVgkRYss|6 zto1?9)ynwL5KL7WAN8itnvdvff9UfoLCD%jNFeWSU+v$z@Y%bpMeBZsl zd)cfoG2yFx+h3^KZwM>5KUKTQ1rDhH%~9lkyr^%wdkZ%Kl&b;>Czd zC7UXp>T3z=%S$fG<@l{#ri)lB^ zlu=;{Y7EvK_?_n`){>2RKC|yi@@v?gnd?6pv)S;)yOhyt+WY~7OW2hMGovDDbfvW2 z6}oI`_CEgJDtwZRjEs~xs1P4E)8H6@mb&t3E2S6GJ?{M+dgU3go72(c696L^Oeg+c z6PneeNvju_^j7J(K8_|^nVkfU9RZ}dXlltxOH*(%K18>-=kKYvhfIW?+PLJ{is7Nr(-aFp)fptP3Mm`B;*3?L~MZwz>wgZ6v&*p8J{mMkr|1NK^)2*d6 zzb7KKw$7Fz%tUxa^{y05*YL=XBLtyl`d#L#ykfOi7GsI*C_tlQQNMgw4-59kgFfKm zYuU4jK_qKWb#Bzx}&7ar5z)iF3K* zYPgVq+jB#}RsGF0<=)*f=P)HqII>o@y4TtYbJ7td7q%zYlf|!0>^b$VtbCL5(cy*> 
zy|iP13uvF238h!}bctp!S1q)NiD0X0_(~g9YI*8qF23Wk4OG37kwZl+;ngeb+P8FLYL)0dl?}RIvD)@$RQ@>&(#wS;c667QmwkU zwSo1Z8T1>E8SODQz2%`>LuHoZ>l!4WNIUgvogkc}?LVT1^#shWhs)-Kjo0hf9ZkesKL*QGEn!j> zK`Pk_5vvt8*heANA_5i(3oMmSbEQ5c&vV5b#;=f(}kR3oRAK%=sr(@BURRA_1AB@)%6PRv-g+PUo+g zM)EVbY@zo4feyg{_DP8E)E_z=S;1BBlWj+o=c2BXOs@5C}5Uu-&Vgwh0fc zVy)6$5X;`m)h$GWOuYMLw|@bI65uJx$LlezR@h9yYyj45JP?{d-hh#wZC3DTzOuBn zE6u5{mZs+K?YJ~3F~KCyj2#)Z+uz+C30|>AR@A+GtLfULp`n~)LHBStIsT33`viS( zdXfZ;`{HWimEWfQ6_qJu?;G630#|E3|IPnASliN@vHc~bRjVLDgK8SN(eE3yn~haO z+Ko}b=5I(XzW^>J50C#K3@`&ii&S8QgJx>(x*4S0ib0AWn9*opHVulD_Q zGYc%U8mlHH`d#DNbW*-G#7bo~^TT5{M^;+=dM~A;4wSw?riJR^ygH-8g&3)8QB<{V>LZ6>oM}hz*DkK`E(lA(x4}PX+BI_-EpUeEaXS=iBfnw5eQIV19N=;yU28&*&p6I=doSci>r?ela z)>q2jzNr6dVQ|n9)#;#9jW%y8ui7KAHQSOQr*l?nSNR{&T8?jI5!t2tNzO$0m=1drJg2A+|Dp1+Iq*%IEc7bXtao_4*nhy=2y$(it6sAiqS+y zU6_+|DK7k@xcEjc!kU7DLMqP9dFxwVUS3b@MbgkR%r(!+VGHL9n;aT?l{L5dd}6fi zjxz4?ge)W{RzBoG;hmbY-CDEPjl@|N(rftE;JL;`(IN8`jEmQvZoiwXEmumB2#>)Z zEhH@WCzJ0_zPd1M`p^M0oV&k(Th#%IHz9X~_=*%hjj`U>zxT0JKabl-(&K@Ml-%0d zI!2J=!@oWrlY!KT*U!@p15P;1M^T6^EmQeDd%*rt3%vUw!A*aKfU#Nk=xrtOdoM9Axbv5$%h*-44J&DH^xj*7oh{mLN|2$M{(r{s~LW~Ij?asNqT zrK97cT&-Fh$g%0@@4xFQAOLMgUm1RWEiB+h`6`_=FV^~W$SqHIR*S8+>JEjbZMVi% zrdM<^2ZlMA$i|bNUK#>qjQb&*sm?Q?rB%H2VAsz=?>m$$Fo=&3gca#9?+}ksDIQ=6 zjY=m0Xr2;ad}z{Gp@$&~|IcJi8~h_q)3B+(%p@Kw6t^y3L=ekcb9a7h;+9!2%GNOG|%kocib=G`A~%t^?vOf4l^`j&GEFFEcYP1 zo%rKNm;dO-z~GosTf}!d=ZQR(qPK)h7#=%=-?r+GcP-AXXcVfMNgFNN3%Cv-$TcJ` zrQY_4NVX+uFh}pQioe&`$f(r1lNAi%(?#!R+O(W?89=-P&?BON2r*P{^Zdxpkkv>! 
zF5|Uut>vQ8zkiEsC)%zqNHT^p*wyCHn%_}z8IOejo6Qc29d z!2*{O1DEe%V6L|#T+{vlFJ;nci+U+v9QhKgGG-3rBvr1qz~r9OfN1q98#c7_+!dUQ zwQoDhn;n=0j9<%!-*R6MC3bYsSf0;jDxe>Yke&v?&<)NbO8k3MYAw5|XwGM^?!$xd zfvPix%bsF1PemnZIMa^$$B*y{6v{4}q=MN6UoHN1!>xN0-^1utcIA>5*W{CGbcR>2 zjCF%a_ynOf_AD()^a@+(x~`k}OLv`|_`$8hKc-+y?hYFoS}?}+^XJCz-p>d3zOsLL zJ~+JMc7NI;prpZ-N#kX#sF4bOZY*KBdhLxJy>wbbWotHX_x=gpc!e^r`er7I?vXaR+P&xeRXEjH4@cXY z!ZGUSa^DKU9+~BplCF#OCz?VkswbG}Fs!|$2-_8=?%k6Ya5y9TY*)-+)5J(+2mN+d zL<8UF$^Fx&1)w7GdhU4-Wp0kv8$aVApS030<9Gqh$OCDXhT>IPE@bh|6A9YPXlV_Y$n)#eG8^sC8FSxXLX__CUEhH6VeR0c@F=_nlJbTs?IqzB zAg~>(ax(*y{4`v=$l@)X@5V>>u$#{Z(GVN&5^JqJcJDqoB>I*4>^aLor%qdlthC|c zsO-TRrZ-iQq59b(Q`fls_j~19yj5?8$)sbqTMKy_cPwOS9^SoOyx-X?rvoOhFiGV_ z$|iC~X>gUe?C68c=i@}9Vr+zpV!fD}%q~(}z|-U6lp|;>Bg?3r!?9&!IKB(GihLJ?yTV*>QK;$sC~)Y#_O;M+AGxw(1TsBbu?+v)ME1}}?9_q1Zq zwU?U&i8RSTq|=M}-ROO$I5PEe#GTN#UX@R9U_Ry+$91v}n{zzxtD= zylQ`vBDNq@9c}Mw?%G%E7FKCB94D<=X$MlR+RI6F0B(T&_YKk@T6m18Z$^GC+X=|^ zeNkP*--(+W0nCs3qYJH-ukhsFc|htl$LIOc!eWef@Gf5SkTkNkbJ#kn=Tsoe_Vhw7ou*;q0PMp(=k;#dEL7ma9qU4H`&!( z&GEWDzFpk(vbYha*yvk_LdPhHsI9jB=VJcR4j&BUgzE}Igab?Xxd^+bD~W?gSW?*K zfWCow%g&64Jl8V$!>`42d|(BVu<~{Ome>3SA{;LQ=9TMHjFIV{z}R7`1*JBx!}3q4 z-fGn*{M2=j7olLA`(q-WwY;K&kd=AowFN%@GMstIEutZICml8@P#LHS^_DW)=*fD$cGDmFkvLUpb#GFst!ouNb zH7KA$+UwBD(#RKv%?Ji{q28HHjnOUuCi60i9zm(&*z0VSTgK2~qXL&Lzqb?%#m~^7 z67?<)Q1|S{#?ZL4P9~C-gU0S-AzBXun1Li%* zIZM3wn~TQH&3%7!E?(Y%irKLl*Yf;quv{MPqeY?fBjWa&gJ`f9`VS(sQaqEB=(czw z7~jF#(93Ruhqf+>7ke?ecWM{s z?u!>oEaB9For>|$3w8htaqp4RSjNr$X=^pz%ntm528(ZfKw$tJ*Gnmu1=%-<3j2qT zAb;HZ*RS(e7So|ZJ_Vr8_!<;niM!AF7{-aUix#AF?W|`&x-c#Hos>F;Be&kUh};3F zexyKtx8@;ytzR$>^#%sQ3N*^R;Mbsr1n@oq=bvAcJNbZcKwP{TtHaXITjaVrHjHL1 z!_{gxE`GNt1sARlVTaHziivdxle*9Jicp08Txw6I{a8TOB|os)U>DwvL(W_-ZdVZa zidw7boFPyW=ZkVzUNoKbsXpbaG1)#becE>Ym3aHomvzu#DvHbA>ps==>Cw1A7l9GB{tzl&H1OmL_aygg? 
zR66M4-$E^es|?K@YF1LFSN)gQZ(rdt={EcWX1jgZKsQ|vVsr#Y9?# zyHQV4JDks)dz0?Rhcx{$kAwwIY>`ab+;$6T9OG_q%8q~BU;~Y;gXPTb7;hB0|2|?m zmdgTn*tmB=D7e})5^j?Hi1V4K~IXeJcN|PZG^X_B2xiu zdittWEFyTuzob#9xop2OXVQJa$d2A26ZCLTAQ$ORdil@Vq^G82ub-zZp zZq1|l4Ch-@MQ};UBLD+{A%OWASmSw1ikCy2u2&SQMQ1eV2p~D3whPcFdB_RI(uSkN zdqrAD3$X5mP$lTXQa{nU0$K&=%xF`d6Yv^Z)GBSU5z{kYQ!b=V(rz1mvzh{ACv{Lg zLjhg3Eto`P{_?%|7jlKcVYKgWh2Y0>wQ?z<8;a-2pS}eTG%Dbj+uK1Z5*=NXO0hzr z1SLfG!7eyO_#Aot3_P!KhenT)zOz((4qmsrJa?+3@t zn}T3qrH~T}+;b}ybfk;XEJJyVxeo67;cx2?o43c7!h8N8Z z4BW0i1cTyis5fb+igcCne$;d<*&31X{0WZdzi%?|)xEKb^O3de%ga&dKWcX8`Gb7| z=HZMX<#3N^U+1a$xu0D`{xW#%&(aotOf7fq--*aKs;UGvT32l!@93hW+bxY5q?VTC zjE@(BcVL%}{0;0#svzQlB58Wi%!)qSv%>)R9c4z{x zd(?MDBf0;V%y6`gciWpObfoA0M_-&5{M3{~f5x^5hxg-eZCsBH%f&J5Qe=Jpr!Rek z9YMAfcJJP`L`S24Km~TRZ{VNb%-6;%bM4(cOb~n=N*jJ@T=s=y&#Iw*?roM-TWdh{ z;OM9_mbvrQKXlBRTQKpnKNA4D3_J*WD`VKdBr%?$p}AK?21>;S=5){;Vjq^cP~vRl zzo0V8c3`Vw9zT(D21Tz(NU~JZtmjagI$n?kj1msuUhIjvK&t3NLfpHpC?*g&9@f!|4bW5}v}Cm^=-x zWf#x**fCYP5jk*;I(Oq$V+-ATaU4YpCW%!zu#wpMZCP%hp{0zZDcpyDBy(>ylM^ z;~VW;x9vonoLBH*Cz2@^CZu$D_yWK){FmCnN_2>-B5nTTf!p38zRP-T&9vd@3<>+}>B(x-5AyM&06 z=GoZ?*{pfKILY0m2CL!OD36ZkqOzfs{ramZo4cvdiZQ4+`a_OlXxzaKI1##%ug`;` zdgpj=;sS96Tq#-HyPV9Fx?i(Eu;1d&lYF35SF`FCz=49=hrtTi&{M~bz!njQV_QQ4 z`#5-0`fBj%sFRwyc-7UK#)mk|1p7}z7#RTrJ9+-(Hr$jJ}3riPB9 z`=k)Fv20B>mC+Zb%`JMLZ~&xhAD^H~b}?vqz4`fEbDk zd=+ew`=lMf8~59O9~VU|r7f4+Qsrd9okutqDm zvhwxO`k2w1WP!PLdouFmUjQ+2IWFJ=X9X&onNo2VbY`B6RG$5&|m`-q4mm&5fC(Y_53OQRU0B3JA&Fe;4|Tz}JcJq}Muu;7&YpW66>9MVIL zq2Dhzoxueh-?T!rLE}lI=|sZ%Xx@^k!nUN~-7a1T5$(#W*id$}ya~|svncZ0x_q$B zGD2k9arJTC>*2F6__a?{NxReOJ=`wtB1>JUwaHMZcB-fvS8de)`QzCZ&Xw8ZkHK?C zn_tM+Q6eJu%|-$}itl!6eeCU-m`LYvwVX@oAM?B$5RjSYPU|viA(kznJlKCP+J;WQ zHzYFOhKlAh7j=lu?zY8Yx&7aBV_gY?p@j0Ll!*r94bNh=LVa90*bN$pUi$ddoPF%e zh7x`U8sd3~06953lW!jW(%5jFV!0K!y39NM0Wyei_hYUauKx^{yfQU4Ex0zuVl(b< zZ~P!Wt(7=8DES)G$NP~1)x2YWGGii-JnTi`@C9(3evwMr@Ze1O#v$>AYGuWGwR}W5 zee>l!27`8^f0IbC!JhX7O#H{20%GDkJee^h><$#F?v`>ODMc;CfV>b)CLj(#|456aj<J(O^mQ;FpHrt!P(gv@W)XCQ+*5V 
zSF*{){e;hG4#0x(rX+sP!pK?~uQL%;a~5eLb~*m z2*py6UtyKUxtkV+JQa;x3y-Ml?4H0kMv^;sZ<$({WxbAHm#@DK$o~o~2RQK=y>lCD zvDfp<4|2qWjaA9siYli5iMKNwbF@uu49D^cd-S!vUA`egn5<~G#qRjx-SSJVG!>7< zWeb#|EzMac*)3@VI%1Rxz0rKm_fg9o)1E|AbA#S>M1XQvTku7|>p6#i5LFJ0fmsl9 z!cY1>SeJ#3T?7I#-Hl635CR_$>OSR#Iw$d1kz8BER3uF>H1M9sgnm^>Wt0@GRZ`Vt zuz)3WOKQm-L8QZ$P1E~e2@{>IVfoR;{IgJtTPRCdI7L%s3W-pu4HS658j$ev2A?~1@!WRgTP4(huv7Dp%ZMW zmz|{*qd<-z-_hky%T^EFZ<K=d{frMOAt?Sj^#?Bt6Te4Bb8toSoOsbZYxU^WyJxYCTqHo{YqHd&$OW!N^E2S|z zrVW2cX3rn{C`X(P3K+0pJUmP10jTr+gg-l^BgCg;IOL9A4n6c{4T&ga%3Xf(?BU(g z*dq(k2j{0h;$j6QMD8T2yhIFz%6F;P;`m50u6PoU)3s*6fIf($ZB3KlXk5r4U-EWV zm0aowdzOw$x3wmRz3-hs;)ezE@oThDw(ui*Fs9b3ck@BekK2L-4^%sD`!ZaSbS}^> z-@$l526E!>K#Tq--={5ox5?>IH(=hNClicX9Lp$77ycv_m}SIn3j|1j;lR>ek#-zf zB*v}Ty@r7Axv1rY5|1uGg>@cRF!Bb$SP-!n3Lx;m<>j=036zmyCpC7|56Jn77|P1% zy^3`mj8I%XW;Qm&YDqYqdk4ZcLxI-ua(h8%>Xl6%@)Y`mH+XZj}{bB zFyAD4mD3G=NV^TLvgs-HTdoAq@mNmR_d*O<)$s{qV~NfoIXSi~_=2H^ zqaCrImJTJwKh&{5!R59qpRPc&>6O!o+rIc7mb7gXSw7cnCHSlJ?k^OW^tt4YF2$|NRrwde9J| zF9&QM$7G}Ia*l;fC12=hz|aDPYeXX8zy>4}c+fVsbS(hsd^#;z)HGNDakTRu1wKiN zQ;EJ-&9ZQoRMumY8?X^n?)x6-pC;DF5C;_jxq~r$S*1H$`&_3;j@ka~*aqOi&o5;CJVPH7uJ#T}WKprb4 zqV(w%y-M-o4kADD@}kU?o`2j5SleRU?$<9th^YT>Bvyi02V`6S{{8#jr#{=)(eZw7 z2+@Jq_q02o>ueEyCKbyP4-We9p7t7TgG|eosCL)@e@xa~%vavYq1%;0CB3anj7Qsai2qx(;1Mn&~v{EV1X$O6x4UKl3274abdtjmz6Nblf8@vWMU!~FQOF27VM zo)Sw=x>mI0CHh-T;3bG81O-jNa__&DWRH0W0=PKr-ue6Y@9xE^U01Z7r#WWwwGiZ8 z+`W50O)=WCs}#0ogd8r_8Xpn)-4zuTrwiv+k;Ng2ywadLyF5Sq z1K!d=l#6|3PX$((%44v;hXK`NB=>T=-vNkiB^4z`Q+<38n?U03&PS(wm?7Iwc1X%8 zMM#!XSa>N| zZ(l|mpivW4UR+VXllmItmRL{q8eI0%jpqcvisrOsiNC--L$2kP|93F}#_N9W7&=$M z^^F1C0-@aqz|wF@4~cbRG_L+Y^rnKxpP)sQ~my90XH5GK(ef?Y_Y6*_W@);#oQpb z`981`GBV1jscTR~ccbzgaK$T?w>G-VZEF&MBn|cwzkoneYRM>}hhhvtS|=}`634=y zKfEh8CNvKoWU_Fu2~&lG{^<|umec9M7yULg-Dnprq!J~ecfBir7sxJVMHcPa)3^_}zB`rR*Z`HSxwxET6BOG;9u2r(kR^#WG2 zjUn)BqEmb;i4W7cXE<9AhV}XNe+B!EUw!zV^FNcf7{7vteL`I$@ILLva^CW92dE#y z!e~L_i|iDfv9PX9aGC?AbIi(XFxvUld=6PD5<5xP>5l!^?&T~H$QD$Cg-`FOb*|MUsIRY(RCvU% 
zdLO$i+O}$EvL$9uabR?`d2sM1tY(v%{6I4vs`4^^@Vq|+IqTL7@;C7K(}9IqKw}aa zG+Cf!RMR9d9IBSr4T|Z(`X>YL6GwuQ$CVL>v{esyOfn=3QgWZ;D)bnw@WPL}IEU+W zgt?V+E;^|vue3l21LV)eLVI4mF4&0dH@Bm}Uf7Z*O`#3qQWg1w_Ls|Bcuq1NA zC-bU|!UwD+!sgRM{eAX7Ge8bN7YZmvn8;U>q%tLy9gNw_+?ih7PsgYi8>^2WSCb7P z$|TKQoPP^XxlKhS?ffIpQ<~3)^yBpvG9laASa0QSm0xCMD#+d1oGuF)D~zL`F>3q- zeI*cHoE^4Kr$Z%Pj1;S`7~m{63=R&aCb+6sSl{-d`=4OtR%_pozZZ5q>rXw01bZov z?w0g_mz9236sp+K@l~j;?J+w$-d-3vp|-ZRq3w!yiu!OHXh&5|*<-@On*9dx)M~AR zC)@6Oz1cN=b~_W=g`CH%ud_n;qDiTdxfGFNoUZ>uCDZ|}o1Gnx0b4xaC6=3oHSrYA zu_p=CIvT9{v2>M!5bPHbSvKR^lo-Z!plU^9z zvC6OWl<5XfF_hcWA&GOKZ08M_?=TLOz?H6lj(P_V?~Ziz+MjS9ihCh1o962B{u14S z$-HgH^RU@`TL^4}u-v5JG2HT_v;q>-iT}O(m@3YRVPU9+K1hSmK1XI|`j+uC0Kd2- z{Yt+pa02qg#nqFbkGlHujmv5EE+bhF6cn|8W6+0ol!Y^s8`ExYk*c=Pyyh z_&2*;fQ_5qIo?oyfBF4?Z}VY}9_Y7#T0|>f|5p^Xrd>c*uCpuQ1I-|_H2=B8rJFCxX%8b5ex)D#sxaG>T5vx1e)CAEhwodmFU5d>HX1*A?M#q(m`TWAeX1Evj-+^_$(;N9gX zlnM-5y%27{Wq;5aokXIGby0sn^Fko*3H-w5rav4nln@mLB}^@iIB#@yb!i#VZ#8EN zHvW-Qaj<=>xnZanefi}N1L`8Xz0i3uqq^Bscq0lCdvxTuoUy0&+GOD_gkSPfYb8)t}_l82V4|Bm*qd4e_>}dP$Yw z7TiZpSn@V|hdSj6Jp~Mg6SCMF3Nx*1&x0l4tzs{klXdM0IR0*4Hk?PM`-wFY^7w>y zi80HO-}x_ zx)7^~u!Ik`n|kseAyWWBss2v&qd<*wob&o(+V1|jhW67sB#mN^@6N_ZMqB_M88C=O zA4UB`{Rra_8(YmK^X;9_|2ZTyN$r+dS8!XHD;Y{a=-R7Cb+zcXP_%rS5ewXwmX>d5 z!_W}>D}B)(Kes+R))pz6=vd4#32L{uFQ-+{V8(B2Q+rCBo_}eo=6(;ZWA>X`DUpx* zxFzD9UqwX2!)S-qia&(?mf9NgxkI*16oLi+$5W6o8u-Qcn18pm8J%sk3!IF+N5gUK zbCzD-tspKCaQ5xK60E1wXJa*-#!>X_`ri#Q1smg$Pxi|zZAYf^nH1c~e#lCw4`(!? 
z6-J&n#momW|-|p8st@RYUlN4=*J5`7A z|NJjqlc})}`km)_I7(PN?#;3NA>5cMB5qf|tn$qb_R) z+l+$ve2qllr5Bw}|Hnf6$o2dOES}y_gqduz0c{>kkx_eI5E?fjV{QWb6^QM>XJ&$c zrEXOa9hDRe;H3X!+Q9hyfUXjl#9%Clo{>wsR{A|~yV1UzNJDBk6$ zWa2_^dTmxvZ1C};6tE6%KtHt{*Nxxe%C^z6P5kV6yyrw{Ou0-<~ z^|4{YjSixJb{%Q0gBn3I4LX!SGKvq|Rm6H1E$C=tv@i(D^*>507zf$M04w+c0BYzZ z|EX4!_=gWKsM@HM3N`N8l_ASs9o2Y*XJotxYL|#APmgdH|DW;?l_9=37Xu1NWD)tZ z5Mj_2D&?(y52`pKK7Zh`8=5WKk~6>NHPN)2cZ_p)sk!B0X=&*$(3pT}M6~fvwB5QL z$td1Q`?$0;L#21!%$`xZQAk9@w{62E5)8C}pOs&a*5^G zFX*dxkB(Yq8(#qFC;|bk{_d*0pM*AQ2{uxcYfJXIsE83{8(E*$6vXC+qEYuJF+ZVT zEUa!K)^q^IA-n;KPTM?Azl{cu`a$S3hLz!n7v1; z#bND6n)}vUNfHaj_hBk*!lUtrhCI=Xx_ZBt*5Dux47?8slj*=tFp`PSp~$jRzd%X^ zlkf-vb781zoP39USqol4vSU%sV{89;ll|ps&=DA(gVoKH3FyHV+XLmIn6yd*VU-0k z3TULBv9aN)5*S026ac+9LoW?DtUK-k6&c22O2*d@h&72p{PaCC(=e&M)_lhU)GV1Q zI&Fhqk&*bfc6SF2+N9&MRE(3xKQZtsqay_3t88H0rE`ix{ZoY<=uHidYO!zML02p) zAP!h|MK~A4?KW(*4?Hq}mU!WBbF}wutj?b!|gZ}H-ShmtL0YT#x0C-)H0UE z1?p}#`?il@L>95*1LFB%s*v_Fw;J9MyS05~V2t_<%ehvKowmUwK-(Qc z!qW@_5#@CvA|h)}QMo&J(DN^~AHUT2+I)E~S7?Ud4N-^UINM77oW{5>slT;bb#-b3 zN2AIt7}WUxvlw93On^GTYQB97N|5o;*Fh6=(}Q#JhS)l57EmTW`}ZXB%i{7N0^R&Sr~mt_Pv2&yy~EJvRT)0ygt|wDmNoY;Na^ z6qNyl(t#MDKUM75P$n-T*2M|?+I_Iu?(qXbe4Gf z9h9&LaspXKUQ zV1kS+y-nJvb=@9Rb5F4XHg|l0Ux`ws9d2DxgCVW3tSrH)Ir52ZBhTR>MEosYw06Un ze11&+0(9M;P#@rV7BA7SglDpBY3Ip(BJLlN-T3nVt~Y1wofOB3f9+ZQsHJ~0U8t5? 
zjq~(AIqOq{)%VO#Sw9k^wY9xIS=eTsPF&FVGDP7+_c(idHlueZq&(WUazNqld!FQ# z1?P_5-rnzr%MB~_D}0#}W?PP}y`K3YyKLfQ z#a-un2CnHQ?tTn^8&#SBD1~07w z%3iVSz@R|?Y0FFn@d?&U*q7W$0S4D+s*~QqVk@S&*QTh5L6~)3nJ(RWqoENuW+TDP z4Y9-p_6dOAY^^Bfs+E602M0L8XX9iVjF_q%IEROaC-u7I+uwNSPbFKfQwU47;J<)7 zP^d?QojKei+We<#m~FPce{GwJpoU8YN<&omjaPjB@H!bwE}oc@zET?pE~jh({oAed zh}E2m{%+yjtE-z}b^@m( zrasRPns;X%%?F@Q-x~k;@sDnH|4>e9z~fyIMDF*F>&j<+q6N6hP$D`_E0$Fw`JLWV zVuVFIggoQ`udO1%?3Uc`u_)La{0V+Zj46c<7X1c@A#@NlJp?chz5&yTG(u2_zJ1qj zvPJy#F`$;7gDb;i@65~}fKef=LuIGNUV>KqPft&vgN0^zY-}ey05?(j1mMMhiprIB z{S@hftgeE4;GHsJG6_qp$@dhO8j31J&B<^kWpk`EJflU3$l!1}xysdImr67al5SUqbc zm`)G)tfcCFt&cExoE(Z;jU%_e!C|-PCOhIYSY%<&2v&{pb<~f-!V2c9(M2&_*GCJ( zcdh`1BDvmp1w~n@NK1T!Q?;R<3)qPeR8XK%chj7n9`+JBM<+9`IH3^{J-_JIZPM(86V$eWV>SiDC9Q~`3OBjyt-9>o`Vf9 z{BgQ82oi;(7<7H4sM0S*E#|7X(7%VszM%>ai%5`?+vUT>T*dxmkAyoYX1O;`u12Ai zw^&&-ZD2qGAgz=6IZ4JmBE1aXxq*q_sYrqlcCxfP(;AQRm<$ z{Uh$K=$De+n*ljh&4bNJ+!cw{E?c!@#~`9kfpttsQR0Dn)8gVH@W`l^nuUePco~@I zUUR_R2i&DU5J%D3;dF4|_upM1%bnIxM_4$dtWD5}0djNa>VmhIs1iuMc4#yjWSL#**N%@*F7^-9-;n9;e5s?wwJg@k8YIoP8 zh+}avsSl%Z*!Qn&Z;Yv^ID0tRq4tVkAoU0zACeW>u~vEqKZvs}1Dz7_jA%k7Q z_Vx!EdSA{^Y_4iOv|}<(DR>scs4<_k{dkg}3t7qJV1n}Iy`0y1B9EuIIfXx17{e;5 z%W)3267mpn#CzHZ1l_>oSCQbf3qILTSxs($@id*vIg*U?YfTLyd4+{?!QyT7xy1{g z?oZo?C1c2|`7i@WAwFoD^K51MFGa0C>^WrBx3mWj!-taiYj&&4uY(5aRvnUT9!@h5 zLEz%yNkYcNsX-q@F2U5nqj|9jME6OI*K^wRYC}wlbTxR_vYqb;OhWm zd+RWowi zZhfKAK>(xqYenAvOD0gF_Nnt0EV@=qT=(a|6#J_XFtIf4ERn;f7* zJ%6>?y6f!p_64;}QuElDZ^&dhYW*~G{vb3-=TPSnskSzBn5jp_`mF>tKfc`Y=qr79 z@VCjF-dvS2)8Lx}RHQh_W)?f=_1KR99-UlW6dt@hynrAqHOJj8@oV^s7nip?N6p6x zIgCckk=j)@SO)|z!>_hx9hv7Y!9jGd!7e(9uXedJJe+mY%aC9Erb^%(f@*3%7`0TNuLOZ}lplM*y6Zdt&%7__X;7 zAxDG?A51(!J=l)3gP2d+k~*~{8833R+dot{72t4`-IVyNZ>slQB2paE^=#~2SvCum z=+xoJo~d*2SX{>}PE#<18VLqFIglmGs3QYeraD~e*4qim>P;?$=Z+SJ&C^_erzTje zn)SWCcN+FU12n6lQp_dO?Mk? 
zVnSI=C!bA-f2i%NP9PG00Sl_qI5m?;Y3Ne50a5weTp+ z>3llHVM}8bf8fhrX+r(aN9paR7LLeziR_T6#TD{j-GK<9D;I(g??gOagxYmmYV+%L;RuvCO-N+P z5b5R|FEbB}8!zoXE3OwXzU2c|Exd`i9c~;Od*p|KU;Q_wf8F>A{~4c2la_C+cjil0 zP{0_^B^?~N4C*Cuuwcg{C6)g4=@o!8U{(Mh#0$t7D#Zgu7Q|SilI4!q&!Fo%kj7?# zml^t6@|g-8YjUr@ke9j(9**bTrvpFyHG zphPz?Jlxvc{J<)ic)D9g6To&6S=r)_hQCnlq%QTS`h{E6c&~9_G|4y*3}UaTeEtn5 zj8TKf@hk>t0I=PA3#B(*2`;!p;?h$63Iw!)laZMkK0`z$t_28!GY@HWq*@Cf?hI8qxTdm zTCMawBdo_@@P(v1n+`I%Ci|&qu*UFxKqfXZlzBr;LT1?$EBfEEhcc#+u8~<9p$4Ob zOw10c05Ch(&csD?t8##c2zg)Mx-H2xZW>yG$XkRee2>BP_nS9z%&@IQ75Z0)W4Q*d zm0Q!jhN?JVcIw^a`QHsVuLilto~Sy)Qx5)S!Mqjt2kE)WtHK*#TQOW(Q|{inepFrK zI<&TU3@hCqnJQ(58xIQGAr!#Q&Yy{RjG@2Eu?=X%xRf8Ak9i*t+;5$!*^s^Ncag+% zG~*ggu@NTFn&I^)k;9MFq5{i5u?;qRJ7fkVPq}fWB$sckeh;s9)ApOj`=VCS_v1x6*0`GuCPv1XT1*Ly;;`ed84GnMk?tzeC!yuUf`i(5yjA< z*_ZntG}Kb3SJX+o?rq*RO^8#E$q7@VfqdPr$UcSq%!{>n4l7_C_xyZ@Myn`cw+%il z`d4X&)y_^5p5G)Q{bS2Khq?QbE-|?5wr_nqHofkB{0{Q!IIPYko2G!Wc0w8)NAqR|bu;6ch&m>I5* z4@b~IX1Hi<>YuT(JJEOgo~~{vmS&`n;Qcfh=l@_rb??6 z17To7@bm+`rJ$n(N5QvX64ZiQsciRXr=YBO6Ya~F%kkd+v%J=k@H9`Uk#a;NgDL#6t_(wj59(1mo9 z;aW-vIU=_!`;ATLqK$-x`3spgk9qGvgH3ldka$C(JheaAG8t0i@wEEAv;$uA_ZQm& zf5Qi=&PXi;=odsolA&Oj-+-MuB#JG~UOtqzcvF)AzJJ>@ID_kaE}CvT z)0r9-c?z;y@HvzC-Kma#wziqsihjF)5P%hew$Kg=r@n zBkG{3TpK+YrNu!?{h@%K}{NN+V>in+?h>9o=X*09D!`LQH$HOtY{xY`n>A`eO0xDS& zQH`Q|X5h@`2I4ARY+|YN%0jG}MXCj3ItKzM1`DJ~Zs` zs+_06#bNw{5BO2n9)6z$if( za*eQIs{aG4yqZrF*w3E}gA4vodOi9`yn8qy@0U0hSvWXa#@c+rIt&URs>{_D7`*KV z5#*V|=anFE#3|n3|9_re>ZR6gv*|7R=9Koisx$kuS0&95&gz%&vEUTQv+Mg87YNUj;xMUV|4; zdb{kv__)E}4y$sqsVrs5Mq&XG34zYN)jfk71%-vWHMYau!2EwPYC^)JS32fiVa~NT zwMhtBHf;a$pA~2|ByG%cpcuCv9cb$#4r%Unm2r08zENW*Y%J#<{jE;L5)CG!rlsZT z-?f$rsr0Fd9l_FgJO>Ofkg`Hlg(Mc1M?9Y}rXPS)p68_a z%gf-t`jGI+|C%u#$KRQa4zq|JT@TSrg;XUvme;KR+IOf4a#tJvyZd{iV?Vx`n23lQ z`(&oCZ#xLT2 zNKjOO#ct;8^lwgwe=mIR+;R3@93C3xvfjN5vcg^tKTekmCU^=f{DBV$hoPs7h;OpidD9^g3>`hQ#i zK-`?jh~VCfdJHdSYwbnhjYu)NjPO+F^CxY<#*f7j&JQvX@K z^Ne6JaTOpRx*Jcu1e>7;&2Sx;-M_t8!-s>t_%D;b`jvH*|H4XCXz1s5WhOFy7b!Si 
z0E~v`EaMjfLl-qfH_0S*CYeNe%FF`^{2mroe_4ZYT_xN|c0j`gfUW~sg6N9u<L=MFLSzaOkoF7kZy0)g2uMqp%LL)6dUD#Fv^IHf> zKXQ5xmLAi5Mc}p3&8tiU9S~?vZ)0n(6Rcg>?0DQAudlx;z2Gh?iUF9=K^N~TFl_-3 zmwlNXH-w(5QP>93lns6kpr^M^_dJF(RiRhTX|K`SC>CHO*MyBxXT)tWD3lj4(LEv~ zd$8N^<%@7qeFl;)P_^>{wu1dIXDeVT=w(1H z?%m*SZ1i~B-j%oAbJ8cexVyNSWP5kj)jgtt~)n-2|iC{>IM1&#JQU zyl?gWWV~*Fb`J1?mz`Tt&h~3x*}P`UmAc>H11s0^vJofuU&Xl^GHIfk$7+tp?nu2# z4R}i@s$iVwqr@{hwSv!6W!d4Vy`QF#KT5*s7V%Qk(PVV0w?uDP1(dhVf2|tvy%2LR zC@B1YrMSMbe0te+IW#r_2G0M8{Nv1TI_GXIUwEsHy6pzpz!DP}J` z=C!j>2|>uiud1=H^cb{x9Di7vuk*J50|UOnMNgDe#3SyAK3()dw$)BjG3U^^=#!IKmYAegsn#X{tBm3k7JVgxt}dmYCv z0igq;f6PdEdDW;ClnyuoR;>8sPB|pS#NLli2B8u>GbJc3qB}n*A(60+Y z9tT*r7$4OJ6=>HiCGyWr9SYuwfcY|Kw0`i1?R5s+>X1eYlM>{y?_fRwyf#NE_9-#( z6V5t*3RYZ0UtAt=9FUj}3JQ2m$%XFfTIZ%ZP2&%YXjnMj{8>@rVH|lA{wOXZ0WH0P z#uZCbCB*6&SXd63#)| z8XOScTU`FrvYk1tCru7HID7648wB zij!vcFXXAIs0P#fS0L8O!D=c)nV6A<#cFSZWSB}eWw?DyT(&<&c!lhAo6TmL0*ht%=k(yAHO$a z3v`wwd>%i*AnPF++0DMW7vY?J_E~$aImZ}tj0$zxv?mQ) z89m4W^qn5n%EUx`PJ;Ok#i>bhRA8swMglgWi>{~T24f}gJHI?1Ro1TCP8TUH z@?0X1kfE;N=igtM3Wu>V*?vzQeBP1lhWt7-`j|E2LeLa*znPZN)+UBl z*jkSt01*QMdZlhCxQE8?k_x-M2Lu6B!DQpbCjZK8QoqmcJ#9#%=DoXrfS3X#9c-jU zeog?wLz1j=fe4F~>lNX}>0y|4>Dr*)=^gv3Hk=ShMygdvnC-Eu1e|BSe+*aqNK!(g zz_3FD%JRpaN7)*gjr&^}QbqPQXVZr3e&<1d^7P96Kq!b7YjRyPXH4`>ys7+pELYav z0CqTLajt9dSZ&vw?&0&`=wkDs_gW&J*nhevYB~+dB4F_A+Djv=E1SU+lIvH{%YMfWvalzX>4iW z+G<>O6B{tr0^=kTXA-}Sj=JE;q4t-{zpaLdF6-$-NI!hf^(5-G6X_j_U214M`kTzb zvDIO*8%nO70c_RO$Vn98tr34K0p}v?IsD5~Tl1QZYGL=w_$0G)(KTIJyel#o2}b~U zh&a1GRmpHXcFPsMa+a}lPNbe-p6eqtp#5x}j#7^@ruIlP z%;!FGTK%Z@_}kIJ!0ni+2-@}Hk_F~lx-Xn81f*{iILtE^f17~16_R0X-&F@9OeAC& zLmM!=x|xip)V^R}RpkjeT+CmHx&JhdeglRAASwn>ltgaXJKO-LY^?kDmCyGZz!>w_ zs5=s;$C$20zi~7MNdagE7=aE~y)Dr6xJ|my&D%GJkcop>2ex-!{@30+vQdu4jlEBe z=^_F2u-o2N2G6w0UhK>ZUXyJ0{R>xif_)MYD$we_6bXA=MY1J6l4A)Fmcsz@2 zAOA4wpb@bH8lezZO!LXIM@a`K5g?Az$kp!&;qWrNh+X)guUYMofi;+&QvFZ%jV>u5 z#c7ainW5!CXK2~b|6vc94{$jOHt>pTxzy7sb_>pPb4^jngjlO)D9zcE4u<&; 
zA-L$oY8n-gB;(_+ENtwYkD-goArGy$bvQCU{bhhW`vbK}pJOu34_BX!SAPT~A0Cz% zPyOvd47x}e>H)9#0I-`LN%97pgAhRdIo6_QfE7sFKXriPVt1(|;VR&ul0wLhGH2kD zhFtLNH?z2ag4;k0|FpkbP{Sl%{^v5Uqb)~0Qw=2UOEJm`?&dQcnv+1Pra^{}cAatX zwTmEK%0b+Vq zb5>SiK8&+DoQ5kIocNG~LpA$oV?=A9_%OO-LGIhR5Ueg{N70kNvs9?Qn+UF)Cc;dc zLF^%HONbsqI^dSX)Y)ZlQo(H&{dcs)+$s_8xjhKVB83Ma#uDcNDa>RjC6C9=1zmcc z{J08wnQQuG_1tOo^I#F0?eXYs#37)JEd_=i;)SzalVC_A9ZzX>b=4wgfefF#4i+Ii zL%?6z9xvO$(vRUc7X-h9kZk>ayFeVJL}72CWSc)LQUfPHN zD9=P$%}L02a7l#2mZ2?)WaPEgUd1L=&Uu&)KovIWJ+Tdh{q1MmBEluTkAtKz8P;8?v`xh@>&KYX1dL7x4Lg ze5=VcCk2<2o&bgr$!Jg=RcInpwC!Ch&FB1ur2Iiv4qxG*MO3aXBG8j1=#JDFb}K)+ z&$%SP0a;0&lfgwx%*hD#0A6Eou zYH7uuE$k8yd<(`pgrV95;5P4&vg0hdIU#<|T-ll_5(gIA^fG)xwG8T}HBY`@>lcsr z7JZrMv%3)dvsTsP{i48e#bDe~n>(J;V$`0PcKu@0&_|Wb`PdOBIBJkky$+4sM~@!O zRx6qcdmaitt*etu;?Df@*iO?$5y^`J&IZZcfZME+XI;l}7Y)@HR?P`>ljhgs^*;@d zG+BN?!2khabv-QKdt0uRy*0tN*_7Cpr#}$1`(|{S0Z#G|Yf55mDpiipB zg{I4#0BrgEdC2c_N(eGNFn4ZIj8BbHmEW8`pyH#Z?g{(K2P1x4#)E$1sFm%PDZ)!@D zs0pxYITbY-nO6R5dO#QY-MwLbz+es_Q`?apk82c^lvoW7XFa$azdn$|Zv@QCY^j3N zdbxhH8vWL-TR$WYvi<~N228Fs#Kp!c<-XC{tl2+W2MQ25QnYFV4GltE=SsZkI=e6u zS9E^1#KkRDUchs{vS)sosbJII+L}M=x=s-rpJp1ak9$mOihjtllyt>r29X8pi~BKq zW$wC7Q*#U`ZfE{pjUs4C{|L>A7gxpe3wyRd1gnHDMp==B~Pl=BYtKaKo&9N%sW(nKJ#lh7o zHbwJA$D-RFh5L7WhR%99(WjQJf#=}B0n&>3+jO4RlmB2O&ri_959p7%mf-&O3-^S0 zk>Iai(fi%n;rIi|h3q@oU?_qiZ8g0(M{hy{6mfCD#{iw4pU-O6xNHXnKUH+w>&ey+ z=HaxjtS|q027mfw47R>t>E{3w@^{k0`lyQC6)@(YWI-n9GZd4Mh5|%OvneI9Zg$db zZ7>Lg3||8U1brv+Qc+B?vp^lfg{z3hL`5~n9>ggzL{4J6{_#Z*`L;X7D~h`f^R==` z1BG~&KQ(d~;MjdIBj5tz<@AoC<~C-Mt-k(nR?zzoEHyLz6@QtO6p!hbF?Qm*b34}4 zJFfC8bY8%DE%)X!dAc7(*z-Gle7?w{F9G*`SR?AU&B#YDPq*qKiY(wYaRAW;%T?%? z*v#uoT@OL^I&eDiwZmA&rldN73}IeKNNB5PU~>4T{&g9fe?S*Q1J|D|sc9YuV!q*h zbGbO-pm$;tU|EguTwAr>{lu5mPG?x)HxAOS_bI+;7JsJp7+{aR^}1ifhcfNkd`5l? 
zKt@Y|{KFRWG)J3@%Usx+9B#+nk%!3qyZveq*!%?-$rno%C}25c)D}3jzcqmgU{4|Y zj0fGZm~zP*q6ZjFBu9@mvXpB6ob4a%C8^Or(C_{*xrX71Zi=oBlDG^TK#$qo=50ZC z(+w_Uw=rt`y+t2-C-8UFHM9U0{+Ucj3^me>)KW z!EE`yL3?()=ZA=tr_NsbYQIgL0A*HWpYOPa5c73)M_T#De8{A-f98yI2$JzTv2>G& zNCp@diLO{KrOZIDFzmZ`=Nb*nJ_QHVfyH->oB}-B5W(HQWcub!XQrxIIc$PVBpSG3 z3Fwh$4(gfg2nj3`*#;mIy=wYz&ROx8aAuG+Uqc6%r5ez?N(Ikc0q9TjVQ11S()M3@vO0+;p&h%(Ynrzr?%;GZ z7>`ZNEebr)Y4-s%Krb7&>re)NX(hBrG8Dd9AWk$M8LoUgh6fVA98p)W@@+L{zq#Kd zpu9cP-Z}UHj_mD<%{_^bo`eSGDo;S%la=Ve!m?51;a8ArERNBF&%aTNBI-$o?>wDq z#REiMs5dbTC6nJyc)B#f)?Gc~e5)n$?sy@^TH)$lGU0B|zAItSS=B+0j#j07?_AL> z549b*RvBDfd(%K5CAJSV#gwy$V85qUjciNJjPytZ)UxyoSk>pldKb8|_BRpzgsI z!D}ljauaJ=5>7qIkgKL2X-~j57}h|2&we6ED|AXW=7+5eKn!*Qio|$+_h1;{*ceeN zk$ZQLXMcH&bV+8O!Z$d>Wj(B?>l;+vUnF~!7yi<(xz!sH3ty+Z*YS!Ocob=;W}i#k zCCRs(kPsaR=UniIDb>fUbN=*%L>6uoRFsr_PN$?ms`;k)R{yrn`p^_K`vm$bb5sR@ z`HPl1O`6wdMt7EO0;voNb3{hj*fy}gJp2LLuD^?$nS2V@8eX2P?Ay76+j>TK;@m$I z&DG&daqy~mQQ)Tc4p$!q?6!Oeq)$P0d#9(n;rjAak$}OM(NXAK62;iEV|EJib;YaH6|dHO;(AG&Ev6JBJ%Dj(#aGI zz{??pJ+S)ho{M>M34-L&r``QF9k8Foz(5G-Jz!V;t>KfW#t>8b@^*sA$v6Ju_}}lJ z)}qK~Np?Rj2kGL^EnRF7Y{*^M(S*}_WplCHt{sv^<-X|pOpzf|J8^X#Vx^P3Q6z&e znvlLFd&pyWNj2yGICdRU^lE^h%GA{K`VGr=LqGxU0ye*EDlBklY_Yxk$$=(b7}`j=sdH<)~=2f3SDVUjooF_dhBP zEO5vRvDSN0ZH){36CV9{Fcz6#%hQi|Eh8;$(iW)h`1+{t33*yquAk{Bk6E)d7AB?x zFw$VJ+FsfiTvJ2Ne2`G?Faj#je4fqrJk^N+Xsx!(?QnbdJ+!p7Z6Tu$ppWD8B4HoX z(HF@|4+w7oYJ%uAKgep9QS72r;*>-DC;m0va-WODg z)6*UHG^HRa(|;NFL^G=u5bsno<9QufrNjiCwIvEEdztnpn!$9;!0;iDWxP)5?K^jx z)7}+18i0xu<9q@Ilp2K^L|O1nUQ;UVj$2UN6tcYqZOeG^P;Q0oY`+PN%R?9`7U;BK zM1jM7F=YS3;~uR-f?+Sg1#+waVnxhjU&k$AGcnm20n~teeq^$cNyI)XOTL^%U)F3KQtvEV9@cU@a{|b??+lz{rU&V+hnCu>j*g+YYZ1ANSdpXC!|3*w=s_Ib)gN8g8+#YoAOTKG(0)iGKQZM3(j)e9p6U4VXdEMFC3bJPrko`$b7)(oMs@P2&F@s`MC2xFU zch~G1i>V6!QY9g{6hbNhoc8r33v|Nnhosmc*&f5Cnu&>J@d2sjlDE{xxC9)8F`)Yg z4Tgx^i2?@nmW5@To@nqR?b0_2h>9`4)NJdW*l)`TZOgHeAE}9OAs++r+8ySXZwsH4 zRcnwtcH0RGRfF!^xbx?IZQL?IXJ!`{>2E}o1DF3xua*dU*|@0KK$NaHuDZIX?yu^? 
zOtOD&sD;B;`SSJgs`OKe3S}z)(6HEcfCvmK^FTNcG7jyR0 zikEeh27GqAoKVt=z3dfw|DKC45-AHH>le1T0l{$Vi4yYdg-=i=+VME{S5hSmz;>IPyE&BRA8VpL*)04ucy zaaVv8o0W^JZj^WHv67frgNL`6qoX68K`tY}+nlz!lK#$CBBSE0Nc#u7O>E<_-*q^- zpJ^&;GGNYwpoA%dScUbrl&knAxn^-YHf*or*{OF#d#n?Rhs~;?QYq?H%JHmlJbjVv zpH>DeO@I4>N~Rj4ZsD`+U!mER{t=~-I#BsSfZPY@+(0yA5R&jo7R?OODnWd`0OU1j zrv_4VW-$xUpnIEhn(~LbIQMLFzGRE62KGq7o-0Alh?v^*+~ORG!|QlHvtsBw1DyuP z&h-y~6`qaS(gWv(Z~W#}!$zQoiK%@Z!+D$Lc-j+~IhEAEZ+f?t)#x;%!l=pM9C@pM zK*_)#oA%x!0t-Rhwo_!$9|iT0M91qw(kdfp(@Ow-ozeM zXeuMXsqY-Cy$_AsMdq*P7XPOO_=*nF3RZ_xPWoH=)y`-jCNeEm?BZgvNfdU^jm)U9 z+tWBdNByamiE3YtnzuHM$cd$KoALR0TKBRD0CsOW3Qqss37$~}tUMW3Yf&)5lYi1f z_I9RBx;RT6am|^Z70Y#X1!7virg|mMetz^e98&=SUlt}m$o`CA@N&%*)G*u-czfNL z-EC2Ixz;2o9T}eh<=k9&Fc}K3-Rd3K{8a+KWLMIHB4TJY2eJUm$_88JR=F~N4W`~U zisAOeH^4fJh1rQ8d3il4k|E~PzXCLpPewp-Nmvudp8(iKnlu%GoSYoOhr#yE>d_hv z{n9HdlgNx^ouvcXZ;{hD|q`nfyL{SgJHAO8-J6WdF7%J8d5JfO?oq0G&GOk*lhB z=J1XUl)7T2%t=zzH6ZQ-4cprV23ybxgXPd`CX}5DOn#W-6W-{HR4k%htG2$ny10~8 zHo*8!@A7v2Z=%Om+|Jw}5C5Y7JZQAQ$tX3s0H$CdxA^syGD(Hgi66vDg@N`WG7^tW zV4f^$qql|$#EX8y*iGQ##jmi*Y>bkoG9d6Mxh@73c0~s&M7M+W<`%MXyv#0x{jClYkej-?rf6913bcGCe;O{q@)7fi23=3R zYi*HJ3o|HrkQ39vw5ONYo=Gq3F?^dc8wJ1fU#>5QLMq-5g|w6uw4kM{?x-9AUhf_D zsHiA-*PPZSt04<6pk2VehR)EaK~sz?n|NVU$RSHP;pZ|TPIwqSG~#6A<{w)fu$8?B z)A2x1Gg;;u1fw{}`PB$qU3D%L7Pxq14WRxq*`JgpS|>}Zx( zBhwex(PwC>!~#Hq0=~QwIU2}J7>pM!mOp$wRz(l`RAe$2d@VtF$LDz2<+moSmJw-sqVk zikenLaz}4K^mqF*K|J;r?XCLCNU)NA`u{C_iyI=uxIU{VBPI2BrAP@P z)TE@Oo=a+?L){4*IefAEPyDrRJbf#)L+}{H*5^+?086@4t1t`CJK`i&d!MgY?w(zi zRsuAHz2!#eIl7)t?_vB;ZBp9~g)K59W|I_m<7Q|%c*NQPUI*I$eAf(8 z8W((e+;i_5B7NVkBj){1frh?+mJ#>p)|Kn4Rvko01*1Lq|Gfeb{4`Pi=Q`o1$uIu< z-iTyA=syA+_+7tO_y6-!@M=nol>aBi3Kaj3SP1_7S-~eCmH(e#wC^N?1m!#I7|irB zqp6Sk*(0tT9S}7d33$7_h$S{MfA#(u^C`-7fklz**7M^FsQQo3Rtrhw%ry$$H z@$l=~)1z{H!pvWA_r(6sOfUb_<0Ch-YbGC6nhL2}w4CR!6Ujsld(zyz z>1c14Zg;@I`BOJQCit+`xX@+j0rH0WQQGoSuL(y`eRuBM`jZyruI~4l7rs%2 zSAFS}KuX4$eroI0hM-{X?s1!{28%)Cs#Dx(wTpK$YCAN>IQQ?j_12-KS%KoqdNUC* 
diff --git a/book/source/diag/OpenPGP_Certificate.svg b/book/source/diag/OpenPGP_Certificate.svg index 363a762..af0bd64 100644 --- a/book/source/diag/OpenPGP_Certificate.svg +++ b/book/source/diag/OpenPGP_Certificate.svg
@@ -1,12 +1,12 @@ OpenPGP Certificate- key creation timeComponent Key (primary)AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3certification- key creation timeD07B 24EC 91A1 4DD2 40AC 2D53 E6C8 A9E0 D07B 24EC 91A1 4DD2 40AC 2D53 E6C8 A9E0 5494 9A41 222E A738 576E D19C AEA3 DC995494 9A41 222E A738 576E D19C AEA3 DC99signingsigning- key creation time- key creation timeC0A5 8384 A438 E5A1 4F73 7124 26A4 D45D C0A5 8384 A438 E5A1 4F73 7124 26A4 D45D BAEE F4A3 9E6B 30B0 9D55 13F9 78AC CA94BAEE F4A3 9E6B 30B0 9D55 13F9 78AC CA94- key creation timeComponent Key (primary)AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3certification- key creation timeAliceUser IDAlice Adams <alice@example.org>User ID + d="m 1267.0829,530.50891 -5.088,-11.2 h -1.584 l -5.072,11.2 h 1.648 l 1.232,-2.8 h 5.952 l 1.232,2.8 z m -5.888,-9.568 2.416,5.488 h -4.832 z m 8.864,9.568 v -11.872 h -1.536 v 11.872 z m 3.696,-10.112 c 0.608,0 1.04,-0.448 1.04,-1.024 0,-0.544 -0.448,-0.976 -1.04,-0.976 -0.592,0 -1.04,0.448 -1.04,1.008 0,0.56 0.448,0.992 1.04,0.992 z m 0.768,10.112 v -8.48 h -1.536 v 8.48 z m 6.6239,0.096 c 1.52,0 2.784,-0.64 3.456,-1.824 l -1.168,-0.736 c -0.544,0.832 -1.376,1.216 -2.304,1.216 -1.664,0 -2.912,-1.152 -2.912,-2.992 0,-1.808 1.248,-2.976 2.912,-2.976 0.928,0 1.76,0.384 2.304,1.216 l 1.168,-0.752 c -0.672,-1.184 -1.936,-1.808 -3.456,-1.808 -2.608,0 -4.48,1.792 -4.48,4.32 0,2.528 1.872,4.336 4.48,4.336 z m 12.976,-4.288 c 0,-2.608 -1.744,-4.368 -4.192,-4.368 -2.448,0 -4.256,1.808 -4.256,4.32 0,2.528 1.824,4.336 4.56,4.336 1.408,0 2.576,-0.48 3.344,-1.376 l -0.848,-0.992 c -0.624,0.688 -1.456,1.024 -2.448,1.024 -1.68,0 -2.88,-0.992 -3.072,-2.48 h 6.88 c 0.016,-0.144 0.032,-0.336 0.032,-0.464 z m -4.192,-3.072 c 1.488,0 2.56,1.008 2.72,2.432 h -5.44 c 0.16,-1.44 1.248,-2.432 2.72,-2.432 z m 20.896,7.264 -5.088,-11.2 h -1.584 l -5.072,11.2 h 1.648 l 1.232,-2.8 h 5.952 l 1.232,2.8 z m -5.888,-9.568 2.416,5.488 h -4.832 z 
m 13.712,2.368 c -0.704,-0.912 -1.76,-1.36 -2.96,-1.36 -2.48,0 -4.288,1.728 -4.288,4.32 0,2.592 1.808,4.336 4.288,4.336 1.248,0 2.336,-0.48 3.024,-1.44 v 1.344 h 1.472 v -11.872 h -1.536 z m -2.832,5.952 c -1.632,0 -2.864,-1.184 -2.864,-2.992 0,-1.808 1.232,-2.976 2.864,-2.976 1.616,0 2.848,1.168 2.848,2.976 0,1.808 -1.232,2.992 -2.848,2.992 z m 10.368,-7.312 c -1.36,0 -2.624,0.384 -3.504,1.088 l 0.64,1.152 c 0.656,-0.56 1.68,-0.912 2.688,-0.912 1.52,0 2.272,0.752 2.272,2.048 v 0.304 h -2.432 c -2.528,0 -3.408,1.12 -3.408,2.48 0,1.472 1.216,2.496 3.136,2.496 1.328,0 2.272,-0.448 2.784,-1.216 v 1.12 h 1.456 v -5.12 c 0,-2.32 -1.312,-3.44 -3.632,-3.44 z m -0.352,7.472 c -1.168,0 -1.872,-0.528 -1.872,-1.376 0,-0.72 0.432,-1.312 1.952,-1.312 h 2.368 v 1.184 c -0.384,0.976 -1.296,1.504 -2.448,1.504 z m 17.44,-7.472 c -1.44,0 -2.624,0.608 -3.264,1.568 -0.56,-1.056 -1.648,-1.568 -2.944,-1.568 -1.28,0 -2.32,0.48 -2.928,1.344 v -1.264 h -1.472 v 8.48 h 1.536 v -4.368 c 0,-1.84 1.008,-2.816 2.544,-2.816 1.392,0 2.192,0.816 2.192,2.48 v 4.704 h 1.536 v -4.368 c 0,-1.84 1.008,-2.816 2.544,-2.816 1.392,0 2.192,0.816 2.192,2.48 v 4.704 h 1.536 v -4.88 c 0,-2.496 -1.408,-3.68 -3.472,-3.68 z m 8.736,8.656 c 2.256,0 3.664,-0.976 3.664,-2.512 0,-3.296 -5.376,-1.664 -5.376,-3.664 0,-0.672 0.656,-1.168 2,-1.168 0.832,0 1.68,0.176 2.448,0.672 l 0.656,-1.216 c -0.736,-0.48 -1.984,-0.768 -3.088,-0.768 -2.176,0 -3.536,1.024 -3.536,2.544 0,3.376 5.36,1.728 5.36,3.632 0,0.72 -0.592,1.152 -2.016,1.152 -1.104,0 -2.256,-0.368 -2.976,-0.88 l -0.64,1.216 c 0.704,0.56 2.096,0.992 3.504,0.992 z" + id="path47-6-2-5" /> From 1f9f953aa6ceaf68ae3ba9f8483e1fd5e85300f0 Mon Sep 17 00:00:00 2001 
From: Heiko Schaefer Date: Tue, 17 Oct 2023 15:26:19 +0200 Subject: [PATCH 44/56] use new diagram for ch4 --- book/source/04-certificates.md | 2 +- book/source/diag/user_ids.png | Bin 0 -> 46500 bytes book/source/diag/user_ids.svg | 499 +++++++++++++++++++++++++++++++++ 3 files changed, 500 insertions(+), 1 deletion(-) create mode 100644 book/source/diag/user_ids.png create mode 100644 book/source/diag/user_ids.svg diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 32f3b76..2aaf525 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -145,7 +145,7 @@ Identity components in an OpenPGP certificate are used by the certificate holder An OpenPGP certificate can contain any number of [User IDs](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-id-packet-tag-13). Each User ID associates the certificate with an identity. -```{figure} diag/user_id.png +```{figure} diag/user_ids.png OpenPGP certificates can contain any number of User IDs ``` 
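Review bot: the `{figure}` line in 04-certificates.md now points at diag/user_ids.png, but the diffstat for this commit only creates user_ids.png and user_ids.svg and removes nothing, so the old diag/user_id.png stays in the tree. If no other chapter still references it, delete it in this commit (together with its SVG source, if there is one) so the diag directory does not carry a stale diagram that a later edit could link to by mistake. A smaller point on the same block: the figure has a caption but no `:alt:` option, and adding a short alt text while the reference is being changed would help readers who do not get the image.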
diff --git a/book/source/diag/user_ids.png b/book/source/diag/user_ids.png new file mode 100644 index 0000000000000000000000000000000000000000..e479b8c4d030f39811fc4e8128c272e160033528 GIT binary patch literal 46500
zcpv-L>-=F3=w!}cFwRz*BfGmjaSAErVpdup%nL~@;XZjDFZ4$%Wa^wPmOJu3-Hwtd znsR5?Ti+Y|`1c1qJnpfOEEZe3-*&AK1-~^AcpgW5^-rqJFn4rt{N3rT!f4om7)C1C z)cGv78nhW&0AyzgNq<0V%O^4l@`W}Ew8RFSoJ_{8z-H6Gb9HeM1td$?r`z_C4r$j8 zkCQNLrW`O3umi(|I^V-6V-FYW03i%;)Dj7J^+hhd1aIP)vHbO#b!61TgliY!Hl_O&vm!A-%Dq!UjByk4=eAThU>m4A_hQTE>zjTvCVS$jm;Ys7i5v@I1VZIL# z^ZA6%76b}L@t(k6L+Q@p3H|ZKkg@cdh(8!ic8j-#`JQqkFV}XVz` z4{r#lDxy{M1DkaZd`IU{5+K=bcNnWiJd&VGG~9)!CocOxpyW;dhn@1muZu@y+P_TM zb4<8%O@qSvvho55y8ZOu)$Z@^q70ZN+}wUpu`XO*wXBScj>5IKm+8mxz3VNwgY)zA zirSjL$`k+@nA00V&rO~^UYep@IbZeAz+{c7lOIna_b>_xYvJe(pXJ<7ET5^}D*SdkY7n zk;OlmfbtX?Uj8;leY{ahz<)6F{yc$>U2%6D^*D_bb;=g3np&}nz@q41{p!YvFDT-K zIB*=Xea5rdf6*&r+7}XZd3gx}9F;=;*uVg`uY-#VYFHTf~elcu~mwl6dKZpTcXowle3xNqKt92T1#F7 z2M1T)b9$rACl27qL|g(Bx1b1|GH_r=;k&vd3@)Ny9&fgYVOnk#f`&X5;1%sVTcxw{ zZNc!PqjAQy;sI`NH=pB168j>~IU^x_-NgFE4wo5vBOO=bD|N1xabRJ;MM5JT zmnbYMKU`O(XYpI21MG994u1V+*oSc zrs3t~C1qqpT->QMUk4g)PG3TB2nYnC!EuYjnQnrQOUjjU<5!x)fpQ-8&2g2@Y}dWM zxfzNQ&dU7FZx~2i0xcI!{LyJ?6r9WWrKP3fl^T7+w4ptp=ge-=YgVBI#3XJ9sv6Lo@5V=VRZc{*-I zB|rT#&!1!b+?JPv*m!yQh}%q!v9Z~RAyYR32J$kFmn!T)LfhSs0#>yteyzuPXSBqp z!BFPKUkLe`**L<-`^PO-@WoJHlu|v%J|p14_|k=FFQXFCtFRnzX7s}YFE!Ok-;qGb zjaO}M_VS{41hsjug1voeF8*VSn7n7-EcxF*R$i_1tLjivY1Oy3E9EYH=nyI*uY?LB z0VvZ+1mS?L9hD?vln7X7e_60cwAwmybt?njjE10B>0g%YoDMqgUl;Ls>q#sGqgi@& z;1Z-E+6|(n4EYD^vYd`nN}?nzO9rm@0Ox!fM8Uz#cTEIZOn9JmR?KDxnt|GpawQQl zRH-IAMTe4^Pd?@q=lpFdY=GCf`i0jts$TbMW7c}ktXi2TAwpk8+H;qPx%u-mt39SgMIEWJ!cI>zla<+?M74=gsP zloS8+IH$GRbxPFN!02RUNv=>e^w&@To~VK+xBf^nD3foTRfo+3GUqX4{YT)9buTiY zST|434MG5|u_3?omu1fatBLNiWa4&;K~~^w*TnuLTUU)^acXO8YdY9Dbjp39@YUnC zxin&3j`=NIC8W@XUPR*++@*`#&y=Lh-#4FCDkTnBOqNn#(#4LSpH0^ZSTc_u6QnU9 z#p-izK7FA)ylzTnu+X}B-m`HlQlqQchl9L65Y2mBaX`dfLdh5K_NxXC-0g~1s_8aI z**34dJR*_s2KS#ZXnq!VN0v{81Xc|olIj@|^0i=^6ISR?vGR64rBVXa`KRw+BEhwc z3b5(Z(N7`5Nq|0jSI}8AciAFr#v-gE%lhAh700b#V30lS^?@d&3EY}q4YphR+VP1A zD=sK1w79R=ws91)WZA$5o?}0aJb(@FK=;Ot=;; 
z73>593b?-){lG@8_DnAz;?<8J;yV)xXm7Q{>tVa|&t{jBr5gvF}qhVo*67gXF;CtWH0y4zYzo?3e5e(xJ{_%+kb|hT(>mo>lG|GK) zgnfG6E9m$Eq72OgTtxP8@f54iiHX=?va=9iDFEE3Gk0xOci|R(7x}?*e&HK_KlihLV-!N^}#olOBT!nky z5ORB#hia0WsygCUxQ5~-As9UbOQi^VdS&jOvrJ>GAP z4TZ>l$Sf@<5xL9RksUpqkqc5jHKeEAgmKJdo;CYg4#IAP=P&(O6M;c&OM%Smr%m(e@# z=3%~56TK5|dwvZqAa`N@GI4)%b$AtX@em;5P1<$AvEiJTpO42K@Qb1*AA^OPqd7-q z#q)3XW-v87Td0^w-PU60AR8AuAukR!KVR(3$zt)`(I>j}fc54P3hlrvMos)_wK4=D zYg;pMZIO5J>GoxTEvt*mrNBVUlLhBu$CC_2+w^312&(5Wml9kH4Y-!$ zGd2S!m-Zd;KDC0`K~PNEE-y3k*5^Jxd#9zRLG=BiX7XuWE~yE8<*8C@N3YU)57VmJ zTd2{QDiBgxoFXC#D*2rjq8cMkIZ{YT?}No7u~UTErJl{*@}8nuSwNioIEp2(r-d$hug;nEs{?A8nC6|L{`?#|9* zOG|%EoaFSpuzAePmx6crb6N7ps2J2Yhj;Jt@n$b)7JJ@u69~DplBkupbDeu(w$kq$ zZM}@0RIXgmS>at}w4^C#$n0Z~jil^m%V_K@2;gP@~UYXkbth>dx*lN6?UK2B+Z$Qu>>3Ki3~QU&B<*3Xtrw&Lsp8VJ&k)%Ift zowGgWKkSVLi@z2-jT}Suv=s2h%E{;r<8;neFb&Bxr|he}?k*dkrHa0F!q1`5+L+rd zTWGGMef9{#7h)JD;c+HUoox9d?f29Q*^fKvA6mH34vMLSp;3Q-YMrh?v#TptEpolHYewHXfY@d5MJJS`F4Qk0QKx_^N zV6t)-dYlAkNfV{Smr2&{Ub~xl28S9v>boFjY{W2nlvsS*ICN&IV2{TY^n^nrPQ^ka zWf#a!Ii)^)I0@Ea@{ZuVeAa2U&vV~yPGOaLe$LA?y&&R3!0XjNReM>hl#q#!KN&r= zcev45Rg?Rg#BjpB)n-*7g^p5nj%}maZ&s(VP@MJPxD&J7x1+3xwr`4mam5^aJB5}o zSM}&z(Jr)B;dmldJryIZ7Lsv; zXf~aAjmhw4WnM8dT)0_UKpaAenBq^r~J%=M${Khhc32Xu|_vf>T@2{po?*$5maIv-TU<4a3?Wnb|{$?Xb#E7Sn6L^fI6NDzLKR+#L#OTaS6E z;`M#N6b4%(g@@+yxtE{yNo#B_C)~bg`9axm{qr&0PW)YCDU*$=v?(DZC?1 zdi)b+x9qfp;j#s!AL)M1WJO0F^|i#RD|H{qu;q*obN`Z zIbl89ZEz+y@5ZawZ{Ocpp1UbO6`v^RB3rIdobtoQN@ix#<)PLR zv43bn%>U=m)0I2F8O_wzb)>tox$VwvCw@6QE`Cu_-sa)wecZ|T(H2gRL{7bphfdAV zfQ)S{yBR*i*PD{uxX$Iyga<`*-#AV2GqIjpuh4QOdV6%Itnt)pFB#{i3dIn^gQ6J^ z148R=Aq-l9RGxV_F1$xk80rDk?t z2wU({VIxXFnC7qQGyT0ku+YVCvPU|{@y;HwXQ|4Gpwai157#-FBKzMIyNws;5kVBY^jF&_T28Hq(;}jWL zPW;{5NIr>~G2!I3i9i=Yp-)&eBf`X8g+DALYtmMyjd-ph6pM78eQ4iydk}=dgmRBCUsSfYZJiA3LH;s1G z50cf_)PH=0f)MhyRrOG59vsHsIxfGyE?jB~kG`V$RuH6K-IrL10|7hNlqHV0GL{vNbPcokT1*+&!0soAOUxtYZTja74iSCo3U_&sq4S_CZQRDs1qm%yOw z%|3Q$h-IF_vG`H!8GJq08$TgGyW3Rf`{B0i-z*TGlvvu_rOmE7IVb`s8d9l{iRy(A 
zxfORCDhe}p4|R?~PJWk-Gv(&x@)TS`jGlp^ElIVvyaLbBVGic$le=mS*B?EM9+72a zk>LD(o?18d%pgM#ik@EYs+ zi>NVWAJ@$4z9VCHxMW^dkcNwuh^T?FsRT8iIk<+m%Z-;=*8YHCp!d5_51o-*5&qg; z$2bRzkSSkjODV7AXB31}G`F9emHxo{o`kES=1rai)@3(cp~s1JHNVbWN{9ubm*=7W z$RIXfKiB^7y|RtLQb5~+}bkP1NQuRrpqa*CNefbv_)m` z#`Y`3!;QvJnz4L>l>_>mX)PD(nH=MIind8 z3noDkr|Y@5m{7M7rz_dmt!E;4uk7r!rh34rl^=*dIs~_*1y@}*xy~sXyMOKsI=VPc zs*$Io<4cAP_5?)vkgdT)CX17K(dMqwllRTHjsnbOKW9UF{(C;R;wz=CD+WJu-juA$?rz0gN0}u8ZUkl2T^(@4@hvv6(^hZSbd9_3GsRcs%U;L5DK2-O4Hpp;UDfFI z2a*;BhK3R*YFrh~Prq(_MdqrkdRuGmUNISLscItCzV_0Yq;WqRg%NEQ^Ga!OtgvdQ z7#kbEbzV?=$iFMs8^^4+dJZluq*Jf57@B{)k4#GHPqIerbvllOKEE;8=XhGEe*+H> zpMR@tI5PiO%EZZd=F(EM+@r($OiW7~>}aVzT4K$JgwHqdv$Ow9>w2{IdUVU|_Abd9 z6~Ki$ghr)sYbiy%)V{E4%WeEBol3!Y`q_s|})oiWoYN780E3 z>N8pL;@!%@l=!oQ(7~&r!{fvf1_x>Y^s?V!#Oy6G4itu%yp~1iR*1U}X1Gy7fQmIT zT9BnyyD|p`_QHBHIfy|vM5j7vvf*03dp_zers-S#qxHKQYoE9Rc$(}FFy^$jRqFa^ zQBb9I)^8P}Lt31UMY9!9vC%`sI~!5Afc6hbW=0(<`oIbCo6EMDQ_$H|TB>`!^mylW zdJMU;A!UjO&&$>pp+rJPT2g;=uj--Pl^Yc`LOS6I8gYM`oQ5V5hqXn2>!MdFf1`bH zCka550Gr3*xv|`vE*gB^qF=ebOu}Z_q1V@6Q+s&Sw6(RvK5y%u_`4;3sQ%<90Mrgf zitNPqCW?EsrY5vu>*6Z3htA{@{AGZzmJ6eyM7I*+ma zLM9N&e0LdyAbYG{t3HJJGWLTRBzuNr$i%4`_u_{B#q6mM_W*=(vwd zgp&S1=EmOsBL_!V=)UKajf&Xt~3;5q19njHOELX1bF>2ftY zO?G7Sn_na89(a4xB~qb#E^Tf`Mijzg&EnvWG#j09miuDjnLO$4uZcF2>dwDaxifc% zrG4+8IvlvOpvlhao3tZ02mZ0QqYyzdyX?t4g~9(Kx>dZMlfwN??serL7G1q7LXK-x z=t;EdFBgJkB*;6PS%DEsEo!)Hu#QW_fEYz2uV6?#y#{rhy2 zPTKufBNr26VWHNZ`xE40C7twQe?C|$?oH3o(7Qjv4IJ(_PYu|3cvvRSpQlt*X4Eu( z94$bHrE!T)(!{))xxKcUt2Fbr-jt-mfa{Cy)v?yhR!IL!1gImL)-`EG9+cO={_nlN}dXRq0s@Jl~vK>w!N~F%~Pw!n;}JeRL5=WfV(e-J~*X_ zUObGDl9qOUWxsG^eQ?%pyABmQ8Y{VO+haybQj&s{)F*4>`{UoK)2Li3onrjKL^e=h zS=&<=TNX4hFaU4o*Md;sLikkH)(<-)3@EuguJElk`}OoKLgsn`)Y%_LLDDBGs#vV~ z4eA40)YpPZ7fZZ?OH0+W)3u9PJIxkPpNR>jzBopWjq{Mu(7aup6wRX8p1&r2%ck=+ z<;YL$`Fi^LA(tL5DsSHSm@Jla3l?koSQ`=*Yc~`_-n<0l};*dI`M~aO66L+Kr&k>PeIR(l6d|074zY8C>pgBd9) z$TWFnQ(yhjCb!O$*ZhY>C?M(M>HswEIAD+$rR?l?PEhxz2YEeLhE9P{!B8^4T*@4K 
z-kL@NXxHMuI**nlf4sZWzZ)n~tI><{R6kRZrW+cP^;498#WYpVMCX1cndaGgaB&O1d_k z;!;pt=TnJ_h@oMl4=g>xaJgS_9f#jzrxc$YyaC#im20lLCkG6^Fv)&Ozq??BcIxX%_pR$_7-xyBy};Uu@Ds4IoJ21t@QyLUnqTDNHW!c$v21GdH?yNE0D|-I4Q``wy+>g zRLXC1!AlCt{;)09GXvMbvCOwojns45@LPJ8mYrGDtTRv33_MK=_PzZeDCm;8iFOi0 z>Rc@1gCYQ)P58dC}p#|jU7xHD|b;018Ftb z1r_?ULS{%5W6SvgWk1^W%-wz=AJJhIwS z-F9UJHD}=Fr(tmOn=`RuO4-z*+_aGHwk5)zdl3GdvQWt0{Lbu_)%7&?y##?a)bGeh z$!WqS9A=BJ&7<}A)EIDg&9h11oU1yE;o$YjajR+kkZBH4mlYFxcO3foK0FBHulyo% zwq&-Bc|J{+ksT0z0;LeZGRL^ZedVds5L9_#zl8HhOh|}vdAwM*PFY%0G0wONWddws znkP$Y5~nq@%??$y#REpRLhnk={ih>%-n+!> z=;(<2{rijNf@LEgKWun_NWo-eY^<1yN_Cs*3Et<=H^3G7`9V)U=G#7seN;~gtGsB0 zumTA_s;|0MR>z>wMTs8wl1HoOvnN3eDXD&vG@t{cD%`ADSFU8^)D9wno*t^P zv9XaQiCSwA;wjjcw^ak*d0Ma*Tvf%cT%fe&syiyB4L)+Q4AH$%Hw_I zc9v2#Ns*HStoOc7?(37&tB&sZidG6VVB!+1T2>D?{hB;RU#%}z4@%1bo$1jQSuckc z>x}yXEx0B*|FGl*e8B%dy*eXfqtjfrrrpnIiOX>AeV^%Un()naWsf-?IMvH;1+-zi z?{4f1v>pKs$8VLyt}&12xu$Z>d?vFfb=rE1ut0GE&Qi5tkYuIfJ=?c3U;zIu)v;&y zJ5cf)ViwW7Ev4;=b86A~mt%_d63n%4(PzxoN`xFP`4P(Ct{kfWsv-(E9P3L9l#?(# zI{Dl(kQUaUXGYrr&n{dA3V&z#y>K16tpNIPrP%yK_=Vw_g&nQI& zN(#+!aM>+dTZu`*hm_7vGt4k_K#$d6vh}ussorN-*I%B#_8@AvSSm;KQpmTgM|>}uAkA5V@vzp){4IQ0WhEI1MomseLS3GdPsMcfB`e&c$zzgRKN zdQ^bYDGQ2ly_T1+-~SI6V3Gby5U=`5a$o|jHoMX4+EN@$KNRifgX9* zbzMpl#e=_^#dPKZxWcBq8lFoPX?~C=QB4JwOIo+_s?S>WocTH?c)W5chBJ+#-%Z&< z4kl71JhUMj&4JH^p<+ILJzt0lm$E0#dItu^N|+TY95= ze_i6@(>Nhwl#}CkR4FSX(_f>Z5fvpICU!nD_|a(-G=Fc*e*|p!o`D{^lTSU$0q6vz|Sm77zH^pLPivmwQmWdj-f0Qtu zf(Hh^wBOu8gS6YujVbU}5Nkr9i-WeGy+ zJ^wdc#1c-^9^cdw{<~m|X9=^a`jM4Sps90O@Gk{LS2#YM&{FY%I3nh8_47w~yK|B^ z$o(*5(s`jklmj<#(lzYHtArDjb~-*KB^|(yy5k6BC@^b$mhs zMtnL`6D!X>9r&Byq4fQiQnlCLCDj`*CMd!tES|8^Rku*=fAG|C=iLrbb`q?16u+yj zy>73#!-|iuLmyQj1d*fZ692D`8DX-H15#o~L5Z61%<(Pq8OI;?Mvqx#jV%_e;w72} zJB^~wJW0$KF{-8q+ublF4wE(6y@Q+TB4l{T1O|)V?Hv@G*^D?#WdvzgE?PMmekekG zSfCXDiV9tFfi}Fo^HJs}gDg3VO@gNnyq9b)IgK-U%|A$Y(U`x|Ns5<(vi+G(OawU+ z!=a6hDa`s89Frbr;YNyXt$x0y~;$nW@ffaw@vA+bw$|R+Z`qABJ6V#;G_)w z6FeROrygcpHEfeN@*FXzoHtPBWEOE8FBB(Ank1@Ziq_Uy 
z5?V`h;dPpr-PuCa(0nD&!d;3}cc3u(^XK_Asgq4<`_NP@o_E`An46mmV2}c%Ov*(T zU0!T>Mm~*%1WOK*P9jD|p9X(o>%)cFitVyertTVB^2gJxtnUmubwYLJhSYA9E|*0b z%w!ac^D%onCgFhp0X#lD7Q-tSi6lfBQ3`T$yK~tp5-2HnJ58&K z&1W`PjL^Rm5+p+RJh5?bB2rRhYwdI z79p7}H%5SsURV-oU~Mdwrx51rC;mI)2cuJdL@FV*uO_Og@NI ztOS3T=jw|(fr@rVHzh#a-q)OM+SD^5e+Q7&%ddcoz*v?Pl?_}D3#VjYAOtfe>TC_q zEmZ;oLP$tRKFAFR-P&?%*SUs*03u%{FC#6n+4WGY*^!^7UXV?~1w>&(vf1aChhn-Y zKYrBY$!8`uGk*Ivt6A#|3(Dl~fCv1TEFvO?iisK4(12&C8N^_mH@^G6);0z-Ap+!d zFOCeTP1ta+z`^-N(lp0>rHRSP&PGMWLG&srLIeoa?mR3kA}L7g80C-;2)}${d?}## zQTbMR(C<|Wv=)^v*Eu@kCz#&)cn@6IFc1=aQaXWiHyi34tKO-v6orMoNern(kyaY% zrbWnyk}zch$e?laFypR)Gh901*_3@3Jw zP3)JChN;m6*VeM3wmfT~0DcAJ_1Q@M5pyKge-&!qcDVVkes}jcx8PTXR zksR*|y|M2@u(hkg#w&OM*zB4g3VX7V{KN1KC--ztPETLA_GgkLo!#r##Vmhxv=fFvUyoS$V*t|O{EpN27S=6ckNMEO=}gO{*oP*!5&;Y; zefuW-3xs$s$x(}4K(LX4_MO2j~CX7?sT|Gd1tU08p^m_}7&(vBWMnuTF zKW*ZhO~|iGNpO%f=`8R%y=-zcu(dTjBJn zR?eohhLoT54VnR(k#tH=-8ohQD4%#Ly8~88%-y9KtJw{Tr$$ReyLg!V)MO060ygKl zb@l|&1C6C#ixCH9wdOtSbJaVNZJeq4zIFHG;Di{)-e|aS)wdHF*EEBIxg z0T{SiMSwk_I?ip(~cxLu^oz7k2fryFqay_aRy``znI~xyArO-Ve2Ah%e}aEjiKC zjU8UnbV=vLM6`ADV=Djs)p)bzQdg6>htA;OAP(sBrG?yaFP|=RKD8x(OGCva90DK} zx9bJhU=q9D?oaEo($bHttWmOyOP_dGg@67O<^s8h6y}id zSv&t$!R>y5jkq_tc^CR=%jzx^WS~p#_u9V#`vjKU`8?@BSx!2hEk?fGecaJ5crN^$xSy|DlB2WSQI7QZ9Hdi<*lbDWgY-L|cN^ZL52V`v%R6Z*_*NuQe zy?B%uVqjosd!9XYc}2x+{UIZO&OeKM*PhQa&9j)TPXU#VeeuH}+oyk`i5%2wy*pqF z0ueif!DDTKiL4DWkcr-!4b=dvoFpKBp#|d5g9kUx6hx)+S0mreXX?y3mj_bh(zKyD zk!9oNWG2{975%{kI!ACvbvgJfkruN@W+ zovJC0jb(~d&gTlWZcNtDb38bL<=bKQj{`%3w!#H#PC>oLc~jQ&Yqn4uusz?Jt~ft@ zh(b^qM(untFN6_!F5mJw)I<+e+)B%7Z~Qf*Qd%$V(74J6!)yN*iB?CUJNYK1o1YUD ztlXpKU|Mx98J|8B&6fsF9~G!Yfb#PM4r>CB0mbu z2e87vb z3xt)5Ez!=Y8wFsiMn~s&sB{+@He2FIRcDCF9|T)sxg08Xlf2Ta*Zu zm7ATZQUDe>D>pYPA)!Wvg`7M4Qwvc{cDA1YGFhv2i?v8nLAGJA5vWAoT^@Fp${S$w zdXfNOnd(SN(eB#qyi;|V@5&Br3;_Lm-dge(X|U&N&X$8Y4fncuczE3lF7VioLpC3e z-+WPX<`RZ!5%s^ajK7*KB$-z!n7r6oiqRt#KYywX2UCZ{^1cEQbRg5${qNt;kOAq) zBMsw%QIi)n`OMzlnkNnxnxL5(E)X!*SmPCI(FcV~OTeGTA4qa$YBwk@AbcCFs#xzG 
z8hDlv;NQeGzH)ehRAK;6(=W8-DOolbMB2=)O@g*LTZTUhE>_R?nw@_QrM7^;zrAFy zNuH5bN-CBvUUg*-RD$x9$J2n8R)xu~Z6e1Ip6LGAE(TO=$xUF<{ImYeZ*M<={@y&c zb1eFFjX2q82YO*JG5{0>xVU4CZiCX|1q?|*>~Jet)ihZm*Gz5dRhB6pksSFGtZ$|m zBtTrW9q%hHr^VNuX!~)BP?LpHfzAHrE7g!n3$M%>=6KTCgCDeYLVEgS>`-5n;yE8?^Xts^X;(1-3v*#s{`KF zjBG&`ySwi|gXujY{J82L7bVcy3`%pswub$$OFhSl@VV@L83ogFmQSVt5(Bsj0Ya~I z+%FMRuPs-o4~!4x7iCsF04$6-kkk&Ko=eirva%l`_cw~aka7O%lMe%D^2q4sWzYEkV76w%OWvtBy}f@E$+g!=nQ$bh>uu z@kpV)uj0(VaG%2C@eA~b1BI`dYJ*%)#3|tXs2y^(Z&owAcc-!yBP;=C1h%h2+hXW4 zr$rY~YvkqC*qg}jO`CVr&0^8N?VChS!E6GeoxRl5FGjkWg9Fr_`MPMEDVdnwlg0!c z@;-NU&w~J!70^aN;JenEP73Ng|9npkfbcu;Dp88L!%%+|@<80XBV$nFc-ZleyuWwS z4A3R?EDc2u6WP_co*_^#kp~bs0>O6pNU05Q#5VRey7OTvN-fs(TcZY)M~wpQ)OnGL z3Nrw_#-Oc5BSe(|y_23!w(jn)#lzEd2O3B(r!~~oK#oGA>`rU9x@Kr$X>sxRWYzZJ zUDG5o6by_T$a8|+t$^oznr(_hOsW~FQWOW=hS^3#TEP;n7sd&y%_f{#RU)Xv*AWoO z2?>#aQ?Nt~*h&G-du9I`A5iSgJ4tt6_sl|_mbVv~EG z%E8*?^c|3BKxOoi;!W;rkrgvT+0DBhSKqO(BkLldxY* zIgokMCvvQUZ635xR;W_&VxSh?uF^+MoUJFA1_lOf9BE`gn*2~j`!o>!_t6Zy_|c~nsI_z}FJTwF7DD7d2 zpu*6V-YyQZ_J07Xz&|*I_b>t~8>6E&UnC`S0C~jzIJQRMY-|&Xj-LJ{wx*+gt^mesU#ZYCKW*YbH;u73 z?){W@vH!0OK~q}g93}IM;J2XZgIN1Lz{unWY#nGE-zppG>`5=scm&LCXgj>i9($W> z%l~)z2_ajPsCh~TobQJ7w+y2YAL%TQdE;YC*Zear%Qz{M!n|%4NAi&He?AZi8gh(f zz4Kh^B9C6g`A<6l8VHV{2w}fqVc-{inZAH9?&X-?@3$c@|3LZo5x^e*IrbS`&3}&h z0DAm?j=hs;rF!`=F#iuJ_b+#jjs+f$^J_`JpIyqdtVW|}ygJKxh0}ZXPz#dMWE{-5&Fks_7*o7! 
zesbrf1z+GJ2f*?gY|~Qht0zJX5b>Efs6Rq}V=-l{d#|4u1?SwvGOF690I7fCR4=ds ze8hf2Z5K~XguCk5Lf+X4IP0$V9$if@Gc$tHUXJ^LUJaKb`A2_k0F7WzXTl>*sSKy9 zg5x5mFYBFqAyIM^pMahD72Q)CIL6V=z?!*A_hy2Z86ZJ{FQ*^}(*%}4af#PW3vOhu zQu=rrzDn}aotNU}2GL$XuXm(8)tTsV~z`#Iz5G+;Xy<;4gP%%WVE*Kt14?QD(R$aZ+b-_eQ@^+it7iF#G^HT=wDFSwZ z;fXf*GQ|J?{pO|?Cw{U6+r~7{lzb8KG&vzDDP18?vK|lIVj6h8Zsca`9~rk8HHEe(M12`3hD6RDp&--B32?{XA9_y=cE*v3z{4}xlSbivLelI*W$SZ{NjyWdt|UNeXPznqYtTeDJf!BXs+_mQaQC5u)Lqo|UNHaS3Tjnzkia z;*Mb9oGfVdqS$jRMpSfkAy5}mQHce-tP&JpM_R0{d7Lc56{vki*E**f zO$|t35OsUYG42d_ogRh5kF)>_^FMpM1O8KnSDX?c0v$t`yrF~RFu3Wlu$+>tn^T4X z;`lq3B1W+zxWu}I^Q1&x=DA8G*8qf}&*u+En;h3Lb1+f_l#5v0&0;0 zDI8H?_>A!aD{*QQsxVA?t#w`}h#7%TWoRP=H{FsZEz#nuQh1lp|4Nl;KNW5*YL*P9z4d6cy8&N6S8e+3A3vH< z0E7`1TZaY2!-dPWw}D4mkLM+gb5)AoW;6i*X}o{B(I@g&qCs~Tv_=9HPYm-0A%L~% z5HY>R=XTV5aTiRVabdu-sj2Zjki4OTuUiIWhqPEm3Oc^CygARW-&Esrk4jKPdo_ZS;us_Wxgsh` zQP-mwMJRyp15@+&zBt-@`|CKy2TxX3P*>nj%eQ=Sf)BjC(HBxV@;RP;r&t=!JMACf#OQ7Y_7p+Ini+z^(clg6=?yu#msD23vPEEc`*1rW28tYyYG62w^R~+5>ticcyyJK-2EaT=>cAtXj z;)>@LJ&^tYEn=WJjti4F>neG4D z14BbWbz@f7COI|rb88GOND>sPBsaHb+9{&|P836{%FMyhRbm$7z6~r!gi?p?d$2y5 zn#q8q??Jc-;*-+=GF`e?daJ81B>CV*27qt?{*pqo<~Pr~AH8-5t5LA<@Wux>fzb@gK@R4sTfEop z;RS%R=p1oPgAT_>qw)v9)s@!M@2Vmm5R0rFoKU>6Is<>9;S_#|H}~^> znAdNSRiFRi0??}7+WaE}Z~!Tht}jZ)TZz`2$U0|gFEEVG&!AgQz`jDp)%6{qJFeXX zD$?ESk;~w6W<4i0orl5&Mq*)jL=9?Gf587Bsjp9hbalnW%d1!;E3-FQjfoexEo|2n9KNjNsFP*w?S`4Z0i8zwB$I zDTSJO(#2mRk}ltS{T^XbDZ2Fo29LjD8^jJw(yzPXM69eB3Z@?Zun3H3Rx(21l-%_t(=`U!0ekprJqRT#K))dXoy#BwHyfg zK?91lcs@s(M0m(+G&%Bv1`~XHE&qI~ldDs)fm1XTA>H1wO>BPK`1^f6NB=jV=F(Mt z$op!;LsfH{4PU?(omQo&Gk91q7+KJHdR^+1csN0KoA9Vwl_S5=uojfe_}P(R&GMD; z`T4o%GV-$ca=1X(*e31i7GB9{4G6BX0>0`tBG+m%xIfG?JyhH;CpE_v@5eKnBgv-l zgr=t<<&3EL9ys!LJ)NNWqTGD{3aK<%LNBLl&o-T@IfimPx`RO^^6b&_9JpRDv%Hs` z_^XZhcz+?19Tc%5w9*Q6{Ldee)ynO;g@gxoZu+Ed_YyDrHI?!da8h`y#r@6<)SnJ0~aS%l0{FJIqt?E7{(E=;t2LYC$+us+1T zt%`CSK51#z&F9%te(68j{Uf5HeBQtyZ}KkZC`-kMbZI;xObbPxKbcFmc;}&mSI`O( zHsDGL6=m&Rp7Pw2ILU`rD 
z`*7FLJ!SbKvlyZMeC%(;%gjVX$L5|n8oNEC24B8#AuB7xYj%R^!OA{o zaEElx^eUb@Wr65MZaKm=D3hnkoS3hX4N!}iR&%MLk3#F#kF{>jhX;R?!4{>uj;$|r zuFmz}-rlb5!f%$B7lMf^;ev2P*47q_&1iTWRy3vb5X;4PPeg8ZOVp=eG}5s+(Yo5e z58q$$r$#l?LG=>ghjlUuyY%VE**C)`3?w9)NH5XFBgxVsX{p#uJHRG-kn78Jqywhi zdn6w`|f?0tvzTC2hS>}GDLS21_=F$MW+u8Iub-4_ETDjg)T%vZ+46uM6t zI}ajTHTKA#dB4) zn@NW~S9B}8t#ii%D=Y0qh`56u?~#APgHiNj*z6B>Z{NLLh~NNnywupxUHTT6XF9?4 zup77&kWz+b@IEcOb0UrUhkv{~K@C3#FW1goHY-mhWOTiDd{?Bi2X4k`2h(sL@OfFN4b;G9@SI5S(_jH)S~!;DE=0>CC|N z5o(x!9zaRg>e(zgPi%y_vfZTM(trlnPYDD);&kT~@45Gg%-aoHr{YAP*MA`!EI;`Gut(TR zmf`2mpC`JDJV%d6jMKX@aVHmwgQ%#eo?63bn3zGYJlrt2j!*oy=h6W|0$LmEYsOp2 zI0nBSxJ~|ME&zaJnE<`?4Tf~h8Jl}oER+~V)#}z#C-(e&Z9D#OHdA{o%Q`A>KcGE| z;bfs5ac_BqAJ{l_0`-fRm<~kulg3+s`Yq&%k=icpYHRlYLQW$vlyA_DjZcun`ANHe9lo70!~%e zA`k31Cc_h=_R>;-pxrxO$D{fja{)Y-_x+f|KC}4lNgCUxr`G*ILkiH=gF+!z&6y4_ z2*$?Vjud038W`I#Rs8(My7?6MX|A5&9P2TNA{6gw8x%JvBW#}d2q71!;p<5LXfVj4 zq@XZN?jx1qIEee(a5hsK5M7Z7c@X^Dy=j1nwnzvtH!}w>c1ww7C|0Vq{|wp>wNevU z^=cEOF16-zhB$Z_BvDd+{x`&1x&YwLY;~(=L(G-yUf2BRf{pl2DNhqf&w3LYUOhBm zX=^Y2RjFbDrw@saMt=(flj&H53yhV}d;DPTFgw_7c@`=Zc5@~F{QTQFG>;7`z&S-h z`T9DBgj7Dm_nDoa6YLjT#uwxJSZx9Q{aY8Sr8+Si+go|k<__>yfs;$7PlNg?YJY4= z$2u(|beBw0&C2`_G{EwL7M1^FiYplh*Ba`FZ?I1{Il&_O(e;lw z5Gd2A_D$o}1M7?ZIC%YKxW{YM#0&U=Hr-ZU>t^pOM*d?4PSZVvo4cFV#FWtZ^|GUN zKq3Fv{pNnXzoezJEPnlH-LPLocjILE#kE7dmI8N}_GKX$T_Y z-9+>k3E(~a?FNk~fu#t-EHIAw(|)c-EBIWv;N07EVxs|_n|+7n{nj>N5Q(tm13o-A zYwlV&dq4C3w#3Q#dHbE<(_1L8qX`u~QvDm4U;ix=MM3a`5zS)_+75P^l6=kw zb=bhF0&7`jGlWp6QHS2bm=Nwyl zUY3$Y8c9J|l#=d{5(Q~V38j~Aq*+Q(Is_CElvH5pkZutHX^@f@acQ1w{rx|`$NM~f z@_=3T-us?w=A3iRnYkhp`|vmlxTz&0ErEIe3VMBm_CZIvC2*Ywtracu)m#KNA;*0| zJ5#LOg|>b20_M{6{K2L%pZPed7vFcSk1!!_^xaFWP+oyJds!-Z(xAv z9tHEJo5qd|KA6-%!ESKF=Bwf%)8v;gw|7r$;tMV`M{F>8%`7PQvr<01H<8Q7f&%c_1 zTQ?U=-dOg&24hm|Q{TZrP`ORD#4?#3uPS}N@tXJE^wt4X3``xooIVr+Clv>x^NvP- zUV31_fY(B7A=z*9>s#z6f~d3VF5TqG_w(l(2iS_*(jtpR*T>%5_|ljMJo@EkB;d?< z+9Zj9vc?2i;3KRbd#oH*1^-d&Of;OQ**1+N@hw!z4qP|nz+j5m 
zaKTzF?MZKS{DZgm3Z`jJ)^|QXn<2F-C?I&;=z4|2gzDQm;4k^ecy&&;=NW=$heYVB zpr1-@dpGv%Wws7><)Fz%(KZ1hPxoQA#;RbZ3h;>Qjo)o=(;aIOFsHw1(m6rN#5(nqNCM+-qV2(qWk3?7O8L8`@ zrpycP=%P^qp+kB>1tTL~!oO#T1uQTeiB9;kypUGVBjvgrCi%J2Z$NDOM>7$noc@Bj z;Iwsn>)GE-Bbl|COi z^0sOA{rJHYdW*H`YTne)`B{x!(h7#I?7%-=$6>sbE7-Ia7dY~ctqO1Dq3aXaIAu4O zg=an)Ho)>0Bmz^1d$LSmUSV%9X$(p#a<5yvzBb)AL1O**H3ovUNKhS(Tuf1rK&}a3 z2c)a9ItFTPVM*{fYTzL3+6%de$;stWJlT&wYn{>O|I05MC>Y0TkH)Y3Mn*?rT5u^s zIjx*{*A_-1^T~qJn^~ekB?_38WsZOA+!lB0n=^MaRAQ^jJmu_5t zEbi-{E>X~ID{JW$TX#H*pXP3EZZ4j2+V5NU(J2#I6b1&Cw=aKJcn7-2a3f*+)E+6k;6xcP}30uJ-@Fh6oDi>*86PHKHA3il0;N}X$G zc6zH#Ko}08T6ccdU zdeyec0eM(}=254vJK`pD<*|MXSArd1>SkD%;+p;9w}+g4Gr!zQ!0^!JADK2|tC53KM{06}-m$Zhn_bqbb4IN9>*>QR0e9Rz3sDhl2b$c?|+sW-{i z=1%Qdel?KaSSd#PX^{XzPN)>dK4mM?VJjGj#Lk8J`B=pqi%P*g{(lFr4@%w+7+S6` zT-AqMq5a5I<4>zZearDf-EVztF7k8=0;zO7 zyoT-OVYcuidBtzgkj_SD=T5t@fuWY(B6mF)!n8@Z1f(d#9L9K!i5vlu}hk=d!?k_^wWF zqS|(>gangL5>lft4R_`)ewlr!wgU@l)DBr3>)yqd@?k4Je7Of{%MK&-mvx@$AHuoKIZEfaQp$G!?gT1aRiukU80{XxH` z&|=wDP&7~rC=%mz!$GEiy$E!xU$f6bFgXi#WY|T3&EKX-ETh7<7ce0tjUk`+JEXu! z3HAaZHDc|I6&AAgp>enNqiLaik`L+myeI^lAY28Bvk3Rt%=P?|IffAa*^C4kKjio2 zh|0UkhLz^JMw`xVZLD2j5fy--FJ8WkuV`gPfeUGv##`C;ylMg5tfpNjPX@vvXoeqMGt}oFZ+@-XjVo|JQHtQ^(g2{9YQ== zme4PSZwjUYS>*54fr81iJr3z6+TmQOBoLC??DcL``Cba`-aoV$=HV^`?eSRP*}Ifq z1R7R=_?Rg;LxLf-Sf>YI(Qd$gVqw1Yr2|dikqYg3U{IBFkB-){BPob#i_LXlgVdU! 
z@;X%L21s&9NY)R))PVbR1Vh;}IL0Xm`*}t6ln8MD3$`Tv|N0W;J`SOA^$B6Vyu6%h zLDFNr4v-Ehg9zU4AYwhfb}Iu=PXOhl4>OMzT%aUqgW#Pl$E4%j7Z4RanCLRUh|_&m z5V^@AKm0eMB(6?-6i)GJk5F@vEVxO-75*7&L z`^SZtNK{C8=aMp@dxiF!^JAo9!}0?YiMC`z0iCOAX$kSZs3BSj$pPtTY!cDm0iPk@ zfky4yEF+>K7Rz4f#Sl~W#L~DQyZ;smoC*OO;PW6MAt62|j^p+P?nO}>-#?Q*o&124 zJrpI2M|eYgGAilx2-|oHVqLgJh-qSe@%gr%A#kP$`)*n=4uQDrQ3V*Q9@XIlRh<#j zEixFm1|DC1ajON^TSKt`4|{>1{*eFqbpSPyo~A7=UE@ErJuLPG{py%KzzVyzo)F41 zOX311r|9Xcdz1Q;O$4YVkB0rB^cw&}lR}6og%X}ll(tRw5J3<@-_5X;SUx4gPpIk0 z=Vz!{Gsa@={7AsI6BCDRbgJ#2yaV+LIh{Q0;?sPd3rId0#;;k^{?Eq5q`8lqn}&YH zBLcuXs@3qYbpFY#IgsBmfsbO8d~_dy2hVZi4h?c$ND=&3(ZB%fVCI8c#iJ6=N$2P1 zEvY*}2HIHR_#ZCZIdEz43Zg4gO;YGMQC2qFh{Xdfr5%Vr;|jZZZSAZ_UFCBDmNheo zr^om43D*dUdc_yoc0({r3(aR?E_r+V?|HJ9Iw|M9uFB2cb9gw530PE-R`_hjq$nty z%%5$e$zX7J43$!JeE^NA+yyN#@wFNEjlZX5yCJOfLz#6ja`G$23xemGY50(rvBYZ1 z$`bRt2kdDA7tF3rm!*w?pPw2C2X64}Vyd?>uYkXfacyOZJw0OaOfLh+`!?7KKe8Jl z^9v+uF1bIzxEL{iOd#bzutlV!+=!y*AF4p%?V7+5Wf0_dRX}?26nyV%LdH?7!CCP| z!aZZf1_QWwi!FFWU^^oYNWGPa!+_csB7g5*zbH|6cr>)g)Hmp-jT!Ko#t_{`FlDd}G z^YP6u2U9d91~r7-y4g#5x*#6_LzCQpc}m|jEG1@TWhK8lr}?w-YLZOc{k(4f=;)x{ z4kVru@F4j6_kKz<@87@Q^+Ebset1|`+*4WAZYl4(`4#rOv2$7F1zo?*dU=T3TOO7W zk%g)?ZPrc@qul;Dkh3^`1=B@=O)ajjMsC)u`7(|4^+m#P)e^gYp80t2o+7|b%Uvjn z-k=m78?*1m)Zlav2O{G5r?Lm;u^pR=$kg)PZ*MsHaj3qcdV+f+S=`lYuLaNOvmG;F znJB2JmK^4{V*^(KXqcS?WS9~b0t50Rsr70)fsTLjwOU0>$^90lAD>)e!C=v-K8G)Z z(}#$|bhK~v2@Nj|6;$QX>r%fE=HEhl^^)xPwwrR_bx3fA4;Mrc2negeD= z6-bcv8uY<{+>NA^@_p3d_dzCVaqH4&w$t398_rPm8p7x+BXB1WlPf) z?ODW0kMgBtk_Ow5Lt4xIpMEciO31!cd}@-_GwP`0A_%OEO*rb;L>Y&uDDzySH=mm? 
z6J$6q^~I|vk>i_9qnd`KL{R4L!x33fQCPTCVrd-#!6>-70Whc~aATZ?;RA0>Im;n= zg>BUv%j4dP!>BDfx=z)^?w7GERM)KuA?GdDqIu6I37h9zMYNh$_L{ns>N>ygNR90; zMN20-PuJps8r1{zVzb~g{faoHF|~b@^+d1$x}n(r>7$A$ARAUywJTPmbi=|x5ccwX zw_hk$xPC2R$MTv0OLhT1--lHfj5euW<(KKd1iTX%sg{^n(G&wnkVlr4KyT%-_uAQO z7mq9a`S04IOi|FuMhAf?gyDcKFA+Vp2sxcB?>Wrww*nc6vh>H)v8#XL*l*1V)V$e24-Xb*gR1BLpYdD3ka9CP`;GSq1G?Pza@w9(fLc*qSY9R` zLlrBmPQNyDv^$NLPstid|HCJ$wNGkrhw<&4n4hh4W2ipo{`xq%d($tXid6^H_kEVNkG2!#rn&h9YIhu>pKVM>ASgfGaCEFK9D8Fwz zfvQf24OyY-=FptC8$Sd>d!(VPpzl&))Aw~j7&s%yZ~y3-Pfue(m3psqQomfEsz?pm znX%Wi(ix05*Q2DQgk{?xp@Z>SK>te&+>onx05e^Gdgr7?V%wxmi`s}R-s~he&LlSq zWrxJqtJyC6G0Jm9zbto7}OVlq1QURPOqi6c6~9o`@=& zU0pbymDs^SE$|cy04>Ra=>-F0X7(_uH9f3dGp;Q-Y_4bdH16*# zMXu|8zQ@&DjfG}6dJ@?=CE#y0*YnHXZAn_|<|upD(gCuqKaFpt{Ob6CW*>u5d0&Z0 zdImr-2R}dKD}EKl6wWDTXpXcWDKr`noNP-GI5q(GD@Qa&huY|VXH}Hry{zLBQ_Yu3hscGE4D0|12|x73Cbqoj=+NM3)YZA z^O^6o*MRgQqp-~gAJ8mTB4CWrM@DE9sw+ANy#!t%uJeH>T|&fYH$t}Ejd$UPx2W0c^2@h?#c|k;m~K?5P}`6v$$Z6^5i}*nmLYu$+KiO@m6h2* zh926)-WCF8lfgX0^7Dn}0~)2~cjxIq&iBGeBdmN20cr~XQX5`u&ovjTetvrVck2bO zVXc;)_-YoQF(~H)7+t-#;-+YLEJ1yZBqRijBHi5ju3B)gr|TL)H^*=FRMp)!VhAXF ztA-trRtpsQ156hcg+fttoy)XjcvK*+Q$#}ZK{1Ul*r7v@%I{BHh0h0b3=#D(&o#Yg z|0HNy7zZY=cE%qUajZ?3|tyx0w5=- ziXuqkRW_Eu5}&K~29}=gi+vjJ^X9Vu{WgUaT%DMMJS#q-*$@5cw~og@YnDKzO@pd7 z4$DUUqz3O60BN8F`PrZirRwlqY$_|`f7As4E2`4#A7w=g-y_AkgLNgs4qFj_Cb__$ zaDNPAL|s5&3`m@;7Q(_Md<5H@m#~F2#ok=`GsHX>wip-@#2Tk7%L+wtb*-2Ia^wqB z(yhWYDh~{hd3BAlhwByjAIuh|f*eTfTcP{10s|^@Op3cEfUL-n zcJ}{Q4Bce}S8^K^Y>!J8qBCSy)ugAJ__Vkm>WRlDH$HGbQ3i$aSuzLpQ$d4rCx*bw zK6wytw@-Y8u%!gh9|QJO#l3tfB4I9)^kOz24)1@(kIIvo7yMNWt~w|jcg1|zK?KXc zf<=^8dgA}|_!z$HDOid2|955iTLMw{Y*Pqg_{*)QSfL<5Wjhk^#+Gw$r7%4`TCiW5 z6Ks3>_j5G_p^tZJ`3;fzKgl9^^swg(+d=;xa_{^-E5pB4a1%|kd&V=kU5x;QY46f>*Qr5?{Gx8b&Ig~DUMVc zeGvEf-@CvV_K#UGMMV2u`*s4io4hCN4O*yUX!(Zvg3pInWv#S`#MTXaUp|thXysXUKqsb$q9*pC~5e3FB&FE zpK^!)4i6Y{$$w_Y^6v{q%(9TIQ#)CXvPGas)~K^S3{-c#B|C&SH#N;#RlU|}W4xXs z27eGS=CI7&Ez-@IZkcj8h(06{zl8sL|4;9`zPyrTTJ`v;IVoR6c^lH6t;{-(md|b$ 
zw>|FOg2vm`7{e1(m-ao}ha;gIS@?5Q$Ujr>8U3)%7~HJ0pKCurmz!`Vt{cQHbiliK zOR#9{eV-WE^6oS{If?l$gMv*OHj%SamE_rEEQk&=E1)|@IVBJJTg{1 z9Cf%eC`O%=(dH>yItZbm0nJGY!f=T|c!_b%+R%tq6C&>x$cp%&tc2(1BIaqL>4hCQ z!_GtinU}!-+PsLmOGS`)(`C#qDa4nY(kzZ4JTwK}+2j)~mNYD9B%$8gOT*w6w$F6S16}91d-h;`RE2yYU@P zV#xFX-Si129`dYQ&EEb>6RbWcc;Ai%D@p(-Ryw+qeNE_iN7{xXJM0OmM*lLkhkQQ@8vS3(Ca*KZay!<6|$YoEjR4ITKowpa}3&% ziNDE+5Eu~D9`W+mtTwPyA5qtpYF(UsE9JU|1DILh9TGI})jG7ESMM{i-R4qvv{biO z9C@IxR4ce>88^QAd!->i|5f%-8b8K*a6KyOO<0rFW(@I$V0!EBsMkA0hKER{mi(K+ zEGgFjKp6b!{kL@eCv+ue<*Z6Br%q~{0atw$#;2v0wMP3$dtIz=(}Sd2I;yCsu&`V* zgsMKQ&G+Q5q`SL&hYNiJL}cyTw$`H>+u~w*wdEMSg%5=V*v;Az$x_e8mY;0S_*|y) z!ga%w1*pd#N+>lHlJWz}I?medbfdxLbJ`;KGs_)ro&`!@KO`gkj!;TtY%Z zcPSA44KBA4Ya`Aa__tB86#e%aorDQd6wF_{9T2_Z$Akaf;_Ex}hZW9?JW5GObInoq zTsxS1^@kqK`_xQ=GOzj?CU}(-%eSE552g>n|wI9^9DU*gv)FFH1&Or1Ue>8kI2qy|_8b8G(uOVkoHb;eYo;KuhNNA?u z>qc1iLDOGCwTG{1Rr6=H_rb@Rpf!0pIfL0^&i!F!uJ4dz6h{c$bbp4KI@b{}Xn-zz zs2DexJHytZ{4TCnB7$4v34~>OcQY;N@8*SqO?c_NzC5>z%d6?HC&WDn_}x;iS}`cT#Pv8b}SGI)D<+^#dZ zs4tu{tCZSF`CyWe{ILDRk8tx3(A|3n3jf+_1(#wjZp!-Kv9<**s^|+sXzajXzYeY& zRK5v6XH`*`aD@T-F0GTZt2m&&ol65LG3XDp*7c)}$N5%N^|36fZ8hmsp-lF5{Dkku zIo*p$vc`2^8NW`pTr-OcEjQ#ftu;F;(It}Ad;j3g0)^o{tWQ$}@|5DCj9git`3|Jz zAO{;YXj<`ZypY43|ND;Y zC(L&}2B(YcTWgT(x1_n?!#K-t@V}67>yYs1rqHF`bhqtm=%v%Dm5Ohm=^a%R(H76X zb-vuc@r(r3rv3NdBLwDO>7e&%d5_{GZjkKL3;tNNA zRC@WhkI&L20pA{DtViqpFo6yGK+%*rni3Twd36YziCeP}(TniP;&^!+rEzy}6_PPpJWJaK zmz11+s_HS_l!(^ygA_%(0&u}=c*52OzY^zc; zQxU>@T4>4u4lQm?=CpcV=Pxu3fn677(XV;he3KyL9r?i`nGvR2x!p&H;TJ$J^ z@p273aOjL?y=hvpi`VY;>)W4OhP5Altv)Ht``0ot>m!gx8~k%acs;NA4Ahw}owe`P z8nq`ABtp$==_f^9ixiHoJwK5opbXWdw64~t z#Aio_}up8)r^@?)9j|0xW6n^9pT#Kbsm-5G*xB7{?S zGjd5@41}7gS9-KpXTs3&?CE4L$hfE5>dix^Gl!jV2g^w%Jk2FU_L_E(q@<|&;Q|LA zDc2{K_@vMT`w_)7&ghOH=F&PleRIJ^g_Ml3F3XqjcxoHf+;(1fyTy10c!Wku#xD=| zA^~9o>y%PtLGSH!g7hcqp|GrgNbywp_J49o3~jqmU~6XIb9ZhD8nZNX@m4kWopKU+ z8bt|)3>3-Ix6Gd@5pJY7MCnV(IMFaSV(w|KcLQ%T7n3~<(qYxzXgyR+XfS^VhZ`ec 
zU_*3@x~$U%?NGJ|xa}~y(D8Api)X2#cnNh4BY~m5u{|L>@)gn!R(+qYH;y|3SKf-e z`V0CCm&WtnErXYW=MRZvJ2id zcgGmGL|STU4le#Ur+YTHZ5le@hKoaV+z}n{E{f1T0btkYkn=Y+q% zE^F5vdK0R)-4MY|KN1781gdN7*`>mF248mD8oaWN9^>Xir#K->QXaaiS1YBU73{N$ z)#C~^LaB0)-9iz{c#$et)G)h}L$6o__~R5#9EsPCq=vK!nmWcCs^yF#H+&?`%?{TZ zlFGNlvc>C&NajEsu&c@J>FSC#oh$Q2&#=Jf=;%gg96p<5&aw1iE#~v72A8I!QL(^4 zupoWSOhU?Tk#JEb+h#+zr%IkdQm>ZY5}NlCc?vZ<)Y6rY`*#-S7rexu{sK5iN`%`%h4?~+y!CytGc z4O&+rP+bBbco_*?>svzHv9HX1cS%C6fek6IRCcQ}_)PPx=RY5`P~a(m=rGZvu!J6)cR5 zovQvq;h>O%GCsYLL%M;|;=Gei2!(y=8zVlpt)FC1eQt6--YqAMH$=W-)A$#7oaj^# zO<4gP2y7E`L~`Mc3m;G`0B6!euIT@#Li*na{NJfneqAXra1`C*rOJkYe;O(}%H@id G&;JiMJRV{I literal 0 HcmV?d00001 diff --git a/book/source/diag/user_ids.svg b/book/source/diag/user_ids.svg new file mode 100644 index 0000000..8845160 --- /dev/null +++ b/book/source/diag/user_ids.svg @@ -0,0 +1,499 @@ + +C0A5 8384 A438 E5A1 4F73 7124 26A4 D45D BAEE F4A3 9E6B 30B0 9D55 13F9 78AC CA94FingerprintPrimary key creates a "subkey binding signature" to bind the subkey to the primary key- key creation timeComponent Key (primary)AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3certificationUser IDs From 9be2dfc5394f597fabeb19bf3da7f81d15bcd20a Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Tue, 17 Oct 2023 17:57:39 +0200 Subject: [PATCH 45/56] ch4: shorten "Linking" section; most of it goes to ch6 --- book/source/04-certificates.md | 83 ++++++---------------------------- 1 file changed, 13 insertions(+), 70 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 2aaf525..5cc3945 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -23,7 +23,7 @@ The following section will delve into the OpenPGP-specific layers (2 and 3) to p For detailed insights on structure and handling, refer to our chapters on OpenPGP [certificates](certificates_chapter) and [private keys](private_key_chapter). Additionally, managing certificates, and understanding their authentication and trust models are vital topics. While this document briefly touches upon these aspects, they are integral to working proficiently with OpenPGP. -## Structure of OpenPGP certificates +## Components of an OpenPGP certificate An OpenPGP certificate (or "OpenPGP key") is a collection of an arbitrary number of elements[^packets]: 
@@ -176,80 +176,17 @@ we might need to write a more nuanced text here, about how DKS and primary user The OpenPGP standard currently only defines one format to store in User Attributes: an [image](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-the-image-attribute-subpack), "presumably (but not required to be) that of the key owner". -### Linking the components of an OpenPGP certificate +## Linking the components -So far we've looked at the components in an OpenPGP certificate, but certificates actually contain another set of elements, which bind the components together, and add metadata to them. +To form an OpenPGP certificate out of a collection of components, the certificate holder links these components together (using their OpenPGP software). -Internally, an OpenPGP certificate consists of a sequence of OpenPGP packets. These packets are just stringed together, one after the other. When a certificate is stored in a file[^tpk], it's easy to remove some of these packets, or add new ones. +The OpenPGP term for linking components is "binding," as in: "a subkey is bound to the primary key." The bindings are realized using cryptographic signatures (much more details about this are in {ref}`certifications_chapter`). -[^tpk]: When stored in a file, OpenPGP certificates are in a format called [transferable public key](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-transferable-public-keys). +In very abstract terms, the primary key of a certificate acts as a root of trust for that certificate (as a kind of "certification authority"): -However, the owner of a certificate doesn't want a third party to add subkeys (or add [identity components](identity_components)) to their certificate, pretending that the certificate owner put those components there. - -To prevent malicious addition of components, OpenPGP uses cryptographic signatures. 
These signatures show that components have been added by the owner of the OpenPGP certificate (these linking signatures are issued by the primary key of the certificate). - -So while anyone can still unilaterally store unrelated subkeys and [identity components](identity_components) in an OpenPGP certificate dataset, OpenPGP implementations that read this certificate should discard components that don't have a valid cryptographic connection with the certificate. - -(Conversely, it's easy for a third party to leave out packets when passing on an OpenPGP certificate. An attacker can, for example, choose to omit revocation packets. The recipient of such a partial copy has no way to notice the omission, without access to a different source for the certificate that contains the revocation packet.) - -Note, though, that there are some cases where third parties legitimately add "unbound" packets to certificates (that is: packets that are not signed by the certificate's owner): - -- [Third-party certifications](third_party_cert) are traditionally added to the certificate that they make a statement about (this can cause problems in systems that unconditionally accept and include such certifications[^flooding]), -- OpenPGP software may add [unbound identity data](unbound_user_ids), locally. - -[^flooding]: Storing third-party identity certifications in the target OpenPGP certificate is convenient for consumers: it is easy to find all relevant certifications in one central location. However, when third parties can unilaterally add certifications, this opens an avenue for denial-of-service attacks by flooding. The SKS network of OpenPGP key servers [allowed and experienced this problem](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html). 
- -(binding_subkeys)= -#### Binding subkeys to an OpenPGP certificate - -Linking a subkey to an OpenPGP certificate is done with a ["Subkey Binding Signature"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-subkey-binding). Such a signature signals that the "primary key wants to be associated with the subkey". - -The subkey binding signature also adds metadata. - -```{figure} diag/subkey_binding.png - -Linking an OpenPGP subkey to the primary key with a binding signature -``` - -The [Signature packet](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-signature-packet-tag-2) that binds the subkey to the primary key has the signature type [SubkeyBinding](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-subkey-binding-signature-si). - -##### Binding signing subkeys to an OpenPGP certificate - -Binding subkeys with the "signing" key flag is a special case: - -When binding a signing subkey to a primary key, it is not sufficient that the "primary key wants to be associated with the subkey." In addition, the subkey must signal that it "wants to be associated with that primary key." - -Otherwise, Alice could "adopt" Bob's signing subkey and convincingly claim that she made signatures that were in fact issued by Bob. - -```{figure} diag/subkey_binding_backsig.png - -Linking an OpenPGP signing subkey to the primary key with a binding signature, and an embedded primary key binding signature -``` - -This additional "Primary Key Binding" Signature is informally called a "back signature" (because the subkey uses the signature to point "back" to the primary key). - - -#### Binding identities with certifying self-signatures - -"User ID" identity components are bound to an OpenPGP certificate by issuing a self-signature ("User Attributes" work analogously). 
- -For example, the User ID `Alice Adams ` may be associated with Alice's certificate `AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3`. - -Alice can link a User ID to her OpenPGP certificate with a cryptographic signature. To link a User ID, a self-signature is created (usually with the signature type [PositiveCertification](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#sigtype-positive-cert)). This signature is issued by the primary key. - -```{figure} diag/user_id_certification.png ---- ---- -Linking a User ID to an OpenPGP certificate -``` - -(direct_key_signature)= -#### Direct key signature - -```{admonition} TODO -explain metadata associated with this signature, and that c-r prefers this over primary user id. -``` +The primary key issues signatures that express the certificate holder's intent to use subkeys or identity components. It also performs other lifecycle operations, such as setting expiration times, or marking components as invalidated ("revoked"). +Binding components together with digital signatures means that recipients of an OpenPGP certificate only need to verify that the primary key is the correct one to use for their communication partner (traditionally, this has often been done by manually verifying the *fingerprint* of the primary key). Once the validity of the primary key is established, the validity of all other components can be automatically determined by the user's OpenPGP software. To a first estimation, components are valid parts of a certificate if there is a statement signed with the certificate's primary key that expresses this validity. ### Revocations 
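Review bot: the removed block ending at `#### Direct key signature` carried two statements that the two replacement paragraphs do not: that implementations "should discard components that don't have a valid cryptographic connection with the certificate", and that a recipient of a partial copy "has no way to notice the omission" of a revocation packet. Unless that text is added to another chapter in the same commit, keep a short version of both next to the new "validity of all other components can be automatically determined" sentence, since that sentence on its own reads as if a received certificate were always complete. The removal also drops the `(binding_subkeys)=` and `(direct_key_signature)=` labels, so any cross-reference to them needs updating. Minor: "To a first estimation" should read "To a first approximation".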
@@ -272,6 +209,12 @@ Note: certification signatures [can be made irrevocable](https://www.ietf.org/ar This section needs writing ``` + +In the past, the SKS keyserver network has accepted third party signatures and added them to certificates without any limitations. This has caused problems: anyone can add a large number of certifications to some certificates, which opens the door to a type of "vandalism", by growing certificates unreasonably, and making them annoying to use[^flooding]. + +[^flooding]: Storing third-party identity certifications in the target OpenPGP certificate is convenient for consumers: it is easy to find all relevant certifications in one central location. However, when third parties can unilaterally add certifications, this opens an avenue for denial-of-service attacks by flooding. The SKS network of OpenPGP key servers [allowed and experienced this problem](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html). + + ## Advanced topics ```{admonition} TODO From 9d79096f2498ccfae64a611a199d707239b6cdd8 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Tue, 17 Oct 2023 18:08:42 +0200 Subject: [PATCH 46/56] ch4: flatten section structure (And remove todo that was moved to ch6) --- book/source/04-certificates.md | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 5cc3945..55e8bfc 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -46,7 +46,7 @@ All elements in an OpenPGP certificate are structured around one central compone OpenPGP certificates are typically long-lived and may be changed (typically by their owner), over time. Components can be added and invalidated, over the lifetime of a certificate ``` -### OpenPGP component keys +## Component keys An OpenPGP certificate usually contains multiple OpenPGP component keys. 
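Review bot: in the `@@ -272,6 +209,12 @@` hunk, the new SKS paragraph and the `[^flooding]` footnote it cites make the same point twice (third parties can add certifications without limit, which enables flooding), once as "vandalism" and once as "denial-of-service attacks". Pick one term and keep the detail in one place, for example a single sentence in the body with the link and the background left in the footnote. The paragraph is also inserted directly below the "This section needs writing" admonition, which stays in place, so the section now renders as both unwritten and written.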
@@ -61,7 +61,7 @@ An OpenPGP component key Component key representations that include private key material also contain metadata that specifies the password protection scheme for the private key material. However, in this chapter, we're looking at *OpenPGP certificates*, which *don't* contain private key information. Each component key of such a certificate contains only the public part of its cryptographic key data. To read more about private keys in OpenPGP, see {numref}`private_key_chapter`. -#### Fingerprint +### Fingerprint For each OpenPGP component key, an *OpenPGP fingerprint* can be derived from the combination of the public key material and creation timestamp (and ECDH parameters, if applicable). @@ -78,7 +78,7 @@ Historically, even shorter 32 bit identifiers have sometimes been used, like thi Component keys are used in one of two roles: either as "OpenPGP primary key," or as an "OpenPGP subkey". -#### Primary key +### Primary key The "OpenPGP primary key" is a component key that serves a central role in an OpenPGP certificate: @@ -93,7 +93,7 @@ The validity of the primary key limits its capacity to confer validity to other In the RFC, the OpenPGP primary key is also sometimes referred to as "top-level key." It has also sometimes informally been called "master key." ``` -#### Subkeys +### Subkeys In addition to the primary key, modern OpenPGP certificates usually contain a number of "subkeys" (however, it's not technically necessary for a certificate to contain subkeys). @@ -106,7 +106,7 @@ Subkeys have the same structure as the primary key, but they are used in a diffe OpenPGP certificates can contain a number of subkeys ``` -#### Key flags: defining which operations a component key can perform +### Key flags: defining which operations a component key can perform Each component key has a set of ["Key Flags"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-flags) that specify which operations that key can perform. 
@@ -126,7 +126,7 @@ It is considered good practice to have separate component keys for each type of [^key-flag-sharing]: With ECC algorithms, it's actually not possible to share encryption functionality with the signing-based functionalities, e.g.: ed25519 used for signing; cv25519 used for encryption. -#### Component key metadata, including key flags +### Component key metadata, including key flags The key flags for a component key are actually not defined *inside* that component key itself. @@ -137,11 +137,11 @@ Instead, key flags, together with other metadata about that component key (such (identity_components)= -### Identity components +## Identity components Identity components in an OpenPGP certificate are used by the certificate holder to state that they are known by a certain identifier (like a name, or an email address). -#### User IDs +### User IDs An OpenPGP certificate can contain any number of [User IDs](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-id-packet-tag-13). Each User ID associates the certificate with an identity. @@ -157,7 +157,7 @@ Also see [draft-dkg-openpgp-userid-conventions-00](https://datatracker.ietf.org/ One proposed variant for encoding identities in User ID is to use ["split User IDs"](https://dkg.fifthhorseman.net/blog/2021-dkg-openpgp-transition.html#split-user-ids). (primary_user_id)= -#### Primary User ID and its implications +### Primary User ID and its implications One User ID in a certificate has the special property of being the [Primary User ID](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-primary-user-id). 
@@ -170,7 +170,7 @@ i think crypto-refresh suggests that the direct key signature should hold the de we might need to write a more nuanced text here, about how DKS and primary user id interact in v6, and mention the differences to v4? ``` -#### User attributes +### User attributes [User attributes](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-user-attribute-packet-tag-1) are similar to User IDs, but less commonly used. @@ -188,19 +188,14 @@ The primary key issues signatures that express the certificate holder's intent t Binding components together with digital signatures means that recipients of an OpenPGP certificate only need to verify that the primary key is the correct one to use for their communication partner (traditionally, this has often been done by manually verifying the *fingerprint* of the primary key). Once the validity of the primary key is established, the validity of all other components can be automatically determined by the user's OpenPGP software. To a first estimation, components are valid parts of a certificate if there is a statement signed with the certificate's primary key that expresses this validity. -### Revocations +## Revocations ```{admonition} TODO :class: warning -This section only contains notes and still needs to be written +This section needs to be written ``` -Note: certification signatures [can be made irrevocable](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-revocable). - -#### Hard vs. soft revocations - -(third_party_cert)= ## Third party (identity) certifications ```{admonition} TODO From 2cdcd6aebd9563e47eefbf647575843d51613ba7 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Tue, 17 Oct 2023 18:15:59 +0200 Subject: [PATCH 47/56] ch4: adjust fingerprint in text to diagram --- book/source/04-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
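Review bot: the `## Revocations` hunk of PATCH 46 deletes the `(third_party_cert)=` label that sat directly above `## Third party (identity) certifications`, and the commit message mentions only the section flattening and a moved todo. Any remaining `[...](third_party_cert)` reference will no longer resolve, so either keep the label line or confirm in the commit message that nothing points at it. The same hunk also removes the note that certification signatures can be made irrevocable and the "Hard vs. soft revocations" heading; if those are what "moved to ch6" refers to, say so explicitly.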
diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 55e8bfc..4aab196 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -70,7 +70,7 @@ For each OpenPGP component key, an *OpenPGP fingerprint* can be derived from the Every OpenPGP component key can be named by a fingerprint ``` -The fingerprint of our example component OpenPGP key is `AAA1 8CBB 2546 85C5 8358 3205 63FD 37B6 7F33 00F9 FB0E C457 378C D29F 1026 98B3` [^keyid]. +The fingerprint of our example component OpenPGP key is `C0A5 8384 A438 E5A1 4F73 7124 26A4 D45D BAEE F4A3 9E6B 30B0 9D55 13F9 78AC CA94`[^keyid]. [^keyid]: In OpenPGP version 4, the rightmost 64 bit were sometimes used as a shorter identifier, called "Key ID". E.g., an OpenPGP version 4 certificate with the fingerprint `B3D2 7B09 FBA4 1235 2B41 8972 C8B8 6AC4 2455 4239` might be referred to by the 64 bit Key ID `C8B8 6AC4 2455 4239` or styled as `0xC8B86AC424554239`. From fbd4126a63328a03248d16001a6148421a9e5c2d Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Tue, 17 Oct 2023 18:16:24 +0200 Subject: [PATCH 48/56] ch4: move misplaced text --- book/source/04-certificates.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 4aab196..d7faa78 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -48,7 +48,7 @@ OpenPGP certificates are typically long-lived and may be changed (typically by t ## Component keys -An OpenPGP certificate usually contains multiple OpenPGP component keys. +An OpenPGP certificate usually contains multiple OpenPGP component keys. Component keys are used in one of two roles: either as "OpenPGP primary key," or as an "OpenPGP subkey." OpenPGP component keys logically consist of an [asymmetric cryptographic keypair](asymmetric_key_pair) and a creation timestamp. These attributes of a component key cannot be changed after creation (in the case of ECDH keys, two additional parameters are part of a component key's constituting data[^ecdh-paramters]). @@ -76,8 +76,6 @@ The fingerprint of our example component OpenPGP key is `C0A5 8384 A438 E5A1 4F7 E.g., an OpenPGP version 4 certificate with the fingerprint `B3D2 7B09 FBA4 1235 2B41 8972 C8B8 6AC4 2455 4239` might be referred to by the 64 bit Key ID `C8B8 6AC4 2455 4239` or styled as `0xC8B86AC424554239`. Historically, even shorter 32 bit identifiers have sometimes been used, like this: `2455 4239`, or `0x24554239`. You may still see such identifiers in very old documents about PGP. However, 32 bit identifiers have [been unfit for purpose for a long time](https://evil32.com/). At some point, 32 bit identifiers were called "short Key ID", while 64 bit identifiers were called "long Key ID". -Component keys are used in one of two roles: either as "OpenPGP primary key," or as an "OpenPGP subkey". - ### Primary key The "OpenPGP primary key" is a component key that serves a central role in an OpenPGP certificate: From e066c2e7a2bdbcb06fcfb82610fc3735aa6b39b9 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Fri, 13 Oct 2023 17:36:21 +0200 Subject: [PATCH 49/56] ch5: writing --- book/source/05-private.md | 64 +++++++++++++++++++++++++++++++++------ 1 file changed, 54 insertions(+), 10 deletions(-) diff --git a/book/source/05-private.md b/book/source/05-private.md index a0bf8de..9820dec 100644 
--- a/book/source/05-private.md +++ b/book/source/05-private.md 
@@ -1,26 +1,70 @@ (private_key_chapter)= -# Private keys +# OpenPGP private keys -```{admonition} TODO +Historically, terminology around OpenPGP certificates and keys has often been used inconsistently. The pair of terms "OpenPGP public key" and "OpenPGP private/secret keys" were commonly used (while the shorthand "OpenPGP key" can refer to both, depending on context). + +## Terms + +In this document, we use the term *OpenPGP certificate* to refer "OpenPGP public keys": The combination of component public keys, identity components and bindings. + +This chapter is about the counterpart to the public material in certificates: Here, we discuss the handling of *private key material* in OpenPGP. + +In this text, we treat the private key material as logically separate from the OpenPGP certificate. Operations that use the private key material are typically handled by a separate subsystem. We think it is useful to think about OpenPGP certificates on one hand, and the associated private key material, on the other, as two related elements, which are usually handled separately[^pkcs11]: + +```{admonition} VISUAL :class: warning -- Consistently consider private key material as a separate thing from Certificates? (like in pkcs#11?) +- OpenPGP certificate side-by-side with the associated, loose private key material ``` +[^pkcs11]: This kind of distinction between certificates (which combine public key material and identity information) on the one hand, and private key material on the other, is also applied in the data model of [PKCS #11](https://en.wikipedia.org/wiki/PKCS_11) cryptographic systems. + +However, there is one exception. "OpenPGP private keys" are sometimes handled in a format that combines the certificate and the private key data: [*Transferable secret keys (TSK)*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-transferable-secret-keys). 
+ ## Transferable secret keys -https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-transferable-secret-keys +Sometimes users handle "OpenPGP private keys" in the form of *transferable secret keys* (TSK). That is: a serialized format that combines the OpenPGP certificate data with the connected private key material, stored in a single file. - -(encrypted_secrets)= -## Password protecting secret key material - -```{admonition} TODO +```{admonition} VISUAL :class: warning -S2K, symmetric encryption +- OpenPGP certificate with integrated private key material, as TSK ``` +The TSK format can be useful for backups of OpenPGP key material, or to move a key to a different computer[^gpg-tsk]. + +[^gpg-tsk]: For example, with GnuPG, an OpenPGP key can be exported in (armored) TSK format like this: `gpg --export-secret-key --armor ` + +(encrypted_secrets)= +## Protecting secret key material with a passphrase (using S2K) + +In OpenPGP format, private key material can be optionally protected with a [passphrase](https://en.wikipedia.org/wiki/Passphrase). This mechanism applies symmetric encryption to the private key data in component keys. + +The symmetric encryption key is derived from a secret that the user knows (the passphrase). + +Using a passphrase can be useful when a third party can obtain a copy of the OpenPGP key data, but doesn't know the passphrase. In this scenario, an attacker may have obtained a copy of an OpenPGP key, but is unable to use it, because the private key material is encrypted, and the attacker cannot decrypt it. + +OpenPGP defines a mechanism called [string-to-key (S2K)](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-string-to-key-s2k-specifier) that is used to derive (high-entropy) symmetric encryption keys from (lower-entropy) passphrases, using a [key derivation function (KDF)](https://en.wikipedia.org/wiki/Key_derivation_function). 
+ +```{admonition} VISUAL +:class: warning + +- passphrase --(S2k mechanism)--> symmetric encryption key +``` + +Encryption of private key material can be configured independently for each component key. Component keys that are associated with the same certificate can use different mechanisms for passphrase protection, and/or different passphrases. + +### S2K mechanisms for symmetric key generation + +Over time, OpenPGP has specified a series of [S2K mechanisms](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-string-to-key-s2k-types-reg), following the current state of the art. Of the specified S2K mechanisms, two remain relevant today: + +- [Iterated and Salted S2K](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-iterated-and-salted-s2k), which OpenPGP version 4 implementations can handle +- [Argon2](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-11.html#name-argon2), which was newly added in OpenPGP version 6, and additionally protects the passphrase against brute-force attacks because it is memory-hard (which reduces the efficiency of attacks with specialised hardware) + +### Mechanisms for secret key encryption with S2K + +Different mechanisms are specified [for the encryption of the secret key data](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-secret-key-encryption). + ## Private key operations From f16f4f341d1360c4ad95b6237916b6f90813d281 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Wed, 18 Oct 2023 17:57:47 +0200 Subject: [PATCH 50/56] ch4: add "advanced" section about primary key metadata --- book/source/04-certificates.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index d7faa78..644d1a5 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
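Review bot: in the `05-private.md` hunk of PATCH 49, the passphrase paragraph states that an attacker holding a copy of the key "is unable to use it, because the private key material is encrypted, and the attacker cannot decrypt it", which is unconditional, while the next paragraph describes S2K as deriving keys from "(lower-entropy) passphrases" and the Argon2 bullet talks about brute-force attacks. Qualify the sentence so that it says the protection holds only as long as the passphrase resists offline guessing, and that the S2K mechanism determines the cost per guess. Smaller points in the same hunk: "to refer "OpenPGP public keys"" is missing "to"; the links cite crypto-refresh drafts -11 and -12 while the replaced line and chapter 4 cite -10, so settle on one revision; and the footnote command `gpg --export-secret-key --armor ` ends without a key identifier and uses a spelling that differs from GnuPG's documented `--export-secret-keys`.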
@@ -254,6 +254,14 @@ For v6, this type of approach is discouraged, but a replacement mechanism is sti Wiktor suggests to check: https://blogs.gentoo.org/mgorny/2018/08/13/openpgp-key-expiration-is-not-a-security-measure/ for important material ``` +### Metadata about the primary key: In Direct Key Signature vs. in Primary User ID, in v4 and v6 + +```{admonition} TODO +:class: warning + +write +``` + ### Metadata leak of Social Graph (unbound_user_ids)= From 14de863d53edf4d25e480d482cf71587a9709a96 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Thu, 19 Oct 2023 09:26:07 +0200 Subject: [PATCH 51/56] index: add current date; limit toc to "maxdepth 2" --- book/source/index.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/book/source/index.md b/book/source/index.md index b16a683..e56298d 100644 --- a/book/source/index.md +++ b/book/source/index.md @@ -1,8 +1,10 @@ -# OpenPGP for application developers, an introduction +# OpenPGP for application developers + +**{sub-ref}`today`** ```{toctree} :numbered: -:maxdepth: 3 +:maxdepth: 2 :glob: * From 615ade4cfa8d234d0ada8920a3e946bd46ed0874 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 19 Oct 2023 17:30:13 +0200 Subject: [PATCH 52/56] edit ch4 --- .DS_Store | Bin 0 -> 6148 bytes book/source/04-certificates.md | 38 +-- book/source/diag/fingerprint.png | Bin 20270 -> 53192 bytes book/source/diag/fingerprint.svg | 397 ++++++++++++++++++++++--------- 4 files changed, 309 insertions(+), 126 deletions(-) create mode 100644 .DS_Store 
diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..eb788aa81b782b77aea7cc134c0e09cd6991f010 GIT binary patch literal 6148 zcmeHK%}T>S5T308EA`N$2PyjiBJ>SniBC|xOB!jV4GI3>(R~bk5f9#d3!g>&W_JkP zq|u9r$V{32lKI)4eEHc95t-S2F(n!k(GbcwIKZ$&*w5OLfmjZKhUeHUr}ITs)}2T- z{8a|{-X(NOOS-1J=>AO}Kel~km1X&+%3;I9;GSPsZ)dT;_|jjmww{fX6sa`Ax(`(0 zS5Qq?w4gP{o2Uv(F8U)|HND&}eN8>{mQ_^YH_=hO{`~+?xvzE|Rd~GrjtU!JtEQ)h zC&_J9(eX#?PAsNYQ3jL&W#Gpdz@E)A90k--8Bhk4frbJ8K3FJYD(C|GPX`9y0ss@3 zz2KO83C^*Csh|r855$C2U`RF6VwjK)yOp?9&;<S eZ^cJYFR)ua0H%U2AS@95Bj9P!K^gc}20j57l4oTA literal 0 HcmV?d00001 diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 644d1a5..0fe1785 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -1,7 +1,7 @@ (certificates_chapter)= # Certificates -OpenPGP fundamentally hinges on the concept of "OpenPGP certificates," often referred to as "OpenPGP keys." These certificates are complex data structures essential for identity verification, data encryption, and digital signatures. Understanding their structure and functionality is pivotal for effective application of the OpenPGP standard. +OpenPGP fundamentally hinges on the concept of "OpenPGP certificates," also known as "OpenPGP keys." These certificates are complex data structures essential for identity verification, data encryption, and digital signatures. Understanding their structure and function is pivotal to effectively applying the OpenPGP standard. ## Terminology: Understanding "keys" 
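Review bot: the first file in PATCH 52 is a new `.DS_Store` at the repository root (`create mode 100644 .DS_Store`, 6148 bytes of binary data), which is macOS Finder metadata and unrelated to "edit ch4". Drop it from the commit and add `.DS_Store` to `.gitignore` so it does not come back; these files can also expose local directory and file names from the committer's machine.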
@@ -27,54 +27,58 @@ For detailed insights on structure and handling, refer to our chapters on OpenPG An OpenPGP certificate (or "OpenPGP key") is a collection of an arbitrary number of elements[^packets]: -[^packets]: In technical terms, the elements of an OpenPGP certificate are a collection "packets". Each component key and identity component is internally represented as one packet. The other common type of element is "signature" packets, which link the components of a certificate together. +[^packets]: In technical terms, the elements of an OpenPGP certificate are a collection of "packets." Each component key and identity component is internally represented as a packet. Another common type of packet is the "signature" packet, which connect the components of a certificate. -- Component OpenPGP keys, -- Identity components, -- Other metadata (this includes connections between the certificate's components). +- Component keys +- Identity components +- Additional metadata, including connections between the certificate's components We sometimes collectively refer to component keys and identity information as "the components of a certificate." +```{admonition} Warning +Please clarify who "we" is in this statement. +``` + ```{figure} diag/OpenPGP_Certificate.png Typical components in an OpenPGP certificate ``` -All elements in an OpenPGP certificate are structured around one central component: the *OpenPGP primary key*. The primary key acts as a personal {term}`CA` for the certificate's owner: It can make cryptographic statements about subkeys, identities, expiration, revocation, ... +Every element in an OpenPGP certificate revolves around a central component: the *OpenPGP primary key*. The primary key acts as a personal CA (Certification Authority) for the certificate's owner, enabling cryptographic statements regarding subkeys, identities, expiration, revocation, and more. 
```{note} -OpenPGP certificates are typically long-lived and may be changed (typically by their owner), over time. Components can be added and invalidated, over the lifetime of a certificate +OpenPGP certificates tend to have a long lifespan, with the potential for modifications (typically by their owner) over time. Components may be added or invalidated throughout a certificate's lifetime. ``` ## Component keys -An OpenPGP certificate usually contains multiple OpenPGP component keys. Component keys are used in one of two roles: either as "OpenPGP primary key," or as an "OpenPGP subkey." +An OpenPGP certificate usually contains multiple component keys. Component keys serve in one of two roles: either as an "OpenPGP primary key" or as an "OpenPGP subkey." -OpenPGP component keys logically consist of an [asymmetric cryptographic keypair](asymmetric_key_pair) and a creation timestamp. These attributes of a component key cannot be changed after creation (in the case of ECDH keys, two additional parameters are part of a component key's constituting data[^ecdh-paramters]). +OpenPGP component keys logically consist of an [asymmetric cryptographic keypair](asymmetric_key_pair) and a creation timestamp. Once created, these attributes of a component key remain fixed (for ECDH keys, two additional parameters are part of a component key's constitutive data[^ecdh-parameters]). -[^ecdh-paramters]: For [ECDH](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ecd) component keys, two additional algorithm parameters are part of the component key's constituting and immutable properties. Those parameters define a hash function and a symmetric encryption algorithm. 
+[^ecdh-parameters]: For [ECDH](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-algorithm-specific-part-for-ecd) component keys, two additional algorithm parameters are integral to the component key's constitutive and immutable properties. Those parameters specify a hash function and a symmetric encryption algorithm. ```{figure} diag/Component_Key.svg An OpenPGP component key ``` -Component key representations that include private key material also contain metadata that specifies the password protection scheme for the private key material. However, in this chapter, we're looking at *OpenPGP certificates*, which *don't* contain private key information. Each component key of such a certificate contains only the public part of its cryptographic key data. To read more about private keys in OpenPGP, see {numref}`private_key_chapter`. +Component keys containing private key material also contain metadata that specifies the password protection scheme for the private key material. However, in this chapter, we're looking at *OpenPGP certificates*, which *don't* contain private key information. Each component key of such a certificate contains only the public part of its cryptographic key data. To read more about private keys in OpenPGP, see {numref}`private_key_chapter`. ### Fingerprint -For each OpenPGP component key, an *OpenPGP fingerprint* can be derived from the combination of the public key material and creation timestamp (and ECDH parameters, if applicable). +For each OpenPGP component key, an *OpenPGP fingerprint* can be generated. This fingerprint is derived from the combination of the public key material and creation timestamp (and ECDH parameters, if applicable). ```{figure} diag/Fingerprint.png -Every OpenPGP component key can be named by a fingerprint +Every OpenPGP component key is identifiable by a unique fingerprint. 
``` -The fingerprint of our example component OpenPGP key is `C0A5 8384 A438 E5A1 4F73 7124 26A4 D45D BAEE F4A3 9E6B 30B0 9D55 13F9 78AC CA94`[^keyid]. +The fingerprint of our example OpenPGP component key is `C0A5 8384 A438 E5A1 4F73 7124 26A4 D45D BAEE F4A3 9E6B 30B0 9D55 13F9 78AC CA94`[^keyid]. -[^keyid]: In OpenPGP version 4, the rightmost 64 bit were sometimes used as a shorter identifier, called "Key ID". -E.g., an OpenPGP version 4 certificate with the fingerprint `B3D2 7B09 FBA4 1235 2B41 8972 C8B8 6AC4 2455 4239` might be referred to by the 64 bit Key ID `C8B8 6AC4 2455 4239` or styled as `0xC8B86AC424554239`. -Historically, even shorter 32 bit identifiers have sometimes been used, like this: `2455 4239`, or `0x24554239`. You may still see such identifiers in very old documents about PGP. However, 32 bit identifiers have [been unfit for purpose for a long time](https://evil32.com/). At some point, 32 bit identifiers were called "short Key ID", while 64 bit identifiers were called "long Key ID". +[^keyid]: In OpenPGP version 4, the rightmost 64 bits were sometimes used as a shorter identifier, called "Key ID." +For example, an OpenPGP version 4 certificate with the fingerprint `B3D2 7B09 FBA4 1235 2B41 8972 C8B8 6AC4 2455 4239` might be referenced by the 64-bit Key ID `C8B8 6AC4 2455 4239` or formatted as `0xC8B86AC424554239`. +Historically, even shorter 32-bit identifiers were used, like this: `2455 4239`, or `0x24554239`. Such identifiers still appear in very old documents about PGP. However, [32-bit identifiers have been long deemed unfit for purpose](https://evil32.com/). At one point, 32-bit identifiers were called "short Key ID," while 64-bit identifiers were referred to as "long Key ID." ### Primary key 
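Review bot: the `@@ -27,54 +27,58 @@` hunk adds an admonition whose body is `Please clarify who "we" is in this statement.`, which is an editorial question to the authors and will be rendered in the published chapter; raise it in the review thread or as a TODO admonition like the ones used elsewhere in the file. In the same hunk, the new figure caption "identifiable by a unique fingerprint" claims more than the old "can be named by a fingerprint": the fingerprint is derived from the key material and timestamp, and the footnote just below explains that shortened identifiers are unfit for purpose, so "unique" should be dropped or qualified. Also, `{term}`CA`` was replaced by plain text, which loses the glossary link, and "the "signature" packet, which connect" should be "connects".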
diff --git a/book/source/diag/fingerprint.png b/book/source/diag/fingerprint.png index b462264b79f7fe5d9237b7fa769f76ad96878d96..dd54dc807a5f2a575827f9f62cbce51d1ee80053 100644 GIT binary patch literal 53192
z9?rw%rlupQBnR42M@M!+3?zkf6*fWyDhA&EbQ8HxntQP`7l*TCj}>kHBFS{Ggx0Z7 z(NL+92mdr%0G^Z^QS{5@=f%Utrj_Ao1K{j=3k5bw7~4&ioDZ5Jm_-mu^P=N%xDPyo zA0Jm8g@1^lU}15YvQHblz{0wl^EqsCq3}2sw)rp{H6$KN6+sO^3@h+@$PxPGtGsJ9 zx#g^}BnwY0nO+0jFK`)l%nzagLaXbW^m?YbO3Am&rvAk@b7iH=^wylr6;6c+LkixA zvPpEWE)0>tQh^JqPTAIeJUTy9EKlY~al3*WwC>1S_ozS2UXXK7|BZt7T0^}>%#Dp4 zmB!58(odIfCg`!k<^m+s}4nWKRzAC{8BuVhxXT9+6T1u2q;ZeFfkbdWHu0w>ADA z!@oi48Di9s8f%i^9ar10nF)K>c8(8?MT&~5yNgele@zroEVT$tu-|{s77>XhP0EMx zB0?!O*f|Vd@i;xwkuU{R<=Rx27xt%ly@lRx3sisqjxJhMs^sA{=<}v!f{~fA>4?Ox zg_nny_c{O?T`R$#IZ{M&@)09-ed%-{EWL5l`hzvLF$NmF)F=468;ulZy064l>yPcu4Y>Mf^zHZXUm z3D&6ClVoH}!k!f9k9Q)us5D~p@~BVdgGI<^Q>x6Gd#F^tX%ax~b$gj)t*y&yb8}Hu zfFFX3jZN8VBxifXILU8EcXAQ>#h|_p|GkoIIhIWno*^bG9 zl*rp;L$G!6o>lrJ%dDFPGS?O?tpjxprjmI&A4Px`3TSWsfbQR!Z{9X5L4);n5wG!O zL^o)@ghwTxL{&?-7*?k6l_W<`PHAiR3~dwO;B$ah-kH-7(vh0jl9=k=clI{#b5M;0 z$kM%8KF@y@KC<}%a6#_nPT<0ZE7q?Tz=qVv5i?6j@33M^mrjX78c6J4)@bdfEsJb| z4naqHcDBN+PJb$AjQdRDHqtF|l^0V{_?8mV@f79Yyzw{9WqEODy6`1xL`2TXxkT)t z9?K5jI3POGC=zJs*uqV4q0%k=?qhu@=0t@!(L;u{RUuN%+=WTl_?dulagVWhYq&}7 z_=V79M_eyk0|83N?-C_d7;`eL_W~5qC%ET*5_Asn(GKyH?8^9LCWp@ades#_W~j$g zdSs)daWNEVz?b#A44D3{3nQH{4#*oYHC8W4TRj~{qlA$=mdZ3Ja{T!YLsl0yI8->F zL`4C-L#EpBq?RsBcKyohrHTJuClV$69U5uAd)evLRr}9vcs#NGn;b6Si;!_ZCrvP{ zhRdU=OuA%A4On|2HkkC^=dHwdgJCa%8s7iU761Q>|NGsb<#aVuO1dwY z5xo!KYiXIdhx}W{y?<%VRxn=kRJ~;N=*O3eKD@7Aw9jM0C66!&!EpM}$jC7(%>-gjP#Vg2d>oL*_tyO%B^s z=H%63Zr0W^Fuv_Re8o58Mf0*&(j=c<{l3vfK>c7T(t>U|O3Or2Y{jy;cT-aIYaEB_ z)RfWI{b=RGAEUy9C^qzegrUtL%l<}s0-}9q!>Zz9$c>j;w$ycIq+NL~B)@$9h;8za zA*?AwDG%1T@oxKlSEIr)loUti<-4`fV9C+nRMl7OuC`W{M03Y4_1VVU{kAg0EMLsY zalL{OxgAb~3$Muo1$x&t9Z>Z3&(S{q{Y!SIau#E>mhNM)-Il`l04c!S4_(&xCf2vA zHJL9uMHPJPt;ePWp$jkYF>>up+6sQ+kO(udS7)p`lLn_|vY}2QWBZkbUQjzlM z{&r18VZF!Al&tgRKuLO~I?&l8Hkvd{SPhrrO$%)m<%whAPAZ30UxCwVFu6nj0x|b&p71I zMo~OTTehL<-#3FO;;^L+|D5&26fLfwab{4KX!Ub>psYyDNm?_q!^7X7jNMhQy7lcVfQ?>& zEjK(oFRW+Q>6gj&=YCW6p_Xk-xt1F`h8GdzW;7^IrORP}^@;}59jvKC`1s)opz~X6 zelOBFIEY3uk{TViva(fmX?8t&?;wo=3{qd-l@ahYdho`1VgrKt 
z`0PTozFZF*XX#(*)%St|0=DOO}1UkE+uZ@H)$H_*AH=1xYgnXmyYJ>+=G~}gspbU_Z1O_*=^qJT-RCXab(x_Fu|h#?`BKKKS0XUyKbYs> zPm~Ue?cL`wa6B*oiEH46lKuIfSf}oBuO^!U3i!=OEd@r;QaD%X1l^xnv4h4bd^TSs!afchIPfOu6vGDo|I&yH zr;!k@*AIB~-|O0-|7Qd3zCp_DJLWt{kJzu)mTTZ4}I?^)3F_G zLCWo?{g&uL_`}RB4h5c0kEVG0rjyuQ&p!l(AmmGEM6^$rNr7Pl z_lChrK*XScwD0h=0PQm+vG zy;TOIX0v@xb5&m6fqUusyU9d}3=iz5hsYy$nBR>b`sA(}R#DMV#*rZCeTM20S$@IOsa76r`Fa#&8pw=DB@Y~LS+nHUDa1CO3B#G7hgY=i@TxmE*KI!)@Kjwaleu37dO%Fv9}>66TCHE! zZ(oOa&hn26^LL zv32TfrN9u(^>z0Z7zHCW17m-Y76#rgfInN(S2TA%X$0gkLHlK)6yH5nXx-QDP~)}X z_2U_p(O1Bv+0OF#4A_pIL4LU{`@Yd@gLiBMlUXeX6HWZ)=g3jSZ0Ia4r$_`~f)EhL zU$H6noP`1T-Y|oCz4PFfqn=&9HzAE@KRxtZ8H`oB01`LoWS#VGYvc|eWH&l_!dNJU zN5|MlKKpkf3!Idw%s!X)MG@IS4DBje}Fu_Z}zRHe@9N^=^y#t8raF-tJ zb({wS8qmU+p<%I+E~w%Dt%DapMIjSe_B+y3pu&MM$04q^`49*o$`__sgqf#a({LkW zV06C1TEv2AR^Hk{FTvNt{Q~lr-my@VTQ3-2gM$pJH)ONj193VNwDrKZYrGFg<$c*9 zPF~M_UT`8ipz|bHBJSCP?y`VpgFRV@e`55%*%|R_bN*ln2pEj$lsA!@&Sn`u*n2Di z{&x4xi+aOKO$Y?0`n)NefXyPn<^lKmk%#Qhd|~cFGL8b^gDKUn#)M$MBnfPoAq11T z#wNeb3&F{QvwqZn4w5Qx^XjfKy$aGj`1u}G-w*4S6!~sjDNSczl_~xh&q;}wVA%V4 zN7FYs{|f_j8`Z0`IN6sLDtcL~t41+TpD7k4Qq_(62ZqJf)N1D+o;~Lj!pZYn7GCin z2V^2}(P4u)ijwmRBe73H!GCsl)f@j~@axxIVgmjt7IE<)d22q6Fm zg>v~-INddcRECCvL9$sWp_9NC4y0>ON0X!tSyzUOi_3j=lgE%V6;?y{XPYU~>ukCe z+aF^DEEcvt3UdtlRsfCQm+>U=6|}VO>CudqX7=%E8PzT~k}PRvEyl1HQ5G#yh5x1K ze0+N9Xdr3E@+u;4{y}(2ep)s+4%oVK0XE>`szpA&lCsTg^%b^gB!||jPB-kIot_4W ztv)^$eY>1e*U4|1nwo<9rD$#`SlN@AMm&86eDHeOEF_!@B4b;ROZP7^I0~ULD3 z)YIGd4iwH>8$?2r6lWY0D^S#h|10W1dH(ZB5RjaaYSvTy(b)pYA@6=Ly%n(L)3Yp6 z@u1%(G`KVf$p*8rJdKKgK`j^V;6#wIW3l_T;|$X6`%htaTo9M05Nn5nVz+wL(OGw| z`DgZG-f#3hP8zF|TzD{##75m-V^HuTj0!#Q5}Guaol0zMzohoqv>NiYV{W^*5e5`G znHfpBli^dF`*kM(4-0+q874OW+Y4ZVgDBcDybgt7!_^A2fw0Kv&c|n#ysm;2tzH-J z+)I8{lZInEw&t-Y^V&yIfkX)WO`ivo zlM<=8hL<9oe@r*cH&~+e(De=5F4Pd^(NJ-6_KeBQD79l)M1@j5aa*j2fnQsMM^;`Fj( z4K@6`LWDaXdD&6_`sA(BX^$=J5Fn+&Yy%+dz9nlI4pf;!Ec&h>Q3Ccn z6%yzQ-1i5ze}Q?OdMaZO%7WKB39t}1;!cMR?B(*HhcHCA-z{G0^`ZW|K!WY)kU0nN 
zY{i5f+b5goD*()T4dx~Fy4Jq#lX_pY2SfbBqqUXj6-lxB2$N_l#6U@BhUx$Z`=kCH z7H{8UcIzFcU9mR_@1uO$SS!!lYJBa>B@)v}h8+Je29^f;ys)+VMtcY~B{eECb=4KY ztk)>B%vHc)CfyN5?w3C`HKhRy*?VhE{d{gC9t!bvR~~eV=q(TCiWGKsbM?0JMn+T= z-sgN8<=>OSW-Fa|bn1^94xC;%IXg?_j{(g{E+Jgwn`C|`n8CJ5m-(@lAbq4Vxg5Kb zqA7fLN;1BuFL(kZTO}NdyNvQc~gUjY!?Qed+SkTq;*glv(ym4u4 zZmcxjMU5d9QV6}Yt*ozJzYoTS%~>iG<~!tv2tI21sdy_b@<$Qha60)JbVz0UiVkiK zf13M_gB19sTPoIRV}}i*Pk2VkWv$x&%FO#NS_1_mc4grP4V{E9ZG>!Ir7TSZ5iyul z$TMS|UeUk&@ms-m^38;%jE&|gF8u;z~5-c-wFzu~_xO0KO39M{(H z!XkMna{ukDbo?qr;@CNXE7;u0$RJH+JMbz{$Q}?8aILcGWvt$=v0aR>*Z2D|p*-d` z{`0FMo&#I_i;^j9a)+@RJz%K=5JI1nqei8J`M$cX9F7jg5! z=kN&6CpRR`(p=nzZrtA?f%;fi86H#=YGm8(sN#m zQN5Lqs`#L_pOqEU+A4Gr7$|d~bM>iR zxaQN;w=}L2orR;Foql=>g?E-}o^}b)+p8Zgky{g`THR~DOiZ*Dt%6Cb;?JG#ucg_m ztLz;davi#n3g8Hm&JSk;fi_~lHKdhiVyw)7e|@8t>uVp^E78~8ovA3Cp|qtvaHPio2RJD z%|t6UJ36`i00xLn zMh&)FnfL3G7?uk^SLIC(Y;5hc)map=S_B96WoIWRgB8f$RD5<6($Psz&l>ISZXF^7 zlakupcIy8g|Nhokn$!&l{D(`bI=$9*+CnfrI5J?g*f;!Bm9e@UUJThNoF+mH`Gmq1 z1gPublGIaM>z_}Y|BJP^jH;^p!bd>_L?omoMY_97LAnv??(R+%0qO3N?&i=3L`u55 zySw`?-rxOyzIWVlKR5=Sv-duGtu^OdGoELz{zQ&I07*nRKMIMc+b|FLiJq1Czw2tR zk2apQ3RIDjYvCtR_4c<->B<#^e<22d3x2Ue%og8padC|mv8}e9u7JR{-kc6sSeS;I zI_J}a-t84YVq*HEZ+rlgktH)4anQC2v?=lv99L#jiXa`1F04il zu6)h~S4d!pK7a5^KkE5Sz@L9VNMijjYc3j1{rbP}LdX@d{`(F`GK>2Ep9dAvHo-in zw|uoVY)}#WV5tZ+V_%CJ)u3d_z{nh7<|NAZBt6iV^uCb*hh6Wfa<%^X@8pRm!Z*IQK zwIfpz5R9v+X!Z1LO1W^FuB~ySzx(uAs%qxUU{uNdF=FX@XX)Vn=3ecE0Q6{LilofHe!=wWLw{TnIU*5-%?yW znuu7sI@nxuF8&4Oy{2GeipckU^6%(>v$%izkEjWOlvemZ*~lVfJv-fIIp7QbESg-) zqcO+4R`~Xft-B}0hc-8QjgNO>;!JR+gn}(l(9k0_Dxr_9b*N2`d4A&TwY|Vj zHg$*h2U_0b^>r*z-90{ur(vO;3kcKv6%=N?9phJ7S695hIv-te{EE|NQ3{Zu3vdaQ zXFA>AWA9uvpH7i%ms6Tr(9y+*`XC9JCU`nLf@!JR1Yn~Ke$+qT|GhFfnEf=ge0#Ni zU)Mg7Fhx$ufvFz*7rEb%IxmZGB-r=BlvmCauJ2 zWoe!bxPGZe$LLCj-rYF1&G#}6!tD&TBXZ+=_ncot)4k2UR8I=<)V1j?kEoBSdG7w4 zxlF(Tp4V2ZwxFCGA>I?|BV$>dHkLg>&W`%4li{9!{p5^--$VOlLhcr{wC!CTMGBQM z@a$}(e+1Kx@B9jp2aN>^#}j8^VPRfQlsc9NUt|~ndV$Fq!q}QcnT^c$%vE}t5bcFj 
z5c$a`jEr=-r=%}Ey+h^uS-Vdr94M&rkB3^DULi;PuBbqF<>H#Hv5}1FLIE3YUVZfz zV};L}$u9gvu4_3lp^$qp03T;7731-F#LloViHe>Lg{OV)?f?#0fyzXNjW#a;TpCus zAn`ZaJKbM^ghoermAOD{E0hFjneXR5DYwgz=!mWQLVjUFOVzNMrT ztLt{?ZVr+O2>9g(qPES=6?gDtXBkdcI^vFuRDxXD%G!ZwQ*9|ji;4TqjZ6j$0fD8Z zj?c-{FL{aQCLy0iyMK@E9A6a+gU&PsyGO2LQ+$ACKGQl#c4krSF6V-}^mv?Y{`6}_ zer00^_74!&8P{cWS$wV>%>=o;M8Cj@3dboO4TzaolZ*8<)RYOtrDn0)DzD4itP&i)KSbI7<1v8k6vzvq%9+!Kgpwm+A)*yIf z+_QzLr}n-+%x{syc9SJdlUwxk{6B!rf+UFT4uc4ObQk5N8D;>);FI;EQja8$W1 zn=m{)4JK2O2^qGR^#CuJ_xVKF49{}X`eUg|3PteB3hwi0q;jKMA9V%`*-QrpD;+L0 zcx!FD#Yvj`LNk1gZ+a(8zElC4f**Xy<7&tdmRGTzn#8g zAT6`#^MDUMSh@vKeT4Oj?Wxbou?W`0E{5a>$ICKK`x3F1B-WTAwimZ=nwdIJbcj z#D;AoT~nWmCs>V!Kf;tiCVz^5R%+Ej_x2DFJ}8Eh7Zz?$s?&Qr!cyt=aDdg4aSsm@ zfwnCVqEEG&Yum|^xsR=a&}XnTjK$ZR7Sz_XQ!>CzZ=0M9AoU~8H$KY)uB%)IPhVE2 z^bFKh=t%bd7tNBl|89VxiLvQfd(FF-lVzgd5yw|&Yf=`pfI$rUv5k2NT~O`9BPwQl zK$M1#R#pZxkT)@ih}y5Os8;sZJNkEowB~fb=WVVU+5h|fo!w#@CQM@h*e3M`3kCq` z*YB4u$0W9onuUen4Y#5_`g{e3#%Lu&`d4_+#@bMe(FsXw(u7UxfQ)=9b#5g2s@U{Psa0uMMrTk2bKUcz|`AI{j zWROz|Z&GP_tH@m-x4M;fHco4pTeyDfK$jk~f|_#2vaU(RRa($XcTF22^ed8Q8IgbY z2EpW>KafINH8Hv)0Htgo&4uL@15hYCW@nR0@@4WoAVqoJ5IBpG8c8x8uL}mBjMhld z!(eT7zaJBhWaEs9s@iH}7b7SO_>mjC&eT}1)A6p&l8i%|u{yIleY2HmZicQ2kZ$uTixAi$K#U`?|4`Y2uef0#xsE1m z=gact+%yW0y;|~03y(V6w6hs~8jd}qTyNbj+$?=1DYc#r zp@Ws^8_0a>FWmRtf}20+Yk7x#h4}7*zQbFheCpZRl9t7Qt+jeUgtmPI9jykUI}E@| zpGaJlt#52qdqz}#@!66ivU7Ca0C|tWbUs@g-|K%YSy_f=izSjl9eZLabyni#Q)87P zeAVQYiP?T|m`g;alj2p08o8^TEJG<2K`@{JhF_cBZ{H;yoV(o#Fz?fb{>6 zcaR$g5xcO+dr3>n+hrgl3bKsY%$!FWyOvvrn9CAdOIAMMU_@~q!&3Jw*DX~iCG`ET; z$8mIa)}M~?gPpz{3ZHBJ)7K0I zbw@uq1cX@+Nzn@*h&f3v4{d9SUECZn;CvsWywb`rq$zs$R-glKR~glse8`ZWw3H0) zLJTwV4ewkwcmv8RA|r(EqJ3QtV1EO{LlOP?+pyglnv<6oztGUlz-nc5%$Lwg{VpFj zU_fCbE{zY5kkx7pATxhLHi{=<=4&|Lz9*;eSFQ~%QtF&qm7?l24h^Gw@K9pZoLbl{IZ-V(LZtT zl(be+nM|X$Xc#ZhIYod2EjZxl=;(rjg9~&99N66KTL-{=jn%FW8R_UO$_mBkui)A? 
z%wPSzaD3vKnNB>IBd}*kA{o!&A=7}se=JryS-_O9TJ2EGD%0ZZ6r3zr^`&~E0A`7& zUHolSbbrgMHB%#3H)=zi$HC^PY`QwT)jSY`uA=t#_kLg$%j8kr z&Y7h1bEn4zNZ&FDp&Vt z#&@pQtC?n;AzjL)Du&kHrL9_`I#;LvpviW#v$L`IU+$B!cAd7J8ZrDhr3h$BCh^t| zH+Wm*2IHq_RcPb#K96*EI>?+jYwIqq4y}Xq4Y%W^R?^mBPY;cwuQ45Uqsm-vCF@gR zfAe8ic0kk3){InPPI7SyjbeYj2p0`nW9p9=jJmF0VE+X(p#8T~`vsuB>lh~Wv)RJ~ zJqfPeJkK81nWk&K5gmO}hGI!f75IL~n^z#KM467RZq@zO-=9%5!O-0|I$7TMtX4V@S+;i# z?9Wz56g@u5By%tBU%01z5Tq5_JVJ~nTybWGrR6VTU!>>zFf#VTK*1&T{aLiCcbw?Ix26v zDEf^e*nEEL`g|bYnUy_X&SSVPdHN$oA4kpfUrd@;)G9QVFVi*Eosu6YAbD3?3gkg= zG+!6cpEztMUw#WqsZ&x=P?%kzr?t`1fw~B&tIw1yRlMWV)bzO6w~sN!$L50C%-4kd zRl0qbtIY+GaM$t`;F2Tyl3cwNdPa&$I9&cY`c>|fhB{4{u6JWr@I@3Y<67fIic}g* zgIiJZ>U5K+`vpEw1se?aqndh;0nf|*t=_nCDaL_=hL#2%8n$*T-PYTwyk4Gn1R@z3 zK6(>9hWGY%Bnx>mlvfr8g$mT$OBE+jnq%+%PNA(c`F{|>5sgIOf5Hq}O`ma_ zF}VW~t1agr zWi}-qD-h2{tgL#0(Q~kk4T7xckl^DtTpjlq0ne-I?ef-lkK^c|nvvnn9#yyW@Z2cN zetp^=~ z#?gT-mP_O5OF5Ex|Jy`1oRDwux=uIWChZT#Nhcu@(ap6Vl1%D34V_A<@m3j>-FoyN zdxU|L484^9576*13Z$m{ybtRB0=Er#L_FS`gypRl04`EXM#=)XXYxAk_WjxduIiL6 zT;WrT9tmf-!fr0-A>+tpA%NL1qs~LfXaA$WpB_|o{>vTjZYrqndT6I?F@Z=kGUw$B zfiSr6k_ihH=rO)Pp0~7cz((>}{DkH4Sw+-UP6-!gd}_x(cSmkalD=zVs5{gWtvb({ z8Few~atLShU@1h-w={mXb29uW-7Q)UA}wd^M9T7g=gG!!BFONKRbP*W0#uwqp$NB&wB@~0#xJcqUV;Z;N!mZW`CNz-9jU~`F!M` zS=f74Lr^{$G@Lqwf;H{;xB zSm2~po{GhAlF4eRGUkBK`#!4DTDQ_l+t+~5KRUj357gWy_4<%o@cP>EFB#+M73&(m za~hvB$Zs)*fsDV9e8yj(*j1q9`CQWqiphsHbm05#t1BjS)$g4~{-UN(9hojSI;(hW z*{aoUF_!wp_*LoOC?paV^MTj#gaStR%d30q{nMyv@0PN;CgbMCCqT&VI3*OS`^Yr| z-}PM#QYI41Obq3!}8%g{f@Fn8=ym%hH|^d^IEZd|los?cbpppyNR&U2T+{z*~U zgbn_iaHaw(F~8bdOw4S1r}OHbiLFMO^V?n7WcGd5$I>av>+65}2djrOj+gv?LK#*b zTJ3Wo0!zM%G{%zhL!hr3NGRMXsftRL-DyphJaBzgpH}h+0Yxk?5(Zpxyesq#~ z0}l_cT)Z2Rwg55r4A!+obFEWC%msZMF|e`ybaa1~M?@6%eak(iAjeB#0+k>7OTeh2 ze!p>wJx=?zkgQ#r&jnC7B_(NqJxxxYfMsQ?{@368cW@Giib{O!5_n~-tZbDKNZU-0 z!-1Ta@CyVuH|;dqEipc+-huyv1=!#bQ&fB#m5>FBoZTS02l3H}8F4CQ_ol9QZ&ZN< zOykQ*<2!;ihA!-Fr;fb*%*v|2-90zqlx-u0s%q}5)I8Yxfp01{=GAMpxixnmVbJ8O 
zkWUBVY3V~Us*&;If`7%Xv#w#ihQHJ(o!LGnK|t9EE8EzE(^m8rx=%HnlC5Lk8c5g~ zTYb!kreiB)ag+|8I)-#;6hpX?oLHbbw(({}AO#2(@wv)aomZy{XJTzFtFTa| zI#W?u+18bJZf-0^_@y{kPVXjO=nE|tV9h0!_PpsTH0za;glNbX%61q-CxHh`+l*IHQ>4WL-qzZh_Gv>W-N^jE#l^u@t@x>Gr{-Yd_TJv2ad$G3mmzJUt~x1}p#zjZ$|?b+r+vswS~#D@esCaIo37v3#&?G^tD+pQ`+Ua=Lq} zW?#?clc01sVb<~Px5C7lXt>ze*YL2!Iwsz1CRlN z!^_Kl!rM1+1RTbTj{;uJHgPk(Y%mZ3=ykymOhB!fu?pF(+|?rgQ@3s2&xXX9FqENM zo1wn6My0v2kO$oMq-J9>I(b5ll()ad6$J8xZqBWB{R;R&jpYP=c*kj9$S$(}`sFiM z8ZRXfWbl7>Qe6K;@5-Ab9nh%SjFQCTxml1{C-#_QBTb62r zBBsi+0-E^Bop!r^saRLGmhp-2;X~9oH;sj3Fm7z-D8Y^*g2LqrY7rx=_MLtr&olUf zHZFL{C#kIkF7Vf{`d=E^d9uavI9tS6!dh&Zrn-;34v`Aygs`tE&X(4oNhL{A0J^}s&eLXm42^#7p_)3Zl-LU{{qy3P6Ry8v{F#( zXJ+DNUMPauQy0lt8S{xyR8am|E!(MTi*bbuvMO#8YMPp3xnB?)l}`)QNQucWyo;G@ zy-iK_=TZL*R-g+mRRl!bq5`{~(PEgQ9z9(ucWg}&H04;s=$oO>%&DJ{kS{XxPzuJi z>j%n|zgWEhjERB(r)#6p{ae>05k>E2b%bhr>bK&%A*|KI$p7x64y+{N zJ-f+{NFm-sK@e1frV@{}RC815i)uHg3WI8iyYB?+STHk8#<^$cmB(en!5XqXoe?u2 z=)O{v!}PppADK<&N?_!qaGYaI&28HvVa@ZVTHF~S5ZX#9=XZks40Xyon(n%qK6<$T?0%sS|Iut?ojoS|!=O0H-ivIP+ z{~JnOrg!PAmAf@z{;I*X_Y$!Rq0ryXKAH`WvV1?X2Lkrh&Twrr70B%ZLjii-$N&8h zs@d{hx2rsV5BMkfS&9{rjEp-0UEXOIyXy3;hmO9Zy$zNLQM{<3afI~!ae65MLr3ZV zs^s=si4plT;k$L1uFE!79el339(GF*7Q9#qlgoGMfzE^gwL&G z-(KOXQ0l%FT_O9E?DG#Ve&b{qARd~lN}Ip`@xNa_r3N_w=P}M|Yq+`EqMXrt*XJjC z`0>?r4ve&&bF(m{9mSUxbzp#gR`p4?k2;b@2GKi}PzXnRlT%3t#sk-X*K=y19HF?+ zTg{a?r%bzDt5L*(epH{;UDA2``XK}ZwX$xzK^SmYod?f#bUm{KR442CKj&(|guBer zs~ia_2jzlOcI>kcy5(7R??^^;xkN;#x=`F|#S^6HCwvn?u^$F__awUbvS3VOwZduP z3Hd{t-Cy^pV{fqi(X*6xP!Kk)=6ef{@>4Fz%2y6LuMEXNd`VmB^rQ{M$v!RwD$pn7 zm0$wPAv+g*?$L5@$pfYI>CKF+kfKjR7v^u4({Aqg7SWe)w?`tu4NmqlGCDV@IB5>#_ zDahJuj@&v#!=JpO>|6V@%UVfFcPI0T0{IwGFY9@yvlV+XV$p?_l{3qJ(Iu&C_4Jcp zo?@eFzgj!bmEI0Mr!Yv{x4N;L)(dbsd_OR7_3ge0Niq2QfyPL#qIX`YM)#_(YfOBc z^{i^nl;frnmMNp?R|6z}bTBME!}dtI1GkG2!O?LqG_aF7M3BLBnzG<-U2zc_~sAVYA zSqQCE^o@$q*BUMIIBuej!+(8>5rmY2@-4=bZoZiW_C1RS&CJeLXyvCh1&tYn$P5{o zZF(5Oh2*uvF@kS7+Z#r?8L+=K7V0XLW)#)z{I?@BLMzK;?XM0jL&MZ1Rc2{miYDEO 
z;%47!f5KNJ6?(C}Jo+kvHsVDjVN*c=_!`VLV#^PWwI5~7F$Kt90G7WjB7f;4jMD04 zjQz$hmfB0{0*DP3_J-Zgyla%NpVL#`d`mOb zZZ1OQ?4q(TF7gldif#AqO9@dV+p3l6;6Q)3EkEe$7D>L4? z7XO(LjMcv7>KAWrm_kWD3E5frZ?*$bYI7>^?^n-FRSk>RzIgv+;dI9>4B~@1E@XK@ z(6kHleA^oYfyvs(>q##h<|nONWs-m}Zw8nTLq7gGy1yp75@;dmi0=iAg%U7pVV1QI zB&~>EgjH@)W;6AQSgy&&X*?l*?Aj2?>9BqIr+8OypD--@iYe_W{DU?sz9riI3mxVz z9Uft+c@M*qC(LOccsO)t{nw3uWyUqQ?k!tiel*#&k2aiwSq9*r%Rv;FU#K@xe}Ax# zB7IKJHV1;p@Tgx7$reW=<1pt&Y(l5;u!5zBnlMJDsbnk`g)Ec#xZySoWnF`L@0s4_#&JyeEyBL1V*B}1+81_t za{-R(Y7z#>k(7@Op;T`2Zrc%TWD2&N*ZKz-Eojrq{vyt|`d>>ueL-TG6WZ`UDbJp(N-KMvfIyogM|6xHhBH!Lv~*W%}UXGn${oq`SfG0X!~ zkvevLs|$lb5EsTY!lmBB8UFpssDT5kNLXdtQKmvs&rlc@rxz-W++nHx*&*ylgK>;1 zHbxi)0XKfB-1r~OfmP?vmcPw zu*yM{lVbuq4i|=`!fu#jG_QA%uDB1{I0=JKFyEkG1o$6F5Z_byz`aXABQUgV{iU%N zUe5+nB4`3}T}e5K*kEK?$`-OnDqV5ep9Aq*w}YLMs7pgF`MR}JOH~HPC>mkgc>? z6d0aWX6X`RSaJAkVpt-L$<8T=g#)S!jczWS6lzE#zK%B*4y()a=%uA3jX#{elvIl& zmXuSf1u05PhO<#pxyZFmPk+sqNN{GDgraa>a=;p5q+%J$a07*@bbj@*e2A@+x3Tum zWM(Z`Bc32dUjoAeOZ`1HL_ZzVU}rmX3#kf>Y}H6S2p)`Olf^XO1RQhcEFV|L;7Fn# zMR&;uK?hhEjTBn$diF+qJ~+Qmfl$K=nl`C$P3y+YVKvXS?PM1Y7fKIr;#$=2c`xaB zTu>_Cc6EF#brw-gM8bx`8~@0C5Nqy8;j_YP1Jt}*oyX% ziA25Jj&d&Tz_{7;tgQLs?g#(BKd?%yi)`12H}!Z z#Vi@`ILK4;R|02nrT!5Fk_?P<0mmV?u55);jBBz1EHfU^KnkWU3|dGvcxmZH!(a|P zr{Bz+$(^G2Vm2->Y2%>a^H#5AjS@i;e+!qN(nh0cxErNs?d6_*^}WW zVvutki7QZlH8M?a#Ysu{DRtn)af!xShG!cOv^-PUqG#X@^swnYDx?dWc`-CEcONd4 zt44*E&!L)3w$hy^A{nFPS~^5RdJ*MYwI`o4KGms1R{0&{c1YLk-mX1vOmYnzGi9Dd z7#)1W$&@!P|BuNoTxK6zExGyE-?A+o*(cMn)~Qkqw4sfekPEo?G`F^6vSEIXhBdV< zT?A9BM<@}4YI9%Nh`B6iXzVS+HlT+HTJwVbE4w7xx!9o7)&E1r>RQ?2rlXy7tyj^> z{~Z?^K$F_*j%j!rZaF;-ITGOFnyOXU_2gcp)DnKo6jD_-;?7q_FYKaKET78R+A2PS z%&z|>;&a(XK@jN?EkAk-Y9qjr{`K_IujSkJaK^u$H--CI_oe{1MeH$>$;J(}{cMa2 z+5~i1(~fRo67i<(hn~f0$3DH0#Of50S51`rq+{^k1wZSL{=3Nn!lprR)XNwEo;qh_ zY%C2`X-yK#3z?(JPVW>MD!&ZjZiGa)(F08Hw=dKsb`F*dV{7xDl>U1UfIkBf1OGX& zA@&=)MxDShA=cv6ro7`Er{Zz3Hpbl$0zvr6uynYlrAE*5YxxaufA`Fl<-5*!h5&-= zA2G4iR+dLQYVgDAy;&1Q`Oo>i?*1~+D>!XP;jAQtj_qFG)UU1`7}N?0umx5ezXbl) 
z3plUJ$`LhwfUr@dF2Ncv-_teF6&9wQX@EDGv$AHV82n1CKI5+SDlEG|LjEI)t(NwI zbO(995xP4K5*E5zA1)Qu90m(d1H9I&pxoaI;sd)nZuNZe9)qF%S|6AwR@c@70#ii% z``)0xO_ESiVRU}+Fl-_9)Z5#`@SdI@Ro<1V+1AaQmDLe&4#e~6vXWa7!KoA!>AD4U zAIRC`L;LxQt{asm%2(4?4A+=q67uOP7Z!Cw5&}cU;R=*w>p1gW@S}laui2Vd7@hH#pA~dDNbArJO$6CVxvQ2 zZkb9amNR}t`Ede~laa|bL9yLGD3P68!&K^NSZV4X6f?ZlgnCiL)SMH-j9bw0&l5^N z4AO_h^~NJu;|QSBRr6DmD>h4m+FLyqw(P}j-KFuVt`oqZ_wYrdBMMWyzqnXH$ z*b?rei3%gzrq$}76@@X5LS+?xz7jTXPfj+XE$~U+Lvwm+suxV`Yqt_zIx+rh0# z{+WN@+cQJ)7vse5*vl1?V9!0^GQ1!^fsieFG>{O@A|&AR*^UTVE&BYRx~<#X$>&W@ z7cyN`som!ek~7tkR|6R6Vok%Y&|Q5Go6klcbiL|Q`&3zF=QJR%jOOVcq{(fKlQ=B} zNcB%BYF*7RJ2cDB5to;v6nyU8MS>C=grGk|s@+co_pTUHxv_h)y_4B2+@>&wc-(oT z{e6!p$?3z1wee3zx6?Nmizz%&wU+11i(eJ&w6719$qKg`b?Vd}a;tx6Dazpc(&`gl zQo`Tm&0Idd=JU`q_7dUxdB%M->(gp#tj1dKC-`r+p`_eA@y#@qpKY0A-OH|)JW_E6 zUcmecYU*FjZJKdCe(}|7A@OqH%%oEP?TJhVG)j7;C(oML2G#5O5dFTmK91W3sPU0^ zbL3xPBI(Tt5%aH)N0*89efQUA2*Q6?W#&=|t=*pvx{=--b6EHFFz8)2Gwjbg;y@R# z>&$kb0zS0SOfA|05J#=82-IRX$o-5vtGd7UFOMkP3Xb;gYb7P|u$Snj znU+a+Skbv9XsZ<%PRRviI_ZAkFF1}| zBo$Tmi-v9LpkT_+#YYy2_pF|BHqsJ zDcI$Z*}J19K@UumnzhLRWC2=wg1aZGoP%d)F@4M4|&vY zpEPu`AdyL%?do`_gP$AOLy>uMVb>v+E17Xhya{>S_!GrE3n}`N$*OvGwLDSj-CsL1 zr+cS3@Q-=2-g+sjcw`oBcOt_r-WZ1ahdHHRi+; zQ*sw4=XRUNBg{Uj(C=R@(N6lA`?v_WlxVSVh9E9u`YuO&@}VE~EL$DCm0Ttk$6P>lZb(s>y2;r7zVz z|9UqD67If~myw(x6?zF6Q-HZP=vB>@u@{ojZ7+0G1V^uu)!4lK1x@2<;2Q6MCFI2j zNC;#L>M>8{b`07KvsC9l`rGQ7WD{*8dUB_urq&Vk1y{Y+f`rAM#*4+ATSa9PI;B#= zqgT24E;Qqg62+3)OG12%lMgvVbIl$*wE=xVx9^hmWK7iSs_lcjNVfwy2q87K~Wgo@wpxAgD?0$ zu+8t-iuex8!U=hCY;I5aohgHX5l%EfBSy;AQTPg&sN8n-Mp=nbanjJn$MK>S=e{Xb zHMP&5zK45!dgSKCi}{upW?AL=RJAxgH%~+C_yJ)nyV3 zd#7ihhl+Z5X#CA=vm^tsYLX^-Hz>+JKBSJDw%PJSd4TIX#E|f?9EGl>y}vVC2un9b zoKqnYaT`FApY=hYdebJ)v`)nl_zx$rd*2HZv8s)l9lJfQ@0!N) zMBfj!a6|uYG>>Gpx~}XS1*W9H6&B7=T++q%DwRv;R?${6(eXvZm}YM;He}L7S&#qb z4Z~OF>U267|E7y;MRw!RlXqP;?^Y(P{kB_PbQC5M`&SW8MjIWlg zu&_nYT8*`O;3UHf*;2tW#>;W!Q!0A?%+LGjaJbyK7}7&FVQP>=1^-^;;omx6eQsT9 zcC>8DP}yxYLVR5_atkCP;^Ly&wz9ar_){yhJ%+QT$;KRQOQ7JKU$BH?36~e#ZsehU 
zfg%i)!7I3!(=`X&@^8!rqBlJ0v`m@W4ME_s=#poS5swC=d758&&VanJ%+@8rT^qnJdc!oH6M;oMrW>=b9`Ea-L8k78F) zRyjg{*YAKFAjI(#F!0syw~lN}GVyo}@Cc?Dw?=%tZ5(O>MF6&Nrox4%yqSBmHoO{~ z7TeW)j?cnU>6)kaQU4R|4Uat++RJdl5SZntvM}kepkFeeg@qf zx$e}a2U|$Ru^T>Df!tUZ2e&I}e91oln2%rEM->&~aJkx?T;r5vPrBYo73l{(-`XQ? zNvnJ8(a|dP>J{d%Uh`7c0i!#?++OsAXs+VT{9%$6QpTcVd9eHQuJOPl1GQb_jYc@P zdLDFzzN!5iX_b9Z^V}TOcjaH)fq4^K3joJ{*Mpuq@Tr2{g`fKyWyKq!<2xg}XBE}l z&XQxmoR63(k2jPxlz%;&O%)(%Us+qh!r28Uq!I&fZU7%~Ugd@XpoBVSdeZ0TUnq@L z4HMA2MhbxSvUntRvLg7YlD)dTqEP(+3@Q*3M1Ns>O%5@={j)mzJ(hHm5o~Q9o%Yk| z(;>;%ubs|!Mry_rV@w&NVl+Rt-%i->X*FG?kufl&EKa2XiOo{IqAZx81$6O3?Jw007kqNw zouHYS(kSPOjEf72$qqYd>K8^Sq+m#aUtYBu$~0VY&Dmd_ln7g8c!pi;=%jOn(aDFY z0*17UOKpKNmoFVFTNs1@6_o;!R4r?4=U?w&*We(kGfy}gcw!h7x*>Pw?(Pm4`OE9d zEvRRrqM}$>SbBzrC7rZGdr?VA{wl?vvKt=qYEG33iAKx>da+X?V-dbZ__v{Vh6a7B zlppAIM(i0JG(G=!2vkPy)|tZ=G2*BG$4}K=95mF!ET)T`s3gewj-G4U9&&Q902k!T zFlX2(g7&)PZ%DSM`o7TDcrM-DZdIX@<*+Ls5ir*#988qqd#YJa3qa9$NbseNlv!aR z%{R+wkv6ee{|5{3iMs60-qYPlz9qdX*q)@nU85MF>%!!zP&q7df`cXXF9OYR;A1@K(+>k=>Wt>3#fM_YPl#HnCku?k z`v^@*vhV^?l!T0&;q*2Q3^(80$@tpA_RN8XlD1mT)^^Y<4_Dh@jnXWAsKvezp@m9_ zcRo0U$YfwaCb0I?%c%?TRtH@gdk?wvaQ3;)%}q6fNO(L;_bFRmskMNKlM5DG(O==v z{tRi?sMu6FF)`Ha0M}g4ErdE}6iZIRJQL?~4DWAryTF0}@B#DPg%fV|0dm6r-!2X5 zCqV`^o!-4Kid&2wcB|u}2$z=Dv+=R1-}9R=WAe*Z|DD*qp{}S>Vs$Vxy}f9hoV7ca zz^moN|FNswrZ-&e(M~EXyjDoycCcyMKABBUk;}HTKuRct?JnN?=C=v~B7|JGWisD$ z=sR*M56M7{Z8{kXOKFE=Rn^%rf!@ecllu9U4a|?d>$A}(0b%Tn(bhfyvS<-3%gKrL zouH@7MQLL&SzGtndQu@)iKbqpcn0g;6$+gI67u$ZAsoyzF)L=M)nL_g?HNA^+2e|e ziUJMBKUBCd0MOT)iywad;a`-MJ62m0DlIN}F=9fA%D|Bdc=y+a-~hpv4BoWDCGTgJ zu0DKy>v8-yR+zxn0UNG)y#K@f)Nw_OmEPzWRS*r zME!WB6ERw4?1+Fu_@{rS6$8Vf+0V(|KF_vX+--A5-wZN^(FnK=dYwg({VzRF%ei0-Y(x%mLK02yajdiv#ZfKatbQIBPiTG zx_a7QaMr^zz5R1?WHG<+9*Oj&?C{6R)lMmzTnFc-*{??yuC2S;b9)mTWrtFlX2`i8 zM^=%L4v~=Tr<_x69xCZA^Xnv z%1+6BpdLmeAxUH9A)3d%i%lQtRZth!;+{K2j{C^+{!d^xNpgf-K47;v)K^58)itgQA!rU7x{gnUuDVsJ12T+4b)u_iA1WE-bE(`w{3g3D5-99ox%haDn?)uP 
z``*n~Q+_Uz{%XmuTFL!r?JGMwezT8BYiIBTUtx*O`qL~9wo{jltIMlzrZPmmrBm{| z!!CWb?c-dv4tE1z_!criY0Rv)Qoj$D74b61RB6g)Qm*FcBTXj-WZrx3e9YsK1^a7Q z^Tp%q(XrJ;j#BTHxTZR1K6!rrR?Ve`7;`iB<6TYZpb!+($J_&spp@h{v8tTR zhxLenl#_DAu(ifC#mY|iwZ|ngMpa_+4;Daidb33zUrfZLsQ!K#EIT09a_>SmrNg3= zWaE(6pmk_DQ@J?lUM=3ZCF6mF<>zwpIo%B5%5Z8+l!}ka zDZ6qg9@h}g?sB==)aB-QOPvmX)O_`pfq?;>c$W-13WZ}48B5DC`g&bIT_2}$1x2{# z^F|sab*Fngx2nd##2m;?(2@bI)e+H%Hp6_OB34%24aA`9*}U^mMul3b7P~WRkANp= zmN6 zF=*DEfc|$CmP3L%?kh8>#fceix9YpQyFI;xfV-6c2>WDzGQ`f#$!f9wic-EYGI^GF z@}cp2cZNrRs*YE9N&lzMVxR5i7`Un^ObME<_Kg?kdBCw2*#}0sORdrhkwVerhRhm# zP#DDPJ3ZF9>+Q1%atbjP_aA(}xZctC?h1r-4yJokyzkSx^SqjuC?5DE67x2&y|6@& zzvYUaOn^9WtY-^((s5g%p*#3*OktVz%FUF|drvpp!v<>v#{3Xp?}{I|I(Jc9>CMSH zG?h|weGzvf8nqUPM?N*tHREbxsPg%RGyj%!AJcujW899@dHz-PgGPue6TT1N&@LD_ z)@ZeAAErQLI``F;KJffDD;Km}0vQ~O-Q+kd7VW4eD0(_d0>bdq|C(+`+3Q?G$9vIn!p;=AIG(_%$Wx$vRiV$NT8Tr4A%Iw?pMtiCvOHH@c8TglocPCpy10tm^8C*(p zVe+k^d8^eR)7DS%n};tvY^$Ql}&H(Ps5V^mP@$FVJ4 z#$_m)(8^t>kp0v_-HQr`34BiL#omfcKljbT?&AyV*7pyM`k3S|(;=9|!KnD6pcLHQV zkKfYW^V4QI6$QzPWUR40N35*6zI8$K_b-4UpI+e9Jvl0WTt1oKD0ZpxnviSpdJ-%z z{(e`tQAS7OdNrI7JE5pE^XGs|_A3rbe=29}MC&2wMB=@Giq%BNP7YJ5;lHq{Be{qA z3VC~s@B3Skx$?JkDo5m0<;$T6!SLcm%qiAht?b=o97unNu3Fp4u7)T)6FonHBQ6g| z74BF5N}=MaIE-;%$|vE|Gyh2tgsx6kbf#HIO$;a-OiakG+cFs)?nkBN1@80;5__7! 
z!afS}Uu9aCEYPNE zXbdf!k0O&D>fCJOvW~C29fevnA5mA8nk*O}dm`SfcG3aeM(FTy+JS;M1If9hK4g#u zEi^o9c5@pw1J7^Gtp09~xY_#HoG!gTj`1G~E*xW~K){vYU0@gDVVv`Hi6$0km$kf$ zL-{P6oG(>=wrjSTLv>a~Tf3`l(IbV^C{{cgC3@<80%+M(ZMe&tnwpA=W^p`Am>{rV z5sd;~rmsKFhsW7Fc$(TA4<@I&0I-c$) z-UHCZoyx`QrQ?q**bN8A(BHL$qP=&Nvl&we3qpG4HFIxuXMdFu z8!@U`S+QXThpp7=UF{9@F`J0N_C%^@d)G(2hkBsFY~Iq_JlJ32fgMp#yji?sA#+%9 zJ`$9)_J*6*Vu=hhK{vQF9Ux~J10@Y(O)z|p~iaw zHlmWd-=4(p;!1@-?LsG+-WCcMrML(^AOfq~;xb6V*|;yz-bb&V7+hYSDY4Es%tudK z{FatQfoEG&W9VR3SJG12v@Srzm+E~jD9+Ge`ga%cJV9B8|MEaJ@EgL(byt!L0oBRX zq>HPMO4;I*U+4BvXwk@l@uRZ;&-#dGMED?El&+|uYhS}s3VfV;gY&C22Q0e|lq(L; z^C@A-&zg*|hMVBs1fp#g-J0yN_S+%kKmG4tpRS=~-k!fCgK9Y+(5;2paGk6O06h2L zzPIB2^RS}p6(~nwFrxj}`S07v#~JIDAtfuHsg6B=$IjcN7KOXBa}ba1{{9<}4%WIn z4Xb`z%Eg}HeX;3EDOTe8@iFu;?QOr2#rt*YbW~soFdU3WC}00Dn7;o3rww}}EhBqW z!N5&}A|xb4pLp4W391ra-`>V1V=re5d^rBCL*}P%*1%_?{ScXP_b}|i``gCc{9~dK zDAg$N473sE)194tOB=KDBl1;ObhI8W-Wu)u<78^4drH{(I}WPZ{mY%5&yoYf3wv8^ z9m~tX9>>Z34&|OBi&(AY2s%JN^V=_LA({LdeajMCh{vYhU`+jmzX_7tFF7_wv^7lh z(be^}Y<}2XhA29D?AENqk4feNpD*@xuWXz66NJAdH2>Seb*B_t+b_;8?__5CsiY&izeVs?5Sg{*^=s8Z{j& z0T|j>c@FuQ4oQkr@I1YddjnWfb#@!3469$^4rW!qPwESm_PiApx8VIJh(Vg(%P`%r zeI{@_v5kOygGY!XVp04pwu;w1ubb5?7S_ki)rMU&CqRAfDqN*-?QMoR??U?Z0P)_G zC0YGs@m;E>%*=r-cr9n`$py5JGG$ER$dT$J!d`*C(GJbZ!it?>L6lJiK}eO+{MTR7 zfBvOL-z4}vh!l5x^0cHek4SwhIypni=1onnnb9g3l?3s*fPUJ zMOCZmfWLgR^9uMxsHkV#m2KXer!y1%>cD&q72xa|VoGo2P5T&%wq?$cVq%h&8Q$%9 z|C0>O&g&Um^_OJK+IKS`#UT?J`S}@e4wGF@KU3xJKgCB7%6B5}rIL=U&S@FQ4|gma zP7KLIoD^LFH|ONrv>%s4Q}Dn`i!Oq17`1L5$hfsSENmF4XtNJBROG)DcXZaMM(jsR z!^WtE@>^S92J}mQjuwhq5~|aLYj}>~_Xd7!Pt?4TO%&mK{_5WQZ5Oji2NO@PmMf%m zZfQIMf{;lK{|>#^-1Y0ZoBAJQj>V-eb~7vN_5#-&@I!a;ngpuHF$|+n{H?VGZ>FX^u;SzcV+xO!1pcCV1+$a>yVPDd!z z|E+TJptC#G)wch^KWnB65bm9K>XsYz>}9;DOCV`J8y}NSNiG~@A!dJ_(qxk{?C1X+ zUF>~}2O_J;#Koz3MniXne z@fxcCaw+G27ePL;T8UN#(__|P)@;syp33(=?V)eT<@)U*hM;A^%c ze{X3LuJ*Ul4adXk=tI&*)2+A%&d7Lu7<%L1;F~z|aaTH7;0Z?S)^iFr$PUNOyRL?* 
zfCE63hAtu+$n0^;+#9i5jzAiN)1l=v8HgEL&Nhyh%;oV@Jl0xBNWk0MJxWI_Vv;bK&7fW!vweNh0ft^{%_ptx^`0@Q`(L3jfl#AQo$4w4 z#8e%#!C$@JbVFnM$)FT9Y$P5pet*n%*wMTC&R()17=W$)zZP)bq_aZx9ZBqPT zN-7cC-2=<0uNP$my!A=3bbqE*#iP1uf(-LAe|LX%G(<@n9)8D~bI)Q9_6xtg9uL3h$n)KzrS^r=me`99O%59mbq5j3kVNTDB2NjUYd zu`dr6`&5_dH)=Jl|GAb_6{UjSTke)p`w9LUrM=d54wEmFGN$B)L+R*>3rb4%nB%on zbU@EP40vS6uQj`EehU&u4N#mHiQnj@v>8{Cj}Ycnb@sgK$rfII?2S4+j)}fZKB;Jz z1r((}pU(Ddp=LWwk=r1u~;__T|TqL5wyht7~Bb`W&kc5wBlV z?i57F9UZ5>?{&K?1$i5?Da{m<>6ADxokbR}zlFhnKuzn8_J<56kyPF>*fuyMemoEY z{Gvr~o2E`pISz9X-dr)q=1Ly1WW}L(>;bQjofk+?I@Y&XNJexKL zupdU=Ixdd*C7GY|<=Lzh62%*T8UQ2We4Ao|^@ZA_{%WM){c!?UZZ*uYiB;axQZ3lv z-xZY2N#8hso3kCbT|vefDQ?@HDO9-DSzTM&_AGXlm7X;#e3@>D!zK^oyp7%fmEm3XSU~goGNEKhDhf_-MpWlVCbJPfx zw`Tj9WclEzC#JB$gwo{rDHa6cP}3-|)OLkcr>LOOtBTfYuvt`N_|NX@ zCn#lf+IneV0~kBa#`=Zia0cJ`8@^v}FJ zT)aabeqdC)h|BK+a@KNRyl6a*9{0$PiCu{E0hku#V;=)2DhkTVkgBd;|M+Ify%RjB zPbyXnjpZ?gBn_twMRy!(Kl=H>fg7Ex&DiG@grJbY2D&_NZ<4@Ut7uJ&AD6??jfawZ zyU_%KZ*p>TcH%O(Vgg|VK0ZR=k!S_{A%cQ};Ow__e?15r$Rt8Z?b+X59duNG5gInp zWz^Gra9&$qJGpwaLNy}2M56ySzWf{OBR0ZEZt}w64Xtu0FC;-yz~{kJ+0Cs%kehpK zghHJ{DK?(p_2dUCmVoU@uAQBUpg@mLTyO8Y&MrRLqS`r2EtmCUGY*2AT^OP^9o&p| z98+U*xZv(n<4hCJe9>~8l7a<0Rsehr zpUWODDxq?s-#Xb#iYZ24c_wzv=xl?IKE+Y8=ZvzeRk*PoraJtn?B^^u7B=YbLd_Eir(5XDYV zS#b)NOkgz~3->WC1ZAD%mx={Jf`C7$7=5}QBtuG;<+{pk-MTtgZENUnYtGq(XQ)mK z=h8^Rh}yq z4^8M(t{Ofi8c7=yKX?mDnzcfWIOl;Kd)&Hr1YLv0i_Oy9wPa7%4P&@eYWHHB6t;X=A!3|B_Sa{m?9Yd;3c4#Il)0tf4EdPw#)8$ zJ1jtU(+=Diw~f$|mWL>iVhZ%T_mI<^?j(Oa3!Ub?TILwYb>8a-NrR*2NA2>cMQ5l| zc^=C0y(=gZcC=Ea$+Q&`=&#d9P*+48{kI<-vyU%&F-j~-9ugnfPiYKen z;=1`s`?a~S%zCXfN~Ov~7qyB$Zk#Puvpj1p#(NXX=hin-MKO4LxY@Ko{5B`G(YW=_ z7~YL9Qm=MKzEH{Ybg4zs_F{BBOI~>qq28yRqBDSijWr+z8szv#!iAO3`PKO$mL|87 zoF8TXQ@{amdNSHbO7*QU#C`SK0cT52+87&YxQsou7^LZsTLmAbp^9)%X;<= z+R}tnBue8!GAYaR{ylK&0nCf^Z@)jIPWmt!dT#smC6>@B;p$hv=Eq)A9cVU#ZcSXz zKrQXIv!x@7>JWKfJzAscE04t>FM5qCfH>&Jbe< zZMxt^JQn$Jt^1muK3)QE*t7MwVhV@BoX?$4CPvNXvP(l?)&SL4cJNx77r|-eDtirq 
zdW|*Lmxp`JCC^jisIZ&byJwzWPHLr?&PQ}-f9&2#u!_Yc9IWpCygEw{CMG?UReImA z$F5E&NEs3CII`f__jkl8^x#2PJs_5FX5@Tpt-I*?3L~_}d@)njWn1>IRmbv|FV^0E z;y-pAC7u#rv;w){=G=4%e93MgjobWqOR9ZTYF|&8>AuPboIIBWevB5CuAD6U>v^>0 zvtG11n*OXIeBv0KkCLqC2Dd+J+VUqkhWPKgO|EbE8uqFxDZ7IW>Uc)UUe%`!Ij`w= zC3~*ErpM=-cX@Swnq*PQM>5#9vC(iHS*Jh5=*Y{!rOOxU3(-w1UFgsxzxy=ulZL9{ zBsS|@?Kfp`SUy(%7kB>m(?@HYT(9s*-69mu#>}hn2sZi_Qr=d~9gy&9_4|KIGc{+m z?;AQg-uzqBbiLOUp~cP<26p$^ey>;a&5=FDTmPnn?c-dgsS5K&vaKOPiIHv^PHUca zkE{|3N=o0cS+D5%;jRb5Q1t#iQK_&LU9MvT0Q&IX{PCoM^OOoB%6UXtO>Q;i}6Tl3oFDy1E$(L8q?4mGM6@A%#;c!1KpZ9y#%}>^2dxm z2ZwXClPf56#_;FLXO3O7%;^}W*2Q)gA`FXClS0q zQw1BQ<6yT-zF3)ru7L6&5a9qM{hl&Dpn1ZKb~obeA=eME#&?H3$2&0uJpor*(u!fB zh|5-M4N3TCYs+QFqry!VBl5LdWP4L~WFwpGZ=@oj-mNPV2;co}iGqxO#qux{`c7oB z+}$S}^JvNK;?UsX)mQ#MT!5{OSFEq!hTe+7^W1#XiCe`aOFrPJJUT_XICj$r_4_ix zwWuw>W=JWqb%^Ejb?^`Rl=aMh%}{OgryPoa-D&EW^yX)bS@UF{Z+2>$?+!3bWp~VO zwmk-Di%nm@UG(7ji+8xF`pF6CrX@b{LN~q&pD)&JkEB2`9mag-dBb@3vwR<5ZWL0i zkFK|Kn46uEugHmiQ6gkIjmcRzpJ$P9Pqg61Vl8=9_E{Xq5cGrcTFD?>ll)QdC`#59 z{L5~g0}rBB=gkyLS?wq)c(uqQ(&*Nb%g8R%=J0JY?sMlO_JMjcxh|p6T4AY8Q>>GeKQe3vQpgf&Avv zVf!W5)px)bXFzhf8GAAa8h#sU5`DXhNLeb+b_~E?+sPp6%X;LF8hLdmsp!zBvw3O& zW83m?{kzR#Y={JGhrF5=H2d(kgt~~h8@a$!ponU>y5KO64)XA`UGD3#l!@g_9UMtf zhiB1kb;mbCIxxSJlMg{ycKLR+w8g@)hGpqosjXhPaNMr-{ugOjj;_`qZI~-=9G#~7 z`9H;?ro7ml)1%o>mO1?PN;}6gi#6LqqAkkIlJ#uT9|L`FIgXmFMXQi(t2EN(=;q{m&2cDkR6%R^MqeSS#beCK0x$V?$+-s9@;EE|{l?L!jsz+`F8OLBSxy~j*+ z!g$H0$hY-cCRSq_Ner4b8Mp56)%h-&NvvFt%qj4({Y3Gf>?9bRFp#49zM$g{yeA$t z=UCk1Ft=oV=88bFy6OkA7Pdcr?DtO%;q%?_g(dT{ghlH;GWsCJQUdhLKcF$my?@>U zIsVPuZLi865xOC!EwcT*GszpDZJbyS5xW)J?T>}@12d$upZpj53^?a$icR%KKU{fV zlG2-WB?kQb7rwP3ap^!&J@$R^h>|5+z$yU%*Xv;cQ|LM%J(z8c{m6wyB`~V&m zf)v1q!av2gC1atw2WivUY6LFvleJ%26xB%#;&{ zocu^$-)Yo06HIhuydyeqQ&DZ%x2GMH8lNX^^I0PDV=m}#r3> zEAVfkIha#AQfN17YlMs)hTnkwIId3J#=@Tf&L&|DZK$r|i%%BFoYgluZdG7~QL|CL zPXIYV?kGMNqO^$Xn_U5Ody^V3WZ64GCau_j0V)=&wZdW&x7@MYIG!z!&YZ{dT-)vU zW4W$m(MHs=!EmLF2nmwi4~s8J1YgKGSxlbymLl`m{|@?P{C1z~5F|>_kw~V);@Sqh 
- - - - - - - - - Key creation time - Fingerprint:AAA1 8CBB 2546 85C5 8358 3205 63FD 37B67F33 00F9 FB0E C457 378C D29F 1026 98B3 - - - - + id="layer5" + inkscape:label="Chapter 4" + inkscape:highlight-color="#baa600" + transform="translate(-811.81226,-1223.9908)">Fingerprint of an OpenPGP component key - key creation timeComponent KeyC0A5 8384 A438 E5A1 4F73 7124 26A4 D45D BAEE F4A3 9E6B 30B0 9D55 13F9 78AC CA94Fingerprint
From 9cfc933e86a25b5d128df02fffb3a39ce8bf4d80 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 19 Oct 2023 17:35:17 +0200 Subject: [PATCH 53/56] edit ch4 primary key --- book/source/04-certificates.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 0fe1785..31bdede 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -82,17 +82,17 @@ Historically, even shorter 32-bit identifiers were used, like this: `2455 4239`, ### Primary key -The "OpenPGP primary key" is a component key that serves a central role in an OpenPGP certificate: +The OpenPGP primary key is a distinct component key that serves a central role in an OpenPGP certificate: -- Its fingerprint is used as the unique identifier for the full OpenPGP certificate. -- It is used for lifecycle operations, such as adding or invalidating subkeys or identities in a certificate. +- Its fingerprint acts as the unique identifier for the entire OpenPGP certificate. +- It facilitates lifecycle operations, such as adding or invalidating subkeys or identities within a certificate. The validity of the primary key limits its capacity to confer validity to other components. E.g.: The primary key cannot confer an expiration time beyond its own expiration to a subkey. It can also not confer validity to components after it has been revoked. ```{admonition} Terminology :class: note -In the RFC, the OpenPGP primary key is also sometimes referred to as "top-level key." It has also sometimes informally been called "master key." +In the RFC, the OpenPGP primary key is occasionally referred to as "top-level key." Informally, it has also been termed the "master key." ``` ### Subkeys From 23954ef803f27f1579495ef48039b0584a2c3276 Mon Sep 17 00:00:00 2001 
From: "Tammi L. Coles" Date: Thu, 19 Oct 2023 17:40:57 +0200 Subject: [PATCH 54/56] edit ch4 subkeys --- book/source/04-certificates.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 31bdede..34c745e 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -97,15 +97,15 @@ In the RFC, the OpenPGP primary key is occasionally referred to as "top-level ke ### Subkeys -In addition to the primary key, modern OpenPGP certificates usually contain a number of "subkeys" (however, it's not technically necessary for a certificate to contain subkeys). +In addition to the primary key, modern OpenPGP certificates usually contain several subkeys, although they are not technically required. -Subkeys have the same structure as the primary key, but they are used in a different role. Subkeys are cryptographically linked with the primary key (more on this in {numref}`binding_subkeys`). +Subkeys have the same structural attributes as the primary key but fulfill a different role. Subkeys are cryptographically linked with the primary key (more on this in {numref}`binding_subkeys`). ```{figure} diag/Subkeys.png -:name: Certificate with Subkeys -:alt: Three component keys. The primary key is shown at the top. It can be used for certification. Below it, linked with arrows, are two more component keys, used as subkeys. They are marked as "for encryption" and "for signing", respectively. +:name: Certificate with subkeys +:alt: Three component keys depicted. The primary key is positioned at the top, designated for certification. Below it, linked by arrows, are two more component keys, used as subkeys. They are labeled as "for encryption" and "for signing," respectively. -OpenPGP certificates can contain a number of subkeys +OpenPGP certificates can contain multiple subkeys. ``` ### Key flags: defining which operations a component key can perform 
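Review bot: In the `{figure}` directive, `:name:` is the cross-reference label rather than displayed text, so changing it to `Certificate with subkeys` changes nothing a reader sees, and a label containing spaces is out of step with the `binding_subkeys` label referenced in the paragraph just above it. Consider a label in that same style, and check for existing references to the old name before renaming. Separately, "the same structural attributes as the primary key" is less direct than the original "the same structure", and in "although they are not technically required" the pronoun can resolve to either subkeys or certificates; "although a certificate is not required to contain any" would be unambiguous.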
From e7bf063c92d74ead0fce37d4e0c36447e267de40 Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 19 Oct 2023 17:44:47 +0200 Subject: [PATCH 55/56] add warning/task regarding capitalization --- book/source/04-certificates.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 34c745e..795a741 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md @@ -110,6 +110,10 @@ OpenPGP certificates can contain multiple subkeys. ### Key flags: defining which operations a component key can perform +```{admonition} Warning +Let's decide whether the capitalization of F is necessary. +``` + Each component key has a set of ["Key Flags"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-flags) that specify which operations that key can perform. The commonly used key flags are: From bec23c73f79a646c36d42a5f5f49b2df9c06b60f Mon Sep 17 00:00:00 2001 From: "Tammi L. Coles" Date: Thu, 19 Oct 2023 19:16:11 +0200 Subject: [PATCH 56/56] edit key flags in part --- book/source/04-certificates.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/book/source/04-certificates.md b/book/source/04-certificates.md index 795a741..9b8eff3 100644 --- a/book/source/04-certificates.md +++ b/book/source/04-certificates.md 
@@ -108,21 +108,25 @@ Subkeys have the same structural attributes as the primary key but fulfill a dif OpenPGP certificates can contain multiple subkeys. ``` -### Key flags: defining which operations a component key can perform +#### Defining operational capabilities with Key Flags ```{admonition} Warning Let's decide whether the capitalization of F is necessary. ``` -Each component key has a set of ["Key Flags"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-flags) that specify which operations that key can perform. +Each component key has a set of ["Key Flags"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#key-flags) that delineate the operations a key can perform. -The commonly used key flags are: +Commonly used key flags are: - **C**ertification (issuing third-party certifications) - **S**igning (signing data) - **E**ncryption (encrypting data) - **A**uthentication (commonly used for OpenPGP authentication) +```{admonition} Warning +Accessibility. Is the bolding of C, S, E, A compatible with screenreaders? Is it worth the effort? +``` + By convention, only the primary key is allowed to perform "certification" operations. All other operations can be configured on either the primary key or a subkey. ```{note}
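Review bot: In PATCH 53/56, the second bullet now says the primary key "facilitates lifecycle operations", which is weaker than the original "is used for": the paragraph that follows describes the primary key itself conferring validity to other components, so the key performs these operations rather than assisting them. Suggest keeping "is used for" or writing "performs". In the opening sentence, "distinct component key" does not say distinct from what, and dropping the quotation marks removes the cue that "OpenPGP primary key" is the term being defined at this point.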
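Review bot: In PATCH 55/56, the added `{admonition} Warning` block holds an editorial to-do ("Let's decide whether the capitalization of F is necessary.") and will render as a warning box in the published chapter, between the section heading and its first paragraph. Move it to the issue tracker or a MyST `%` source comment so it does not reach readers. The body also does not name the term it is asking about; if it means "Key Flags" in the sentence below, say so.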
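Review bot: In PATCH 56/56, the heading drops from `###` to `####`, which nests key flags under "Subkeys", yet the section states that "Each component key has a set of" key flags and that only the primary key may perform certification, so it covers the primary key as well. Keep the heading at `###`, or explain the nesting in the commit message. If heading anchors are in use, the new title also changes the section's anchor, so check for links to the old heading. The second `{admonition} Warning` (on whether the bolded C, S, E, A work with screen readers) is another editorial note that will render in the published text; track it outside the chapter body.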

zqFOriU@~aGfm>Rr!-n;e(wUJF+-+hSD)4H+eUrDhj-$chQuWSE%l3361t?Li-DAb1 zzi&O00;l}x^?L<{l3M`|82lE1AU{+0&mYKAf=m4GU!P*%{SOxj zKArPFzWV?1tqc+18oLJvbtiV4DUJ?Bu1eBE=C`W(z<^9&U0)rlGLOD0d_XyTpI-i% zn394?84*_ByZG>v*?L#z!mKF*T}Ro8wchE7h>{b>-Q8WC)j9wwgP!Hd$jCTTYK|l~ z!jPDpyt=30?_{a2Z)DWjyvG)m8vXJ|P7X<2Bh|`M{%5<|mAj?Ke}bApp)ddS_lE|f z_l`A~qDp;JA_-?8WesnfP=3 z{q!!XE%1-*{GEM#YIJLOn)|PMCj=@aCfv{ zvfG`ruLMRszZrCEYqyK-;H0D^#q{L(&VX+k;$k)ad7{G4pUuh1QEYNr5RpHeXQ(@j zX5 zT`2hJx<|o(aHiB#qX7tXJh!Y$w3=W10JNIp-Z<^Kt4C~XESJSnZT&KDS+?a@s(Z7E zSIfJVdtiq^UiaE;HNrEae20if%t(nt?_mVc{NHM*PXZY;R8ewxAKrmtODHuJ&-E;9 zijYd0-zEJSmeR%Jbqj5NQVRq^pES-2L5LzwoKB-tSX}eNPlC556DSeE=%KwpFwaMQ z;}1CZf}7jnIzxNNzLCJoK9wT9rN^&;C@rBKjEGa+b>Lj|GRA?Jnu2-YU<%sM*;KN( zTEjM#nIe?5gUxj}5acoU_h!-Y@q?Mm$jNNxKwgB+<#fPbJSp2V=DQw?77x8n3qaUq z@IJJFX>CQa2Lmjh|3h+eCt=|f5C*kIA2l;bm<6K}*!m&m4Yg+Jy)IC^G@4p`u$XCz ziR<%n!Uhn;IKl`j^l>NEhG%gIsMf=Q})tn5|VIxyf;S}l$MUAQjzAAhE7RF z45ioqy91>?1QMLgQV`=t7B+nRR=v{X%~x45tUw=ueDw?MXgR3W0kBjsWhGboF7fta zSGH8(werIW+ubGMdZ0Dtr7l67hYPIM7=)iS4S*+ ze@jbSdV1tIq0$L-JdZA&#+r3_;&)ZWLE%9gP?o3D4&#i`B8Yd8-u?a=l-+UjgQNK! zSiFA8{~RdK8TFl?vZLoaJxyK|9WZrrK>A+vvmnU50n5 z-Ui`#p++E}SHK8=VSl2xbRU3MrVEW6wgI*$;L`pv9G_1d^+`lzqvi98i>neCo{WNm z6W;a1OJt)4z?x`_PAyYt*&906LMAUv8~pkV0YZtmYdG! zzW`372{r&31>-YGynVB}pT9o`AC0z8WhMG|F|i}4u-QlhJkVytEN3|4Ua#aC5|fau zZJUVw@hDK%1?l7qcDMak3VELWGiO_-^M6~2^etqYY0G&ZBI5^AKF9R@ifHaJZxgYj zC->uRtb>h=PnXWnUclx)p3oc08r!+PO*w*SRI>sF5k2MI!%#CA6tFp!v$S@2s61LN zgJOG4t{xU}gy99$nA!SwPN87kgk%B{1PI;0mXiH_Jdp-ozaPpp@9;A+GKNxX&rS-! zh%@M>1dHHR^N{Jz4!DmgLq;C=(6R3>2u6h zT7I)^POhoLK`HtBtIgy1L<)!vAe&&yDU^(d$QOQX5xjbp|6oR3+CWrR*Uj<*g~QJL ziyt4Y!?$F`OoCARs+Vv=;&O6g8~SywY3`5+qEY(N7wU%_lK5E672&?$4K8@pF5~Ly ztsP$$v=1)0i;LH`=`_=IEiQ(?4#6lloI^x>MG&ngEh(cv>Q~xPMZnz)ULw6-1Lis5;rUMM4je5p35i^OU$;?K z!VLF}nKsezlf}R>4)?>C2)N^GVB{0EPHAvN?zbEe{~|)gk+om_0ij<2kT+!1tMuO< z5We}eWUlyM!XqN&c{Orgvzdw6n5eFtM%tK76p5GTKKca`e&&19Mu>vSD0w}eXyCA! 
z{Se7=-M>yvOQUCE0*9{;X1*cmtB6RhqB#zscgz_k?dj|fFL`-*ERr~+vZ@LJ+L%mP zjE9Gz-riwqhT^ONY>S78XA1KyVillD~)E`=Z30R6_oQ0 zjX+xH=6G}~1n5K%Uzyd5$2~wGHbi^(`p~LG-U9~l(n*-W`}7>!ij?^HHj-atAne(C zOn0XFzXQb*=1#5h>Dh=ckqtv+Ze6t5B=c4sa1MZ z?qACh9=?(7PC>GP7$h$4qL?qc{wQoqtumOe#zjOFb9(h44N#oyY?Obqy*4t7jhND@ z++jM!IMZ`;wmWvjVD5eguu@bq8Q6eX5VtOfj^b89__^HY`d0`&r(lGx(%o=CUMJ|jYxUET`ADEXTsu#)_fP(M!HvzNppe_hl~k)kv)<}2nObiXb*RPl zoQ=R(wJ*K;oeUik9I}7B7gh$kfLJbPb{qO%nS$DFgOkdX%^$sECcL2}L`*Timu0~O zG;kWDuNv!@7CnCgkq8c30n%4#X++Qy1k`TjUTYY5c>6nZg>a8yxDs8!Bc1K_D)px^ z#Z1?*XPxC38$_l?`}B^-%IPnCVLhZwCqQ>KZ^hc>9oAG!?L@#GE)-?UZMgb~usgA` zzQZKt?p!u*kQ#3#MveJ&%>)B%;)BNpI%G~j(cuHkgh$8`9hkN$a=k+I9A_~$H!IBN zlEI!3G5Gc@hojk~zrVm2oKTvYlxjUlqLaq>=y#K&VpIDMdG5reBsOJj-YSrWC3r{O^NwTl;B1)g0X2)T(_}bjmD1o-5MJAK6 z(w}6n*@Pl2WkJpK-fSSa%-Q=B?VvOOa9)05pa=pH0!$>ho$;qp}|HoP%7-iZ)BWOKXJ-Jk`6j)2@?K;0`us;q;d`LjEG@MK$dAm|mnW5!> zEuRnx-gVCQ1~+h5jw6lF^hA|fH}N+E@!@zTeznz--f2Cdm^j0a+FFh()+!(}i%yOY zh>2MfG_MXp!N>0dH4`46Ycx>Gy+^>PGY8@6Inhq5CX;~GXU0KLj*s7;uS@`}CDzF; zGFU*8J?p{6#nl-`AP$Ukdmh5mL*blw``D#f=aC~+N`gL51?o8c`R%Ct>xC&$>z(w3 za){8pu~mVV@f{~zGGl9c2hla=K_M@*83jD{yMfHQGzdh$hk zXDo(4B2}$nzK;##w$$Y^eMDs2@WPiq8CmIap3$+`w__sO_19)D@ob{kDII0sLb2 z#$;y6%`;x!Usv3B1$9yMt?C9YkS$t2DLBCm%VxE<%c1EnBC zK2JET+e>NBCw%~Lnaa`2?p5C1J~{0UKj)HvK`B5ParuRV#Q%!#HWmZ{CZqAUv|3HA za2fr?;BbH=mOw7@qp8t-xY`*BRAGGg=S+lNj4|H;7vDdwI7@c?9r-;5jnQh&h=^xA z4K=k`jblpV-AimfC$xAB44@K_s4U6NrF_$L+uL|mstlmT5~#4fHaD9y>AV9ZpavF?9Mj7khG73*1Q^&eh+gx9_*>4xGbJ+b9=e#?eu1_Wn+Vf$tP=<29;Ye=4-d>S> zUWp%1IBE`N_du(a5^3fQcm?HuaI3H!O9nv4i{p!8AOTt1E=5J+2q{%(F^36wOcn+i zaZp^GVdlXv^;K`y{DHNZ0~F1J zq1M~r+84^7HG+)me9@#Yb$kKQJGZZ%yx<2_#qUV^T}%&gcTHew<0pkA-)YAGi+EB0r z&P}Vv6(M$Ql=MGYqP&<*$941J|HTf=A#BRW2mq;tE^?$Z8v00I!AlWC`2{ zq87qfP@?40%=L74Q=iOxFqGO#0RuLh$R7lwD1oY*gosGNESL2IeI3}pA(%I1zx*8; zeA75Yf18cX?wY>J>RR*`o6iW1GA_6n_c7Bj#3)~p66|Oh)G>b~;o-q=)E)`|i!~|H z6rtK>kQ9re;-H|gnA-v2u68>z7KA&W7EYBfS-*n9K#yG3gqd2o6Hjezt^5)%a8LPi zjW~R?T7x@G#v?lp;0fF9R_HGF0w>b?1yORK7?Vzml%2Vu-4phx^BF3mc)@9V%FLOD 
z=*}e=DjJdYsp+>&F;J+qHx&cwzq+s#aT%Eey}wlq<269I zjYvRS#WH-*>Tzfl@Phm95{~gM1d7GsL7v7{MFz5Skn`+> zsP4rN0D)Bnf{8z%!U0eO{KqKkZ}jgq2_-@zpob4!yTweEZ+5o9?j*&`o$6rA&pJo5 z^4+0kAYA_pJRCrB^nju_u2=iV=aWWv!u9p_zqVt_vF~1^Q`Ye9kBb0O43rnC%{D>L zMJRxkhWTM79QKRng2397m)}~@B%Xys^z5%dV^`M0bLUI@N)||-wgiU~!1L`K(CF#y zZOvO|nrpIz0l*D_9Z@b>SrnAd{rKvpbK z?nxfk+`P&{RZvf!F=pujCP^ybStL9$3W|x_%iR}P$$UqIrj|xV!BR%^)(-tC*7T0E zUFWWjZ^76afQJH0&(7YHd&UNw`L6v`-XOLBxU9XM7%1H&BM!A-1m#(+AHRV5513Y? zbl37vsKnSYs346zZ$D@BCk|*R95!A78P!@|$NLeJivD{GT9AWL#zi-9vw%;>N@ zH`HA8eRH4|*)Z@l1;TTse0i<5n*qn-F0qGq=NX=DJT;I-Q4(h?|8<+qqYycI6rm?>^ zH>UzXKfK98^yR@ziF+Jiv_$pZdb%)4x)ndEKYjX|9;I7s=fKR=*V99h$2Q=cuy?Xh z>9|%6B7gZG8M3!IN2hUOsd)G~>V@^ICE793u=Y$$S?C7;=yzPT)1MoR2iQrM2}@!A?gB1*KBPHNL2^CyUG9#u_(c0sE0_YBBg4CBaC~pdfL1@0xlL3IOc&iHj`3j8`c{ zvvNxpeCF8$f}8pdy%$sBmDPeY$lNi04`T+`gXwdb?>i2JEG&yoAnHmI!R6)lH7MA^ zZX$22N@z#Tz43sTeJ;A^Q#AnykCCjs1CU|OW?j{b4zO?x(|FCR61=cbSNor_y?pf? zyC{W2EVFg%?}n!QKmjDdU5ti>(g?6M(EHjl+A6S{;ilpsMUC@qrKi8Rm^w_mZ^6A1 zzzdW-vI+^Yu~Oh`H+3EbF7CMBF16)dUCjp5xdPR*GL0_GM6SxE^VUW;s6d_$GEiw2 z9l|Un&*yQ2~kQTc-vzZz+ed4AI$Ky$VT!b4Fyx`P|)y{3sXNnR| zNy;xVE@X3VKZGP7J1HDB0*DK!`X!JImO0OjiWoAl}oneJ)ei+OXp3G2NIu zwgccjFSDac&{N$Ipr_Z}r(jRUaskn-&$hF-&#CMQInAGf2^iW)8z1jdS3jrKYB9dm zz0$Q>e44J`J0>ro{n6GOMrHff7Ks-Au%lQk6YZV<7h!di%vgDKa@qMx@Zp~hA9I`P zuQtx_BmI!C_OC>{Tgz~pVBUYWS=`!Da60VYpZUhp1(lWQgHQo-AtAxKP+{(hSd589d?v!0x(0pKZczMD6_IVy4!SC$iRIVg4qh=E7m) zqY9?6*TEC2a5}~zFPP9$ZZx#EfAb#reG7}CorOIOrGu7K_K$ACQTk-a1Oz`bGe29Z zSN^u|x-7Vyb3SCej)>B1wng<9;6F%a*?v;6p4cTytG^hpLm3_{-W!>kB0D_+V02o( zdSh4DT!_xy)qt&Qv~OTU!NhR?so~xb@G?Y51l;Q(PDy>@yA)^utdp%%gm?3rQ&I{% zeSDyQgMi;MVLkw(P{a^51DaD=cjO>XH@>K`8#}DlJjQ1`y^k*I0U9^^&P&Op-*cx+#d6oQRZ&BOi{{DRcb67SR7*)o+1NW~4q(zKF{E>O{{*>`?dCoQxQ0n(WsjwDu1a1=`r4K3 zud6WP_|-<0dSwKqmx+dJo8JYb{R$=q3)O4C45YAnRgKxdp2!dqRVX$yq*Njg1nY(M z$)t4m{d(@Xw&-9$YtYHDO&+j9RSgXW`%6t=VPgJvhU2{ZW#CYBgBfhUrM{YSdM<=N zz#%f34}y7xJc@*01Op>F+uIYpjlPjl@4tWz{E+us|3&3`xxh_Xg_~8Q)mJ4p>-%ie z`Fg@m09yg($>y7=U 
z#pvi5Hm3;;Oq)oUppH(&jQ2MZVEbP9?6LPZ_}5h$m=h;IU*wq1)#c1`e3J_82?9K< z*Y@4}TQ|4+S%798TFp1QBiY;AS3ZC!o5*fhH)+7a$(bxupt3P0a-lQ_Kxi0p71qcg zebM}bX6L8RtX7M`DJgDgWBctLT?&6(7~C$ONn>n<+#!SZ{F5T>+E+aOK00?#LK3~@ z1UsQ0NW4R_e6PmblCF*d8C-WWDjrVXC$pHg?=Wp)0Wn051cnL;n*C$a&?q{;!}YFY z@0)m15|+3^73kAa_NnW^Tve{i$sf%+2Y=xwnyuc-y$^)ZY6cI>D_I5xbOhQ{$-H7{Tf1VfG1RZv+f zyYm`xi-jtpInLPkm~OKDPE@el+sP z4DU^v@4yygX_a1r^b;5v;QiOUreSZN##6rd--}B~PpWGur*uVRVR2iaO%y1v7Sd_h zuWizFN+*W;`tmF}?85wuHT8~)jQrOy!!$gmK<{vkMJkihG9IL_v_&CbgRI5rB@9{v z_t>nArhhS9-@1TiL@5agNfPsQ8!@gItRZ>58Z6E3? zIXu>}00+S#L5+mZE1;)`0usX3(NUj16%4SuX&R*=4Y0tr51rpYfiV~gNg^DCLn3sY zZ4#s@t*9;^yTt(w`0U_kG&UWGoahO^xXxLMsJJOW1!+sSoQy_1N=L96T8wvka|U5Y zFvgqZ>!29TdN0`S{WK2ml`k<}5uHO*fjND?vM)7!orkl`jnQOKT|r}(g*W2UQ0G94 zpFhv{#eM98*6rDMiBPTPAh3j?7|O*-8Zi6FQqlR{+Bi=x)T6V=JO4ub0uQ=UZAYkQD9k;LdpY6^jXIo@&&svj#KkO+7sEHqPhC1or$@vtRGz#Re5S-6=@LR)BX zZ^H)O#X3A#VDe|f_}k8KN!Ttov}~XFM?wPGM(->65~)wLw1Xe8S%ZN9M7BW4cDCv< zwMu5{3*0sM4|wl6TGHyT$mORqz}5wYCQa;#cMMAx+r61YT>#=iN^5$QxWMy&cz8Uz zot`nhH5CL48d`vLUhB7Gg7+$IPfU5eXSe zE>K=K19EETb{qg8{sB|E_%#zUZIS%h~|48wjG$i4Sx%VjG47DGUPrYfM&awO1(PUQVmpiBP- zC*OdkMQOkE)#Vi;<|3U0DitP`v!1$+gOwF9(l$c1!GHre+f6x_Yssz%LjVN*R@5`Q zrS7ThH4Xw(h87$D;&ogXeEIUF)@FxMI0VgWg{9`>N9>+^VM##Df0X%?74+-Zc#k~+ zsDO0{j}mC>udZ#;>^BFt0@D}7#~9;*`wH;8eifeac7n5F*%b(LH-U)6V{(6NDwvIO z7hc1sS^=VWW1-TihFuX*X82OE+NQCQ`{eR;9jf+Zvv-M~E0qBnIp8M>mESCbZZ!Zx z%QagaOa+Ulm?=@}8X5JDWOe=Q&!Iyfy4YT-^MnJ5$m4yIGYk+W(|aDik4qQ$sq}x? 
zd#kXlwl8iJbt?iEjii8pgfu9vfOJTAOP6$mib!{NNtb|hOG`_4cXz`X@Be$g>vMme zbG6wj@UFGynsba_4PNn`>Cx$3RYm@&q)ZNbCSKkoWbk*xqzBoYPY1sn&VI|>JHkR8 zo|RWr@6&8HM;fLP1_Zeg21u)^5sVbhc4WS8%3b22`ZqWTWr#`LHv5R;cVR&o+fgOu zTF1#YUS>$*azZrMG4QPX!S2URY7b2zp$EuMh?+V&M9gDH=&Y>v^Cy4#rhPzd7@-m3 zuVwhzF1y4*t5}dBmf?rrwUo%?AZ0$i_$}zZ(Z9;njs1Vi@9C6}NcK@sKs6MSG;6QG zb<-c39)QP#Ae{b2(>8~Ey|y8gQ&;B(iU#JwF&+2C!cA8ARA8;+ddY-o$L`#_!^}V?R@RnD02IK3s9A>U?2Nk7t>z<} zBVS;dBel$(mW7L{wZMZ^;ZTIzMA7LvFF>$J$aqX&PGDrNu@?Y89PbfII z75oLS+1RiJ1Oya|Cg1hLhiq?`t2IJz3n0w3;v&*^>c{uPq0U#m$CU*a_UYiL0TR-) zgpPBMb|=*~-A4;&=N#8Wg@W47vCfIU35=**4M^_qu7aiUg;vQpN+2b9Z?0SWkkbMYIRP^dT-p!Onr4 zoBM8ttZ1+%-@^KQ?{v-Sx#Y3G+>v~4kh zU;YYHIWDx>-DA2!(&zNs%P2Bw4x1BhTzbv4$+IAQa~YX|TomjtLY9h<-cejpvDnls zj983X$dC2AJNV@5i0fx&uFeFc$;imZ%iVB!Ae+0$7_*G>CBwhbQGuLp?cs@I$V%#8 z@sIk?ayDb575-Q_=X=OvD&b>}rf*d&C{Oz&UX)PQzgto6U)5?pEd6?UveVf}+H5>k zi;e2_P3ZB4jt zA89z;E*`m@lFZF=u!xF?AbsST_1B{-9pUdoxp&X4OfwtTi}304-h4V;%o}mj8fZ#P zJ#U)(8zCCKv;H3Pb7nJE{~I-_3i^!(7I?0!{i)=S2>Th@_w}hYYahCKoCWRqh(P6^ zDcx{KBA!(-ebjn6x9lw!mrT97%5XUxYBzWsI9yz6&bFJ~ekp8Myte8tle9KOsq++u&0EcXMPfzDZ1MN>gdG{&7(*M=dJGH1tdN+wj zeo{|Y&k2jTDIs?7GtC-kK2V9OkF>}AUR+$CHQxp{4K^qCCUP?BjSzx>#J{*09nR3D zm4eCK;zEKqmioYX0^jWmyInDv(PN;=P3n3e`OtR#3>)alt(lr+o%A+lw*$xFZ5sxL zr^9xJ?Y%rlSMyW`67gqZi^g8iPwG-1L`3F|KoEW*J3Y1dFiqsyjqz?AJJhSW;F&6V zbM5}Tr9iDhp+aMOds`mU+(fZR$bUr3YH7@>OeJ%?xVU(JzWMV_VnfXPhU)-GX$=hx z9h;ayisfOTrlyvNVNN_TR|}tQ`syD|pZ@XHkVS>kE2SuRK9k;ZuWmK(E}WjlnQKP4 zM_{|s-@XXsNWxCi@BiY?L7=BX$$|ozAs%Oimv6=<#zIo%nGOD6O}OrJNZlvmux1rJ zz9^~f#Ou0yj`kS{Q!|*Bv#MogZhq#_gn?u+RqX{UXOT)Wz3+4u^45b>-z(~7rl>~# zJ-a;5rPx$aEY$RdV6S0KofVI$)%NSC*O>3J3TF`=P1z_BR432@XPT}S4Tmkm0dF(E zK%q#l@ue&h8xY3~)8O4$9tYlQkBz{^!Q`IA8V9W^DmE?|>7>242TXV z85ucwEVI?4^Mhr%G8I)-M)QNW#JsM8fIGoe7#}Z>%D>W5+^*$2+Paz0qtj~pOG9#T zaRGJqQ(P*ljgdmAh*1%2^VnGSiMVK|1kLVrO&|2AznpeX`$tBi$h;nZrinSXfvzG= zgw$hasxEr*El4&#lu8rqzv3p$`W8f|{2L4Y1LJVvQ2P_H&aw`qw7IIjd+6Wf*`$5U zEZI5}{bAhP)pljY0$JZ5lBy;8oAyAt{|B1Uf(?AR3VX@8a-(J_{Ik_+RtRc6`Im^F 
z>ro#BKv+WYZX+oS1vzM2^$YIXGVUtm)t(ys_mZQ4L^)rCGzq%Al22ANQ4ElSz66E; zuweWjud4yMSB(9mtA|+?e}f1gr-n3W1&JrWTQQe+c%uXam~x5j{rjj(9tFNA9M}Z7 z-u$VJ{ryND9<$v^qmL-G-1j+1*3T`bYFmB#Y4?_$J3tf%p#`s+eq#$n>%tT;M3Bc9uj9<}U! z+XY3zB|TYLS$S+^q$@W!xX8u%^v?yWViFQ$zy^`)Z7*6WG>H3JRtV)kvkX6il9Jr0 zhZDl*{;9-j`KWq}vxrzs0eJsU#zNZ<+l9 z<2~1J!%vExCIkfqF`PHRC7!dz=NLmSEP%(g@pRZ+Km%o_K0G{2%7$<2PSd1=Y>mNV zz!d-uPkmoEu{G@wk}_-xMWKGr#N(rz8?Lg&BK4|Fb}1}`)|*2tWplKk73h|;<5RwD ztqL5#E2nC3g?tx2kx+g*K3U_6>REKa3Rm)p@E3_To}-;z5699Avh9eJfx_{bUcet}xqTrfI# zi0ufToSe{UpbJKdVJj@Y^A5xp@7VviF_P06cTAwLYG-4W`u>^|QE}czA@3g+HOQ3; zvGwv@$Gh%3tm#W7arT5$4a7DZvRky#BuAQL*6V$}a;&UjGCkqe1ZL>#F#d$VBNr zB*E@|us2UWQDK^1b|pQK<|SWhQI?}vhT;8$ME~}y0K8|iu+2=koqN$x=c(r)TGY>E zM=#+G#bVHmus5&o*w6nAfX4v&4@Q?AS18=S2bQrldq0xTYZ$MPW>~qY2{E5^&@nO+ z+12D3axV45qW_*}dQwEnNl96{+S!PtMPg|nk?7Nqyt4IgOIdB1oH50=yfiv6Fc9U@ ztDb3>(<+x;-b~6iNCylx=%dhwE%|-D>-iX1AK+8Cj;7NBclWUj_uzC9nnL`FBo=1t za?U`2BSGMxJ$~?lUn*eL_Xka_Uv4CAiRmdXY=uqz{UKnQ__x!=Fw_>N36ar|`czQ2c_%}h*>&xO zVv$B4-yx2+rDb0q-_1MEi#~T;*nGv@k&#EtrzG}H5|_FRMVI|J#MvJ`ehil-36vcG zus;U>PTzY-%tN$^wxOr5RG=aZaKwEyPUaL3t+KS~l@){k z9z?jOCv8CFMzQnugBLdHJD})bz9mw|=ec(e;i-Ug393EHCC686xeD{~y;^xe6^w7F z7*kk7LuE`Bxl4Z#0aeCgw}7|Oqtya+7APv2;2Qq^x8fSpHhzdZUTKUrGBPrhFB8b1 z>YiDBv$np@q|^Oy<+XB4Nn{>OCW%0y`v7y_OP=p&^bjte&^*l`znHgPB^n8|9xsU4A|5(%g+d{tMe7r z)lEzM_jX!T+V^(kv1ukA0m1d{A9qN2{{DLc~NoCkw_;vz0&rS zSf+Siu(dTbCM;}{6opi<{L%4oaq;iQwm)~3kX>98(bBR$F4-%S1&c~bQaD~prKRgx zb7Ae{!^>M-TH4w)lf-{hkB5)HVlQI(AxVTzZt&lj>(+m2LCH&N8MITut_g@A+hSVE z{3bminL)uHH&s8JQ_GTmKf4W+mG$-WUmXaiB5bfu453x>4e)iFi274f zhpcQj$2d(enl61P&BVm~ciE@)GFzaAp~`_T0B_x>(+2Qhz+F@)dy{J370vJsl!*&Z zxDFf;31_`Z~86TTI2E)Dj)SgfQbj z(8D26AyH9Lq))FRyAyb#<0~u%8?=(Sc^+KW{q0X%STK5Hz??d2kzHQJF~*Xnr)CmK z6Y3v|Li&B@6&5ND_I{Qux<}y@TKX*?+FRFsW~4W;Nw0^gvVdPZATar{ zhsxEgwf*jRw0~$_>}h7Z^`F0G3Dxd$$7iK~v16v{SRP#LO775pe`e_g=wW+boVK1$ zljSY_gE>)k?mB~RopVdR)FP_U_Zl_M+ni8u+w5H3PvZ7%gAEfF@lcLJ_(H4SlD*>s zxon=nV_*-~Zzr{(YxzhMDG|T_2Ad|Lxn=BaMYD@ODDF2F5?!vU+)Fo#lS?rd8`fVS 
zt|k3nv4y0nLf%hj*R?+sH0;> z)4PsmVnbu65bQaUFBe$XEpC0S=xA+1^ZxQ_4srCs!OQ-3T3m7%pfRPVqsyOX5_#?- z$B2Y$F}vI{y!l^;-F{$?))5J5yMWE_-N?Mr7946dV)aO=M5M)CO21&C z!s`}LmpC1tDD3(SmWk1H?tRRxD-@Vn_cFRjy?M5eDw^Ddttv@*#&ORl=DXnVV%zdP z8zy|x?;UQEv{7;tQApkln!W7BwN{5X@URY{HcLRo`3WUrW%b*JypM+gfJH*Jdo0#& zHc=8-UZ6I=B>&O;@)y*a9(%u}7XI$eH7=Z&GKJOH-py96!U)gm{dk;B!fVaiM-f%! zPJ1Qg_f~JU?HO7WA>WtgLDJS|zr)=5%*emlc*8X4l@D zQCa&F#dB+F4ASq8d@=EOdDtRB(qbcHRP5|QOqi76kcQKc%zy;-6Ue&SvaK-n4?58- zW@?XB+ovm2oe~NHd*Xkjr)6bj4IcW|_BAzW9`APe)GArijaqs&yrowN_0H=-BWXR%9$8$Y-2iQ%FrgoHy}c734NcDls}~@mXH+J8;U^zYbi3| z$$uX__*nUiudPjJs^Rv_J?|%neYIX&e4l+p7lj~p_2yQZW+pBoLLMMdujHbqrMGdp z;Wj&9aTr*noL^q<91Cs!St0BCODvM^Nn`cncCSy^KmcMRGqhC%EC#)8V;y*C_a5B4RkwO@2em z9Ym{CwEnUXAZHZS@(|akC{B*#XI0ytqI7*)l^xLM0;H?=uTo}gOxbixPuHwFnD1z4 zjQIahXDfT5dO%cYLtL$|?g!)H5)LTuO)lwGs=pl*ykYs&j|5$03*dz)E_+CFa&mC< z`_DIvzze#vRRtEZD!)TqhE#bPD+jv_nP%sqi=WjK=Rw{{pRQVRK*J2v1fNFHX*7BH zM}vy9y{E^^+0JAjMU&|0cRqHl%dR`S#RQPVZ@|CN*gEbz0jUVtI&P01CtVw*r|YfF zl)hQ+icI}*m`SHv@;@JULPCIlIHm%P($XPLPyguXsACYo%m_>Y)EJ$)OoM;RIW;e$jPNaE+YA>AdDT#ce&L<QVV^gSR8F?}TJ}=!DfmkL zknPMa#(X$aj)|$K=j!Ih$j-h1+A)bZPEYtyEcQdCla0@xKc9N)@@}nj5Lo?tNS4yl zz{piPo}(J}CawYp2yndgcHOx{lP>gf0adZjDa5gwJH}#44f|LCCTT5WP>d85 zb-mz(aYlWx#+Xg5s;V#`(X2QG6A0e-4I~W+>FCS<%oC>mOq7#+DYmhOA{-^#o0~ zZ^Hv2iwN9aQBhF>pG&qtULXo+uIDW7%s@$mQTXZT>$kRwMa8oHpZ?W0J|7)IFNqvGPk{@LjJ;1A`6SMg9p4n@dINJtLVYu5)u zttk$}V&SFv4Xn=Bj9G9{Lq*1X*w@(|#}f>LvyADsm4T&3xRmDkZ^o0FfoO;H@r{?n zp!k4u_3D-jHB`8ERw+^GGn7S0G<>79C%1qvF@N4;B<2fRsM(qA2i>Sbnk_t?2Tz{& ze(xNFC)C=m<~Hn~H)_EMjdQMI;lp>bvKS4IiG={#$?S>wp#9GH$D@l6$FGl+J5bz- z8GW44a0ZVCf8bZ-z7?zk71~T*SJ!xKX1{U?h2Zr<=y}?Erz7ZO0y2}?WnF?m_c2gzM+>4I zsmO=BlO7@O1%w$*dmDy|)CfQo$Z2OJY;BEdM?jR4l1?sw{J3MkZ`%nNcP6+&04&8a z+JA3DeI7Di!)Sl?$;{j==B>p~6NNA+6>iQQNd2Se^iHPEk1omyUdO#5H9F=*XtY9= zlR(i8uYLQ~{gw*rF9_SZ#8Pk*;w$4y)k`5U{oO(1GOkziB zSgKdx7+6CW@bPp0Q-y}>>*x0eaQPc|_uS3(u1CaUpeXm8b$o3FNL{W%&e8jT`^gP! 
ze1)@>qO&CRa&GmtMj-7U`X4_#i)!9ZQ?Fnedmn8DpfV#g;s>( z2xL(m0INJYI~OiHxv(?M3ll?v32lg53Cjb%`}*=G#ojdCEEef+)Z-=KuMxua&_7;7 zy@r;C?L{EAt7!zY2+LW;&F{^zNYLRS?4j_DU5bT&0En9PxK!CDGXkoa;rasB?FZn$ zQ!d{m{wjA?eA?CD_(jWoC;dct7bFmdJ@JgEvtA%{D-feoDpW;lv}`z1$SXF`HIull zuj2rOSiy9}^ko#N)xfF!zM#?u7U#oP3So<>R1gE7*&CI`2@1t~4<1u+aM;w!kKAhg zhT|IKoNLp0-V?G8fbZC@k0k++Jod|&cDi9*@V&4wyb>MoHox_lPn+nYHab>4Iyy2M zsP&avz+KQgT^lIH_JZgE=vL+3irsNR^f>%uZ7HHIk%(xb%n1#BStCm-dHKxuqqF@j z<)j8>sH9;o|--jGTayDbw@Zz8JU@7#fdR7!$n-GrD_3y z)TnWlY`(CYwHwfLP-e; zKOd_IlE1SonMSp3Xt+RB zXx2LiLL`e(LRZUJ%+H@Mfnz}wWgwAhgL|%AW%9b=HY!$GNKmK*NQGSa+_QfdvHZ2P z3bab{1ox7Xk`N%@nM-fOnWIac;-4cXgnJ$gvj%{si%FCrKNRfE)R%Q!;3B{7114|vWO3xb@19Dy2jzrE{&rk7E`c1~5f z1Va@8AmVG`_LqD_wdTgDZYRHDbEsh`lF4FB3HK~!48`Wj$)UpG@Fa^NZvER#X$_Gz~+agf(hJN6Gx=wgX%*k($ z#&v#qo~`(mMl=5v?2%)oyGZl%={G2_ITGZK?SJb;6lWYa}`)EJ`|}`e2p1Xo~STy z1_uxazV$aykjYAkuV;@&0tbR9X@$yYj#^AWkk^&SlD!|*=Z%s6R z`*15$rRzl)==9m0lXw>j!UzT>q4aC0U7?$q-?}KSP_LX`@uub-2cdQ-huwT)mULayoC6r3<1Dz1$##Xg3(!?SCp;rt#F=aV@o=?FRS z|BRu?4N;PDVAFNLeziVXLk0KL+V)2Ab=-b?M=?lLz6KFZlvp$yTwS{^r;*OMs0jWM0HVjMxuzygmudnB;mql?L;xL+wX~Q^Dh1IEQb1Hao zef<0khU4szTnEoh6Dgxq5cc@dRhNsC+rZnXf{4C{bKAjT?!q(*bkebn|E4OP{AX|R z-m539ypaWEN&iM!{%qy*FOV^wQdHD;5SizA^;XP$7ID@A!~KQu^h>=jq~ci3rL4SO z1>y|@9bHuW9W{{XV2MqYZ9U+2Cu}Xjj-%~^8^#Y+T4hzWiNsrH?Bt$ttGnZM@;3=3SqT&fX&a28o@$Q~CxlOVa*l(R+E+Z+i~qyp-otg@xFrBJb-LtbFDT}`$-K~Xpr?Yy+ibEJ5pgj; zr!5UG=FiqNA`p&)C~6X`-GnDc3ikF-$e@54-ems_JGmb&?S<5XWqf@6gG&x$i;S(Pk_%HYI8VR8;J$=A|nWx3ukLZ%l<|(vNNr;_{zbec>pEP#mV}) z&}?CY(Rc!=a!Pdu6@j}KUVLy&t=u09(lT~rODZ5&Jfxl{FA~2qhm&pZ;9v<#ap>IQ zzWk$rh^f2D>?V7vECM~<63=;D9|E+Z)5~|bZ|jf+i$K0e(aUeS3sLb^+wQ`cX-OcT z$SEnKcrKqjt97IDM7~L5_Z)#<1*azt@hLNJ*$7-*YEIpM6r5Ei@Y*Ephi4j_+gRDB zsmFeCARM>^bF(%`$Wp>>3N&l(zzC>%lSx&oRm{)3?s&$=##r=AMff#^A78=UlHJ5p z0TLe^7LSNn-yO$-^aDU5GU&6eplgfwtQbfeFZGRtHVEFK|{8E?@3e8^4YyFztzBC4+tq`@N}hy>*#MO_n!T!_lT^be6Y?8k7&2(!_mZ z`{5`v<>62WE0}|G2XXA}U~yCTWwM%94KzZ3z+t+p{fQ&UqvtdrHe@&dk#NQbnv zr0hc4YGz=7bCvS)S<+U4{Jr?t&|pnQTB+2 
zSF6mlxyoi01*pQ76yZ_2U% zV&$Eg!8iXQ^h1J>>#m&KHVX>DNRc?;P>!ae9l&UuXK0bs-)xBYCN;c+T?hnAXXoc8 ziTc}6KORvpR>8+tD%6CJa8C&r7Zv+paBTL^zi*(2*VajO%l|Y$<^{d{fA>+daldpJ z8h19{xkgmMy&9Dw(8ZOrk6_U%3NE_QX_Wkj*&dXl&FyD9bN?|>{Y4lHOdAHpE4a^q zSbXTh#Z|Cc{QEZo>!@+q9r!789nG8dYf`Xsa&{(;-591PsixFmvpH}HHES7gbIkOC+Pb8op2eRM0)o;$+hdlw#cE~8v zz52AxbF_l9^0S_?TU0u=zgoF%G6b9tu(wi&%+7mei(X{%R<dKA{0pH!o7# zSw_~n#Dt^P(>oaCF?K*g$C)>2ky=k)!)^*@+>Va+rM}&Fp3Y^RyL-3(t{xrGMc0(% z80}|1A>@SME}2dN-E+%L=CpBl%Oyp9!t?L|CzR+wFf-sa~Y4AdtEU~e>hsM`-$xl?%kT44YCk=P zlgbrln-sR}*Pm;<(0Ms3z&45XYVKYCh8D2)lzw%DI8qfJ|8Ab5lP9` z)^QXDY3V}sI-xO7;n!6lCB3`Pm8+YPa)X6|Q|7Mw+@R27 z@b8eq5zsG}HC|#z0888U=7M&Z>5awA!sM>UPm66;XxSgN-@Om_dTcu8yT)ABf&m>aE#e=Z6#fLX7~~W3^Yqe%EQ_9&vI=V)NF>mJ z8zA}eM3G=45-|UYEGjUjX!le<&fOLg68dd2o}ifQ@!(U?Yy!Iz9dH%eptCm-O@dai zZsy?SBw`uw?a2gg$JRw84`wQ$iP9vK15M8W@YjWri?iU&{+i6&y?kPZPg1gZiUrJo zba|LoeDmrEs;}n-OYu*Qctu1!BLHrUOl(bEg94i|4sa-BNEzS_Tfp2NGd<1>fwHI7(#4u zkOD;!$}0_7b2T^*606mb|k;U5>yH_5oF9 zVlw;?n#j!~m4ZuGxrQe~KOW?dIfMvHr?E}AC8Ej#M+|H*-K@*IO^!H4I&c3vA{VLT z#r&ul6qtuRF`WOTG2l2}#)Lz-_0P?JXO33$CmQxioax6-)k8&r#i^vUr$h_$;Z*qB zyi!3!XmpaFB_VD6#)8Y{2`)vdUp|7$sDbkwd+0I*K$`^jHmq&_-KwslWKX z@@lGA+C(Q(m9S2zWT*;e#v_SL}>y`_n!4A9qmTV#D<1@1(^+RDCO(Uxv5i zXbII;a_Q55hQ2>3o>1-R&^O88@ulC*XHj$ zL9(VSOsp;KIWLCAv4)-V&)x!bedqJamJ_j;H!OmPl;O=v=k02fWB?!f^F_%4P>NC0 zK_#7e2a&OraBhIe07TZ*70piipex|;n4~Y5^!|PMO?D;;p;6!#%S|xSTw9+v3xn^m|3)MeJdF7u9>OX|mGnBr91M8|nTX#Q-B2eT<)6v7RzvVPPON&BL)S6`Ij z=|OC)v6(}8#l4i2#K#K$# z(26G8j)Y2$V7MUPeM*4OHZ?(j|h zibo-ngT8exB14-D8^UYqzqB5_x|%4h0qz z`>y2UdR6^PZXxODY1;MW)C&h33NhFl?*20Ca~~n%{97#`oTHlmP_O29`}MjDDK9-# zdW%9&^$v!fZ;d;=J8mskE+&&NQoZl+W>h`sBkYfIwPTB!9SJ7c|1Ux~V*}hG0de8bLpbK zWTk?Z2;#)yiQTEX_Kh-vvELLi;DJR_*GMo{ZlH%wHHBSj)2$5p+&0OCH0N5Y9#lFy zR<8TspH;0YclgG*H$39Z?(V3}lz+uwutr-LzeX@EDdOwTIy&eN%4G2e|6p`w;+5r9GndM^PO)>M;$4BHwqw=NjrTav7 zlUfj^C6_x{LaFi1o7@fVs0&>YXNY=rrTuGGV!Y&F-9 zjtJu|*Tv>Ly`Imw^cXzfbija|W@KOg;O35gAK=c7E{xM14r&25?h%>Cnn}b+kik%HKHFN1 
zNhKmFnjzo0;5w0g=R(?a-N11D;06Ah{9vF>!5_Oa*!FlpE<4zV2Vxq4O+Elihn6J+ zzyN6@P*g~PYCr_7v*_E|Gm6aUuqg4jYKYykmXLD07_mh?V z&P4OfJ#UZ^r3?D%x{e&lJxUt+7wGSA2&J-mt?hFxRPO0%qp=ivAjoYlM*MG!9Y$mn z%rua0r^TaLANt%Sdo||wZF-t_(vYuaF}80f$k2grb6mrRY|QV4vX5WNKMmZSQ)FiA zx)f!Si-cL#{MH1UmF}df)84Idm*hGRs}_ZMGBQ5ul^+kX>s)-6*4y~l}3JN)z z!-1g3a&;qFD*b*gY%B37t2be>qP*a9jxw>h|FiAu2e+AMziY_Cd+?M* z5-@-aaSluz;`g&qCLF{L8usX2XBJ=;muFU{gQu8Se`w5?e`g?}a&@t5kxJTlFqh+X z92+SecLHsa-?G=~)@3v#FocE0@mDctpt$0+jQPr8wGndIhru(_{bcm++*;oeA5ZYM zsTn2M2kG6DO0DYdvxdz57jvXi6n>Zl1nnJ6i_iIt@$*J4(?TLCaB%LA|JFwqk1E1i zA%0_p3c)j(66>-N*7js`^LoU5PH|bA^kjF_T4e>7vOds+YG-G4O|IdkEi5*4F>xnx zFI3pkqWA~PZ4AncHue<0>cvr1UfWF1$dod(#t210nQ}P}i|_OFk(9z{>sq!xnW=7C zN3PG`848rbruD#$^}sHP=tRDG3Zc>U{Wpz#FG{tRN6QEZIb9z?kgPgw&5KYGqtSBg zO?IU%n~L1JG)iGV|j2>Rs!d9wMn{qUBSmXF=_uby7rtK4uSQczG3%eLwh94PhtLN1JPFbDOKl z>AL3&%i^_lMWxo~WU1Q~?621c43X;HZz62zo7@_ZAu0=YjI3Xl;X;qGu*BIE6fCCe zJ$F5k!e*VG$;-<-Ub0K*@KyY!|8tAs`+XtkNp@Zyni$0wITT@VJv&{lyoOv^dF!0U zgmeF@&ja_eFj{kzQxoQHaM3%_(sZfG4lr$uo4R+IcO&$?W84>f_~Y};WfbkV;#S{^ zD&$18^=24tsiV%e72(;aG>&9G+@36(Pp(6*v>gu@ zkLK~JCvI@K(N}t!%ESc-Iu2!IW~$%Wa5y5oR85Vn z=c;~VohGWsZ0Z;BNEKb&MCtAeYwfnJb3Yr=msdclu_RKZW*qNSk`SIWZ-d9*YHyFp z-EVG~3*pp*$e!_wR+FxzPO2e0?#VF868ICc1W% z3GkVUWlD>pE|q@XlGOcTFlnzs+Y$WmLC4HYV)4iEe{WWbgnp>^)y#nH*wfq&=siG-U4Z56K$<8Cii#T*W-k^F+7);iW`wlJrx~?%(@K2~uV00rUpk;o(#TSqa@wU!594d`R0xvk7;QUav9T>y z9Mg(QiQm&c81R&*GZPTV3e$26(0UAS6+mKO(JJq^-~Xo%3Y7Pdg3ZXz{8xDW=2rc< zx-Bo{BTi2;MGKQbmVM90Rq1IX6}C7zxxjHrhhaJ^p3C*8s|8?-Zs;o!)VAuuxPD^?--}=;(NTsJ`G|?mnPN)@N%dCp)*% zq0J8lA>~xDVESESv+&sX_~*X%=#*6ktP^Uv+?U|5YE4Vwh>MFO6#1ou#?gO(ah#3BE*=DaJxS_eBZvS(21z?aVRO;!(<#5DGRY z5EYlkov4qLjZMs?5HGD!;+x1<^Hry(5}?nTEi5>bj`fO~$O`}9UrQxPxd;jLwQdAI zt`bR((k}I3H}m%`MhBTBtMSlWIQ8cn+S*4?GB0-%ZRBb0AoA%>G+Z1BaDLd4(oU(* zw!gqBW$^o2U;k^m#0is-Xo~|%%v0ALh$n8UR_H3Gmc{$h8Qx~Kzd%u2IQ`<~5!;AY z{@STGu%ULhDrK=TqRWQ)wZ)0k@wdDO$r%5R! 
zK%K6;UPUENcuZ-SY7I##QZCojiU)D zP);Sprj5AFt|cQQ5r8YGM+4UrRNlI#hk8^kLB75epyErjFF$`RRv#7<_czTZ%gfwU zfE=g%oOjq&_7n4itr;P)^5GREQl{C4gqhWTt3?xTp`fe;yZI{|3SsU-_2vEWtn8c| zowy!mY)k^gT)WIn%Iut6ve2t)V{d?+Z*F}Y2(_nL0PY_BURk*tj<%;n&cl4rRT z82puAs*WVG-t)%*;(VN{O`J_zqII#*ST$GA|HYH;WNOP+Fa2DI4I8@~ZOy}3n-_+G z@s}!yJ3Ysag@4)+UtxI%kHz{`O@$@KO&sfAiO|x|I}-Mmvk_UULl7H6Hj6p{_VEu; z6{DYRaok5;qlvr-6U%_4LPScJ``5eYFLfvZ5a)Kfc%(sOo}W(_c~L+|=i~2xYm`%= z^>ur6M(Oq!Gvm)vf775vS^bjWmBMZ`S>Nx6&27K7BDJja=l8`FExv}9#pV86r3etvw&sSU%5API_5);zU;8A)b5Bfi56;5a8 zYK{{_*f=1Jf{;yt4Wt2)VV9IIDZi-)1qD4p0$aXF2F=>W#;ZVo-=OzO(n`u2F_aIr*}~II|zXm7BRou{0(EdTn#(sfM4=Zv|3J97J&K>!ombO@^RFr5_GUnL=+lB zmQtupDBjxUY9&4^7hrEN&%{&kTaNEORXFRaSL*8q&98f?u4%t8YKspq@6)!sxvf=N zvF%e+^Q$#(e!Q#cZM`;QPXFjOoJ{Di)1|us>+sOqAg1YpJ-@6*r4xRGZ8fFF9~3Eyzsx&7je1YJbHCCuh{v^6T6P0OWoz`8SaJU`XhoUO06e%Z+PrHr6_ zZqY{T)xOeDZ`4kML#BaU>(Ac0%g68Kw%2iG7Ej*=TWG9}7oZ`PuFx+*VdQATz95Dfx%9c?bSE}7AO~9m zi~!diBKA@~S3Z=9{Kwr`Urz=X=g<>+l5{s2E}=(6f})14vd%yd0V5br-Y$hf5FKkO zrPY9Bu2z;}y81+`O!ri^kz7`vS!{A5r6~QnbDv{A*_@(MkSsM!a)m#$!m9Xas$AxM zPPde{BVJv(<-%0|z-`rE4$A841U%Ne757VhL^@naRd$_FxG?3~*v!KE{^>8++}=Tp z&hIGm*w9*ZI@@D1?A2)O<9qkNgXV_8$4{R=p<%8Uie2DywLAZC@Tbj#+#Boxl=)~X z0}Yl8pooErW3?rR<&0;~aQd%)Obnh}je#9d*B#IfV$-l7L7^liAwfs}VTRhWio&WrtV^Vd@`XVxrS{`(|{p%ybfC z^e?tbl{3$WZ8PI(=F)FJ1d4U5cES_aOIK103M8{m8d3|=dlZUH9kptjp!-E|Sj^0R zAkEjcun=l&ZdX63{FA(RtGn682J$(iSf->!O3CGw0xoDY-W}&!K*vMx5Fh0sUR&@;g5oqdkr7%xY-V|Oiym|@I3VQNVcsK@Dh`+ zaL_It#kQz>cz5oPfJbc-PljLOH7?PmaAr&_hxf(P)SCk@e&$mY;V0Ury8Pa#k-WvH zr^2xIf}T`qIq+y`h(+1*FMmPJNJz9MqDm71MFQlpe#0e)O_h#L{Z-HEN4wE13nKe~TKcJp@X=$I*D9o`MdQDW34)%qp1G{wZQ7m$fkbYl zqVAuib+d_TPjms~e}(3>h=p_G@s#DJFO;O)<3Ae~Ig?LaYA2)+PJj>=%?mt0MMZyi zIjdUgKB$=S7agpHSPW`$RV-O)u?nk-^oBQS`mkRp7AcdxJh^W)@*Cal;;GJj81~jw z32~16-;g_Q1JFBsJ}oz&{zlr|{&{qjw@<6~r-+Veu997IefDd_A_1HMBEfE!*d(Q- z3}*ghh$#HbSFOjpOxw+Cu{9fwa`*gEY~O58sF(}#&3%6lAOE;=9cDOZpS{=m)+(ob zK**$Ur!PECa=PWM+P)gMomImt)S zX*WZH+fJUc55gi+K%&x8OhdeEr!n>Dyq90X>9!S(Zs(TPWvJ*2y8;!o&fVu;Wq};Y 
zcQ2t)_+%m+P?|TteK660)^;IvI97>uxBSa#l6Q`?A_rW6^Mz{px0uvkyS@uO&@bPA z!WH%Vu7h4mac|{j9n#?MgSl~)q7TUSH@A7HpD~hhJ9$e8sJtN-eiyi34iPzYP zwTDX~TGJo;H(E>10$fSm6GRUz-vCMqO91amS65fy$2`wVv%f9SuYh~kU^T7giyWF& z)AX%aN#rcX2#X=bDa5=&8YjUNA51CYA@Dh+icip;HKtP?t4C~s)tZNp4yi&1}FwI+|AC3lxH%PwTr9EtiacT(Ay|@tLN(pF>#0s%bY@b*E`NcaXDg&HpIu; z&tZO-&@ryOY-AaoXZmS~-Vbzu&(`dp#Ioo;1axWEV29SrT{icE8<}0{X`S9!Bj>bS zgvob)|NVZYCI}+lRlg&H4x-w15i#w2tk>J%;bkHYkRr}CS3qVfp3G90a-h0de*s#$ zH|EtsLqPOp;ZEr2#WT&fQMwg&%_dh`KctPXp{Rk9$2TA(`%}_W$iCDa7>Xt4cM$Yl zo%Dbqd}`3v3{Wd`X?b~m3k!Q~-Ky*45GGE6y37dH6 zWDEApDM?9M!Kt^QTtW7ym6b}t;zlra4@MNk#M4AaA5_n^cd$Q+VX-y~CVK;AXP0V; zXLM8XV?JG9IS)7=3HR=kG4QUtg7O8g?6!W*ZctF5Cu%@@dplIVx+W%R2Lo7VXY5e- z=H%yMVV@C^n46={i|gy-LfH@#7mJ`<1Lqw1%a;#rZCQba@eK_8)irg$f;WpYATUr+ zQR*-~K)f90_IP^v=$YuIMVPFct32lB=3e<=y1&$|?$!Geq{keVGijNbUeF@{Vh{B9 zZ<+5wZ9mEZb+dK2P)(J6zU&>t9G zGOZ669`=8H((Q=3mZzuzrNciM7h$(KlmrY8Z?W@Wo-iv#=X(dXznjSwXz8NGKNaHshS^aHBPOJJFAAe^q{t zdf9sCVfsJJZ&Q4r2|5jkLiTM?xoreYVD0Q+z3$a!a=9Wu+8DcNmqfibNNW7pUOJ!6 z>9)m-+T9I~99)!EnIyx(C=zfXqP$CabwlLglMGy~2yk9KEl{ibJnwUKBi4Uygrsh~ z>iStb4Go-NQyR3)a0ue|4L*kkSy)2pAMA2+czAYp-wB7VF^NWsFf|CIWP-UzeO5{_**kjNyRpPAbkD0_ceKHi9K0M z@Y7(ZgFHR!4aagy(HZdqAgzXp$v3hSe-CP81CL@d$jp4U9}A8oj5~+dLY$*BE=TEb zN1(nY*C4Ixh`%>5K}TL-v;-dDuU-cGL$_4>GXPU~rj` zuy6-O2yKCCW0)Fy-e7^4P(q?Ob^Eh#9LRMHcu)Zbje6Xk;JnD;sqF$265fS}9X9Kf zkJfi5Dot+aBML!dCG_Qm%&xOsZp4gQ)%#O$`a?C_w@>gadS87VpLDtyt|Fj7$Uqzr zK#0@0z_zf5d!bQZeG7p=K(CWqIjlEV~N`8>a;xu zA!x?$+x8M0O-D-n`tsyc$4iHT?TN2)QQP$0qhFIsC+2TnPt{5jCQe|d|4$1*Ybr8q zDjHvg_byDFYs2>KZ2ho;!q|-CvmShH2g}o^8ix%cu*)I4!LtZI02!dsdCa%P2(bF^ z?n%de+^?tF^B1U&51(@NfQc4>&6feoy-N2QWo2b`PJlOO)W*lljR1W-3xv@@`dM`L z0YqySvI}7fhrfZ*r-EGtx>Q8qTh`y3hxvN>=Ave7t-=R2!YS02T+V zNfvq>=vxB;y!q&?2_8VM2wHV-MA0@udLpk|a3f`4s${MlvL~90SUuR{hyhxW)ot%K zOa`c1&VMkW^(rdS7yLH1UAhdnp)OLs|bN%rJ!qYlD zt1th28)8krd}kws;uPY)Y0RdpMQB>=n&u2{^E!8Z^Rl(JD_NdRr|L>-^d&4`W;R+< z(3t`s$m(GJ6ZU*%p~hD?j<(LD6YGvx42PKVY85GA2p(EsBwGp77-E9Y<)g&a7P)+ 
zlYKx-E8(y`-P`oL6?aM|B$?NsBarKbfi1;NHj6P7O-+&`AOfKwly5Gy3C4S0mY$a< z-g?xCMS}DDKy}~O*Hv3?t9|fQ?a@Z(k~xon6aO6uoHL&ag&W5N3qx0LrZo;S%UN9h zl0W5hzp1ZwhXNa|c%~kv0tr1nhU4oY34ak=6^QZRvEy~xQ>cDuOgiM=BW?ZmF60-t zcB?z8l)HyBDKSLbZu~KRNX+|1xakXIZS03H12nU`2B)6zzjC8564!b*?xuho2jt}; z290{>i+bHsHQ`lDQ>b8rIZ)guO?-KyIMbHK@_MlX!W07#D(bx_jlDsfY0|fX9}ouz zmHPEjhKc4_Z2#QcmA9(scA6bJ{&^{jVqhp`xR{9n?cB}ZzgHUUZ)F-u8IC@%^xmG7 z>TlOmb>B@umcc+Apxb6K@3u9X9o2s6tY1|~68K90H|a%orZxOOfXU>|Iyfmwc|@0` zO!2hhM(kH#YqpY_8rVne$qpBm{fmka&;0Uj=OrE8jDDw#QsJbiz5?#Pp_IW&in}=T zbP&-{I^ZR6?5F4Ewr^{4!z|gZ@{|;r9um;Z`pFxujAm06MQZl-y=!gAA@N|;d{sy^ zyyNl+$pc89*y6&Shh+fc;=}_CgOFq$O4Zg>W}fMQ6}rD59s)8cT-~AWRdryGz<%lkf8!Cyz?}N6OVTeRrUc{)rv))m6iAmc%6`u zkN5ri_s1`*1-!lQKqK7;Bh$1R-Gx*>R{v_4ZwdU<-}Kbp-X5Vu4daG?a6w-s+utuf zx(BrhCr@MwG+6LlL&pws)5|bX3OK+rnU0z}qcyCK-!JsN2I$GNww60noSRv9Gs!{9`cZS{Cf;7d>lq= z!^pUw6Sa>l|JG9=xM7YB4s4MZ-RndWFR;Na{(CmP6<#d>b_ghuTPmeY8xbD*TBSe% zdX}cgR9T_@771>i>cWK=3JPlD5E2T*)B8oeZ)RxwC>0gQAnmJh!I3Ga)0>|( zIf|H5`(5&FfQB|!v*9OW?!PVUId7)pb){UZLXg1M92oxASK{jI@%Y_TGQ05t;{6LU zo734B*u%DT;S zr!a9cPD~ywx@K>HIL=Ydj(Q)2tYFq(TFf?gzR!^JD|tmp#=IMD>*M7U4#BRb1s`|v zm7hfqX1*o$I{H4u21*{3zs($R$QJ4S`$u2z9wxP2dN4UL30T>bsbDg<(Ye$nDDaL<00$A0_f4?QE; zj((@N%0Rp+{_i`-*D^&t*MEKeDcb<6Jp@u5=CIvNrBF!jZ~ zw+~1`6Vij^O9y`%#XNq(>TqBMPZg)t3bkPtCAw`0Ay*(2RW-KT{Mcx0X78eb7y!JV zTD=w*vMtcXv%oL{Qr&w+A+kk`kunkeiP;gaCL zKp(|P#a&m8?w_f>LJJy#{uIx-Tdi_4C=!>&%1XePQ4;?Rp^G=Tu%$6E5mC^+8HUEy zN>(?HmnocUBl^N>c@g7isy1n!69fs|!4%cIyuLYa7Heu1Yz))}m9*)Wk28QX&dJMz zoxqsiXWj@sc^-D${86`v#`rr`JLKV0kPQJ`Hy%Wg`N(bJWPDN)WEH%bPzBEn1%d2 zQoMh75H=2xQ~`u|e{J-)gfGEG5AjhkpwIX1URPd3B*Wasc7H`&M>_A~WPz<{2KjZ( zjg>t1CxEHyj2;F3`r)wBCJ?!F(zi()Cc0-A($UuT>|~f0UA?gp(}1R472`>{o@~i8 zibM%lHUevWRq^?Kf+lofKCSxr8MeuCG4{zH8Xy^x&tMw0{F??DPl7J4t~W8C-iAWd zFtW6y#LD@C83lTNklSL}8cJWzMZ00imflX0Xg#Vq8ZML%fO&c}-;GT^^yLYc6YHVc zlINdE)Kw;5e?ll%e&1Q_4Qg<6cKxnR9`>%e;+r6`lr)?h(96-@jy1}*qggz8_27ZM z`}RQCOr4#=+WM{q-h~g`i2-m5pkhc^xISKwO_ZZZ^!m9glbV$$4&ZWs?xm%;8&?H8 
z$SURL9VATg)unDOImn{Aeu)(rwVGk&qv`?O-nweHIWW|KOs+4|sGa&boP)g@Crb4Xq$L_=Y^nZe6 zE}7};H)K#N(fb)|fFZ(`xB>1U7$z|Q@cd-Egf)8WedHzUGPO&*Zb z=jJy)6Q9>L$*0Hpn0*%bwOz0#-}e>rBYp5g?Wg^W8y`mRAg<2aj^59!u#}nW*sp#| zH%84;$N__p#8SDkTRn2)Gf{Xx^GEU0@vWp0ih{e5cSS^==wGbmq@DJs2ul(%_2_=0 z?n&pbDtQoci-PC9cAAxxNVtCNxGO#CJr|-qxC-=Q8#_1NM!Xw z@3S-%D%Kq2Ig;4LKm^D(y;U)q`UBG?!e%Y(SUb~92 z(^L1q4yVo8tTlHR{mG+4x_LssPvSSu44f?xc%{7-MtZWrTyh<~GpDTn+4 z;r;;K<;<=BCAkQE64w8s!;2TnCI6iow6x+)AOAbkg3vMk_XZ-O{|{btDMpd)?a%A; SjSB_-$Ve$ZE0Qn__`d+Q;O$!g literal 116656 zcmdSBbx_sc8wPlh?ohgv?vUDG>?j5b5rg?vl84Bi-G5`2J@1@7KJRl3S5lNgMVVjBEFwv+wr z2!UXPJ^zKN@a}>KUlKY=X*hkd{o>?m;9vrAb#-Mix3P3IGO#mYv2`#_ITR#i61*)iR5}4*vh-@~^*g8THXK5Yzi`3BHDJhhX{iYu%n{G3%gGWNWoElhVQe={**q$liNb z2IZ@9A`J_(!L?eX{D1OdxvC$Cf2lAuz1Uu!e5CizhO|7=OoRK-Hc(T`$|_p!SYTl< zo@zR0zJfEz*DceVnS87}`su|{Bq3S%Q-^l+dH!?|n>Q8y-<;Lz-CX?eLpYBXGLeUS z->?t7Ut7IBRttK`xf$c~R4C~AaC37_>|9+XR3tHtw>H-Hfq_5@|hxLKpw~jzxU^THy^Pt2&?%^Gi!3ZEk59 zerEItG*|;zANWHtMIN^Z#>}<(D!3PO&3g+Gxkcr`|V}(z(71g zTxFCJM`-TSQd7q`1krjG?*m&~a^80sOMk&rEB%c5=a?uc#7RQa0|DWD4_4I&27^q| zPm)PGV=0!W_%Xq1sS(y>bMyG*vSX|r)^@ihJS_jhyg-y*xj@DG+{2p~Vht~LJiX)O zLJ=!lIcnyfdiTm&%^ZgO zXC$uePi)65Y9J6qL{F!~N$g7(7dl49-iBYslT%X$%a0nb@bK2#&X&sE4kBQUbaY5h z&rp>sq1~l6 z&ZGs``2`U^hs>X)JtgFKqF<|535&^dJqI~sQV@kQoH=o`?1H-nJJz8`r zal#p#`E}A{sS5w@UC2XzLMpwyyxwYMEAmh)F~rLUzebWc_js@q!@AwOxIKhe!HbQ3 zmCW{tm4y?-f{XQs!$&|h=OmhhLYE^MxaD%jS0-57xI+5d187VEx@ z@@7Xo8H1f*)>X%XYvwZj-Ort-82Z4DSh1bBoHb=}vUl|Ecq)&aoA|M?u<&?ReL4I0 zZ@hrl`fK&<^_Hh_Gjjt`CKi@c8WkSQVAa}Nt`FDW$!6?gO>iW;jRn*l( zD^F1%exXgok`&nBPD)A|K^O<~S-=#hxVU;wFD@?fOSuIT`c1xRyRpi@8&p~zgAfzb zYp14Vjaz)oD-BeR$Al=&%!*MYWHvS;1iTi_D(7mbEsCh>Rx<*b4fqeZt-h%#BI}13 znq}W8wTNax>d9UHK4b3VixX}EQyp(1PIRL61J@EYQ!inh@R_x(`sVBx@bJOq6&3z< zb@*T<@XD6w;M_c%KGD5e)NCY^l*HS1;!l$uo|9Ry4YW}(jdx)y3gx^_jV~EX1Sk>LwbotoqaWL5f%; z2?X>%H@{x(&$>cxZs7a+hb8>l^x}Gp=gSE<@dKuXCTNUyH^RS|SXpnn8TULSy|otv z)1+`oO(GPHTQp4}Knwl#NEw3OzW9l@v*+LPH|P5M81^3PCJ%WV7IbHXr5 
ziu()S2sX#dc{*lBjs(3{3+99}O;m{6;|?vmov0qJUp9#S(-Y=638ZpKp01{*TEnF-^~zW%tQM2A+l>U-xMUeQJip-LAr zEmnVOZ8=$Ud}2Qo$oLVEJE%rMPd!B-nyXBIdvRcLnOn?N35+c+?$bN94o92xgo_U1VP+Ku&jiN^=Lefg|AwUbyii1WdHIjJ zAN|`B%cLzV5Om#lK37f4gWzz5@AZ6n+`-fo*K@)Yh4jP_I;)mRiTa69;UIGop$`lU zz(A;}b7ciR$skzcltYF|%`;O${Sh^m^F7y&=H{Q{{FU>dl$ZJ>kUxuy=y5$U)|btR zA^qD5TIEi&3=oh8LlP5d2L>6HRCS`jw|19aIFABH=n*CU8NMxJ*NxR1UfRwV7uUz@ ztaifmv-Juri4rAhIl!M8p~W&THe|Z)tAvn0R|QA-$8f~lLVMuUjfmFm1lc&9;u11BjRMCp-(qdGO!_o;9wAV#x9+D(Iw?5Dkm zS96OJn0u~0Zo~O#9boI7AKLE8mr||k4^r$llGxv4kn`!ENvS*h^WB6I z+joQR@*swNulM)F9*7MmV}VzO`cJLjW@lEmD_&mjY&}VUC^%g@AI44@s&{#L)s2FR zk~MAyfka1RK>Ri)IgR!{sThwk3PYy`Sn1dv7qkb}>_1jiNU>$hBz4bED#*PX?W)`? zLhrpq>*e?$i~x`Tm=BULp&+TY`{<1yD#Z~?L7u-A*acdPi%GDBI@w*$k?M7}18+O) zGIFY`(MDU1-9C_etmsCPd)~ZWZnL#LKbj}@WzmUN(5jWdg1dj{9aTRUOeoQ?MvHs6 zz3hRV$ZH2Sf*T*NQEQ0qaU}*sknh<#9iKp?(_%tBsLe$doS$mg>q_RB1*`(|ziFr}CgKEcvCVtLV|$Il+? z(#Gq)i`II3h`53OYVAtosps9Oh_}=zsDMh-Un7Ai4*nR*$jDS^mL#aDsR`#yS!Ad) z#1BG-nsnR$?uNX|RW1O?;RwKmGv$JFGIe$JiqO!|q3P+%1dKSpEUq&9Z{bBngSe#Y zhyN_@8?v+iTD6tM@aXz(!e6_20{0E@+FwN+V|@DpVz=u=ae9WnYCd?W1M#c1esSDo zgek_ta}M(=qC1J#2krJ^2OctGV9-bodHxl+AiNABVxRHb^SycE92vq}X*E@KN?M+y zujw!K-I#rD9$44c58t$Z867`(TQ=Sqe2d)8T?%7y=Aj~?!hY{u$sG-!Hu9UhQ($kDiTS|fdeUbyb_L}d19}Mvf@>oHe0k5wG zczI=s?>;ZGSmA~!6+`!;U@=+p3LEFHt8(X?yzkB{XDqlu_UIz#LxIRDybDcC%g>S+&E-8$t(0NrVgJbn%t;XuMBE*QszrQ4uwJ~c|Mr$!!jVf z__832Ne76H~`dR~0~q>`S$_OaQWcRCV4gGjWh7g8W$;!O*Hb z;GAFPJq0M{4YLre!6K`O1&C{<19~i`y8Jw?CI=XFoes&0w+LpbY_9J&P?^=t4K7g#$GMHz6-ydc#1G8& zJ7lnLMesjC3#Z1+YRt^o-~uPBoqqk!<#AU?(~U_^CgSDiO|o)zmt~_XKl>&y&d{|zGJfJ6&6)unWzkqQD5Mdk!YLnFxk=S z;g@~ZnQL9`f;mlzWwl&}r%Fc$T|tMY*u=b>Uk5x|>wtzaMTKouPfu$B6t$Pnbx4Sb8BK&blv*PH0IBx| z)~}b8gapp>ZdyorLbJtF%24N==0`%jL2s!L0f&WToXLj_InI!z!>q-~x_s7zG@~2t zvu?_-X=!P1up?GCw!==pq6CEouT_MSTh*pR&%Di`wdl>PD4n2+0!5y<#ue7}-A(cj z>z6B-wyYmO308h2%G47>YBF`O)RXW5@=c!FuG&>pKh$M=mU3uq&z(M8GJwn=i}zKc zADG=vv-9*-bth{c9(6FRECoN2FRiB?CWE?#TwVo@^_J3#iYyeYXAAEJ2adP?ZjS9Z 
zZ4;7(6nvujvzpCHQ`X8}*3U|&Fx}p*gy<D3=O2o35J%nat!%1;e@j-c4VSMX6i%`0A683)~TtnC|<57^fRDxg|ehU zAgilc;2@qU&S+M4HclG93mc!hoE-fxWtb zghO?GmJCID2WuRV1N2GUt)k3b6~sHn*T>8_HLfRE-F6zDUJEi!7Hfm=!j|d@L5vXu zRR;Ew5FCAhdEZFCRBbSu8W=T5GjSiU)z{V<2#IB`m+4?0eU6XqWDE?jxosEy-vlBM zY)QbQF$$MxHj#azi4Kj3;Ha#0jP$n$pmCev`pC5S*RNM*YeJS@iWbgkv#kI-V|&tJ zfNam}u^%-1nhIc%`vCFln_GxRRuD(?T6mQX z6mv;W0F-xyCQ0*_Y;NQRpC*56o zhHVo@ue|Q;yRNKsxOd#Gw)e;)9$p^Bj}f|u;62?UT3A>dkDKacY1v_QG=~0}?MKGN zjpub)qrw>_(u@;%Skv-4ZmUC^5I$Ip0StuK#Q`P(XC^tQ-m{cuC^#62=WCBbqM}|M zwQ(F3Y6jt=Xn~xR1u%x^WpAcYF9w$Wc8Xie9VSYEA3z12JgC0nQYO@2+HP2SqDYZ_ zMMPfV;TlXN9MCZ_iSK8*d7a(7aI0@3j#;em#Jqp-%2cBJmL414-S%i>e~b;ezV)C4 zxUs-|XQstf#U-1Xh!HyHYd+jDW? zs|hT6CaGoThM-7|5q1)Jg%VuR?d>}xMiRys1j`=!I$nN!Yzz|Ifp>X%nP2#pJY2|d zTfd7eGEh3FJzLKQQ9p^Bk*c0?VR4aduO=}vu7*5XB%t#|=6!VH;3mj*UjSikVPgE2 zFf}br3QThxnActqn>bi~Cvg!5nwy*N;Kkf#$Hz~;CLlGF!aMIomWk;30fNJRV;kAn z*d(j5aIPNB&`kqL8jaLpHoU1fk_f}p)O3HQ0dcmW;hQ{_*~^s}G1xoGO4It!zEvxw zV%Mh=m=yr~+&iAWLP7cZ8p*FN5ud^%#OQjgorbaQ*)9S134w&q+#kdbZuUIjLseN4 z3G4I*jVAze0_tF3*&?7I5B-$)@}q_ZT#Y6=aOY}kV!z|VHw0sCW%iB9(&=P}_@&<7 zGO||(q`~E5So;fA__U9F=()2^Yftd{qUC&hcCqYvs*82w|>8-h-TCrwCK!>DZEJua; zAh+?>Kfp^<=D(8(qYe?XWMLU`J8C<#JGK+V=p`4^O~-L|zOZw47OPu%9ZAadf`x_o zjv90!nBoRE?d+@1%&wrMa3omVL zZPjGLbGtn5?<$Pyaxx{s8U)b`->z;iof`zxP-Km>%2lW5p9k#XKCb7*+@ z0CmL%5fSlZifLTtne(sX20S77g53{Mg+aCK-vIY~s4^4YC@!2>krG`JP08!33Ncxp zPUT?r#vn@2OZoT?a87{m`McxPI1BmBrCQoA`dLW{3t&synfZBC=9bijl98z?c-!HI zY%%5MXOx7zMgq8H4Nx0Rr)OvLp6>3SwHwR&wU#tXT=*gF)6=^b9sdm&&)LAoN~{dJ zyr}Z?pN;#6IQd-u3XO%+y?$)$MTn10X%cs4S+}>)3jvJhx16A0KJ_nZt=!xBotzlzj9e)QknwNTK}Nt0-D zIT)J8uARB1OB`&1{iZFr%JJMUTKvhvbix$dZ`_`6sfG4~Kdn><^1n{gM(j&ddV|hN; zV)ObU6)f%l&pKiM-}d4D?>?Q1SqCONg3F9Ezo5wWxpP)Sq#RCw^0PR%NNkb`LEZwJ zPpUgiBqNeij{cgK88&zmm#(Bxyr!`GGYysshoU?Qy zL?jF@E4N6dOH_{ML%e1b7klW*R;f2{+|Q}MQ*S65O(wZGMOBqiRORS#II1eRxiKIs zs~cf=p=e!^tAVRWhtnN3zXS+jsTb{PoG-2&4iN5Zy`d&rue&L*UpXwzy`ix9Wn(5P z5!kcV+Hs2FRps*%&t@iI9DCKxw5J8>*siUgi^?$b7qJyIJkIT`j=GP5>FqrJWDogA 
zQdn%f8L~95mQ_PrOvGSo)XDE*`OZZJMKbQrTn=Bq+6!`#(kf5HeoIA(>cQfy;V0#$ zCFx9$%VT$(Grl+7r<3g>aec>w3C6}oUZxRI2DRp#rHPYgZ?Jv!`{F2K`ZA#a3Xb3qX;`lj$McCVO3$Q^Tr&u&$aLMYM6x`pc)1<$dQf746GC@ES9#*_@xa~(PjoCZ*G}127iI7q)+mp%{ z(X{*oCxwg4tRc}D$ENhxna6iW{=UI7lAHA$mDf{;?@V22*f#&CKC9!oYB`Pb zQ%9P`5XIl7Ygr#!r2~5$p5A5eh5LUmErQK^Sz$Jav2Ii$8+1k1NREk4ybw?WT>aq! z$tp%q&l~128l%Vh>6gjMdi{+gosMBA= zwnxUtp~U2ZrDnWYY;6#d3(U@D>Deivg0}MZ$fmJrC``LfRE)ES(B(oc zScoh5wdb3W4baA z+9RJk(Z^UJTltoq>8`eGC!HTEYCi=pom?!kl7UzN;-+(Ybe#L7$TKj?3V}H7OpX)K zzyKWIPe2jRFoj-7y~sj9x6@efl+IBQzu~eTOzRA0l-LzsDV9uwPs1b zFeuZ-37d$OBpTD6qyM7x=@0o|za733G&=Z`&ULo8lQF0Yw|>5kv%gy&R9~Ik;lK)) zL_$S3ZzuX&;^+TeQwUT}`}-uRd}(1D8?SyOCe}H{Z_`YearTX}ii(MeRc$))KldKL zW$5`es=W=L2b(5_c- znYg{D2jPRzBON5uyNSE!;DF`cYx&$9@Z*-@h2zXYfe!go1H;3eb6k6NRG?h4uvECL zv4rBS_r`SpX@^yyInJH`WN(kG>$Qq2o2$(9`L?P1EwHm?)_d%`tKQd~oUa@K^&Dqu zUi#cBo|ftaEtqj5X)ul*=O-41*NqYg-HXmpDv}vj$Y5fbs(ox+@46!4Ev4&FKoE_uwOtN>x;wxGyuR!&<)9#!z@{dFY9jQ%fB(kD z#)b!@`bzG%OSm1>B)&-;)M^}Xf}bw^9Mkrs8!ZPKKs}LnW%KSA9zu8z*BqBeF=C*1 zoy2v=CHw2|Ah}y$H%XY3i4-->djiB@ar@4)t<8hr(bj8%8ZIs*G_>Ybs3p3Ww>S0@ zB}s2IY46Ubyzv%Kvv=w{2~*7VjE}mlC{L;U=xJ)9nJj7S7p37?1b=r>*p!rusywgA z?whaGA%Bu8a@Zfz3(8&X*ytTE_xbM6I}P(KEwY--3S=730LgrRdS*M*;)yxuY8JzH z_C<^)uEq)UqC+uzL9_j8$9tl5XK&qcqI630d}jjnc^FxN_Gmw#`Q_zEtS#KA?gPFu zj^si%EL`rIE_}*wTnUD6!#&3z84i^XkxoJ^5b+`|>aQk~W`N07LOUsB- zu{3N#T;zUgN~yiwy$Xv>B3|AZgTKGRL!eZLNIw{;e;Lxx)mlctz}|_0^95;ym`M>a zyWh~$_uG|pRcTZjgVqYbq@AId)|I-6XT9XU26vZf$5&UKTDBwRmDFrPLa;K?BvODY zc^(HEnq)?6OVsM8qAA18fvGVI=X%Rsb3yF5;l_oDq|B9N){HfU@58c z`1x#0JFIL9%Ga&smGR02;@aARDg$0&-GbQ} zP4V&1k&dEQY}&t=oSmMQn~wTa+b-ih++K9gb~*C;+{0;W>x?zIvRchnq5~z#0++Kx zT-m{Dz1y$fzq0h&gw2*)(^g$ourmx%oPt zo4e;~$WoN$Ww>U4-p3BKOZtm*=wAY()JnCZ z9v|-3c1+XX-c){%j}N}s%l;_fK?Opx|9YLr_K4nz(DLx z>+P=Ax~F>uc*J;~D{J%l04j~1yh@>0F<5sP*xOavj*shiIJmgaN#)HO78rMV>P7@t zDJ3P-sxu2BqT|7}Epwqm;742@AUh= ziP_mzgEJV^iZz0}IKti5qZ*XxRkyKb$l_=}1SRIts@&XYRCsX#g8q1zXL&s*=ATwE zv~Jl86VcOi$nBpT90G!PiQ4*g#rjOS0SCxzm||FV%ia@Fn{^;BX81m$gMQLW+GrU` 
z;}0{lvu}jBNEy{idSZieG|E?AHs7_?4Qpb4NEbvF@@o%7%+_mbwR3V11+h4RRWCR- zRr~(B^Fz|rKN2H%06ySRg{43!YD7R>J#0D(@D+u~N4zUH>b2QlYC$|(*7N%ytfP-7 ziK=p=(cr+<(b>UfxWQK6)I{0#n!HH8L<-!t_5PID>t-_#E24XQQ2<3uOsCxFPEk_E zwkr&~limI68?>1|tJ2#R1hgzm-~;uI4QmH=TOCu~-G&Xet+#l{$TH)#*2D|0%TCot zV`R9vxM5L3K?=k?>pAcl`j4SUS=RI11Ux=WhDMkMgVWXo95&UTv4%!Q+IJ>Q#|l2l zIJFKj|A{<*4-rk_woYa`+hc8$V8UB}L_Cy`m1XOqV8)wsG#3J@Y;;N}h;@Cp3 zO1SX$yv%CNf(b;x6or=Rj2FbY7u8TxOLc3sc#wKreC--DkXYT=@B@urCaqeWtx;N| z%YApSl0Y8A{Cj~5c}Z6n5Kn&w;w`_Wr3IF?-Qs2VT*g)i*P>|AsordhWRfGGZDRtm zbCQR1WoSo|Nv{G2_}jSsncDkg&h}y!sUGZM_h>8V2`8OPs^cdGN;*1*2M#isX*y2roesLF)yVH5pDZwF=1Lx=+8nR=8! z#FVtq%MBz>hN?ag);aIbVB6T(T<=e?W-1qAVXeg6oIRPM z*^|By$b6SL;&zh@{g#j%Qe13RZT?bUjR&+>m^6-C<@NySgYR^-M0(Wr^d=i>+jR_P zbalsn;Hx~-jU_$M;q1?rQ8vpYog~#-&u6MH>$*7}&dbWn_Z%*IvRh0dRc*1aXCc0S z^g~2I$TsSYPP*vPPUW@7q3))(b9RJ>029Ter>95SB?@|ayi!Cf^v~rsE^auV<5JIw5v|?+46>x;IU8Ro2=5<+FY0ISeE9&}hDA8%>aN^Y(m19`-kefy52-RpBJ>W z6S$vWytvOQ|FqI%+a_bR|0cq}5SJYVPFHY-d1K*ZI>abe2UntodJv53 zYJ6HmtP=a;hzv--;<#Cu&x8-}FHW7R?!d&GH5YVz;sVadNs4d%C4bF3IXw zc}@4Z=MlGH%mX`K##Vhr&TuUv+%<8h&9u~oAc5zYhRnN%9N?pbI0dilPfqXQaE zo?@DqvoktG{~oT>ajx1uLT#a`6L2NlG2hu9=UA{hjxFgpe&lYA zaoU`_CT?U;eJ3yN?hX$TEh+8%s%lx`JdYtug%f07{!#})i>_emn=Dm%Rh^8g2{j5T z>gx8kTX*ljfB#-U_+1YtH(uc%%+&=B^&o(jd46drcf$d5to*8ZR`+`~l_=S!MM14k zQN#Ee5fM39&OH)7JJ#jkE8Hrq;G@Eu zO2Mlk^S8TOJ>}bM#1X1=iS)n60&($aQNbcC2#^Keqs7#jRF(*4fIr||x$d!}VniHN zdkM8jQf??2kviJ$Sk0~D290}S7ZPz$Lk?;c7EZBQ-oLgkm^!O;4$yb7T7OCzM#=6m za{AJgoU*6H^fu`AyPE1xGaVyKBWu2^LLK9Iw&Y=O6Hu8iMn=FK)1=jQ>Tc`{Yb_6}yZs5wO`jJM}I z!MlYP`}3|42!M2vLDz8A*7FE&vKEJ;&ArmPUHgI#q4Nu$%T|j<@d(=bAR(o!qmNt2 zpxI}{tijQ!S|0peGhQqZfkOBZsn&Wn8oM)8=Q2i_vJI88I4({ZBv0mAWEVGZ||1a?0^X0VDiD~LcubhGR62FgMVDXH!+uwuy*Zbe!;^G=M`r#G+859WKA^_-<)!>Og zqsO)Nm#=Zc#~2xKAXtQiFh8TvqsayQySl2r^iD!~^g$^G@dH)GXPr8jhr1ULfJ4nI zqCsYp&%I%WT2i--@m#LWAF4|*#lF7(9{W2h>&^A(rw|wkk%#ITW0VvheBGSwZFD+% z<{Gz=X2G*kSkUH`2*nhWkbnhsNicYMO%kNPBmx2w7L`K)Kx9@P-zEU{;~9+v z`N&d<+pIwRfYQ~YH0#&Y*-+QeM?LXy}pLqU#LL@g%<(a*y&bl<=a5WGZW 
zqgC%Ly_C4Pm%o=?F`ombaMBYt$e#iE`LZ+fv!L&e4)R;b!h#^E=rJf|bY@GS|Imnq zUwK~c%K-id(1xh4%N)3A{LVqzED~S7;7ym!`<+L=XSzNXa^o7;JGFp=BS1jt?j~&y zi=_ksF(NKc5g@jDRpvJmA?P86ugNXd$~sLmy!_$GheLteQc!rjrl_QiCgTfncUa8^G{?MG33ZZ2dD|s z_I4cr*TK%Pm`{0%>vu;!)wlQSw2|Enj$0?4R}o5|J_ULn{+!-mzUz7H_3=r#S1*%o26D@5_Y>BcX7i$oC#@Vmi0_csLp+U4?h+lQh#)K=J-hHTe61^W zu;3zzxL#lin>GHv=n7v4`w=PtSHYxLi!+#5!Z}O6z)Voqd`j`_uVqTx$+O1b?B6ih z1HsZ2{*v}&7`ps3KK$!fzqqpt_uru;!AhGq<^2rO?ZMV^DR9&`t%e9l!_|{JHdxS;(&H_tx_xT2YLm;VgW-# zLl8qlc9V(f8|x`Rz0{ITF^sS@Gehv3E|#b2(y{H)8<@uUMoG1ePLnvrch1?jI8%%- zyzef1mRjxrZH%0zi|Fes0vOeKWBB9XyV`A(u3pDEe67$U8_g{$|YSMidB5U6+VwS}ZZYfBz07PU8)Zv`(n(g%s*5Cb@SK{e-c>GCZ5)GVpxooiA^fq0!vna;FbLBNxh zJXgJ=Bg4wwg!Dx8o=2L-&m;6<56~MQKYg;SOmC2+Xx!g}0;^TF#&N9U_F1u zB97X(uzoba@0#K@?_)Xb+q!B#NlnhA+zw9?)^^+ zkbCP*!FpVLC)_nQ%U%zphK3kx4O{8lEY@yZcr2h@ae3Ga$haV3eDv0v>-AAPznfb8`b>gZB1r<-EJ%V8+32 zXM>mnzPP7d01=~WO@IH*_3f?UN+wJq-&|#n|0ni}e{pef4PU>aJWm(kD1gN8`tAs~ zufJca&Br?#EzYBbtfB((4G!G-9`uR^dVLAR!ARt`wm{LGDjYZScPdLQx~@4q3<9|2 zPEf>F01gxMY{2d^QI^E@8~pT!?C>FGWK>isP%QG|_`)?bxF1^@{uf zMFeXCnlj(ytyf$O6rA7ITMkgsSy?}Wq}^mqV13vxX(Fv%UhB9hV%(k|1nx{6wT5%G zIC|YZP^8KUM#TF*VFU*}d@3*pyLox~;_&}T|I!MSq-gJprDSt3o}dgblY*|iUgw{Q zqWSRCNvF)d2^2t`ljfgFca!M7n9Cx7TJipV{zz6)Q3|L$>^(u70kRUDs28fi)YD7e z8p;jx$gHYh(f!}9;X{3}F`;Vf0e^?^r$RzMD;*rfjHP%=(TV_~m0iZ%7^|Ew&bgfTRZ(djt0*`V+jESwkga>c(jp7wIf*8=wwMr5 zsD107&HMhoA{cD7-p2TMbQIe5bYC<3wzQPxdE*(_B-fNeyrA7M@bahO|6W#(8YcqQ z0iwTC84q-Y$LDb|Vk~h6Kz_*6;Nn!I|G$%_rl%=R_W2_2Y7b_DBZrtIFVSQGaksFz zVB>JGt=9g(_xiMnzf$wrmRsvz+7-Si7To)EUb3>*^96-M!bN#rx={1|9;4j5n30m{zlmu;}Q?DW8QJrT&}0SSePaC(gp6qSgJ4 zAh4~0&11t(QtHxb$KoU7e@nsqyZARkL3eN;1GAWF8qoz2I>|<@T`kz897x&daVO4z zSLeiKYY8x>EU!cH>|3xe1PSRlG%pVkG(T*Whqu-K+sn=q1-2`DsUb{f@JGYa%gM4Z znbkH&Nd_p9i=Z7&5>9kbU~M0|$60u6)&I`L?-Wl-ZTf!r{&}0bQzuZWXxxl`WLl_0 zEa)B%?TeVQhfZ{Ljdjw1^% zinEt$(Jc}4z|W7Q_vAIzu4%WTK*lns3?FM1!Uo^>uHBLQYg4osjBY8G8$rqL>$lZk z;o`$WfMD?CIP#9&drpU0o1+oeE|&z%ROt`g&7|sUfjG9E_3failoMVx;YTzCIG0AN 
zq~;%zR2|ngixqd>JjdOWo(8OOgjWZ=iD8JodXc-gw|kc)hnxZ~2krOp8AP2_5TJNA zSjCJuf&Sh6uaJE|vEPe-(IkKa4_;SHduWk&CzSVg0(IBj`S}|vVv~aZ zEj0_ED$}(Zy4>CoL4IF_b&+F=Agc>B?Rk{A*c@uyZJcdSlm^<*Fa0>XcH2tW^GFjA z13dHBuMw-;D}H6dcS!3!k+;5=hXT#N?=V-c@0J$!Td4b@NpU6nS-TAMZcA+{g4{OZ3#1|PZNgW)DR6hb<3#t(fpEWV1P|2A|p+hB7eDAUDN)ZR= zTfDq(E^2r_(m$n@5phUJsI~AAv{|s6w$6rLIr8rJv^lgr6;4iaLIf8U**Ka~u8UL{ zb|*`bMddAaCy*4}qQk`aI(&QjKjk6Mw8Z>YAfCwG8~h-UiXSbVV=$CN-hk_zf=$`l zQG;buSje)`ky&N-}ivXxaaOg$l)n1?h1-oJm4{3(lo zfHK^8>b_oB{ddW>?zT-3~E!1P0u*Tg-gLY_V==f8VkJHiNQ&5g)IitTip@`u0~Z#&us7pK!$SY0Lc^fFfUy#2%FcHG6`v#35w&?AWl18F%90Rd1r+%U#* zTF)hc)e~vYXJFxCjsmlmCTw`MJ5$m5GIG0Zy=;PZ?A3)(4cptbI5k$G3QrzK$KJnv zN!1Ifv@WB))YJkIb&1TzcPm*j-ebxpH`7-J-GAXh%WdFJP-x-C^u{pFJ3xsnRtbeQ zQlP?BR`$JUZr+Cj{u-y~&CN}060fw$AFqanhVnmGA^gMpcY3m)O41=N@v-2%K&NTC zB{89UF`QEP4Ot$8;>_&45F1UDw1k-%!O00S!FEx;W(m<$kvgL)%eDm;JWxmpUwoqq z4?9N6HZn9H&nEQn@NnRhd;UL9HZBj$UZKE)lRKxTawjjoZfonEgle`k~k&vLYm^_xw8MkA;=9iO` zOG-*s-b;smRV$*VqKd4q=T%`40$y35T#X{tT3xRqecTempKoLn~B&%wae`H8{jyjp=v%OL9r8BB>@& z*quTLZXoX4x4w*sL>%%&(K{FG?TIEt$nEW|b_3D-md2V4O{4> zl1)#yl2R5r@PAPDmQhuGU$`(9N{N(6t8_~@h$u*RcXxB>QcAj;Lm!YlbeD8@r*ukp z-o@`f-uLspeqhL8pMCaTG1oJn`OG1$8nj&<~mzjzx!4KuF{f%SA{@MJ(JKjqnUfzTA z2{B1YeUP0%DB$?CQmsgSv2!*_+TWe-;s*$X8r{~29v=aq0{y4>Ko_sCQelIqtE(%K zz!`_nwohReMOJD)MLbzF_gT1Z-`$ZomDv4slAA=_KuKt z4U0v&&(F7}g!8+nZO|vhAMGvT;NZcqtYu_A39cfGd{nm0Z!J`1S<{!#kszg{j3*a= zo6byo>)hYls|OxLp=hT+*}C!1PXXNR+W`d{9Qf&W$1eP0eJ|0TPOTy)n`~h%$K}Kb z^~&K>XJ=ht9GR%aT$K;nE(ees&>tw%U{{zeL5y=&Xp*x184lC(SH zMLuMvweCz2fQ&m?MPGf#v;UGSufg#je!y$u&WQ=XoPi`AYjY7mEdoDmeYSE}0?O@^ zH%7S%fNE(e1_}DTcXm73Bz(y?G?dNbrjaH9_PZtKQ(qiCqkDrGx#es{>%tgxeouoz zqvref?^FWr0%1UbA)70;trpQ72Y=7P677$6_gl6t`KjfT%|Xq-M$?j>K(A-<57}I? 
zPrjoT`SCl3Ba-))yb#c(owy-DmBY?n?2H)|6Vnf8G1k@B7lLc?F>!E^ld*=3gcp#UzIW9;i|nx@NR7N|LcW?c%D$5GeJtd$mi znpr0fk&~0-w7aANBCS=h!b8#yvHXX+P5zb}Nqnkrb<$B6%WW_J zw4ck)`-9~yOQw)AssiJra^#l`9oGZTuemukdq&GA)m(>98Q3R7_UBgvyRh)^zJbL; zM@MHe+8zEZAgtu!udZ69MHrB+3jUdTg;p;*fGL3aVp)rEvR=h`d2fcOW#yZ=>~_Js z`)2r&rHxbeN}hZ!7g#mmg|1vyIH5*;`wMr8tfn+Sekf0uyD=`*Il)f)pwl(FSl}IW zTfFZR5|el5&AY-hzim3!TT8?dLIf>KNoFVvS>EeOj+$(NK=40B1- zivB*C05qCvZXze6Kw53{P;PpKanTR<>c*QUrd@T6*jB+ zWK3k1@bK@*v_U?=9uCG(k8!ze5Z+u6|NZyFIsxeMzUw95 zSy@XlRa%LsYZ!&AINv>{+3D{f{M3g{N9|Y-DQ6vU6~-cO`jQdmA;zrRbob zKY=}ZEO)33virK}{<_cZz}nLA8@M+UGqcgd{WFk0t3-3JS6f>kn#D;4^K@Qul>g0?jdVw@_vSZ zO33+{GVwV$S5HPnd=NNo{=S!)Zl4AC1RQhE_xRG~`MJpbx3HLT1$_47F;R-(%7fvsS%?|POA);sut_iR zUt0tpnyV`M(W(~Qr8~6W+N1|R`zN1IA)6;N3|}$_0-nf(g!bAKTyf~Z?xwogc%@uM zy7ECP!hFrq8bvAb<)F7*rQd>^WAvul-bB4fUQ;<_XY$WN8&MG%##>kUMUpo%mkkX^ z8@u53upMi`)1iZ0TCm>_wVlbrrBwpS-!}e(h&YB%Hz-jiS{x`wKM74<)p5MIt6E!= zl@gv``(|Kj(Hi6=(Am^}!erLx`r2R1E7KO79?!8I|9H2O=yqs&mzAN^>#ePC#Cnvy z$HribX=MR9vf83lN8~SLip&)GA6CYYq3{Va)f%1Blo~ek5p0sQQS(;;i*&b`D9tX> z(+LT3T~9(nLVg9+Jr+oS$&EAy2;5wd=v)*pobJs?64zjq@E`!(RlToC!Wn6A@?958 zd9@Rb_S9L7roi;VNJTeFC4HpCWh{<)Nd7IG_!265d~zcjKALjza||pZArMCCXvB)f z#Cp>0A(3Sy^aX{)+6AfbOGdh`kalYu=_@p(tSi2rtonNM#7!b=(yv5{9QEADS# za)I^g+bXDNs3m2k6kODJjEqCfgU@qm!sb!yMU6HV?z5J^c~#F|aw7V^$N@o2Zo^ zYIhHj_6e>;>qC6KGV#K`d*Zh&F81L_ub~Cr?TbnxXzF)VkoM`|S^KPD%Bp2x!Y?EQ z)y~dty3T_#;5EsMmY%EoXMN8fkr4|e6H{Of=R)mFNC*x8%h^BAUiJ(r>l+%13JX(+ zye7$#&GN6PF+LR5k{#$NUU;&uB`ysM2<-KppVxTA!AeCmX!w^lM=OR>P+rM`NqX6W z6Qozu;dzPFK!o6-f78uHS>gLUPLxOl0SM*(6V9CNog@t{*B1`EuUoComa6eFB$;&HT z8-};CQQ=!^X^rM;J7^R%5|~?!=r4fNJLslxOV7+mOv-VPC0WKO_Fcb`n%=mF%9jR> zRhS$N-h3Iyh2rB|3SU(#)2gcc?Asg1OZj{d8+yPbIiVJs+C z=CcU6UkIG`T``fr>i9|mT-RLJGqVt)hi4#2;c&1lUGHewJuqN+J)US_yaY|^7=o9; zSF4KV`WoYev#2ZKo*pFm%5Y(TKt6oP*qg5<0Hw^Dy*80Mrb={m#}2~&@$~VgCM7AE z(PZ3E@0Ys({glggi`&8tXKT>4-1+{35U{u3#l`7Q@Q)ipc1DMK?pW!9tkt=~Ie?`F z_zt8>ADXK;mS3)>(}=0DCUvPlyD3?lTB?GsPnN} 
zWveBG8VhoN$L_)GMV~qp1Vj0)Sl)>h{LR@j&{ytqC{G<;EOqj?%SWK4ZOkWOTIK%I zqj(+_L}H{R1|+!b*4~|LFbs>XfQk^8n`vwzcc#2MnP-8))Y!;%IP~|V97y>aj*#bj+>QZT}WPvyo^D9afF2Q zRRs5(OR?YtC_d=KFNpoZF95dhPdy75?+xk&COg!fN5Tso;>8MkJv12`Pt_ zZ|{%`kc-Y{;%KF^dOa{qtEk&A-+uE<=2AD_?`^nsXSbYfbz1V2b{s5kd>SGjh%}ug zCc$83WzwE*RJ8ujQkii~=Qz9~i7Qe0?JWakypg}Z`*7w!G|DAjRAhXgw;@VRbR@$; z@^B+M)Qo>dv^_L5)O37UdNa-1=enj&!T4nIU%z&ZFQ~loQv17e1|Tq&1*El?yg|&0 z$!zW2U3Nyc0YBgipR6@y4J5O5tUs|=jbpux z4)5;m-&lc(-=2;=mynb!DK96b=JM+gL5&e3XR6j;>*-u_-9@92NN8W_5a;q-c`l`x z0#uPJI}`6ypnb%zbWC(UCs!45Ic&Yk5)SKJ7>J$bu?72S2ms=`gH;)1#L-o(<@26ANh8){MY4xw6}`$>-w1z<~sVG?*9) zN&LHl3x;4|Z?l?iNPuQ}y*)7cQFck7P9PyEQDaZ}8pseTV{!7RsT1A_)bCQc&Cc4g z79Mtq*`)0Mt&)Y_alNq%-97TNm&w`O*a^8-qQVaOH<@gksWTA_Ymh%!wy81#{Jze(ZM%l(K9$iT2_UdZE7+SjXp=1xFTflT8^&+|2 z6*YWgd2M3@6Az+pd^p`XF!$?MNNZmk5iPAapz!>TSZ-ahQy)2*2fQ2#3XsdvU1?1| zGdp{H#vzo*V$A;%ov3pN{sg$gC^G-qKmcU^MQ`&R~>W@h~j1;_pAf!dSJz~EpJZCGZiwB~HJxd@mP2c>=+ zn-bs|zVs{GYcdiR77oF`69A`O$Fh*ft7bgGFQ9B)+*?-D`Ct2dw-B?3oyh_a+!ZJ@ z9aH+)N*WmQtM$*H)FuyYm`iYu#I+0ZMVU5yZkR_X5`l} zP}L)GTPD9bHa;Gg#YjRIcw#9$PCoz-aC&x@r@a(V^>22#PO?DmPH2F>-^RhAWjcG0 zklcuJ*l^eqc~K1s3VJ8bA&+Mn5R^X)yqo17I9f=yM0o@?5aOV7>r z>+|nDgL$=Nv1cB})Lq&BaJqby3-P<{20U~pB#SOr&HCj~6$<&M%+0LiV}{TzC=#*>@ZpMZbh z60y|SdB^+0n;d21@ACfn+Ec7lf}pZR!qU>xEN@Yu2s?Hl{b?gWdro51-fDR4_~2Od z?(DkYf@}4PLw^>Y!V5`)H{T!s=zBnF^-@$2W0uU7jHp&_x?m#e{f?O>7sZ8zCurnJ zykAwt>U8F8LAz$Kv2M#!dQ95U7KM3bdqc6p!Xic_PaWH^Kjk|T*E8PY zEl96sPxCQlEOPmRerkNe=h+9RT!rI;jaGkjfwoH~bayW2E9ABf#>i?ncJuz*3?Z@D zzV7bqCG~?S`5*f@A2Zx-O)J$_R#p(2Aa-_1?gzGy+$c`^gjucU9b#p0&LH6bTJy$? 
zZEW+T#@sd}v3+p^0Yc;-oOl&Ny?1{!R6Ax!5yLRaUK1m`d-wZe6y`SffwG)9YK@x; zvfmdeLN+ye+94>7V&~*|Nd7mrNF==NW9|*rtE+zgie?2DK3LRG%sYqj;}b}fD6Tod zJ^tk%eQ63>(vQqhpjhJGo&_G)EiE1W{^YE5Dz{JaGR7^lE#2hgqyof~cNdQGzz4i3 zUu3|oAfVi9gd``^0?tLF5#Kj8l^9?eTC*cR+{Inb&~;zCn~6SOO7aye^9%2C;_y`r z-S89%8f@f6)6o=NqPmime$fpQ9u>3N?>sE_{N^W^2W;l#lwMc(XyvaDR;z_>WR_Sy zHV4(du;#G*GbgDQ5fM2!pY?Labscl(=hNB{Sfp)UtX*nYD+BRjYAUN`;aplxO>=fY z00AidE6vNieDwiSOz<~?G&(x|I9&R>$*agnS&-tutkXg;o~I7L6U8g(1%l8dX3GcS zQM)qgVY9>-(4r)K%LaL@9J z^sN4*Of4Bn#1qr;dipjGrM?%*(mnFN5T{qZVjVv`&uo(BONwLS{MUA|^ns6$2n8iL z_f6s#DLjviiPh8hgo8I{1M%HFvkW^drjeFE1Ogo-ox)p1}?2GC^ z)PShJe}?@MMJtI-G1W7-t`d!hA1_Go#bPeSH6nKwJi~@O?V$c#$7a_t0S`Y;jO;+M z?N4MViO1l-@t7O-T^@C{BOfnme~5EpgfAz)60Mu+2;~5%*E_?K8{<-#q3uIS7<$-% z`S@H>-zi>XR1D2FweOtd28vOqXn1X1d%e2c+x7AgdtXF$boEH@aE0wo-juSE@+hp} zi}_`?dVC!~3r$Tlzvk_4P$t%jdMnrMu4)`GXQr)}~e#x>t;dM`mw8 zJzV0%NU=0i53S8m@{$xIJ1F1aK~SX8FDS7y4td{zmw5H_P^IFm@Xzo$ zG{NOPf_H?kvz8`jfZ_pqPSDlrKc8F%DxLO?%3J&WiUzpn#E!(y*-~op-qPcdKY)Lc zCO*~QA43s(t5OOo3p+Y06kM;x`D3S|gWdA@=*bvF^_Y<{-JN~72(Q9|JG=%ZHqJ@D z+jE3>*@Xi}6jiG-M4o)Z&7rzde`e0-lLBAkwo|I|;Gonkm$8yxuhmQmJ|ADB916y( zpWmro2!gV&!g(^FTn&dTuE`9Tc!bhz(}pUO*I*NMJa9ugMz@yZ_Gzh-2<+@yq@v20 z*YEbL94#&nSyIIM)2I|u$$(JIE3)s0GT>d=%$>*bzp+5`M)rwX$X<1{(}Eg_g3g7f ziZmO|Oc800YGr>fb<;oLX*jIBGG|QDl{uM2HJMM@!69sq%2F!dK6ZIaC?GKmRe|c$ z&+}cKggT}Es3lCZ24L3xVeG3^8eeXCvk}@srszOXs+>XV$(P3%;j32t+*}3brW;yT z2t>bq19H5!x?Nj)>uST;Of)OfX2wu)blTZfi=XQFS|u?-Cp-5eHBWSQAst{0?U_HO zv}H_*_DyKMl>q~heJ1WcSDW16SaW!2G;}2|MG-4T?kYxZ7V5vt@g?E1k2Oa!_0XI4 z6(ctQAmF7_a?UzFuP&2@g)Z_Hjsz=5)8L=okQJil1gxgnk5$&T; zlafY5>rr0Hp}AgIF77Si!sL4Py*(t7nSxo2hp>n-0_*3>StcS6_b>!@!F2n2#TMn^ zv1tDr8i5NRNsYy+yu(wx2CM$(Yc{i^sTTC<(~-@OiS8k-t!>mGQ)vRmeel{H<=L}m zfRtajs~^rbIZH90vgTa}E-Cc)e@iI!m6JM8&gp*N<$mLg*DAh)6;uj8+Q5nc59;PJ%zq13Srhy}o{-eg&elvi>w4 zx4W0!SP|k;U)_x;R9$M<%*Lk^l5{0Zwm^4*_y6?>Ft_+9j4kk?c%tCh8%)gJ$gD2Y zu{v@Dz^-!I9%Ca|6*EZF^Dke$Uo3i@OnI0Ll?^M$OM51{8&d$CVJ_tq;4JoM5|Dg+ 
zK@iTFZ@>#viaNA$%94VrN%Kf7<56D!HyN!cR_!H>c}f#_-rc{|ef<}{(u%66s~_Dt zJz!xaqM(zRJudm@%P&C9q`p>{@|ik)+;~Rq48WzTRhk`(4ehI_@h=*(_&rekZ+3rr zmzFZYnFvTC#T$Y$UTrXP2+U}6Pk@1FuVc~sy;Ruf; z+unZu5sZ+67~oCRs}F!tiW^7{@|CM$1a}Vi3(UwEbd=J%mk;_1wg^IZf6v$qI~#-B z7Z>0Gm&@ZoJ!WROKn=ntf8`qSK}_sHDx%fPA217Dtusnat;@e^d~>k_fwcj0Y!Z06 z=EP)GzuiQEqT$4G2ke|gz&2<^AT0NDLC4(Ou6Cg8<-waVM5ORMG4Kh=|&*PH;(#OpiZISyoT}D!{~4bCG{a0Cq}$Y%=#XBZtL%%2=+eEBA*fnztTj)HJ0OaPS&fM>mtu z=fYom=fWnH+-I}QYuBTrq7vEd9c#N5G&Bz_|DLGmW8b@djjlda8MwUkAQTHhY#=1= zF}8mj6&vrAR{pr-x^zujJmX&M#aG87zbN;2_YSR9g~1JVbUqiv4J5KIQ_51m=Z$do zdlepA7~h%$ z$5cw};VCAMrY2mNR&=k?CQ!NSE;ITO0d+Ra#9M3ap0${R3T>dSlf!+Wf!uGpZ>qFO z?VX)rPbs*#xib}lQskXEe=JA3pY9T7Vq!whlat?#m8=NWzHM(jVl&uo}w?{)ijzryDIRuYo4C zUk%&nMMd?|-PpAu-rg?GDO8qIpVYkPEqqBHlZg&Hgfp|V{;lWG%Cb&=+rLniOiwAj zOV^hW7u&Ji^8WQpM81y4jhw0tEFn8TiE4C1;|ZWu?%(fT3>4N z90^WIfwid-_-oD1nGDHvJKMkrETuqU`8rb#Fs!FP`=#pov)T^mFcQuorYTW zBT>!2>WBs&n(i^><>jIJ)YN%naPd=} zf7g;{HFbew zVQJw|3|U?=bliXao{!H5pRHl*#>|?oe_(wz{u#W)_~3^e6Y8Dbufe6tOa`sG{tVKt zU%}D{e|H%L+6D*TB2)^u?epDmI^917gQZZgApzdSCQnO~-wQBfzP^iekOebEsLSfv z6yRmoFKSV|GZoD&3iGt#uhH(@Y43=~#V|ogVEwX3o{TbAreh>>|6cRAd_4t1t&7Vo z|K^b0kXNHM36N^7Zha8ce?&EIt9AqKVQ;r0iVIN)kN0udKz_A*u>nkCjj|0&4%#ymsCp%-l;I1X4aVum%^vd?!H5iz}ph$I|FEa&29C@E|iPMrG zFgHXXV({CS`EnN0^zK}MkZ3ROKt3G6Fwl5~anoH-a5<~OWDy$$1*LfDmF`WL=H=B@RD8U+g9DxTy_#TkG4#qb?+G( zqU5eBk;r}h@9Mt(L6LI*LLSlXo8<3B4cHMW+S@R z)&Y`%zS&m))C{#wP802KD_2Mmny%enk)QOm&?;Y@-;{oj^40da=A533j*r(~cFy>O zcX?Z|JRcaG3+dZ1Ff?Y_y{HA+lVsKOOXaPiSfRFsrD2|Z5y6KHcNRNTE-tR| z0(Ang&%lak86K9AqIz~t^q!l-KYvi_*u~!;F*XSAZ|+evr|k|Zy*g{#^z^T0rQ5dU ztggg|E;u+BdTKCQzap}+;&Xqd|#lu%+DSKbMs{y01giKcNaBN!>=@R)z{H!>Ghf{ z0|E0mh6JA61==kL z;Qc#yDhW8<0r%~hM%`tzDlk?|$#=Rj+B^4#b9B$`Ry>{|E=^6Eb$AWlbd>gPF{$^`|kQ7$do8RCe>d7J22rEym^tWMt%Qj3rOT%7bx9kg;8C z(+`p*N5MRc?PRKet6@(LJgLsyb~S4yzI@4ie4Pr&&EQKdMh*^XSN*^5O%IK=MJ;)* z#d~_Fk4wRz=Sep|8T~ud6g4_JMoYNb$e@KBGwXO7@3=QhdXUVmA2;44&q4jD(%D=p zfU~*{-rB*llnP)ROIM$F#;m;^fKY1iJ_?>S^|FET?zZnVAWS)m40IWjG@BdIP6F;{ 
zgEg?~a&uw#a^Fo72K8xO4rc5(#KAM{wqHyf%8uf;3CFlG7Aes}_GZPCKAGk>9JKst zd;Gv?kGwGrj+4wG8?ybk1PJQwBj)ptu& z$_@AN_5GT6*S7$p9`kBEaA^|>i(GWye3tjQAeKxt>MflX#pA2-7mt`^Gd2@bKmKyx zPz&Kv+nI*to{n9Lav$IdIukz5Z9>93YOpM06omJwfZHV90nTe6y43rte%I4GxB+Ah zus+a|r>Tkm0L?wPp}~DHg-<)bzjQShg#Xiw1nHww7YxnPZ+@w#u zjp1(2EG(iQd5ay99FO9yL>rlw7Vg)vVAKeVW#;JEYPmH3xM^p-wxvIy_&~wf-)#8f zW|E19ASR+kObkMf4Yxs4mow8UCq@rVzk~FE(4=c&AQXhEYbDIo)O1zNcVB899K`yu zMKd~CXzxt_5fTvS(PtSg|&Q|X2?cJ~+rSiL_ zZf(5-9=CFF>{FRMg?D)Py>q6f+p$(OP4R(&NQj7t2Ac+bH+J^+Ksl3;oY->%xV~I_ zYkT{XR%UW7A#kmVdMrses0`j!EE1)?mRiYtu?NvS#V&+bcr`S~({ zzj*O4N~TdwF(rS#XoB8Ti;kZ79+Ia(b$D>iOvF<`sdMn;>PXqQ2xR-E5`#c&9+DUg z^VzdDJJ9tZWTn6MI1e@AfUQ^kliT{?V1M2v--;`)kwNNVuQ zUD+y)W;NRqFG^wqWxT;bjs?5EB;@mqLOk1*ZJR?eHl_?C5>U;5SOQDqw|Xu+n5~-n zT078Vhr4N9ioaNahKY%KFDoZDJ0Psu*vX6Ca&ho5Qs4Oi`UKQOf8i0!Z+&(^8DEQu z9a3GboOf?{5#^mQ>K29@skjzke}iE6hH0snUUP1VHd}Oia)Bcs`GHhB{nVD=K+< z@&jhz_cDY-@H?#-6{AL-#PonoVIiIALfN-GGTNO2xhYo27tzV_B92Pz%NQ7i zDwY1O5cAc4>#|l?D7YwImpD#%zv>_ak1fr}L|3YpHb*N&Nkc+IUNw0NZQ7cW2ZA0f zQE6$?Xx5DQ99Ak;WeRa%|F&BBvuri~06@Mg5fofuXV3ANQ-am?1L1jDx&5!OK*Q~0 z9H0>xy-pnp3mD0Ck$-wl^mq0wLhMX*+=LZ$=X-;TJ9HhY{^`?ju5$SC&09F=lmr@0 z)ImH{FTBaNJskTp+w0NMhZXK9WbhIcBMCa|5tK+2`lgUUWEu$zlc4&1>v)9|al|+DR6c z@)~FA2*HC!O_dx~tSXCzA8J`Hzr*e?^eqiL+HIFkW`>tWMFtlMIlnKS7ag=cG~ub`&wD!w#5`zMOIbD%Tn&)&`TL3AgLrl#NmoeB z1>U=Ny_KS7l}TX5_CuS01+IFw3{~^XOw$`}6mqdzj{bT(kW^;XwjnnqB_Z)BQHMWV z5LKE_g8z1`!1}oC_MUt7Cu!v|mdld*AB{vXUO~+Q zUWdN166yLRQX2t^Bx&qh$3;aUdqXX+dK%S=ItM4?B8ESG%*w1GBJyEX?#oSc{|aPj zc{U9Q2TgYrprDbli|oUwqovx>RYbUWEWydD^PpzUtCl_@?Umh(v|U0D4h~Xo_Bc>y z9uu<54qga=*NtH5mwkr7=W7L?(R76&0m7Nb4%5aQMr=^^^q#;*xn&mv0zSv_YJKEV z_W|6EoHDmW=ZF~?LrO|{)o*ODNhPJng>*)cL8s0cf0kSYB)yOe+r-4k=;$`UWwy6> zMnR!MqypNWS1xqd-`IxGfg<#I%MYIbz)+@ZEpR{At{wd9F3M1^uZ+Or zc|(NY#GylIBb zF*pM>n(P#bC!9fdFCY<^eM%2P&4PI{Z`sqd8@`TphC6-L2c}Bc{e};1XDZ8SX#a5w z!yh=3@}fIs!D>S|MWZ?I_??^EH7>e}@T(DPsCU8~@3>=%E`>wgxc#7_2TO(qr@f1^ z%zi{XNAx28XFiqs&Pr0C8N{Aq4iG_cr7VF1UX%F)gLEFzDSA1ef%9W 
zGxOt2JdWyB?*!G^>00EVqhpnYTD2TMB{f$fya}(vx_Kx|b8a#rDWO|5NJ-tZs3I?q zdRLh-zItqQ6p!Bw_2eyGPMf$TiOQJ9=$a`Dm)8-qkO0XSIXh;cH`BQtl7Dxy@Zb=& z?S$AQdSRvcD_mNquZjru`jTbij!C}QMXS!HSc4rn#3WtPdJFyo4m-nIp4N0K4I$9_ zXO||!^}ydR-8)dcJ(we*iA}-ToyZ~xCAfMNI2QA{xg4}fKW=)MnJKUnK$3L<+#X>x z5{iezu_?w|WKn5pyRl}1E7jxUDmjX7vO zl9qoGtStFte9edj@P|mj#PLzC(3RV|8PvB-lvJS8^MT%Udz+BQHt0hdy8a&e(nx-L zI$seP$Ue`r55IlsK;6?#x5uDop;7urx}$-Y@7>K^wSkeL{gIrm9oOl}htutaEQJ~R zImf8@H0=$hSh0?nw63RhX+*&r4`Gp!7~6PwThy_1DGxkhug?)~nXI3H#kkUTu^1`R ziqhKrsL{hx<|Q9Iu!rRKKKACgg}IzwA|Y(t)vDz7gRJ#+-?B??l=xf49qw?Rj1=ZO zj>4kCgyR!VU>Z$l8mNVu@p`0JDa&2g<$%-&ggED$i0)d<7kKg)K*%gGI@k7m{>5yC z74?Dj_^@&@Ju^GgMwhLCJy`SHjwaf9z*U_efS2F@oltf?TE01$uPy|Q5-ruL4K|Ar z%F4=_nAnX5Z~YW(9Sr)apa>exTAUxx;5Y?`mNIF;Sb-9qKJqvsT#3&Q&**P?7V3yJ zmwoLPItMiB-2JY+Zp8p7*_zLLrkKxJ=Dcl}#BTN5{!Xuoo!#N$pmkmV7X!$(p|h0$ zw>$%0Frqc%5c0y@=;%*nSBP=%>C!6{6u8Y7mz8l-$9-g-@n5=^PSh5eg{p1A2VP0v zv;3RDZ9c}+b9Dq;KO^D4a)0;44LwGc)Xc!(>q8UV?syyza0VFw(9OR>G6Xs6?wnhi zi=HPCgq@r5bF8^?a@7WOHR;32 zNf9IEFF*vP@Hzbe+!;(h2hap|nR$~YoRDie;1f?!kL5tb0eJK~eRW6PXSeIf3W9=t z+6Dk%1H>uf{^cpxw`bq+udgsM@H)UD5?kkJJE~%nMy+s4Ba`#!HR;WUsGc5N;A^|9 z)ge{UsV2^V&97^sGYvd_Fp}_fF^iZ{R>}gIgs1snhsDk zlSOJMj4a-nlR@vR}lQPGsV-fV>eS=jXt=1U%GOoud5$^FT6aGhz$f zu&26Zj;O!{pTE7m6$|%1JwN?Bo@fuwZ7BdOTS-46fnv|`I}_`&^VX+su|)OfpRT)X zQLiqafr1Y}j7fPY_Qtx=*6A?px!oupE=gCEp_jga!6OyMebIn{8T2KC4D5~SS)3e_SG$0pG7TA4Gm!zyN>ES9# zS{H}QG<&0M4JU9|^ry04uNh$c*jRC*9s>3wM(9p3bi3mNqx~B z`+E+pSFQKNf}ie4f&Nmo530dmG9n&QHyJd@*xAGCAZCxtYa-peaH#?ZfRWm~Dqsj$ z&1VxJpwp&_$ss#Aakf2k%;okKG>{@d<#VfV@DYKU3Bv$7z*7k0w(;>2uTC z%jAarT2B>hDjxw?5|G>oHf2^U8P^6lp8@G70gMrdO=6IwwWM4H2bra~|7hisMd%gZyRQ*Q#jMNBlXrGXt<3b_p{Nyc!$n$d}hjuw@Yii1DW<`fj271mS!J^^7m zW@chwPkO;MgaGCO!iJc>!8>~lz|6NVE`n~XU*FQJh5@BJz+pIHsvxtV(w-7v5y1uS z%A=E_Ay}XCBY(%}wDUebna`LXe6D3?1_{!XWXa?7NC@BGX%!s;ewLivmg^81BU094 zwhRig8gg!Vi{++N8XUOJb|x}hEAy#jZ1&nk2ch+!3z!j+iZq*%a%mKMNhByl!O`ed z)G|G-Qhc>Pxo+5b%lg9wBa#5Nms)QLN3P?5Dy0UMP@0t*eWr{4=b63%kgJ+wgD;{n#tB~!GDGf#4l>Ec!4VV 
z-nyCbB9t3&m5feqFQn0(-acH3_^sX>P2+~#>k_89dsgeaotY_KZQsZqS7l{A8>0x{ z+@xlC$8m(~(hSIbsV{jWCYP6E^+el5M0<&cWAEtb52U7^e!47&uRYAo%rKt^9F&w7 zIY&>NL){|CM2l7FwpY=Y^jiqv(E!w>p~P>6cv~+PA}zU}T{XtnGlD>ku=^c(^I&S< zpEi*nt=mz;UOWwQW5=g^%R>|CI`;|H-U1sq#R_@`27s3oh&Jy6zTG8clH@m=Q?6=0 zH~>k6!$-%Xg>`FLZR*CWWOFTLb`5H z_Ywb^P3NyS2N0v6C0AR$M84^1nrVjfwg?rCl&ryV`V*UF_=mc?e`TbhM`HbXS`^o; zT%>#7N^XY-D&2Y#Uu50R+CcK$xF3xEKP|xErVzgoKx2fw4$rA95dZBj`GKPwZqpy7 z)aNg$u6jL%?2;x1TlvSKohvj#hs5#a%levOr*+){j^CF*AZw(H`?OrT#)BtGm$d0c zP;$jmx@}gyWckf&!j&|(-E~W_WBk!?sD7qOp92A6Hl+t(-})aj90=f|`|h=1U^g{sj{4qLiX;dSe|n zr3k@!36?x)+9^&y@-kg+ds)X?+w9>Euw)StG9VwWw5qCeZmzr^-Lyza9QYi-{+E<| z>gwy0x034b?j|EW+5e2-5sS>jqYnK_#ljMNifR9Cr$AwPc1GzMa{ zA3ksf%!Bk_Mhwf#F zNBMt^`EFpoN&OA1D1#<4-G%e650md#&{_AfyJoX04$Sy19jkYBzo z{C%e2yuxw}8Hk&pJhlMaK11M(MFyP5{DS6sya?@aF#2X-tH(jg<9P~W~hz1;p z3LA~!Ha{a}*C+Yo$O8YGPt^jfAeYw;b7ceQo7R3ZaJVEHcq@`Z&4?;0^U(ZFz_w)P z?alJR{?(|({3>jOxDTo(UrjQyDM|uoH+Lw7l!qsIw$d!lb$>9m{jO?3+nfu_26H8+!u8*Q}MJ~4HFL!h`~uK&6S31{`i1ZQ>@h}r6cnxC^JXa=X%<> ztkA#+Gdc=D>W|CI%bYx1vh_-6jR#@lV0}4jP*735<54Fto666F&Z0Op^Mr(kmX?=i zeLc!_W$J2gU$MPH*414G>qa(L2@SfP?(3{cmVs>@6CTc}Pa)Cc@Q_OM@OUOAd9mB= z-+pVnW6M`IR3aa^uJ2R29S|V6Cud{Bk(b8;#f+%c+MzDxxq#7o(UQ;hP~tiukj*RK zIZ*lOWV63zvXi3EmXe(Oq;EL#aZRzXuwY_gQEL@a*&9htq|%a;`z`s0FOT9#TjBxm zwsFrd$#bzhqEC5B!G$=`5P?=@MzItIYAI}fXghM*3a+i?LPA2S;pAa4-oOS$?#c*H zUWAMHr&d$7dAz)^XlrlxrA?hm;I^+CJ1@1jy4w42=f zllTMW$k}#3FP+yVZ|~N54jiLyF7!zltYHajnIrLoZ-!(~k6o5t0-|!w7jIbx}b&iLS$2tlpAC8~;$kF3khC zcLaEmIZ9bn$Z2Q0ZIm7YPjw!Cv;jQ?Tid2`ox51<7RB@y>UiIx1c)fstbqpg6^I@JU+ObrTP9A z>R7ZD6N7Cuq~5;h@lu8s86-J?eI{4!NKX+;;s;71AaqHk=#7piX2W2*CMMtQ?3gXp ztJkWvJ;y0*gX8aE7itI&7s0J!`0jCoSh@jg1N<3V2p zadFLNl!xs4@1OiYC1y^E=*pNKvJYJ8NZ`{iJAXMG{hP{@kQZB9TL2XAcfrK*^YeRA zZY(jWwFKhgs*R3~gQZ19g_n-QpVg|z3&k8jL;`T|Up3qt&Tj^RkbtW^XXmyBW2I6C z``dxGjLh(Gdir~E5OBo!$N|gAp&1!ra(%c)zZJeZP9~{b_eUiuI=#PSX|y{!I+|rR z9)v1`9;A6+zlqQWWm45&>?`B5Sr>rFh^qQVYlnDm&cIv@rF16tH`y4WfN+}7q-w=` 
zt&<_zj>hw}P_gK@|6-zZhiJe@Z_o*q9zP0j)_3)dCHlFTPWoBufN)}E@Yyh8o(xvA zMWsZ3^RTLZZQA?)F6BjbDYVxFsAra0KIfsh!emah)@8RUlPburt51D88eNG?EHgsD*VQijA-EGff`R}eEgt`r-{kL6P_EEA(3DM)B ze6&o{c)cZqR7^}P2xJHpYBV}(y4-Rqz;6q=P-3h|+zTJSxz_e1Zm@~C@rD|ULV7BY z{KE&qdI9i*Q7ODnIp*(BT4?E1|r)c{l!Ti>bNeY_zi2?_l6vQGwPTJT!T!65{^ zZd5`-wo~y9x_b--{TwZ=GJH(SZ7ysfmc$D$9~5h)e!Ro+CNfO+q^g&Q(fZ$29KAN| z@ex!T))@cYd2H?G&Nr>bt|x@^dRV7&Icb6BgbKV2no5uJZaP_)WjA$`dS2Hlos?5} zW$Xi5`sIN=LWA;_QSoug2>Bep$YOsB3=dbHb=)grZy3XSt5AJ9&FCSEFNV3kZPAJ61;x|GN&{q0&&PSS$CxIdHu52Lp(SO;}j*Z(InE&$Fzm zKdn!hdSK3Bbg>>d0c5Eq&g_Jkt0=rJfoq#)o9x50nzTOL!ZqD zm0PL#5WlPAZq#yVW@eU+gUxW@`b>@!ILI1RE{HgND=XQ6xgN0V2Ngybuf4v&f^Yyu z)H)9Y@`?o!adE;LDH~_ZY-}SuQ@{sgVr9*izp3&z;%XnSPzb82*VohgDF(}Q*p5OV zBcnh_GNk0NoRR84UcWNa@%ncMak3v!8Y}gyeF5lw01#sFDNVkBLbT^1}gCHH!Al-EXXWZZ4`M-tp=v?~=*Os`~Tx-oa#-~O}MMc}t z(3c3o^&p7F2nZ(`;fYI+jGPm2`BQ{V?lt7|0)36mtM36`rIu}T1`XijUt#T(s$|TO z*&Qxt>m!2;AFOLZ6~=znXqQNUzKy1-pF5CsMFD@S8<%2I29v2sb4$25urVp$!45JYRb){{CRi>1_Uly6!Odz zn&q;Me~+&e>g0>ZM&zsEd5~Q!UOTup1KMPF)xpT?XeQy{z>%)6k1|ugo5^T@(Z|E& zrk!oyc>#+Lz{JCoY zVW2i*WqY|;bSi*6FN3^I0E6RpJGw(URXH$R_EA0~gWKbX`-L=KXLmPiD;vBXTT{qT zvnLkgyj<{@XhwBx3Ax0hlf^wiLo)$X8;^0ZX#3RlaLgJ92gmI2>tz%vtkUQYMbZdq z^&>BoEcYWwz%-SR9S^DC=x57YHMwcjQ>DYl#Jsz=?;5|!%FD~GP#2w@B=&E_ezT1L zN5sl1*@<@GVNw+~DXDCTiR@m}>C=(ZSFc}FN(Ke-7LSWX^l}vF#Z`=QV3PB6l;Y+D zhI$-G?PoiCvv@OoaC%SkN?V&GUH)?KrS%N9=13m2yor6-MAeJc?NgO z=$;9tLjAk7Z6zrqW3)i-{ku?Ff=-R56A(lQY3>+MD<2#fh+SSb0_BZV=ZSUR+j=U% zt|4eS_}Ad5-PW|XLJoT)R8yQkEH8@inbo3u)r)Wl2m-*i4dW`TW=qjOp81|Jbf)Zp zjB;Z7s@kg(21X2^JpE|vMHmVdmZIV?Ac-uV2Y0Nk-#a*9gv*cfr#73Rz6d7B+?60N z0bOcFrlCVPyZ(Vgicw!nItr-hQdcxY;Yxn~eA>!6l~!pyEe9)faCsy-Q{(#9)>|gj z1f}c8pG}QQH&T=$KXg`j>!sr85*Apit>?uOwPfSMx64U(%d-cP`?sfcVM@_(fw^JR zMTU2FrRF6T85PJ5cXW6+tZw$}i-W?07RJ*v;a&V@;Aa;~ETGL-Lcd&^JvPA;^_nvW z?Xd#{iY4Uc(xh+>3bUIn53c0HmiJBgstyIu(Yf>I&yP^#SX}DrHh+lPReDoeGD8ZAnOSWf?_nSLOHW^r`#gFS z3AgCM$Fn=K{r39?VhJoZl$jke%R>u>goK1FPNOVOICG2b8{iob+?pmILZHy;{J_hU 
zKx8XZv9JVwh|0zxdn5_5_|1qT((UOgFTZ-4*C)vRWpve=54v$6Fy(CZpknF+?Ud;> z!IjXkB#m`JA+632%5coPHLjPK=#LqVVb_~_f`&p*PY<^tC@P8qkQ4od#Vl@Kysq~S zX5zo;IYUFkG#Z@*{&8@ooou%LvE)LL4U=)}4=9a%bYpcE2f6n5j&=i18!xBW1{15_ z2Ms{9$)+W4&vn|-3UoRfhus7cR3=78 zwL(a9Jzxv5)+OQ4HY`L$twfch?G_s^ng{vX)K z%