rfc9788xml2.original.xml   rfc9788.xml 
<?xml version="1.0" encoding="utf-8"?> <?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.14 (Ruby 3.
1.2) -->
<!DOCTYPE rfc [ <!DOCTYPE rfc [
<!ENTITY nbsp "&#160;"> <!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;"> <!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;"> <!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;"> <!ENTITY wj "&#8288;">
]> ]>
<?rfc comments="yes"?> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" number="9788" docName="draft-ietf-lamps-header-protection-25" category="std" consensus="true" submissionType="IETF" obsoletes="" updates="8551" tocInclude="true" sortRefs="tr ue" symRefs="true" version="3" xml:lang="en">
<rfc ipr="trust200902" docName="draft-ietf-lamps-header-protection-25" category= "std" consensus="true" submissionType="IETF" updates="8551" tocInclude="true" so rtRefs="true" symRefs="true">
<front> <front>
<title abbrev="Cryptographic MIME Header Protection">Header Protection for C <title abbrev="Cryptographic MIME Header Protection">Header Protection for C
ryptographically Protected E-mail</title> ryptographically Protected Email</title>
<seriesInfo name="RFC" value="9788"/>
<author initials="D. K." surname="Gillmor" fullname="Daniel Kahn Gillmor"> <author initials="D. K." surname="Gillmor" fullname="Daniel Kahn Gillmor">
<organization>American Civil Liberties Union</organization> <organization>American Civil Liberties Union</organization>
<address> <address>
<postal> <postal>
<street>125 Broad St.</street> <street>125 Broad St.</street>
<city>New York, NY</city> <city>New York</city>
<region>NY</region>
<code>10004</code> <code>10004</code>
<country>USA</country> <country>United States of America</country>
</postal> </postal>
<email>dkg@fifthhorseman.net</email> <email>dkg@fifthhorseman.net</email>
</address> </address>
</author> </author>
<author initials="B." surname="Hoeneisen" fullname="Bernie Hoeneisen"> <author initials="B." surname="Hoeneisen" fullname="Bernie Hoeneisen">
<organization>pEp Project</organization> <organization>pEp Project</organization>
<address> <address>
<postal> <postal>
<street>Oberer Graben 4</street> <street>Oberer Graben 4</street>
<city>8400 Winterthur</city> <city>8400 Winterthur</city>
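Review bot: The Winterthur address still reads <city>8400 Winterthur</city> on both sides, so the postal code stays inside the city element even though this pass split "New York, NY" into <city> and <region>, and the other two author addresses carry their postal codes in <code>. Suggest <city>Winterthur</city> with <code>8400</code> so all three author addresses are structured the same way.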
skipping to change at line 50 skipping to change at line 47
<uri>https://pep-project.org/</uri> <uri>https://pep-project.org/</uri>
</address> </address>
</author> </author>
<author initials="A." surname="Melnikov" fullname="Alexey Melnikov"> <author initials="A." surname="Melnikov" fullname="Alexey Melnikov">
<organization>Isode Ltd</organization> <organization>Isode Ltd</organization>
<address> <address>
<postal> <postal>
<street>14 Castle Mews</street> <street>14 Castle Mews</street>
<city>Hampton, Middlesex</city> <city>Hampton, Middlesex</city>
<code>TW12 2NP</code> <code>TW12 2NP</code>
<country>UK</country> <country>United Kingdom</country>
</postal> </postal>
<email>alexey.melnikov@isode.com</email> <email>alexey.melnikov@isode.com</email>
</address> </address>
</author> </author>
<date year="2025" month="May"/>
<area>SEC</area>
<workgroup>lamps</workgroup>
<date year="2025" month="January" day="06"/> <!-- [rfced] Please insert any keywords (beyond those that appear in
the title) for use on https://www.rfc-editor.org/search. -->
<area>Security</area>
<workgroup>LAMPS Working Group</workgroup>
<keyword>Internet-Draft</keyword>
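Review bot: The new front matter drops <keyword>Internet-Draft</keyword> and adds no replacement, while the [rfced] request for keywords beside the <date> element is still unanswered. Supply the keywords, or state that none beyond the title are wanted, and remove the query comment so the question can be closed.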
<abstract> <abstract>
<t>S/MIME version 3.1 introduced a mechanism to provide end-to-end cryptographic
<?line 88?> protection of email message headers.
<t>S/MIME version 3.1 introduced a mechanism to provide end-to-end cryptographic
protection of e-mail message headers.
However, few implementations generate messages using this mechanism, and several legacy implementations have revealed rendering or security issues when handling such a message.</t> However, few implementations generate messages using this mechanism, and several legacy implementations have revealed rendering or security issues when handling such a message.</t>
<t>This document updates the S/MIME specification (RFC 8551) to offer a di
<t>This document updates the S/MIME specification (RFC8551) to offer a different fferent mechanism that provides the same cryptographic protections but with fewe
mechanism that provides the same cryptographic protections but with fewer downs r downsides when handled by legacy clients.
ides when handled by legacy clients. Furthermore, it offers more explicit usability, privacy, and security guidance f
Furthermore, it offers more explicit usability, privacy, and security guidance f or clients when generating or handling email messages with cryptographic protect
or clients when generating or handling e-mail messages with cryptographic protec ion of message headers.</t>
tion of message headers.</t> <t>The Header Protection scheme defined here is also applicable to message
s with PGP/MIME (Pretty Good Privacy with MIME) cryptographic protections.</t>
<t>The Header Protection scheme defined here is also applicable to messages with
PGP/MIME cryptographic protections.</t>
</abstract> </abstract>
<note title="About This Document" removeInRFC="true">
<t>
The latest revision of this draft can be found at <eref target="https://
dkg.gitlab.io/lamps-header-protection/"/>.
Status information for this document may be found at <eref target="https
://datatracker.ietf.org/doc/draft-ietf-lamps-header-protection/"/>.
</t>
<t>
Discussion of this document takes place on the
LAMPS Working Group mailing list (<eref target="mailto:spasm@ietf.org"/>
),
which is archived at <eref target="https://mailarchive.ietf.org/arch/bro
wse/spasm/"/>.
Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/spasm/"
/>.
</t>
<t>Source for this draft and an issue tracker can be found at
<eref target="https://gitlab.com/dkg/lamps-header-protection"/>.</t>
</note>
</front> </front>
<middle> <middle>
<!-- <?line 98?>-->
<?line 98?> <section anchor="introduction">
<name>Introduction</name>
<section anchor="introduction"><name>Introduction</name> <t>Privacy and security issues regarding email Header Protection in S/MIME
and PGP/MIME have been identified for some time.
<t>Privacy and security issues regarding e-mail Header Protection in S/MIME and Most current implementations of cryptographically protected email protect only t
PGP/MIME have been identified for some time. he body of the message, which leaves significant room for attacks against otherw
Most current implementations of cryptographically protected electronic mail prot ise-protected messages.
ect only the body of the message, which leaves significant room for attacks agai
nst otherwise-protected messages.
For example, lack of Header Protection allows an attacker to substitute the mess age subject and/or author.</t> For example, lack of Header Protection allows an attacker to substitute the mess age subject and/or author.</t>
<t>This document describes how to cryptographically protect message header
<t>This document describes how to cryptographically protect message headers, and s and provides guidance for the implementer of a Mail User Agent (MUA) that gene
provides guidance for the implementer of a Mail User Agent (MUA) that generates rates, interprets, and replies to such a message.
, interprets, and replies to such a message.
It uses the term "Legacy MUA" to refer to an MUA that does not implement this sp ecification. It uses the term "Legacy MUA" to refer to an MUA that does not implement this sp ecification.
This document takes particular care to ensure that messages interact reasonably well with Legacy MUAs.</t> This document takes particular care to ensure that messages interact reasonably well with Legacy MUAs.</t>
<section anchor="update-to-rfc-8551">
<section anchor="update-to-rfc-8551"><name>Update to RFC 8551</name> <name>Update to RFC 8551</name>
<t>An older scheme for Header Protection was specified in S/MIME 3.1 <xr
<t>An older scheme for Header Protection was specified in S/MIME 3.1 (<xref targ ef target="RFC8551"/>, which involves wrapping a <tt>message/rfc822</tt> MIME ob
et="RFC8551"/>), which involves wrapping a <spanx style="verb">message/rfc822</s ject with a Cryptographic Envelope around the message to protect it.
panx> MIME object with a Cryptographic Envelope around the message to protect. This document refers to that scheme as "RFC 8551 Header Protection", or "<iref i
This document refers to that scheme as RFC 8551 Header Protection, or "<iref ite tem="RFC8551HP"/><xref target="RFC8551HP" format="none">RFC8551HP</xref>".
m="RFC8551HP"/><xref target="RFC8551HP" format="none">RFC8551HP</xref>".
Substantial testing has shown that <iref item="RFC8551HP"/><xref target="RFC8551 HP" format="none">RFC8551HP</xref> does not interact well with some Legacy MUAs (see <xref target="rfc8551-problems"/>).</t> Substantial testing has shown that <iref item="RFC8551HP"/><xref target="RFC8551 HP" format="none">RFC8551HP</xref> does not interact well with some Legacy MUAs (see <xref target="rfc8551-problems"/>).</t>
<t>This specification supersedes <iref item="RFC8551HP"/><xref target="R
<t>This specification supersedes <iref item="RFC8551HP"/><xref target="RFC8551HP FC8551HP" format="none">RFC8551HP</xref>, effectively replacing the final two pa
" format="none">RFC8551HP</xref>, effectively replacing the final two paragraphs ragraphs of <xref section="3.1" sectionFormat="of" target="RFC8551"/>.</t>
of <xref section="3.1" sectionFormat="of" target="RFC8551"/>.</t> <t>In this specification, all Header Fields gain end-to-end cryptographi
c integrity and authenticity by being copied directly into the Cryptographic Pay
<t>In this specification, all Header Fields gain end-to-end cryptographic integr load without using an intervening <tt>message/rfc822</tt> MIME object.
ity and authenticity by being copied directly into the Cryptographic Payload wit
hout using an intervening <spanx style="verb">message/rfc822</spanx> MIME object
.
In an encrypted message, some Header Fields can also be made confidential by rem oving or obscuring them from the outer Header Section.</t> In an encrypted message, some Header Fields can also be made confidential by rem oving or obscuring them from the outer Header Section.</t>
<t>This specification also offers substantial security, privacy, and usa
bility guidance for sending and receiving MUAs that was not considered in <xref
target="RFC8551"/>.</t>
<section anchor="rfc8551-problems">
<name>Problems with RFC 8551 Header Protection</name>
<t>Several Legacy MUAs have difficulty rendering a message that uses <
iref item="RFC8551HP"/><xref target="RFC8551HP" format="none">RFC8551HP</xref>.
These problems can appear on signed-only messages, as well as signed-an
d-encrypted messages.</t>
<t>This specification also offers substantial security, privacy, and usability g <!--[rfced] FYI - In the following sentence, we have updated "page 5"
uidance for sending and receiving MUAs that was not considered in RFC 8551.</t> to "Section 2". Please review and let us know of any objections.
<section anchor="rfc8551-problems"><name>Problems with RFC 8551 Header Protectio Original:
n</name> In some cases, some mail user agents cannot render message/rfc822
message subparts at all, in violation of baseline MIME requirements
as defined on page 5 of [RFC2049].
<t>Several Legacy MUAs have difficulty rendering a message that uses <iref item= Current:
"RFC8551HP"/><xref target="RFC8551HP" format="none">RFC8551HP</xref>. In some cases, some mail user agents cannot render message/rfc822
These problems can appear on signed-only messages, as well as signed-and-encrypt message subparts at all, which is in violation of baseline MIME
ed messages.</t> requirements as defined in Section 2 of [RFC2049].
-->
<t>In some cases, some mail user agents cannot render <spanx style="verb">messag e/rfc822</spanx> message subparts at all, in violation of baseline MIME requirem ents as defined on page 5 of <xref target="RFC2049"/>. <t>In some cases, some mail user agents cannot render <tt>message/rfc8 22</tt> message subparts at all, which is in violation of baseline MIME requirem ents as defined in <xref section="2" target="RFC2049"/>.
A message using <iref item="RFC8551HP"/><xref target="RFC8551HP" format="none">R FC8551HP</xref> is unreadable by any recipient using such an MUA.</t> A message using <iref item="RFC8551HP"/><xref target="RFC8551HP" format="none">R FC8551HP</xref> is unreadable by any recipient using such an MUA.</t>
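Review bot: In the new sentence about MUAs that cannot render message/rfc822 subparts, the pointer changes from "page 5" of RFC 2049 to <xref section="2" target="RFC2049"/>, and the [rfced] query asking the authors to confirm that change is still embedded above it. A section reference is more stable than a page number, but the authors should confirm that Section 2 is where the cited baseline requirement is stated, then delete the query comment.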
<t>In other cases, the user sees an attachment suggesting a forwarded
<t>In other cases, the user sees an attachment suggesting a forwarded e-mail mes email message that -- in fact -- contains the protected email message that shoul
sage, which -- in fact -- contains the protected e-mail message that should be r d be rendered directly.
endered directly.
In most of these cases, the user can click on the attachment to view the protect ed message.</t> In most of these cases, the user can click on the attachment to view the protect ed message.</t>
<t>However, viewing the protected message as an attachment in isolatio
<t>However, viewing the protected message as an attachment in isolation may stri n may strip it of any security indications, leaving the user unable to assess th
p it of any security indications, leaving the user unable to assess the cryptogr e cryptographic properties of the message.
aphic properties of the message.
Worse, for encrypted messages, interacting with the protected message in isolati on may leak contents of the cleartext, for example, if the reply is not also enc rypted.</t> Worse, for encrypted messages, interacting with the protected message in isolati on may leak contents of the cleartext, for example, if the reply is not also enc rypted.</t>
<t>Furthermore, <iref item="RFC8551HP"/><xref target="RFC8551HP" forma
<t>Furthermore, <iref item="RFC8551HP"/><xref target="RFC8551HP" format="none">R t="none">RFC8551HP</xref> lacks any discussion of the following points, all of w
FC8551HP</xref> lacks any discussion of the following points, all of which are p hich are provided in this specification:</t>
rovided in this specification:</t> <ul spacing="normal">
<li>
<t><list style="symbols"> <t>Which Header Fields should be given end-to-end cryptographic in
<t>Which Header Fields should be given end-to-end cryptographic integrity and tegrity and authenticity protections (this specification mandates protection of
authenticity protections (this specification mandates protection of all Header F all Header Fields that the sending MUA knows about).</t>
ields that the sending MUA knows about).</t> </li>
<t>How to securely indicate the sender's intent to offer Header Protection and <li>
encryption, which lets a receiving MUA detect messages whose cryptographic prop <t>How to securely indicate the sender's intent to offer Header Pr
erties may have been modified in transit (see <xref target="hp-parameter"/>).</t otection and encryption, which lets a receiving MUA detect messages whose crypto
> graphic properties may have been modified in transit (see <xref target="hp-param
<t>Which Header Fields should be given end-to-end cryptographic confidentialit eter"/>).</t>
y protections in an encrypted message, and how (see <xref target="header-confide </li>
ntiality-policy"/>).</t> <li>
<t>How to securely indicate the sender's choices about which Header Fields wer <t>Which Header Fields should be given end-to-end cryptographic co
e made confidential, which lets a receiving MUA reply or forward an encrypted me nfidentiality protections in an encrypted message and how (see <xref target="hea
ssage safely without accidentally leaking confidential material (see <xref targe der-confidentiality-policy"/>).</t>
t="hp-outer"/>).</t> </li>
</list></t> <li>
<t>How to securely indicate the sender's choices about which Heade
<t>These stumbling blocks with Legacy MUAs, missing mechanisms, and missing guid r Fields were made confidential, which lets a receiving MUA reply or forward an
ance create a strong disincentive for existing MUAs to generate messages using < encrypted message safely without accidentally leaking confidential material (see
iref item="RFC8551HP"/><xref target="RFC8551HP" format="none">RFC8551HP</xref>. <xref target="hp-outer"/>).</t>
</li>
</ul>
<t>These stumbling blocks with Legacy MUAs, missing mechanisms, and mi
ssing guidance create a strong disincentive for existing MUAs to generate messag
es using <iref item="RFC8551HP"/><xref target="RFC8551HP" format="none">RFC8551H
P</xref>.
Because few messages have been produced, there has been little incentive for tho se MUAs capable of upgrading to bother interpreting them better.</t> Because few messages have been produced, there has been little incentive for tho se MUAs capable of upgrading to bother interpreting them better.</t>
<t>In contrast, the mechanisms defined here are safe to adopt and prod
<t>In contrast, the mechanisms defined here are safe to adopt and produce messag uce messages with very few problems for Legacy MUAs.
es with very few problems for Legacy MUAs. And <xref target="RFC8551HP"/> provides useful guidance for rendering and replyi
And, <xref target="RFC8551HP"/> provides useful guidance for rendering and reply ng to <iref item="RFC8551HP"/><xref target="RFC8551HP" format="none">RFC8551HP</
ing to <iref item="RFC8551HP"/><xref target="RFC8551HP" format="none">RFC8551HP< xref> messages.</t>
/xref> messages.</t> </section>
</section>
</section> <section anchor="legacy-mua-risks">
</section> <name>Risks of Header Protection for Legacy MUA Recipients</name>
<section anchor="legacy-mua-risks"><name>Risks of Header Protection for Legacy M <t>Producing a signed-only message using this specification is risk free
UA Recipients</name> .
<t>Producing a signed-only message using this specification is risk-free.
Such a message will render in the same way on any Legacy MUA as a Legacy Signed Message (that is, a signed message without Header Protection). Such a message will render in the same way on any Legacy MUA as a Legacy Signed Message (that is, a signed message without Header Protection).
An MUA conformant to this specification that encounters such a message will be a ble to gain the benefits of end-to-end cryptographic integrity and authenticity for all Header Fields.</t> An MUA conformant to this specification that encounters such a message will be a ble to gain the benefits of end-to-end cryptographic integrity and authenticity for all Header Fields.</t>
<t>An encrypted message produced according to this specification that ha
<t>An encrypted message produced according to this specification that has some u s some user-facing Header Fields removed or obscured may not render as desired i
ser-facing Header Fields removed or obscured may not render as desired in a Lega n a Legacy MUA.
cy MUA.
In particular, those Header Fields that were made confidential will not be visib le to the user of a Legacy MUA. In particular, those Header Fields that were made confidential will not be visib le to the user of a Legacy MUA.
For example, if the <spanx style="verb">Subject</spanx> Header Field outside the Cryptographic Envelope is replaced with <spanx style="verb">[...]</spanx>, a Le gacy MUA will render the <spanx style="verb">[...]</spanx> anywhere the <spanx s tyle="verb">Subject</spanx> is normally seen. For example, if the <tt>Subject</tt> Header Field outside the Cryptographic Enve lope is replaced with <tt>[...]</tt>, a Legacy MUA will render the <tt>[...]</tt > anywhere the <tt>Subject</tt> is normally seen.
This is the only risk of producing an encrypted message according to this specif ication.</t> This is the only risk of producing an encrypted message according to this specif ication.</t>
<t>A workaround "Legacy Display" mechanism is provided in this specifica
<t>A workaround "Legacy Display" mechanism is provided in this specification (se tion (see <xref target="hp-legacy-display"/>).
e <xref target="hp-legacy-display"/>).
Legacy MUAs will render "Legacy Display Elements" to the user, albeit not in the same location that the Header Fields would normally be rendered.</t> Legacy MUAs will render "Legacy Display Elements" to the user, albeit not in the same location that the Header Fields would normally be rendered.</t>
<t>Alternately, if the sender of an encrypted message is particularly co
<t>Alternately, if the sender of an encrypted message is particularly concerned ncerned about the experience of a recipient using a Legacy MUA, and they are wil
about the experience of a recipient using a Legacy MUA, and they are willing to ling to accept leaking the user-facing Header Fields, they can simply adopt the
accept leaking the user-facing Header Fields, they can simply adopt the No <iref No <iref item="Header Confidentiality Policy"/><xref target="header-confidential
item="Header Confidentiality Policy"/><xref target="header-confidentiality-poli ity-policy" format="none">Header Confidentiality Policy</xref> (see <xref target
cy" format="none">Header Confidentiality Policy</xref> (see <xref target="no-con ="no-confidentiality-hcp"/>).
fidentiality-hcp"/>). A signed-and-encrypted message composed using the No <iref item="Header Confiden
A signed and encrypted message composed using the No <iref item="Header Confiden tiality Policy"/><xref target="header-confidentiality-policy" format="none">Head
tiality Policy"/><xref target="header-confidentiality-policy" format="none">Head er Confidentiality Policy</xref> offers no usability risk for a reader using a L
er Confidentiality Policy</xref> offers no usability risk for a reader using a L egacy MUA and retains end-to-end cryptographic integrity and authenticity proper
egacy MUA, and retains end-to-end cryptographic integrity and authenticity prope ties for all Header Fields for any reader using a conformant MUA.
rties for all Header Fields for any reader using a conformant MUA.
Of course, such a message has the same (non-existent) confidentiality properties for all Header Fields as a Legacy Encrypted Message (that is, an encrypted mess age made without Header Protection).</t> Of course, such a message has the same (non-existent) confidentiality properties for all Header Fields as a Legacy Encrypted Message (that is, an encrypted mess age made without Header Protection).</t>
</section>
</section> <section anchor="motivation">
<section anchor="motivation"><name>Motivation</name> <name>Motivation</name>
<t>Users generally do not understand the distinction between message bod
<t>Users generally do not understand the distinction between message body and me y and message header.
ssage header. When an email message has cryptographic protections that cover the message body
When an e-mail message has cryptographic protections that cover the message body but not the Header Fields, several attacks become possible.</t>
, but not the Header Fields, several attacks become possible.</t> <t>For example, a Legacy Signed Message has a signature that covers the
body but not the Header Fields.
<t>For example, a Legacy Signed Message has a signature that covers the body but An attacker can therefore modify the Header Fields (including Subject) without i
not the Header Fields. nvalidating the signature.
An attacker can therefore modify the Header Fields (including the Subject header Since most readers consider a message body in the context of the message's Subje
) without invalidating the signature. ct, the meaning of the message itself could change drastically (under the attack
Since most readers consider a message body in the context of the message's Subje er's control) while still retaining the same cryptographic indicators of integri
ct header, the meaning of the message itself could change drastically (under the ty and authenticity.</t>
attacker's control) while still retaining the same cryptographic indicators of <t>In another example, a Legacy Encrypted Message has its body effective
integrity and authenticity.</t> ly hidden from an adversary that snoops on the message.
<t>In another example, a Legacy Encrypted Message has its body effectively hidde
n from an adversary that snoops on the message.
But if the Header Fields are not also encrypted, significant information about t he message (such as the message Subject) will leak to the inspecting adversary.< /t> But if the Header Fields are not also encrypted, significant information about t he message (such as the message Subject) will leak to the inspecting adversary.< /t>
<t>However, if the sending and receiving MUAs ensure that cryptographic
protections cover the message Header Section as well as the message body, these
attacks are defeated.</t>
<section anchor="backward-compatibility">
<name>Backward Compatibility</name>
<t>If the sending MUA is unwilling to generate such a fully protected
message due to the potential for rendering, usability, deliverability, or securi
ty issues, these defenses cannot be realized.</t>
<t>The sender cannot know what MUA (or MUAs) the recipient will use to
handle the message. Thus, an outbound message format that is backward compatibl
e with as many legacy implementations as possible is a more effective vehicle fo
r providing the whole-message cryptographic protections described above.</t>
<t>However, if the sending and receiving MUAs ensure that cryptographic protecti <!--[rfced] Should "highest" be added to this sentence to describe the
ons cover the message Header Section as well as the message body, these attacks "extent possible"?
are defeated.</t>
<section anchor="backward-compatibility"><name>Backward Compatibility</name>
<t>If the sending MUA is unwilling to generate such a fully protected message du Original:
e to the potential for rendering, usability, deliverability, or security issues, This document aims for backward compatibility with Legacy MUAs to the
these defenses cannot be realized.</t> extent possible.
<t>The sender cannot know what MUA (or MUAs) the recipient will use to handle th Perhaps:
e message. This document aims for backward compatibility with Legacy MUAs to the
Thus, an outbound message format that is backward compatible with as many legacy highest extent possible.
implementations as possible is a more effective vehicle for providing the whole -->
-message cryptographic protections described above.</t>
<t>This document aims for backward compatibility with Legacy MUAs to the extent possible. <t>This document aims for backward compatibility with Legacy MUAs to t he extent possible.
In some cases, like when a user-visible header like the Subject is cryptographic ally hidden, a Legacy MUA will not be able to render or reply to the message exa ctly the same way as a conformant MUA would. In some cases, like when a user-visible header like the Subject is cryptographic ally hidden, a Legacy MUA will not be able to render or reply to the message exa ctly the same way as a conformant MUA would.
But accommodations are described here that ensure a rough semantic equivalence f But accommodations are described here that ensure a rough semantic equivalence f
or Legacy MUA even in these cases.</t> or a Legacy MUA even in these cases.</t>
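Review bot: On the [rfced] query about adding "highest", the sentence "aims for backward compatibility with Legacy MUAs to the extent possible" is already complete and idiomatic, and "to the highest extent possible" adds no meaning. Suggest keeping the original wording and closing the query. The only change this paragraph needs is the one the new side already makes, "for a Legacy MUA".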
</section>
</section> <section anchor="deliverability">
<section anchor="deliverability"><name>Deliverability</name> <name>Deliverability</name>
<t>A message with perfect cryptographic protections that cannot be del
<t>A message with perfect cryptographic protections that cannot be delivered is ivered is less useful than a message with imperfect cryptographic protections th
less useful than a message with imperfect cryptographic protections that can be at can be delivered.
delivered.
Senders want their messages to reach the intended recipients.</t> Senders want their messages to reach the intended recipients.</t>
<t>Given the current state of the Internet mail ecosystem, encrypted m
<t>Given the current state of the Internet mail ecosystem, encrypted messages in essages in particular cannot shield all of their Header Fields from visibility a
particular cannot shield all of their Header Fields from visibility and still b nd still be guaranteed delivery to their intended recipient.</t>
e guaranteed delivery to their intended recipient.</t> <t>This document accounts for this concern by providing a mechanism (<
xref target="header-confidentiality-policy"/>) that prioritizes initial delivera
<t>This document accounts for this concern by providing a mechanism (<xref targe bility (at the cost of some header leakage) while facilitating future message va
t="header-confidentiality-policy"/>) that prioritizes initial deliverability (at riants that shield more header metadata from casual inspection.</t>
the cost of some header leakage) while facilitating future message variants tha </section>
t shield more header metadata from casual inspection.</t> </section>
<section anchor="other-protocols-to-protect-e-mail-header-fields">
</section> <name>Other Protocols to Protect Email Header Fields</name>
</section> <t>A separate pair of protocols also provides some cryptographic protect
<section anchor="other-protocols-to-protect-e-mail-header-fields"><name>Other Pr ion for the email message header integrity: DomainKeys Identified Mail (DKIM) <x
otocols to Protect E-Mail Header Fields</name> ref target="RFC6376"/>, as used in combination with Domain-based Message Authent
ication, Reporting, and Conformance (DMARC) <xref target="RFC7489"/>.
<t>A separate pair of protocols also provides some cryptographic protection for This pair of protocols provides a domain-based reputation mechanism that can be
the e-mail message header integrity: DomainKeys Identified Mail (DKIM) <xref tar used to mitigate some forms of unsolicited email (spam).</t>
get="RFC6376"/>, as used in combination with Domain-based Message Authentication <t>However, the DKIM+DMARC suite provides cryptographic protection at a
, Reporting, and Conformance (DMARC) <xref target="RFC7489"/>. different scope, as it is usually applied by and evaluated by a mail transport a
This pair of protocols provides a domain-based reputation mechanism that can be gent (MTA).
used to mitigate some forms of unsolicited e-mail (spam).</t>
<t>However, the DKIM+DMARC suite provides cryptographic protection at a differen
t scope, as it is usually applied by and evaluated by a mail transport agent (MT
A).
DKIM+DMARC typically provide MTA-to-MTA protection, whereas this specification p rovides MUA-to-MUA protection. DKIM+DMARC typically provide MTA-to-MTA protection, whereas this specification p rovides MUA-to-MUA protection.
This is because DKIM+DMARC are typically applied to messages by (and interpreted by) MTAs, whereas the mechanisms in this document are typically applied and int erpreted by MUAs.</t> This is because DKIM+DMARC are typically applied to messages by (and interpreted by) MTAs, whereas the mechanisms in this document are typically applied and int erpreted by MUAs.</t>
<t>A receiving MUA that relies on DKIM+DMARC for sender authenticity sho
<t>A receiving MUA that relies on DKIM+DMARC for sender authenticity should note uld note <xref target="from-addr-spoofing"/>.</t>
<xref target="from-addr-spoofing"/>.</t> <t>Furthermore, the DKIM+DMARC suite only provides cryptographic integri
ty and authentication, not encryption.
<t>Furthermore, the DKIM+DMARC suite only provides cryptographic integrity and a
uthentication, not encryption.
So cryptographic confidentiality is not available from that suite.</t> So cryptographic confidentiality is not available from that suite.</t>
<t>The DKIM+DMARC suite can be used on any message, including messages f
<t>The DKIM+DMARC suite can be used on any message, including messages formed as ormed as defined in this document.
defined in this document.
There should be no conflict between DKIM+DMARC and the specification here.</t> There should be no conflict between DKIM+DMARC and the specification here.</t>
<t>Though not strictly email, similar protections have been in use on Us
<t>Though not strictly e-mail, similar protections have been in use on Usenet fo enet for the signing and verification of message headers for years.
r signing and verification of message headers for years.
See <xref target="PGPCONTROL"/> and <xref target="PGPVERIFY-FORMAT"/> for more d etails. See <xref target="PGPCONTROL"/> and <xref target="PGPVERIFY-FORMAT"/> for more d etails.
Like DKIM, these Usenet control protections offer only integrity and authenticat ion, not confidentiality.</t> Like DKIM, these Usenet control protections offer only integrity and authenticat ion, not confidentiality.</t>
</section>
<section anchor="applicability-to-pgpmime">
<name>Applicability to PGP/MIME</name>
<t>This document specifies end-to-end cryptographic protections for emai
l messages in reference to S/MIME <xref target="RFC8551"/>.</t>
<t>Comparable end-to-end cryptographic protections can also be provided
by PGP/MIME <xref target="RFC3156"/>.</t>
<t>The mechanisms in this document should be applicable in the PGP/MIME
protections as well as S/MIME protections, but analysis and implementation in th
is document focuses on S/MIME.</t>
<t>To the extent that any divergence from the mechanism defined here is
necessary for PGP/MIME, that divergence is out of scope for this document.</t>
</section>
<section anchor="requirements-language">
<name>Requirements Language</name>
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
"<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
"<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document
are to be interpreted as described in BCP&nbsp;14 <xref
target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.
</t>
</section> <!--[rfced] To reflect how their usage is described in RFC 8126, we
<section anchor="applicability-to-pgpmime"><name>Applicability to PGP/MIME</name have updated "key words" to "policies" and "SPECIFICATION
> REQUIRED" and "IETF REVIEW" to "Specification Required" and "IETF
Review", respectively (i.e., we capitalized only the first letter
<t>This document specifies end-to-end cryptographic protections for e-mail messa of each word and removed <bcp14> tags around "REQUIRED" in the
ges in reference to S/MIME (<xref target="RFC8551"/>).</t> XML). Note that all occurrences of these terms have been made
lowercase.
<t>Comparable end-to-end cryptographic protections can also be provided by PGP/M Additionally, may we move this text from the "Requirements Language"
IME (<xref target="RFC3156"/>).</t> section to the "Terms" section as the first paragraph since these
terms are not key words?
<t>The mechanisms in this document should be applicable in the PGP/MIME protecti ons as well as S/MIME protections, but analysis and implementation in this docum ent focuses on S/MIME.</t> One example
<t>To the extent that any divergence from the mechanism defined here is necessar Original:
y for PGP/MIME, that divergence is out of scope for this document.</t> The key words "SPECIFICATION REQUIRED" and "IETF REVIEW" that appear
in this document when used to describe namespace allocation are to be
interpreted as described in [RFC8126].
</section> Current:
<section anchor="requirements-language"><name>Requirements Language</name> The policies "Specification Required" and "IETF Review" that appear
in this document when used to describe namespace allocation are to be
interpreted as described in [RFC8126].
-->
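Review bot: The question in this [rfced] comment about moving the paragraph to "Terms" is still unanswered, and the new-side paragraph that follows remains in "Requirements Language", directly after the BCP 14 boilerplate. Since the edit already stops treating "Specification Required" and "IETF Review" as key words (lowercase, no bcp14 tags), moving the paragraph would leave that section with BCP 14 terms only. Either way, resolve the query and drop the comment from the XML.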
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUI <t>The policies "Specification Required" and "IETF
RED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL Review" that appear in this document when used to describe namespace
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECO allocation are to be interpreted as described in <xref
MMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", target="RFC8126"/>.</t>
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be i </section>
nterpreted as <section anchor="terms">
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and <name>Terms</name>
only when, they <t>The following terms are defined for the scope of this document:</t>
appear in all capitals, as shown here.</t> <dl spacing="normal" newline="false">
<dt>S/MIME:</dt><dd>Secure/Multipurpose Internet Mail Extensions (see
<xref target="RFC8551"/>)</dd>
<?line -18?> <!--[rfced] To match use in RFC 3156 and the companion document, we
updated the expansion of "PGP/MIME" in the Abstract and Terms
section as follows. Please let us know of any objections.
<t>The key words "SPECIFICATION <bcp14>REQUIRED</bcp14>" and "IETF REVIEW" that Original (Abstract):
appear in this document when used to describe namespace allocation are to be int The Header Protection scheme defined here is also applicable to
erpreted as described in <xref target="RFC8126"/>.</t> messages with PGP/MIME cryptographic protections.
</section> Current:
<section anchor="terms"><name>Terms</name> The Header Protection scheme defined here is also applicable to
messages with PGP/MIME (Pretty Good Privacy with MIME) cryptographic
protections.
<t>The following terms are defined for the scope of this document:</t> ...
Original (Section 1.7):
* PGP/MIME: MIME Security with OpenPGP (see [RFC3156])
<t><list style="symbols"> Current:
<t>S/MIME: Secure/Multipurpose Internet Mail Extensions (see <xref target="RFC * PGP/MIME: Pretty Good Privacy with MIME (see [RFC3156])
8551"/>)</t> -->
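Review bot: The new expansion "Pretty Good Privacy with MIME" drops the word "OpenPGP" that the original Terms entry "MIME Security with OpenPGP" carried, and the comment still asks the authors for objections. If the new expansion stays, confirm that the Abstract and the Terms entry use identical wording, since both are changed by this edit, and remove the comment once the authors have answered.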
<t>PGP/MIME: MIME Security with OpenPGP (see <xref target="RFC3156"/>)</t>
<t>Message: An E-Mail Message consisting of Header Fields (collectively called
"the Header Section of the message") followed, optionally, by a Body; see <xref
target="RFC5322"/>. <vspace blankLines='1'/>
Note: To avoid ambiguity, this document avoids using the terms "Header" or "Head
ers" in isolation, but instead always uses "Header Field" to refer to the indivi
dual field and "Header Section" to refer to the entire collection.</t>
<t>Header Field: A Header Field includes a field name, followed by a colon (":
"), followed by a field body (value), and terminated by CRLF; see <xref section=
"2.2" sectionFormat="of" target="RFC5322"/> for more details.</t>
<t>Header Section: The Header Section is a sequence of lines of characters wit
h special syntax as defined in <xref target="RFC5322"/>.
The Header Section of a Message contains the Header Fields associated with the M
essage itself.
The Header Section of a MIME part (that is, a subpart of a message) typically co
ntains Header Fields associated with that particular MIME part.</t>
<t>Body: The Body is the part of a Message that follows the Header Section and
is separated from the Header Section by an empty line (that is, a line with not
hing preceding the CRLF); see <xref target="RFC5322"/>.
It is the (bottom) section of a Message containing the payload of a Message.
Typically, the Body consists of a (possibly multipart) MIME <xref target="RFC204
5"/> construct.</t>
<t>Header Protection (HP): cryptographic protection of e-mail Header Sections
(or parts of it) by means of signatures and/or encryption.</t>
<t>Cryptographic Layer, Cryptographic Payload, Cryptographic Envelope, Cryptog
raphic Summary, Structural Header Fields, Main Body Part, User-Facing Header Fie
lds, and MUA are all used as defined in <xref target="I-D.ietf-lamps-e2e-mail-gu
idance"/></t>
<t>Legacy MUA: an MUA that does not understand Header Protection as defined in
this document.
A Legacy Non-Crypto MUA is incapable of doing any end-to-end cryptographic opera
tions.
A Legacy Crypto MUA is capable of doing cryptographic operations, but does not u
nderstand or generate messages with Header Protection.</t>
<t>Legacy Signed Message: an e-mail message that was signed by a Legacy MUA, a
nd therefore has no cryptographic authenticity or integrity protections on its H
eader Fields.</t>
<t>Legacy Encrypted Message: an e-mail message that was signed and encrypted b
y a Legacy MUA, and therefore has no cryptographic authenticity, integrity, or c
onfidentiality protections on any of its Header Fields.</t>
<t><iref item="Header Confidentiality Policy"/><xref target="header-confidenti
ality-policy" format="none">Header Confidentiality Policy</xref> (<iref item="HC
P"/><xref target="header-confidentiality-policy" format="none">HCP</xref>): a fu
nctional specification of which Header Fields should be removed or obscured when
composing an encrypted message with Header Protection.
An <iref item="HCP"/><xref target="header-confidentiality-policy" format="none">
HCP</xref> is considered more "conservative" when it removes or obscures fewer H
eader Fields.
When it removes or obscures more Header fields, it is more "ambitious".
See <xref target="header-confidentiality-policy"/>.</t>
<t>Ordinary User: a user of an MUA who follows a simple and minimal experience
, focused on sending and receiving e-mails.
A user who opts into advanced configuration, expert mode, or the like is not an
"Ordinary User".</t>
</list></t>
</section> <dt>PGP/MIME:</dt><dd>Pretty Good Privacy with MIME (see <xref targe
<section anchor="document-scope"><name>Document Scope</name> t="RFC3156"/>)</dd>
<dt>Message:</dt><dd><t>An email message consisting of Header
Fields (collectively called "the Header Section of the message")
optionally followed by a message body; see <xref target="RFC5322"/>.
</t>
<t>Note: To avoid ambiguity, this document avoids using the terms
"Header" or "Headers" in isolation, but instead always uses
"Header Field" to refer to the individual field and "Header
Section" to refer to the entire collection.</t></dd>
<dt>Header Field:</dt><dd>A Header Field includes a field name,
followed by a colon (":"), followed by a field body (value), and
is terminated by CRLF; see <xref section="2.2" sectionFormat="of"
target="RFC5322"/> for more details.</dd>
<dt>Header Section:</dt><dd>The Header Section is a sequence of
lines of characters with special syntax as defined in <xref
target="RFC5322"/>. The Header Section of a message contains the
Header Fields associated with the message itself. The Header
Section of a MIME part (that is, a subpart of a message) typically
contains Header Fields associated with that particular MIME
part.</dd>
<dt>Body:</dt><dd>The body is the part of a message that follows
the Header Section and is separated from the Header Section by an
empty line (that is, a line with nothing preceding the CRLF); see
<xref target="RFC5322"/>. It is the (bottom) section of a message
containing the payload of a message. Typically, the body consists
of a (possibly multipart) MIME <xref target="RFC2045"/>
construct.</dd>
<dt>Header Protection (HP):</dt><dd>The cryptographic protection of
email Header Sections (or parts of it) by means of signatures
and/or encryption.</dd>
<dt>Legacy MUA:</dt><dd>An MUA that does not understand Header
Protection as defined in this document. A Legacy Non-Crypto MUA
is incapable of doing any end-to-end cryptographic operations. A
Legacy Crypto MUA is capable of doing cryptographic operations
but does not understand or generate messages with Header
Protection.</dd>
<dt>Legacy Signed Message:</dt><dd>An email message that was
signed by a Legacy MUA and therefore has no cryptographic
authenticity or integrity protections on its Header Fields.</dd>
<dt>Legacy Encrypted Message:</dt><dd>An email message that was
signed and encrypted by a Legacy MUA and therefore has no
cryptographic authenticity, integrity, or confidentiality
protections on any of its Header Fields.</dd>
<dt><iref item="Header Confidentiality Policy"/><xref
target="header-confidentiality-policy" format="none">Header
Confidentiality Policy</xref> (<iref item="HCP"/><xref
target="header-confidentiality-policy"
format="none">HCP</xref>):</dt><dd>A functional specification of
which Header Fields should be removed or obscured when composing
an encrypted message with Header Protection. An <iref
item="HCP"/><xref target="header-confidentiality-policy"
format="none">HCP</xref> is considered more "conservative" when it
removes or obscures fewer Header Fields. When it removes or
obscures more Header Fields, it is more "ambitious". See <xref
target="header-confidentiality-policy"/>.</dd>
<dt>Ordinary User:</dt><dd>A user of an MUA who follows a simple
and minimal experience, focused on sending and receiving emails.
A user who opts into advanced configuration, expert mode, or the
like is not an "Ordinary User".</dd>
</dl>
<t>This document describes sensible, simple behavior for a program that generate <!--[rfced] FYI - We have moved this text to the end of the Terms section since
s an e-mail message with standard end-to-end cryptographic protections, followin it does not match the definition list formatting of the other terms listed.
g the guidance in <xref target="I-D.ietf-lamps-e2e-mail-guidance"/>. Please let us know of any objections.
An implementation conformant to this document will produce messages that have cr
yptographic protection that covers the message's Header Fields as well as its bo
dy.</t>
<section anchor="in-scope"><name>In Scope</name> Original:
* Cryptographic Layer, Cryptographic Payload, Cryptographic
Envelope, Cryptographic Summary, Structural Header Fields, Main
Body Part, User-Facing Header Fields, and MUA are all used as
defined in [I-D.ietf-lamps-e2e-mail-guidance]
<t>This document also describes sensible, simple behavior for a program that int Current:
erprets such a message, in a way that can take advantage of these protections co Additionally, Cryptographic Layer, Cryptographic Payload, Cryptographic
vering the Header Fields as well as the body.</t> Envelope, Cryptographic Summary, Structural Header Fields, Main
Body Part, User-Facing Header Fields, and MUA are all used as
defined in [I-D.ietf-lamps-e2e-mail-guidance]
-->
<t>Additionally, Cryptographic Layer, Cryptographic Payload, Cryptog
raphic
Envelope, Cryptographic Summary, Structural Header Fields, Main
Body Part, User-Facing Header Fields, and MUA are all used
as defined in <xref
target="RFC9787"/>.</t>
<t>The message generation guidance aims to minimize negative interactions with a </section>
ny Legacy receiving MUA while providing actionable cryptographic properties for <section anchor="document-scope">
modern receiving clients.</t> <name>Document Scope</name>
<t>This document describes sensible, simple behavior for a program that
generates an email message with standard end-to-end cryptographic protections, f
ollowing the guidance in <xref target="RFC9787"/>.
An implementation conformant to this document will produce messages that have cr
yptographic protection that covers the message's Header Fields as well as its bo
dy.</t>
<section anchor="in-scope">
<name>In Scope</name>
<t>This document also describes sensible, simple behavior for a progra
m that interprets such a message in a way that can take advantage of these prote
ctions covering the Header Fields as well as the body.</t>
<t>In particular, this document focuses on two standard types of cryptographic p <!--[rfced] For clarity and consistency, may we update the phrasing of
rotection that cover the entire message:</t> "Legacy receiving MUA" and "modern receiving clients" as follows?
<t><list style="symbols"> Original:
<t>A cleartext message with a single signature, and</t> The message generation guidance aims to minimize negative
<t>An encrypted message that contains a single cryptographic signature.</t> interactions with any Legacy receiving MUA while providing
</list></t> actionable cryptographic properties for modern receiving
clients.
</section> Perhaps:
<section anchor="out-of-scope"><name>Out of Scope</name> The message generation guidance aims to minimize negative
interactions with any Legacy MUA recipient while providing
actionable cryptographic properties for modern client
recipients.
-->
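Review bot: The "Perhaps" wording attaches "recipient" to the software ("Legacy MUA recipient", "modern client recipients"), while the Terms section defines Legacy MUA as a program and the hp table uses "recipients" for the parties a message is encrypted to. The new side keeps "Legacy receiving MUA" and "modern receiving clients", which avoids blurring the program with the person. Suggest answering the query in favour of the retained text and deleting the comment.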
<t>The message composition guidance in this document (in <xref target="compose"/ <t>The message generation guidance aims to minimize negative interacti
>) aims to provide minimal disruption for any Legacy MUA that receives such a me ons with any Legacy receiving MUA while providing actionable cryptographic prope
ssage. rties for modern receiving clients.</t>
However, a Legacy MUA by definition does not implement any of the guidance here. <t>In particular, this document focuses on two standard types of crypt
ographic protection that cover the entire message:</t>
<ul spacing="normal">
<li>
<t>a cleartext message with a single signature and</t>
</li>
<li>
<t>an encrypted message that contains a single cryptographic signa
ture.</t>
</li>
</ul>
</section>
<section anchor="out-of-scope">
<name>Out of Scope</name>
<t>The message composition guidance in this document (in <xref target=
"compose"/>) aims to provide minimal disruption for any Legacy MUA that receives
such a message.
However, by definition, a Legacy MUA does not implement any of the guidance here
.
Therefore, the document does not attempt to provide guidance for Legacy MUAs dir ectly.</t> Therefore, the document does not attempt to provide guidance for Legacy MUAs dir ectly.</t>
<t>Furthermore, this document does not explicitly contemplate other va
<t>Furthermore, this document does not explicitly contemplate other variants of riants of cryptographic message protections, including any of these:</t>
cryptographic message protections, including any of these:</t> <ul spacing="normal">
<li>
<t><list style="symbols"> <t>encrypted-only message (without a cryptographic signature; see
<t>Encrypted-only message (Without a cryptographic signature. See <xref sectio <xref section="5.3" sectionFormat="of" target="RFC9787"/>)</t>
n="5.3" sectionFormat="of" target="I-D.ietf-lamps-e2e-mail-guidance"/>.)</t> </li>
<t>Triple-wrapped message</t> <li>
<t>Signed message with multiple signatures</t> <t>triple-wrapped message</t>
<t>Encrypted message with a cryptographic signature outside the encryption.</t </li>
> <li>
</list></t> <t>signed message with multiple signatures</t>
</li>
<t>All such messages are out of scope of this document.</t> <li>
<t>encrypted message with a cryptographic signature outside the en
</section> cryption</t>
</section> </li>
<section anchor="example"><name>Example</name> </ul>
<t>All such messages are out of scope of this document.</t>
<t>This section gives an overview by providing an example of how MIME messages w </section>
ith Header Protection look like.</t> </section>
<section anchor="example">
<t>Consider the following MIME message:</t> <name>Example</name>
<t>This section gives an overview by providing an example of how MIME me
<figure><artwork><![CDATA[ ssages with Header Protection look.</t>
<t>Consider the following MIME message:</t>
<artwork><![CDATA[
A └─╴application/pkcs7-mime; smime-type="enveloped-data" A └─╴application/pkcs7-mime; smime-type="enveloped-data"
↧ (decrypts to) ↧ (decrypts to)
B └─╴application/pkcs7-mime; smime-type="signed-data" B └─╴application/pkcs7-mime; smime-type="signed-data"
⇩ (unwraps to) ⇩ (unwraps to)
C └┬╴multipart/alternative; hp="cipher" C └┬╴multipart/alternative; hp="cipher"
D ├─╴text/plain; hp-legacy-display="1" D ├─╴text/plain; hp-legacy-display="1"
E └─╴text/html; hp-legacy-display="1" E └─╴text/html; hp-legacy-display="1"
]]></artwork></figure> ]]></artwork>
<t>Observe that:</t>
<t>Observe that:</t> <ul spacing="normal">
<li>
<t><list style="symbols"> <t>Nodes A and B are collectively called the Cryptographic Envelope.
<t>Node A and B are collectively called the Cryptographic Envelope. Node C (including its subnodes D and E) is called the Cryptographic Payload <xre
Node C (including its sub-nodes D and E) is called the Cryptographic Payload (<x f target="RFC9787"/>.</t>
ref target="I-D.ietf-lamps-e2e-mail-guidance"/>).</t> </li>
<t>Node A contains the traditional unprotected ("outer") Header Fields. <li>
<t>Node A contains the traditional unprotected ("outer") Header Fiel
ds.
Node C contains the protected ("inner") Header Fields.</t> Node C contains the protected ("inner") Header Fields.</t>
<t>The presence of the <spanx style="verb">hp</spanx> attribute (see <xref tar </li>
get="hp-parameter"/>) on the <spanx style="verb">Content-Type</spanx> of node C <li>
allows the receiver to know that the sender applied Header Protection. <t>The presence of the <tt>hp</tt> attribute (see <xref target="hp-p
Its value allows the receiver to distinguish whether the sender intended for the arameter"/>) on the <tt>Content-Type</tt> of node C allows the receiver to know
message to be confidential (<spanx style="verb">hp="cipher"</spanx>) or not (<s that the sender applied Header Protection.
panx style="verb">hp="clear"</spanx>), since encryption may have been added in t Its value allows the receiver to distinguish whether the sender intended for the
ransit (see <xref target="avoid-summary-confusion"/>).</t> message to be confidential (<tt>hp="cipher"</tt>) or not (<tt>hp="clear"</tt>),
</list></t> since encryption may have been added in transit (see <xref target="avoid-summar
y-confusion"/>).</t>
<t>The "outer" Header Section on node A looks as follows:</t> </li>
</ul>
<figure><artwork><![CDATA[ <t>The "outer" Header Section on node A looks as follows:</t>
<artwork><![CDATA[
Date: Wed, 11 Jan 2023 16:08:43 -0500 Date: Wed, 11 Jan 2023 16:08:43 -0500
From: Bob <bob@example.net> From: Bob <bob@example.net>
To: Alice <alice@example.net> To: Alice <alice@example.net>
Subject: [...] Subject: [...]
Message-ID: <20230111T210843Z.1234@lhp.example> Message-ID: <20230111T210843Z.1234@lhp.example>
Content-Type: application/pkcs7-mime; smime-type="enveloped-data" Content-Type: application/pkcs7-mime; smime-type="enveloped-data"
MIME-Version: 1.0 MIME-Version: 1.0
]]></artwork></figure> ]]></artwork>
<t>The "inner" Header Section on node C looks as follows:</t>
<t>The "inner" Header Section on node C looks as follows:</t> <artwork><![CDATA[
<figure><artwork><![CDATA[
Date: Wed, 11 Jan 2023 16:08:43 -0500 Date: Wed, 11 Jan 2023 16:08:43 -0500
From: Bob <bob@example.net> From: Bob <bob@example.net>
To: Alice <alice@example.net> To: Alice <alice@example.net>
Subject: Handling the Jones contract Subject: Handling the Jones contract
Keywords: Contract, Urgent Keywords: Contract, Urgent
Message-ID: <20230111T210843Z.1234@lhp.example> Message-ID: <20230111T210843Z.1234@lhp.example>
Content-Type: multipart/alternative; hp="cipher" Content-Type: multipart/alternative; hp="cipher"
MIME-Version: 1.0 MIME-Version: 1.0
HP-Outer: Date: Wed, 11 Jan 2023 16:08:43 -0500 HP-Outer: Date: Wed, 11 Jan 2023 16:08:43 -0500
HP-Outer: From: Bob <bob@example.net> HP-Outer: From: Bob <bob@example.net>
HP-Outer: To: Alice <alice@example.net> HP-Outer: To: Alice <alice@example.net>
HP-Outer: Subject: [...] HP-Outer: Subject: [...]
HP-Outer: Message-ID: <20230111T210843Z.1234@lhp.example> HP-Outer: Message-ID: <20230111T210843Z.1234@lhp.example>
]]></artwork></figure> ]]></artwork>
<t>Observe that:</t>
<t>Observe that:</t> <ul spacing="normal">
<li>
<t><list style="symbols"> <t>Between node C and node A, some Header Fields are copied as is (<
<t>Between node C and node A, some Header Fields are copied as-is (<spanx styl tt>Date</tt>, <tt>From</tt>, <tt>To</tt>, <tt>Message-ID</tt>), some are obscure
e="verb">Date</spanx>, <spanx style="verb">From</spanx>, <spanx style="verb">To< d (<tt>Subject</tt>), and some are removed (<tt>Keywords</tt>).</t>
/spanx>, <spanx style="verb">Message-ID</spanx>), some are obscured (<spanx styl </li>
e="verb">Subject</spanx>), and some are removed (<spanx style="verb">Keywords</s <li>
panx>).</t> <t>The <tt>HP-Outer</tt> Header Fields (see <xref target="hp-outer"/
<t>The <spanx style="verb">HP-Outer</spanx> Header Fields (see <xref target="h >) of node C contain a protected copy of the Header Fields in node A.
p-outer"/>) of node C contain a protected copy of the Header Fields in node A.
The copy allows the receiver to recompute for which Header Fields the sender pro vided confidentiality by removing or obscuring them.</t> The copy allows the receiver to recompute for which Header Fields the sender pro vided confidentiality by removing or obscuring them.</t>
<t>The copying/removing/obscuring and the <spanx style="verb">HP-Outer</spanx> </li>
only apply to Non-Structural Header Fields, not to Structural Header Fields lik <li>
e <spanx style="verb">Content-Type</spanx> or <spanx style="verb">MIME-Version</ <t>The copying/removing/obscuring and the <tt>HP-Outer</tt> only app
spanx> (see <xref section="1.1" sectionFormat="of" target="I-D.ietf-lamps-e2e-ma ly to Non-Structural Header Fields, not to Structural Header Fields like <tt>Con
il-guidance"/>).</t> tent-Type</tt> or <tt>MIME-Version</tt> (see <xref section="1.1" sectionFormat="
<t>If the sender intends no confidentiality and doesn't encrypt the message, i of" target="RFC9787"/>).</t>
t doesn't remove or obscure Header Fields. </li>
All Non-Structural Header Fields are copied as-is. <li>
No <spanx style="verb">HP-Outer</spanx> Header Fields are present.</t> <t>If the sender intends no confidentiality and doesn't encrypt the
</list></t> message, it doesn't remove or obscure Header Fields.
All Non-Structural Header Fields are copied as is.
<t>Node D looks as follows:</t> No <tt>HP-Outer</tt> Header Fields are present.</t>
</li>
<figure><artwork><![CDATA[ </ul>
<t>Node D looks as follows:</t>
<artwork><![CDATA[
Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"; Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1";
Subject: Handling the Jones contract Subject: Handling the Jones contract
Keywords: Contract, Urgent Keywords: Contract, Urgent
Please review and approve or decline by Thursday, it's critical! Please review and approve or decline by Thursday, it's critical!
Thanks, Thanks,
Bob Bob
-- --
Bob Gonzalez Bob Gonzalez
ACME, Inc. ACME, Inc.
]]></artwork></figure> ]]></artwork>
<t>Observe that:</t>
<t>Observe that:</t> <ul spacing="normal">
<li>
<t><list style="symbols"> <t>The sender adds the removed and obscured User-Facing Header Field
<t>The sender adds the removed and obscured User-Facing Header Fields (see <xr s (see <xref section="1.1.2" sectionFormat="of" target="RFC9787"/>) to the main
ef section="1.1.2" sectionFormat="of" target="I-D.ietf-lamps-e2e-mail-guidance"/ body (note the empty line after the Content-Type).
>) to the main body (note the empty line after the Content-Type).
This is called the Legacy Display Element. This is called the Legacy Display Element.
It allows a user with a Legacy MUA which doesn't implement this document to unde It allows a user with a Legacy MUA that doesn't implement this document to unde
rstand the message, since the Header Fields will be shown as part of the main bo rstand the message, since the Header Fields will be shown as part of the main bo
dy.</t> dy.</t>
<t>The <spanx style="verb">hp-legacy-display="1"</spanx> attribute (see <xref </li>
target="hp-legacy-display"/>) indicates that the sender added a Legacy Display E <li>
lement. <t>The <tt>hp-legacy-display="1"</tt> attribute (see <xref target="h
This allows receivers that implement this document to recognise the Legacy Displ p-legacy-display"/>) indicates that the sender added a Legacy Display Element.
ay Element and distinguish it from user-added content. This allows receivers that implement this document to recognize the Legacy Displ
ay Element and distinguish it from user-added content.
The receiver then hides the Legacy Display Element and doesn't display it to the user.</t> The receiver then hides the Legacy Display Element and doesn't display it to the user.</t>
<t>The <spanx style="verb">hp-legacy-display</spanx> is added to the node to w </li>
hich it applies, not on any outer nodes (e.g., not to node C).</t> <li>
</list></t> <t><tt>hp-legacy-display</tt> is added to the node to which it appli
es, not on any outer nodes (e.g., not to node C).</t>
<t>For more examples, see <xref target="compose-examples"/> and <xref target="re </li>
ndering-examples"/>.</t> </ul>
<t>For more examples, see Appendices <xref target="compose-examples" for
</section> mat="counter"/> and <xref target="rendering-examples" format="counter"/>.</t>
</section> </section>
<section anchor="specification"><name>Internet Message Format Extensions</name> </section>
<section anchor="specification">
<t>This section describes relevant, backward-compatible extensions to the Intern <name>Internet Message Format Extensions</name>
et Message Format (<xref target="RFC5322"/>). <t>This section describes relevant, backward-compatible extensions to the
Internet Message Format <xref target="RFC5322"/>.
Subsequent sections offer concrete guidance for an MUA to make use of these mech anisms, including policy decisions and recommended pseudocode.</t> Subsequent sections offer concrete guidance for an MUA to make use of these mech anisms, including policy decisions and recommended pseudocode.</t>
<section anchor="content-type-parameters">
<section anchor="content-type-parameters"><name>Content-Type parameters</name> <name>Content-Type Parameters</name>
<t>This document introduces two parameters for the <tt>Content-Type</tt>
<t>This document introduces two parameters for the <spanx style="verb">Content-T Header Field, which have distinct semantics and use cases.</t>
ype</spanx> Header Field, which have distinct semantics and use cases.</t> <section anchor="hp-parameter">
<name>Content-Type Parameter: hp</name>
<section anchor="hp-parameter"><name>Content-Type parameter: hp</name> <t>This specification defines a parameter for the <tt>Content-Type</tt
> Header Field named <tt>hp</tt> (for Header Protection).
<t>This specification defines a parameter for the <spanx style="verb">Content-Ty This parameter is only relevant on the <tt>Content-Type</tt> Header Field at the
pe</spanx> Header Field named <spanx style="verb">hp</spanx> (for Header Protect root of the Cryptographic Payload.
ion).
This parameter is only relevant on the <spanx style="verb">Content-Type</spanx>
Header Field at the root of the Cryptographic Payload.
The presence of this parameter at the root of the Cryptographic Payload indicate s that the sender intends for this message to have end-to-end cryptographic prot ections for the Header Fields.</t> The presence of this parameter at the root of the Cryptographic Payload indicate s that the sender intends for this message to have end-to-end cryptographic prot ections for the Header Fields.</t>
<t>The parameter's defined values describe the sender's cryptographic
intent when producing the message:</t>
<table>
<name>hp Parameter for Content-Type Header Field</name>
<thead>
<tr>
<th align="left">hp Value</th>
<th align="left">Authenticity</th>
<th align="left">Integrity</th>
<th align="left">Confidentiality</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">
<tt>"clear"</tt></td>
<td align="left">yes</td>
<td align="left">yes</td>
<td align="left">no</td>
<td align="left">This message has been signed by the sender, wit
h Header Protection.</td>
</tr>
<tr>
<td align="left">
<tt>"cipher"</tt></td>
<td align="left">yes</td>
<td align="left">yes</td>
<td align="left">yes</td>
<td align="left">This message has been signed by the sender, wit
h Header Protection, and is encrypted to the recipients.</td>
</tr>
</tbody>
</table>
<t>The parameter's defined values describe the sender's cryptographic intent whe n producing the message:</t> <!--[rfced] May we update "non-encrypted" to "unencrypted"?
<texttable title="hp parameter for Content-Type Header Field"> Original:
<ttcol align='left'>hp Value</ttcol> A sending implementation MUST NOT produce a Cryptographic Payload
<ttcol align='left'>Authenticity</ttcol> with parameter hp="cipher" for a non-encrypted message (that is,
<ttcol align='left'>Integrity</ttcol> where none of the Cryptographic Layers in the Cryptographic Envelope
<ttcol align='left'>Confidentiality</ttcol> of the message provide encryption).
<ttcol align='left'>Description</ttcol>
<c><spanx style="verb">"clear"</spanx></c>
<c>yes</c>
<c>yes</c>
<c>no</c>
<c>This message has been signed by the sender with Header Protection</c>
<c><spanx style="verb">"cipher"</spanx></c>
<c>yes</c>
<c>yes</c>
<c>yes</c>
<c>This message has been signed by the sender, with Header Protection, and
is encrypted to the recipients</c>
</texttable>
<t>A sending implementation <bcp14>MUST NOT</bcp14> produce a Cryptographic Payl Perhaps:
oad with parameter <spanx style="verb">hp="cipher"</spanx> for a non-encrypted m A sending implementation MUST NOT produce a Cryptographic Payload
essage (that is, where none of the Cryptographic Layers in the Cryptographic Env with parameter hp="cipher" for an unencrypted message (that is,
elope of the message provide encryption). where none of the Cryptographic Layers in the Cryptographic Envelope
Likewise, if a sending implementation is sending an encrypted message with Heade of the message provide encryption).
r Protection, it <bcp14>MUST</bcp14> emit an <spanx style="verb">hp="cipher"</sp -->
anx> parameter, regardless of which Header Fields were made confidential.</t>
<t>Note that <spanx style="verb">hp="cipher"</spanx> indicates that the message <t>A sending implementation <bcp14>MUST NOT</bcp14> produce a Cryptogr
itself has been encrypted by the sender to the recipients, but makes no assertio aphic Payload with parameter <tt>hp="cipher"</tt> for a non-encrypted message (t
ns about which Header Fields have been removed or obscured. hat is, where none of the Cryptographic Layers in the Cryptographic Envelope of
the message provide encryption).
Likewise, if a sending implementation is sending an encrypted message with Heade
r Protection, it <bcp14>MUST</bcp14> emit an <tt>hp="cipher"</tt> parameter, reg
ardless of which Header Fields were made confidential.</t>
<t>Note that <tt>hp="cipher"</tt> indicates that the message itself ha
s been encrypted by the sender to the recipients but makes no assertions about w
hich Header Fields have been removed or obscured.
This can be derived from the Cryptographic Payload itself (see <xref target="ext racting-headers"/>).</t> This can be derived from the Cryptographic Payload itself (see <xref target="ext racting-headers"/>).</t>
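Review bot: The [rfced] query embedded in the new column ("May we update 'non-encrypted' to 'unencrypted'?") is still unresolved in this revision: the paragraph that follows it keeps "for a non-encrypted message". Decide the wording and remove the comment block from the XML before this is final. Either spelling leaves the requirement unchanged: hp="cipher" MUST NOT be emitted when no Cryptographic Layer in the Cryptographic Envelope provides encryption.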
<t>A receiving implementation <bcp14>MUST NOT</bcp14> mistake the pres
<t>A receiving implementation <bcp14>MUST NOT</bcp14> mistake the presence of an ence of an <tt>hp="cipher"</tt> parameter in the Cryptographic Payload for the a
<spanx style="verb">hp="cipher"</spanx> parameter in the Cryptographic Payload ctual presence of a Cryptographic Layer that provides encryption.</t>
for the actual presence of a Cryptographic Layer that provides encryption.</t> </section>
<section anchor="hp-legacy-display">
</section> <name>Content-Type Parameter: hp-legacy-display</name>
<section anchor="hp-legacy-display"><name>Content-Type parameter: hp-legacy-disp <t>This specification also defines an <tt>hp-legacy-display</tt> param
lay</name> eter for the <tt>Content-Type</tt> Header Field.
The only defined value for this parameter is <tt>1</tt>.</t>
<t>This specification also defines an <spanx style="verb">hp-legacy-display</spa <t>This parameter is only relevant on a leaf MIME node of <tt>Content-
nx> parameter for the <spanx style="verb">Content-Type</spanx> Header Field. Type</tt> <tt>text/html</tt> or <tt>text/plain</tt> within a well-formed message
The only defined value for this parameter is <spanx style="verb">1</spanx>.</t> with end-to-end cryptographic protections.
<t>This parameter is only relevant on a leaf MIME node of <spanx style="verb">Co
ntent-Type</spanx> <spanx style="verb">text/html</spanx> or <spanx style="verb">
text/plain</spanx> within a well-formed message with end-to-end cryptographic pr
otections.
Its presence indicates that the MIME node it is attached to contains a decorativ e "Legacy Display Element". Its presence indicates that the MIME node it is attached to contains a decorativ e "Legacy Display Element".
The Legacy Display Element itself is used for backward-compatible visibility of any removed or obscured User-Facing Header Field in a Legacy MUA.</t> The Legacy Display Element itself is used for backward-compatible visibility of any removed or obscured User-Facing Header Field in a Legacy MUA.</t>
<t>Such a Legacy Display Element need not be rendered to the user of a
<t>Such a Legacy Display Element need not be rendered to the user of an MUA that n MUA that implements this specification, because the MUA already knows the corr
implements this specification, because the MUA already knows the correct Header ect Header Field information and can render it to the user in the appropriate pa
Field information, and can render it to the user in the appropriate part of the rt of the MUA's user interface rather than in the body of the message.</t>
MUA's user interface rather than in the body of the message.</t> <t>See <xref target="ld-text-plain"/> for how to insert a Legacy Displ
ay Element into a <tt>text/plain</tt> Main Body Part.
<t>See <xref target="ld-text-plain"/> for how to insert a Legacy Display Element See <xref target="ld-text-html"/> for how to insert a Legacy Display Element int
into a <spanx style="verb">text/plain</spanx> Main Body Part. o a <tt>text/html</tt> Main Body Part.
See <xref target="ld-text-html"/> for how to insert a Legacy Display Element int
o a <spanx style="verb">text/html</spanx> Main Body Part.
See <xref target="dont-render-legacy-display"/> for how to avoid rendering a Leg acy Display Element.</t> See <xref target="dont-render-legacy-display"/> for how to avoid rendering a Leg acy Display Element.</t>
</section>
</section> </section>
</section> <section anchor="hp-outer">
<section anchor="hp-outer"><name>The HP-Outer Header Field</name> <name>HP-Outer Header Field</name>
<t>This document also specifies a new Header Field: <tt>HP-Outer</tt>.</
<t>This document also specifies a new Header Field: <spanx style="verb">HP-Outer t>
</spanx>.</t> <t>This Header Field is used only in the Header Section of the Cryptogra
phic Payload of an encrypted message.
<t>This Header Field is used only in the Header Section of the Cryptographic Pay
load of an encrypted message.
It is not relevant for signed-only messages. It is not relevant for signed-only messages.
It documents, with the same cryptographic guarantees shared by the rest of the m essage, the sender's choices about Header Field confidentiality. It documents, with the same cryptographic guarantees shared by the rest of the m essage, the sender's choices about Header Field confidentiality.
It does so by embedding a copy within the Cryptographic Envelope of every non-st ructural Header Field that the sender put outside the Cryptographic Envelope. It does so by embedding a copy within the Cryptographic Envelope of every non-st ructural Header Field that the sender put outside the Cryptographic Envelope.
This Header Field enables the MUA receiving the encrypted message to reliably id entify whether the sending MUA intended to make a Header Field confidential (see <xref target="status-overestimation"/>).</t> This Header Field enables the MUA receiving the encrypted message to reliably id entify whether the sending MUA intended to make a Header Field confidential (see <xref target="status-overestimation"/>).</t>
<t>The <tt>HP-Outer</tt> Header Fields in a message's Cryptographic Payl
<t>The <spanx style="verb">HP-Outer</spanx> Header Fields in a message's Cryptog oad are useful for ensuring that any confidential Header Field will not be autom
raphic Payload are useful for ensuring that any confidential Header Field will n atically leaked in the clear if the user replies to or forwards the message.
ot be automatically leaked in the clear if the user replies to or forwards the m
essage.
They may also be useful for an MUA that indicates the confidentiality status of any given Header Field to the user.</t> They may also be useful for an MUA that indicates the confidentiality status of any given Header Field to the user.</t>
<t>An implementation that composes encrypted email <bcp14>MUST</bcp14> i
<t>An implementation that composes encrypted e-mail <bcp14>MUST</bcp14> include nclude a copy of all non-structural Header Fields deliberately exposed to the ou
a copy of all non-structural Header Fields deliberately exposed to the outside o tside of the Cryptographic Envelope using a series of <tt>HP-Outer</tt> Header F
f the Cryptographic Envelope using a series of <spanx style="verb">HP-Outer</spa ields within the Cryptographic Payload.
nx> Header Fields within the Cryptographic Payload. These <tt>HP-Outer</tt> MIME Header Fields should only ever appear directly with
These <spanx style="verb">HP-Outer</spanx> MIME Header Fields should only ever a in the Header Section of the Cryptographic Payload of a Cryptographic Envelope o
ppear directly within the Header Section of the Cryptographic Payload of a Crypt ffering confidentiality.
ographic Envelope offering confidentiality.
They <bcp14>MUST</bcp14> be ignored for the purposes of evaluating the message's Header Protection if they appear in other places.</t> They <bcp14>MUST</bcp14> be ignored for the purposes of evaluating the message's Header Protection if they appear in other places.</t>
<t>Each instance of <tt>HP-Outer</tt> contains a non-structural Header F
<t>Each instance of <spanx style="verb">HP-Outer</spanx> contains a non-structur ield name and the value that this Header Field was set in within the outer (unpr
al Header Field name and the value that this Header Field was set in the outer ( otected) Header Section.
unprotected) Header Section. The <tt>HP-Outer</tt> Header Field can appear multiple times in the Header Secti
The <spanx style="verb">HP-Outer</spanx> Header Field can appear multiple times on of a Cryptographic Payload.</t>
in the Header Section of a Cryptographic Payload.</t> <t>If a non-structural Header Field named <tt>Z</tt> is present in Heade
r Section of the Cryptographic Payload but doesn't appear in an <tt>HP-Outer</tt
<t>If a non-structural Header Field name <spanx style="verb">Z</spanx> is presen > Header Field value at all, then the sender is effectively asserting that every
t in Header Section of the Cryptographic Payload, but doesn't appear in an <span instance of <tt>Z</tt> was made confidential by removal from the Outer Header S
x style="verb">HP-Outer</spanx> Header Field value at all, then the sender is ef ection.
fectively asserting that every instance of <spanx style="verb">Z</spanx> was mad Specifically, it means that no Header Field <tt>Z</tt> was included on the outsi
e confidential by removal from the Outer Header Section. de of the message's Cryptographic Envelope by the sender at the time the message
Specifically, it means that no Header Field <spanx style="verb">Z</spanx> was in was injected into the mail system.</t>
cluded on the outside of the message's Cryptographic Envelope by the sender at t <t>See <xref target="compose"/> for how to insert <tt>HP-Outer</tt> Head
he time the message was injected into the mail system.</t> er Fields into an encrypted message.
See <xref target="crypto-summary-update"/> for how to determine the end-to-end c
<t>See <xref target="compose"/> for how to insert <spanx style="verb">HP-Outer</ onfidentiality of a given Header Field from an encrypted message with Header Pro
spanx> Header Fields into an encrypted message. tection using <tt>HP-Outer</tt>.
See <xref target="crypto-summary-update"/> for how to determine the end-to-end c
onfidentiality of a given Header Field from an encrypted message with Header Pro
tection using <spanx style="verb">HP-Outer</spanx>.
See <xref target="avoid-leak"/> for how an MUA can safely reply to (or forward) an encrypted message without leaking confidential Header Fields by default.</t> See <xref target="avoid-leak"/> for how an MUA can safely reply to (or forward) an encrypted message without leaking confidential Header Fields by default.</t>
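Review bot: In the rewritten paragraph describing what each HP-Outer instance carries, "the value that this Header Field was set in within the outer (unprotected) Header Section" now stacks two prepositions, where the old text had only "set in". Suggest "the value that this Header Field was set to in the outer (unprotected) Header Section". The following paragraph also still reads "is present in Header Section of the Cryptographic Payload" without an article, although the same slip was corrected to "from the Header Section" in the Header Confidentiality Policy section.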
<section anchor="new-header-field">
<section anchor="new-header-field"><name>HP-Outer Header Field Definition</name> <name>HP-Outer Header Field Definition</name>
<t>The syntax of this Header Field is defined using the following ABNF
<t>The syntax of this Header Field is defined using the following ABNF <xref tar <xref target="RFC5234"/>, where <tt>field-name</tt>, <tt>WSP</tt>, <tt>VCHAR</t
get="RFC5234"/>, where <spanx style="verb">field-name</spanx>, <spanx style="ver t>, and <tt>FWS</tt> are defined in <xref target="RFC5322"/>:</t>
b">WSP</spanx>, <spanx style="verb">VCHAR</spanx>, and <spanx style="verb">FWS</ <sourcecode type="abnf"><![CDATA[
spanx> are defined in <xref target="RFC5322"/>:</t>
<figure><artwork><![CDATA[
hp-outer = "HP-Outer:" [FWS] field-name ": " hp-outer = "HP-Outer:" [FWS] field-name ": "
hp-outer-value CRLF hp-outer-value CRLF
hp-outer-value = (*([FWS] VCHAR) *WSP) hp-outer-value = (*([FWS] VCHAR) *WSP)
]]></artwork></figure> ]]></sourcecode>
<t>Note that <tt>hp-outer-value</tt> is the same as <tt>unstructured</
<t>Note that <spanx style="verb">hp-outer-value</spanx> is the same as <spanx st tt> from <xref section="3.2.5" sectionFormat="of" target="RFC5322"/> but without
yle="verb">unstructured</spanx> from <xref section="3.2.5" sectionFormat="of" ta the obsolete <tt>obs-unstruct</tt> option.</t>
rget="RFC5322"/>, but without the obsolete <spanx style="verb">obs-unstruct</spa </section>
nx> option.</t> </section>
</section>
</section> <section anchor="header-confidentiality-policy">
</section> <name>Header Confidentiality Policy</name>
</section> <t>An MUA composing an encrypted message according to this specification m
<section anchor="header-confidentiality-policy"><name>Header Confidentiality Pol ay make any given Header Field confidential by removing it from the Header Secti
icy</name> on outside the Cryptographic Envelope or by obscuring it by rewriting it to a di
fferent value in that outer Header Section.
<t>An MUA composing an encrypted message according to this specification may mak The composing MUA faces a choice for any new message: Which Header Fields should
e any given Header Field confidential by removing it from Header Section outside be made confidential, and how?</t>
the Cryptographic Envelope, or by obscuring it by rewriting it to a different v <t>This section defines the "<iref item="Header Confidentiality Policy"/><
alue in that outer Header Section. xref target="header-confidentiality-policy" format="none">Header Confidentiality
The composing MUA faces a choice for any new message: which Header Fields should Policy</xref>" (or <iref item="HCP"/><xref target="header-confidentiality-polic
be made confidential, and how?</t> y" format="none">HCP</xref>) as a well-defined abstraction to encourage MUA deve
lopers to consider, document, and share reasonable policies across the community
<t>This section defines the "<iref item="Header Confidentiality Policy"/><xref t .
arget="header-confidentiality-policy" format="none">Header Confidentiality Polic
y</xref>" (or <iref item="HCP"/><xref target="header-confidentiality-policy" for
mat="none">HCP</xref>) as a well-defined abstraction to encourage MUA developers
to consider, document, and share reasonable policies across the community.
It establishes a registry of known HCPs, defines a small number of simple HCPs i n that registry, and makes a recommendation for a reasonable default.</t> It establishes a registry of known HCPs, defines a small number of simple HCPs i n that registry, and makes a recommendation for a reasonable default.</t>
<t>Note that such a policy is only needed when the end-to-end protections
<t>Note that such a policy is only needed when the end-to-end protections includ include encryption (confidentiality).
e encryption (confidentiality).
No comparable policy is needed for other end-to-end cryptographic protections (i ntegrity and authenticity), as they are simply uniformly applied so that all Hea der Fields known by the sender have these protections.</t> No comparable policy is needed for other end-to-end cryptographic protections (i ntegrity and authenticity), as they are simply uniformly applied so that all Hea der Fields known by the sender have these protections.</t>
<t>This asymmetry is a consequence of complexities in existing message del
<t>This asymmetry is a consequence of complexities in existing message delivery ivery systems, some of which may reject, drop, or delay messages where all Heade
systems, some of which may reject, drop, or delay messages where all Header Fiel r Fields are removed from the top-level MIME object.</t>
ds are removed from the top-level MIME object.</t> <t>Note that no representation of the <iref item="HCP"/><xref target="head
er-confidentiality-policy" format="none">HCP</xref> itself ever appears "on the
<t>Note that no representation of the <iref item="HCP"/><xref target="header-con wire".
fidentiality-policy" format="none">HCP</xref> itself ever appears "on the wire". However, the consumer of the encrypted message can see the decisions that were m
However, the consumer of the encrypted message can see the decisions that were m ade by the sender's <iref item="HCP"/><xref target="header-confidentiality-polic
ade by the sender's <iref item="HCP"/><xref target="header-confidentiality-polic y" format="none">HCP</xref> via the <tt>HP-Outer</tt> Header Fields (see <xref t
y" format="none">HCP</xref> via the <spanx style="verb">HP-Outer</spanx> Header arget="hp-outer"/>).</t>
Fields (see <xref target="hp-outer"/>).</t> <section anchor="hcp-definition">
<name>HCP Definition</name>
<section anchor="hcp-definition"><name>HCP Definition</name> <t>In this document, we represent that <iref item="Header Confidentialit
y Policy"/><xref target="header-confidentiality-policy" format="none">Header Con
<t>In this document, we represent that <iref item="Header Confidentiality Policy fidentiality Policy</xref> as a function <tt>hcp</tt>:</t>
"/><xref target="header-confidentiality-policy" format="none">Header Confidentia <ul spacing="normal">
lity Policy</xref> as a function <spanx style="verb">hcp</spanx>:</t> <li>
<t><tt>hcp(name, val_in) -&gt; val_out</tt>: This function takes a n
<t><list style="symbols"> on-structural Header Field identified by <tt>name</tt> with the initial value <t
<t><spanx style="verb">hcp(name, val_in) → val_out</spanx>: this function take t>val_in</tt> as arguments and returns a replacement header value <tt>val_out</t
s a non-structural Header Field identified by <spanx style="verb">name</spanx> w t>.
ith initial value <spanx style="verb">val_in</spanx> as arguments, and returns a If <tt>val_out</tt> is the special value <tt>null</tt>, it means that the Header
replacement header value <spanx style="verb">val_out</spanx>. Field in question should be removed from the set of Header Fields visible outsi
If <spanx style="verb">val_out</spanx> is the special value <spanx style="verb"> de the Cryptographic Envelope.</t>
null</spanx>, it means that the Header Field in question should be removed from </li>
the set of Header Fields visible outside the Cryptographic Envelope.</t> </ul>
</list></t> <t>In the pseudocode descriptions of various choices of <iref item="HCP"
/><xref target="header-confidentiality-policy" format="none">HCP</xref> in this
<t>In the pseudocode descriptions of various choices of <iref item="HCP"/><xref document, any comparison with the <tt>name</tt> input is done case-insensitively
target="header-confidentiality-policy" format="none">HCP</xref> in this document .
, any comparison with the <spanx style="verb">name</spanx> input is done case-in
sensitively.
This is appropriate for Header Field names, as described in <xref target="RFC532 2"/>.</t> This is appropriate for Header Field names, as described in <xref target="RFC532 2"/>.</t>
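Review bot: The function signature in the HCP definition list item changes from "→" to "-&gt;" in the new column, while the sourcecode blocks (example_hide_cc.hcp, baseline.hcp, shy.hcp) keep "(name, val_in) → val_out:". Use one notation for the signature in both the running text and the pseudocode so readers do not take them for two different operators.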
<t>Note that <tt>hcp</tt> is only applied to non-structural Header Field
<t>Note that <spanx style="verb">hcp</spanx> is only applied to non-structural H s.
eader Fields.
When composing a message, Structural Header Fields are dealt with separately, as described in <xref target="compose"/>.</t> When composing a message, Structural Header Fields are dealt with separately, as described in <xref target="compose"/>.</t>
<t>As an example, an MUA that obscures the <tt>Subject</tt> Header Field
<t>As an example, an MUA that obscures the <spanx style="verb">Subject</spanx> H by replacing it with the literal string "<tt>[...]</tt>" hides all Cc'ed recipi
eader Field by replacing it with the literal string "<spanx style="verb">[...]</ ents and does not offer confidentiality to any other Header Fields that would be
spanx>", hides all Cc'ed recipients, and does not offer confidentiality to any o represented as (in pseudocode):</t>
ther Header Fields would be represented as (in pseudocode):</t> <sourcecode type="text/x-hcp" name="example_hide_cc.hcp"><![CDATA[
<figure><sourcecode type="text/x-hcp" name="example_hide_cc.hcp"><![CDATA[
hcp_example_hide_cc(name, val_in) → val_out: hcp_example_hide_cc(name, val_in) → val_out:
if lower(name) is 'subject': if lower(name) is 'subject':
return '[...]' return '[...]'
else if lower(name) is 'cc': else if lower(name) is 'cc':
return null return null
else: else:
return val_in return val_in
]]></sourcecode></figure> ]]></sourcecode>
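Review bot: The sentence that introduces example_hide_cc.hcp loses its main verb in the new column. With the commas dropped and "that" inserted, "any other Header Fields that would be represented as (in pseudocode):" attaches "would be represented" to the Header Fields instead of to the MUA being described, so the sentence never completes. Suggest restoring the old structure ("..., and does not offer confidentiality to any other Header Fields would be represented as") or recasting it so the policy is the subject.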
<t>For alignment with common practice as well as the ABNF in <xref targe
<t>For alignment with common practice as well as the ABNF in <xref target="new-h t="new-header-field"/> for <tt>HP-Outer</tt>, <tt>val_out</tt> <bcp14>MUST</bcp1
eader-field"/> for <spanx style="verb">HP-Outer</spanx>, <spanx style="verb">val 4> be one of the following:</t>
_out</spanx> <bcp14>MUST</bcp14> be one of the following:</t> <ul spacing="normal">
<li>
<t><list style="symbols"> <t>identical to <tt>val_in</tt>,</t>
<t>identical to <spanx style="verb">val_in</spanx>, or</t> </li>
<t>the special value <spanx style="verb">null</spanx> (meaning that the Header <li>
Field will be removed from the outside of the message), or</t> <t>the special value <tt>null</tt> (meaning that the Header Field wi
<t>a sequence of printable and whitespace (that is, space or tab) 7-bit clean ll be removed from the outside of the message), or</t>
ASCII characters (of course, non-ASCII text can be encoded as ASCII using the <s </li>
panx style="verb">encoded-word</spanx> construct from <xref target="RFC2047"/>)< <li>
/t> <t>a sequence of whitespace (that is, space or tab) and printable 7-
</list></t> bit, clean ASCII characters (of course, non-ASCII text can be encoded as ASCII u
sing the <tt>encoded-word</tt> construct from <xref target="RFC2047"/>)</t>
<t>The <iref item="HCP"/><xref target="header-confidentiality-policy" format="no </li>
ne">HCP</xref> can compute <spanx style="verb">val_out</spanx> using any techniq </ul>
ue describable in pseudocode, such as copying a fixed string or invocations of o <t>The <iref item="HCP"/><xref target="header-confidentiality-policy" fo
ther pseudocode functions. rmat="none">HCP</xref> can compute <tt>val_out</tt> using any technique describa
If it alters the value, it <bcp14>MUST NOT</bcp14> include control or NUL charac ble in pseudocode, such as copying a fixed string or invocations of other pseudo
ters in <spanx style="verb">val_out</spanx>. code functions.
<spanx style="verb">val_out</spanx> <bcp14>SHOULD</bcp14> match the expected ABN If it alters the value, it <bcp14>MUST NOT</bcp14> include control or NUL charac
F for the Header Field identified by <spanx style="verb">name</spanx>.</t> ters in <tt>val_out</tt>.
<tt>val_out</tt> <bcp14>SHOULD</bcp14> match the expected ABNF for the Header Fi
<section anchor="hcp-from-addr-spec"><name>HCP Avoids Changing From addr-spec</n eld identified by <tt>name</tt>.</t>
ame> <section anchor="hcp-from-addr-spec">
<name>HCP Avoids Changing from addr-spec</name>
<t>The <spanx style="verb">From</spanx> Header Field should also be treated spec <t>The <tt>From</tt> Header Field should also be treated specially by
ially by the <iref item="HCP"/><xref target="header-confidentiality-policy" form the <iref item="HCP"/><xref target="header-confidentiality-policy" format="none"
at="none">HCP</xref>, to enable defense against possible e-mail address spoofing >HCP</xref> to enable defense against possible email address spoofing (see <xref
(see <xref target="from-addr-spoofing"/>). target="from-addr-spoofing"/>).
In particular, for <spanx style="verb">hcp("From", val_in)</spanx>, the <spanx s In particular, for <tt>hcp("From", val_in)</tt>, the <tt>addr-spec</tt> of <tt>v
tyle="verb">addr-spec</spanx> of <spanx style="verb">val_in</spanx> and the <spa al_in</tt> and the <tt>addr-spec</tt> of <tt>val_out</tt> <bcp14>SHOULD</bcp14>
nx style="verb">addr-spec</spanx> of <spanx style="verb">val_out</spanx> <bcp14> match according to <xref target="matching-addr-specs"/>, unless the sending MUA
SHOULD</bcp14> match according to <xref target="matching-addr-specs"/>, unless t has additional knowledge coordinated with the receiving MUA about more subtle <t
he sending MUA has additional knowledge coordinated with the receiving MUA about t>addr-spec</tt> equivalence or certificate validity.</t>
more subtle <spanx style="verb">addr-spec</spanx> equivalence or certificate va </section>
lidity.</t> </section>
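Review bot: In the list of permitted val_out values, the third item now reads "printable 7-bit, clean ASCII characters"; the added comma splits the compound "7-bit clean", which the old text kept intact ("7-bit clean ASCII characters"). Suggest "a sequence of whitespace (that is, space or tab) and printable 7-bit clean ASCII characters". The constraint matters for the MUST NOT on control and NUL characters stated just after the list, so the wording should leave no doubt about which character set is meant.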
<section anchor="initial-registered-hcps">
</section> <name>Initial Registered HCPs</name>
</section> <t>This document formally defines three Header Confidentiality Policies
<section anchor="initial-registered-hcps"><name>Initial Registered HCPs</name> with known and reasonably well-understood characteristics as a way to compare an
d contrast different possible behavioral choices for a composing MUA.
<t>This document formally defines three Header Confidentiality Policies with kno
wn and reasonably well-understood characteristics as a way to compare and contra
st different possible behavioral choices for a composing MUA.
These definitions are not meant to preclude the creation of other HCPs.</t> These definitions are not meant to preclude the creation of other HCPs.</t>
<t>The purpose of the registry of HCPs is to facilitate <iref item="HCP"
<t>The purpose of the registry of HCPs is to facilitate <iref item="HCP"/><xref /><xref target="header-confidentiality-policy" format="none">HCP</xref> evolutio
target="header-confidentiality-policy" format="none">HCP</xref> evolution and in n and interoperability discussion among MUA developers and MTA operators.</t>
teroperability discussion among MUA developers and MTA operators.</t> <t>(The example hypothetical <iref item="HCP"/><xref target="header-conf
identiality-policy" format="none">HCP</xref>, <tt>hcp_example_hide_cc</tt>, desc
<t>(The example hypothetical <iref item="HCP"/><xref target="header-confidential ribed in <xref target="hcp-definition"/> above is deliberately not formally regi
ity-policy" format="none">HCP</xref> described in <xref target="hcp-definition"/ stered, as it has not been evaluated in practice.)</t>
> above, <spanx style="verb">hcp_example_hide_cc</spanx>, is deliberately not fo <section anchor="baseline-hcp">
rmally registered, as it has not been evaluated in practice.)</t> <name>Baseline Header Confidentiality Policy</name>
<t>The most conservative recommended <iref item="Header Confidentialit
<section anchor="baseline-hcp"><name>Baseline Header Confidentiality Policy</nam y Policy"/><xref target="header-confidentiality-policy" format="none">Header Con
e> fidentiality Policy</xref> only provides confidentiality for Informational Field
s, as defined in <xref section="3.6.5" sectionFormat="of" target="RFC5322"/>.
<t>The most conservative recommended <iref item="Header Confidentiality Policy"/
><xref target="header-confidentiality-policy" format="none">Header Confidentiali
ty Policy</xref> only provides confidentiality for Informational Fields, as defi
ned in <xref section="3.6.5" sectionFormat="of" target="RFC5322"/>.
These fields are "only human-readable content" and thus their content should not be relevant to transport agents. These fields are "only human-readable content" and thus their content should not be relevant to transport agents.
Since most Internet messages today do have a <spanx style="verb">Subject</spanx> Since most Internet messages today do have a <tt>Subject</tt> Header Field, and
Header Field, and some filtering engines might object to a message without a <s some filtering engines might object to a message without a <tt>Subject</tt>, thi
panx style="verb">Subject</spanx>, this policy is conservative and merely obscur s policy is conservative and merely obscures that Header Field by replacing it w
es that Header Field by replacing it with a fixed string <spanx style="verb">[.. ith a fixed string <tt>[...]</tt>.
.]</spanx>. By contrast, <tt>Comments</tt> and <tt>Keywords</tt> Header Fields are comparati
By contrast, <spanx style="verb">Comments</spanx> and <spanx style="verb">Keywor vely rare, so these fields are removed entirely from the Outer Header Section.</
ds</spanx> are comparatively rare, so these fields are removed entirely from the t>
Outer Header Section.</t> <sourcecode type="text/x-hcp" name="baseline.hcp"><![CDATA[
<figure><sourcecode type="text/x-hcp" name="baseline.hcp"><![CDATA[
hcp_baseline(name, val_in) → val_out: hcp_baseline(name, val_in) → val_out:
if lower(name) is 'subject': if lower(name) is 'subject':
return '[...]' return '[...]'
else if lower(name) is in ['comments', 'keywords']: else if lower(name) is in ['comments', 'keywords']:
return null return null
else: else:
return val_in return val_in
]]></sourcecode></figure> ]]></sourcecode>
<t><tt>hcp_baseline</tt> is the recommended default <iref item="HCP"/>
<t><spanx style="verb">hcp_baseline</spanx> is the recommended default <iref ite <xref target="header-confidentiality-policy" format="none">HCP</xref> for a new
m="HCP"/><xref target="header-confidentiality-policy" format="none">HCP</xref> f implementation, as it provides meaningful confidentiality protections and is unl
or a new implementation, as it provides meaningful confidentiality protections a ikely to cause deliverability or usability problems.</t>
nd is unlikely to cause deliverability or usability problems.</t> </section>
<section anchor="shy-hcp">
</section> <name>Shy Header Confidentiality Policy</name>
<section anchor="shy-hcp"><name>Shy Header Confidentiality Policy</name> <t>Alternately, a slightly more ambitious (and therefore more privacy-
preserving) <iref item="Header Confidentiality Policy"/><xref target="header-con
<t>Alternately, a slightly more ambitious (and therefore more privacy-preserving fidentiality-policy" format="none">Header Confidentiality Policy</xref> might av
) <iref item="Header Confidentiality Policy"/><xref target="header-confidentiali oid leaking human-interpretable data that MTAs generally don't care about.
ty-policy" format="none">Header Confidentiality Policy</xref> might avoid leakin The additional protected data isn't related to message routing or transport but
g human-interpretable data that MTAs generally don't care about. might reveal sensitive information about the sender or their relationship to the
The additional protected data isn't related to message routing or transport, but recipients.
but might reveal sensitive information about the sender or their relationship t This "shy" <iref item="HCP"/><xref target="header-confidentiality-policy" format
o the recipients. ="none">HCP</xref> builds on <tt>hcp_baseline</tt> but also:</t>
This "shy" <iref item="HCP"/><xref target="header-confidentiality-policy" format <ul spacing="normal">
="none">HCP</xref> builds on <spanx style="verb">hcp_baseline</spanx>, but also: <li>
</t> <t>avoids revealing the <tt>display-name</tt> of each identified e
mail address and</t>
<t><list style="symbols"> </li>
<t>avoids revealing the <spanx style="verb">display-name</spanx> of each ident <li>
ified e-mail address, and</t> <t>avoids leaking the sender's locally configured time zone in the
<t>avoids leaking the sender's locally-configured time zone in the <spanx styl <tt>Date</tt> Header Field.</t>
e="verb">Date</spanx> Header Field.</t> </li>
</list></t> </ul>
<sourcecode type="text/x-hcp" name="shy.hcp"><![CDATA[
<figure><sourcecode type="text/x-hcp" name="shy.hcp"><![CDATA[
hcp_shy(name, val_in) → val_out: hcp_shy(name, val_in) → val_out:
if lower(name) is 'from': if lower(name) is 'from':
if val_in is an RFC 5322 mailbox: if val_in is an RFC 5322 mailbox:
return the RFC 5322 addr-spec part of val_in return the RFC 5322 addr-spec part of val_in
if lower(name) in ['to', 'cc']: if lower(name) in ['to', 'cc']:
if val_in is an RFC 5322 mailbox-list: if val_in is an RFC 5322 mailbox-list:
let val_out be an empty mailbox-list let val_out be an empty mailbox-list
for each mailbox in val_in: for each mailbox in val_in:
append the RFC 5322 addr-spec part of mailbox to val_out append the RFC 5322 addr-spec part of mailbox to val_out
return val_out return val_out
if lower(name) is 'date': if lower(name) is 'date':
if val_in is an RFC 5322 date-time: if val_in is an RFC 5322 date-time:
return the UTC form of val_in return the UTC form of val_in
else if lower(name) is 'subject': else if lower(name) is 'subject':
return '[...]' return '[...]'
else if lower(name) is in ['comments', 'keywords']: else if lower(name) is in ['comments', 'keywords']:
return null return null
return val_in return val_in
]]></sourcecode></figure> ]]></sourcecode>
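Review bot: in hcp_shy, the `from`, `to`/`cc` and `date` branches return only inside their inner type checks (`if val_in is an RFC 5322 mailbox:` and the like), so a value that does not parse as the expected production falls through to the final `return val_in` and reaches the outer Header Section unchanged, display-name or local time zone included. Neither side of the diff says whether that is intended; a sentence after the block stating the fall-through behaviour would settle it. The chain also switches from plain `if` to `else if` at the `subject` branch, which is harmless because the name tests are mutually exclusive, but it reads as two different constructs.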
<t><tt>hcp_shy</tt> requires more sophisticated parsing and Header Fie
<t><spanx style="verb">hcp_shy</spanx> requires more sophisticated parsing and H ld manipulation and is not recommended as a default <iref item="HCP"/><xref targ
eader Field manipulation, and is not recommended as a default <iref item="HCP"/> et="header-confidentiality-policy" format="none">HCP</xref> for new implementati
<xref target="header-confidentiality-policy" format="none">HCP</xref> for new im ons.</t>
plementations.</t> </section>
<section anchor="no-confidentiality-hcp">
</section> <name>No Header Confidentiality Policy</name>
<section anchor="no-confidentiality-hcp"><name>No Header Confidentiality Policy< <t>Legacy MUAs can be conceptualized as offering a "No Header Confiden
/name> tiality" Policy, which offers no confidentiality protection to any Header Field:
</t>
<t>Legacy MUAs can be conceptualized as offering a "No Header Confidentiality" P <sourcecode type="text/x-hcp" name="no_confidentiality.hcp"><![CDATA[
olicy, which offers no confidentiality protection to any Header Field:</t>
<figure><sourcecode type="text/x-hcp" name="no_confidentiality.hcp"><![CDATA[
hcp_no_confidentiality(name, val_in) → val_out: hcp_no_confidentiality(name, val_in) → val_out:
return val_in return val_in
]]></sourcecode></figure> ]]></sourcecode>
<t>A conformant MUA that is not modified by local policy or configurat
<t>A conformant MUA that is not modified by local policy or configuration <bcp14 ion <bcp14>MUST NOT</bcp14> use <tt>hcp_no_confidentiality</tt> by default.</t>
>MUST NOT</bcp14> use <spanx style="verb">hcp_no_confidentiality</spanx> by defa </section>
ult.</t> </section>
<section anchor="default-hcp">
</section> <name>Default Header Confidentiality Policy</name>
</section> <t>An MUA <bcp14>MUST</bcp14> have a default <iref item="Header Confiden
<section anchor="default-hcp"><name>Default Header Confidentiality Policy</name> tiality Policy"/><xref target="header-confidentiality-policy" format="none">Head
er Confidentiality Policy</xref> that offers confidentiality for the <tt>Subject
<t>An MUA <bcp14>MUST</bcp14> have a default <iref item="Header Confidentiality </tt> Header Field at least.
Policy"/><xref target="header-confidentiality-policy" format="none">Header Confi
dentiality Policy</xref> that offers confidentiality for the <spanx style="verb"
>Subject</spanx> Header Field at least.
Local policy and configuration may alter this default, but the MUA <bcp14>SHOULD NOT</bcp14> require the user to select an <iref item="HCP"/><xref target="heade r-confidentiality-policy" format="none">HCP</xref>.</t> Local policy and configuration may alter this default, but the MUA <bcp14>SHOULD NOT</bcp14> require the user to select an <iref item="HCP"/><xref target="heade r-confidentiality-policy" format="none">HCP</xref>.</t>
<t><tt>hcp_baseline</tt> provides confidentiality for the <tt>Subject</t
<t><spanx style="verb">hcp_baseline</spanx> provides confidentiality for the <sp t> Header Field by replacing it with the literal string "<tt>[...]</tt>".
anx style="verb">Subject</spanx> Header Field by replacing it with the literal s It also provides confidentiality for the other less common Informational Header
tring "<spanx style="verb">[...]</spanx>". Fields (<tt>Comments</tt> and <tt>Keywords</tt>) by removing them entirely from
It also provides confidentiality for the other less common Informational Header the outer Header Section.
Fields (<spanx style="verb">Comments</spanx> and <spanx style="verb">Keywords</s
panx>) by removing them entirely from the outer Header Section.
This is a sensible default because most users treat the Informational Fields of a message (particularly the Subject) the same way that they treat the body, and they are surprised to find that the Subject of an encrypted message is visible.< /t> This is a sensible default because most users treat the Informational Fields of a message (particularly the Subject) the same way that they treat the body, and they are surprised to find that the Subject of an encrypted message is visible.< /t>
</section>
</section> <section anchor="hcp-evolution">
<section anchor="hcp-evolution"><name>HCP Evolution</name> <name>HCP Evolution</name>
<t>This document does not mandate any particular <iref item="Header Conf
<t>This document does not mandate any particular <iref item="Header Confidential identiality Policy"/><xref target="header-confidentiality-policy" format="none">
ity Policy"/><xref target="header-confidentiality-policy" format="none">Header C Header Confidentiality Policy</xref>, though it offers guidance for MUA implemen
onfidentiality Policy</xref>, though it offers guidance for MUA implementers in ters in selecting one in <xref target="default-hcp"/>.
selecting one in <xref target="default-hcp"/>.
Future documents may recommend or mandate such a policy for an MUA with specific needs. Future documents may recommend or mandate such a policy for an MUA with specific needs.
Such a recommendation might be motivated by descriptions of metadata-derived att Such a recommendation might be motivated by descriptions of metadata-derived att
acks, or stem from research about message deliverability, or describe new signal acks, stem from research about message deliverability, or describe new signaling
ling mechanisms, but these topics are out of scope for this document.</t> mechanisms, but these topics are out of scope for this document.</t>
<section anchor="offering-more-ambitious-header-confidentiality">
<section anchor="offering-more-ambitious-header-confidentiality"><name>Offering <name>Offering More Ambitious Header Confidentiality</name>
More Ambitious Header Confidentiality</name> <t>An MUA <bcp14>MAY</bcp14> offer even more ambitious confidentiality
for Header Fields of an encrypted message than defined in <xref target="shy-hcp
<t>An MUA <bcp14>MAY</bcp14> offer even more ambitious confidentiality for Heade "/>.
r Fields of an encrypted message than defined in <xref target="shy-hcp"/>. For example, it might implement an <iref item="HCP"/><xref target="header-confid
For example, it might implement an <iref item="HCP"/><xref target="header-confid entiality-policy" format="none">HCP</xref> that removes the <tt>To</tt> and <tt>
entiality-policy" format="none">HCP</xref> that removes the <spanx style="verb"> Cc</tt> Header Fields entirely, relying on the SMTP envelope to ensure proper ro
To</spanx> and <spanx style="verb">Cc</spanx> Header Fields entirely, relying on uting.
the SMTP envelope to ensure proper routing. Or it might remove <tt>References</tt> and <tt>In-Reply-To</tt> so that message
Or it might remove <spanx style="verb">References</spanx> and <spanx style="verb threading is not visible to any MTA.
">In-Reply-To</spanx> so that message threading is not visible to any MTA.
Any more ambitious choice might result in deliverability, rendering, or usabilit y issues for the relevant messages, so testing and documentation will be valuabl e to get this right.</t> Any more ambitious choice might result in deliverability, rendering, or usabilit y issues for the relevant messages, so testing and documentation will be valuabl e to get this right.</t>
<t>The authors of this document hope that implementers with deployment
<t>The authors of this document hope that implementers with deployment experienc experience will document their chosen <iref item="Header Confidentiality Policy
e will document their chosen <iref item="Header Confidentiality Policy"/><xref t "/><xref target="header-confidentiality-policy" format="none">Header Confidentia
arget="header-confidentiality-policy" format="none">Header Confidentiality Polic lity Policy</xref> and the rationale behind their choice.</t>
y</xref> and the rationale behind their choice.</t> </section>
<section anchor="hcp-expert-guidance">
</section> <name>Expert Guidance for Registering Header Confidentiality Policies<
<section anchor="hcp-expert-guidance"><name>Expert Guidance for Registering Head /name>
er Confidentiality Policies</name> <t>There is no formal syntax specified for the <iref item="Header Conf
identiality Policy"/><xref target="header-confidentiality-policy" format="none">
<t>There is no formal syntax specified for the <iref item="Header Confidentialit Header Confidentiality Policy</xref>, but any attempt to specify an <iref item="
y Policy"/><xref target="header-confidentiality-policy" format="none">Header Con HCP"/><xref target="header-confidentiality-policy" format="none">HCP</xref> for
fidentiality Policy</xref>, but any attempt to specify an <iref item="HCP"/><xre inclusion in the registry needs to provide:</t>
f target="header-confidentiality-policy" format="none">HCP</xref> for inclusion <ul spacing="normal">
in the registry needs to provide:</t> <li>
<t>a stable reference document clearly indicating the distinct nam
<t><list style="symbols"> e for the proposed <iref item="HCP"/><xref target="header-confidentiality-policy
<t>a stable reference document clearly indicating the distinct name for the pr " format="none">HCP</xref>,</t>
oposed <iref item="HCP"/><xref target="header-confidentiality-policy" format="no </li>
ne">HCP</xref></t> <li>
<t>pseudocode that other implementers can clearly and unambiguously interpret< <t>pseudocode that other implementers can clearly and unambiguousl
/t> y interpret,</t>
<t>a clear explanation of why this <iref item="HCP"/><xref target="header-conf </li>
identiality-policy" format="none">HCP</xref> is different from all other registe <li>
red HCPs</t> <t>a clear explanation of why this <iref item="HCP"/><xref target=
<t>any relevant considerations related to deployment of the <iref item="HCP"/> "header-confidentiality-policy" format="none">HCP</xref> is different from all o
<xref target="header-confidentiality-policy" format="none">HCP</xref> (for examp ther registered HCPs, and</t>
le, known or expected deliverability, rendering, or privacy challenges and possi </li>
ble mitigations)</t> <li>
</list></t> <t>any relevant considerations related to deployment of the <iref
item="HCP"/><xref target="header-confidentiality-policy" format="none">HCP</xref
<t>When the proposed <iref item="HCP"/><xref target="header-confidentiality-poli > (for example, known or expected deliverability, rendering, or privacy challeng
cy" format="none">HCP</xref> produces any non-<spanx style="verb">null</spanx> o es and possible mitigations).</t>
utput for a given Header Field name, <spanx style="verb">val_out</spanx> <bcp14> </li>
SHOULD</bcp14> match the expected ABNF for that Header Field. </ul>
If the proposed <iref item="HCP"/><xref target="header-confidentiality-policy" f <t>When the proposed <iref item="HCP"/><xref target="header-confidenti
ormat="none">HCP</xref> does not match the expected ABNF for that Header Field, ality-policy" format="none">HCP</xref> produces any non-<tt>null</tt> output for
the documentation should explicitly identify the relevant circumstances and prov a given Header Field name, <tt>val_out</tt> <bcp14>SHOULD</bcp14> match the exp
ide a justification for the deviation.</t> ected ABNF for that Header Field.
If the proposed <iref item="HCP"/><xref target="header-confidentiality-
<t>An entry should not be marked as "Recommended" unless it has been shown to of policy" format="none">HCP</xref> does not match the expected ABNF for that Heade
fer confidentiality or privacy improvements over the status quo and have minimal r Field, the documentation should explicitly identify the relevant circumstances
or mitigatable negative impact on messages to which it is applied, considering and provide a justification for the deviation.</t>
factors such as message deliverability and security. <t>An entry should not be marked as "Recommended" unless it has been s
Only one entry in the table (<spanx style="verb">hcp_baseline</spanx>) is initia hown to offer confidentiality or privacy improvements over the status quo and ha
lly marked as "Recommended". ve minimal or mitigatory negative impact on messages to which it is applied, con
sidering factors such as message deliverability and security.
Only one entry in the table (<tt>hcp_baseline</tt>) is initially marked as "Reco
mmended".
In the future, more than one entry may be marked as "Recommended".</t> In the future, more than one entry may be marked as "Recommended".</t>
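Review bot: the right-hand text replaces "minimal or mitigatable negative impact" with "minimal or mitigatory negative impact", which changes the meaning of the registration criterion: "mitigatable" describes an impact that can be mitigated, while "mitigatory" describes something that itself mitigates. Suggest restoring "mitigatable" or rewording to "negative impact that is minimal or can be mitigated", since this sentence decides which HCP entries may be marked "Recommended".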
</section>
</section> </section>
</section> </section>
</section> <section anchor="receiving-side">
<section anchor="receiving-side"><name>Receiving Guidance</name> <name>Receiving Guidance</name>
<t>An MUA that receives a cryptographically protected email will render it
<t>An MUA that receives a cryptographically protected e-mail will render it for for the user.</t>
the user.</t> <t>The receiving MUA will render the message body, render a selected subse
t of Header Fields, and provide a summary of the cryptographic properties of the
<t>The receiving MUA will render the message body, a selected subset of Header F message (as described in <xref section="3" sectionFormat="of" target="RFC9787"/
ields, and (as described in <xref section="3" sectionFormat="of" target="I-D.iet >).</t>
f-lamps-e2e-mail-guidance"/>) provide a summary of the cryptographic properties <t>Most MUAs only render a subset of Header Fields by default.
of the message.</t> For example, most MUAs render the <tt>From</tt>, <tt>To</tt>, <tt>Cc</tt>, <tt>D
ate</tt>, and <tt>Subject</tt> Header Fields to the user, but few render <tt>Mes
<t>Most MUAs only render a subset of Header Fields by default. sage-Id</tt> or <tt>Received</tt>.</t>
For example, most MUAs render <spanx style="verb">From</spanx>, <spanx style="ve <t>An MUA that knows how to handle a message with Header Protection makes
rb">To</spanx>, <spanx style="verb">Cc</spanx>, <spanx style="verb">Date</spanx> the following four changes to its behavior when rendering a message:</t>
, and <spanx style="verb">Subject</spanx> Header Fields to the user, but few ren <ul spacing="normal">
der <spanx style="verb">Message-Id</spanx> or <spanx style="verb">Received</span <li>
x>.</t> <t>If the MUA detects that an incoming message has protected Header Fi
elds:
<t>An MUA that knows how to handle a message with Header Protection makes the fo </t>
llowing four changes to its behavior when rendering a message:</t> <ul spacing="normal">
<li>
<t><list style="symbols"> <t>For a Header Field that is present in the protected Header Sect
<t>If the MUA detects that an incoming message has protected Header Fields: ion, the MUA <bcp14>SHOULD</bcp14> render the protected value and ignore any unp
<list style="symbols"> rotected counterparts that may be present (with a special exception for the <tt>
<t>For a Header Field that is present in the protected Header Section, the From</tt> Header Field (see <xref target="handling-mismatch-of-from-hfs"/>)).</t
MUA <bcp14>SHOULD</bcp14> render the protected value, and ignore any unprotecte >
d counterparts that may be present (with a special exception for the <spanx styl </li>
e="verb">From</spanx> Header Field (see <xref target="handling-mismatch-of-from- <li>
hfs"/>).</t> <t>For a Header Field that is present only in the unprotected Head
<t>For a Header Field that is present only in the unprotected Header Secti er Section, the MUA <bcp14>SHOULD NOT</bcp14> render that value.
on, the MUA <bcp14>SHOULD NOT</bcp14> render that value. If it does render the value, the MUA <bcp14>SHOULD</bcp14> indicate that the ren
If it does render the value, the MUA <bcp14>SHOULD</bcp14> indicate that the ren dered value is <tt>unprotected</tt>.
dered value is <spanx style="verb">unprotected</spanx>. For an exception to this, see <xref target="fields-added-in-transit"/> for a dis
For an exception to this, see <xref target="fields-added-in-transit"/> for a dis cussion of some specific Header Fields that are known to be added in transit and
cussion of some specific Header Fields that are known to be added in transit, an therefore are not expected to have end-to-end cryptographic protections.</t>
d therefore are not expected to have end-to-end cryptographic protections.</t> </li>
</list></t> </ul>
<t>The MUA <bcp14>SHOULD</bcp14> include information in the message's Cryptogr </li>
aphic Summary to indicate the types of protection that applied to each rendered <li>
Header Field (if any).</t> <t>The MUA <bcp14>SHOULD</bcp14> include information in the message's
<t>If any Legacy Display Elements are present in the body of the message, it d Cryptographic Summary to indicate the types of protection that applied to each r
oes not render them.</t> endered Header Field (if any).</t>
<t>When replying to a message with confidential Header Fields, the replying MU </li>
A avoids leaking into the cleartext of the reply any Header Fields which were co <li>
nfidential in the original. <t>If any Legacy Display Elements are present in the body of the messa
ge, it does not render them.</t>
</li>
<li>
<t>When replying to a message with confidential Header Fields, the rep
lying MUA avoids leaking any Header Fields that were confidential in the origina
l into the cleartext of the reply.
It does this even if its own <iref item="Header Confidentiality Policy"/><xref t arget="header-confidentiality-policy" format="none">Header Confidentiality Polic y</xref> would not have treated those Header Fields as confidential. It does this even if its own <iref item="Header Confidentiality Policy"/><xref t arget="header-confidentiality-policy" format="none">Header Confidentiality Polic y</xref> would not have treated those Header Fields as confidential.
See <xref target="replying"/> for more details.</t> See <xref target="replying"/> for more details.</t>
</list></t> </li>
</ul>
<t>Note that an MUA that handles a message with Header Protection does <em>not</ <t>Note that an MUA that handles a message with Header Protection does <em
em> need to render any new Header Fields that it did not render before.</t> >not</em> need to render any new Header Fields that it did not render before.</t
>
<section anchor="identifying-header-protection"><name>Identifying that a Message <section anchor="identifying-header-protection">
has Header Protection</name> <name>Identifying That a Message Has Header Protection</name>
<t>An incoming message can be identified as having Header Protection usi
<t>An incoming message can be identified as having Header Protection using the f ng the following test:</t>
ollowing test:</t> <ul><li>The Cryptographic Payload has parameter <tt>hp</tt> set to <tt>"
clear"</tt> or <tt>"cipher"</tt>. See <xref target="rendering"/> for rendering g
<t><list style="symbols"> uidance.</li>
<t>The Cryptographic Payload has parameter <spanx style="verb">hp</spanx> set </ul>
to <spanx style="verb">"clear"</spanx> or <spanx style="verb">"cipher"</spanx>. <t>When consuming a message, an MUA <bcp14>MUST</bcp14> ignore the <tt>h
See <xref target="rendering"/> for rendering guidance.</t> p</tt> parameter to <tt>Content-Type</tt> when it encounters it anywhere other t
</list></t> han the root of the message's Cryptographic Payload.</t>
</section>
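Review bot: the one-item list holding the detection test on the right-hand side is written as `<ul><li>The Cryptographic Payload has parameter ...</li></ul>`, with no `spacing` attribute and no `<t>` inside the `<li>`, while the other converted lists in this diff use `<ul spacing="normal">` with `<li><t>...</t></li>`. Suggest matching that form, or dropping the list and stating the single condition as a sentence, so the test that gates all Header Protection handling is rendered like the rest of the document.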
<t>When consuming a message, an MUA <bcp14>MUST</bcp14> ignore the <spanx style= <section anchor="extracting-headers">
"verb">hp</spanx> parameter to <spanx style="verb">Content-Type</spanx> when it <name>Extracting Protected and Unprotected ("Outer") Header Fields</name
encounters it anywhere other than the root of the message's Cryptographic Payloa >
d.</t> <t>When a message is encrypted and uses Header Protection, an MUA extrac
ts a list of protected Header Fields (names and values), as well as a list of He
</section> ader Fields that were added by the original message sender in unprotected form t
<section anchor="extracting-headers"><name>Extracting Protected and Unprotected o the outside of the message's Cryptographic Envelope.</t>
("Outer") Header Fields</name> <t>The following algorithm takes reference message <tt>refmsg</tt> as in
put, which is encrypted with Header Protection as described in this document (th
<t>When a message is encrypted and it uses Header Protection, an MUA extracts a at is, the Cryptographic Envelope includes a Cryptographic Layer that provides e
list of protected Header Fields (names and values), as well as a list of Header ncryption, and the <tt>hp</tt> parameter for the <tt>Content-Type</tt> Header Fi
Fields that were added by the original message sender in unprotected form to the eld of the Cryptographic Payload is <tt>cipher</tt>).
outside of the message's Cryptographic Envelope.</t> It outputs a pair of lists of <tt>(h,v)</tt> Header Fields.</t>
<section anchor="headersetsfrommessage">
<t>The following algorithm takes a reference message <spanx style="verb">refmsg< <name>HeaderSetsFromMessage</name>
/spanx> as input, which is encrypted with Header Protection as described in this <t>Method Signature:</t>
document (that is, the Cryptographic Envelope includes a Cryptographic Layer th <t><tt>
at provides encryption, and the <spanx style="verb">hp</spanx> parameter for the HeaderSetsFromMessage(refmsg) -&gt; (refouter, refprotected)
<spanx style="verb">Content-Type</spanx> Header Field of the Cryptographic Payl </tt></t>
oad is <spanx style="verb">cipher</spanx>). <t>Procedure:</t>
It produces as output a pair of lists of <spanx style="verb">(h,v)</spanx> Heade <ol spacing="normal" type="1"><li>
r Fields.</t> <t>Let <tt>refheaders</tt> be the list of <tt>(h,v)</tt> protected
Header Fields found in the root of the Cryptographic Payload.</t>
<section anchor="headersetsfrommessage"><name>HeaderSetsFromMessage</name> </li>
<li>
<t>Method Signature:</t> <t>Let <tt>refouter</tt> be an empty list of Header Field names an
d values.</t>
<t><spanx style="verb"> </li>
HeaderSetsFromMessage(refmsg) → (refouter, refprotected) <li>
</spanx></t> <t>Let <tt>refprotected</tt> be an empty list of Header Field name
s and values.</t>
<t>Procedure:</t> </li>
<li>
<t><list style="numbers" type="1"> <t>For each <tt>(h,v)</tt> in <tt>refheaders</tt>:
<t>Let <spanx style="verb">refheaders</spanx> be the list of <spanx style="ver </t>
b">(h,v)</spanx> protected Header Fields found in the root of the Cryptographic <ol spacing="normal" type="i"><li>
Payload</t> <t>If <tt>h</tt> is <tt>HP-Outer</tt>:
<t>Let <spanx style="verb">refouter</spanx> be an empty list of Header Field n </t>
ames and values</t> <ol spacing="normal" type="a"><li>
<t>Let <spanx style="verb">refprotected</spanx> be an empty list of Header Fie <t>Split <tt>v</tt> into <tt>(h1,v1)</tt> on the first col
ld names and values</t> on (:), followed by any amount of whitespace.</t>
<t>For each <spanx style="verb">(h,v)</spanx> in <spanx style="verb">refheader </li>
s</spanx>: <li>
<list style="numbers" type="i"> <t>Append <tt>(h1,v1)</tt> to <tt>refouter</tt>.</t>
<t>If <spanx style="verb">h</spanx> is <spanx style="verb">HP-Outer</spanx </li>
>: </ol>
<list style="numbers" type="a"> </li>
<t>Split <spanx style="verb">v</spanx> into <spanx style="verb">(h1,v1 <li>
)</spanx> on the first colon (:) followed by any amount of whitespace.</t> <t>Else:
<t>Append <spanx style="verb">(h1,v1)</spanx> to <spanx style="verb">r </t>
efouter</spanx></t> <ol spacing="normal" type="a"><li>
</list></t> <t>Append <tt>(h,v)</tt> to <tt>refprotected</tt>.</t>
<t>Else: </li>
<list style="numbers" type="a"> </ol>
<t>Append <spanx style="verb">(h,v)</spanx> to <spanx style="verb">ref </li>
protected</spanx></t> </ol>
</list></t> </li>
</list></t> <li>
<t>Return <spanx style="verb">refouter</spanx>, <spanx style="verb">refprotect <t>Return <tt>refouter</tt>, <tt>refprotected</tt>.</t>
ed</spanx></t> </li>
</list></t> </ol>
<t>Note that this algorithm is independent of the unprotected Header F
<t>Note that this algorithm is independent of the unprotected Header Fields. ields.
It derives its output only from the normal Header Fields and the <spanx style="v It derives its output only from the normal Header Fields and the <tt>HP-Outer</t
erb">HP-Outer</spanx> Header Fields, both contained inside the Cryptographic Pay t> Header Fields, both contained inside the Cryptographic Payload.</t>
load.</t> </section>
</section>
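Review bot: in step 4.i.a the right-hand side adds a comma, giving "on the first colon (:), followed by any amount of whitespace", which no longer reads clearly as a single delimiter; the left-hand wording made the colon plus its trailing whitespace the split point. Since this step determines the name and value recovered from each `HP-Outer` field, and if the whitespace is meant to be part of the delimiter, suggest wording such as "on the first colon (:), discarding any whitespace that immediately follows it". Separately, the method signature now uses `-&gt;` while the `sourcecode` blocks earlier in the diff keep `→`; one notation throughout would be easier to follow.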
</section> <section anchor="crypto-summary-update">
</section> <name>Updating the Cryptographic Summary</name>
<section anchor="crypto-summary-update"><name>Updating the Cryptographic Summary <t>Regardless of whether a cryptographically protected message has prote
</name> cted Header Fields, the Cryptographic Summary of the message should be modified
to indicate what protections the Header Fields have.
<t>Regardless of whether a cryptographically protected message has protected Hea
der Fields, the Cryptographic Summary of the message should be modified to indic
ate what protections the Header Fields have.
This field-by-field status is complex and isn't necessarily intended to be prese nted in full to the user. This field-by-field status is complex and isn't necessarily intended to be prese nted in full to the user.
Rather, it represents the state of the message internally within the MUA, and ma Rather, it represents the state of the message internally within the MUA and may
y be used to influence behavior like replying to the message (see <xref target=" be used to influence behavior like replying to the message (see <xref target="a
avoid-leak"/>).</t> void-leak"/>).</t>
<t>Each Header Field individually has exactly one of the following prote
<t>Each Header Field individually has exactly one of the following protection st ction states:</t>
ates:</t> <ul spacing="normal">
<li>
<t><list style="symbols"> <t><tt>unprotected</tt> (has no Header Protection)</t>
<t><spanx style="verb">unprotected</spanx> (has no Header Protection)</t> </li>
<t><spanx style="verb">signed-only</spanx> (bound into the same validated sign <li>
ature as the enclosing message, but also visible in transit)</t> <t><tt>signed-only</tt> (bound into the same validated signature as
<t><spanx style="verb">encrypted-only</spanx> (only appears within the Cryptog the enclosing message, but also visible in transit)</t>
raphic Payload; the corresponding external Header Field was either removed or ob </li>
scured)</t> <li>
<t><spanx style="verb">signed-and-encrypted</spanx> (same as encrypted-only, b <t><tt>encrypted-only</tt> (only appears within the Cryptographic Pa
ut additionally is under a validated signature)</t> yload; the corresponding external Header Field was either removed or obscured)</
</list></t> t>
</li>
<t>If the message does not have Header Protection (as determined by <xref target <li>
="identifying-header-protection"/>), then all of the Header Fields are by defini <t><tt>signed-and-encrypted</tt> (same as encrypted-only, but additi
tion <spanx style="verb">unprotected</spanx>.</t> onally is under a validated signature)</t>
</li>
<t>If the message has Header Protection, an MUA <bcp14>SHOULD</bcp14> use the fo </ul>
llowing algorithm to compute the protection state of a protected Header Field <s <t>If the message does not have Header Protection (as determined by <xre
panx style="verb">(h,v)</spanx> (that is, an element of <spanx style="verb">refp f target="identifying-header-protection"/>), then all of the Header Fields are b
rotected</spanx> from <xref target="extracting-headers"/>):</t> y definition <tt>unprotected</tt>.</t>
<t>If the message has Header Protection, an MUA <bcp14>SHOULD</bcp14> us
<section anchor="headerfieldprotection"><name>HeaderFieldProtection</name> e the following algorithm to compute the protection state of a protected Header
Field <tt>(h,v)</tt> (that is, an element of <tt>refprotected</tt> from <xref ta
<t>Method signature:</t> rget="extracting-headers"/>):</t>
<section anchor="headerfieldprotection">
<t><spanx style="verb"> <name>HeaderFieldProtection</name>
HeaderFieldProtection(msg, h, v) → protection_state <t>Method signature:</t>
</spanx></t> <t><tt>
HeaderFieldProtection(msg, h, v) -&gt; protection_state
<t>Procedure:</t> </tt></t>
<t>Procedure:</t>
<t><list style="numbers" type="1"> <ol spacing="normal" type="1"><li>
<t>Let <spanx style="verb">ct</spanx> be the <spanx style="verb">Content-Type< <t>Let <tt>ct</tt> be the <tt>Content-Type</tt> of the root of the
/spanx> of the root of the Cryptographic Payload of <spanx style="verb">msg</spa Cryptographic Payload of <tt>msg</tt>.</t>
nx>.</t> </li>
<t>Compute (<spanx style="verb">refouter</spanx>, <spanx style="verb">refprote <li>
cted</spanx>) from <iref item="HeaderSetsFromMessage"/><xref target="headersetsf <t>Compute (<tt>refouter</tt>, <tt>refprotected</tt>) from <iref i
rommessage" format="none">HeaderSetsFromMessage</xref>(<spanx style="verb">msg</ tem="HeaderSetsFromMessage"/><xref target="headersetsfrommessage" format="none">
spanx>).</t> HeaderSetsFromMessage</xref>(<tt>msg</tt>).</t>
<t>If <spanx style="verb">(h, v)</spanx> is not in <spanx style="verb">refprot </li>
ected</spanx>): <li>
<list style="numbers" type="i"> <t>If <tt>(h, v)</tt> is not in <tt>refprotected</tt>:
<t>Abort, <spanx style="verb">v</spanx> is not a valid value for header <s </t>
panx style="verb">h</spanx></t> <ol spacing="normal" type="i"><li>
</list></t> <t>Abort, <tt>v</tt> is not a valid value for header <tt>h</tt
<t>Let <spanx style="verb">is_sig_valid</spanx> be <spanx style="verb">false</ >.</t>
spanx></t> </li>
<t>If the message is signed: </ol>
<list style="numbers" type="i"> </li>
<t>Let <spanx style="verb">is_sig_valid</spanx> be the result of validatin <li>
g the signature</t> <t>Let <tt>is_sig_valid</tt> be <tt>false</tt>.</t>
</list></t> </li>
<t>If the message is encrypted, and if <spanx style="verb">ct</spanx> has a pa <li>
rameter <spanx style="verb">hp="cipher"</spanx>, and if <spanx style="verb">(h,v <t>If the message is signed:
)</spanx> is not in <spanx style="verb">refouter</spanx>: </t>
<list style="numbers" type="i"> <ol spacing="normal" type="i"><li>
<t>Return <spanx style="verb">signed-and-encrypted</spanx> if <spanx style <t>Let <tt>is_sig_valid</tt> be the result of validating the s
="verb">is_sig_valid</spanx> otherwise <spanx style="verb">encrypted-only</spanx ignature.</t>
></t> </li>
</list></t> </ol>
<t>Return <spanx style="verb">signed-only</spanx> if <spanx style="verb">is_si </li>
g_valid</spanx> otherwise <spanx style="verb">unprotected</spanx></t> <li>
</list></t> <t>If the message is encrypted, <tt>ct</tt> has a parameter <tt>hp
="cipher"</tt>, and <tt>(h,v)</tt> is not in <tt>refouter</tt>:
<t>Note that:</t> </t>
<ol spacing="normal" type="i"><li>
<t><list style="symbols"> <t>Return <tt>signed-and-encrypted</tt> if <tt>is_sig_valid</t
<t>This algorithm is independent of the unprotected Header Fields. t> is otherwise <tt>encrypted-only</tt>.</t>
It derives the protection state only from <spanx style="verb">(h,v)</spanx> and </li>
the set of <spanx style="verb">HP-Outer</spanx> Header Fields, both of which are </ol>
inside the Cryptographic Envelope.</t> </li>
<t>If the signature fails validation, the MUA lowers the affected state to <sp <li>
anx style="verb">unprotected</spanx> or <spanx style="verb">encrypted-only</span <t>Return <tt>signed-only</tt> if <tt>is_sig_valid</tt> is otherwi
x> without any additional warning to the user, as specified by <xref section="3. se <tt>unprotected</tt>.</t>
1" sectionFormat="of" target="I-D.ietf-lamps-e2e-mail-guidance"/>.</t> </li>
<t>Data from <spanx style="verb">signed-and-encrypted</spanx> and <spanx style </ol>
="verb">encrypted-only</spanx> Header Fields may still not be fully private (see <t>Note that:</t>
<xref target="encryption-vs-privacy"/>).</t> <ul spacing="normal">
<t>Encryption may have been added in transit to an originally signed-only mess <li>
age. Thus only consider Header Fields to be confidential if the sender indicates <t>This algorithm is independent of the unprotected Header Fields.
it with the <spanx style="verb">hp="cipher"</spanx> parameter.</t> It derives the protection state only from <tt>(h,v)</tt> and the set of <tt>HP-O
<t>The protection state of a Header Field may be weaker than that of the messa uter</tt> Header Fields, both of which are inside the Cryptographic Envelope.</t
ge body. >
For example, a message body can be <spanx style="verb">signed-and-encrypted</spa </li>
nx>, but a Header Field that is copied unmodified to the unprotected Header Sect <li>
ion is <spanx style="verb">signed-only</spanx>.</t> <t>If the signature fails validation, the MUA lowers the affected
</list></t> state to <tt>unprotected</tt> or <tt>encrypted-only</tt> without any additional
warning to the user, as specified by <xref section="3.1" sectionFormat="of" targ
<t>If the message has Header Protection, Header Fields that are not in <spanx st et="RFC9787"/>.</t>
yle="verb">refprotected</spanx> (e.g., because they were added in transit), are </li>
<spanx style="verb">unprotected</spanx>.</t> <li>
<t>Data from <tt>signed-and-encrypted</tt> and <tt>encrypted-only<
<t>Rendering the cryptographic status of each Header Field is likely to be compl /tt> Header Fields may still not be fully private (see <xref target="encryption-
ex and messy --- users may not understand it. vs-privacy"/>).</t>
</li>
<li>
<t>Encryption may have been added in transit to an originally sign
ed-only message. Thus, only consider Header Fields to be confidential if the sen
der indicates it with the <tt>hp="cipher"</tt> parameter.</t>
</li>
<li>
<t>The protection state of a Header Field may be weaker than that
of the message body.
For example, a message body can be <tt>signed-and-encrypted</tt>, but a Header F
ield that is copied unmodified to the unprotected Header Section is <tt>signed-o
nly</tt>.</t>
</li>
</ul>
<t>If the message has Header Protection, Header Fields that are not in
<tt>refprotected</tt> (e.g., because they were added in transit) are <tt>unprot
ected</tt>.</t>
<t>Rendering the cryptographic status of each Header Field is likely t
o be complex and messy -- users may not understand it.
It is beyond the scope of this document to suggest any specific graphical afford ances or user experience. It is beyond the scope of this document to suggest any specific graphical afford ances or user experience.
Future work should include examples of successful rendering of this information. </t> Future work should include examples of successful rendering of this information. </t>
</section>
</section> </section>
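Review bot: In the right-hand (rfc9788.xml) text of the protection-state algorithm, the two Return steps now read "if is_sig_valid is otherwise encrypted-only" and "if is_sig_valid is otherwise unprotected", and the added "is" leaves a sentence that no longer parses as a two-way choice. The xml2 original had "Return signed-and-encrypted if is_sig_valid otherwise encrypted-only", so the intended reading is a conditional with an else branch. Suggest "Return signed-and-encrypted if is_sig_valid is true; otherwise, return encrypted-only", with the same shape for signed-only and unprotected, since these two steps decide the protection state derived for a Header Field.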
</section> <section anchor="handling-mismatch-of-from-hfs">
<section anchor="handling-mismatch-of-from-hfs"><name>Handling Mismatch of From <name>Handling Mismatch of From Header Fields</name>
Header Fields</name> <t>End-to-end (MUA-to-MUA) Header Protection is good for authenticity, i
ntegrity, and confidentiality, but it potentially introduces new issues when an
<t>End-to-end (MUA-to-MUA) Header Protection is good for authenticity, integrity MUA depends on its MTA to authenticate parts of the Header Section.
, and confidentiality, but it potentially introduces new issues when an MUA depe The latter is typically the case in modern email systems.</t>
nds on its MTA to authenticate parts of the Header Section. <t>In particular, when an MUA depends on its MTA to ensure that the emai
The latter is typically the case in modern e-mail systems.</t> l address in the (unprotected) <tt>From</tt> Header Field is authentic, but the
MUA renders the email address of the protected <tt>From</tt> Header Field that d
<t>In particular, when an MUA depends on its MTA to ensure that the e-mail addre iffers from the address visible to the MTA, this could create a risk of sender a
ss in the (unprotected) <spanx style="verb">From</spanx> Header Field is authent ddress spoofing (see <xref target="from-addr-spoofing"/>).
ic, but the MUA renders the e-mail address of the protected <spanx style="verb">
From</spanx> Header Field that differs from the address visible to the MTA, this
could create a risk of sender address spoofing (see <xref target="from-addr-spo
ofing"/>).
This potential risk applies to signed-only messages as well as signed-and-encryp ted messages.</t> This potential risk applies to signed-only messages as well as signed-and-encryp ted messages.</t>
<section anchor="definitions">
<section anchor="definitions"><name>Definitions</name> <name>Definitions</name>
<section anchor="def-from-hf-mismatch">
<section anchor="def-from-hf-mismatch"><name>From Header Field Mismatch</name> <name>From Header Field Mismatch</name>
<t>"<tt>From</tt> Header Field Mismatch" is defined as follows:</t>
<t>"<spanx style="verb">From</spanx> Header Field Mismatch" is defined as follow <t>The <tt>addr-spec</tt> of the inner <tt>From</tt> Header Field do
s:</t> esn't match the <tt>addr-spec</tt> of the outer <tt>From</tt> Header Field (see
<xref target="matching-addr-specs"/>).</t>
<t>The <spanx style="verb">addr-spec</spanx> of the inner <spanx style="verb">Fr <t>Note: The unprotected <tt>From</tt> Header Field used in this com
om</spanx> Header Field doesn't match the <spanx style="verb">addr-spec</spanx> parison is the actual outer Header Field (as seen by the MTA), not the value ind
of the outer <spanx style="verb">From</spanx> Header Field (see <xref target="ma icated by any potential inner <tt>HP-Outer</tt>.</t>
tching-addr-specs"/>).</t> </section>
<section anchor="def-no-valid-and-correctly-bound-signature">
<t>Note: The unprotected <spanx style="verb">From</spanx> Header Field used in t <name>No Valid and Correctly Bound Signature</name>
his comparison is the actual outer Header Field (as seen by the MTA), not the va <t>"No Valid and Correctly Bound Signature" is defined as follows:</
lue indicated by any potential inner <spanx style="verb">HP-Outer</spanx>.</t> t>
<t>There is no valid signature made by a certificate for which the M
</section> UA has a valid binding to the protected <tt>From</tt> address.
<section anchor="def-no-valid-and-correctly-bound-signature"><name>No Valid and
Correctly Bound Signature</name>
<t>"No Valid and Correctly Bound Signature" is defined as follows:</t>
<t>There is no valid signature made by a certificate for which the MUA has a val
id binding to the protected <spanx style="verb">From</spanx> address.
This includes:</t> This includes:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>
<t>the message has no signature, or</t> <t>the message has no signature,</t>
<t>the message has a broken signature, or</t> </li>
<t>the message has a valid signature, but the receiving MUA does not see any v <li>
alid binding between the signing certificate and the <spanx style="verb">addr-sp <t>the message has a broken signature, or</t>
ec</spanx> of the inner <spanx style="verb">From</spanx> Header Field.</t> </li>
</list></t> <li>
<t>the message has a valid signature, but the receiving MUA does
<t>Note: There are many possible ways that an MUA could choose to validate a cer not see any valid binding between the signing certificate and the <tt>addr-spec
tificate-to-address binding. </tt> of the inner <tt>From</tt> Header Field.</t>
</li>
</ul>
<t>Note: There are many possible ways that an MUA could choose to va
lidate a certificate-to-address binding.
For example, the MUA could ensure the certificate is issued by one of a set of t rusted certification authorities, it could rely on the user to do a manual out-o f-band comparison, it could rely on a DNSSEC signal (<xref target="RFC7929"/> or <xref target="RFC8162"/>), and so on. For example, the MUA could ensure the certificate is issued by one of a set of t rusted certification authorities, it could rely on the user to do a manual out-o f-band comparison, it could rely on a DNSSEC signal (<xref target="RFC7929"/> or <xref target="RFC8162"/>), and so on.
It is beyond the scope of this document to describe all possible ways an MUA mig It is beyond the scope of this document to describe all possible ways an MUA mig
ht validate the certificate-to-address binding, or to choose among them.</t> ht validate the certificate-to-address binding or to choose among them.</t>
</section>
</section> </section>
</section> <section anchor="warning-from-mismatch">
<section anchor="warning-from-mismatch"><name>Warning for From Header Field Mism <name>Warning for From Header Field Mismatch</name>
atch</name> <t>To mitigate the above described risk of sender address spoofing, an
MUA <bcp14>SHOULD</bcp14> warn the user whenever both of the following conditio
<t>To mitigate the above described risk of sender address spoofing, an MUA <bcp1 ns are met:</t>
4>SHOULD</bcp14> warn the user whenever both of the following conditions are met <ul spacing="normal">
:</t> <li>
<t><tt>From</tt> Header Field Mismatch (as defined in <xref target
<t><list style="symbols"> ="def-from-hf-mismatch"/>)</t>
<t><spanx style="verb">From</spanx> Header Field Mismatch (as defined in <xref </li>
target="def-from-hf-mismatch"/>), and</t> <li>
<t>No Valid and Correctly Bound Signature (as defined in <xref target="def-no- <t>No Valid and Correctly Bound Signature (as defined in <xref tar
valid-and-correctly-bound-signature"/>)</t> get="def-no-valid-and-correctly-bound-signature"/>)</t>
</list></t> </li>
</ul>
<t>This warning should be comparable to the MUA's warning about messages that ar <t>This warning should be comparable to the MUA's warning about messag
e likely spam or phishing, and it <bcp14>SHOULD</bcp14> show both of the non-mat es that are likely spam or phishing, and it <bcp14>SHOULD</bcp14> show both of t
ching <spanx style="verb">From</spanx> Header Fields.</t> he non-matching <tt>From</tt> Header Fields.</t>
</section>
</section> <section anchor="from-header-field-rendering">
<section anchor="from-header-field-rendering"><name>From Header Field Rendering< <name>From Header Field Rendering</name>
/name> <t>Furthermore, a receiving MUA that depends on its MTA to authenticat
e the unprotected (outer) <tt>From</tt> Header Field <bcp14>SHOULD</bcp14> rende
<t>Furthermore, a receiving MUA that depends on its MTA to authenticate the unpr r the outer <tt>From</tt> Header Field (as an exception to the guidance in the b
otected (outer) <spanx style="verb">From</spanx> Header Field <bcp14>SHOULD</bcp eginning of <xref target="receiving-side"/>) if both of the following conditions
14> render the outer <spanx style="verb">From</spanx> Header Field (as an except are met:</t>
ion to the guidance in the beginning of <xref target="receiving-side"/>), if bot <ul spacing="normal">
h of the following conditions are met:</t> <li>
<t><tt>From</tt> Header Field Mismatch (as defined in <xref target
<t><list style="symbols"> ="def-from-hf-mismatch"/>)</t>
<t><spanx style="verb">From</spanx> Header Field Mismatch (as defined in <xref </li>
target="def-from-hf-mismatch"/>), and</t> <li>
<t>No Valid and Correctly Bound Signature (as defined in <xref target="def-no- <t>No Valid and Correctly Bound Signature (as defined in <xref tar
valid-and-correctly-bound-signature"/>)</t> get="def-no-valid-and-correctly-bound-signature"/>)</t>
</list></t> </li>
</ul>
<t>An MUA <bcp14>MAY</bcp14> apply a local preference to render a different disp <t>An MUA <bcp14>MAY</bcp14> apply a local preference to render a diff
lay name (e.g., from an address book).</t> erent display name (e.g., from an address book).</t>
<t>See <xref target="from-rendering-reasoning"/> for a detailed explan
<t>See <xref target="from-rendering-reasoning"/> for an detailed explanation of ation of this rendering guidance.</t>
this rendering guidance.</t> </section>
<section anchor="handling-protected-from-header-field-when-responding">
</section> <name>Handling the Protected From Header Field When Responding</name>
<section anchor="handling-protected-from-header-field-when-responding"><name>Han <t>When responding to a message, an MUA has different ways to populate
dling Protected From Header Field when Responding</name> the recipients of the new message.
Depending on whether it is a Reply, a Reply All, or a Forward, an MUA may popula
<t>When responding to a message, an MUA has different ways to populate the recip te the composer view using a combination of the referenced message's <tt>From</t
ients of the new message. t>, <tt>To</tt>, <tt>Cc</tt>, <tt>Reply-To</tt>, or <tt>Mail-Followup-To</tt> He
Depending on whether it is a Reply, a Reply-All, or a Forward, an MUA may popula ader Fields or any other signals.</t>
te the composer view using a combination of the referenced message's <spanx styl <t>When responding to a message with Header Protection, an MUA <bcp14>
e="verb">From</spanx>, <spanx style="verb">To</spanx>, <spanx style="verb">Cc</s MUST</bcp14> only use the protected Header Fields when populating the recipients
panx>, <spanx style="verb">Reply-To</spanx>, <spanx style="verb">Mail-Followup-T of the new message.</t>
o</spanx> Header Fields, or any other signals.</t> <t>This avoids compromise of message confidentiality when a man-in-the
-middle (MITM) attacker modifies the unprotected <tt>From</tt> address of an enc
<t>When responding to a message with Header Protection, an MUA <bcp14>MUST</bcp1 rypted message, attempting to learn the contents through a misdirected reply.
4> only use the protected Header Fields when populating the recipients of the ne Note that with the rendering guidance above, a MITM attacker can cause the unpro
w message.</t> tected <tt>From</tt> Header Field to be displayed.
Thus, when responding, the populated <tt>To</tt> address may differ from the ren
<t>This avoids compromise of message confidentiality when a MITM attacker modifi dered <tt>From</tt> address.
es the unprotected <spanx style="verb">From</spanx> address of an encrypted mess However, this change in addresses should not cause more user confusion than the
age, attempting to learn the contents through a misdirected reply. address change caused by a <tt>Reply-To</tt> in a Legacy Message does.</t>
Note that with the rendering guidance above, a MITM attacker can cause the unpro </section>
tected <spanx style="verb">From</spanx> Header Field to be displayed. <section anchor="matching-addr-specs">
Thus when responding, the populated <spanx style="verb">To</spanx> address may d <name>Matching addr-specs</name>
iffer from the rendered <spanx style="verb">From</spanx> address. <t>When generating (<xref target="hcp-from-addr-spec"/>) or consuming
However, this change in addresses should not cause more user confusion than the (<xref target="handling-mismatch-of-from-hfs"/>) a protected <tt>From</tt> Heade
address change caused by a <spanx style="verb">Reply-To</spanx> in a Legacy Mess r Field, the MUA considers the equivalence of two different <tt>addr-spec</tt> v
age does.</t> alues.</t>
<t>First, the MUA <bcp14>MUST</bcp14> check whether the <tt>domain</tt
</section> > part of an <tt>addr-spec</tt> being compared contains a U-label <xref target="
<section anchor="matching-addr-specs"><name>Matching addr-specs</name> RFC5890"/>.
If it does, it <bcp14>MUST</bcp14> be converted to the A-label form, which is de
<t>When generating (<xref target="hcp-from-addr-spec"/>) or consuming (<xref tar scribed in <xref target="RFC5891"/>.
get="handling-mismatch-of-from-hfs"/>) a protected <spanx style="verb">From</spa We call a domain converted in this way (or the original domain if it didn't cont
nx> Header Field, the MUA considers the equivalence of two different <spanx styl ain any U-label) "the ASCII version of the <tt>domain</tt> part".
e="verb">addr-spec</spanx> values.</t> Second, the MUA <bcp14>MUST</bcp14> compare the ASCII version of the <tt>domain<
/tt> part of the two <tt>addr-spec</tt>s by standard DNS comparison: Assume ASCI
<t>First, the MUA <bcp14>MUST</bcp14> check whether the <spanx style="verb">doma I text and compare alphabetic characters case-insensitively, as described in <xr
in</spanx> part of an <spanx style="verb">addr-spec</spanx> being compared conta ef section="3.1" sectionFormat="of" target="RFC1035"/>.
ins any U-label <xref target="RFC5890"/>. If the <tt>domain</tt> parts match, then the two <tt>local-part</tt>s are matche
If it does, it <bcp14>MUST</bcp14> be converted to the A-label form is described d against each other.
in <xref target="RFC5891"/>. The simplest and most common comparison for the <tt>local-part</tt> is also an A
We call a domain converted in this way (or the original domain, if it didn't con SCII-based, case-insensitive match.
tain any U-label) "the ASCII version of the <spanx style="verb">domain</spanx> p If the MUA has special knowledge about the <tt>domain</tt> and, when composing,
art". it can reasonably expect the receiving MUAs to have the same information, it <bc
Second, the MUA <bcp14>MUST</bcp14> compare the ASCII version of the <spanx styl p14>MAY</bcp14> match the <tt>local-part</tt> using a more sophisticated and inc
e="verb">domain</spanx> part of the two <spanx style="verb">addr-spec</spanx>s b lusive matching algorithm.</t>
y standard DNS comparison: assume ASCII text, and compare alphabetic characters <t>It is beyond the scope of this document to recommend a more sophist
case-insensitively, as described in <xref section="3.1" sectionFormat="of" targe icated and inclusive matching algorithm.</t>
t="RFC1035"/>. </section>
If the <spanx style="verb">domain</spanx> parts match, then the two <spanx style </section>
="verb">local-part</spanx>s are matched against each other. <section anchor="rendering">
The simplest and most common comparison for the <spanx style="verb">local-part</ <name>Rendering a Message with Header Protection</name>
spanx> is also an ASCII-based, case-insensitive match. <t>When the Cryptographic Payload's <tt>Content-Type</tt> has the parame
If the MUA has special knowledge about the <spanx style="verb">domain</spanx> an ter <tt>hp</tt> set to <tt>"clear"</tt> or <tt>"cipher"</tt>, the values of the
d, when composing, it can reasonably expect the receiving MUAs to have the same protected Header Fields are drawn from the Header Fields of the Cryptographic Pa
information, it <bcp14>MAY</bcp14> match the <spanx style="verb">local-part</spa yload, and the body that is rendered is the Cryptographic Payload itself.</t>
nx> using a more sophisticated and inclusive matching algorithm.</t> <section anchor="example-signed-only-message">
<name>Example Signed-Only Message</name>
<t>It is beyond the scope of this document to recommend a more sophisticated and <t>Consider a message with this structure, where the MUA is able to va
inclusive matching algorithm.</t> lidate the cryptographic signature:</t>
<artwork><![CDATA[
</section>
</section>
<section anchor="rendering"><name>Rendering a Message with Header Protection</na
me>
<t>When the Cryptographic Payload's <spanx style="verb">Content-Type</spanx> has
the parameter <spanx style="verb">hp</spanx> set to <spanx style="verb">"clear"
</spanx> or <spanx style="verb">"cipher"</spanx>, the values of the protected He
ader Fields are drawn from the Header Fields of the Cryptographic Payload, and t
he body that is rendered is the Cryptographic Payload itself.</t>
<section anchor="example-signed-only-message"><name>Example Signed-only Message<
/name>
<t>Consider a message with this structure, where the MUA is able to validate the
cryptographic signature:</t>
<figure><artwork><![CDATA[
A └─╴application/pkcs7-mime; smime-type="signed-data" A └─╴application/pkcs7-mime; smime-type="signed-data"
⇩ (unwraps to) ⇩ (unwraps to)
B └┬╴multipart/alternative [Cryptographic Payload + Rendered Body] B └┬╴multipart/alternative [Cryptographic Payload + Rendered Body]
C ├─╴text/plain C ├─╴text/plain
D └─╴text/html D └─╴text/html
]]></artwork></figure> ]]></artwork>
<t>The message body should be rendered the same way as this message:</
<t>The message body should be rendered the same way as this message:</t> t>
<artwork><![CDATA[
<figure><artwork><![CDATA[
B └┬╴multipart/alternative B └┬╴multipart/alternative
C ├─╴text/plain C ├─╴text/plain
D └─╴text/html D └─╴text/html
]]></artwork></figure> ]]></artwork>
<t>The MUA should render Header Fields taken from part <tt>B</tt>.</t>
<t>The MUA should render Header Fields taken from part <spanx style="verb">B</sp <t>Its Cryptographic Summary should indicate that the message was sign
anx>.</t> ed and all rendered Header Fields were included in the signature.</t>
<t>Because this message is signed-only, none of its parts will have a
<t>Its Cryptographic Summary should indicate that the message was signed and all Legacy Display Element.</t>
rendered Header Fields were included in the signature.</t> <t>The MUA should ignore Header Fields from part <tt>A</tt> for the pu
rposes of rendering.</t>
<t>Because this message is signed-only, none of its parts will have a Legacy Dis </section>
play Element.</t> <section anchor="example-signed-and-encrypted">
<name>Example Signed-and-Encrypted Message</name>
<t>The MUA should ignore Header Fields from part <spanx style="verb">A</spanx> f <t>Consider a message with this structure, where the MUA is able to va
or the purposes of rendering.</t> lidate the cryptographic signature:</t>
<artwork><![CDATA[
</section>
<section anchor="example-signed-and-encrypted"><name>Example Signed-and-Encrypte
d Message</name>
<t>Consider a message with this structure, where the MUA is able to validate the
cryptographic signature:</t>
<figure><artwork><![CDATA[
E └─╴application/pkcs7-mime; smime-type="enveloped-data" E └─╴application/pkcs7-mime; smime-type="enveloped-data"
↧ (decrypts to) ↧ (decrypts to)
F └─╴application/pkcs7-mime; smime-type="signed-data" F └─╴application/pkcs7-mime; smime-type="signed-data"
⇩ (unwraps to) ⇩ (unwraps to)
G └┬╴multipart/alternative [Cryptographic Payload + Rendered Body] G └┬╴multipart/alternative [Cryptographic Payload + Rendered Body]
H ├─╴text/plain H ├─╴text/plain
I └─╴text/html I └─╴text/html
]]></artwork></figure> ]]></artwork>
<t>The message body should be rendered the same way as this message:</
<t>The message body should be rendered the same way as this message:</t> t>
<artwork><![CDATA[
<figure><artwork><![CDATA[
G └┬╴multipart/alternative G └┬╴multipart/alternative
H ├─╴text/plain H ├─╴text/plain
I └─╴text/html I └─╴text/html
]]></artwork></figure> ]]></artwork>
<t>It should render Header Fields taken from part <tt>G</tt>.</t>
<t>It should render Header Fields taken from part <spanx style="verb">G</spanx>. <t>Its Cryptographic Summary should indicate that the message is <tt>s
</t> igned-and-encrypted</tt>.</t>
<t>When rendering the Cryptographic Status of a Header Field and when
<t>Its Cryptographic Summary should indicate that the message is <spanx style="v composing a reply, each Header Field found in <tt>G</tt> should be considered ag
erb">signed-and-encrypted</spanx>.</t> ainst all <tt>HP-Outer</tt> Header Fields found in <tt>G</tt>.
If an <tt>HP-Outer</tt> Header Field that matches both the name and value is fou
<t>When rendering the Cryptographic Status of a Header Field and when composing nd, the Header Field's Cryptographic Status is just <tt>signed-only</tt>, even t
a reply, each Header Field found in <spanx style="verb">G</spanx> should be cons hough the message itself is <tt>signed-and-encrypted</tt>.
idered against all <spanx style="verb">HP-Outer</spanx> Header Fields found in < If no matching <tt>HP-Outer</tt> Header Field is found, the Header Field's Crypt
spanx style="verb">G</spanx>. ographic Status is <tt>signed-and-encrypted</tt>, like the rest of the message.<
If an <spanx style="verb">HP-Outer</spanx> Header Field is found that matches bo /t>
th the name and value, the Header Field's Cryptographic Status is just <spanx st <t>If any of the User-Facing Header Fields are removed or obscured, th
yle="verb">signed-only</spanx>, even though the message itself is <spanx style=" e composer of this message may have placed Legacy Display Elements in parts H an
verb">signed-and-encrypted</spanx>. d I.</t>
If no matching <spanx style="verb">HP-Outer</spanx> Header Field is found, the H <t>The MUA should ignore Header Fields from part <tt>E</tt> for the pu
eader Field's Cryptographic Status is <spanx style="verb">signed-and-encrypted</ rposes of rendering.</t>
spanx>, like the rest of the message.</t> </section>
<section anchor="dont-render-legacy-display">
<t>If any of the User-Facing Header Fields are removed or obscured, the composer <name>Do Not Render Legacy Display Elements</name>
of this message may have placed Legacy Display Elements in parts H and I.</t> <t>As described in <xref target="hp-legacy-display"/>, a message with
cryptographic confidentiality protection <bcp14>MAY</bcp14> include Legacy Displ
<t>The MUA should ignore Header Fields from part <spanx style="verb">E</spanx> f ay Elements for backward compatibility with Legacy MUAs.
or the purposes of rendering.</t> These Legacy Display Elements are strictly decorative and unambiguously
identifiable and will be discarded by compliant implementations.</t>
</section> <!--[rfced] To improve readability, we have updated "at all" to "completely"
<section anchor="dont-render-legacy-display"><name>Do Not Render Legacy Display and reworded the sentence below. Please review and let us know of any objections
Elements</name> .
<t>As described in <xref target="hp-legacy-display"/>, a message with cryptograp Original:
hic confidentiality protection <bcp14>MAY</bcp14> include Legacy Display Element The receiving MUA MUST avoid rendering the identified Legacy Display
s for backward-compatibility with Legacy MUAs. Elements to the user at all, since it is aware of Header Protection
These Legacy Display Elements are strictly decorative, unambiguously identifiabl and can render the actual protected Header Fields.
e, and will be discarded by compliant implementations.</t>
<t>The receiving MUA <bcp14>MUST</bcp14> avoid rendering the identified Legacy D Current:
isplay Elements to the user at all, since it is aware of Header Protection and c The receiving MUA MUST completely avoid rendering the identified Legacy
an render the actual protected Header Fields.</t> Display Elements to the user, since it is aware of Header Protection
and can render the actual protected Header Fields.
-->
<t>If a <spanx style="verb">text/html</spanx> or <spanx style="verb">text/plain< <t>The receiving MUA <bcp14>MUST</bcp14> completely avoid rendering th
/spanx> part within the Cryptographic Envelope is identified as containing Legac e identified Legacy Display Elements to the user, since it is aware of Header Pr
y Display Elements, those elements <bcp14>MUST</bcp14> be hidden when rendering otection and can render the actual protected Header Fields.</t>
and <bcp14>MUST</bcp14> be dropped when generating a draft reply or inline forwa <t>If a <tt>text/html</tt> or <tt>text/plain</tt> part within the Cryp
rded message. tographic Envelope is identified as containing Legacy Display Elements, those el
ements <bcp14>MUST</bcp14> be hidden when rendering and <bcp14>MUST</bcp14> be d
ropped when generating a draft reply or inline forwarded message.
Whenever a Message or MIME subtree is exported, downloaded, or otherwise further processed, if there is no need to retain a valid cryptographic signature, the i mplementer <bcp14>MAY</bcp14> drop the Legacy Display Elements.</t> Whenever a Message or MIME subtree is exported, downloaded, or otherwise further processed, if there is no need to retain a valid cryptographic signature, the i mplementer <bcp14>MAY</bcp14> drop the Legacy Display Elements.</t>
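Review bot: The [rfced] query above the MUST sentence in dont-render-legacy-display ("Please review and let us know of any objections") is still embedded in the right-hand XML and should get an explicit answer before the comment block is removed. The reworded sentence keeps the MUST and only replaces "at all" with "completely avoid rendering", so the requirement on the receiving MUA reads the same as in the xml2 original; stating that in the reply would close the query.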
<section anchor="identify-legacy-display">
<section anchor="identify-legacy-display"><name>Identifying a Part with Legacy D <name>Identifying a Part with Legacy Display Elements</name>
isplay Elements</name> <t>A receiving MUA acting on a message that contains an encrypting C
ryptographic Layer identifies a MIME subpart within the Cryptographic Payload as
<t>A receiving MUA acting on a message that contains an encrypting Cryptographic containing Legacy Display Elements based on the Content-Type of the subpart.
Layer identifies a MIME subpart within the Cryptographic Payload as containing
Legacy Display Elements based on the Content-Type of the subpart.
The subpart's Content-Type:</t> The subpart's Content-Type:</t>
<ul spacing="normal">
<li>
<t>contains a parameter <tt>hp-legacy-display</tt> with value se
t to <tt>1</tt> and</t>
</li>
<li>
<t>is either <tt>text/html</tt> (see <xref target="omit-html-leg
acy-display"/>) or <tt>text/plain</tt> (see <xref target="omit-plain-legacy-disp
lay"/>).</t>
</li>
</ul>
<t>Note that the term "subpart" above is used in the general sense:
If the Cryptographic Payload is a single part, that part itself may contain a Le
gacy Display Element if it is marked with the <tt>hp-legacy-display="1"</tt> par
ameter.</t>
</section>
<section anchor="omit-plain-legacy-display">
<name>Omitting Legacy Display Elements from text/plain</name>
<t>If a <tt>text/plain</tt> part within the Cryptographic Payload ha
s the Content-Type parameter <tt>hp-legacy-display="1"</tt>, it should be proces
sed before rendering in the following fashion:</t>
<t><list style="symbols"> <!--[rfced] To make this sentence more concise, may we remove "of the part"?
<t>contains a parameter <spanx style="verb">hp-legacy-display</spanx> with val
ue set to <spanx style="verb">1</spanx>, and</t>
<t>is either <spanx style="verb">text/html</spanx> (see <xref target="omit-htm
l-legacy-display"/>) or <spanx style="verb">text/plain</spanx> (see <xref target
="omit-plain-legacy-display"/>).</t>
</list></t>
<t>Note that the term "subpart" above is used in the general sense: if the Crypt
ographic Payload is a single part, that part itself may contain a Legacy Display
Element if it is marked with the <spanx style="verb">hp-legacy-display=1</spanx
> parameter.</t>
</section>
<section anchor="omit-plain-legacy-display"><name>Omitting Legacy Display Elemen
ts from text/plain</name>
<t>If a <spanx style="verb">text/plain</spanx> part within the Cryptographic Pay
load has the Content-Type parameter <spanx style="verb">hp-legacy-display="1"</s
panx>, it should be processed before rendering in the following fashion:</t>
<t><list style="symbols">
<t>Discard the leading lines of the body of the part up to and including the f
irst entirely blank line.</t>
</list></t>
<t>Note that implementing this strategy is dependent on the charset used by the
MIME part.</t>
<t>See <xref target="example-legacy-display-plain"/> for an example.</t>
</section>
<section anchor="omit-html-legacy-display"><name>Omitting Legacy Display Element
s from text/html</name>
<t>If a <spanx style="verb">text/html</spanx> part within the Cryptographic Payl
oad has the Content-Type parameter <spanx style="verb">hp-legacy-display="1"</sp
anx>, it should be processed before rendering in the following fashion:</t>
<t><list style="symbols"> Original:
<t>If any element of the HTML <spanx style="verb">&lt;body&gt;</spanx> is a <s * Discard the leading lines of the body of the part up to and
panx style="verb">&lt;div&gt;</spanx> with <spanx style="verb">class</spanx> att including the first entirely blank line.
ribute <spanx style="verb">header-protection-legacy-display</spanx>, that entire
element should be omitted.</t>
</list></t>
<t>This cleanup could be done, for example, as a custom rule in the MUA's HTML s Perhaps:
anitizer, if one exists. * Discard the leading lines of the body up to and including the
Another implementation strategy for an HTML-capable MUA would be to add an entry first entirely blank line.
to the <xref target="CSS"/> stylesheet for such a part:</t> -->
<figure><artwork><![CDATA[ <ul spacing="normal">
<li>
<t>Discard the leading lines of the body of the part up to and i
ncluding the first entirely blank line.</t>
</li>
</ul>
<t>Note that implementing this strategy is dependent on the charset
used by the MIME part.</t>
<t>See <xref target="example-legacy-display-plain"/> for an example.
</t>
</section>
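Review bot: the RFC Editor query (the [rfced] comment asking whether "of the part" can be removed) is still open in the new "Omitting Legacy Display Elements from text/plain" section, where it sits between the introductory paragraph and the list. The list item under it still reads "of the body of the part", so neither the "Original" nor the "Perhaps" wording has been recorded as the decision. Suggest settling the wording and deleting the comment from the XML. The shorter "of the body" loses nothing, because the sentence that introduces the list already limits it to a text/plain part.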
<section anchor="omit-html-legacy-display">
<name>Omitting Legacy Display Elements from text/html</name>
<t>If a <tt>text/html</tt> part within the Cryptographic Payload has
the Content-Type parameter <tt>hp-legacy-display="1"</tt>, it should be process
ed before rendering in the following fashion:</t>
<ul spacing="normal">
<li>
<t>If any element of the HTML <tt>&lt;body&gt;</tt> is a <tt>&lt
;div&gt;</tt> with <tt>class</tt> attribute <tt>header-protection-legacy-display
</tt>, that entire element should be omitted.</t>
</li>
</ul>
<t>This cleanup could be done, for example, as a custom rule in the
MUA's HTML sanitizer, if one exists.
Another implementation strategy for an HTML-capable MUA would be to add an entry
to the <xref target="CSS"/> style sheet for such a part:</t>
<artwork><![CDATA[
body div.header-protection-legacy-display { display: none; } body div.header-protection-legacy-display { display: none; }
]]></artwork></figure> ]]></artwork>
</section>
</section> </section>
</section> </section>
</section> <section anchor="implicitly-rendered">
<section anchor="implicitly-rendered"><name>Implicitly rendered Header Fields</n <name>Implicitly Rendered Header Fields</name>
ame> <t>While the <tt>From</tt>, <tt>To</tt>, <tt>Cc</tt>, <tt>Subject</tt>,
and <tt>Date</tt> Header Fields are often explicitly rendered to the user, some
<t>While <spanx style="verb">From</spanx>, <spanx style="verb">To</spanx>, <span Header Fields do affect message display without being explicitly rendered.</t>
x style="verb">Cc</spanx>, <spanx style="verb">Subject</spanx>, and <spanx style <t>For example, the <tt>Message-Id</tt>, <tt>References</tt>, and <tt>In
="verb">Date</spanx> Header Fields are often explicitly rendered to the user, so -Reply-To</tt> Header Fields may collectively be used to place a message in a "t
me Header Fields do affect message display, without being explicitly rendered.</ hread" or series of messages.</t>
t> <t>In another example, <xref target="avoid-misdirected-replies"/> notes
that the value of the <tt>Reply-To</tt> field can influence the draft reply mess
<t>For example, <spanx style="verb">Message-Id</spanx>, <spanx style="verb">Refe age.
rences</spanx>, and <spanx style="verb">In-Reply-To</spanx> Header Fields may co So while the user may never see the <tt>Reply-To</tt> Header Field directly, it
llectively be used to place a message in a "thread" or series of messages.</t> is implicitly "rendered" when the user interacts with the message by replying to
it.</t>
<t>In another example, <xref target="avoid-misdirected-replies"/> observes that <t>An MUA that depends on any implicitly rendered Header Field in a mess
the value of the <spanx style="verb">Reply-To</spanx> field can influence the dr age with Header Protection <bcp14>MUST</bcp14> use the value from the protected
aft reply message. Header Field and <bcp14>SHOULD NOT</bcp14> use any value found outside the crypt
So while the user may never see the <spanx style="verb">Reply-To</spanx> Header ographic protection unless it is known to be a Header Field added in transit, as
Field directly, it is implicitly "rendered" when the user interacts with the mes specified in <xref target="fields-added-in-transit"/>.</t>
sage by replying to it.</t> </section>
<section anchor="handling-undecryptable-messages">
<t>An MUA that depends on any implicitly rendered Header Field in a message with <name>Handling Undecryptable Messages</name>
Header Protection <bcp14>MUST</bcp14> use the value from the protected Header F <t>An MUA might receive an apparently encrypted message that it cannot c
ield, and <bcp14>SHOULD NOT</bcp14> use any value found outside the cryptographi urrently decrypt.
c protection unless it is known to be a Header Field added in transit, as specif
ied in <xref target="fields-added-in-transit"/>.</t>
</section>
<section anchor="handling-undecryptable-messages"><name>Handling Undecryptable M
essages</name>
<t>An MUA might receive an apparently encrypted message that it cannot currently
decrypt.
For example, when an MUA does not have regular access to the secret key material needed for decryption, it cannot know the cryptographically protected Header Fi elds or even whether the message has any cryptographically protected Header Fiel ds.</t> For example, when an MUA does not have regular access to the secret key material needed for decryption, it cannot know the cryptographically protected Header Fi elds or even whether the message has any cryptographically protected Header Fiel ds.</t>
<t>Such an undecrypted message will be rendered by the MUA as a message
<t>Such an undecrypted message will be rendered by the MUA as a message without without any Header Protection.
any Header Protection.
This means that the message summary may well change how it is rendered when the user is finally able to supply the secret key.</t> This means that the message summary may well change how it is rendered when the user is finally able to supply the secret key.</t>
<t>For example, the rendering of the <tt>Subject</tt> Header Field in a
<t>For example, the rendering of the <spanx style="verb">Subject</spanx> Header mailbox summary might change from <tt>[...]</tt> to the real message subject whe
Field in a mailbox summary might change from <spanx style="verb">[...]</spanx> t n the message is decrypted.
o the real message subject when the message is decrypted. Or the message's placement in a message thread might change if, say, <tt>Referen
Or the message's placement in a message thread might change if, say, <spanx styl ces</tt> or <tt>In-Reply-To</tt> have been removed or obscured (see <xref target
e="verb">References</spanx> or <spanx style="verb">In-Reply-To</spanx> have been ="implicitly-rendered"/>).</t>
removed or obscured (see <xref target="implicitly-rendered"/>).</t> <t>Additionally, if the MUA does not retain access to the decrypting sec
ret key, and it drops the decrypted form of a message, the message's rendering m
<t>Additionally, if the MUA does not retain access to the decrypting secret key, ay revert to the encrypted form.
and it drops the decrypted form of a message, the message's rendering may rever For example, if an MUA follows this behavior, the <tt>Subject</tt> Header Field
t to the encrypted form. in a mailbox summary might change from the real message subject back to <tt>[...
For example, if an MUA follows this behavior, the <spanx style="verb">Subject</s ]</tt>.
panx> Header Field in a mailbox summary might change from the real message subje Or the message might be displayed outside of its current thread if the MUA loses
ct back to <spanx style="verb">[...]</spanx>. access to a removed <tt>References</tt> or <tt>In-Reply-To</tt> header.</t>
Or the message might be displayed outside of its current thread if the MUA loses <t>These behaviors are likely to surprise the user.
access to a removed <spanx style="verb">References</spanx> or <spanx style="ver
b">In-Reply-To</spanx> header.</t>
<t>These behaviors are likely to surprise the user.
However, an MUA has several possible ways of reducing or avoiding all of these s urprises, including:</t> However, an MUA has several possible ways of reducing or avoiding all of these s urprises, including:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>
<t>Ensuring that the MUA always has access to decryption-capable secret key ma <t>Ensuring that the MUA always has access to decryption-capable sec
terial.</t> ret key material.</t>
<t>Rendering undecrypted messages in a special quarantine view until the decry </li>
ption-capable secret key material is available.</t> <li>
</list></t> <t>Rendering undecrypted messages in a special quarantine view until
the decryption-capable secret key material is available.</t>
<t>To reduce or avoid the surprises associated with a decrypted message with rem </li>
oved or obscured Header Fields becoming undecryptable, the MUA could also:</t> </ul>
<t>To reduce or avoid the surprises associated with a decrypted message
<t><list style="symbols"> with removed or obscured Header Fields becoming undecryptable, the MUA could als
<t>Securely cache metadata from a decrypted message's protected Header Fields o:</t>
so that its rendering doesn't change after the first decryption.</t> <ul spacing="normal">
<t>Securely store the session key associated with a decrypted message, so that <li>
attempts to read the message when the long-term secret key are unavailable can <t>Securely cache metadata from a decrypted message's protected Head
proceed using only the session key itself. er Fields so that its rendering doesn't change after the first decryption.</t>
See, for example, the discussion about stashing session keys in <xref section="9 </li>
.1" sectionFormat="of" target="I-D.ietf-lamps-e2e-mail-guidance"/>.</t> <li>
</list></t> <t>Securely store the session key associated with a decrypted messag
e so that attempts to read the message when the long-term secret key is unavaila
</section> ble can proceed using only the session key itself. For example, see the discussi
<section anchor="automated-message-handling"><name>Guidance for Automated Messag on about stashing session keys in <xref section="9.1" sectionFormat="of" target=
e Handling</name> "RFC9787"/>.</t>
</li>
<t>Some automated systems have a control channel that is operated by e-mail. </ul>
For example, an incoming e-mail message could subscribe someone to a mailing lis </section>
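Review bot: the session-key bullet now cites RFC9787 instead of I-D.ietf-lamps-e2e-mail-guidance but carries over section="9.1" unchanged from the draft citation. Section numbers can shift between a draft and its published RFC, so confirm that Section 9.1 of the published document is still the discussion of stashing session keys before this cross-reference is finalized.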
t, initiate the purchase of a specific product, approve another message for redi <section anchor="automated-message-handling">
stribution, or adjust the state of some shared object.</t> <name>Guidance for Automated Message Handling</name>
<t>Some automated systems have a control channel that is operated by ema
<t>To the extent that such a system depends on end-to-end cryptographic guarante il.
es about the e-mail control message, Header Protection as defined in this docume For example, an incoming email message could subscribe someone to a mailing list
nt should improve the system's security. , initiate the purchase of a specific product, approve another message for redis
This section provides some specific guidance for systems that use e-mail message tribution, or adjust the state of some shared object.</t>
s as a control channel that want to benefit from these security improvements.</t <t>To the extent that such a system depends on end-to-end cryptographic
> guarantees about the email control message, Header Protection as defined in this
document should improve the system's security.
<section anchor="interpret-only-protected-header-fields"><name>Interpret Only Pr This section provides some specific guidance for systems that use email messages
otected Header Fields</name> as a control channel that want to benefit from these security improvements.</t>
<section anchor="interpret-only-protected-header-fields">
<t>Consider the situation where an e-mail-based control channel depends on the m <name>Only Interpret Protected Header Fields</name>
essage's cryptographic signature and the action taken depends on some Header Fie <t>Consider the situation where an email-based control channel depends
ld of the message.</t> on the message's cryptographic signature and the action taken depends on some H
eader Field of the message.</t>
<t>In this case, the automated system <bcp14>MUST</bcp14> rely on information fr <t>In this case, the automated system <bcp14>MUST</bcp14> rely on info
om the Header Field that is protected by the mechanism defined in this document. rmation from the Header Field that is protected by the mechanism defined in this
document.
It <bcp14>MUST NOT</bcp14> rely on any Header Field found outside the Cryptograp hic Payload.</t> It <bcp14>MUST NOT</bcp14> rely on any Header Field found outside the Cryptograp hic Payload.</t>
<t>For example, consider an administrative interface for a mailing lis
<t>For example, consider an administrative interface for a mailing list manager t manager that only accepts control messages that are signed by one of its admin
that only accepts control messages that are signed by one of its administrators. istrators.
When an inbound message for the list arrives, it is queued (waiting for administ When an inbound message for the list arrives, it is queued (waiting for administ
rative approval) and the system generates and listens for two distinct e-mail ad rative approval) and the system generates and listens for two distinct email add
dresses related to the queued message -- one that approves the message, and one resses related to the queued message -- one that approves the message and one th
that rejects it. at rejects it.
If an administrator sends a signed control message to the approval address, the If an administrator sends a signed control message to the approval address, the
mailing list verifies that the protected <spanx style="verb">To</spanx> Header F mailing list verifies that the protected <tt>To</tt> Header Field of the signed
ield of the signed control message contains the approval address before approvin control message contains the approval address before approving the queued messag
g the queued message for redistribution. e for redistribution.
If the protected <spanx style="verb">To</spanx> Header Field does not contain th If the protected <tt>To</tt> Header Field does not contain that address, or ther
at address, or there is no protected <spanx style="verb">To</spanx> Header Field e is no protected <tt>To</tt> Header Field, then the mailing list logs or report
, then the mailing list logs or reports the error and does not act on that contr s the error and does not act on that control message.</t>
ol message.</t> </section>
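Review bot: the retitled heading of this section, "Only Interpret Protected Header Fields", moves "Only" in front of the verb, where it can be read as limiting the action (merely interpret) rather than the set of fields that may be trusted. The body is about which fields are trusted: the system MUST rely on the protected Header Field and MUST NOT rely on any Header Field found outside the Cryptographic Payload. The earlier title, "Interpret Only Protected Header Fields", says that directly and still matches the unchanged anchor interpret-only-protected-header-fields. Suggest keeping the original word order.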
<section anchor="ignore-legacy-display-elements">
</section> <name>Ignore Legacy Display Elements</name>
<section anchor="ignore-legacy-display-elements"><name>Ignore Legacy Display Ele <t>Consider the situation where an email-based control channel expects
ments</name> to receive an end-to-end encrypted message -- for example, where the control me
ssages need confidentiality guarantees -- and where the action taken depends on
<t>Consider the situation where an e-mail-based control channel expects to recei the contents of some MIME part within the message body.</t>
ve an end-to-end encrypted message -- for example, where the control messages ne <t>In this case, the automated system that decrypts the incoming messa
ed confidentiality guarantees -- and where the action taken depends on the conte ges and scans the relevant MIME part <bcp14>MUST</bcp14> identify when the MIME
nts of some MIME part within the message body.</t> part contains a Legacy Display Element (see <xref target="identify-legacy-displa
y"/>), and it <bcp14>MUST</bcp14> parse the relevant MIME part with the Legacy D
<t>In this case, the automated system that decrypts the incoming messages and sc isplay Element removed.</t>
ans the relevant MIME part <bcp14>MUST</bcp14> identify when the MIME part conta <t>For example, consider an administrative interface of a confidential
ins a Legacy Display Element (see <xref target="identify-legacy-display"/>), and issue tracking software.
it <bcp14>MUST</bcp14> parse the relevant MIME part with the Legacy Display Ele An authorized user can confidentially adjust the status of a tracked issue by a
ment removed.</t> specially formatted first line of the message body (for example, <tt>severity #1
83 serious</tt>).
<t>For example, consider an administrative interface of a confidential issue tra When the user's MUA encrypts a plaintext control message to this issue tracker,
cking software. depending on the MUA's <iref item="HCP"/><xref target="header-confidentiality-po
An authorized user can confidentially adjust the status of a tracked issue by a licy" format="none">HCP</xref> and its choice of <tt>legacy</tt> value, it may a
specially formatted first line of the message body (for example, <spanx style="v dd a Legacy Display Element.
erb">severity #183 serious</spanx>). If it does so, then the first line of the message body will contain a decorative
When the user's MUA encrypts a plain text control message to this issue tracker, copy of the confidential <tt>Subject</tt> Header Field.
depending on the MUA's <iref item="HCP"/><xref target="header-confidentiality-p
olicy" format="none">HCP</xref> and its choice of <spanx style="verb">legacy</sp
anx> value, it may add a Legacy Display Element.
If it does so, then the first line of the message body will contain a decorative
copy of the confidential <spanx style="verb">Subject</spanx> Header Field.
The issue tracking software decrypts the incoming control message, identifies th at there is a Legacy Display Element in the part (see <xref target="identify-leg acy-display"/>), strips the lines comprising the Legacy Display Element (includi ng the first blank line), and only then parses the remaining top line to look fo r the expected special formatting.</t> The issue tracking software decrypts the incoming control message, identifies th at there is a Legacy Display Element in the part (see <xref target="identify-leg acy-display"/>), strips the lines comprising the Legacy Display Element (includi ng the first blank line), and only then parses the remaining top line to look fo r the expected special formatting.</t>
</section>
</section> </section>
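Review bot: in the issue-tracker example, "plain text control message" has become "plaintext control message", and the two are not interchangeable. "Plaintext" reads as the cryptographic term for unencrypted input, while the example turns on the format of the body: the tracker parses the first line of the message body after stripping a Legacy Display Element. If the body format is what is meant, keep "plain text" or name the text/plain media type; if the cryptographic sense is intended, the word adds nothing next to "encrypts" and can be dropped.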
</section> <section anchor="debugging-and-troubleshooting">
<section anchor="debugging-and-troubleshooting"><name>Affordances for Debugging <name>Affordances for Debugging and Troubleshooting</name>
and Troubleshooting</name> <t>Note that advanced users of an MUA may need access to the original me
ssage, for example, to troubleshoot problems with the rendering MUA itself or pr
<t>Note that advanced users of an MUA may need access to the original message, f oblems with the SMTP transport path taken by the message.</t>
or example to troubleshoot problems with the rendering MUA itself, or problems w <t>An MUA that applies these rendering guidelines <bcp14>SHOULD</bcp14>
ith the SMTP transport path taken by the message.</t> ensure that the full original source of the message as it was received remains a
vailable to such a user for debugging and troubleshooting.</t>
<t>An MUA that applies these rendering guidelines <bcp14>SHOULD</bcp14> ensure t <t>If a troubleshooting scenario demands information about the cryptogra
hat the full original source of the message as it was received remains available phically protected values of Header Fields, and the message is encrypted, the de
to such a user for debugging and troubleshooting.</t> bugging interface <bcp14>SHOULD</bcp14> also provide a "source" view of the Cryp
tographic Payload itself, alongside the full original source of the message as r
<t>If a troubleshooting scenario demands information about the cryptographically eceived.</t>
protected values of Header Fields, and the message is encrypted, the debugging </section>
interface <bcp14>SHOULD</bcp14> also provide a "source" view of the Cryptographi <section anchor="RFC8551HP">
c Payload itself, alongside the full original source of the message as received. <name>Handling RFC8551HP Messages (Backward Compatibility)</name>
</t> <t><xref target="rfc8551-problems"/> describes some drawbacks to the Hea
der Protection scheme defined in <xref target="RFC8551"/>, referred to here as <
</section> iref item="RFC8551HP"/><xref target="RFC8551HP" format="none">RFC8551HP</xref>.
<section anchor="RFC8551HP"><name>Handling RFC8551HP Messages (Backward Compatib
ility)</name>
<t><xref target="rfc8551-problems"/> describes some drawbacks to the Header Prot
ection scheme defined in <xref target="RFC8551"/>, referred to here as <iref ite
m="RFC8551HP"/><xref target="RFC8551HP" format="none">RFC8551HP</xref>.
An MUA <bcp14>MUST NOT</bcp14> generate an <iref item="RFC8551HP"/><xref target= "RFC8551HP" format="none">RFC8551HP</xref> message. An MUA <bcp14>MUST NOT</bcp14> generate an <iref item="RFC8551HP"/><xref target= "RFC8551HP" format="none">RFC8551HP</xref> message.
However, for backward compatibility an MUA <bcp14>MAY</bcp14> try to render or r However, for backward compatibility, an MUA <bcp14>MAY</bcp14> try to render or
espond to such a message as though the message has standard Header Protection.</ respond to such a message as though the message has standard Header Protection.<
t> /t>
<t>The following two sections contain guidance for identifying, renderin
<t>The following two sections contain guidance for identifying, rendering and re g, and replying to <iref item="RFC8551HP"/><xref target="RFC8551HP" format="none
plying to <iref item="RFC8551HP"/><xref target="RFC8551HP" format="none">RFC8551 ">RFC8551HP</xref> messages.
HP</xref> messages. Corresponding test vectors are provided in Appendices <xref target="smime-one-pa
Corresponding test vectors are provided in <xref target="smime-one-part-complex- rt-complex-rfc8551hp" format="counter"/>, <xref target="smime-multipart-complex-
rfc8551hp"/>, <xref target="smime-multipart-complex-rfc8551hp"/>, and <xref targ rfc8551hp" format="counter"/>, and <xref target="smime-enc-signed-complex-rfc855
et="smime-enc-signed-complex-rfc8551hp-baseline"/>.</t> 1hp-baseline" format="counter"/>.</t>
<section anchor="identifying-rfc8551hp">
<section anchor="identifying-rfc8551hp"><name>Identifying an RFC8551HP Message</ <name>Identifying an RFC8551HP Message</name>
name> <t>An <iref item="RFC8551HP"/><xref target="RFC8551HP" format="none">R
FC8551HP</xref> message can be identified by its MIME structure, given that all
<t>An <iref item="RFC8551HP"/><xref target="RFC8551HP" format="none">RFC8551HP</ of the following conditions are met:</t>
xref> Message can be identified by its MIME structure, given that all of the fol <ul spacing="normal">
lowing conditions are met:</t> <li>
<t>It has a well-formed Cryptographic Envelope consisting of at le
<t><list style="symbols"> ast one Cryptographic Layer as the outermost MIME object.</t>
<t>It has a well-formed Cryptographic Envelope consisting of at least one Cryp </li>
tographic Layer as the outermost MIME object.</t> <li>
<t>The Cryptographic Payload is a single <spanx style="verb">message/rfc822</s <t>The Cryptographic Payload is a single <tt>message/rfc822</tt> o
panx> object</t> bject.</t>
<t>The message that constitutes the Cryptographic Payload does not itself have </li>
a well-formed Cryptographic Envelope; that is, its outermost MIME object is not <li>
a Cryptographic Layer.</t> <t>The message that constitutes the Cryptographic Payload does not
<t>No <spanx style="verb">Content-Type</spanx> parameter of <spanx style="verb itself have a well-formed Cryptographic Envelope; that is, its outermost MIME o
">hp=</spanx> is set on either the Cryptographic Payload, or its immediate MIME bject is not a Cryptographic Layer.</t>
child.</t> </li>
</list></t> <li>
<t>No <tt>Content-Type</tt> parameter of <tt>hp=</tt> is set on ei
<t>Here is the MIME structure of an example signed-and-encrypted <iref item="RFC ther the Cryptographic Payload or its immediate MIME child.</t>
8551HP"/><xref target="RFC8551HP" format="none">RFC8551HP</xref> message:</t> </li>
</ul>
<figure><artwork><![CDATA[ <t>Here is the MIME structure of an example signed-and-encrypted <iref
item="RFC8551HP"/><xref target="RFC8551HP" format="none">RFC8551HP</xref> messa
ge:</t>
<artwork><![CDATA[
A └─╴application/pkcs7-mime; smime-type="enveloped-data" A └─╴application/pkcs7-mime; smime-type="enveloped-data"
↧ (decrypts to) ↧ (decrypts to)
B └─╴application/pkcs7-mime; smime-type="signed-data" B └─╴application/pkcs7-mime; smime-type="signed-data"
⇩ (unwraps to) ⇩ (unwraps to)
C └┬╴message/rfc822 [Cryptographic Payload] C └┬╴message/rfc822 [Cryptographic Payload]
D └┬╴multipart/alternative [Rendered Body] D └┬╴multipart/alternative [Rendered Body]
E ├─╴text/plain E ├─╴text/plain
F └─╴text/html F └─╴text/html
]]></artwork></figure> ]]></artwork>
<t>This meets the definition of an <iref item="RFC8551HP"/><xref targe
<t>This meets the definition of an <iref item="RFC8551HP"/><xref target="RFC8551 t="RFC8551HP" format="none">RFC8551HP</xref> message because:</t>
HP" format="none">RFC8551HP</xref> message because:</t> <ul spacing="normal">
<li>
<t><list style="symbols"> <t>Cryptographic Layers <tt>A</tt> and <tt>B</tt> form the Cryptog
<t>Cryptographic Layers <spanx style="verb">A</spanx> and <spanx style="verb"> raphic Envelope.</t>
B</spanx> form the Cryptographic Envelope.</t> </li>
<t>The Cryptographic Payload, rooted in part <spanx style="verb">C</spanx> has <li>
<spanx style="verb">Content-Type: message/rfc822</spanx>.</t> <t>The Cryptographic Payload, rooted in part <tt>C</tt>, has <tt>C
<t>Part <spanx style="verb">D</spanx> (the MIME root of the message at <spanx ontent-Type: message/rfc822</tt>.</t>
style="verb">C</spanx>) is itself not a Cryptographic Layer.</t> </li>
<t>Neither part <spanx style="verb">C</spanx> nor part <spanx style="verb">D</ <li>
spanx> have any <spanx style="verb">hp</spanx> parameter set on their <spanx sty <t>Part <tt>D</tt> (the MIME root of the message at <tt>C</tt>) is
le="verb">Content-Type</spanx>.</t> itself not a Cryptographic Layer.</t>
</list></t> </li>
<li>
</section> <t>Neither part <tt>C</tt> nor part <tt>D</tt> have any <tt>hp</tt
<section anchor="rendering-responding-rfc8551hp"><name>Rendering or Responding t > parameters set on their <tt>Content-Type</tt>.</t>
o an RFC8551HP message</name> </li>
</ul>
<t>When it has precisely identified a message as an <iref item="RFC8551HP"/><xre </section>
f target="RFC8551HP" format="none">RFC8551HP</xref> message, an MUA <bcp14>MAY</ <section anchor="rendering-responding-rfc8551hp">
bcp14> render or respond to that message as though it were a message with Header <name>Rendering or Responding to an RFC8551HP Message</name>
Protection as defined in this document by making the following adjustments:</t> <t>When an MUA has precisely identified a message as an <iref item="RF
C8551HP"/><xref target="RFC8551HP" format="none">RFC8551HP</xref> message, the M
<t><list style="symbols"> UA <bcp14>MAY</bcp14> render or respond to that message as though it were a mess
<t>Rather than rendering the message body as the Cryptographic Payload itself age with Header Protection as defined in this document by making the following a
(part <spanx style="verb">C</spanx> in the example above), render the <iref item djustments:</t>
="RFC8551HP"/><xref target="RFC8551HP" format="none">RFC8551HP</xref> message's <ul spacing="normal">
body as the MIME subtree that is the Cryptographic Payload's immediate child (pa <li>
rt <spanx style="verb">D</spanx>).</t> <t>Rather than rendering the message body as the Cryptographic Pay
<t>Make a comparable modification to <iref item="HeaderSetsFromMessage"/><xref load itself (part <tt>C</tt> in the example above), render the <iref item="RFC85
target="headersetsfrommessage" format="none">HeaderSetsFromMessage</xref> (<xre 51HP"/><xref target="RFC8551HP" format="none">RFC8551HP</xref> message's body as
f target="headersetsfrommessage"/>) and <iref item="HeaderFieldProtection"/><xre the MIME subtree that is the Cryptographic Payload's immediate child (part <tt>
f target="headerfieldprotection" format="none">HeaderFieldProtection</xref> (<xr D</tt>).</t>
ef target="headerfieldprotection"/>): both algorithms currently look for the pro </li>
tected Header Fields on the Cryptographic Payload (part <spanx style="verb">C</s <li>
panx>), but they should instead look at the Cryptographic Payload's immediate ch <t>Make a comparable modification to <iref item="HeaderSetsFromMes
ild (part <spanx style="verb">D</spanx>). sage"/><xref target="headersetsfrommessage" format="none">HeaderSetsFromMessage<
<!--RFC Editor: the section references in the above bullet point are for the sak /xref> (<xref target="headersetsfrommessage"/>) and <iref item="HeaderFieldProte
e of the text/plain version. The text/html version doesn't need them because it ction"/><xref target="headerfieldprotection" format="none">HeaderFieldProtection
has automatic internal hyperlinks. Is there some way that we can keep them, bu </xref> (<xref target="headerfieldprotection"/>): Both algorithms currently look
t only for the text/plain version? --></t> for the protected Header Fields on the Cryptographic Payload (part <tt>C</tt>),
<t>If the Cryptographic Envelope is signed-only, behave as though there is an but they should instead look at the Cryptographic Payload's immediate child (pa
<spanx style="verb">hp="clear"</spanx> parameter for the Cryptographic Payload; rt <tt>D</tt>).
if the Envelope contains encryption, behave as though there is an <spanx style=" </t>
verb">hp="cipher"</spanx> parameter. </li>
<li>
<t>If the Cryptographic Envelope is signed-only, behave as though
there is an <tt>hp="clear"</tt> parameter for the Cryptographic Payload; if the
Envelope contains encryption, behave as though there is an <tt>hp="cipher"</tt>
parameter.
That is, infer the sender's cryptographic intent from the structure of the messa ge.</t> That is, infer the sender's cryptographic intent from the structure of the messa ge.</t>
<t>If the Cryptographic Envelope contains encryption, further modify <iref ite </li>
m="HeaderSetsFromMessage"/><xref target="headersetsfrommessage" format="none">He <li>
aderSetsFromMessage</xref> to derive <spanx style="verb">refouter</spanx> from t <t>If the Cryptographic Envelope contains encryption, further modi
he actual outer message Header Fields (those found in part <spanx style="verb">A fy <iref item="HeaderSetsFromMessage"/><xref target="headersetsfrommessage" form
</spanx> in the example above), rather than looking for <spanx style="verb">HP-O at="none">HeaderSetsFromMessage</xref> to derive <tt>refouter</tt> from the actu
uter</spanx> Header Fields with the other protected Header Fields. al outer message Header Fields (those found in part <tt>A</tt> in the example ab
ove) rather than looking for <tt>HP-Outer</tt> Header Fields with the other prot
ected Header Fields.
That is, infer Header Field confidentiality based on the unprotected headers.</t > That is, infer Header Field confidentiality based on the unprotected headers.</t >
</list></t> </li>
</ul>
<t>The inferences in the above modifications are not based on any strong end-to- <t>The inferences in the above modifications are not based on any stro
end guarantees. ng end-to-end guarantees.
An intervening MTA may tamper with the message's outer Header Section or wrap th e message in an encryption layer to undetectably change the recipient's understa nding of the confidentiality of the message's Header Fields or the message body itself.</t> An intervening MTA may tamper with the message's outer Header Section or wrap th e message in an encryption layer to undetectably change the recipient's understa nding of the confidentiality of the message's Header Fields or the message body itself.</t>
</section>
</section> </section>
</section> <section anchor="rendering-other-schemes">
<section anchor="rendering-other-schemes"><name>Rendering Other Schemes</name> <name>Rendering Other Schemes</name>
<t>Other MUAs may have generated different structures of messages that a
<t>Other MUAs may have generated different structures of messages that aim to of im to offer end-to-end cryptographic protections that include Header Protection.
fer end-to-end cryptographic protections that include Header Protection.
This document is not normative for those schemes, and it is <bcp14>NOT RECOMMEND ED</bcp14> to generate these other schemes, as they can either have structural f laws or simply render poorly on Legacy MUAs. This document is not normative for those schemes, and it is <bcp14>NOT RECOMMEND ED</bcp14> to generate these other schemes, as they can either have structural f laws or simply render poorly on Legacy MUAs.
A conformant MUA <bcp14>MAY</bcp14> attempt to infer Header Protection when rend ering an existing message that appears to use some other scheme not documented h ere. A conformant MUA <bcp14>MAY</bcp14> attempt to infer Header Protection when rend ering an existing message that appears to use some other scheme not documented h ere.
Pointers to some known other schemes can be found in <xref target="other-schemes "/>.</t> Pointers to some known other schemes can be found in <xref target="other-schemes "/>.</t>
</section>
</section> </section>
</section> <section anchor="sending-guidance">
<section anchor="sending-guidance"><name>Sending Guidance</name> <name>Sending Guidance</name>
<t>This section describes the process an MUA should use to apply cryptogra
<t>This section describes the process an MUA should use to apply cryptographic p phic protection to an email message with Header Protection.</t>
rotection to an e-mail message with Header Protection.</t> <t>When composing a message with end-to-end cryptographic protections, an
MUA <bcp14>SHOULD</bcp14> apply Header Protection.</t>
<t>When composing a message with end-to-end cryptographic protections, an MUA <b <t>When generating such a message, an MUA <bcp14>MUST</bcp14> add the <tt>
cp14>SHOULD</bcp14> apply Header Protection.</t> hp</tt> parameter (see <xref target="hp-parameter"/>) only to the <tt>Content-Ty
pe</tt> Header Field at the root of the message's Cryptographic Payload.
<t>When generating such a message, an MUA <bcp14>MUST</bcp14> add the <spanx sty
le="verb">hp</spanx> parameter (see <xref target="hp-parameter"/>) only to the <
spanx style="verb">Content-Type</spanx> Header Field at the root of the message'
s Cryptographic Payload.
The value of the parameter <bcp14>MUST</bcp14> indicate whether the Cryptographi c Envelope contains a layer that provides encryption.</t> The value of the parameter <bcp14>MUST</bcp14> indicate whether the Cryptographi c Envelope contains a layer that provides encryption.</t>
<section anchor="compose-legacy">
<section anchor="compose-legacy"><name>Composing a Cryptographically Protected M <name>Composing a Cryptographically Protected Message Without Header Pro
essage Without Header Protection</name> tection</name>
<t>For contrast, we first consider the typical message composition proce
<t>For contrast, we first consider the typical message composition process of a ss of a Legacy Crypto MUA, which does not provide any Header Protection.</t>
Legacy Crypto MUA which does not provide any Header Protection.</t> <t>This process is described in <xref section="5.1" sectionFormat="of" t
arget="RFC9787"/>.
<t>This process is described in <xref section="5.1" sectionFormat="of" target="I
-D.ietf-lamps-e2e-mail-guidance"/>.
We replicate it here for reference. We replicate it here for reference.
The inputs to the algorithm are:</t> The inputs to the algorithm are:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>
<t><spanx style="verb">origbody</spanx>: the traditional unprotected message b <t><tt>origbody</tt>: The traditional unprotected message body as a
ody as a well-formed MIME tree (possibly just a single MIME leaf part). well-formed MIME tree (possibly just a single MIME leaf part).
As a well-formed MIME tree, <spanx style="verb">origbody</spanx> already has str As a well-formed MIME tree, <tt>origbody</tt> already has structural Header Fiel
uctural Header Fields (<spanx style="verb">Content-*</spanx>) present.</t> ds (<tt>Content-*</tt>) present.</t>
<t><spanx style="verb">origheaders</spanx>: the intended non-structural Header </li>
Fields for the message, represented here as a list of <spanx style="verb">(h,v) <li>
</spanx> pairs, where <spanx style="verb">h</spanx> is a Header Field name and < <t><tt>origheaders</tt>: The intended non-structural Header Fields f
spanx style="verb">v</spanx> is the associated value. or the message, represented here as a list of <tt>(h,v)</tt> pairs, where <tt>h<
/tt> is a Header Field name and <tt>v</tt> is the associated value.
Note that these are Header Fields that the MUA intends to be visible to the reci pient of the message. Note that these are Header Fields that the MUA intends to be visible to the reci pient of the message.
In particular, if the MUA uses the <spanx style="verb">Bcc</spanx> Header Field In particular, if the MUA uses the <tt>Bcc</tt> Header Field during composition
during composition, but plans to omit it from the message (see <xref section="3. but plans to omit it from the message (see <xref section="3.6.3" sectionFormat="
6.3" sectionFormat="of" target="RFC5322"/>), it will not be in <spanx style="ver of" target="RFC5322"/>), it will not be in <tt>origheaders</tt>.</t>
b">origheaders</spanx>.</t> </li>
<t><spanx style="verb">crypto</spanx>: The series of cryptographic protections <li>
to apply (for example, "sign with the secret key corresponding to X.509 certifi <t><tt>crypto</tt>: The series of cryptographic protections to apply
cate X, then encrypt to X.509 certificates X and Y"). (for example, "sign with the secret key corresponding to X.509 certificate X, t
hen encrypt to X.509 certificates X and Y").
This is a routine that accepts a MIME tree as input (the Cryptographic Payload), wraps the input in the appropriate Cryptographic Envelope, and returns the resu ltant MIME tree as output.</t> This is a routine that accepts a MIME tree as input (the Cryptographic Payload), wraps the input in the appropriate Cryptographic Envelope, and returns the resu ltant MIME tree as output.</t>
</list></t> </li>
</ul>
<t>The algorithm returns a MIME object that is ready to be injected into the mai
l system.</t>
<section anchor="composenoheaderprotection"><name>ComposeNoHeaderProtection</nam
e>
<t>Method Signature:</t>
<t><spanx style="verb">
ComposeNoHeaderProtection(origbody, origheaders, crypto) → mime_message
</spanx></t>
<t>Procedure:</t>
<t><list style="numbers" type="1">
<t>Apply <spanx style="verb">crypto</spanx> to MIME part <spanx style="verb">o
rigbody</spanx>, producing MIME tree <spanx style="verb">output</spanx></t>
<t>For each Header Field name and value <spanx style="verb">(h,v)</spanx> in <
spanx style="verb">origheaders</spanx>:
<list style="numbers" type="i">
<t>Add Header Field <spanx style="verb">h</spanx> to <spanx style="verb">o
utput</spanx> with value <spanx style="verb">v</spanx></t>
</list></t>
<t>Return <spanx style="verb">output</spanx></t>
</list></t>
</section>
</section>
<section anchor="compose"><name>Composing a Message with Header Protection</name
>
<t>To compose a message using Header Protection, the composing MUA uses the foll
owing inputs:</t>
<t><list style="symbols">
<t>All the inputs described in <xref target="compose-legacy"/></t>
<t><spanx style="verb">hcp</spanx>: a <iref item="Header Confidentiality Polic
y"/><xref target="header-confidentiality-policy" format="none">Header Confidenti
ality Policy</xref>, as defined in <xref target="header-confidentiality-policy"/
></t>
<t><spanx style="verb">respond</spanx>: if the new message is a response to an
other message (e.g., "Reply", "Reply All", "Forward", etc), the MUA function cor
responding to the user's action (see <xref target="avoid-leak"/>), otherwise <sp
anx style="verb">null</spanx></t>
<t><spanx style="verb">refmsg</spanx>: if the new message is a response to ano
ther message, the message being responded to, otherwise <spanx style="verb">null
</spanx></t>
<t><spanx style="verb">legacy</spanx>: a boolean value, indicating whether any
recipient of the message is believed to have a Legacy MUA.
If all recipients are known to implement this document, <spanx style="verb">lega
cy</spanx> should be set to <spanx style="verb">false</spanx>.
(How an MUA determines the value of <spanx style="verb">legacy</spanx> is out of
scope for this document; an initial implementation can simply set it to <spanx
style="verb">true</spanx>)</t>
</list></t>
<t>To enable visibility of User-Facing but now removed/obscured Header Fields fo <t>The algorithm returns a MIME object that is ready to be injected into
r decryption-capable Legacy MUAs, the Header Fields are included as a decorative the mail system.</t>
Legacy Display Element in specially marked parts of the message (see <xref targ <section anchor="composenoheaderprotection">
et="hp-legacy-display"/>). <name>ComposeNoHeaderProtection</name>
This document recommends two mechanisms for such a decorative adjustment: one fo <t>Method Signature:</t>
r a <spanx style="verb">text/html</spanx> Main Body Part of the e-mail message, <t><tt>
and one for a <spanx style="verb">text/plain</spanx> Main Body Part. ComposeNoHeaderProtection(origbody, origheaders, crypto) -&gt; mime_message
</tt></t>
<t>Procedure:</t>
<ol spacing="normal" type="1"><li>
<t>Apply <tt>crypto</tt> to MIME part <tt>origbody</tt>, producing
MIME tree <tt>output</tt>.</t>
</li>
<li>
<t>For each Header Field name and value <tt>(h,v)</tt> in <tt>orig
headers</tt>:
</t>
<ol spacing="normal" type="i"><li>
<t>Add Header Field <tt>h</tt> to <tt>output</tt> with value <
tt>v</tt>.</t>
</li>
</ol>
</li>
<li>
<t>Return <tt>output</tt>.</t>
</li>
</ol>
</section>
</section>
<section anchor="compose">
<name>Composing a Message with Header Protection</name>
<t>To compose a message using Header Protection, the composing MUA uses
the following inputs:</t>
<ul spacing="normal">
<li>
<t>all the inputs described in <xref target="compose-legacy"/></t>
</li>
<li>
<t><tt>hcp</tt>: a <iref item="Header Confidentiality Policy"/><xref
target="header-confidentiality-policy" format="none">Header Confidentiality Pol
icy</xref>, as defined in <xref target="header-confidentiality-policy"/></t>
</li>
<li>
<t><tt>respond</tt>: if the new message is a response to another mes
sage (e.g., "Reply", "Reply All", "Forward", etc.), the MUA function correspondi
ng to the user's action (see <xref target="avoid-leak"/>), otherwise <tt>null</t
t></t>
</li>
<li>
<t><tt>refmsg</tt>: if the new message is a response to another mess
age, the message being responded to, otherwise <tt>null</tt></t>
</li>
<li>
<t><tt>legacy</tt>: a boolean value, indicating whether any recipien
t of the message is believed to have a Legacy MUA.
If all recipients are known to implement this document, <tt>legacy</tt> should b
e set to <tt>false</tt>.
(How an MUA determines the value of <tt>legacy</tt> is out of scope for this doc
ument; an initial implementation can simply set it to <tt>true</tt>.)</t>
</li>
</ul>
<t>To enable visibility of User-Facing but now removed/obscured Header F
ields for decryption-capable Legacy MUAs, the Header Fields are included as a de
corative Legacy Display Element in specially marked parts of the message (see <x
ref target="hp-legacy-display"/>).
This document recommends two mechanisms for such a decorative adjustment: one fo
r a <tt>text/html</tt> Main Body Part of the email message and one for a <tt>tex
t/plain</tt> Main Body Part.
This document does not recommend adding a Legacy Display Element to any other pa rt.</t> This document does not recommend adding a Legacy Display Element to any other pa rt.</t>
<t>Please see <xref section="7.1" sectionFormat="of" target="RFC9787"/>
<t>Please see <xref section="7.1" sectionFormat="of" target="I-D.ietf-lamps-e2e- for guidance on identifying the parts of a message that are a Main Body Part.</t
mail-guidance"/> for guidance on identifying the parts of a message that are a M >
ain Body Part.</t> <section anchor="compose-algorithm">
<name>Compose</name>
<section anchor="compose-algorithm"><name>Compose</name> <t>Method Signature:</t>
<t><tt>
<t>Method Signature:</t>
<t><spanx style="verb">
Compose(origbody, origheaders, crypto, Compose(origbody, origheaders, crypto,
hcp, respond, refmsg, legacy) hcp, respond, refmsg, legacy)
→ mime_message -&gt; mime_message
</spanx></t> </tt></t>
<t>Procedure:</t>
<t>Procedure:</t> <ol spacing="normal" type="1"><li>
<t>Let <tt>newbody</tt> be a copy of <tt>origbody</tt>.</t>
<t><list style="numbers" type="1"> </li>
<t>Let <spanx style="verb">newbody</spanx> be a copy of <spanx style="verb">or <li>
igbody</spanx></t> <t>If <tt>crypto</tt> contains encryption and <tt>legacy</tt> is <
<t>If <spanx style="verb">crypto</spanx> contains encryption, and <spanx style tt>true</tt>:
="verb">legacy</spanx> is <spanx style="verb">true</spanx>: </t>
<list style="numbers" type="i"> <ol spacing="normal" type="i"><li>
<t>Create <spanx style="verb">ldlist</spanx>, an empty list of <spanx styl <t>Create <tt>ldlist</tt>, an empty list of <tt>(header, value
e="verb">(header, value)</spanx> pairs</t> )</tt> pairs.</t>
<t>For each Header Field name and value <spanx style="verb">(h,v)</spanx> </li>
in <spanx style="verb">origheaders</spanx>: <li>
<list style="numbers" type="a"> <t>For each Header Field name and value <tt>(h,v)</tt> in <tt>
<t>If <spanx style="verb">h</spanx> is User-Facing (see <xref section= origheaders</tt>:
"1.1.2" sectionFormat="of" target="I-D.ietf-lamps-e2e-mail-guidance"/>): </t>
<list style="numbers" type="I"> <ol spacing="normal" type="a"><li>
<t>If <spanx style="verb">hcp(h,v)</spanx> is not <spanx style="ve <t>If <tt>h</tt> is User-Facing (see <xref section="1.1.2"
rb">v</spanx>: sectionFormat="of" target="RFC9787"/>):
<list style="numbers" type="A"> </t>
<t>Add <spanx style="verb">(h,v)</spanx> to <spanx style="verb <ol spacing="normal" type="I"><li>
">ldlist</spanx></t> <t>If <tt>hcp(h,v)</tt> is not <tt>v</tt>:
</list></t> </t>
</list></t> <ol spacing="normal" type="A"><li>
</list></t> <t>Add <tt>(h,v)</tt> to <tt>ldlist</tt>.</t>
<t>If <spanx style="verb">ldlist</spanx> is not empty: </li>
<list style="numbers" type="a"> </ol>
<t>Identify each leaf MIME part of <spanx style="verb">newbody</spanx> </li>
that represents the "main body" of the message.</t> </ol>
<t>For each "Main Body Part" <spanx style="verb">bodypart</spanx> of t </li>
ype <spanx style="verb">text/plain</spanx> or <spanx style="verb">text/html</spa </ol>
nx>: </li>
<list style="numbers" type="I"> <li>
<t>Adjust <spanx style="verb">bodypart</spanx> by inserting a Lega <t>If <tt>ldlist</tt> is not empty:
cy Display Element header list <spanx style="verb">ldlist</spanx> into its conte </t>
nt, and adding a <spanx style="verb">Content-Type</spanx> parameter <spanx style <ol spacing="normal" type="a"><li>
="verb">hp-legacy-display</spanx> with value <spanx style="verb">1</spanx> (see <t>Identify each leaf MIME part of <tt>newbody</tt> that r
<xref target="ld-text-plain"/> for <spanx style="verb">text/plain</spanx> and <x epresents the "main body" of the message.</t>
ref target="ld-text-html"/> for <spanx style="verb">text/html</spanx>)</t> </li>
</list></t> <li>
</list></t> <t>For each "Main Body Part" <tt>bodypart</tt> of type <tt
</list></t> >text/plain</tt> or <tt>text/html</tt>:
<t>For each Header Field name and value <spanx style="verb">(h,v)</spanx> in < </t>
spanx style="verb">origheaders</spanx>: <ol spacing="normal" type="I"><li>
<list style="numbers" type="i"> <t>Adjust <tt>bodypart</tt> by inserting a Legacy Disp
<t>Add Header Field <spanx style="verb">h</spanx> to MIME part <spanx styl lay Element header list <tt>ldlist</tt> into its content and adding a <tt>Conten
e="verb">newbody</spanx> with value <spanx style="verb">v</spanx></t> t-Type</tt> parameter <tt>hp-legacy-display</tt> with value <tt>1</tt> (see <xre
</list></t> f target="ld-text-plain"/> for <tt>text/plain</tt> and <xref target="ld-text-htm
<t>If <spanx style="verb">crypto</spanx> does not contain encryption: l"/> for <tt>text/html</tt>).</t>
<list style="numbers" type="i"> </li>
<t>Set the <spanx style="verb">hp</spanx> parameter on the <spanx style="v </ol>
erb">Content-Type</spanx> of MIME part <spanx style="verb">newbody</spanx> to <s </li>
panx style="verb">clear</spanx></t> </ol>
<t>Let <spanx style="verb">newheaders</spanx> be a copy of <spanx style="v </li>
erb">origheaders</spanx></t> </ol>
</list></t> </li>
<t>Else (if <spanx style="verb">crypto</spanx> contains encryption): <li>
<list style="numbers" type="i"> <t>For each Header Field name and value <tt>(h,v)</tt> in <tt>orig
<t>Set the <spanx style="verb">hp</spanx> parameter on the <spanx style="v headers</tt>:
erb">Content-Type</spanx> of MIME part <spanx style="verb">newbody</spanx> to <s </t>
panx style="verb">cipher</spanx></t> <ol spacing="normal" type="i"><li>
<t>If <spanx style="verb">refmsg</spanx> is not <spanx style="verb">null</ <t>Add Header Field <tt>h</tt> to MIME part <tt>newbody</tt> w
spanx>, <spanx style="verb">respond</spanx> is not <spanx style="verb">null</spa ith value <tt>v</tt>.</t>
nx>, and <spanx style="verb">refmsg</spanx> itself is encrypted with header prot </li>
ection: </ol>
<list style="numbers" type="a"> </li>
<t>Let <spanx style="verb">response_hcp</spanx> be a single-use <iref <li>
item="HCP"/><xref target="header-confidentiality-policy" format="none">HCP</xref <t>If <tt>crypto</tt> does not contain encryption:
> derived from <spanx style="verb">respond</spanx> and <spanx style="verb">refms </t>
g</spanx> (see <xref target="avoid-leak"/>)</t> <ol spacing="normal" type="i"><li>
</list></t> <t>Set the <tt>hp</tt> parameter on the <tt>Content-Type</tt>
<t>Else (if this is not a response to an encrypted, header-protected messa of MIME part <tt>newbody</tt> to <tt>clear</tt>.</t>
ge): </li>
<list style="numbers" type="a"> <li>
<t>Set <spanx style="verb">response_hcp</spanx> to <spanx style="verb" <t>Let <tt>newheaders</tt> be a copy of <tt>origheaders</tt>.<
>hcp_no_confidentiality</spanx></t> /t>
</list></t> </li>
<t>Create new empty list of Header Field names and values <spanx style="ve </ol>
rb">newheaders</spanx></t> </li>
<t>For each Header Field name and value <spanx style="verb">(h,v)</spanx> <li>
in <spanx style="verb">origheaders</spanx>: <t>Else (if <tt>crypto</tt> contains encryption):
<list style="numbers" type="a"> </t>
<t>Let <spanx style="verb">newval</spanx> be <spanx style="verb">hcp(h <ol spacing="normal" type="i"><li>
,v)</spanx></t> <t>Set the <tt>hp</tt> parameter on the <tt>Content-Type</tt>
<t>If <spanx style="verb">newval</spanx> is <spanx style="verb">v</spa of MIME part <tt>newbody</tt> to <tt>cipher</tt>.</t>
nx>: </li>
<list style="numbers" type="I"> <li>
<t>Let <spanx style="verb">newval</spanx> be <spanx style="verb">r <t>If <tt>refmsg</tt> is not <tt>null</tt>, <tt>respond</tt> i
esponse_hcp(h,v)</spanx></t> s not <tt>null</tt>, and <tt>refmsg</tt> itself is encrypted with header protect
</list></t> ion:
<t>If <spanx style="verb">newval</spanx> is not <spanx style="verb">nu </t>
ll</spanx>): <ol spacing="normal" type="a"><li>
<list style="numbers" type="I"> <t>Let <tt>response_hcp</tt> be a single-use <iref item="H
<t>Add <spanx style="verb">(h,newval)</spanx> to <spanx style="ver CP"/><xref target="header-confidentiality-policy" format="none">HCP</xref> deriv
b">newheaders</spanx></t> ed from <tt>respond</tt> and <tt>refmsg</tt> (see <xref target="avoid-leak"/>).<
</list></t> /t>
</list></t> </li>
<t>For each Header Field name and value <spanx style="verb">(h,v)</spanx> </ol>
in <spanx style="verb">newheaders</spanx>: </li>
<list style="numbers" type="a"> <li>
<t>Let string <spanx style="verb">record</spanx> be the concatenation <t>Else (if this is not a response to an encrypted, header-pro
of <spanx style="verb">h</spanx>, a literal "<spanx style="verb">: </spanx>" (AS tected message):
CII colon (0x3A) followed by ASCII space (0x20)), and <spanx style="verb">v</spa </t>
nx></t> <ol spacing="normal" type="a"><li>
<t>Add Header Field "<spanx style="verb">HP-Outer</spanx>" to MIME par <t>Set <tt>response_hcp</tt> to <tt>hcp_no_confidentiality
t <spanx style="verb">newbody</spanx> with value <spanx style="verb">record</spa </tt>.</t>
nx></t> </li>
</list></t> </ol>
</list></t> </li>
<t>Apply <spanx style="verb">crypto</spanx> to MIME part <spanx style="verb">n <li>
ewbody</spanx>, producing MIME tree <spanx style="verb">output</spanx></t> <t>Create a new empty list of Header Field names and values <t
<t>For each Header Field name and value <spanx style="verb">(h,v)</spanx> in < t>newheaders</tt>.</t>
spanx style="verb">newheaders</spanx>: </li>
<list style="numbers" type="i"> <li>
<t>Add Header Field <spanx style="verb">h</spanx> to <spanx style="verb">o <t>For each Header Field name and value <tt>(h,v)</tt> in <tt>
utput</spanx> with value <spanx style="verb">v</spanx></t> origheaders</tt>:
</list></t> </t>
<t>Return <spanx style="verb">output</spanx></t> <ol spacing="normal" type="a"><li>
</list></t> <t>Let <tt>newval</tt> be <tt>hcp(h,v)</tt>.</t>
</li>
<t>Note that both new parameters (<spanx style="verb">hcp</spanx> and <spanx sty <li>
le="verb">legacy</spanx>) are effectively ignored if <spanx style="verb">crypto< <t>If <tt>newval</tt> is <tt>v</tt>:
/spanx> does not contain encryption. </t>
<ol spacing="normal" type="I"><li>
<t>Let <tt>newval</tt> be <tt>response_hcp(h,v)</tt>.<
/t>
</li>
</ol>
</li>
<li>
<t>If <tt>newval</tt> is not <tt>null</tt>):
</t>
<ol spacing="normal" type="I"><li>
<t>Add <tt>(h,newval)</tt> to <tt>newheaders</tt>.</t>
</li>
</ol>
</li>
</ol>
</li>
<li>
<t>For each Header Field name and value <tt>(h,v)</tt> in <tt>
newheaders</tt>:
</t>
<ol spacing="normal" type="a"><li>
<t>Let string <tt>record</tt> be the concatenation of <tt>
h</tt>, a literal "<tt>: </tt>" (ASCII colon (0x3A) followed by ASCII space (0x2
0)), and <tt>v</tt>.</t>
</li>
<li>
<t>Add Header Field "<tt>HP-Outer</tt>" to MIME part <tt>n
ewbody</tt> with value <tt>record</tt>.</t>
</li>
</ol>
</li>
</ol>
</li>
<li>
<t>Apply <tt>crypto</tt> to MIME part <tt>newbody</tt>, producing
MIME tree <tt>output</tt>.</t>
</li>
<li>
<t>For each Header Field name and value <tt>(h,v)</tt> in <tt>newh
eaders</tt>:
</t>
<ol spacing="normal" type="i"><li>
<t>Add Header Field <tt>h</tt> to <tt>output</tt> with value <
tt>v</tt>.</t>
</li>
</ol>
</li>
<li>
<t>Return <tt>output</tt>.</t>
</li>
</ol>
<t>Note that both new parameters (<tt>hcp</tt> and <tt>legacy</tt>) ar
e effectively ignored if <tt>crypto</tt> does not contain encryption.
This is by design, because they are irrelevant for signed-only cryptographic pro tections.</t> This is by design, because they are irrelevant for signed-only cryptographic pro tections.</t>
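Review bot: In step 2 of the Compose procedure, the test that fills ldlist ("If hcp(h,v) is not v") consults only hcp, while step 5 can additionally change or drop a Header Field through response_hcp when the message is a reply to an encrypted, header-protected message. A User-Facing Header Field that hcp leaves alone but response_hcp obscures would therefore get no Legacy Display Element, and a recipient using a decryption-capable Legacy MUA would only see the obscured value. Either derive response_hcp before step 2 and test both policies there, or state explicitly that the omission is intended. Separately, the step "If newval is not null):" in the new column still carries the unbalanced closing parenthesis from the draft; drop it.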
</section>
<section anchor="ld-text-plain">
<name>Adding a Legacy Display Element to a text/plain Part</name>
<t>For a list of obscured and removed User-Facing Header Fields repres
ented as <tt>(header, value)</tt> pairs, concatenate them as a set of lines, wit
h one newline at the end of each pair.
Add an additional trailing newline after the resultant text, and prepend the ent
ire list to the body of the <tt>text/plain</tt> part.</t>
<t>The MUA <bcp14>MUST</bcp14> also add a <tt>Content-Type</tt> parame
ter of <tt>hp-legacy-display</tt> with value <tt>1</tt> to the MIME part to indi
cate that a Legacy Display Element was added.</t>
<t>For example, if the list of obscured Header Fields was <tt>[("Cc",
"alice@example.net"), ("Subject", "Thursday's meeting")]</tt>, then a <tt>text/p
lain</tt> Main Body Part that originally looked like this:</t>
</section> <!--[rfced] The <artwork> in Sections 5.2.2 and 5.2.3 includes the
<section anchor="ld-text-plain"><name>Adding a Legacy Display Element to a text/ following attributes: charset=UTF-8 and hp-legacy-display=1.
plain Part</name>
<t>For a list of obscured and removed User-Facing Header Fields represented as < Should quotes appear around the "UTF-8" and "1" values in these
spanx style="verb">(header, value)</spanx> pairs, concatenate them as a set of l instances per other use in the document? And should "UTF-8" be made
ines, with one newline at the end of each pair. lowercase for consistency, or are the lowercase instances different?
Add an additional trailing newline after the resultant text, and prepend the ent
ire list to the body of the <spanx style="verb">text/plain</spanx> part.</t>
<t>The MUA <bcp14>MUST</bcp14> also add a <spanx style="verb">Content-Type</span Current:
x> parameter of <spanx style="verb">hp-legacy-display</spanx> with value <spanx Content-Type: text/plain; charset=UTF-8 vs.
style="verb">1</spanx> to the MIME part to indicate that a Legacy Display Elemen Content-Type: text/plain; charset="utf-8"
t was added.</t>
<t>For example, if the list of obscured Header Fields was <spanx style="verb">[( Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"; vs.
"Cc", "alice@example.net"), ("Subject", "Thursday's meeting")]</spanx>, then a < Content-Type: text/plain; charset=UTF-8; hp-legacy-display=1
spanx style="verb">text/plain</spanx> Main Body Part that originally looked like -->
this:</t>
<figure><artwork><![CDATA[ <artwork><![CDATA[
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
I think we should skip the meeting. I think we should skip the meeting.
]]></artwork></figure> ]]></artwork>
<t>would become:</t>
<t>Would become:</t> <artwork><![CDATA[
<figure><artwork><![CDATA[
Content-Type: text/plain; charset=UTF-8; hp-legacy-display=1 Content-Type: text/plain; charset=UTF-8; hp-legacy-display=1
Subject: Thursday's meeting Subject: Thursday's meeting
Cc: alice@example.net Cc: alice@example.net
I think we should skip the meeting. I think we should skip the meeting.
]]></artwork></figure> ]]></artwork>
<t>Note that the Legacy Display Elements (the lines beginning with <tt
<t>Note that the Legacy Display Element (the lines beginning with <spanx style=" >Subject:</tt> and <tt>Cc:</tt>) are part of the body of the MIME part in questi
verb">Subject:</spanx> and <spanx style="verb">Cc:</spanx>) are part of the body on.</t>
of the MIME part in question.</t> <t>This example assumes that the Main Body Part in question is not the
root of the Cryptographic Payload.
<t>This example assumes that the Main Body Part in question is not the root of t For instance, it could be a leaf of a <tt>multipart/alternative</tt> Cryptograph
he Cryptographic Payload. ic Payload.
For instance, it could be a leaf of a <spanx style="verb">multipart/alternative<
/spanx> Cryptographic Payload.
This is why no additional Header Fields have been injected into the MIME part in this example.</t> This is why no additional Header Fields have been injected into the MIME part in this example.</t>
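Review bot: The [rfced] comment ahead of the first artwork in the new column is an unresolved editor query and should not survive into the published XML; answer it and delete the comment. On the substance, the artwork here writes the parameters unquoted (charset=UTF-8; hp-legacy-display=1) while the query cites quoted forms (charset="us-ascii"; hp-legacy-display="1") elsewhere in the document. Both are valid MIME parameter syntax and parse to the same value, so pick one form for the examples and consider a sentence reminding receiving MUAs to compare the parsed value of hp-legacy-display rather than matching the raw header text.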
</section>
</section> <section anchor="ld-text-html">
<section anchor="ld-text-html"><name>Adding a Legacy Display Element to a text/h <name>Adding a Legacy Display Element to a text/html Part</name>
tml Part</name> <t>Adding a Legacy Display Element to a <tt>text/html</tt> part is sim
ilar to how it is added to a <tt>text/plain</tt> part (see <xref target="ld-text
<t>Adding a Legacy Display Element to a <spanx style="verb">text/html</spanx> pa -plain"/>).
rt is similar to how it is added to a <spanx style="verb">text/plain</spanx> par Instead of adding the obscured or removed User-Facing Header Fields to a block o
t (see <xref target="ld-text-plain"/>). f text delimited by a blank line, the composing MUA injects them in an HTML <tt>
Instead of adding the obscured or removed User-Facing Header Fields to a block o &lt;div&gt;</tt> element annotated with a <tt>class</tt> attribute of <tt>header
f text delimited by a blank line, the composing MUA injects them in an HTML <spa -protection-legacy-display</tt>.</t>
nx style="verb">&lt;div&gt;</spanx> element annotated with a <spanx style="verb" <t>The content and formatting of this decorative <tt>&lt;div&gt;</tt>
>class</spanx> attribute of <spanx style="verb">header-protection-legacy-display have no strict requirements, but they <bcp14>MUST</bcp14> represent all the obsc
</spanx>.</t> ured and removed User-Facing Header Fields in a readable fashion.
A simple approach is to assemble the text in the same way as <xref target="ld-te
<t>The content and formatting of this decorative <spanx style="verb">&lt;div&gt; xt-plain"/>, wrap it in a verbatim <tt>&lt;pre&gt;</tt> element, and put that el
</spanx> have no strict requirements, but they <bcp14>MUST</bcp14> represent all ement in the annotated <tt>&lt;div&gt;</tt>.</t>
the obscured and removed User-Facing Header Fields in a readable fashion. <t>The annotated <tt>&lt;div&gt;</tt> should be placed as close to the
A simple approach is to assemble the text in the same way as <xref target="ld-te start of the <tt>&lt;body&gt;</tt> as possible, where it will be visible when v
xt-plain"/>, wrap it in a verbatim <spanx style="verb">&lt;pre&gt;</spanx> eleme iewed with a standard HTML renderer.</t>
nt, and put that element in the annotated <spanx style="verb">&lt;div&gt;</spanx <t>The MUA <bcp14>MUST</bcp14> also add a <tt>Content-Type</tt> parame
>.</t> ter of <tt>hp-legacy-display</tt> with value <tt>1</tt> to the MIME part to indi
cate that a Legacy Display Element was added.</t>
<t>The annotated <spanx style="verb">&lt;div&gt;</spanx> should be placed as clo <t>For example, if the list of obscured Header Fields was <tt>[("Cc",
se to the start of the <spanx style="verb">&lt;body&gt;</spanx> as possible, whe "alice@example.net"), ("Subject", "Thursday's meeting")]</tt>, then a <tt>text/h
re it will be visible when viewed with a standard HTML renderer.</t> tml</tt> Main Body Part that originally looked like this:</t>
<artwork><![CDATA[
<t>The MUA <bcp14>MUST</bcp14> also add a <spanx style="verb">Content-Type</span
x> parameter of <spanx style="verb">hp-legacy-display</spanx> with value <spanx
style="verb">1</spanx> to the MIME part to indicate that a Legacy Display Elemen
t was added.</t>
<t>For example, if the list of obscured Header Fields was <spanx style="verb">[(
"Cc", "alice@example.net"), ("Subject", "Thursday's meeting")]</spanx>, then a <
spanx style="verb">text/html</spanx> Main Body Part that originally looked like
this:</t>
<figure><artwork><![CDATA[
Content-Type: text/html; charset=UTF-8 Content-Type: text/html; charset=UTF-8
<html><head><title></title></head><body> <html><head><title></title></head><body>
<p>I think we should skip the meeting.</p> <p>I think we should skip the meeting.</p>
</body></html> </body></html>
]]></artwork></figure> ]]></artwork>
<t>would become:</t>
<t>Would become:</t> <artwork><![CDATA[
<figure><artwork><![CDATA[
Content-Type: text/html; charset=UTF-8; hp-legacy-display=1 Content-Type: text/html; charset=UTF-8; hp-legacy-display=1
<html><head><title></title></head><body> <html><head><title></title></head><body>
<div class="header-protection-legacy-display"> <div class="header-protection-legacy-display">
<pre>Subject: Thursday's meeting <pre>Subject: Thursday's meeting
Cc: alice@example.net</pre></div> Cc: alice@example.net</pre></div>
<p>I think we should skip the meeting.</p> <p>I think we should skip the meeting.</p>
</body></html> </body></html>
]]></artwork></figure> ]]></artwork>
<t>This example assumes that the Main Body Part in question is not the
<t>This example assumes that the Main Body Part in question is not the root of t root of the Cryptographic Payload.
he Cryptographic Payload. For instance, it could be a leaf of a <tt>multipart/alternative</tt> Cryptograph
For instance, it could be a leaf of a <spanx style="verb">multipart/alternative< ic Payload.
/spanx> Cryptographic Payload.
This is why no additional Header Fields have been injected into the MIME part in this example.</t> This is why no additional Header Fields have been injected into the MIME part in this example.</t>
<section anchor="step-by-step-example-for-inserting-legacy-display-ele
<section anchor="step-by-step-example-for-inserting-legacy-display-element-to-te ment-to-texthtml">
xthtml"><name>Step-by-step Example for Inserting Legacy Display Element to text/ <name>Step-by-Step Example for Inserting a Legacy Display Element in
html</name> to text/html</name>
<t>A composing MUA <bcp14>MAY</bcp14> insert the Legacy Display Elem
<t>A composing MUA <bcp14>MAY</bcp14> insert the Legacy Display Element anywhere ent anywhere reasonable within the message as long as it prioritizes visibility
reasonable within the message as long as it prioritizes visibility for the read for the reader using a Legacy MUA that is capable of decryption.
er using a Legacy decryption-capable MUA.
This decision may take into account special message-specific HTML formatting exp ectations if the MUA is aware of them. This decision may take into account special message-specific HTML formatting exp ectations if the MUA is aware of them.
However, some MUAs may not have any special insight into the user's preferred HT ML formatting, and still want to insert a Legacy Display Element. However, some MUAs may not have any special insight into the user's preferred HT ML formatting and still want to insert a Legacy Display Element.
This section offers a non-normative, simple, and minimal step-by-step approach f or a composing MUA that has no other information or preferences to fall back on. </t> This section offers a non-normative, simple, and minimal step-by-step approach f or a composing MUA that has no other information or preferences to fall back on. </t>
<t>The process below assumes that the MUA already has the full HTML
<t>The process below assumes that the MUA already has the full HTML object that object that it intends to send, including all of the text supplied by the user.<
it intends to send, including all of the text supplied by the user.</t> /t>
<ol spacing="normal" type="1"><li>
<t><list style="numbers" type="1"> <t>Assemble the text exactly as specified for <tt>text/plain</tt
<t>Assemble the text exactly as specified for <spanx style="verb">text/plain</ > (see <xref target="ld-text-plain"/>).</t>
spanx> (see <xref target="ld-text-plain"/>).</t> </li>
<t>Wrap that text in a verbatim <spanx style="verb">&lt;pre&gt;</spanx> elemen <li>
t.</t> <t>Wrap that text in a verbatim <tt>&lt;pre&gt;</tt> element.</t
<t>Wrap that <spanx style="verb">&lt;pre&gt;</spanx> element in a <spanx style >
="verb">&lt;div&gt;</spanx> element annotated with the class <spanx style="verb" </li>
>header-protection-legacy-display</spanx>.</t> <li>
<t>Find the <spanx style="verb">&lt;body&gt;</spanx> element of the full HTML <t>Wrap that <tt>&lt;pre&gt;</tt> element in a <tt>&lt;div&gt;</
object.</t> tt> element annotated with the class <tt>header-protection-legacy-display</tt>.<
<t>Insert the <spanx style="verb">&lt;div&gt;</spanx> element as the first chi /t>
ld of the <spanx style="verb">&lt;body&gt;</spanx> element.</t> </li>
</list></t> <li>
<t>Find the <tt>&lt;body&gt;</tt> element of the full HTML objec
</section> t.</t>
</section> </li>
<section anchor="ld-main-body-only"><name>Only Add a Legacy Display Element to M <li>
ain Body Parts</name> <t>Insert the <tt>&lt;div&gt;</tt> element as the first child of
the <tt>&lt;body&gt;</tt> element.</t>
<t>Some messages may contain a <spanx style="verb">text/plain</spanx> or <spanx </li>
style="verb">text/html</spanx> subpart that is <em>not</em> a Main Body Part. </ol>
For example, an e-mail message might contain an attached text file or a download </section>
ed webpage. </section>
<section anchor="ld-main-body-only">
<name>Only Add a Legacy Display Element to Main Body Parts</name>
<t>Some messages may contain a <tt>text/plain</tt> or <tt>text/html</t
t> subpart that is <em>not</em> a Main Body Part.
For example, an email message might contain an attached text file or a downloade
d web page.
Attached documents need to be preserved as intended in the transmission, without modification.</t> Attached documents need to be preserved as intended in the transmission, without modification.</t>
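Review bot: step 2 of the text/html procedure above ("Wrap that text in a verbatim <pre> element") does not say to HTML-escape the assembled header text first. As shown here, a Subject or Cc value containing "<" or "&" would be parsed as markup by the Legacy MUA's renderer instead of being displayed. Suggest adding an explicit escaping step between steps 1 and 2, or a sentence stating that the text from step 1 is escaped before it is wrapped.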
<t>The composing MUA <bcp14>MUST NOT</bcp14> add a Legacy Display Elem
ent to any part of the message that is not a Main Body Part.
In particular, if a part is annotated with <tt>Content-Disposition: attachment</
tt>, or if it does not descend via the first child of any of its <tt>multipart/m
ixed</tt> or <tt>multipart/related</tt> ancestors, it is not a Main Body Part an
d <bcp14>MUST NOT</bcp14> be modified.</t>
<t>See <xref section="7.1" sectionFormat="of" target="RFC9787"/> for m
ore guidance about common ways to distinguish Main Body Parts from other MIME pa
rts in a message.</t>
</section>
<section anchor="ld-other-content-types">
<name>Do Not Add a Legacy Display Element to Other Content-Types</name
>
<t>The composing MUA <bcp14>MUST NOT</bcp14> add a Legacy Display Element to any <!--[rfced] As "Main Body Part" is a term used throughout the document, may we
part of the message that is not a Main Body Part. update this sentence as shown below?
In particular, if a part is annotated with <spanx style="verb">Content-Dispositi
on: attachment</spanx>, or if it does not descend via the first child of any of
its <spanx style="verb">multipart/mixed</spanx> or <spanx style="verb">multipart
/related</spanx> ancestors, it is not a Main Body Part, and <bcp14>MUST NOT</bcp
14> be modified.</t>
<t>See <xref section="7.1" sectionFormat="of" target="I-D.ietf-lamps-e2e-mail-gu
idance"/> for more guidance about common ways to distinguish Main Body Parts fro
m other MIME parts in a message.</t>
</section>
<section anchor="ld-other-content-types"><name>Do Not Add a Legacy Display Eleme
nt to Other Content-Types</name>
<t>The purpose of injecting a Legacy Display Element into each Main Body MIME pa
rt is to enable rendering of otherwise obscured Header Fields in Legacy MUAs tha
t are capable of message decryption, but don't know how to follow the rest of th
e guidance in this document.</t>
<t>The authors are unaware of any Legacy MUA that would render any MIME part typ Original:
e other than <spanx style="verb">text/plain</spanx> and <spanx style="verb">text The purpose of injecting a Legacy Display Element into each Main Body
/html</spanx> as the Main Body. MIME part is to enable rendering of otherwise obscured Header Fields
A generating MUA <bcp14>SHOULD NOT</bcp14> add a Legacy Display Element to any M in Legacy MUAs that are capable of message decryption...
IME part with any other <spanx style="verb">Content-Type</spanx>.</t>
</section> Perhaps:
</section> The purpose of injecting a Legacy Display Element into each MIME Main
</section> Body Part is to enable rendering of otherwise obscured Header Fields
<section anchor="replying"><name>Replying and Forwarding Guidance</name> in Legacy MUAs that are capable of message decryption...
-->
<t>An MUA might create a new message in response to another message, thus acting <t>The purpose of injecting a Legacy Display Element into each Main Bo
both as a receiving MUA and as a sending MUA. dy MIME part is to enable rendering of otherwise obscured Header Fields in Legac
y MUAs that are capable of message decryption but don't know how to follow the r
est of the guidance in this document.</t>
<t>The authors are unaware of any Legacy MUA that would render any MIM
E part type other than <tt>text/plain</tt> and <tt>text/html</tt> as the Main Bo
dy.
A generating MUA <bcp14>SHOULD NOT</bcp14> add a Legacy Display Element to any M
IME part with any other <tt>Content-Type</tt>.</t>
</section>
</section>
</section>
<section anchor="replying">
<name>Replying and Forwarding Guidance</name>
<t>An MUA might create a new message in response to another message, thus
acting both as a receiving MUA and as a sending MUA.
For example, the user of an MUA viewing any given message might take an action l ike "Reply", "Reply All", "Forward", or some comparable action to start the comp osition of a new message. For example, the user of an MUA viewing any given message might take an action l ike "Reply", "Reply All", "Forward", or some comparable action to start the comp osition of a new message.
The new message created this way effectively references the original message tha t was viewed at the time.</t> The new message created this way effectively references the original message tha t was viewed at the time.</t>
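Review bot: the "<!--[rfced] ... -->" query about "Main Body Part" is still embedded in the right-hand XML, and the paragraph that follows it keeps the "Original" wording ("each Main Body MIME part"), so the question is unanswered in this revision. Suggest settling on one phrasing that matches the defined term "Main Body Part" and deleting the comment before the file is final.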
<t>For encrypted messages, special guidance applies, because information c
<t>For encrypted messages, special guidance applies, because information can lea an leak in at least two ways: leaking previously confidential Header Fields and
k in at least two ways: leaking previously confidential Header Fields, and leaki leaking the entire message by sending the reply or forward to the wrong party.</
ng the entire message by sending the reply or forward to the wrong party.</t> t>
<section anchor="avoid-leak">
<section anchor="avoid-leak"><name>Avoid Leaking Encrypted Header Fields in Repl <name>Avoid Leaking Encrypted Header Fields in Replies and Forwards</nam
ies and Forwards</name> e>
<t>As noted in <xref section="5.4" sectionFormat="of" target="RFC9787"/>
<t>As noted in <xref section="5.4" sectionFormat="of" target="I-D.ietf-lamps-e2e , an MUA in this position <bcp14>MUST NOT</bcp14> leak previously encrypted cont
-mail-guidance"/>, an MUA in this position <bcp14>MUST NOT</bcp14> leak previous ent in the clear in a follow-up message.
ly encrypted content in the clear in a follow-up message.
The same is true for protected Header Fields.</t> The same is true for protected Header Fields.</t>
<t>Values from any Header Field that was identified as either <tt>encryp
<t>Values from any Header Field that was identified as either <spanx style="verb ted-only</tt> or <tt>signed-and-encrypted</tt> based on the steps outlined above
">encrypted-only</spanx> or <spanx style="verb">signed-and-encrypted</spanx> bas <bcp14>MUST NOT</bcp14> be placed in cleartext output when generating a message
ed on the steps outlined above <bcp14>MUST NOT</bcp14> be placed in cleartext ou .</t>
tput when generating a message.</t> <t>In particular, if <tt>Subject</tt> was encrypted, and it is copied in
to the draft encrypted reply, the replying MUA <bcp14>MUST</bcp14> obscure the u
<t>In particular, if <spanx style="verb">Subject</spanx> was encrypted, and it i nprotected (cleartext) <tt>Subject</tt> Header Field.</t>
s copied into the draft encrypted reply, the replying MUA <bcp14>MUST</bcp14> ob <t>When crafting the Header Fields for a reply or forwarded message, the
scure the unprotected (cleartext) <spanx style="verb">Subject</spanx> Header Fie composing MUA <bcp14>SHOULD</bcp14> make use of the <tt>HP-Outer</tt> Header Fi
ld.</t> elds from within the Cryptographic Envelope of the reference message to ensure t
hat Header Fields derived from the reference message do not leak in the reply.</
<t>When crafting the Header Fields for a reply or forwarded message, the composi t>
ng MUA <bcp14>SHOULD</bcp14> make use of the <spanx style="verb">HP-Outer</spanx <t>On a high level, this can be achieved as follows:
> Header Fields from within the Cryptographic Envelope of the reference message
to ensure that Header Fields derived from the reference message do not leak in t
he reply.</t>
<t>On a high-level, this can be achieved as follows:
Consider a Header Field in a reply message that is generated by derivation from a Header Field in the reference message. Consider a Header Field in a reply message that is generated by derivation from a Header Field in the reference message.
For example, the <spanx style="verb">To</spanx> Header Field is typically derive d from the reference message's <spanx style="verb">Reply-To</spanx> or <spanx st yle="verb">From</spanx> Header Fields. For example, the <tt>To</tt> Header Field is typically derived from the referenc e message's <tt>Reply-To</tt> or <tt>From</tt> Header Fields.
When generating the outer copy of the Header Field, the composing MUA first appl ies its own <iref item="Header Confidentiality Policy"/><xref target="header-con fidentiality-policy" format="none">Header Confidentiality Policy</xref>. When generating the outer copy of the Header Field, the composing MUA first appl ies its own <iref item="Header Confidentiality Policy"/><xref target="header-con fidentiality-policy" format="none">Header Confidentiality Policy</xref>.
If the Header Field's value is changed by the <iref item="HCP"/><xref target="he ader-confidentiality-policy" format="none">HCP</xref>, then it is applied to the outside header. If the Header Field's value is changed by the <iref item="HCP"/><xref target="he ader-confidentiality-policy" format="none">HCP</xref>, then it is applied to the outside header.
If the Header Field's value is unchanged, the composing MUA re-generates the Hea If the Header Field's value is unchanged, the composing MUA regenerates the Head
der Field using the Header Fields that had been on the outside of the original m er Field using the Header Fields that had been on the outside of the original me
essage at sending time. ssage at sending time.
These can be inferred from the <spanx style="verb">HP-Outer</spanx> Header Field These can be inferred from the <tt>HP-Outer</tt> Header Fields located within th
s located within the Cryptographic Payload of the referenced message. e Cryptographic Payload of the referenced message.
If that value is itself different than the protected value, then it is applied t o the outside header. If that value is itself different than the protected value, then it is applied t o the outside header.
If the value is the same as the protected value, then it is simply copied to the outside header directly. If the value is the same as the protected value, then it is simply copied to the outside header directly.
Whether it was changed or not, it is noted in the protected Header Section using Whether it was changed or not, it is noted in the protected Header Section using
<spanx style="verb">HP-Outer</spanx>, as described in <xref target="new-header- <tt>HP-Outer</tt>, as described in <xref target="new-header-field"/>.</t>
field"/>.</t> <t>See <xref target="reply-example"/> for a simple worked example of thi
s process.</t>
<t>See <xref target="reply-example"/> for a simple worked example of this proces <t>Below we describe a supporting algorithm to handle this.
s.</t>
<t>Below we describe a supporting algorithm to handles this.
It produces a list of Header Fields that should be obscured or removed in the ne w message even if the sender's choice of <iref item="Header Confidentiality Poli cy"/><xref target="header-confidentiality-policy" format="none">Header Confident iality Policy</xref> wouldn't normally remove or obscure the Header Field in que stion. It produces a list of Header Fields that should be obscured or removed in the ne w message even if the sender's choice of <iref item="Header Confidentiality Poli cy"/><xref target="header-confidentiality-policy" format="none">Header Confident iality Policy</xref> wouldn't normally remove or obscure the Header Field in que stion.
This is effectively a single-use <iref item="HCP"/><xref target="header-confiden tiality-policy" format="none">HCP</xref>. This is effectively a single-use <iref item="HCP"/><xref target="header-confiden tiality-policy" format="none">HCP</xref>.
The normal sending guidance in <xref target="compose"/> applies this single-use <iref item="HCP"/><xref target="header-confidentiality-policy" format="none">HCP </xref> to implement the high-level guidance above.</t> The normal sending guidance in <xref target="compose"/> applies this single-use <iref item="HCP"/><xref target="header-confidentiality-policy" format="none">HCP </xref> to implement the high-level guidance above.</t>
<section anchor="referencehcp">
<section anchor="referencehcp"><name>ReferenceHCP</name> <name>ReferenceHCP</name>
<t>The algorithm takes two inputs:</t>
<t>The algorithm takes two inputs:</t> <ul spacing="normal">
<li>
<t><list style="symbols"> <t>A single referenced message <tt>refmsg</tt></t>
<t>A single referenced message <spanx style="verb">refmsg</spanx>, and</t> </li>
<t>A built-in MUA function <spanx style="verb">respond</spanx> associated with <li>
the user's action. <t>A built-in MUA <tt>respond</tt> function associated with the us
<spanx style="verb">respond</spanx> takes as input a list of headers from a refe er's action.
renced message and generates a list of initial candidate message Header Field na The <tt>respond</tt> function takes a list of headers from a referenced message
mes and values that are used to populate the message composition interface. as input and generates a list of initial candidate message Header Field names an
d values that are used to populate the message composition interface.
Something like this function already exists in most MUAs, though it may differ a cross responsive actions. Something like this function already exists in most MUAs, though it may differ a cross responsive actions.
For example, the <spanx style="verb">respond</spanx> function that implements "R For example, the <tt>respond</tt> function that implements "Reply All" is likely
eply All" is likely to be a different from the <spanx style="verb">respond</span to be a different from the <tt>respond</tt> that implements "Reply".</t>
x> that implements "Reply".</t> </li>
</list></t> </ul>
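Review bot: the last sentence of the "respond" item still reads "is likely to be a different from" in both columns, so the grammar slip survived an edit that otherwise reworded this item. Suggest "is likely to be different from the respond function that implements "Reply"".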
<t>As an output, it produces an ephemeral single-use <iref item="Heade
<t>As an output, it produces an ephemeral single-use <iref item="Header Confiden r Confidentiality Policy"/><xref target="header-confidentiality-policy" format="
tiality Policy"/><xref target="header-confidentiality-policy" format="none">Head none">Header Confidentiality Policy</xref>, specific to this kind of response to
er Confidentiality Policy</xref>, specific to this kind of response to this spec this specific message.</t>
ific message.</t> <t>Method signature:</t>
<t><tt>
<t>Method signature:</t> ReferenceHCP(refmsg, respond) -&gt; ephemeral_hcp
</tt></t>
<t><spanx style="verb"> <t>Procedure:</t>
ReferenceHCP(refmsg, respond) → ephemeral_hcp <ol spacing="normal" type="1"><li>
</spanx></t> <t>If <tt>refmsg</tt> is not encrypted with Header Protection:
</t>
<t>Procedure:</t> <ol spacing="normal" type="i"><li>
<t>Return <tt>hcp_no_confidentiality</tt> (there is no header
<t><list style="numbers" type="1"> confidentiality in the reference message that needs protection).</t>
<t>If <spanx style="verb">refmsg</spanx> is not encrypted with Header Protecti </li>
on: </ol>
<list style="numbers" type="i"> </li>
<t>Return <spanx style="verb">hcp_no_confidentiality</spanx> (there is no <li>
header confidentiality in the reference message that needs protection)</t> <t>Extract <tt>refouter</tt>, <tt>refprotected</tt> from <tt>refms
</list></t> g</tt> as described in <xref target="extracting-headers"/>.</t>
<t>Extract <spanx style="verb">refouter</spanx>, <spanx style="verb">refprotec </li>
ted</spanx> from <spanx style="verb">refmsg</spanx> as described in <xref target <li>
="extracting-headers"/></t> <t>Let <tt>genprotected</tt> be a list of <tt>(h,v)</tt> pairs gen
<t>Let <spanx style="verb">genprotected</spanx> be a list of <spanx style="ver erated by <tt>respond(refprotected)</tt>.</t>
b">(h,v)</spanx> pairs generated by <spanx style="verb">respond(refprotected)</s </li>
panx></t> <li>
<t>Let <spanx style="verb">genouter</spanx> be a list of <spanx style="verb">( <t>Let <tt>genouter</tt> be a list of <tt>(h,v)</tt> pairs generat
h,v)</spanx> pairs generated by <spanx style="verb">respond(refouter)</spanx></t ed by <tt>respond(refouter)</tt>.</t>
> </li>
<t>For each <spanx style="verb">(h,v)</spanx> in <spanx style="verb">genprotec <li>
ted</spanx>: <t>For each <tt>(h,v)</tt> in <tt>genprotected</tt>:
<list style="numbers" type="i"> </t>
<t>If <spanx style="verb">(h,v)</spanx> is in <spanx style="verb">genouter <ol spacing="normal" type="i"><li>
</spanx>: <t>If <tt>(h,v)</tt> is in <tt>genouter</tt>:
<list style="numbers" type="a"> </t>
<t>Remove <spanx style="verb">(h,v)</spanx> from both <spanx style="ve <ol spacing="normal" type="a"><li>
rb">genprotected</spanx> and <spanx style="verb">genouter</spanx> (this Header F <t>Remove <tt>(h,v)</tt> from both <tt>genprotected</tt> a
ield does not need additional confidentiality)</t> nd <tt>genouter</tt> (this Header Field does not need additional confidentiality
</list></t> ).</t>
</list></t> </li>
<t>Let <spanx style="verb">confmap</spanx> be a mapping from a Header Field na </ol>
me and value <spanx style="verb">(h,v)</spanx> to either a string or the special </li>
value <spanx style="verb">null</spanx> (this mapping is initially empty)</t> </ol>
<t>For each <spanx style="verb">(h,v)</spanx> remaining in <spanx style="verb" </li>
>genprotected</spanx>: <li>
<list style="numbers" type="i"> <t>Let <tt>confmap</tt> be a mapping from a Header Field name and
<t>Set <spanx style="verb">result</spanx> to the special value <spanx styl value <tt>(h,v)</tt> to either a string or the special value <tt>null</tt> (this
e="verb">null</spanx></t> mapping is initially empty).</t>
<t>For each <spanx style="verb">(h1,v1)</spanx> in <spanx style="verb">gen </li>
outer</spanx>: <li>
<list style="numbers" type="a"> <t>For each <tt>(h,v)</tt> remaining in <tt>genprotected</tt>:
<t>If <spanx style="verb">h1</spanx> is <spanx style="verb">h</spanx>: </t>
<list style="numbers" type="I"> <ol spacing="normal" type="i"><li>
<t>Set <spanx style="verb">result</spanx> to <spanx style="verb">v <t>Set <tt>result</tt> to the special value <tt>null</tt>.</t>
1</spanx></t> </li>
</list></t> <li>
</list></t> <t>For each <tt>(h1,v1)</tt> in <tt>genouter</tt>:
<t>Insert <spanx style="verb">(h,v) -&gt; result</spanx> into <spanx style </t>
="verb">confmap</spanx></t> <ol spacing="normal" type="a"><li>
</list></t> <t>If <tt>h1</tt> is <tt>h</tt>:
<t>Return a new <iref item="HCP"/><xref target="header-confidentiality-policy" </t>
format="none">HCP</xref> from <spanx style="verb">confmap</spanx> that tests wh <ol spacing="normal" type="I"><li>
ether <spanx style="verb">(name,val_in)</spanx> are in <spanx style="verb">confm <t>Set <tt>result</tt> to <tt>v1</tt>.</t>
ap</spanx>; if so, return <spanx style="verb">confmap[(name,val_in)]</spanx>; ot </li>
herwise, return <spanx style="verb">val_in</spanx></t> </ol>
</list></t> </li>
</ol>
<t>Note that the key idea here is to reuse the MUA's existing <spanx style="verb </li>
">respond</spanx> function. <li>
The algorithm simulates how the MUA would pre-populate a reply to two traditiona <t>Insert <tt>(h,v) -&gt; result</tt> into <tt>confmap</tt>.</
l messages whose Header Fields have the values <spanx style="verb">refouter</spa t>
nx> and <spanx style="verb">refprotected</spanx> respectively (independent of an </li>
y cryptographic protections). </ol>
Then it uses the difference to derive a one-time <iref item="HCP"/><xref target= </li>
"header-confidentiality-policy" format="none">HCP</xref>. <li>
<t>Return a new <iref item="HCP"/><xref target="header-confidentia
lity-policy" format="none">HCP</xref> from <tt>confmap</tt> that tests whether <
tt>(name,val_in)</tt> is in <tt>confmap</tt>; if so, return <tt>confmap[(name,va
l_in)]</tt>; otherwise, return <tt>val_in</tt>.</t>
</li>
</ol>
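Review bot: in step 7 of the procedure, the inner loop over genouter sets result to v1 on every name match, so when genouter holds two entries with the same Header Field name the last one silently wins. Nothing says whether "h1 is h" compares names case-insensitively either. Suggest stating the comparison rule and what happens when a name repeats (for example, stop at the first match), since confmap decides what ends up in the cleartext outer Header Section of the reply.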
<t>Note that the key idea here is to reuse the MUA's existing <tt>resp
ond</tt> function.
The algorithm simulates how the MUA would pre-populate a reply to two traditiona
l messages whose Header Fields have the values <tt>refouter</tt> and <tt>refprot
ected</tt>, respectively (independent of any cryptographic protections).
Then, it uses the difference to derive a one-time <iref item="HCP"/><xref target
="header-confidentiality-policy" format="none">HCP</xref>.
This <iref item="HCP"/><xref target="header-confidentiality-policy" format="none ">HCP</xref> takes into account both the referenced message's sender's preferenc es and the derivations that can happen to Header Field values when responding. This <iref item="HCP"/><xref target="header-confidentiality-policy" format="none ">HCP</xref> takes into account both the referenced message's sender's preferenc es and the derivations that can happen to Header Field values when responding.
Note that while some of these derivations are straight forward (e.g., <spanx sty Note that while some of these derivations are straightforward (e.g., <tt>In-Repl
le="verb">In-Reply-To</spanx> is usually derived from <spanx style="verb">Messag y-To</tt> is usually derived from <tt>Message-ID</tt>), others are non-trivial.
e-ID</spanx>), others are non-trivial. For example, the <tt>From</tt> address may be derived from <tt>To</tt>, <tt>Cc</
For example, the <spanx style="verb">From</spanx> address may be derived from <s tt>, or the MUA's local address preference (especially when the MUA received the
panx style="verb">To</spanx>, <spanx style="verb">Cc</spanx>, or from the MUA's referenced message via <tt>Bcc</tt>).
local address preference (especially when the MUA received the referenced messag Similarly, <tt>To</tt> may be derived from <tt>To</tt>, <tt>From</tt>, and/or <t
e via <spanx style="verb">Bcc</spanx>). t>Cc</tt> Header Fields depending on the MUA implementation and depending on whe
Similarly, <spanx style="verb">To</spanx> may be derived from <spanx style="verb ther the user clicked "Reply", "Reply All", "Forward", or any other action that
">To</spanx>, <spanx style="verb">From</spanx>, and/or <spanx style="verb">Cc</s generates a response to a message.
panx> Header Fields depending on the MUA implementation and depending on whether Reusing the MUA's existing <tt>respond</tt> function incorporates these nuances
the user clicked "Reply", "Reply All", "Forward", or any other action that gene without requiring any extra configuration choices or additional maintenance burd
rates a response to a message. en.</t>
Reusing the MUA's existing <spanx style="verb">respond</spanx> function incorpor </section>
ates these nuances without requiring any extra configuration choices or addition </section>
al maintenance burden.</t> <section anchor="avoid-misdirected-replies">
<name>Avoid Misdirected Replies</name>
</section> <t>When replying to a message, the composing MUA typically decides who t
</section> o send the reply to based on:</t>
<section anchor="avoid-misdirected-replies"><name>Avoid Misdirected Replies</nam <ul spacing="normal">
e> <li>
<t>the <tt>Reply-To</tt>, <tt>Mail-Followup-To</tt>, or <tt>From</tt
<t>When replying to a message, the Composing MUA typically decides who to send t > Header Fields</t>
he reply to based on:</t> </li>
<li>
<t><list style="symbols"> <t>optionally, the other <tt>To</tt> or <tt>Cc</tt> Header Fields (i
<t>the <spanx style="verb">Reply-To</spanx>, <spanx style="verb">Mail-Followup f the user chose to "Reply All")</t>
-To</spanx>, or <spanx style="verb">From</spanx> Header Fields</t> </li>
<t>optionally, the other <spanx style="verb">To</spanx> or <spanx style="verb" </ul>
>Cc</spanx> Header Fields (if the user chose to "reply all")</t> <t>When a message has Header Protection, the replying MUA <bcp14>MUST</b
</list></t> cp14> populate the destination fields of the draft message using the protected H
eader Fields and ignore any unprotected Header Fields.</t>
<t>When a message has Header Protection, the replying MUA <bcp14>MUST</bcp14> po
pulate the destination fields of the draft message using the protected Header Fi
elds, and ignore any unprotected Header Fields.</t>
<t>This mitigates against an attack where Mallory gets a copy of an encrypted me
ssage from Alice to Bob, and then replays the message to Bob with an additional
<spanx style="verb">Cc</spanx> to Mallory's own e-mail address in the message's
outer (unprotected) Header Section.</t>
<t>If Bob knows Mallory's certificate already, and he replies to such a message
without following the guidance in this section, it's likely that his MUA will en
crypt the cleartext of the message directly to Mallory.</t>
</section>
</section>
<section anchor="fields-added-in-transit"><name>Unprotected Header Fields Added
in Transit</name>
<t>Some Header Fields are legitimately added in transit and could not have been
known to the sender at message composition time.</t>
<t>The most common of these Header Fields are <spanx style="verb">Received</span
x> and <spanx style="verb">DKIM-Signature</spanx>, neither of which are typicall
y rendered, either explicitly or implicitly.</t>
<t>If a receiving MUA has specific knowledge about a given Header Field, includi
ng that:</t>
<t><list style="symbols">
<t>the Header Field would not have been known to the original sender, and</t>
<t>the Header Field might be rendered explicitly or implicitly,</t>
</list></t>
<t>then the MUA <bcp14>MAY</bcp14> decide to operate on the value of that Header
Field from the unprotected Header Section, even though the message has Header P
rotection.</t>
<t>The MUA <bcp14>MAY</bcp14> prefer to verify that the Header Fields in questio
n have additional transit-derived cryptographic protections before rendering or
acting on them.
For example, the MUA could verify whether these Header Fields are covered by an
appropriate and valid <spanx style="verb">ARC-Authentication-Results</spanx> (se
e <xref target="RFC8617"/>) or <spanx style="verb">DKIM-Signature</spanx> (see <
xref target="RFC6376"/>) Header Field.</t>
<t>Specific examples of user-meaningful Header Fields commonly added by transpor
t agents appear below.</t>
<section anchor="mailing-list-header-fields-list-and-archived-at"><name>Mailing
list Header Fields: List-* and Archived-At</name>
<t>If the message arrives through a mailing list, the list manager itself may in
ject Header Fields (most have a <spanx style="verb">List-</spanx> prefix) in the
message:</t>
<t><list style="symbols">
<t><spanx style="verb">List-Archive</spanx></t>
<t><spanx style="verb">List-Subscribe</spanx></t>
<t><spanx style="verb">List-Unsubscribe</spanx></t>
<t><spanx style="verb">List-Id</spanx></t>
<t><spanx style="verb">List-Help</spanx></t>
<t><spanx style="verb">List-Post</spanx></t>
<t><spanx style="verb">Archived-At</spanx></t>
</list></t>
<t>For some MUAs, these Header Fields are implicitly rendered, by providing butt
ons for actions like "Subscribe", "View Archived Version", "Reply List", "List I
nfo", etc.</t>
<t>An MUA that receives a message with Header Protection that contains these Hea
der Fields in the unprotected section, and that has reason to believe the messag
e is coming through a mailing list <bcp14>MAY</bcp14> decide to render them to t
he user (explicitly or implicitly) even though they are not protected.</t>
</section>
</section>
<section anchor="e-mail-ecosystem-evolution"><name>E-mail Ecosystem Evolution</n
ame>
<t>The e-mail ecosystem is the set of client-side and server-side software and p
olicies that are used in the creation, transmission, storage, rendering, and ind
exing of electronic mail over the Internet.</t>
<t>This document is intended to offer tooling needed to improve the state of the
e-mail ecosystem in a way that can be deployed without significant disruption.
Some elements of this specification are present for transitional purposes, but w
ould not exist if the system were designed from scratch.</t>
<t>This section describes these transitional mechanisms, as well as some suggest
ions for how they might eventually be phased out.</t>
<section anchor="dropping-legacy-display-elements"><name>Dropping Legacy Display
Elements</name>
<t>Any decorative Legacy Display Element added to an encrypted message that uses
Header Protection is present strictly for enabling Header Field visibility (mos
t importantly, the Subject Header Field) when the message is viewed with a decry
ption-capable Legacy MUA.</t>
<t>Eventually, the hope is that most decryption-capable MUAs will conform to thi <t>This mitigates against an attack where Mallory gets a copy of an encr
s specification, and there will be no need for injection of Legacy Display Eleme ypted message from Alice to Bob and then relays the message to Bob with an addit
nts in the message body. ional <tt>Cc</tt> to Mallory's own email address in the message's outer (unprote
cted) Header Section.</t>
<t>If Bob knows Mallory's certificate already, and he replies to such a
message without following the guidance in this section, it's likely that his MUA
will encrypt the cleartext of the message directly to Mallory.</t>
</section>
</section>
<section anchor="fields-added-in-transit">
<name>Unprotected Header Fields Added in Transit</name>
<t>Some Header Fields are legitimately added in transit and could not have
been known to the sender at message composition time.</t>
<t>The most common of these Header Fields are <tt>Received</tt> and <tt>DK
IM-Signature</tt>, neither of which are typically rendered, either explicitly or
implicitly.</t>
<t>If a receiving MUA has specific knowledge about a given Header Field, i
ncluding that:</t>
<ul spacing="normal">
<li>
<t>the Header Field would not have been known to the original sender a
nd</t>
</li>
<li>
<t>the Header Field might be rendered explicitly or implicitly,</t>
</li>
</ul>
<t>then the MUA <bcp14>MAY</bcp14> decide to operate on the value of that
Header Field from the unprotected Header Section, even though the message has He
ader Protection.</t>
<t>The MUA <bcp14>MAY</bcp14> prefer to verify that the Header Fields in q
uestion have additional transit-derived cryptographic protections before renderi
ng or acting on them.
For example, the MUA could verify whether these Header Fields are covered by an
appropriate and valid <tt>ARC-Authentication-Results</tt> (see <xref target="RFC
8617"/>) or <tt>DKIM-Signature</tt> (see <xref target="RFC6376"/>) Header Field.
</t>
<t>Specific examples of Header Fields that are meaningful to the user are
commonly added by the transport agents that appear below.</t>
<section anchor="mailing-list-header-fields-list-and-archived-at">
<name>Mailing List Header Fields: List-* and Archived-At</name>
<t>If the message arrives through a mailing list, the list manager itsel
f may inject Header Fields (most have a <tt>List-</tt> prefix) in the message:</
t>
<ul spacing="normal">
<li>
<t><tt>List-Archive</tt></t>
</li>
<li>
<t><tt>List-Subscribe</tt></t>
</li>
<li>
<t><tt>List-Unsubscribe</tt></t>
</li>
<li>
<t><tt>List-Id</tt></t>
</li>
<li>
<t><tt>List-Help</tt></t>
</li>
<li>
<t><tt>List-Post</tt></t>
</li>
<li>
<t><tt>Archived-At</tt></t>
</li>
</ul>
<t>For some MUAs, these Header Fields are implicitly rendered by providi
ng buttons for actions like "Subscribe", "View Archived Version", "Reply List",
"List Info", etc.</t>
<t>An MUA that receives a message with Header Protection that contains t
hese Header Fields in the unprotected section and that has reason to believe the
message is coming through a mailing list <bcp14>MAY</bcp14> decide to render th
em to the user (explicitly or implicitly) even though they are not protected.</t
>
</section>
</section>
<section anchor="e-mail-ecosystem-evolution">
<name>Email Ecosystem Evolution</name>
<t>The email ecosystem is the set of client-side and server-side software
and policies that are used in the creation, transmission, storage, rendering, an
d indexing of email over the Internet.</t>
<t>This document is intended to offer tooling needed to improve the state
of the email ecosystem in a way that can be deployed without significant disrupt
ion.
Some elements of this specification are present for transitional purposes but wo
uld not exist if the system were designed from scratch.</t>
<t>This section describes these transitional mechanisms, as well as some s
uggestions for how they might eventually be phased out.</t>
<section anchor="dropping-legacy-display-elements">
<name>Dropping Legacy Display Elements</name>
<t>Any decorative Legacy Display Element added to an encrypted message t
hat uses Header Protection is present strictly for enabling Header Field visibil
ity (most importantly, the Subject Header Field) when the message is viewed with
a decryption-capable Legacy MUA.</t>
<t>Eventually, the hope is that most decryption-capable MUAs will confor
m to this specification and there will be no need for injection of Legacy Displa
y Elements in the message body.
A survey of widely used decryption-capable MUAs might be able to establish when most of them do support this specification.</t> A survey of widely used decryption-capable MUAs might be able to establish when most of them do support this specification.</t>
<t>At that point, a composing MUA could set the <tt>legacy</tt> paramete
<t>At that point, a composing MUA could set the <spanx style="verb">legacy</span r defined in <xref target="compose"/> to <tt>false</tt> by default or could even
x> parameter defined in <xref target="compose"/> to <spanx style="verb">false</s hard-code it to <tt>false</tt>, yielding a much simpler message construction se
panx> by default or could even hard-code it to <spanx style="verb">false</spanx> t.</t>
, yielding a much simpler message construction set.</t> <t>Until that point, an end user might want to signal that their receivi
ng MUAs are conformant to this document so that a peer composing a message to th
<t>Until that point, an end user might want to signal that their receiving MUAs em can set <tt>legacy</tt> to <tt>false</tt>.
are conformant to this document so that a peer composing a message to them can s A signal indicating capability of handling messages with Header Protection might
et <spanx style="verb">legacy</spanx> to <spanx style="verb">false</spanx>. be placed in the user's cryptographic certificate or in outbound messages.</t>
A signal indicating capability of handling messages with Header Protection might <t>This document does not attempt to define the syntax or semantics of s
be placed in the user's cryptographic certificate, or in outbound messages.</t> uch a signal.</t>
</section>
<t>This document does not attempt to define the syntax or semantics of such a si <section anchor="more-ambitious-default-header-confidentiality-policy">
gnal.</t> <name>More Ambitious Default Header Confidentiality Policy</name>
<t>This document defines a few different forms of <iref item="Header Con
</section> fidentiality Policy"/><xref target="header-confidentiality-policy" format="none"
<section anchor="more-ambitious-default-header-confidentiality-policy"><name>Mor >Header Confidentiality Policy</xref>.
e Ambitious Default Header Confidentiality Policy</name> An MUA implementing an <iref item="HCP"/><xref target="header-confidentiality-po
licy" format="none">HCP</xref> for the first time <bcp14>SHOULD</bcp14> deploy <
<t>This document defines a few different forms of <iref item="Header Confidentia tt>hcp_baseline</tt> as recommended in <xref target="default-hcp"/>.
lity Policy"/><xref target="header-confidentiality-policy" format="none">Header
Confidentiality Policy</xref>.
An MUA implementing an <iref item="HCP"/><xref target="header-confidentiality-po
licy" format="none">HCP</xref> for the first time <bcp14>SHOULD</bcp14> deploy <
spanx style="verb">hcp_baseline</spanx> as recommended in <xref target="default-
hcp"/>.
This <iref item="HCP"/><xref target="header-confidentiality-policy" format="none ">HCP</xref> offers the most commonly expected protection (obscuring the Subject Header Field) without risking deliverability or rendering issues.</t> This <iref item="HCP"/><xref target="header-confidentiality-policy" format="none ">HCP</xref> offers the most commonly expected protection (obscuring the Subject Header Field) without risking deliverability or rendering issues.</t>
<t>The HCPs proposed in this document are relatively conservative and st
ill leak a significant amount of metadata for encrypted messages.
This is largely done to ensure deliverability (see <xref target="delivera
bility"/>) and usability, as messages without some critical Header Fields are mo
re likely to not reach their intended recipient.</t>
<t>The HCPs proposed in this document are relatively conservative and still leak <!--[rfced] Is a "mail transport system" the same thing as a "mail transport
a significant amount of metadata for encrypted messages. agent"? If so, may we update this sentence to use "mail transport agents"
This is largely done to ensure deliverability (see <xref target="deliverability" for consistency with the rest of the document?
/>) and usability, as messages without some critical Header Fields are more like
ly to not reach their intended recipient.</t>
<t>In the future, some mail transport systems may accept and deliver messages wi
th even less publicly visible metadata.
Many MTA operators today would ask for additional guarantees about such a messag
e to limit the risks associated with abusive or spammy mail.</t>
<t>This specification offers the <iref item="HCP"/><xref target="header-confiden
tiality-policy" format="none">HCP</xref> formalism itself as a way for MUA devel
opers and MTA operators to describe their expectations around message deliverabi
lity.
MUA developers can propose a more ambitious default <iref item="HCP"/><xref targ
et="header-confidentiality-policy" format="none">HCP</xref>, and ask MTA operato
rs (or simply test) whether their MTAs would be likely to deliver or reject encr
ypted mail with that <iref item="HCP"/><xref target="header-confidentiality-poli
cy" format="none">HCP</xref> applied.
Proponents of a more ambitious <iref item="HCP"/><xref target="header-confidenti
ality-policy" format="none">HCP</xref> should explicitly document the <iref item
="HCP"/><xref target="header-confidentiality-policy" format="none">HCP</xref> an
d name it clearly and unambiguously to facilitate this kind of interoperability
discussion.</t>
<t>Reaching widespread consensus around a more ambitious global default <iref it
em="HCP"/><xref target="header-confidentiality-policy" format="none">HCP</xref>
is a challenging problem of coordinating many different actors.
A piecemeal approach might be more feasible, where some signalling mechanism all
ows a message recipient, MTA operator, or third-party clearinghouse to announce
what kinds of HCPs are likely to be deliverable for a given recipient.
In such a situation, the default <iref item="HCP"/><xref target="header-confiden
tiality-policy" format="none">HCP</xref> for an MUA might involve consulting the
signalled acceptable HCPs for all recipients, and combining them (along with a
default for when no signal is present) in some way.</t>
<t>If such a signal were to reach widespread use, it could also be used to guide
reasonable statistical default <iref item="HCP"/><xref target="header-confident
iality-policy" format="none">HCP</xref> choices for recipients with no signal.</
t>
<t>This document does not attempt to define the syntax or semantics of such a si
gnal.</t>
</section>
<section anchor="deprecation-of-messages-without-header-protection"><name>Deprec
ation of Messages Without Header Protection</name>
<t>At some point, when the majority of MUA clients that can generate cryptograph
ically protected messages with Header Protection, it should be possible to depre
cate any cryptographically protected message that does not have Header Protectio
n.</t>
<t>For example, as noted in <xref target="mixed-protections"/>, it's possible fo
r an MUA to render a <spanx style="verb">signed-only</spanx> message that has no
Header Protection the same as an <spanx style="verb">unprotected</spanx> messag
e.
And a <spanx style="verb">signed-and-encrypted</spanx> message without Header Pr
otection could likewise be marked as not fully protected.</t>
<t>These stricter rules could be adopted immediately for all messages.
Or an MUA developer could roll them out immediately for any new message, but sti
ll treat an old message (based on the Date Header Field and cryptographic signat
ure timestamp) more leniently.</t>
<t>A decision like this by any popular receiving MUA could drive adoption of thi
s standard for sending MUAs.</t>
</section>
</section>
<section anchor="usability-considerations"><name>Usability Considerations</name>
<t>This section describes concerns for MUAs that are interested in easy adoption
of Header Protection by normal users.</t>
<t>While they are not protocol-level artifacts, these concerns motivate the prot
ocol features described in this document.</t>
<t>See also the Usability commentary in <xref section="2" sectionFormat="of" tar Original:
get="I-D.ietf-lamps-e2e-mail-guidance"/>.</t> In the future, some mail transport systems may accept and deliver
messages with even less publicly visible metadata.
<section anchor="mixed-protections"><name>Mixed Protections Within a Message Are Perhaps:
Hard To Understand</name> In the future, some mail transport agents may accept and deliver
messages with even less publicly visible metadata.
-->
<t>When rendering a message to the user, the ideal circumstance is to present a <t>In the future, some mail transport systems may accept and deliver mes
single cryptographic status for any given message. sages with even less publicly visible metadata.
Many MTA operators today would ask for additional guarantees about such a messag
e to limit the risks associated with abusive or spam mail.</t>
<t>This specification offers the <iref item="HCP"/><xref target="header-
confidentiality-policy" format="none">HCP</xref> formalism itself as a way for M
UA developers and MTA operators to describe their expectations around message de
liverability.
MUA developers can propose a more ambitious default <iref item="HCP"/><xref targ
et="header-confidentiality-policy" format="none">HCP</xref> and ask MTA operator
s (or simply test) whether their MTAs would be likely to deliver or reject encry
pted mail with that <iref item="HCP"/><xref target="header-confidentiality-polic
y" format="none">HCP</xref> applied.
Proponents of a more ambitious <iref item="HCP"/><xref target="header-confidenti
ality-policy" format="none">HCP</xref> should explicitly document the <iref item
="HCP"/><xref target="header-confidentiality-policy" format="none">HCP</xref> an
d name it clearly and unambiguously to facilitate this kind of interoperability
discussion.</t>
<t>Reaching widespread consensus around a more ambitious global default
<iref item="HCP"/><xref target="header-confidentiality-policy" format="none">HCP
</xref> is a challenging problem of coordinating many different actors.
A piecemeal approach might be more feasible, where some signaling mechanism allo
ws a message recipient, MTA operator, or third-party clearinghouse to announce w
hat kinds of HCPs are likely to be deliverable for a given recipient.
In such a situation, the default <iref item="HCP"/><xref target="header-confiden
tiality-policy" format="none">HCP</xref> for an MUA might involve consulting the
signaled acceptable HCPs for all recipients and combining them (along with a de
fault for when no signal is present) in some way.</t>
<t>If such a signal were to reach widespread use, it could also be used
to guide reasonable statistical default <iref item="HCP"/><xref target="header-c
onfidentiality-policy" format="none">HCP</xref> choices for recipients with no s
ignal.</t>
<t>This document does not attempt to define the syntax or semantics of s
uch a signal.</t>
</section>
<section anchor="deprecation-of-messages-without-header-protection">
<name>Deprecation of Messages Without Header Protection</name>
<t>At some point, when the majority of MUA clients can generate cryptogr
aphically protected messages with Header Protection, it should be possible to de
precate any cryptographically protected message that does not have Header Protec
tion.</t>
<t>For example, as noted in <xref target="mixed-protections"/>, it's pos
sible for an MUA to render a <tt>signed-only</tt> message that has no Header Pro
tection the same as an <tt>unprotected</tt> message.
And a <tt>signed-and-encrypted</tt> message without Header Protection could like
wise be marked as not fully protected.</t>
<t>These stricter rules could be adopted immediately for all messages.
Or an MUA developer could roll them out immediately for any new message but stil
l treat an old message (based on the Date Header Field and cryptographic signatu
re timestamp) more leniently.</t>
<t>A decision like this by any popular receiving MUA could drive adoptio
n of this standard for sending MUAs.</t>
</section>
</section>
<section anchor="usability-considerations">
<name>Usability Considerations</name>
<t>This section describes concerns for MUAs that are interested in easy ad
option of Header Protection by normal users.</t>
<t>While they are not protocol-level artifacts, these concerns motivate th
e protocol features described in this document.</t>
<t>See also the usability commentary in <xref section="2" sectionFormat="o
f" target="RFC9787"/>.</t>
<section anchor="mixed-protections">
<name>Mixed Protections Within a Message Are Hard to Understand</name>
<t>When rendering a message to the user, the ideal circumstance is to pr
esent a single cryptographic status for any given message.
However, when message Header Fields are present, some message Header Fields do n ot have the same cryptographic protections as the main message.</t> However, when message Header Fields are present, some message Header Fields do n ot have the same cryptographic protections as the main message.</t>
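Review bot: the [rfced] query about "mail transport system" versus "mail transport agents" is still open in the new column. The paragraph beginning "In the future, some mail transport systems may accept and deliver messages ..." keeps "systems", while its very next sentence speaks of "MTA operators". Either adopt the "Perhaps:" wording so the term is consistent with the rest of the document, or state that the broader term is intended, and close out the comment once that is decided.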
<t>Representing such a mixed set of protection statuses is very difficul
<t>Representing such a mixed set of protection statuses is very difficult to do t to do in a way that an Ordinary User can understand.
in a way that a Ordinary User can understand. There are at least three scenarios that are likely to be common and poorly under
There are at least three scenarios that are likely to be common, and poorly unde stood:</t>
rstood:</t> <ul spacing="normal">
<li>
<t><list style="symbols"> <t>A signed message with no Header Protection.</t>
<t>A signed message with no Header Protection.</t> </li>
<t>A signed-and-encrypted message with no Header Protection.</t> <li>
<t>A signed-and-encrypted message with Header Protection as defined in this do <t>A signed-and-encrypted message with no Header Protection.</t>
cument, where some User-Facing Header Fields have confidentiality but some do no </li>
t.</t> <li>
</list></t> <t>A signed-and-encrypted message with Header Protection as defined
in this document, where some User-Facing Header Fields have confidentiality but
<t>An MUA should have a reasonable strategy for clearly communicating each of th some do not.</t>
ese scenarios to the user. </li>
</ul>
<t>An MUA should have a reasonable strategy for clearly communicating ea
ch of these scenarios to the user.
For example, an MUA operating in an environment where it expects most cryptograp hically protected messages to have Header Protection could use the following ren dering strategy:</t> For example, an MUA operating in an environment where it expects most cryptograp hically protected messages to have Header Protection could use the following ren dering strategy:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>
<t>When rendering a message with <spanx style="verb">signed-only</spanx> crypt <t>When rendering a message with a <tt>signed-only</tt> cryptographi
ographic status but no Header Protection, an MUA may decline to indicate a posit c status but no Header Protection, an MUA may decline to indicate a positive sec
ive security status overall, and only indicate the cryptographic status to a use urity status overall and only indicate the cryptographic status to a user in a m
r in a message properties or diagnostic view. essage properties or diagnostic view.
That is, the message may appear identical to an unsigned message except if a use r verifies the properties through a menu option.</t> That is, the message may appear identical to an unsigned message except if a use r verifies the properties through a menu option.</t>
<t>When rendering a message with <spanx style="verb">signed-and-encrypted</spa </li>
nx> or <spanx style="verb">encrypted-only</spanx> cryptographic status but no He <li>
ader Protection, overlay a warning flag on the typical cryptographic status indi <t>When rendering a message with a <tt>signed-and-encrypted</tt> or
cator. <tt>encrypted-only</tt> cryptographic status but no Header Protection, overlay a
That is, if a typical <spanx style="verb">signed-and-encrypted</spanx> message d warning flag on the typical cryptographic status indicator.
isplays a lock icon, display a lock icon with a warning sign (e.g., an exclamati That is, if a typical <tt>signed-and-encrypted</tt> message displays a lock icon
on point in a triangle) overlaid. , display a lock icon with a warning sign (e.g., an exclamation point in a trian
See, for example, the graphics in <xref target="chrome-indicators"/>.</t> gle) overlaid.
<t>When rendering a message with <spanx style="verb">signed-and-encrypted</spa For example, see the graphics in <xref target="chrome-indicators"/>.</t>
nx> or <spanx style="verb">encrypted-only</spanx> cryptographic status, with Hea </li>
der Protection, but where the Subject Header Field has not been removed or obscu <li>
red, place a warning sign on the Subject line.</t> <t>When rendering a message with a <tt>signed-and-encrypted</tt> or
</list></t> <tt>encrypted-only</tt> cryptographic status with Header Protection but where th
e Subject Header Field has not been removed or obscured, place a warning sign on
<t>Other simple rendering strategies could also be reasonable.</t> the Subject line.</t>
</li>
</section> </ul>
<section anchor="sensible-default-hcp"><name>Users Should Not Have To Choose a H <t>Other simple rendering strategies could also be reasonable.</t>
eader Confidentiality Policy</name> </section>
<section anchor="sensible-default-hcp">
<t>This document defines the abstraction of a <iref item="Header Confidentiality <name>Users Should Not Have to Choose a Header Confidentiality Policy</n
Policy"/><xref target="header-confidentiality-policy" format="none">Header Conf ame>
identiality Policy</xref> object for the sake of communication between implement <t>This document defines the abstraction of a <iref item="Header Confide
ers and deployments.</t> ntiality Policy"/><xref target="header-confidentiality-policy" format="none">Hea
der Confidentiality Policy</xref> object for the sake of communication between i
<t>Most e-mail users are unlikely to understand the tradeoffs between different mplementers and deployments.</t>
policies. <t>Most email users are unlikely to understand the trade-offs between di
fferent policies.
In particular, the potential negative side effects (e.g., poor deliverability) m ay not be easily attributable by a normal user to a particular <iref item="HCP"/ ><xref target="header-confidentiality-policy" format="none">HCP</xref>.</t> In particular, the potential negative side effects (e.g., poor deliverability) m ay not be easily attributable by a normal user to a particular <iref item="HCP"/ ><xref target="header-confidentiality-policy" format="none">HCP</xref>.</t>
<t>Therefore, MUA implementers should be conservative in their choice of
<t>Therefore, MUA implementers should be conservative in their choice of default default <iref item="HCP"/><xref target="header-confidentiality-policy" format="
<iref item="HCP"/><xref target="header-confidentiality-policy" format="none">HC none">HCP</xref> and should not require the Ordinary User to make an incomprehen
P</xref>, and should not require the Ordinary User to make an incomprehensible c sible choice that could cause unfixable, undiagnosable problems.
hoice that could cause unfixable, undiagnosable problems. The safest option is for the MUA developer to select a known, stable <iref item=
The safest option is for the MUA developer to select a known, stable <iref item= "HCP"/><xref target="header-confidentiality-policy" format="none">HCP</xref> (th
"HCP"/><xref target="header-confidentiality-policy" format="none">HCP</xref> (th is document recommends <tt>hcp_baseline</tt> in <xref target="default-hcp"/>) on
is document recommends <spanx style="verb">hcp_baseline</spanx> in <xref target= the user's behalf.
"default-hcp"/>) on the user's behalf.
An MUA should not expose the Ordinary User to a configuration option where they are expected to manually select (let alone define) an <iref item="HCP"/><xref ta rget="header-confidentiality-policy" format="none">HCP</xref>.</t> An MUA should not expose the Ordinary User to a configuration option where they are expected to manually select (let alone define) an <iref item="HCP"/><xref ta rget="header-confidentiality-policy" format="none">HCP</xref>.</t>
</section>
</section> </section>
</section> <section anchor="security-considerations">
<section anchor="security-considerations"><name>Security Considerations</name> <name>Security Considerations</name>
<t>Header Protection improves the security of cryptographically protected
<t>Header Protection improves the security of cryptographically protected e-mail email messages.
messages.
Following the guidance in this document improves security for users by more dire ctly aligning the underlying messages with user expectations about confidentiali ty, authenticity, and integrity.</t> Following the guidance in this document improves security for users by more dire ctly aligning the underlying messages with user expectations about confidentiali ty, authenticity, and integrity.</t>
<t>Nevertheless, helping the user distinguish between cryptographic protec
<t>Nevertheless, helping the user distinguish between cryptographic protections tions of various messages remains a security challenge for MUAs.
of various messages remains a security challenge for MUAs. This is exacerbated by the fact that many existing messages with cryptographic p
This is exarcebated by the fact that many existing messages with cryptographic p rotections do not employ Header Protection.
rotections do not employ Header Protection.
MUAs encountering these messages (e.g., in an archive) will need to handle older forms (without Header Protection) for quite some time, possibly forever.</t> MUAs encountering these messages (e.g., in an archive) will need to handle older forms (without Header Protection) for quite some time, possibly forever.</t>
<t>The security considerations from <xref section="6" sectionFormat="of" t
<t>The security considerations from <xref section="6" sectionFormat="of" target= arget="RFC8551"/> continue to apply for any MUA that offers S/MIME cryptographic
"RFC8551"/> continue to apply for any MUA that offers S/MIME cryptographic prote protections, as well as <xref section="3" sectionFormat="of" target="RFC5083"/>
ctions, as well as <xref section="3" sectionFormat="of" target="RFC5083"/> (Auth (Authenticated-Enveloped-Data in Cryptographic Message Syntax (CMS)) and <xref
enticated-Enveloped-Data in CMS) and <xref section="14" sectionFormat="of" targe section="14" sectionFormat="of" target="RFC5652"/> (CMS more broadly).
t="RFC5652"/> (CMS more broadly).
Likewise, the security considerations from <xref section="8" sectionFormat="of" target="RFC3156"/> continue to apply for any MUA that offers PGP/MIME cryptograp hic protections, as well as <xref section="13" sectionFormat="of" target="RFC958 0"/> (OpenPGP itself). Likewise, the security considerations from <xref section="8" sectionFormat="of" target="RFC3156"/> continue to apply for any MUA that offers PGP/MIME cryptograp hic protections, as well as <xref section="13" sectionFormat="of" target="RFC958 0"/> (OpenPGP itself).
In addition, these underlying security considerations are now also applicable to the contents of the message header, not just the message body.</t> In addition, these underlying security considerations are now also applicable to the contents of the message header, not just the message body.</t>
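Review bot: expanding CMS inside the existing parenthetical after the RFC5083 reference yields nested parentheses, "(Authenticated-Enveloped-Data in Cryptographic Message Syntax (CMS))", immediately followed by a second parenthetical, "(CMS more broadly)". Consider moving the expansion into the running text of the sentence so that both parentheticals can keep the short form.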
<section anchor="from-addr-spoofing">
<section anchor="from-addr-spoofing"><name>From Address Spoofing</name> <name>From Address Spoofing</name>
<t>If the <tt>From</tt> Header Field was treated like any other protecte
<t>If the <spanx style="verb">From</spanx> Header Field were treated by the rece d Header Field by the receiving MUA, this scheme would enable sender address spo
iving MUA like any other protected Header Field, this scheme would enable sender ofing.</t>
address spoofing.</t> <t>To prevent sender spoofing, many receiving MUAs implicitly rely on th
eir receiving MTA to inspect the unprotected Header Section and verify that the
<t>To prevent sender spoofing, many receiving MUAs implicitly rely on their rece <tt>From</tt> Header Field is authentic.
iving MTA to inspect the unprotected Header Section and verify that the <spanx s If a receiving MUA displays a <tt>From</tt> address that doesn't match the <tt>F
tyle="verb">From</spanx> Header Field is authentic. rom</tt> address that the receiving and/or sending MTAs filtered on, the MUA may
If a receiving MUA displays a <spanx style="verb">From</spanx> address that does be vulnerable to spoofing.</t>
n't match the <spanx style="verb">From</spanx> address that the receiving and/or <t>Consider a malicious MUA that sets the following Header Fields on an
sending MTAs filtered on, the MUA may be vulnerable to spoofing.</t> encrypted message with Header Protection:</t>
<ul spacing="normal">
<t>Consider a malicious MUA that sets the following Header Fields on an encrypte <li>
d message with Header Protection:</t> <t>Outer: <tt>From: &lt;alice@example.com&gt;</tt></t>
</li>
<t><list style="symbols"> <li>
<t>Outer: <spanx style="verb">From: &lt;alice@example.com&gt;</spanx></t> <t>Inner: <tt>HP-Outer: From: &lt;alice@example.com&gt;</tt></t>
<t>Inner: <spanx style="verb">HP-Outer: From: &lt;alice@example.com&gt;</spanx </li>
></t> <li>
<t>Inner: <spanx style="verb">From: &lt;bob@example.org&gt;</spanx></t> <t>Inner: <tt>From: &lt;bob@example.org&gt;</tt></t>
</list></t> </li>
</ul>
<t>During sending, the MTA of <spanx style="verb">example.com</spanx> validates <t>During sending, the MTA of <tt>example.com</tt> validates that the se
that the sending MUA is authorized to send from <spanx style="verb">alice@exampl nding MUA is authorized to send from <tt>alice@example.com</tt>.
e.com</spanx>.
Since the message is encrypted, the sending and receiving MTAs cannot see the pr otected Header Fields. Since the message is encrypted, the sending and receiving MTAs cannot see the pr otected Header Fields.
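Review bot: in the first paragraph of the From Address Spoofing section, moving "by the receiving MUA" to the end gives "treated like any other protected Header Field by the receiving MUA", which can be misread as a Header Field protected by the receiving MUA. The old order, "treated by the receiving MUA like any other protected Header Field", was unambiguous. Since the sentence is a counterfactual ending in "would enable sender address spoofing", "were" also fits better than "was". Suggest restoring the original sentence.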
A naive receiving MUA might follow the algorithms in this document without speci A naive receiving MUA might follow the algorithms in this document without speci
al consideration for the <spanx style="verb">From</spanx> Header Field. al consideration for the <tt>From</tt> Header Field.
Such an MUA might display the email as coming from <spanx style="verb">bob@examp Such an MUA might display the email as coming from <tt>bob@example.org</tt> to t
le.org</spanx> to the user, resulting in a spoofed address.</t> he user, resulting in a spoofed address.</t>
<t>This problem applies both between domains and within a domain.</t>
<t>This problem applies both between domains and within a domain.</t> <t>This problem always applies to signed-and-encrypted messages.
This problem also applies to signed-only messages because MTAs typically do not
<t>This problem always applies to signed-and-encrypted messages. look at the protected Header Fields when confirming <tt>From</tt> address authen
This problem also applies to signed-only messages because MTAs typically do not ticity.</t>
look at the protected Header Fields when confirming <spanx style="verb">From</sp <t>Sender address spoofing is relevant for two distinct security propert
anx> address authenticity.</t> ies:</t>
<ul spacing="normal">
<t>Sender address spoofing is relevant for two distinct security properties:</t> <li>
<t>Sender authenticity: relevant for rendering the message (which ad
<t><list style="symbols"> dress to show the user?)</t>
<t>Sender authenticity: relevant for rendering the message (which address to s </li>
how the user?).</t> <li>
<t>Message confidentiality: relevant when replying to a message (a reply to th <t>Message confidentiality: relevant when replying to a message (a r
e wrong address can leak the message contents).</t> eply to the wrong address can leak the message contents)</t>
</list></t> </li>
</ul>
<section anchor="from-rendering-reasoning"><name>From Rendering Reasoning</name> <section anchor="from-rendering-reasoning">
<name>From Rendering Reasoning</name>
<t><xref target="from-header-field-rendering"/> provides guidance for rendering <t><xref target="from-header-field-rendering"/> provides guidance for
the <spanx style="verb">From</spanx> Header Field. rendering the <tt>From</tt> Header Field. It recommends a receiving MUA that dep
It recommends a receiving MUA that depends on its MTA to authenticate the unprot ends on its MTA to authenticate the unprotected (outer) <tt>From</tt> Header Fie
ected (outer) <spanx style="verb">From</spanx> Header Field to render the outer ld to render the outer <tt>From</tt> Header Field if both of the following condi
<spanx style="verb">From</spanx> Header Field, if both of the following conditio tions are met:</t>
ns are met:</t> <ul spacing="normal">
<li>
<t><list style="symbols"> <t><tt>From</tt> Header Field Mismatch (as defined in <xref target
<t><spanx style="verb">From</spanx> Header Field Mismatch (as defined in <xref ="def-from-hf-mismatch"/>)</t>
target="def-from-hf-mismatch"/>)</t> </li>
<t>No Valid and Correctly Bound Signature (as defined in <xref target="def-no- <li>
valid-and-correctly-bound-signature"/>)</t> <t>No Valid and Correctly Bound Signature (as defined in <xref tar
</list></t> get="def-no-valid-and-correctly-bound-signature"/>)</t>
</li>
<t>Note: The second condition effectively means that the inner (expected to be p </ul>
rotected) <spanx style="verb">From</spanx> Header Field appears to have insuffic <t>Note: The second condition effectively means that the inner (expect
ient protection.</t> ed to be protected) <tt>From</tt> Header Field appears to have insufficient prot
ection.</t>
<t>This may seem surprising since it causes the MUA to render a mix of both prot <t>This may seem surprising since it causes the MUA to render a mix of
ected and unprotected values. both protected and unprotected values.
This section provides an argument as to why this guidance makes sense.</t> This section provides an argument as to why this guidance makes sense.</t>
<t>We proceed by case distinction:</t>
<t>We proceed by case distinction:</t> <ul spacing="normal">
<li>
<t><list style="symbols"> <t>Case 1: Malicious sending MUA.
<t>Case 1: Malicious sending MUA. </t>
<list style="symbols"> <ul spacing="normal">
<t>Attack situation: the sending MUA puts a different inner <spanx style=" <li>
verb">From</spanx> Header Field to spoof the sender address.</t> <t>Attack situation: The sending MUA puts a different inner <t
<t>In this case, it is "better" to fall back and render the outer <spanx s t>From</tt> Header Field to spoof the sender address.</t>
tyle="verb">From</spanx> Header Field because this is what the receiving MTA can </li>
validate. <li>
Otherwise this document would introduce a new way for senders to spoof the <span <t>In this case, it is "better" to fall back and render the ou
x style="verb">From</spanx> address of the message.</t> ter <tt>From</tt> Header Field because this is what the receiving MTA can valida
<t>This does not preclude a future document from updating this document to te.
specify a protocol for legitimate sender address hiding.</t> Otherwise, this document would introduce a new way for senders to spoof the <tt>
</list></t> From</tt> address of the message.</t>
<t>Case 2: Malicious sending/transiting/receiving MTA (or anyone meddling betw </li>
een MTAs). <li>
<list style="symbols"> <t>This does not preclude a future document from updating this
<t>Attack situation: an on-path attacker changes the outer <spanx style="v document to specify a protocol for legitimate sender address hiding.</t>
erb">From</spanx> Header Field (possibly with other meddling to break the signat </li>
ure, see below). </ul>
Their goal is to get the receiving MUA to show a different <spanx style="verb">F </li>
rom</spanx> address than the sending MUA intended (breaking MUA-to-MUA sender au <li>
thenticity).</t> <t>Case 2: Malicious sending/transiting/receiving MTA (or anyone m
<t>Case 2.a: The sending MUA submitted an unsigned or encrypted-only messa eddling between MTAs).
ge to the email system. </t>
<ul spacing="normal">
<li>
<t>Attack situation: An on-path attacker changes the outer <tt
>From</tt> Header Field (possibly with other meddling to break the signature; se
e below).
Their goal is to get the receiving MUA to show a different <tt>From</tt> address
than the sending MUA intended (breaking MUA-to-MUA sender authenticity).</t>
</li>
<li>
<t>Case 2.a: The sending MUA submitted an unsigned or encrypte
d-only message to the email system.
In this case, there can be no sender authenticity anyway.</t> In this case, there can be no sender authenticity anyway.</t>
<t>Case 2.b: The sending MUA submitted a signed-only message to the email </li>
system. <li>
<list style="symbols"> <t>Case 2.b: The sending MUA submitted a signed-only message t
<t>Case 2.b.i: The attacker removes or breaks the signature. o the email system.
In this case, the attacker can also modify the inner <spanx style="verb">From</s </t>
panx> Header Field to their liking.</t> <ul spacing="normal">
<t>Case 2.b.ii: The signature is valid, but the receiving MUA does not <li>
see any valid binding between the signing certificate and the <spanx style="ver <t>Case 2.b.i: The attacker removes or breaks the signatur
b">addr-spec</spanx> of the inner <spanx style="verb">From</spanx> Header Field. e.
In this case, the attacker can also modify the inner <tt>From</tt> Header Field
to their liking.</t>
</li>
<li>
<t>Case 2.b.ii: The signature is valid, but the receiving
MUA does not see any valid binding between the signing certificate and the <tt>a
ddr-spec</tt> of the inner <tt>From</tt> Header Field.
In this case, there can be no sender authenticity anyways (the certificate could have been generated by the on-path attacker). In this case, there can be no sender authenticity anyways (the certificate could have been generated by the on-path attacker).
This case is indistinguishable from a malicious sending MUA, hence it is "better This case is indistinguishable from a malicious sending MUA; hence, it is "bette
" to fall back to the outer <spanx style="verb">From</spanx> that the MTA can va r" to fall back to the outer <tt>From</tt> Header Field that the MTA can validat
lidate. e.
Note that once the binding is validated (e.g., after an out-of-band comparison), Note that once the binding is validated (e.g., after an out-of-band comparison),
the rendering may change from showing the outer <spanx style="verb">From</spanx the rendering may change from showing the outer <tt>From</tt> address (and a wa
> address (and a warning) to showing the inner, now validated <spanx style="verb rning) to showing the inner, now validated <tt>From</tt> address.
">From</spanx> address.
In some cases, the binding may be instantly validated even for previously unseen certificates (e.g., if the certificate is issued by a trusted certification aut hority).</t> In some cases, the binding may be instantly validated even for previously unseen certificates (e.g., if the certificate is issued by a trusted certification aut hority).</t>
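Review bot: Case 2.b.ii still reads "there can be no sender authenticity anyways" on both sides, while Case 2.a uses "anyway" for the same statement. Since this paragraph is already being edited ("; hence, it is" and the added "Header Field" after the outer <tt>From</tt>), change "anyways" to "anyway" here so the two cases match.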
</list></t> </li>
<t>Case 2.c: The sending MUA submitted a signed-and-encrypted message to t </ul>
he email system. </li>
<list style="symbols"> <li>
<t>Case 2.c.i: The attacker removes or breaks the signature. <t>Case 2.c: The sending MUA submitted a signed-and-encrypted
Note that the signature is inside the ciphertext (see <xref section="5.2" sectio message to the email system.
nFormat="of" target="I-D.ietf-lamps-e2e-mail-guidance"/>). </t>
<ul spacing="normal">
<li>
<t>Case 2.c.i: The attacker removes or breaks the signatur
e.
Note that the signature is inside the ciphertext (see <xref section="5.2" sectio
nFormat="of" target="RFC9787"/>).
Thus, assuming the encryption is non-malleable, any on-path attacker cannot brea k the signature while ensuring that the message still decrypts successfully.</t> Thus, assuming the encryption is non-malleable, any on-path attacker cannot brea k the signature while ensuring that the message still decrypts successfully.</t>
<t>Case 2.c.ii: The signature is valid, but the receiving MUA does not </li>
see any valid binding between the signing certificate and the <spanx style="ver <li>
b">addr-spec</spanx> of the inner <spanx style="verb">From</spanx> Header Field. <t>Case 2.c.ii: The signature is valid, but the receiving
MUA does not see any valid binding between the signing certificate and the <tt>a
ddr-spec</tt> of the inner <tt>From</tt> Header Field.
See case 2.b.ii.</t> See case 2.b.ii.</t>
</list></t> </li>
</list></t> </ul>
</list></t> </li>
</ul>
<t>As the case distinction shows, the outer <spanx style="verb">From</spanx> Hea </li>
der Field is either the preferred fallback (in particular, to avoid introducing </ul>
a new spoofing channel), or it is just as good (because just as modifiable) as t <t>As the case distinction shows, the outer <tt>From</tt> Header Field
he inner <spanx style="verb">From</spanx> Header Field.</t> is either the preferred fallback (in particular, to avoid introducing a new spo
ofing channel) or just as good (because just as modifiable) as the inner <tt>Fro
<t>Rendering the outer <spanx style="verb">From</spanx> Header Field does carry m</tt> Header Field.</t>
the risk of a "temporary downgrade attack" in cases 2.b.ii and 2.c.ii, where a m <t>Rendering the outer <tt>From</tt> Header Field does carry the risk
alicious MTA keeps the signature intact but modifies the outer <spanx style="ver of a "temporary downgrade attack" in cases 2.b.ii and 2.c.ii, where a malicious
b">From</spanx> Header Field. MTA keeps the signature intact but modifies the outer <tt>From</tt> Header Field
The MUA can resolve this temporary downgrade by validating the certificate-to-<s .
panx style="verb">addr-spec</spanx> binding. The MUA can resolve this temporary downgrade by validating the certificate-to-<t
t>addr-spec</tt> binding.
If the MUA never does this validation, the entire message could be fake.</t> If the MUA never does this validation, the entire message could be fake.</t>
<t>If there were a signaling channel where the MTA can tell the MUA wh
<t>If there were a signalling channel where the MTA can tell the MUA whether it ether it authenticated the <tt>From</tt> Header Field, an MUA could use this in
authenticated the <spanx style="verb">From</spanx> Header Field, an MUA could us its rendering decision.
e this in its rendering decision. In the absence of such a signal, and when end-to-end authenticity is unavailable
In the absence of such a signal, and when end-to-end authenticity is unavailable , this document prefers to fall back to the outer <tt>From</tt> Header Field.
, this document prefers to fall back to the outer <spanx style="verb">From</span This default is based on the assumption that most MTAs apply some filtering base
x> Header Field. d on the outer <tt>From</tt> Header Field (whether the MTA can authenticate it o
This default is based on the assumption that most MTAs apply some filtering base r not).
d on the outer <spanx style="verb">From</spanx> Header Field (whether the MTA ca Rendering the unprotected outer <tt>From</tt> Header Field (instead of the prote
n authenticate it or not). cted inner one) in case of a mismatch retains this ability for MTAs.</t>
Rendering the unprotected outer <spanx style="verb">From</spanx> Header Field (i <t>If the MUA decides not to rely on the MTA to authenticate the outer
nstead of the protected inner one) in case of a mismatch retains this ability fo <tt>From</tt> Header Field, it may prefer the inner <tt>From</tt> Header Field.
r MTAs.</t> </t>
</section>
<t>If the MUA decides not to rely on the MTA to authenticate the outer <spanx st </section>
yle="verb">From</spanx> Header Field, it may prefer the inner <spanx style="verb <section anchor="avoid-summary-confusion">
">From</spanx> Header Field.</t> <name>Avoid Cryptographic Summary Confusion from the hp Parameter</name>
<t>When parsing a message, the recipient MUA infers the message's Crypto
</section> graphic Status from the Cryptographic Layers, as described in <xref section="4.6
</section> " sectionFormat="of" target="RFC9787"/>.</t>
<section anchor="avoid-summary-confusion"><name>Avoid Cryptographic Summary Conf <t>The Cryptographic Layers that make up the Cryptographic Envelope desc
usion from hp Parameter</name> ribe an ordered list of cryptographic properties as present in the message after
it has been delivered.
<t>When parsing a message, the recipient MUA infers the message's Cryptographic By contrast, the <tt>hp</tt> parameter to the <tt>Content-Type</tt> Header Field
Status from the Cryptographic Layers, as described in <xref section="4.6" sectio contains a simpler indication: whether the sender originally tried to encrypt t
nFormat="of" target="I-D.ietf-lamps-e2e-mail-guidance"/>.</t> he message or not.
In particular, for a message with Header Protection, the Cryptographic Payload s
<t>The Cryptographic Layers that make up the Cryptographic Envelope describe an hould have a <tt>hp</tt> parameter of <tt>cipher</tt> if the message is encrypte
ordered list of cryptographic properties as present in the message after it has d (in addition to signed) and <tt>clear</tt> if no encryption is present (that i
been delivered. s, the message is <tt>signed-only</tt>).</t>
By contrast, the <spanx style="verb">hp</spanx> parameter to the <spanx style="v <t>As noted in <xref target="hp-parameter"/>, the receiving implementati
erb">Content-Type</spanx> Header Field contains a simpler indication: whether th on should not inflate its estimation of the confidentiality of the message or it
e sender originally tried to encrypt the message or not. s Header Fields based on the sender's intent if it can see that the message was
In particular, for a message with Header Protection, the Cryptographic Payload s not actually encrypted.
hould have a <spanx style="verb">hp</spanx> parameter of <spanx style="verb">cip A signed-only message that happens to have an <tt>hp</tt> parameter of <tt>ciphe
her</spanx> if the message is encrypted (in addition to signed), and <spanx styl r</tt> is still signed-only.</t>
e="verb">clear</spanx> if no encryption is present (that is, the message is <spa <t>Conversely, since the encrypting Cryptographic Layer is typically out
nx style="verb">signed-only</spanx>).</t> side the signature layer (see <xref section="5.2" sectionFormat="of" target="RFC
9787"/>), an originally signed-only message could have been wrapped in an encryp
<t>As noted in <xref target="hp-parameter"/>, the receiving implementation shoul tion layer by an intervening party before receipt to appear encrypted.</t>
d not inflate its estimation of the confidentiality of the message or its Header <t>If a message appears to be wrapped in an encryption layer, and the <t
Fields based on the sender's intent, if it can see that the message was not act t>hp</tt> parameter is present but is not set to <tt>cipher</tt>, then it is lik
ually encrypted. ely that the encryption layer was not added by the original sender.
A signed-only message that happens to have an <spanx style="verb">hp</spanx> par For such a message, the lack of any <tt>HP-Outer</tt> Header Field in the Header
ameter of <spanx style="verb">cipher</spanx> is still signed-only.</t> Section of the Cryptographic Payload <bcp14>MUST NOT</bcp14> be used to infer t
hat all Header Fields were removed from the message by the original sender.
<t>Conversely, since the encrypting Cryptographic Layer is typically outside the
signature layer (see <xref section="5.2" sectionFormat="of" target="I-D.ietf-la
mps-e2e-mail-guidance"/>), an originally signed-only message could have been wra
pped in an encryption layer by an intervening party before receipt, to appear en
crypted.</t>
<t>If a message appears to be wrapped in an encryption layer, and the <spanx sty
le="verb">hp</spanx> parameter is present but is not set to <spanx style="verb">
cipher</spanx>, then it is likely that the encryption layer was not added by the
original sender.
For such a message, the lack of any <spanx style="verb">HP-Outer</spanx> Header
Field in the Header Section of the Cryptographic Payload <bcp14>MUST NOT</bcp14>
be used to infer that all Header Fields were removed from the message by the or
iginal sender.
In such a case, the receiving MUA <bcp14>SHOULD</bcp14> treat every Header Field as though it was not confidential.</t> In such a case, the receiving MUA <bcp14>SHOULD</bcp14> treat every Header Field as though it was not confidential.</t>
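Review bot: the article before the <tt>hp</tt> parameter is inconsistent within this section and the new side carries it over unchanged: "should have a <tt>hp</tt> parameter of <tt>cipher</tt>" in the second paragraph, but "happens to have an <tt>hp</tt> parameter" in the third. Pick one form (the rest of the section reads as "an hp") and apply it in both places. Separately, with the comma dropped before "and <tt>clear</tt> if no encryption is present", that sentence now runs the two values together; consider keeping the comma or splitting the sentence.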
</section>
</section> <section anchor="caution-about-composing-with-legacy-display-elements">
<section anchor="caution-about-composing-with-legacy-display-elements"><name>Cau <name>Caution About Composing with Legacy Display Elements</name>
tion about Composing with Legacy Display Elements</name> <t>When composing a message, it's possible for a Legacy Display Element
to contain risky data that could trigger errors in a rendering client.</t>
<t>When composing a message, it's possible for a Legacy Display Element to conta <t>For example, if the value for a Header Field to be included in a Lega
in risky data that could trigger errors in a rendering client.</t> cy Display Element within a given body part contains folding whitespace, it shou
ld be "unfolded" before generating the Legacy Display Element: All contiguous fo
<t>For example, if the value for a Header Field to be included in a Legacy Displ lding whitespace should be replaced with a single space character.
ay Element within a given body part contains folding whitespace, it should be "u Likewise, if the header value was originally encoded per <xref target="RFC2047"/
nfolded" before generating the Legacy Display Element: all contiguous folding wh >, it should be decoded first to a standard string and re-encoded using the char
itespace should be replaced with a single space character. set appropriate to the target part.</t>
Likewise, if the header value was originally encoded with <xref target="RFC2047" <t>When including a Legacy Display Element in a <tt>text/plain</tt> part
/>, it should be decoded first to a standard string and re-encoded using the cha (see <xref target="ld-text-plain"/>), if the decoded Subject Header Field conta
rset appropriate to the target part.</t> ins a pair of newlines (e.g., if it is broken across multiple lines by encoded n
ewlines), any newline <bcp14>MUST</bcp14> be stripped from the Legacy Display El
<t>When including a Legacy Display Element in a <spanx style="verb">text/plain</ ement.
spanx> part (see <xref target="ld-text-plain"/>), if the decoded Subject Header
Field contains a pair of newlines (e.g., if it is broken across multiple lines b
y encoded newlines), any newline <bcp14>MUST</bcp14> be stripped from the Legacy
Display Element.
If the pair of newlines is not stripped, a receiving MUA that follows the guidan ce in <xref target="omit-plain-legacy-display"/> might leave the later part of t he Legacy Display Element in the rendered message.</t> If the pair of newlines is not stripped, a receiving MUA that follows the guidan ce in <xref target="omit-plain-legacy-display"/> might leave the later part of t he Legacy Display Element in the rendered message.</t>
<t>When including a Legacy Display Element in a <tt>text/html</tt> part
<t>When including a Legacy Display Element in a <spanx style="verb">text/html</s (see <xref target="ld-text-html"/>), any material in the header values should be
panx> part (see <xref target="ld-text-html"/>), any material in the header value explicitly HTML escaped to avoid being rendered as part of the HTML.
s should be explicitly HTML escaped to avoid being rendered as part of the HTML. At a minimum, the characters <tt>&lt;</tt>, <tt>&gt;</tt>, and <tt>&amp;</tt> sh
At a minimum, the characters <spanx style="verb">&lt;</spanx>, <spanx style="ver ould be escaped to <tt>&amp;lt;</tt>, <tt>&amp;gt;</tt>, and <tt>&amp;amp;</tt>,
b">&gt;</spanx>, and <spanx style="verb">&amp;</spanx> should be escaped to <spa respectively (for example, see <xref target="HTML-ESCAPES"/>).
nx style="verb">&amp;lt;</spanx>, <spanx style="verb">&amp;gt;</spanx>, and <spa If unescaped characters from removed or obscured header values end up in the Leg
nx style="verb">&amp;amp;</spanx>, respectively (see for example <xref target="H acy Display Element, a receiving MUA that follows the guidance in <xref target="
TML-ESCAPES"/>). omit-html-legacy-display"/> might fail to identify the boundaries of the Legacy
If unescaped characters from removed or obscured header values end up in the Leg Display Element, cutting out more than it should or leaving remnants visible.
acy Display Element, a receiving MUA that follows the guidance in <xref target="
omit-html-legacy-display"/> might fail to identify the boundaries of the Legacy
Display Element, cutting out more than it should, or leaving remnants visible.
And a Legacy MUA parsing such a message might misrender the entire HTML stream, depending on the content of the removed or obscured header values.</t> And a Legacy MUA parsing such a message might misrender the entire HTML stream, depending on the content of the removed or obscured header values.</t>
<t>The Legacy Display Element is a decorative addition solely to enable
<t>The Legacy Display Element is a decorative addition solely to enable visibili visibility of obscured or removed Header Fields in decryption-capable Legacy MUA
ty of obscured or removed Header Fields in decryption-capable Legacy MUAs. s.
When it is produced, it should be generated minimally and strictly, as described above, to avoid damaging the rest of the message.</t> When it is produced, it should be generated minimally and strictly, as described above, to avoid damaging the rest of the message.</t>
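Review bot: the text/html paragraph keeps a lowercase "should" for HTML escaping ("should be explicitly HTML escaped", "should be escaped to <tt>&amp;lt;</tt>, <tt>&amp;gt;</tt>, and <tt>&amp;amp;</tt>") on both sides, while the text/plain paragraph directly above uses <bcp14>MUST</bcp14> for stripping newlines. The paragraph itself says unescaped characters can make a receiving MUA cut out more than it should, leave remnants visible, or misrender the entire HTML stream, so either confirm that the non-normative wording is intended or align the requirement level with the text/plain case.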
</section>
</section> <section anchor="plaintext-attacks">
<section anchor="plaintext-attacks"><name>Plaintext Attacks</name> <name>Plaintext Attacks</name>
<t>An encrypted email message using S/MIME or PGP/MIME tends to have som
<t>An encrypted e-mail message using S/MIME or PGP/MIME tends to have some amoun e amount of predictable plaintext.
t of predictable plaintext. For example, the standard MIME headers of the Cryptographic Payload of a message
For example, the standard MIME headers of the Cryptographic Payload of a message are often a predictable sequence of bytes, even without Header Protection, when
are often a predictable sequence of bytes, even without Header Protection, when they only include the Structural Header Fields <tt>MIME-Version</tt> and <tt>Co
they only include the Structural Header Fields <spanx style="verb">MIME-Version ntent-Type</tt>.
</spanx> and <spanx style="verb">Content-Type</spanx>.
This is a potential risk for known-plaintext attacks.</t> This is a potential risk for known-plaintext attacks.</t>
<t>Including protected Header Fields as defined in this document increas
<t>Including protected Header Fields as defined in this document increases the a es the amount of known plaintext.
mount of known plaintext.
Since some of those headers in a reply will be derived from the message being re plied to, this also creates a potential risk for chosen-plaintext attacks, in ad dition to known-plaintext attacks.</t> Since some of those headers in a reply will be derived from the message being re plied to, this also creates a potential risk for chosen-plaintext attacks, in ad dition to known-plaintext attacks.</t>
<t>Modern message encryption mechanisms are expected to be secure agains
<t>Modern message encryption mechanisms are expected to be secure against both k t both known-plaintext attacks and chosen-plaintext attacks.
nown-plaintext attacks and chosen-plaintext attacks.
An MUA composing an encrypted message should ensure that it is using such a mech anism, regardless of whether it does Header Protection.</t> An MUA composing an encrypted message should ensure that it is using such a mech anism, regardless of whether it does Header Protection.</t>
</section>
</section> </section>
</section> <section anchor="privacy-considerations">
<section anchor="privacy-considerations"><name>Privacy Considerations</name> <name>Privacy Considerations</name>
<section anchor="leaks-when-replying">
<section anchor="leaks-when-replying"><name>Leaks When Replying</name> <name>Leaks When Replying</name>
<t>The encrypted Header Fields of a message may accidentally leak when r
<t>The encrypted Header Fields of a message may accidentally leak when replying eplying to the message.
to the message.
See the guidance in <xref target="replying"/>.</t> See the guidance in <xref target="replying"/>.</t>
</section>
</section> <section anchor="encryption-vs-privacy">
<section anchor="encryption-vs-privacy"><name>Encrypted Header Fields Are Not Al <name>Encrypted Header Fields Are Not Always Private</name>
ways Private</name> <t>For encrypted messages, depending on the sender's <iref item="HCP"/><
xref target="header-confidentiality-policy" format="none">HCP</xref>, some Heade
<t>For encrypted messages, depending on the sender's <iref item="HCP"/><xref tar r Fields may appear both within the Cryptographic Envelope and on the outside of
get="header-confidentiality-policy" format="none">HCP</xref>, some Header Fields the message (e.g., <tt>Date</tt> might exist identically in both places).
may appear both within the Cryptographic Envelope and on the outside of the mes <xref target="crypto-summary-update"/> identifies such a Header Field as <tt>sig
sage (e.g., <spanx style="verb">Date</spanx> might exist identically in both pla ned-only</tt>.
ces).
<xref target="crypto-summary-update"/> identifies such a Header Field as <spanx
style="verb">signed-only</spanx>.
These Header Fields are clearly <em>not</em> private at all, despite a copy bein g inside the Cryptographic Envelope.</t> These Header Fields are clearly <em>not</em> private at all, despite a copy bein g inside the Cryptographic Envelope.</t>
<t>A Header Field whose name and value are not matched verbatim by any <
<t>A Header Field whose name and value are not matched verbatim by any <spanx st tt>HP-Outer</tt> Header Field from the same part will have an <tt>encrypted-only
yle="verb">HP-Outer</spanx> Header Field from the same part will have <spanx sty </tt> or <tt>signed-and-encrypted</tt> status.
le="verb">encrypted-only</spanx> or <spanx style="verb">signed-and-encrypted</sp
anx> status.
But even Header Fields with these stronger levels of cryptographic confidentiali ty protection might not be as private as the user would like.</t> But even Header Fields with these stronger levels of cryptographic confidentiali ty protection might not be as private as the user would like.</t>
<t>See the examples below.</t>
<t>See the examples below.</t> <t>This concern is true for any encrypted data, including the body of th
e message, not just the Header Fields:
<t>This concern is true for any encrypted data, including the body of the messag If the sender isn't careful, the message contents or session keys can leak in ma
e, not just the Header Fields: ny ways that are beyond the scope of this document.
if the sender isn't careful, the message contents or session keys can leak in ma
ny ways that are beyond the scope of this document.
The message recipient has no way in principle to tell whether the apparent confi dentiality of any given piece of encrypted content has been broken via channels that they cannot perceive. The message recipient has no way in principle to tell whether the apparent confi dentiality of any given piece of encrypted content has been broken via channels that they cannot perceive.
Additionally, an active intermediary aware of the recipient's public key can alw ays encrypt a cleartext message in transit to give the recipient a false sense o f security.</t> Additionally, an active intermediary aware of the recipient's public key can alw ays encrypt a cleartext message in transit to give the recipient a false sense o f security.</t>
<section anchor="encrypted-header-fields-can-leak-unwanted-information-t
o-the-recipient">
<name>Encrypted Header Fields Can Leak Unwanted Information to the Rec
ipient</name>
<t>For encrypted messages, even with an ambitious <iref item="HCP"/><x
ref target="header-confidentiality-policy" format="none">HCP</xref> that success
fully obscures most Header Fields from all transport agents, Header Fields will
be ultimately visible to all intended recipients.
<section anchor="encrypted-header-fields-can-leak-unwanted-information-to-the-re <!--[rfced] To improve readability, may we update the phrasing of "may not
cipient"><name>Encrypted Header Fields Can Leak Unwanted Information to the Reci expect to be injected by their MUA" as follows?
pient</name>
<t>For encrypted messages, even with an ambitious <iref item="HCP"/><xref target
="header-confidentiality-policy" format="none">HCP</xref> that successfully obsc
ures most Header Fields from all transport agents, Header Fields will be ultimat
ely visible to all intended recipients.
This can be especially problematic for Header Fields that are not user-facing, w
hich the sender may not expect to be injected by their MUA.
Consider the three following examples:</t>
<t><list style="symbols">
<t>The MUA may inject a <spanx style="verb">User-Agent</spanx> Header Field th
at describes itself to every recipient, even though the sender may not want the
recipient to know the exact version of their OS, hardware platform, or MUA.</t>
<t>The MUA may have an idiosyncratic way of generating a <spanx style="verb">M
essage-ID</spanx> header, which could embed the choice of MUA, a time zone, a ho
stname, or other subtle information to a knowledgeable recipient.</t>
<t>The MUA may erroneously include a <spanx style="verb">Bcc</spanx> Header Fi
eld in the <spanx style="verb">origheaders</spanx> of a copy of a message sent t
o the named recipient, defeating the purpose of using <spanx style="verb">Bcc</s
panx> instead of <spanx style="verb">Cc</spanx> (see <xref target="bcc"/> for mo
re details about risks related to <spanx style="verb">Bcc</spanx>).</t>
</list></t>
<t>Clearly, no end-to-end cryptographic protection of any Header Field as define
d in this document will hide such a sensitive field from the intended recipient.
Instead, the composing MUA <bcp14>MUST</bcp14> populate the <spanx style="verb">
origheaders</spanx> list for any outbound message with only information the reci
pient should have access to.
This is true for messages without any cryptographic protection as well, of cours
e, and it is even worse there: such a leak is exposed to the transport agents as
well as the recipient.
An encrypted message with Header Protection and a more ambitious <iref item="Hea
der Confidentiality Policy"/><xref target="header-confidentiality-policy" format
="none">Header Confidentiality Policy</xref> avoid these leaks exposing informat
ion to the transport agents but cannot defend against such a leak to the recipie
nt.</t>
</section> Original:
<section anchor="encrypted-header-fields-can-be-inferred-from-external-or-intern This can be
al-metadata"><name>Encrypted Header Fields Can Be Inferred From External or Inte especially problematic for Header Fields that are not user-facing,
rnal Metadata</name> which the sender may not expect to be injected by their MUA.
<t>For example, if the <spanx style="verb">To</spanx> and <spanx style="verb">Cc Perhaps:
</spanx> Header Fields are removed from the unprotected Header Section, the valu This can be
es in those fields might still be inferred with high probability by an adversary especially problematic for Header Fields that are not user-facing;
who looks at the message either in transit or at rest. the sender may not expect these Header Fields to be injected by their MUA.
If the message is found in, or being delivered to a mailbox for <spanx style="ve -->
rb">bob@example.org</spanx>, it's likely that Bob was in either <spanx style="ve
rb">To</spanx> or <spanx style="verb">Cc</spanx>.
Furthermore, encrypted message ciphertext may hint at the recipients: for S/MIME
messages, the <spanx style="verb">RecipientInfo</spanx>, and for PGP/MIME messa
ges the key ID in the Public Key Encrypted Session Key (PKESK) packets will all
hint at a specific set of recipients.
Additionally, an MTA that handles the message may add a <spanx style="verb">Rece
ived</spanx> Header Field (or some other custom Header Field) that leaks some in
formation about the nature of the delivery.</t>
</section> This can be especially problematic for Header Fields that are not user-facing, w
<section anchor="encrypted-header-fields-may-not-be-fully-masked-by-hcp"><name>E hich the sender may not expect to be injected by their MUA.
ncrypted Header Fields May Not Be Fully Masked by HCP</name> Consider the three following examples:</t>
<ul spacing="normal">
<li>
<t>The MUA may inject a <tt>User-Agent</tt> Header Field that desc
ribes itself to every recipient, even though the sender may not want the recipie
nt to know the exact version of their OS, hardware platform, or MUA.</t>
</li>
<li>
<t>The MUA may have an idiosyncratic way of generating a <tt>Messa
ge-ID</tt> header, which could embed the choice of MUA, time zone, hostname, or
other subtle information to a knowledgeable recipient.</t>
</li>
<li>
<t>The MUA may erroneously include a <tt>Bcc</tt> Header Field in
the <tt>origheaders</tt> of a copy of a message sent to the named recipient, def
eating the purpose of using <tt>Bcc</tt> instead of <tt>Cc</tt> (see <xref targe
t="bcc"/> for more details about risks related to <tt>Bcc</tt>).</t>
</li>
</ul>
<t>Clearly, no end-to-end cryptographic protection of any Header Field
as defined in this document will hide such a sensitive field from the intended
recipient.
Instead, the composing MUA <bcp14>MUST</bcp14> populate the <tt>origheaders</tt>
list for any outbound message with only information the recipient should have a
ccess to.
This is true for messages without any cryptographic protection as well, of cours
e, and it is even worse there: Such a leak is exposed to the transport agents as
well as the recipient.
An encrypted message with Header Protection and a more ambitious <iref item="Hea
der Confidentiality Policy"/><xref target="header-confidentiality-policy" format
="none">Header Confidentiality Policy</xref> avoids these leaks that expose info
rmation to the transport agents, but it cannot defend against such a leak to the
recipient.</t>
</section>
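Review bot: The sentence "This can be especially problematic for Header Fields that are not user-facing, which the sender may not expect to be injected by their MUA." is unchanged in the revised text, yet the editor comment that closes just before it (the "Original:" / "Perhaps:" pair) asks about exactly this clause. Either adopt the "Perhaps" wording, which makes clear that it is the Header Fields the sender does not expect, or reply that the original stands. In both cases, remove the comment so the published XML does not carry an open query.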
<section anchor="encrypted-header-fields-can-be-inferred-from-external-o
r-internal-metadata">
<name>Encrypted Header Fields Can Be Inferred from External or Interna
l Metadata</name>
<t>For example, if the <tt>To</tt> and <tt>Cc</tt> Header Fields are r
emoved from the unprotected Header Section, the values in those fields might sti
ll be inferred with high probability by an adversary who looks at the message ei
ther in transit or at rest.
If the message is found in a mailbox, or being delivered to a mailbox, for examp
le, <tt>bob@example.org</tt>, it's likely that Bob was in either <tt>To</tt> or
<tt>Cc</tt>.
Furthermore, encrypted message ciphertext may hint at the recipients: For S/MIME
messages, the <tt>RecipientInfo</tt>, and for PGP/MIME messages, the key ID in
the Public Key Encrypted Session Key (PKESK) packets will all hint at a specific
set of recipients.
Additionally, an MTA that handles the message may add a <tt>Received</tt> Header
Field (or some other custom Header Field) that leaks some information about the
nature of the delivery.</t>
</section>
<section anchor="encrypted-header-fields-may-not-be-fully-masked-by-hcp"
>
<name>Encrypted Header Fields May Not Be Fully Masked by HCP</name>
<t>In another example, if the <iref item="HCP"/><xref target="header-c
onfidentiality-policy" format="none">HCP</xref> modifies the <tt>Date</tt> heade
r to mask out high-resolution timestamps (e.g., rounding to the most recent hour
), some information about the date of delivery will still be attached to the ema
il.
At the very least, the low-resolution, global version of the date will be presen
t on the message.
Additionally, Header Fields like <tt>Received</tt> that are added during message
delivery might include higher-resolution timestamps.
And if the message lands in a mailbox that is ordered by time of receipt, even i
ts placement in the mailbox and the unobscured <tt>Date</tt> Header Fields of th
e surrounding messages could leak this information.</t>
<t>Some Header Fields like <tt>From</tt> may be impossible to fully obscure, as
many modern message delivery systems depend on at least domain information in th
e <tt>From</tt> Header Field for determining whether a message is coming from a
domain with "good reputation" (that is, from a domain that is not known for leak
ing spam).
<t>In another example, if the <iref item="HCP"/><xref target="header-confidentia <!--[rfced] May we update "genericize" to "generalize"?
lity-policy" format="none">HCP</xref> modifies the <spanx style="verb">Date</spa
nx> header to mask out high-resolution time stamps (e.g., rounding to the most r
ecent hour), some information about the date of delivery will still be attached
to the e-mail.
At the very least, the low resolution, global version of the date will be presen
t on the message.
Additionally, Header Fields like <spanx style="verb">Received</spanx> that are a
dded during message delivery might include higher-resolution timestamps.
And if the message lands in a mailbox that is ordered by time of receipt, even i
ts placement in the mailbox and the non-obscured <spanx style="verb">Date</spanx
> Header Fields of the surrounding messages could leak this information.</t>
<t>Some Header Fields like <spanx style="verb">From</spanx> may be impossible to Original:
fully obscure, as many modern message delivery systems depend on at least domai So even if an
n information in the <spanx style="verb">From</spanx> Header Field for determini ambitious HCP opts to remove the human-readable part from any From
ng whether a message is coming from a domain with "good reputation" (that is, fr Header Field, and to standardize/genericize the local part of the
om a domain that is not known for leaking spam). From address, the domain will still leak.
So even if an ambitious <iref item="HCP"/><xref target="header-confidentiality-p
olicy" format="none">HCP</xref> opts to remove the human-readable part from any
<spanx style="verb">From</spanx> Header Field, and to standardize/genericize the
local part of the <spanx style="verb">From</spanx> address, the domain will sti
ll leak.</t>
</section> Perhaps:
</section> So even if an
<section anchor="status-overestimation"><name>A Naive Recipient May Overestimate ambitious HCP opts to remove the human-readable part from any From
the Cryptographic Status of a Header Field in an Encrypted Message</name> Header Field, and to standardize/generalize the local part of the
From address, the domain will still leak.
-->
<t>When an encrypted (or signed-and-encrypted) message is in transit, an active So even if an ambitious <iref item="HCP"/><xref target="header-confidentiality-p
intermediary can strip or tamper with any Header Field that appears outside the olicy" format="none">HCP</xref> opts to remove the human-readable part from any
Cryptographic Envelope. <tt>From</tt> Header Field and to standardize/genericize the local part of the <
tt>From</tt> address, the domain will still leak.</t>
</section>
</section>
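Review bot: The last sentence of the HCP subsection still reads "standardize/genericize the local part", although the [rfced] comment directly above it asks whether "genericize" should become "generalize". Resolve the query and delete the comment. The two words do not mean the same thing here (making the local part generic versus making it more general), so the reply should state which one is intended.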
<section anchor="status-overestimation">
<name>A Naive Recipient May Overestimate the Cryptographic Status of a H
eader Field in an Encrypted Message</name>
<t>When an encrypted (or signed-and-encrypted) message is in transit, an
active intermediary can strip or tamper with any Header Field that appears outs
ide the Cryptographic Envelope.
A receiving MUA that naively infers cryptographic status from differences betwee n the external Header Fields and those found in the Cryptographic Envelope could be tricked into overestimating the protections afforded to some Header Fields.< /t> A receiving MUA that naively infers cryptographic status from differences betwee n the external Header Fields and those found in the Cryptographic Envelope could be tricked into overestimating the protections afforded to some Header Fields.< /t>
<t>For example, if the original sender's <iref item="HCP"/><xref target=
<t>For example, if the original sender's <iref item="HCP"/><xref target="header- "header-confidentiality-policy" format="none">HCP</xref> passes through the <tt>
confidentiality-policy" format="none">HCP</xref> passes through the <spanx style Cc</tt> Header Field unchanged, a cleanly delivered message would indicate that
="verb">Cc</spanx> Header Field unchanged, a cleanly delivered message would ind the <tt>Cc</tt> Header Field has a cryptographic status of <tt>signed</tt>.
icate that the <spanx style="verb">Cc</spanx> Header Field has a cryptographic s But if an intermediary attacker simply removes the Header Field from the unprote
tatus of <spanx style="verb">signed</spanx>. cted Header Section before forwarding the message, then the naive recipient migh
But if an intermediary attacker simply removes the Header Field from the unprote t believe that the field has a cryptographic status of <tt>signed-and-encrypted<
cted Header Section before forwarding the message, then the naive recipient migh /tt>.</t>
t believe that the field has a cryptographic status of <spanx style="verb">signe <t>This document offers protection against such an attack by way of the
d-and-encrypted</spanx>.</t> <tt>HP-Outer</tt> Header Fields that can be found on the Cryptographic Payload.
If a Header Field appears to have been obscured by inspection of the outer messa
<t>This document offers protection against such an attack by way of the <spanx s ge but an <tt>HP-Outer</tt> Header Field matches it exactly, then the receiving
tyle="verb">HP-Outer</spanx> Header Fields that can be found on the Cryptographi MUA can indicate to the user that the Header Field in question may not have been
c Payload. confidential.</t>
If a Header Field appears to have been obscured by inspection of the outer messa <t>In such a case, a cautious MUA may render the Header Field in questio
ge, but an <spanx style="verb">HP-Outer</spanx> Header Field matches it exactly, n as <tt>signed</tt> (because the sender did not hide it) but still treat it as
the receiving MUA can indicate to the user that the Header Field in question ma <tt>signed-and-encrypted</tt> during reply to avoid accidental leakage of the cl
y not have been confidential.</t> eartext value in the reply message, as described in <xref target="avoid-leak"/>.
</t>
<t>In such a case, a cautious MUA may render the Header Field in question as <sp </section>
anx style="verb">signed</spanx> (because the sender did not hide it), but still <section anchor="bcc">
treat it as <spanx style="verb">signed-and-encrypted</spanx> during reply, to av <name>Privacy and Deliverability Risks with Bcc and Encrypted Messages</
oid accidental leakage of the cleartext value in the reply message, as described name>
in <xref target="avoid-leak"/>.</t> <t>As noted in <xref section="9.3" sectionFormat="of" target="RFC9787"/>
, handling Bcc when generating an encrypted email message can be particularly tr
</section> icky.
<section anchor="bcc"><name>Privacy and Deliverability Risks with Bcc and Encryp
ted Messages</name>
<t>As noted in <xref section="9.3" sectionFormat="of" target="I-D.ietf-lamps-e2e
-mail-guidance"/>, handling Bcc when generating an encrypted e-mail message can
be particularly tricky.
With Header Protection, there is an additional wrinkle. With Header Protection, there is an additional wrinkle.
When an encrypted e-mail message with Header Protection has a Bcc'ed recipient, When an encrypted email message with Header Protection has a Bcc'ed recipient, a
and the composing MUA explicitly includes the Bcc'ed recipient's address in thei nd the composing MUA explicitly includes the Bcc'ed recipient's address in their
r copy of the message (see the "second method" in <xref section="3.6.3" sectionF copy of the message (see the "second method" in <xref section="3.6.3" sectionFo
ormat="of" target="RFC5322"/>), that <spanx style="verb">Bcc</spanx> Header Fiel rmat="of" target="RFC5322"/>), that <tt>Bcc</tt> Header Field will always be vis
d will always be visible to the Bcc'ed recipient.</t> ible to the Bcc'ed recipient.</t>
<t>In this scenario, though, the composing MUA has one additional choice
<t>In this scenario, though, the composing MUA has one additional choice: whethe : whether or not to hide the <tt>Bcc</tt> Header Field from intervening message
r to hide the <spanx style="verb">Bcc</spanx> Header Field from intervening mess transport agents by returning <tt>null</tt> when the <iref item="HCP"/><xref tar
age transport agents, by returning <spanx style="verb">null</spanx> when the <ir get="header-confidentiality-policy" format="none">HCP</xref> is invoked for <tt>
ef item="HCP"/><xref target="header-confidentiality-policy" format="none">HCP</x Bcc</tt>.
ref> is invoked for <spanx style="verb">Bcc</spanx>. If the composing MUA's rationale for including an explicit <tt>Bcc</tt> in the c
If the composing MUA's rationale for including an explicit <spanx style="verb">B opy of the message sent to the Bcc recipient is to ensure deliverability via a m
cc</spanx> in the copy of the message sent to the Bcc recipient is to ensure del essage transport agent that inspects message Header Fields, then stripping the <
iverability via a message transport agent that inspects message Header Fields, t tt>Bcc</tt> field during encryption may cause the intervening transport agent to
hen stripping the <spanx style="verb">Bcc</spanx> field during encryption may ca drop the message entirely.
use the intervening transport agent to drop the message entirely. This is why <tt>Bcc</tt> is not explicitly stripped in <tt>hcp_baseline</tt>.</t
This is why <spanx style="verb">Bcc</spanx> is not explicitly stripped in <spanx >
style="verb">hcp_baseline</spanx>.</t> <t>On the other hand, if deliverability to a <tt>Bcc</tt>'ed recipient i
s not a concern, the most privacy-preserving option is to simply omit the <tt>Bc
<t>If, on the other hand, deliverability to a <spanx style="verb">Bcc</spanx>'ed c</tt> Header Field from the protected Header Section in the first place.
recipient is not a concern, the most privacy-preserving option is to simply omi An MUA that is capable of receiving and processing such a message can infer that
t the <spanx style="verb">Bcc</spanx> Header Field from the protected Header Sec since their user's address was not mentioned in any <tt>To</tt> or <tt>Cc</tt>
tion in the first place. Header Field, they were likely a <tt>Bcc</tt> recipient.</t>
An MUA that is capable of receiving and processing such a message can infer that <t>Please also see <xref section="9.3" sectionFormat="of" target="RFC978
since their user's address was not mentioned in any <spanx style="verb">To</spa 7"/> for more discussion about Bcc and encrypted messages.</t>
nx> or <spanx style="verb">Cc</spanx> Header Field, they were likely a <spanx st </section>
yle="verb">Bcc</spanx> recipient.</t> </section>
<section anchor="iana-considerations">
<t>Please also see <xref section="9.3" sectionFormat="of" target="I-D.ietf-lamps <name>IANA Considerations</name>
-e2e-mail-guidance"/> for more discussion about Bcc and encrypted messages.</t>
</section>
</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>
<t>This document registers an e-mail Header Field, describes parameters for the
<spanx style="verb">Content-Type</spanx> Header Field, and establishes a registr
y for Header Confidentiality Policies to facilitate <iref item="HCP"/><xref targ
et="header-confidentiality-policy" format="none">HCP</xref> evolution.</t>
<section anchor="register-the-hp-outer-header-field"><name>Register the HP-Outer
Header Field</name>
<t>This document requests IANA to register the following Header Field in the "Pe <!--[rfced] We have included some specific questions about the IANA
rmanent Message Header Field Names" registry within "Message Headers" in accorda text below. In addition to responding to those questions, please
nce with <xref target="RFC3864"/>.</t> review all of the IANA-related updates carefully and let us know
if any further updates are needed.
<texttable title="Additions to 'Permanent Message Header Field Names' registry"> a) In Section 12.1, does the "Author/Change Controller" information
<ttcol align='left'>Header Field Name</ttcol> only apply to the "HP-Outer" registration? If so, may we update the
<ttcol align='left'>Template</ttcol> text below to reflect "this entry" (instead of "these two entries")
<ttcol align='left'>Protocol</ttcol> as shown in option A? Or if it also applies to the "Content-Type"
<ttcol align='left'>Status</ttcol> registration, may we move it to the end of Section 12.2 and update
<ttcol align='left'>Reference</ttcol> the text as shown in option B?
<c><spanx style="verb">HP-Outer</spanx></c>
<c>&#160;</c>
<c>mail</c>
<c>standard</c>
<c><xref target="new-header-field"/> of RFCXXXX</c>
</texttable>
<t>The Author/Change Controller of these two entries (<xref section="4.5" sectio Original:
nFormat="of" target="RFC3864"/>) should be the IETF itself.</t> The Author/Change Controller of these two entries (Section 4.5 of
[RFC3864]) should be the IETF itself.
</section> Perhaps A:
<section anchor="update-reference-for-content-type-header-field-due-to-hp-and-hp The Author/Change Controller (Section 4.5 of [RFC3864]) for this
-legacy-display-parameters"><name>Update Reference for Content-Type Header Field entry is the IETF itself.
due to hp and hp-legacy-display Parameters</name>
<t>This document also defines the <spanx style="verb">Content-Type</spanx> param Perhaps B:
eters known as <spanx style="verb">hp</spanx> (in <xref target="hp-parameter"/>) The Author/Change Controller (Section 4.5 of [RFC3864])
and <spanx style="verb">hp-legacy-display</spanx> (in <xref target="hp-legacy-d for the HP-Outer and Content-Type Header Field name
isplay"/>). registrations is the IETF itself.
Consequently, the <spanx style="verb">Content-Type</spanx> row in the "Permanent
Message Header Field Names" registry should add a reference to this RFC to its
"References" column.</t>
<t>That is, the current row:</t> b) FYI - We removed the blank columns from Tables 2 and 3. We also
removed Table 4 (in Section 12.2) as one table is sufficient to
show the addition of this document as a reference to the
"Permanent Message Header Field Names" registry (see Table 3).
<texttable title="Existing row in 'Permanent Message Header Field Names' registr c) We shortened the title of Section 12.2 as the hp and
y"> hp-legacy-display parameters are mentioned in the introductory
<ttcol align='left'>Header Field Name</ttcol> sentence. Please let us know of any objections.
<ttcol align='left'>Template</ttcol>
<ttcol align='left'>Protocol</ttcol>
<ttcol align='left'>Status</ttcol>
<ttcol align='left'>Reference</ttcol>
<c><spanx style="verb">Content-Type</spanx></c>
<c>&#160;</c>
<c>MIME</c>
<c>&#160;</c>
<c><xref target="RFC4021"/></c>
</texttable>
<t>Should be updated to have the following values:</t> Original:
12.2 Update Reference for Content-Type Header Field due to
hp and hp-legacy-display Parameters
<texttable title="Replacement row in 'Permanent Message Header Field Names' regi Current:
stry"> 12.2 Reference Update for the Content-Type Header Field
<ttcol align='left'>Header Field Name</ttcol>
<ttcol align='left'>Template</ttcol>
<ttcol align='left'>Protocol</ttcol>
<ttcol align='left'>Status</ttcol>
<ttcol align='left'>Reference</ttcol>
<c><spanx style="verb">Content-Type</spanx></c>
<c>&#160;</c>
<c>MIME</c>
<c>&#160;</c>
<c><xref target="RFC4021"/> [RFCXXXX]</c>
</texttable>
</section> d) FYI - In Section 12.3, we ordered the notes to match the order
<section anchor="new-registry-mail-header-confidentiality-policies"><name>New Re in the IANA registry <https://www.iana.org/assignments/mail-parameters/>;
gistry: Mail Header Confidentiality Policies</name> please let us know of any objections.
-->
<t>This document also requests IANA to create a new registry in the <eref target <t>This document registers an email Header Field, describes parameters for
="https://www.iana.org/assignments/mail-parameters/">"Mail Parameters" protocol the <tt>Content-Type</tt> Header Field, and establishes a registry for Header C
group</eref> titled <spanx style="verb">Mail Header Confidentiality Policies</sp onfidentiality Policies to facilitate <iref item="HCP"/><xref target="header-con
anx> with the following content:</t> fidentiality-policy" format="none">HCP</xref> evolution.</t>
<section anchor="register-the-hp-outer-header-field">
<name>Registration of the HP-Outer Header Field</name>
<t>IANA has registered the following Header Field in the "Permanent Mess
age Header Field Names" registry within the "Message Headers" registry group <er
ef target="https://www.iana.org/assignments/message-headers" brackets="angle"/>
in accordance with <xref target="RFC3864"/>.</t>
<table>
<name>Addition to the Permanent Message Header Field Names Registry</n
ame>
<thead>
<tr>
<th align="left">Header Field Name</th>
<th align="left">Protocol</th>
<th align="left">Status</th>
<th align="left">Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">
<tt>HP-Outer</tt></td>
<td align="left">mail</td>
<td align="left">standard</td>
<td align="left"> <xref target="new-header-field"/> of RFC 9788</t
d>
</tr>
</tbody>
</table>
<texttable title="Mail Header Confidentiality Policies registry"> <t>The Author/Change Controller of these two entries (<xref section="4.5
<ttcol align='left'>Header Confidentiality Policy Name</ttcol> " sectionFormat="of" target="RFC3864"/>) should be the IETF itself.</t>
<ttcol align='left'>Description</ttcol> </section>
<ttcol align='left'>Reference</ttcol> <section anchor="update-reference-for-content-type-header-field-due-to-hp-
<ttcol align='left'>Recommended</ttcol> and-hp-legacy-display-parameters">
<c><spanx style="verb">hcp_no_confidentiality</spanx></c> <name>Reference Update for the Content-Type Header Field</name>
<c>No header confidentiality</c> <t>This document defines the <tt>Content-Type</tt> parameters known as <
<c><xref target="no-confidentiality-hcp"/> of RFCXXX (this document)</c> tt>hp</tt> (in <xref target="hp-parameter"/>) and <tt>hp-legacy-display</tt> (in
<c>N</c> <xref target="hp-legacy-display"/>).
<c><spanx style="verb">hcp_baseline</spanx></c> Consequently, this document has been added as a reference for <tt>Content
<c>Confidentiality for Informational Header Fields: <spanx style="verb">Su -Type</tt> in the "Permanent Message Header Field Names" registry as shown below
bject</spanx> Header Field is obscured, <spanx style="verb">Keywords</spanx> and .</t>
<spanx style="verb">Comments</spanx> are removed</c> <table>
<c><xref target="baseline-hcp"/> of RFCXXX (this document)</c> <name>Permanent Message Header Field Names Registry</name>
<c>Y</c> <thead>
<c><spanx style="verb">hcp_shy</spanx></c> <tr>
<c>Obscure <spanx style="verb">Subject</spanx>, remove <spanx style="verb" <th align="left">Header Field Name</th>
>Keywords</spanx> and <spanx style="verb">Comments</spanx>, remove the time zone <th align="left">Protocol</th>
from <spanx style="verb">Date</spanx>, and obscure <spanx style="verb">display- <th align="left">Reference</th>
name</spanx>s</c> </tr>
<c><xref target="shy-hcp"/> of RFCXXX (this document)</c> </thead>
<c>N</c> <tbody>
</texttable> <tr>
<td align="left">
<tt>Content-Type</tt></td>
<td align="left">MIME</td>
<td align="left"> <xref target="RFC4021"/> and RFC 9788</td>
</tr>
</tbody>
</table>
</section>
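Review bot: The closing sentence of the HP-Outer registration section still says "The Author/Change Controller of these two entries (...) should be the IETF itself", but the revised table above it registers a single entry, and the rest of the section has moved to completed-action wording ("IANA has registered the following Header Field"). Editor query (a) offers options A and B for this sentence. Choose A if the statement covers only HP-Outer, or B (moved to the end of the Content-Type section) if it covers both, then remove the query comment.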
<section anchor="new-registry-mail-header-confidentiality-policies">
<name>New Mail Header Confidentiality Policies Registry</name>
<t>IANA has created a new registry titled "Mail Header Confidentiality P
olicies" within the "MAIL Parameters" registry group <eref target="https://www.i
ana.org/assignments/mail-parameters/" brackets="angle"/> with the following cont
ent:</t>
<table>
<name>Mail Header Confidentiality Policies Registry</name>
<thead>
<tr>
<th align="left">Header Confidentiality Policy Name</th>
<th align="left">Description</th>
<th align="left">Recommended</th>
<th align="left">Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left"><tt>hcp_no_confidentiality</tt></td>
<td align="left">No header confidentiality</td>
<td align="left">N</td>
<td align="left"><xref target="no-confidentiality-hcp"/> of RFC 97
88</td>
</tr>
<tr>
<td align="left"><tt>hcp_baseline</tt></td>
<td align="left">Confidentiality for Informational Header Fields:
<tt>Subject</tt> Header Field is obscured, <tt>Keywords</tt> and <tt>Comments</
tt> are removed</td>
<td align="left">Y</td>
<td align="left"><xref target="baseline-hcp"/> of RFC 9788</td>
</tr>
<tr>
<td align="left"><tt>hcp_shy</tt></td>
<td align="left">Obscure <tt>Subject</tt>, remove <tt>Keywords</tt>
and <tt>Comments</tt>, remove the time zone from <tt>Date</tt>, and obscure <tt
>display-name</tt>s</td>
<td align="left">N</td>
<td align="left"><xref target="shy-hcp"/> of RFC 9788</td>
</tr>
</tbody>
</table>
<t>Note that <tt>hcp_example_hide_cc</tt> is offered as an example in <x
ref target="header-confidentiality-policy"/> but is not formally registered by t
his document.</t>
<t>The following textual note has been added to this registry:</t>
<t><spanx style="verb">hcp_example_hide_cc</spanx> is offered as an example in < <blockquote>Adding an entry to this registry with an <tt>N</tt> in the "
xref target="header-confidentiality-policy"/> but is not formally registered by Recommended" column follows the registration policy of Specification Required.
this document.</t> Adding an entry to this registry with a <tt>Y</tt> in the "Recommended" c
olumn or changing the "Recommended" column in an existing entry (from <tt>N</tt>
to <tt>Y</tt> or vice versa) requires IETF Review.</blockquote>
<t>Please add the following textual note to this registry:</t> <t>Note that during IETF Review, the designated expert must be consulted. Guidance for the designated expert can be found in <xref target="hcp-expert-gui dance"/>.</t>
<ul empty="true"><li> <t>Additionally, this textual note has been added to the registry:</t>
<t>The <iref item="Header Confidentiality Policy"/><xref target="header-confid <blockquote>The <iref item="Header Confidentiality Policy"/><xref target
entiality-policy" format="none">Header Confidentiality Policy</xref> Name never ="header-confidentiality-policy" format="none">Header Confidentiality Policy</xr
appears on the wire. ef> Name never appears on the wire.
This registry merely tracks stable references to implementable descriptions of d istinct policies. This registry merely tracks stable references to implementable descriptions of d istinct policies.
Any addition to this registry should be governed by guidance in <xref target="hc Any addition to this registry should be governed by guidance in <xref target="hc
p-expert-guidance"/> of RFC XXX (this document).</t> p-expert-guidance"/> of RFC 9788.</blockquote>
</li></ul> </section>
</section>
<t>Adding an entry to this registry with an <spanx style="verb">N</spanx> in the
"Recommended" column follows the registration policy of SPECIFICATION <bcp14>RE
QUIRED</bcp14>.
Adding an entry to this registry with a <spanx style="verb">Y</spanx> in the "Re
commended" column or changing the "Recommended" column in an existing entry (fro
m <spanx style="verb">N</spanx> to <spanx style="verb">Y</spanx> or vice versa)
requires IETF REVIEW.
During IETF REVIEW, the designated expert must also be consulted.
Guidance for the designated expert can be found in <xref target="hcp-expert-guid
ance"/>.</t>
</section>
</section>
<section anchor="acknowledgments"><name>Acknowledgments</name>
<t>Alexander Krotov identified the risk of <spanx style="verb">From</spanx> addr
ess spoofing (see <xref target="from-addr-spoofing"/>) and helped provide guidan
ce to MUAs.</t>
<t>Thore Göbel identified significant gaps in earlier versions of this document,
and proposed concrete and substantial improvements.
Thanks to his contributions, the document is clearer, and the protocols describe
d herein are more useful.</t>
<t>Additionally, the authors would like to thank the following people who have p
rovided helpful comments and suggestions for this document:
Berna Alp,
Bernhard E. Reiter,
Bron Gondwana,
Carl Wallace,
Claudio Luck,
Daniel Huigens,
David Wilson,
Éric Vyncke,
Hernani Marques,
juga,
Krista Bennett,
Kelly Bristol,
Lars Rohwedder,
Michael StJohns,
Nicolas Lidzborski,
Orie Steele,
Paul Wouters,
Peter Yee,
Phillip Tao,
Robert Williams,
Rohan Mahy,
Roman Danyliw,
Russ Housley,
Sofia Balicka,
Steve Kille,
Volker Birk,
Warren Kumari, and
Wei Chuang.</t>
</section>
</middle> </middle>
<back> <back>
<references title='Normative References' anchor="sec-normative-references"> <displayreference target="I-D.pep-general" to="PEP-GENERAL"/>
<displayreference target="I-D.pep-email" to="PEP-EMAIL"/>
<reference anchor="RFC8551"> <displayreference target="I-D.autocrypt-lamps-protected-headers" to="PROTECT
<front> ED-HEADERS"/>
<title>Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Mes
sage Specification</title>
<author fullname="J. Schaad" initials="J." surname="Schaad"/>
<author fullname="B. Ramsdell" initials="B." surname="Ramsdell"/>
<author fullname="S. Turner" initials="S." surname="Turner"/>
<date month="April" year="2019"/>
<abstract>
<t>This document defines Secure/Multipurpose Internet Mail Extensions (S/M
IME) version 4.0. S/MIME provides a consistent way to send and receive secure MI
ME data. Digital signatures provide authentication, message integrity, and non-r
epudiation with proof of origin. Encryption provides data confidentiality. Compr
ession can be used to reduce data size. This document obsoletes RFC 5751.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8551"/>
<seriesInfo name="DOI" value="10.17487/RFC8551"/>
</reference>
<reference anchor="RFC2119">
<front>
<title>Key words for use in RFCs to Indicate Requirement Levels</title>
<author fullname="S. Bradner" initials="S." surname="Bradner"/>
<date month="March" year="1997"/>
<abstract>
<t>In many standards track documents several words are used to signify the
requirements in the specification. These words are often capitalized. This docu
ment defines these words as they should be interpreted in IETF documents. This d
ocument specifies an Internet Best Current Practices for the Internet Community,
and requests discussion and suggestions for improvements.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="2119"/>
<seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC8174">
<front>
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
<author fullname="B. Leiba" initials="B." surname="Leiba"/>
<date month="May" year="2017"/>
<abstract>
<t>RFC 2119 specifies common key words that may be used in protocol specif
ications. This document aims to reduce the ambiguity by clarifying that only UPP
ERCASE usage of the key words have the defined special meanings.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="8174"/>
<seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>
<reference anchor="RFC8126"> <references>
<front> <name>References</name>
<title>Guidelines for Writing an IANA Considerations Section in RFCs</title> <references anchor="sec-normative-references">
<author fullname="M. Cotton" initials="M." surname="Cotton"/> <name>Normative References</name>
<author fullname="B. Leiba" initials="B." surname="Leiba"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
<author fullname="T. Narten" initials="T." surname="Narten"/> 551.xml"/>
<date month="June" year="2017"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
<abstract> 119.xml"/>
<t>Many protocols make use of points of extensibility that use constants t <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
o identify various protocol parameters. To ensure that the values in these field 174.xml"/>
s do not have conflicting uses and to promote interoperability, their allocation <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
s are often coordinated by a central record keeper. For IETF protocols, that rol 126.xml"/>
e is filled by the Internet Assigned Numbers Authority (IANA).</t> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
<t>To make assignments in a given registry prudently, guidance describing 045.xml"/>
the conditions under which new values should be assigned, as well as when and ho
w modifications to existing values can be made, is needed. This document defines
a framework for the documentation of these guidelines by specification authors,
in order to assure that the provided guidance for the IANA Considerations is cl
ear and addresses the various issues that are likely in the operation of a regis
try.</t>
<t>This is the third edition of this document; it obsoletes RFC 5226.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="26"/>
<seriesInfo name="RFC" value="8126"/>
<seriesInfo name="DOI" value="10.17487/RFC8126"/>
</reference>
<reference anchor="RFC2045"> <!-- [RFC9787] draft-ietf-lamps-e2e-mail-guidance-17 companion document RFC 9787
<front> ; in EDIT as of 05/12/25. -->
<title>Multipurpose Internet Mail Extensions (MIME) Part One: Format of Inte
rnet Message Bodies</title>
<author fullname="N. Freed" initials="N." surname="Freed"/>
<author fullname="N. Borenstein" initials="N." surname="Borenstein"/>
<date month="November" year="1996"/>
<abstract>
<t>This initial document specifies the various headers used to describe th
e structure of MIME messages. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="2045"/>
<seriesInfo name="DOI" value="10.17487/RFC2045"/>
</reference>
<reference anchor="I-D.ietf-lamps-e2e-mail-guidance"> <reference anchor="RFC9787" target="https://www.rfc-editor.org/info/rfc9787">
<front> <front>
<title>Guidance on End-to-End E-mail Security</title> <title>Guidance on End-to-End Email Security</title>
<author fullname="Daniel Kahn Gillmor" initials="D. K." surname="Gillmor"> <author initials="D. K." surname="Gillmor" fullname="Daniel Kahn
Gillmor" role="editor">
<organization>American Civil Liberties Union</organization> <organization>American Civil Liberties Union</organization>
</author> </author>
<author fullname="Bernie Hoeneisen" initials="B." surname="Hoeneisen"> <author initials="B." surname="Hoeneisen" fullname="Bernie
Hoeneisen" role="editor">
<organization>pEp Project</organization> <organization>pEp Project</organization>
</author> </author>
<author fullname="Alexey Melnikov" initials="A." surname="Melnikov"> <author initials="A." surname="Melnikov" fullname="Alexey
Melnikov" role="editor">
<organization>Isode Ltd</organization> <organization>Isode Ltd</organization>
</author> </author>
<date day="16" month="March" year="2024"/> <date month="May" year="2025" />
<abstract>
<t> End-to-end cryptographic protections for e-mail messages can provi
de
useful security. However, the standards for providing cryptographic
protection are extremely flexible. That flexibility can trap users
and cause surprising failures. This document offers guidance for
mail user agent implementers to help mitigate those risks, and to
make end-to-end e-mail simple and secure for the end user. It
provides a useful set of vocabulary as well as recommendations to
avoid common failures. It also identifies a number of currently
unsolved usability and interoperability problems.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-e2e-mail-guidance-1 <seriesInfo name="RFC" value="9787"/>
6"/> <seriesInfo name="DOI" value="10.17487/RFC9787"/>
</reference> </reference>
<reference anchor="RFC5234"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
<front> 234.xml"/>
<title>Augmented BNF for Syntax Specifications: ABNF</title> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
<author fullname="D. Crocker" initials="D." role="editor" surname="Crocker"/ 322.xml"/>
> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
<author fullname="P. Overell" initials="P." surname="Overell"/> 083.xml"/>
<date month="January" year="2008"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
<abstract> 652.xml"/>
<t>Internet technical specifications often need to define a formal syntax. <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
Over the years, a modified version of Backus-Naur Form (BNF), called Augmented 580.xml"/>
BNF (ABNF), has been popular among many Internet specifications. The current spe <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3
cification documents ABNF. It balances compactness and simplicity with reasonabl 864.xml"/>
e representational power. The differences between standard BNF and ABNF involve </references>
naming rules, repetition, alternatives, order-independence, and value ranges. Th <references anchor="sec-informative-references">
is specification also supplies additional rule definitions and encoding for a co <name>Informative References</name>
re lexical analyzer of the type common to several Internet specifications. [STAN
DARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="STD" value="68"/>
<seriesInfo name="RFC" value="5234"/>
<seriesInfo name="DOI" value="10.17487/RFC5234"/>
</reference>
<reference anchor="RFC5322"> <reference anchor="chrome-indicators" target="https://blog.chromium.org/
<front> 2018/05/evolving-chromes-security-indicators.html">
<title>Internet Message Format</title> <front>
<author fullname="P. Resnick" initials="P." role="editor" surname="Resnick"/ <title>Evolving Chrome's security indicators</title>
> <author initials="E." surname="Schechter" fullname="Emily Schechter"
<date month="October" year="2008"/> >
<abstract> <organization/>
<t>This document specifies the Internet Message Format (IMF), a syntax for </author>
text messages that are sent between computer users, within the framework of "el <date year="2018" month="May"/>
ectronic mail" messages. This specification is a revision of Request For Comment </front>
s (RFC) 2822, which itself superseded Request For Comments (RFC) 822, "Standard <refcontent>Chromium Blog</refcontent>
for the Format of ARPA Internet Text Messages", updating it to reflect current p </reference>
ractice and incorporating incremental changes that were specified in other RFCs.
[STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5322"/>
<seriesInfo name="DOI" value="10.17487/RFC5322"/>
</reference>
<reference anchor="RFC5083"> <reference anchor="CSS" target="https://www.w3.org/TR/2016/WD-CSS22-2016
<front> 0412/">
<title>Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Conte <front>
nt Type</title> <title>Cascading Style Sheets Level 2 Revision 2 (CSS 2.2) Specifica
<author fullname="R. Housley" initials="R." surname="Housley"/> tion</title>
<date month="November" year="2007"/> <author initials="B." surname="Bos" fullname="Bert" role="editor"/>
<abstract> <date year="2016" month="April" day="12"/>
<t>This document describes an additional content type for the Cryptographi </front>
c Message Syntax (CMS). The authenticated-enveloped-data content type is intende <refcontent>W3C First Public Working Draft</refcontent>
d for use with authenticated encryption modes. All of the various key management <annotation>Latest version available at <eref target="https://www.w3.o
techniques that are supported in the CMS enveloped-data content type are also s rg/TR/CSS22/" brackets="angle"/>.</annotation>
upported by the CMS authenticated-enveloped-data content type. [STANDARDS-TRACK] </reference>
</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5083"/>
<seriesInfo name="DOI" value="10.17487/RFC5083"/>
</reference>
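Review bot: in the new CSS entry, the author element reads initials="B." surname="Bos" fullname="Bert", so fullname carries only the given name while the surname sits in its own attribute. The other new entries spell the whole name in fullname (for example fullname="Emily Schechter"), so this should become fullname="Bert Bos" for consistency and correct rendering. The change also replaces the old organization author (World Wide Web Consortium) with a single editor. If the W3C attribution is still wanted, it now survives only in the refcontent line and the annotation URL, which is worth confirming as intended.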
<reference anchor="RFC5652"> <reference anchor="PGPCONTROL" target="https://ftp.isc.org/pub/pgpcontro
<front> l/">
<title>Cryptographic Message Syntax (CMS)</title> <front>
<author fullname="R. Housley" initials="R." surname="Housley"/> <title>Authentication of Usenet Group Changes</title>
<date month="September" year="2009"/> <author>
<abstract> <organization>UUNET Technologies, Inc.</organization>
<t>This document describes the Cryptographic Message Syntax (CMS). This sy </author>
ntax is used to digitally sign, digest, authenticate, or encrypt arbitrary messa <date year="2016" month="October" day="27"/>
ge content. [STANDARDS-TRACK]</t> </front>
</abstract> </reference>
</front>
<seriesInfo name="STD" value="70"/>
<seriesInfo name="RFC" value="5652"/>
<seriesInfo name="DOI" value="10.17487/RFC5652"/>
</reference>
<reference anchor="RFC9580"> <reference anchor="PGPVERIFY-FORMAT" target="https://www.eyrie.org/~eagl
<front> e/usefor/other/pgpverify">
<title>OpenPGP</title> <front>
<author fullname="P. Wouters" initials="P." role="editor" surname="Wouters"/ <title>Signing Control Messages, Verifying Control Messages</title>
> <author initials="D. C." surname="Lawrence" fullname="David C Lawren
<author fullname="D. Huigens" initials="D." surname="Huigens"/> ce">
<author fullname="J. Winter" initials="J." surname="Winter"/> <organization/>
<author fullname="Y. Niibe" initials="Y." surname="Niibe"/> </author>
<date month="July" year="2024"/> </front>
<abstract> </reference>
<t>This document specifies the message formats used in OpenPGP. OpenPGP pr
ovides encryption with public key or symmetric cryptographic algorithms, digital
signatures, compression, and key management.</t>
<t>This document is maintained in order to publish all necessary informati
on needed to develop interoperable applications based on the OpenPGP format. It
is not a step-by-step cookbook for writing an application. It describes only the
format and methods needed to read, check, generate, and write conforming packet
s crossing any network. It does not deal with storage and implementation questio
ns. It does, however, discuss implementation issues necessary to avoid security
flaws.</t>
<t>This document obsoletes RFCs 4880 ("OpenPGP Message Format"), 5581 ("Th
e Camellia Cipher in OpenPGP"), and 6637 ("Elliptic Curve Cryptography (ECC) in
OpenPGP").</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9580"/>
<seriesInfo name="DOI" value="10.17487/RFC9580"/>
</reference>
<reference anchor="RFC3864"> <reference anchor="HTML-ESCAPES" target="https://www.w3.org/Internationa
<front> l/questions/qa-escapes#use">
<title>Registration Procedures for Message Header Fields</title> <front>
<author fullname="G. Klyne" initials="G." surname="Klyne"/> <title>Using character escapes in markup and CSS</title>
<author fullname="M. Nottingham" initials="M." surname="Nottingham"/> <author>
<author fullname="J. Mogul" initials="J." surname="Mogul"/> <organization>W3C</organization>
<date month="September" year="2004"/> </author>
<abstract> <date day="12" month="August" year="2010"/>
<t>This specification defines registration procedures for the message head </front>
er fields used by Internet mail, HTTP, Netnews and other applications. This docu </reference>
ment specifies an Internet Best Current Practices for the Internet Community, an <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
d requests discussion and suggestions for improvements.</t> 049.xml"/>
</abstract> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
</front> 376.xml"/>
<seriesInfo name="BCP" value="90"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
<seriesInfo name="RFC" value="3864"/> 489.xml"/>
<seriesInfo name="DOI" value="10.17487/RFC3864"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3
</reference> 156.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
047.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
929.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
162.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
890.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
891.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1
035.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
617.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
021.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
216.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
751.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3
851.xml"/>
</references> <!-- [I-D.pep-general; Expired as of 5/14/25] -->
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
pep-general.xml"/>
<references title='Informative References' anchor="sec-informative-reference <!-- [I-D.pep-email; Expired as of 5/14/25] -->
s"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
pep-email.xml"/>
<reference anchor="chrome-indicators" target="https://blog.chromium.org/2018/05/ <!--[I-D.autocrypt-lamps-protected-headers] draft-autocrypt-lamps-protected-head
evolving-chromes-security-indicators.html"> ers-02 IESG State: I-D Expired as of 05/14/25.
<front> -->
<title>Evolving Chrome's security indicators</title> <reference anchor="I-D.autocrypt-lamps-protected-headers" target="https://datatr
<author initials="E." surname="Schechter" fullname="Emily Schechter"> acker.ietf.org/doc/html/draft-autocrypt-lamps-protected-headers-03">
<organization></organization>
</author>
<date year="2018" month="May"/>
</front>
</reference>
<reference anchor="CSS" target="https://www.w3.org/TR/2016/WD-CSS22-20160412/">
<front>
<title>Cascading Style Sheets Level 2 Revision 2 (CSS 2.2) Specification</ti
tle>
<author >
<organization>World Wide Web Consortium</organization>
</author>
<date year="2016" month="April" day="12"/>
</front>
</reference>
<reference anchor="PGPCONTROL" target="https://ftp.isc.org/pub/pgpcontrol/">
<front> <front>
<title>Authentication of Usenet Group Changes</title> <title>(Deprecated) Protected E-mail Headers</title>
<author > <author fullname="Bjarni Rúnar Einarsson" initials="B. R." surname="Einarsso
<organization>UUNET Technologies, Inc.</organization> n">
<organization>Mailpile ehf</organization>
</author> </author>
<date year="2016" month="October" day="27"/> <author fullname="juga" initials="" surname="juga">
</front> <organization>Independent</organization>
</reference>
<reference anchor="PGPVERIFY-FORMAT" target="https://www.eyrie.org/~eagle/usefor
/other/pgpverify">
<front>
<title>Signing Control Messages, Verifying Control Messages</title>
<author initials="D. C." surname="Lawrence" fullname="David C Lawrence">
<organization></organization>
</author> </author>
<date year="n.d."/> <author fullname="Daniel Kahn Gillmor" initials="D. K." surname="Gillmor">
</front> <organization>American Civil Liberties Union</organization>
</reference>
<reference anchor="HTML-ESCAPES" target="https://www.w3.org/International/questi
ons/qa-escapes#use">
<front>
<title>Using character escapes in markup and CSS</title>
<author >
<organization>W3C</organization>
</author> </author>
<date year="n.d."/> <date day="16" month="April" year="2025"/>
</front>
</reference>
<reference anchor="RFC2049">
<front>
<title>Multipurpose Internet Mail Extensions (MIME) Part Five: Conformance C
riteria and Examples</title>
<author fullname="N. Freed" initials="N." surname="Freed"/>
<author fullname="N. Borenstein" initials="N." surname="Borenstein"/>
<date month="November" year="1996"/>
<abstract>
<t>This set of documents, collectively called the Multipurpose Internet Ma
il Extensions, or MIME, redefines the format of messages. This fifth and final d
ocument describes MIME conformance criteria as well as providing some illustrati
ve examples of MIME message formats, acknowledgements, and the bibliography. [ST
ANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="2049"/>
<seriesInfo name="DOI" value="10.17487/RFC2049"/>
</reference>
<reference anchor="RFC6376">
<front>
<title>DomainKeys Identified Mail (DKIM) Signatures</title>
<author fullname="D. Crocker" initials="D." role="editor" surname="Crocker"/
>
<author fullname="T. Hansen" initials="T." role="editor" surname="Hansen"/>
<author fullname="M. Kucherawy" initials="M." role="editor" surname="Kuchera
wy"/>
<date month="September" year="2011"/>
<abstract>
<t>DomainKeys Identified Mail (DKIM) permits a person, role, or organizati
on that owns the signing domain to claim some responsibility for a message by as
sociating the domain with the message. This can be an author's organization, an
operational relay, or one of their agents. DKIM separates the question of the id
entity of the Signer of the message from the purported author of the message. As
sertion of responsibility is validated through a cryptographic signature and by
querying the Signer's domain directly to retrieve the appropriate public key. Me
ssage transit from author to recipient is through relays that typically make no
substantive change to the message content and thus preserve the DKIM signature.<
/t>
<t>This memo obsoletes RFC 4871 and RFC 5672. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="STD" value="76"/>
<seriesInfo name="RFC" value="6376"/>
<seriesInfo name="DOI" value="10.17487/RFC6376"/>
</reference>
<reference anchor="RFC7489">
<front>
<title>Domain-based Message Authentication, Reporting, and Conformance (DMAR
C)</title>
<author fullname="M. Kucherawy" initials="M." role="editor" surname="Kuchera
wy"/>
<author fullname="E. Zwicky" initials="E." role="editor" surname="Zwicky"/>
<date month="March" year="2015"/>
<abstract>
<t>Domain-based Message Authentication, Reporting, and Conformance (DMARC)
is a scalable mechanism by which a mail-originating organization can express do
main-level policies and preferences for message validation, disposition, and rep
orting, that a mail-receiving organization can use to improve mail handling.</t>
<t>Originators of Internet Mail need to be able to associate reliable and
authenticated domain identifiers with messages, communicate policies about messa
ges that use those identifiers, and report about mail using those identifiers. T
hese abilities have several benefits: Receivers can provide feedback to Domain O
wners about the use of their domains; this feedback can provide valuable insight
about the management of internal operations and the presence of external domain
name abuse.</t>
<t>DMARC does not produce or encourage elevated delivery privilege of auth
enticated email. DMARC is a mechanism for policy distribution that enables incre
asingly strict handling of messages that fail authentication checks, ranging fro
m no action, through altered delivery, up to message rejection.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7489"/>
<seriesInfo name="DOI" value="10.17487/RFC7489"/>
</reference>
<reference anchor="RFC3156">
<front>
<title>MIME Security with OpenPGP</title>
<author fullname="M. Elkins" initials="M." surname="Elkins"/>
<author fullname="D. Del Torto" initials="D." surname="Del Torto"/>
<author fullname="R. Levien" initials="R." surname="Levien"/>
<author fullname="T. Roessler" initials="T." surname="Roessler"/>
<date month="August" year="2001"/>
<abstract>
<t>This document describes how the OpenPGP Message Format can be used to p
rovide privacy and authentication using the Multipurpose Internet Mail Extension
s (MIME) security content types described in RFC 1847. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="3156"/>
<seriesInfo name="DOI" value="10.17487/RFC3156"/>
</reference>
<reference anchor="RFC2047">
<front>
<title>MIME (Multipurpose Internet Mail Extensions) Part Three: Message Head
er Extensions for Non-ASCII Text</title>
<author fullname="K. Moore" initials="K." surname="Moore"/>
<date month="November" year="1996"/>
<abstract>
<t>This particular document is the third document in the series. It descri
bes extensions to RFC 822 to allow non-US-ASCII text data in Internet mail heade
r fields. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="2047"/>
<seriesInfo name="DOI" value="10.17487/RFC2047"/>
</reference>
<reference anchor="RFC7929">
<front>
<title>DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPG
P</title>
<author fullname="P. Wouters" initials="P." surname="Wouters"/>
<date month="August" year="2016"/>
<abstract>
<t>OpenPGP is a message format for email (and file) encryption that lacks
a standardized lookup mechanism to securely obtain OpenPGP public keys. DNS-Base
d Authentication of Named Entities (DANE) is a method for publishing public keys
in DNS. This document specifies a DANE method for publishing and locating OpenP
GP public keys in DNS for a specific email address using a new OPENPGPKEY DNS re
source record. Security is provided via Secure DNS, however the OPENPGPKEY recor
d is not a replacement for verification of authenticity via the "web of trust" o
r manual verification. The OPENPGPKEY record can be used to encrypt an email tha
t would otherwise have to be sent unencrypted.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7929"/>
<seriesInfo name="DOI" value="10.17487/RFC7929"/>
</reference>
<reference anchor="RFC8162">
<front>
<title>Using Secure DNS to Associate Certificates with Domain Names for S/MI
ME</title>
<author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
<author fullname="J. Schlyter" initials="J." surname="Schlyter"/>
<date month="May" year="2017"/>
<abstract>
<t>This document describes how to use secure DNS to associate an S/MIME us
er's certificate with the intended domain name, similar to the way that DNS-Base
d Authentication of Named Entities (DANE), RFC 6698, does for TLS.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8162"/>
<seriesInfo name="DOI" value="10.17487/RFC8162"/>
</reference>
<reference anchor="RFC5890">
<front>
<title>Internationalized Domain Names for Applications (IDNA): Definitions a
nd Document Framework</title>
<author fullname="J. Klensin" initials="J." surname="Klensin"/>
<date month="August" year="2010"/>
<abstract>
<t>This document is one of a collection that, together, describe the proto
col and usage context for a revision of Internationalized Domain Names for Appli
cations (IDNA), superseding the earlier version. It describes the document colle
ction and provides definitions and other material that are common to the set. [S
TANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5890"/>
<seriesInfo name="DOI" value="10.17487/RFC5890"/>
</reference>
<reference anchor="RFC5891">
<front>
<title>Internationalized Domain Names in Applications (IDNA): Protocol</titl
e>
<author fullname="J. Klensin" initials="J." surname="Klensin"/>
<date month="August" year="2010"/>
<abstract>
<t>This document is the revised protocol definition for Internationalized
Domain Names (IDNs). The rationale for changes, the relationship to the older sp
ecification, and important terminology are provided in other documents. This doc
ument specifies the protocol mechanism, called Internationalized Domain Names in
Applications (IDNA), for registering and looking up IDNs in a way that does not
require changes to the DNS itself. IDNA is only meant for processing domain nam
es, not free text. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5891"/>
<seriesInfo name="DOI" value="10.17487/RFC5891"/>
</reference>
<reference anchor="RFC1035">
<front>
<title>Domain names - implementation and specification</title>
<author fullname="P. Mockapetris" initials="P." surname="Mockapetris"/>
<date month="November" year="1987"/>
<abstract>
<t>This RFC is the revised specification of the protocol and format used i
n the implementation of the Domain Name System. It obsoletes RFC-883. This memo
documents the details of the domain name client - server communication.</t>
</abstract>
</front>
<seriesInfo name="STD" value="13"/>
<seriesInfo name="RFC" value="1035"/>
<seriesInfo name="DOI" value="10.17487/RFC1035"/>
</reference>
<reference anchor="RFC8617">
<front>
<title>The Authenticated Received Chain (ARC) Protocol</title>
<author fullname="K. Andersen" initials="K." surname="Andersen"/>
<author fullname="B. Long" initials="B." role="editor" surname="Long"/>
<author fullname="S. Blank" initials="S." role="editor" surname="Blank"/>
<author fullname="M. Kucherawy" initials="M." role="editor" surname="Kuchera
wy"/>
<date month="July" year="2019"/>
<abstract>
<t>The Authenticated Received Chain (ARC) protocol provides an authenticat
ed "chain of custody" for a message, allowing each entity that handles the messa
ge to see what entities handled it before and what the message's authentication
assessment was at each step in the handling.</t>
<t>ARC allows Internet Mail Handlers to attach assertions of message authe
ntication assessment to individual messages. As messages traverse ARC-enabled In
ternet Mail Handlers, additional ARC assertions can be attached to messages to f
orm ordered sets of ARC assertions that represent the authentication assessment
at each step of the message-handling paths.</t>
<t>ARC-enabled Internet Mail Handlers can process sets of ARC assertions t
o inform message disposition decisions, identify Internet Mail Handlers that mig
ht break existing authentication mechanisms, and convey original authentication
assessments across trust boundaries.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8617"/>
<seriesInfo name="DOI" value="10.17487/RFC8617"/>
</reference>
<reference anchor="RFC4021">
<front>
<title>Registration of Mail and MIME Header Fields</title>
<author fullname="G. Klyne" initials="G." surname="Klyne"/>
<author fullname="J. Palme" initials="J." surname="Palme"/>
<date month="March" year="2005"/>
<abstract>
<t>This document defines the initial IANA registration for permanent mail
and MIME message header fields, per RFC 3864. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="4021"/>
<seriesInfo name="DOI" value="10.17487/RFC4021"/>
</reference>
<reference anchor="RFC9216">
<front>
<title>S/MIME Example Keys and Certificates</title>
<author fullname="D. K. Gillmor" initials="D. K." role="editor" surname="Gil
lmor"/>
<date month="April" year="2022"/>
<abstract>
<t>The S/MIME development community benefits from sharing samples of signe
d or encrypted data. This document facilitates such collaboration by defining a
small set of X.509v3 certificates and keys for use when generating such samples.
</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9216"/>
<seriesInfo name="DOI" value="10.17487/RFC9216"/>
</reference>
<reference anchor="RFC5751">
<front>
<title>Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Mes
sage Specification</title>
<author fullname="B. Ramsdell" initials="B." surname="Ramsdell"/>
<author fullname="S. Turner" initials="S." surname="Turner"/>
<date month="January" year="2010"/>
<abstract>
<t>This document defines Secure/Multipurpose Internet Mail Extensions (S/M
IME) version 3.2. S/MIME provides a consistent way to send and receive secure MI
ME data. Digital signatures provide authentication, message integrity, and non-r
epudiation with proof of origin. Encryption provides data confidentiality. Compr
ession can be used to reduce data size. This document obsoletes RFC 3851. [STAND
ARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5751"/>
<seriesInfo name="DOI" value="10.17487/RFC5751"/>
</reference>
<reference anchor="RFC3851">
<front>
<title>Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Mes
sage Specification</title>
<author fullname="B. Ramsdell" initials="B." role="editor" surname="Ramsdell
"/>
<date month="July" year="2004"/>
<abstract>
<t>This document defines Secure/Multipurpose Internet Mail Extensions (S/M
IME) version 3.1. S/MIME provides a consistent way to send and receive secure MI
ME data. Digital signatures provide authentication, message integrity, and non-r
epudiation with proof of origin. Encryption provides data confidentiality. Compr
ession can be used to reduce data size. This document obsoletes RFC 2633. [STAND
ARDS-TRACK]</t>
</abstract>
</front> </front>
<seriesInfo name="RFC" value="3851"/> <seriesInfo name="Internet-Draft" value="draft-autocrypt-lamps-protected-heade
<seriesInfo name="DOI" value="10.17487/RFC3851"/> rs-03"/>
</reference>
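Review bot: the tracking comment above the new I-D.autocrypt-lamps-protected-headers entry names draft-autocrypt-lamps-protected-headers-02 as expired, but the entry's target URL and its seriesInfo value both cite revision -03, with a date of 16 April 2025. The comment should be updated to the revision actually cited, or removed so the two do not disagree. The same entry keeps initials="" on the author "juga". Dropping the empty attribute would be cleaner than carrying it, now that the quoted &quot;juga&quot; form from the old entry has been normalised.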
<reference anchor="I-D.pep-general">
<front>
<title>pretty Easy privacy (pEp): Privacy by Default</title>
<author fullname="Volker Birk" initials="V." surname="Birk">
<organization>pEp Foundation</organization>
</author>
<author fullname="Hernâni Marques" initials="H." surname="Marques">
<organization>pEp Foundation</organization>
</author>
<author fullname="Bernie Hoeneisen" initials="B." surname="Hoeneisen">
<organization>pEp Foundation</organization>
</author>
<date day="16" month="December" year="2022"/>
<abstract>
<t> The pretty Easy privacy (pEp) model and protocols describe a set o
f
conventions for the automation of operations traditionally seen as
barriers to the use and deployment of secure, privacy-preserving end-
to-end messaging. These include, but are not limited to, key
management, key discovery, and private key handling (including peer-
to-peer synchronization of private keys and other user data across
devices). Human Rights-enabling principles like data minimization,
end-to-end and interoperability are explicit design goals. For the
goal of usable privacy, pEp introduces means to verify communication
between peers and proposes a trust-rating system to denote secure
types of communications and signal the privacy level available on a
per-user and per-message level. Significantly, the pEp protocols
build on already available security formats and message transports
(e.g., PGP/MIME with email), and are written with the intent to be
interoperable with already widely-deployed systems in order to ease
adoption and implementation. This document outlines the general
design choices and principles of pEp.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-pep-general-02"/>
</reference>
<reference anchor="I-D.pep-email">
<front>
<title>pretty Easy privacy (pEp): Email Formats and Protocols</title>
<author fullname="Hernâni Marques" initials="H." surname="Marques">
<organization>pEp Foundation</organization>
</author>
<author fullname="Bernie Hoeneisen" initials="B." surname="Hoeneisen">
<organization>pEp Foundation</organization>
</author>
<date day="16" month="December" year="2022"/>
<abstract>
<t> The proposed pretty Easy privacy (pEp) protocols for email are bas
ed
upon already existing email and encryption formats (such as PGP/MIME)
and designed to allow for easily implementable and interoperable
opportunistic encryption. The protocols range from key distribution,
secret key synchronization between own devices, to mechanisms of
metadata and content protection. The metadata and content protection
is achieved by moving the whole message (not only the body part) into
the PGP/MIME encrypted part. The proposed pEp Email Formats not only
achieve simple forms of metadata protection (like subject
encryption), but also allow for sending email messages through a
mixnet. Such enhanced forms of metadata protection are explicitly
discussed within the scope of this document.
The purpose of pEp for email is to simplify and automate operations
in order to make usage of email encryption viable for a wider range
of Internet users, with the goal of achieving widespread
implementation of data confidentiality and privacy practices in the
real world.
The proposed operations and formats are targeted towards
Opportunistic Security scenarios and are already implemented in
several applications of pretty Easy privacy (pEp).
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-pep-email-02"/>
</reference>
<reference anchor="I-D.autocrypt-lamps-protected-headers">
<front>
<title>Protected Headers for Cryptographic E-mail</title>
<author fullname="Bjarni Rúnar Einarsson" initials="B. R." surname="Einars
son">
<organization>Mailpile ehf</organization>
</author>
<author fullname="&quot;juga&quot;" initials="" surname="&quot;juga&quot;"
>
<organization>Independent</organization>
</author>
<author fullname="Daniel Kahn Gillmor" initials="D. K." surname="Gillmor">
<organization>American Civil Liberties Union</organization>
</author>
<date day="20" month="December" year="2019"/>
<abstract>
<t> This document describes a common strategy to extend the end-to-end
cryptographic protections provided by PGP/MIME, etc. to protect
message headers in addition to message bodies. In addition to
protecting the authenticity and integrity of headers via signatures,
it also describes how to preserve the confidentiality of the Subject
header.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-autocrypt-lamps-protected-head
ers-02"/>
</reference> </reference>
</references>
</references> </references>
<?line 1917?> <section anchor="pseudocode-listings">
<name>Table of Pseudocode Listings</name>
<section anchor="pseudocode-listings"><name>Table of Pseudocode Listings</name> <t>This document contains guidance with pseudocode descriptions.
<t>This document contains guidance with pseudocode descriptions.
Each algorithm is listed here for easy reference.</t> Each algorithm is listed here for easy reference.</t>
<table>
<texttable title="Table of Pseudocode Listings"> <name>Table of Pseudocode Listings</name>
<ttcol align='left'>Method Name</ttcol> <thead>
<ttcol align='left'>Description</ttcol> <tr>
<ttcol align='left'>Reference</ttcol> <th align="left">Method Name</th>
<c><iref item="HeaderSetsFromMessage"/><xref target="headersetsfrommessage <th align="left">Description</th>
" format="none">HeaderSetsFromMessage</xref></c> <th align="left">Reference</th>
<c>Derive "outer" and "protected" sets of Header Fields from a given messa </tr>
ge</c> </thead>
<c><xref target="headersetsfrommessage"/></c> <tbody>
<c><iref item="HeaderFieldProtection"/><xref target="headerfieldprotection <tr>
" format="none">HeaderFieldProtection</xref></c> <td align="left">
<c>Calculate cryptographic protections for a Header Field in a given messa <iref item="HeaderSetsFromMessage"/><xref target="headersetsfromme
ge</c> ssage" format="none">HeaderSetsFromMessage</xref></td>
<c><xref target="headerfieldprotection"/></c> <td align="left">Derive "outer" and "protected" sets of Header Field
<c><iref item="ReferenceHCP"/><xref target="referencehcp" format="none">Re s from a given message</td>
ferenceHCP</xref></c> <td align="left">
<c>Produce an ephemeral <iref item="HCP"/><xref target="header-confidentia <xref target="headersetsfrommessage"/></td>
lity-policy" format="none">HCP</xref> to use when responding to a given message< </tr>
/c> <tr>
<c><xref target="referencehcp"/></c> <td align="left">
<c><iref item="ComposeNoHeaderProtection"/><xref target="composenoheaderpr <iref item="HeaderFieldProtection"/><xref target="headerfieldprote
otection" format="none">ComposeNoHeaderProtection</xref></c> ction" format="none">HeaderFieldProtection</xref></td>
<c>Legacy message composition with end-to-end cryptographic protections (b <td align="left">Calculate cryptographic protections for a Header Fi
ut no header protection)</c> eld in a given message</td>
<c><xref target="composenoheaderprotection"/></c> <td align="left">
<c><iref item="Compose"/><xref target="compose-algorithm" format="none">Co <xref target="headerfieldprotection"/></td>
mpose</xref></c> </tr>
<c><iref item="Compose"/><xref target="compose-algorithm" format="none">Co <tr>
mpose</xref> a message with end-to-end cryptographic protections including heade <td align="left">
r protection</c> <iref item="ReferenceHCP"/><xref target="referencehcp" format="non
<c><xref target="compose-algorithm"/></c> e">ReferenceHCP</xref></td>
</texttable> <td align="left">Produce an ephemeral <iref item="HCP"/><xref target
="header-confidentiality-policy" format="none">HCP</xref> to use when responding
</section> to a given message</td>
<section anchor="possible-problems-with-legacy-muas"><name>Possible Problems wit <td align="left">
h Legacy MUAs</name> <xref target="referencehcp"/></td>
</tr>
<t>When an e-mail message with end-to-end cryptographic protection is received b <tr>
y a mail user agent, the user might experience many different possible problemat <td align="left">
ic interactions. <iref item="ComposeNoHeaderProtection"/><xref target="composenohea
derprotection" format="none">ComposeNoHeaderProtection</xref></td>
<td align="left">Legacy message composition with end-to-end cryptogr
aphic protections (but no header protection)</td>
<td align="left">
<xref target="composenoheaderprotection"/></td>
</tr>
<tr>
<td align="left">
<iref item="Compose"/><xref target="compose-algorithm" format="non
e">Compose</xref></td>
<td align="left">
<iref item="Compose"/><xref target="compose-algorithm" format="non
e">Compose</xref> a message with end-to-end cryptographic protections including
header protection</td>
<td align="left">
<xref target="compose-algorithm"/></td>
</tr>
</tbody>
</table>
</section>
<section anchor="possible-problems-with-legacy-muas">
<name>Possible Problems with Legacy MUAs</name>
<t>When an email message with end-to-end cryptographic protection is recei
ved by a mail user agent, the user might experience many different possible prob
lematic interactions.
A message with Header Protection may introduce new forms of user experience fail ure.</t> A message with Header Protection may introduce new forms of user experience fail ure.</t>
<t>In this section, the authors enumerate different kinds of failures we h
<t>In this section, the authors enumerate different kinds of failures we have ob ave observed when reviewing, rendering, and replying to messages with different
served when reviewing, rendering, and replying to messages with different forms forms of Header Protection in different Legacy MUAs.
of Header Protection in different Legacy MUAs.
Different Legacy MUAs demonstrate different subsets of these problems.</t> Different Legacy MUAs demonstrate different subsets of these problems.</t>
<t>A conformant MUA would not exhibit any of these problems.
<t>A conformant MUA would not exhibit any of these problems.
An implementer updating their Legacy MUA to be compliant with this specification should consider these concerns and try to avoid them.</t> An implementer updating their Legacy MUA to be compliant with this specification should consider these concerns and try to avoid them.</t>
<t>Recall that "protected" refers to the "inner" values, e.g., the real <t
<t>Recall that "protected" refers to the "inner" values, e.g., the real <spanx s t>Subject</tt>, and "unprotected" refers to the "outer" values, e.g., the dummy
tyle="verb">Subject</spanx>, and "unprotected" refers to the "outer" values, e.g <tt>Subject</tt>.</t>
., the dummy <spanx style="verb">Subject</spanx>.</t> <section anchor="problems-viewing-messages-in-a-list-view">
<name>Problems Viewing Messages in a List View</name>
<section anchor="problems-viewing-messages-in-a-list-view"><name>Problems Viewin <ul spacing="normal">
g Messages in a List View</name> <li>
<t>Unprotected <tt>Subject</tt>, <tt>Date</tt>, <tt>From</tt>, and <
<t><list style="symbols"> tt>To</tt> Header Fields are visible (instead of being replaced by protected val
<t>Unprotected <spanx style="verb">Subject</spanx>, <spanx style="verb">Date</ ues)</t>
spanx>, <spanx style="verb">From</spanx>, <spanx style="verb">To</spanx> Header </li>
Fields are visible (instead of being replaced by protected values)</t> <li>
<t>Threading is not visible</t> <t>Threading is not visible</t>
</list></t> </li>
</ul>
</section> </section>
<section anchor="problems-when-rendering-a-message"><name>Problems when Renderin <section anchor="problems-when-rendering-a-message">
g a Message</name> <name>Problems When Rendering a Message</name>
<ul spacing="normal">
<t><list style="symbols"> <li>
<t>Unprotected <spanx style="verb">Subject</spanx> is visible</t> <t>Unprotected <tt>Subject</tt> is visible</t>
<t>Protected <spanx style="verb">Subject</spanx> (on its own) is visible in th </li>
e body</t> <li>
<t>Protected <spanx style="verb">Subject</spanx>, <spanx style="verb">Date</sp <t>Protected <tt>Subject</tt> (on its own) is visible in the body</t
anx>, <spanx style="verb">From</spanx>, and <spanx style="verb">To</spanx> Heade >
r Fields visible in the body</t> </li>
<t>User interaction needed to view whole message</t> <li>
<t>User interaction needed to view message body</t> <t>Protected <tt>Subject</tt>, <tt>Date</tt>, <tt>From</tt>, and <tt
<t>User interaction needed to view protected subject</t> >To</tt> Header Fields are visible in the body</t>
<t>Impossible to view protected <spanx style="verb">Subject</spanx></t> </li>
<t>Nuisance alarms during user interaction</t> <li>
<t>Impossible to view message body</t> <t>User interaction needed to view the whole message</t>
<t>Appears as a forwarded message</t> </li>
<t>Appears as an attachment</t> <li>
<t>Security indicators not visible</t> <t>User interaction needed to view the message body</t>
<t>Security indicators do not identify protection status of Header Fields</t> </li>
<t>User has multiple different methods to reply (e.g., reply to outer, reply t <li>
o inner)</t> <t>User interaction needed to view the protected <tt>Subject</tt></t
<t>User sees English "Subject:" in body despite message itself being in non-En >
glish</t> </li>
<t>Security indicators do not identify protection status of Header Fields</t> <li>
<t>Header Fields in body render with local Header Field names (e.g., showing " <t>Impossible to view the protected <tt>Subject</tt></t>
Betreff" instead of "Subject") and dates (TZ, locale)</t> </li>
</list></t> <li>
<t>Nuisance alarms during user interaction</t>
</section> </li>
<section anchor="problems-when-replying-to-a-message"><name>Problems when Replyi <li>
ng to a Message</name> <t>Impossible to view the message body</t>
</li>
<t>Note that the use case here is:</t> <li>
<t>Appears as a forwarded message</t>
<t><list style="symbols"> </li>
<t>User views message, to the point where they can read it</t> <li>
<t>User then replies to message, and they are shown a message composition wind <t>Appears as an attachment</t>
ow, which has some UI elements</t> </li>
<t>If the MUA has multiple different methods to reply to a message, each way m <li>
ay need to be evaluated separately</t> <t>Security indicators not visible</t>
</list></t> </li>
<li>
<t>This section also uses the shorthand UI:x to mean "the UI element that the us <t>Security indicators do not identify the protection status of Head
er can edit that they think of as x."</t> er Fields</t>
</li>
<t><list style="symbols"> <li>
<t>Unprotected <spanx style="verb">Subject</spanx> is in UI:subject (instead o <t>User has multiple different methods to reply (e.g., reply to oute
f the protected <spanx style="verb">Subject</spanx>)</t> r, reply to inner)</t>
<t>Protected <spanx style="verb">Subject</spanx> is quoted in UI:body (from Le </li>
gacy Display Element)</t> <li>
<t>Protected <spanx style="verb">Subject</spanx> leaks when the reply is seria <t>User sees English "Subject:" in body despite message itself being
lised into MIME</t> in non-English</t>
<t>Protected <spanx style="verb">Subject</spanx> is not anywhere in UI</t> </li>
<t>Message body is <em>not</em> visible/quoted in UI:body</t> <li>
<t>User cannot reply while viewing protected message</t> <t>Security indicators do not identify the protection status of Head
<t>Reply is not encrypted by default (but is for legacy signed-and-encrypted m er Fields</t>
essages without Header Protection)</t> </li>
<t>Unprotected <spanx style="verb">From</spanx> or <spanx style="verb">Reply-T <li>
o</spanx> Header Field is in UI:To (instead of the protected <spanx style="verb" <t>Header Fields in the body render with local Header Field names (e
>From</spanx> or <spanx style="verb">Reply-To</spanx> Header Field)</t> .g., showing "Betreff" instead of "Subject") and dates (TZ, locale)</t>
<t>User's locale (lang, TZ) leaks in quoted body</t> </li>
<t>Header Fields not protected (and in particular, <spanx style="verb">Subject </ul>
</spanx> is not obscured) by default</t> </section>
</list></t> <section anchor="problems-when-replying-to-a-message">
<name>Problems When Replying to a Message</name>
</section> <t>Note that the use case here is:</t>
</section> <ul spacing="normal">
<section anchor="test-vectors"><name>Test Vectors</name> <li>
<t>User views a message, to the point where they can read it</t>
<t>This section contains sample messages using the specification defined above. </li>
<li>
<t>User then replies to the message, and they are shown a message co
mposition window, which has some UI elements</t>
</li>
<li>
<t>If the MUA has multiple different methods to reply to a message,
each way may need to be evaluated separately</t>
</li>
</ul>
<t>This section also uses the shorthand UI:x to mean "the UI element tha
t the user can edit that they think of as x".</t>
<ul spacing="normal">
<li>
<t>Unprotected <tt>Subject</tt> is in UI:subject (instead of the pro
tected <tt>Subject</tt>)</t>
</li>
<li>
<t>Protected <tt>Subject</tt> is quoted in UI:body (from Legacy Disp
lay Element)</t>
</li>
<li>
<t>Protected <tt>Subject</tt> leaks when the reply is serialized int
o MIME</t>
</li>
<li>
<t>Protected <tt>Subject</tt> is not anywhere in UI</t>
</li>
<li>
<t>Message body is <em>not</em> visible/quoted in UI:body</t>
</li>
<li>
<t>User cannot reply while viewing protected message</t>
</li>
<li>
<t>Reply is not encrypted by default (but is for legacy signed-and-e
ncrypted messages without Header Protection)</t>
</li>
<li>
<t>Unprotected <tt>From</tt> or <tt>Reply-To</tt> Header Field is in
UI:To (instead of the protected <tt>From</tt> or <tt>Reply-To</tt> Header Field
)</t>
</li>
<li>
<t>User's locale (lang, TZ) leaks in quoted body</t>
</li>
<li>
<t>Header Fields not protected (and in particular, <tt>Subject</tt>
is not obscured) by default</t>
</li>
</ul>
</section>
</section>
<section anchor="test-vectors">
<name>Test Vectors</name>
<t>This section contains sample messages using the specification defined a
bove.
Each sample contains a MIME object, a textual and diagrammatic view of its struc ture, and examples of how an MUA might render it.</t> Each sample contains a MIME object, a textual and diagrammatic view of its struc ture, and examples of how an MUA might render it.</t>
<t>The cryptographic protections used in this document use the S/MIME stan
<t>The cryptographic protections used in this document use the S/MIME standard, dard, and keying material and certificates come from <xref target="RFC9216"/>.</
and keying material and certificates come from <xref target="RFC9216"/>.</t> t>
<t>These messages should be accessible to any IMAP client at <tt>imap://bo
<t>These messages should be accessible to any IMAP client at <spanx style="verb" b@header-protection.cmrg.net/</tt> (any password should authenticate to this rea
>imap://bob@header-protection.cmrg.net/</spanx> (any password should authenticat d-only IMAP mailbox).</t>
e to this read-only IMAP mailbox).</t> <t>Copies of these test vectors can also be downloaded separately at <eref
target="https://header-protection.cmrg.net" brackets="angle"/>.</t>
<t>You can also download copies of these test vectors separately at <spanx style <t>If any of the messages downloaded differ from those offered here, this
="verb">https://header-protection.cmrg.net</spanx>.</t> document is the canonical source.</t>
<section anchor="baseline-messages">
<t>If any of the messages downloaded differ from those offered here, this docume <name>Baseline Messages</name>
nt is the canonical source.</t> <t>These messages offer no header protection at all and can be used as a
baseline.
<section anchor="baseline-messages"><name>Baseline Messages</name>
<t>These messages offer no header protection at all, and can be used as a baseli
ne.
They are provided in this document as a counterexample. They are provided in this document as a counterexample.
An MUA implementer can use these messages to verify that the reported cryptograp hic summary of the message indicates no header protection.</t> An MUA implementer can use these messages to verify that the reported cryptograp hic summary of the message indicates no header protection.</t>
<section anchor="no-crypto">
<section anchor="no-crypto"><name>No Cryptographic Protections Over a Simple Mes <name>No Cryptographic Protections over a Simple Message</name>
sage</name> <t>This message uses no cryptographic protection at all. Its body is
a text/plain message.</t>
<t>This message uses no cryptographic protection at all. Its body is a text/pla <t>It has the following structure:</t>
in message.</t> <artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴text/plain 152 bytes └─╴text/plain 152 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="no-crypto.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="no-crypto.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8" Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit
Subject: no-crypto Subject: no-crypto
Message-ID: <no-crypto@example> Message-ID: <no-crypto@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:00:02 -0500 Date: Sat, 20 Feb 2021 10:00:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
This is the This is the
no-crypto no-crypto
message. message.
This message uses no cryptographic protection at all. Its body This message uses no cryptographic protection at all. Its body
is a text/plain message. is a text/plain message.
-- --
Alice Alice
alice@smime.example alice@smime.example
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-one-part">
<section anchor="smime-one-part"><name>S/MIME Signed-only signedData Over a Simp <name>S/MIME Signed-Only signedData over a Simple Message, No Header P
le Message, No Header Protection</name> rotection</name>
<t>This is a signed-only S/MIME message via PKCS#7 signedData. The pa
<t>This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a yload is a text/plain message. It uses no header protection.</t>
text/plain message. It uses no header protection.</t> <t>It has the following structure:</t>
<artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 3856 bytes └─╴application/pkcs7-mime [smime.p7m] 3856 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└─╴text/plain 206 bytes └─╴text/plain 206 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-one-part.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-one-part.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
Subject: smime-one-part Subject: smime-one-part
Message-ID: <smime-one-part@example> Message-ID: <smime-one-part@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:01:02 -0500 Date: Sat, 20 Feb 2021 10:01:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
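Review bot: In the "Problems When Rendering a Message" list, the item "Security indicators do not identify the protection status of Header Fields" appears twice on the new side, just as it did on the old side; this revision added "the" to both copies but kept the duplicate. Suggest dropping the second `<li>` (the one between the 'User sees English "Subject:" in body' item and the 'Header Fields in the body render with local Header Field names' item) so the list enumerates each observed failure once.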
skipping to change at line 2991 skipping to change at line 2884
UyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzdBBXntdX9CqaJcOvT4as6a UyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzdBBXntdX9CqaJcOvT4as6a
qdcwCwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq qdcwCwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq
hkiG9w0BCQUxDxcNMjEwMjIwMTUwMTAyWjAvBgkqhkiG9w0BCQQxIgQgrhyFjywc hkiG9w0BCQUxDxcNMjEwMjIwMTUwMTAyWjAvBgkqhkiG9w0BCQQxIgQgrhyFjywc
FLYzlCbb/xsgb5+a0sgYLUg094upq1ZXLWswDQYJKoZIhvcNAQEBBQAEggEABOi5 FLYzlCbb/xsgb5+a0sgYLUg094upq1ZXLWswDQYJKoZIhvcNAQEBBQAEggEABOi5
kcjRmMF4LK94svcfl92padnfUTSyjJtrIf6R6C7xy87VzsmPOPCmHgZOmTCuvY2D kcjRmMF4LK94svcfl92padnfUTSyjJtrIf6R6C7xy87VzsmPOPCmHgZOmTCuvY2D
iKuMId6WPVdjuRUaW6xkgYtgYjPDhy80NY0a9wXEQtjn448G0UHdM21cJyu9LTAg iKuMId6WPVdjuRUaW6xkgYtgYjPDhy80NY0a9wXEQtjn448G0UHdM21cJyu9LTAg
orSzcT2pwEuGzNdsHW8LB5GtJKYct3RS0+jlbSr7WpZFY1mUrwpsm2r8za2KoOcy orSzcT2pwEuGzNdsHW8LB5GtJKYct3RS0+jlbSr7WpZFY1mUrwpsm2r8za2KoOcy
t/E7Qz/8hT4HU52Na7pS1ZnxrasLr5prSjDSSKs4QK3ncJR8jhF9by0pDCoYgswy t/E7Qz/8hT4HU52Na7pS1ZnxrasLr5prSjDSSKs4QK3ncJR8jhF9by0pDCoYgswy
zYaeJt0N+8uv7ab/kBaE3wfZlipMSFRJIlh+QeXCkIHo5fW5bn/REZHxMMdMfdPh zYaeJt0N+8uv7ab/kBaE3wfZlipMSFRJIlh+QeXCkIHo5fW5bn/REZHxMMdMfdPh
bqYT1i46156CSOqyxA== bqYT1i46156CSOqyxA==
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-only-signeddata-over-a-simple-message-no
<section anchor="smime-signed-only-signeddata-over-a-simple-message-no-header-pr -header-protection-unwrapped">
otection-unwrapped"><name>S/MIME Signed-only signedData Over a Simple Message, N <name>S/MIME Signed-Only signedData over a Simple Message, No Header
o Header Protection, Unwrapped</name> Protection, Unwrapped</name>
<t>The S/MIME signed-data layer unwraps to:</t>
<t>The S/MIME signed-data layer unwraps to:</t> <sourcecode type="message/rfc822" name="smime-one-part.unwrapped.eml
"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-one-part.unwrapped.eml"><!
[CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8" Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit
This is the This is the
smime-one-part smime-one-part
message. message.
This is a signed-only S/MIME message via PKCS#7 signedData. The This is a signed-only S/MIME message via PKCS#7 signedData. The
payload is a text/plain message. It uses no header protection. payload is a text/plain message. It uses no header protection.
-- --
Alice Alice
alice@smime.example alice@smime.example
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-multipart">
<section anchor="smime-multipart"><name>S/MIME Signed-only multipart/signed Over <name>S/MIME Signed-Only multipart/signed over a Simple Message, No He
a Simple Message, No Header Protection</name> ader Protection</name>
<t>This is a signed-only S/MIME message via PKCS#7 detached signature
<t>This is a signed-only S/MIME message via PKCS#7 detached signature (multipart (multipart/signed). The payload is a text/plain message. It uses no header prot
/signed). The payload is a text/plain message. It uses no header protection.</t ection.</t>
> <t>It has the following structure:</t>
<artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└┬╴multipart/signed 4187 bytes └┬╴multipart/signed 4187 bytes
├─╴text/plain 224 bytes ├─╴text/plain 224 bytes
└─╴application/pkcs7-signature [smime.p7s] 3429 bytes └─╴application/pkcs7-signature [smime.p7s] 3429 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-multipart.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-multipart.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: multipart/signed; Content-Type: multipart/signed;
protocol="application/pkcs7-signature"; boundary="253"; protocol="application/pkcs7-signature"; boundary="253";
micalg="sha-256" micalg="sha-256"
Subject: smime-multipart Subject: smime-multipart
Message-ID: <smime-multipart@example> Message-ID: <smime-multipart@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:02:02 -0500 Date: Sat, 20 Feb 2021 10:02:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
skipping to change at line 3118 skipping to change at line 3004
9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNTAyMDJa 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNTAyMDJa
MC8GCSqGSIb3DQEJBDEiBCAB+IATfw3+2kO9hwjUYxzW+Z12sfFp2dTb1pmXGS+7 MC8GCSqGSIb3DQEJBDEiBCAB+IATfw3+2kO9hwjUYxzW+Z12sfFp2dTb1pmXGS+7
DzANBgkqhkiG9w0BAQEFAASCAQANJdfU8DtOpINW4FeIWpdexndYvHYy7jFg5ICy DzANBgkqhkiG9w0BAQEFAASCAQANJdfU8DtOpINW4FeIWpdexndYvHYy7jFg5ICy
wIkh1DcqmbdvB4PXcksbJ0zKSVjdjXPdYQYRS4E5ClAEevEe+OkFd16UoGaadoaq wIkh1DcqmbdvB4PXcksbJ0zKSVjdjXPdYQYRS4E5ClAEevEe+OkFd16UoGaadoaq
OjyGnuiEJJbRG2UUZZWMyJW2g8OZRAGZjYgEgvbVflmxqRjFRaeLGUorHaHoxk40 OjyGnuiEJJbRG2UUZZWMyJW2g8OZRAGZjYgEgvbVflmxqRjFRaeLGUorHaHoxk40
LomKSVRTUG11eEhmRmxIY4wKhwc0U9PKjCQFrhu3t1ZkGSfPn9jvdNTJkg85WUpk LomKSVRTUG11eEhmRmxIY4wKhwc0U9PKjCQFrhu3t1ZkGSfPn9jvdNTJkg85WUpk
WqmOyrup6DH4Gb84By+0IMk3vflrOyAw3kbsj6Ij+zymAlH61YypnAvddFBIuZPL WqmOyrup6DH4Gb84By+0IMk3vflrOyAw3kbsj6Ij+zymAlH61YypnAvddFBIuZPL
2LYdIHPLmq8KGrzcgjkjP+Y58hf9U+6gp0KPuS8DAGOvxYs0 2LYdIHPLmq8KGrzcgjkjP+Y58hf9U+6gp0KPuS8DAGOvxYs0
--253-- --253--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-enc">
<section anchor="smime-signed-enc"><name>S/MIME Signed and Encrypted Over a Simp <name>S/MIME Signed and Encrypted over a Simple Message, No Header Pro
le Message, No Header Protection</name> tection</name>
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou dData around signedData. The payload is a text/plain message. It uses no header
nd signedData. The payload is a text/plain message. It uses no header protectio protection.</t>
n.</t> <t>It has the following structure:</t>
<artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 6720 bytes └─╴application/pkcs7-mime [smime.p7m] 6720 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 3960 bytes └─╴application/pkcs7-mime [smime.p7m] 3960 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└─╴text/plain 241 bytes └─╴text/plain 241 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-signed-enc.eml"><![CDATA
[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: smime-signed-enc Subject: smime-signed-enc
Message-ID: <smime-signed-enc@example> Message-ID: <smime-signed-enc@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:03:02 -0500 Date: Sat, 20 Feb 2021 10:03:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
skipping to change at line 3252 skipping to change at line 3133
dIZQkGYe3KJhMvHvkA40IEjGljU95Bx+bFoojWUaMUI4wlhhz0bppZF/bkENLhGq dIZQkGYe3KJhMvHvkA40IEjGljU95Bx+bFoojWUaMUI4wlhhz0bppZF/bkENLhGq
IXVMYUfa0GFSvfhfXN7r3VvRpzkh7mgJrsIFwG035ZhZq904Z1Yw11N9pns8X2s6 IXVMYUfa0GFSvfhfXN7r3VvRpzkh7mgJrsIFwG035ZhZq904Z1Yw11N9pns8X2s6
PsSOZAO/E0NOMLSrOonmHy2wqGY7kSMprd9FI7ESe1hwLgqh2pVNesYGqx1Aw0AD PsSOZAO/E0NOMLSrOonmHy2wqGY7kSMprd9FI7ESe1hwLgqh2pVNesYGqx1Aw0AD
9rDktHKChXqAQDYElV/D1239rxc3tVFzoXtkk6BcNlwq/hvksAjk1/sMNA9x7OAf 9rDktHKChXqAQDYElV/D1239rxc3tVFzoXtkk6BcNlwq/hvksAjk1/sMNA9x7OAf
gfE/zFZQNhWFNzuGd6ADf4Io+Wg9+L60JZmgBx6A9IiTygG9D38yREzQl0BgfGx4 gfE/zFZQNhWFNzuGd6ADf4Io+Wg9+L60JZmgBx6A9IiTygG9D38yREzQl0BgfGx4
xlkbs830dOgKafDVTMWCNomvOqIcU9kdirLuaOYl7N5yIR3TMH8p2kkkyYH0hMdX xlkbs830dOgKafDVTMWCNomvOqIcU9kdirLuaOYl7N5yIR3TMH8p2kkkyYH0hMdX
TQ5v4K/OUYQteADMquJIJQiIfsOEdfd6to46yWIWlCQSJpN+M2iw0QoOPOjevCkC TQ5v4K/OUYQteADMquJIJQiIfsOEdfd6to46yWIWlCQSJpN+M2iw0QoOPOjevCkC
RVZ0xXALDuEEuUJLjlSrwRVOx5drsqLoClAeH1Li/ZFm+I6qA2pVKrxohwndGimR RVZ0xXALDuEEuUJLjlSrwRVOx5drsqLoClAeH1Li/ZFm+I6qA2pVKrxohwndGimR
3FVKgLzC1srGGXsIGqoq5ueeN2ZTIQ6OyJh/ERLFd0uEeVCv7UIBRwQ9WrNaaFY1 3FVKgLzC1srGGXsIGqoq5ueeN2ZTIQ6OyJh/ERLFd0uEeVCv7UIBRwQ9WrNaaFY1
1OtoJc+0XZ617xSFoKWnyA== 1OtoJc+0XZ617xSFoKWnyA==
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-over-a-simple-message-no-h
<section anchor="smime-signed-and-encrypted-over-a-simple-message-no-header-prot eader-protection-decrypted">
ection-decrypted"><name>S/MIME Signed and Encrypted Over a Simple Message, No He <name>S/MIME Signed and Encrypted over a Simple Message, No Header P
ader Protection, Decrypted</name> rotection, Decrypted</name>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> </t>
<sourcecode type="message/rfc822" name="smime-signed-enc.decrypted.e
<figure><sourcecode type="message/rfc822" name="smime-signed-enc.decrypted.eml"> ml"><![CDATA[
<![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIILPAYJKoZIhvcNAQcCoIILLTCCCykCAQExDTALBglghkgBZQMEAgEwggFlBgkq MIILPAYJKoZIhvcNAQcCoIILLTCCCykCAQExDTALBglghkgBZQMEAgEwggFlBgkq
hkiG9w0BBwGgggFWBIIBUk1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVR5cGU6 hkiG9w0BBwGgggFWBIIBUk1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVR5cGU6
IHRleHQvcGxhaW47IGNoYXJzZXQ9InV0Zi04Ig0KQ29udGVudC1UcmFuc2Zlci1F IHRleHQvcGxhaW47IGNoYXJzZXQ9InV0Zi04Ig0KQ29udGVudC1UcmFuc2Zlci1F
bmNvZGluZzogN2JpdA0KDQpUaGlzIGlzIHRoZQ0Kc21pbWUtc2lnbmVkLWVuYw0K bmNvZGluZzogN2JpdA0KDQpUaGlzIGlzIHRoZQ0Kc21pbWUtc2lnbmVkLWVuYw0K
bWVzc2FnZS4NCg0KVGhpcyBpcyBhIHNpZ25lZC1hbmQtZW5jcnlwdGVkIFMvTUlN bWVzc2FnZS4NCg0KVGhpcyBpcyBhIHNpZ25lZC1hbmQtZW5jcnlwdGVkIFMvTUlN
RSBtZXNzYWdlIHVzaW5nIFBLQ1MjNw0KZW52ZWxvcGVkRGF0YSBhcm91bmQgc2ln RSBtZXNzYWdlIHVzaW5nIFBLQ1MjNw0KZW52ZWxvcGVkRGF0YSBhcm91bmQgc2ln
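Review bot: The lead-in sentence of the "..., No Header Protection, Decrypted" subsection still reads "The S/MIME enveloped-data layer unwraps to this signed-data part:", while the subsection title and the sourcecode name (smime-signed-enc.decrypted.eml) both call this step decryption, and the structure diagram for the same message labels it "decrypts to" and reserves "unwraps to" for the signed-data layer. Since the titles in this hunk were already being touched, suggest changing the sentence to "The S/MIME enveloped-data layer decrypts to this signed-data part:" so that "unwraps" refers only to removing the signed-data layer, as in the following "Decrypted and Unwrapped" subsection.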
skipping to change at line 3323 skipping to change at line 3202
VQQLEwhMQU1QUyBXRzExMC8GA1UEAxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZp VQQLEwhMQU1QUyBXRzExMC8GA1UEAxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglghkgBZQME Y2F0aW9uIEF1dGhvcml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglghkgBZQME
AgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0y AgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0y
MTAyMjAxNTAzMDJaMC8GCSqGSIb3DQEJBDEiBCDlUvgsJW6j30yo/fAeR1vd2Kst MTAyMjAxNTAzMDJaMC8GCSqGSIb3DQEJBDEiBCDlUvgsJW6j30yo/fAeR1vd2Kst
erfZdXyjSKu5gnNGRTANBgkqhkiG9w0BAQEFAASCAQAYPeerPzpSeDL0FAep2p3r erfZdXyjSKu5gnNGRTANBgkqhkiG9w0BAQEFAASCAQAYPeerPzpSeDL0FAep2p3r
y/xmN2pXvMsg1OQI/r6H/WIUpXga0Z3Z5Ml/VsZtKIbFGv/3en7GoqKc0w7/R26B y/xmN2pXvMsg1OQI/r6H/WIUpXga0Z3Z5Ml/VsZtKIbFGv/3en7GoqKc0w7/R26B
qKvtjt+0K7CW1BaWKRqcx7hTIVJXQhT7UnQLnT5daf/BiPbf73FEKoOE4N0cvsVY qKvtjt+0K7CW1BaWKRqcx7hTIVJXQhT7UnQLnT5daf/BiPbf73FEKoOE4N0cvsVY
237ni7VR/Rz/uz3TnheOsBk7H/AEmKIaPBnJj8wFoc6E8Vtusy5ZIrhX6YEq6e3A 237ni7VR/Rz/uz3TnheOsBk7H/AEmKIaPBnJj8wFoc6E8Vtusy5ZIrhX6YEq6e3A
YIJ01cm+cNWBa7kORT2pyKZ3yF2IIcoqyEfw/QkPkh6KM5hKSOUhvbQRPdKOv5u+ YIJ01cm+cNWBa7kORT2pyKZ3yF2IIcoqyEfw/QkPkh6KM5hKSOUhvbQRPdKOv5u+
r/KmOuAbX04XzLZY+RYFdPG/grj+YxeJEgZlUfLgx8pJET9J0RkTImNh1zVVU+r4 r/KmOuAbX04XzLZY+RYFdPG/grj+YxeJEgZlUfLgx8pJET9J0RkTImNh1zVVU+r4
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-over-a-simple-message-no-h
<section anchor="smime-signed-and-encrypted-over-a-simple-message-no-header-prot eader-protection-decrypted-and-unwrapped">
ection-decrypted-and-unwrapped"><name>S/MIME Signed and Encrypted Over a Simple <name>S/MIME Signed and Encrypted over a Simple Message, No Header P
Message, No Header Protection, Decrypted and Unwrapped</name> rotection, Decrypted and Unwrapped</name>
<t>The inner signed-data layer unwraps to:</t>
<t>The inner signed-data layer unwraps to:</t> <sourcecode type="message/rfc822" name="smime-signed-enc.decrypted.u
nwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc.decrypted.unwra
pped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8" Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit
This is the This is the
smime-signed-enc smime-signed-enc
message. message.
This is a signed-and-encrypted S/MIME message using PKCS#7 This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData. The payload is a text/plain envelopedData around signedData. The payload is a text/plain
message. It uses no header protection. message. It uses no header protection.
-- --
Alice Alice
alice@smime.example alice@smime.example
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="no-crypto-complex">
<section anchor="no-crypto-complex"><name>No Cryptographic Protections Over a Co <name>No Cryptographic Protections over a Complex Message</name>
mplex Message</name> <t>This message uses no cryptographic protection at all. Its body is
a multipart/alternative message with an inline image/png attachment.</t>
<t>This message uses no cryptographic protection at all. Its body is a multipar <t>It has the following structure:</t>
t/alternative message with an inline image/png attachment.</t> <artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└┬╴multipart/mixed 1402 bytes └┬╴multipart/mixed 1402 bytes
├┬╴multipart/alternative 794 bytes ├┬╴multipart/alternative 794 bytes
│├─╴text/plain 206 bytes │├─╴text/plain 206 bytes
│└─╴text/html 304 bytes │└─╴text/html 304 bytes
└─╴image/png inline 232 bytes └─╴image/png inline 232 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="no-crypto-complex.eml"><![CDAT
A[
<figure><sourcecode type="message/rfc822" name="no-crypto-complex.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="e68" Content-Type: multipart/mixed; boundary="e68"
Subject: no-crypto-complex Subject: no-crypto-complex
Message-ID: <no-crypto-complex@example> Message-ID: <no-crypto-complex@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:00:02 -0500 Date: Sat, 20 Feb 2021 12:00:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
--e68 --e68
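Review bot: The `<t>` under `no-crypto-complex` describes the body as "a multipart/alternative message with an inline image/png attachment", but the structure diagram and the Content-Type header directly below it show multipart/mixed as the outermost part, with multipart/alternative and image/png as its children. Since the line is being rewrapped anyway, consider "a multipart/mixed message holding a multipart/alternative part and an inline image/png attachment". The same sentence recurs in the later complex-message sections.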
skipping to change at line 3422 skipping to change at line 3294
Content-Type: image/png Content-Type: image/png
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Disposition: inline Content-Disposition: inline
iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg== vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==
--e68-- --e68--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-one-part-complex">
<section anchor="smime-one-part-complex"><name>S/MIME Signed-only signedData Ove <name>S/MIME Signed-Only signedData over a Complex Message, No Header
r a Complex Message, No Header Protection</name> Protection</name>
<t>This is a signed-only S/MIME message via PKCS#7 signedData. The pa
<t>This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a yload is a multipart/alternative message with an inline image/png attachment. It
multipart/alternative message with an inline image/png attachment. It uses no h uses no header protection.</t>
eader protection.</t> <t>It has the following structure:</t>
<artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 5253 bytes └─╴application/pkcs7-mime [smime.p7m] 5253 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└┬╴multipart/mixed 1288 bytes └┬╴multipart/mixed 1288 bytes
├┬╴multipart/alternative 882 bytes ├┬╴multipart/alternative 882 bytes
│├─╴text/plain 260 bytes │├─╴text/plain 260 bytes
│└─╴text/html 355 bytes │└─╴text/html 355 bytes
└─╴image/png inline 236 bytes └─╴image/png inline 236 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-one-part-complex.eml"><!
[CDATA[
<figure><sourcecode type="message/rfc822" name="smime-one-part-complex.eml"><![C
DATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
Subject: smime-one-part-complex Subject: smime-one-part-complex
Message-ID: <smime-one-part-complex@example> Message-ID: <smime-one-part-complex@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:01:02 -0500 Date: Sat, 20 Feb 2021 12:01:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
skipping to change at line 3535 skipping to change at line 3402
UyBXRzExMC8GA1UEAxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1 UyBXRzExMC8GA1UEAxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1
dGhvcml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglghkgBZQMEAgGgaTAYBgkq dGhvcml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglghkgBZQMEAgGgaTAYBgkq
hkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNzAx hkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNzAx
MDJaMC8GCSqGSIb3DQEJBDEiBCDw/DGldVr1aM/U2iIYH8C6YHSKLUihv8FIEUZC MDJaMC8GCSqGSIb3DQEJBDEiBCDw/DGldVr1aM/U2iIYH8C6YHSKLUihv8FIEUZC
JPECvDANBgkqhkiG9w0BAQEFAASCAQA/sn8ReNdvJH8O3Ejzs7eF6tBy6DYD5dFE JPECvDANBgkqhkiG9w0BAQEFAASCAQA/sn8ReNdvJH8O3Ejzs7eF6tBy6DYD5dFE
aLVxB6o3G6qHcupmwvHvL6zouALUoh+zkYRxuWNcPQGfbUqXoAC2cQ6ejwtz3Qnm aLVxB6o3G6qHcupmwvHvL6zouALUoh+zkYRxuWNcPQGfbUqXoAC2cQ6ejwtz3Qnm
4L6amZZQC3NnwFfytOrIvGrMdT1M/39igmep2ZUq9BQS7vq0mYQzSgkGm148yOfI 4L6amZZQC3NnwFfytOrIvGrMdT1M/39igmep2ZUq9BQS7vq0mYQzSgkGm148yOfI
QDeuJZGcw1EcFZuFUZPX4J9kvUu5twvDQoPnTitPVGJ9C2lB6PRkYjKW7JAmNtBL QDeuJZGcw1EcFZuFUZPX4J9kvUu5twvDQoPnTitPVGJ9C2lB6PRkYjKW7JAmNtBL
qRbwZbtOjbrhAszzkRG5P8jR+35FIkG6abSF8hwYix0fJokUn3YnU7G6pRM7DSGg qRbwZbtOjbrhAszzkRG5P8jR+35FIkG6abSF8hwYix0fJokUn3YnU7G6pRM7DSGg
S9MtDUy34GTkdUQ7OXFlLa5kpQfUFBbQ5qflKUvIrBsYX6qjWAVs S9MtDUy34GTkdUQ7OXFlLa5kpQfUFBbQ5qflKUvIrBsYX6qjWAVs
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-only-signeddata-over-a-complex-message-n
<section anchor="smime-signed-only-signeddata-over-a-complex-message-no-header-p o-header-protection-unwrapped">
rotection-unwrapped"><name>S/MIME Signed-only signedData Over a Complex Message, <name>S/MIME Signed-Only signedData over a Complex Message, No Heade
No Header Protection, Unwrapped</name> r Protection, Unwrapped</name>
<t>The S/MIME signed-data layer unwraps to:</t>
<t>The S/MIME signed-data layer unwraps to:</t> <sourcecode type="message/rfc822" name="smime-one-part-complex.unwra
pped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-one-part-complex.unwrapped
.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="533" Content-Type: multipart/mixed; boundary="533"
--533 --533
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="931" Content-Type: multipart/alternative; boundary="931"
--931 --931
Content-Type: text/plain; charset="us-ascii" Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0 MIME-Version: 1.0
skipping to change at line 3591 skipping to change at line 3456
Content-Type: image/png Content-Type: image/png
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Disposition: inline Content-Disposition: inline
iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg== vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==
--533-- --533--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-multipart-complex">
<section anchor="smime-multipart-complex"><name>S/MIME Signed-only multipart/sig <name>S/MIME Signed-Only multipart/signed over a Complex Message, No H
ned Over a Complex Message, No Header Protection</name> eader Protection</name>
<t>This is a signed-only S/MIME message via PKCS#7 detached signature
<t>This is a signed-only S/MIME message via PKCS#7 detached signature (multipart (multipart/signed). The payload is a multipart/alternative message with an inli
/signed). The payload is a multipart/alternative message with an inline image/p ne image/png attachment. It uses no header protection.</t>
ng attachment. It uses no header protection.</t> <t>It has the following structure:</t>
<artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└┬╴multipart/signed 5230 bytes └┬╴multipart/signed 5230 bytes
├┬╴multipart/mixed 1344 bytes ├┬╴multipart/mixed 1344 bytes
│├┬╴multipart/alternative 938 bytes │├┬╴multipart/alternative 938 bytes
││├─╴text/plain 278 bytes ││├─╴text/plain 278 bytes
││└─╴text/html 376 bytes ││└─╴text/html 376 bytes
│└─╴image/png inline 232 bytes │└─╴image/png inline 232 bytes
└─╴application/pkcs7-signature [smime.p7s] 3429 bytes └─╴application/pkcs7-signature [smime.p7s] 3429 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-multipart-complex.eml"><
![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-multipart-complex.eml"><![
CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: multipart/signed; Content-Type: multipart/signed;
protocol="application/pkcs7-signature"; boundary="4e5"; protocol="application/pkcs7-signature"; boundary="4e5";
micalg="sha-256" micalg="sha-256"
Subject: smime-multipart-complex Subject: smime-multipart-complex
Message-ID: <smime-multipart-complex@example> Message-ID: <smime-multipart-complex@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:02:02 -0500 Date: Sat, 20 Feb 2021 12:02:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
skipping to change at line 3737 skipping to change at line 3597
9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNzAyMDJa 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNzAyMDJa
MC8GCSqGSIb3DQEJBDEiBCDQTcb+2QaMhBSlslOnLpojyHSnq4gNzFYU45gwqAHj MC8GCSqGSIb3DQEJBDEiBCDQTcb+2QaMhBSlslOnLpojyHSnq4gNzFYU45gwqAHj
7jANBgkqhkiG9w0BAQEFAASCAQCYM1/HD0Ka4aZwwLS4xMGoyFzGn5G2C3ph0jKS 7jANBgkqhkiG9w0BAQEFAASCAQCYM1/HD0Ka4aZwwLS4xMGoyFzGn5G2C3ph0jKS
mCVbpfAxeHnsnuFjdCYzgN/mdBCOQs4P2/rBGWy3DpDHnKdaB+Q2/IZmI1UgyRTM mCVbpfAxeHnsnuFjdCYzgN/mdBCOQs4P2/rBGWy3DpDHnKdaB+Q2/IZmI1UgyRTM
oclbWWQfTLX1BuI/mJKqHBhJn0y17UXCUAnvSoYGFhjmqTQStR3k4PsdJod78pEa oclbWWQfTLX1BuI/mJKqHBhJn0y17UXCUAnvSoYGFhjmqTQStR3k4PsdJod78pEa
9+Yx6lBGVyznuhHaGuB7lh/S9pxAYtoJFUuIVq+frSN5xhmisPXluFHC3UPu3Hyb 9+Yx6lBGVyznuhHaGuB7lh/S9pxAYtoJFUuIVq+frSN5xhmisPXluFHC3UPu3Hyb
3w6gm+bTL4NDNWwXXSn5wfm9Ru05b3eAEv9pADPZ2TKZPxzrfe4wPNzArgYwdn3k 3w6gm+bTL4NDNWwXXSn5wfm9Ru05b3eAEv9pADPZ2TKZPxzrfe4wPNzArgYwdn3k
6NdLvgw4mZmSSiOyOlfKo3cgo4rZuN6CeLCgqZ0GjIJS43v+ 6NdLvgw4mZmSSiOyOlfKo3cgo4rZuN6CeLCgqZ0GjIJS43v+
--4e5-- --4e5--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-enc-complex">
<section anchor="smime-signed-enc-complex"><name>S/MIME Signed and Encrypted Ove <name>S/MIME Signed and Encrypted over a Complex Message, No Header Pr
r a Complex Message, No Header Protection</name> otection</name>
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou dData around signedData. The payload is a multipart/alternative message with an
nd signedData. The payload is a multipart/alternative message with an inline im inline image/png attachment. It uses no header protection.</t>
age/png attachment. It uses no header protection.</t> <t>It has the following structure:</t>
<artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 8710 bytes └─╴application/pkcs7-mime [smime.p7m] 8710 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 5434 bytes └─╴application/pkcs7-mime [smime.p7m] 5434 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└┬╴multipart/mixed 1356 bytes └┬╴multipart/mixed 1356 bytes
├┬╴multipart/alternative 950 bytes ├┬╴multipart/alternative 950 bytes
│├─╴text/plain 295 bytes │├─╴text/plain 295 bytes
│└─╴text/html 390 bytes │└─╴text/html 390 bytes
└─╴image/png inline 236 bytes └─╴image/png inline 236 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-complex.eml">
<![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex.eml"><!
[CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: smime-signed-enc-complex Subject: smime-signed-enc-complex
Message-ID: <smime-signed-enc-complex@example> Message-ID: <smime-signed-enc-complex@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:03:02 -0500 Date: Sat, 20 Feb 2021 12:03:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
skipping to change at line 3905 skipping to change at line 3760
cKwLe/UamiqdfPOVQeeN/BkXXaqr2EPDKUSeaShDrui+VKTvgKbJDbImWJjdhjQd cKwLe/UamiqdfPOVQeeN/BkXXaqr2EPDKUSeaShDrui+VKTvgKbJDbImWJjdhjQd
6ugnYd3ahi8Zk3+v6Taz0a7ZUtnGqvarOX6S4EH+h8H+CnLyuOPron5wJIssCMD2 6ugnYd3ahi8Zk3+v6Taz0a7ZUtnGqvarOX6S4EH+h8H+CnLyuOPron5wJIssCMD2
cNDVB8a/n26EiQUG+fsakGyCIEqin5nSSdzgBlDiM0ghav5onizmKyqxHtHjZvRP cNDVB8a/n26EiQUG+fsakGyCIEqin5nSSdzgBlDiM0ghav5onizmKyqxHtHjZvRP
/1tGNa0yDwgfSDycM5QGsMD4JUFmozQ/NZsNeGfJEjyZpsI4v64jzcs4QxEbJoDP /1tGNa0yDwgfSDycM5QGsMD4JUFmozQ/NZsNeGfJEjyZpsI4v64jzcs4QxEbJoDP
/K8v9kiCQZ3NtkHGDRcUBWNDbKij8wgOPAJmHweFIA6UnHoqJdbPzNwsAAjMVN2Z /K8v9kiCQZ3NtkHGDRcUBWNDbKij8wgOPAJmHweFIA6UnHoqJdbPzNwsAAjMVN2Z
vtvsfFtuDu5BALHyKAlf67WbdKfFYqfktnmR2rPXa5U/3WWiS6cOLly6h+cseQvS vtvsfFtuDu5BALHyKAlf67WbdKfFYqfktnmR2rPXa5U/3WWiS6cOLly6h+cseQvS
bPn77hbn6y2tRQOIMstJ7pBIlim6m/duKc7PZz1u/tANP/gKkHzthMyAErEOPmqM bPn77hbn6y2tRQOIMstJ7pBIlim6m/duKc7PZz1u/tANP/gKkHzthMyAErEOPmqM
Plfvt8ju0UpwGpiF1T1E3SRodx5/q8NV6TSKANWeKN7nahusiB5CVO2EclhjATXR Plfvt8ju0UpwGpiF1T1E3SRodx5/q8NV6TSKANWeKN7nahusiB5CVO2EclhjATXR
XmPo08kyxwYYK7P+oBOXsE2gM/uZy3If5hIEfmxxJ+5F19cNiotTQwJM7Jmbag1O XmPo08kyxwYYK7P+oBOXsE2gM/uZy3If5hIEfmxxJ+5F19cNiotTQwJM7Jmbag1O
MtW7IWC7g+sDYln9L8hCxnCjoH331ss7c3470XB9pTy8EBnRdX5IRW9QuoRcMcZw MtW7IWC7g+sDYln9L8hCxnCjoH331ss7c3470XB9pTy8EBnRdX5IRW9QuoRcMcZw
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-over-a-complex-message-no-
<section anchor="smime-signed-and-encrypted-over-a-complex-message-no-header-pro header-protection-decrypted">
tection-decrypted"><name>S/MIME Signed and Encrypted Over a Complex Message, No <name>S/MIME Signed and Encrypted over a Complex Message, No Header
Header Protection, Decrypted</name> Protection, Decrypted</name>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> </t>
<sourcecode type="message/rfc822" name="smime-signed-enc-complex.dec
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex.decrypt rypted.eml"><![CDATA[
ed.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIIPaQYJKoZIhvcNAQcCoIIPWjCCD1YCAQExDTALBglghkgBZQMEAgEwggWSBgkq MIIPaQYJKoZIhvcNAQcCoIIPWjCCD1YCAQExDTALBglghkgBZQMEAgEwggWSBgkq
hkiG9w0BBwGgggWDBIIFf01JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVR5cGU6 hkiG9w0BBwGgggWDBIIFf01JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVR5cGU6
IG11bHRpcGFydC9taXhlZDsgYm91bmRhcnk9IjUwOCINCg0KLS01MDgNCk1JTUUt IG11bHRpcGFydC9taXhlZDsgYm91bmRhcnk9IjUwOCINCg0KLS01MDgNCk1JTUUt
VmVyc2lvbjogMS4wDQpDb250ZW50LVR5cGU6IG11bHRpcGFydC9hbHRlcm5hdGl2 VmVyc2lvbjogMS4wDQpDb250ZW50LVR5cGU6IG11bHRpcGFydC9hbHRlcm5hdGl2
ZTsgYm91bmRhcnk9IjgwNCINCg0KLS04MDQNCkNvbnRlbnQtVHlwZTogdGV4dC9w ZTsgYm91bmRhcnk9IjgwNCINCg0KLS04MDQNCkNvbnRlbnQtVHlwZTogdGV4dC9w
bGFpbjsgY2hhcnNldD0idXMtYXNjaWkiDQpNSU1FLVZlcnNpb246IDEuMA0KQ29u bGFpbjsgY2hhcnNldD0idXMtYXNjaWkiDQpNSU1FLVZlcnNpb246IDEuMA0KQ29u
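Review bot: In the "Decrypted" subsection that this hunk rewraps, the `<t>` still reads "The S/MIME enveloped-data layer unwraps to this signed-data part", while the section name says "Decrypted" and the structure diagram for this message uses "decrypts to" for the enveloped-data layer and "unwraps to" only for the signed-data layer. Suggest "decrypts to this signed-data part" so the prose matches the diagram's terms and a reader can tell the two layers apart.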
skipping to change at line 3999 skipping to change at line 3852
UyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzdBBXntdX9CqaJcOvT4as6a UyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzdBBXntdX9CqaJcOvT4as6a
qdcwCwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq qdcwCwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq
hkiG9w0BCQUxDxcNMjEwMjIwMTcwMzAyWjAvBgkqhkiG9w0BCQQxIgQgXYQxbGVS hkiG9w0BCQUxDxcNMjEwMjIwMTcwMzAyWjAvBgkqhkiG9w0BCQQxIgQgXYQxbGVS
YbD1RRyrYjMaj8vm0wJceMeGDm9qv/JsQlgwDQYJKoZIhvcNAQEBBQAEggEAbtxK YbD1RRyrYjMaj8vm0wJceMeGDm9qv/JsQlgwDQYJKoZIhvcNAQEBBQAEggEAbtxK
BK0ie88UC9KGR0/nHIWpXJOnN1/tXtEWsLoypwYiw8XKgcN8zgZ06RikcGX12ijW BK0ie88UC9KGR0/nHIWpXJOnN1/tXtEWsLoypwYiw8XKgcN8zgZ06RikcGX12ijW
Gz2wgA2yIRfnzWBvS6zmBc9r37klP8uhB0GgPrPFTtq+GeLn9hUApYQTb20HlSKM Gz2wgA2yIRfnzWBvS6zmBc9r37klP8uhB0GgPrPFTtq+GeLn9hUApYQTb20HlSKM
e34oCU7qv0lYFfN0sDlwxkha1X3AAg4QFcUrnLJRkYFWDH6XvxsHNiLznwsF/+B1 e34oCU7qv0lYFfN0sDlwxkha1X3AAg4QFcUrnLJRkYFWDH6XvxsHNiLznwsF/+B1
uNiPIi7rhKgG3oLYu4H8qGolM5H+gyl7+h4t8hUHZVTxZ6QyTO0K+D2JO8aazcor uNiPIi7rhKgG3oLYu4H8qGolM5H+gyl7+h4t8hUHZVTxZ6QyTO0K+D2JO8aazcor
PgJsa85BUfcx0JXsixcqtLzTAfsPOAQBl1CUHEied1qX6nlMb2gCxP6psFEXPRGM PgJsa85BUfcx0JXsixcqtLzTAfsPOAQBl1CUHEied1qX6nlMb2gCxP6psFEXPRGM
rxSLzwv5QtKJCaDfYw== rxSLzwv5QtKJCaDfYw==
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-over-a-complex-message-no-
<section anchor="smime-signed-and-encrypted-over-a-complex-message-no-header-pro header-protection-decrypted-and-unwrapped">
tection-decrypted-and-unwrapped"><name>S/MIME Signed and Encrypted Over a Comple <name>S/MIME Signed and Encrypted over a Complex Message, No Header
x Message, No Header Protection, Decrypted and Unwrapped</name> Protection, Decrypted and Unwrapped</name>
<t>The inner signed-data layer unwraps to:</t>
<t>The inner signed-data layer unwraps to:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-complex.dec
rypted.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex.decrypt
ed.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="508" Content-Type: multipart/mixed; boundary="508"
--508 --508
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="804" Content-Type: multipart/alternative; boundary="804"
--804 --804
Content-Type: text/plain; charset="us-ascii" Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0 MIME-Version: 1.0
skipping to change at line 4058 skipping to change at line 3909
Content-Type: image/png Content-Type: image/png
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Disposition: inline Content-Disposition: inline
iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg== vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==
--508-- --508--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> </section>
</section> <section anchor="signed-only-messages">
<section anchor="signed-only-messages"><name>Signed-only Messages</name> <name>Signed-Only Messages</name>
<t>These messages are signed-only, using different schemes of header pro
<t>These messages are signed-only, using different schemes of header protection tection and different S/MIME structures.
and different S/MIME structure. They use no <iref item="Header Confidentiality Policy"/><xref target="hea
The use no <iref item="Header Confidentiality Policy"/><xref target="header-conf der-confidentiality-policy" format="none">Header Confidentiality Policy</xref> b
identiality-policy" format="none">Header Confidentiality Policy</xref> because t ecause the HCP is only relevant when a message is encrypted.</t>
he hcp is only relevant when a message is encrypted.</t>
<section anchor="smime-one-part-hp"><name>S/MIME Signed-only signedData Over a S <!--[rfced] What does "the draft" refer to in the sentence below?
imple Message, Header Protection</name> Should this be updated to "the draft message"? Note that there are
other occurrences like the example listed below that are used throughout
the appendices of this document.
<t>This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a Original:
text/plain message. It uses the Header Protection scheme from the draft.</t> It uses the Header Protection scheme from the draft.
<t>It has the following structure:</t> Perhaps:
It uses the Header Protection scheme from the draft message.
-->
<figure><artwork type="ascii-art"><![CDATA[ <section anchor="smime-one-part-hp">
<name>S/MIME Signed-Only signedData over a Simple Message, Header Prot
ection</name>
<t>This is a signed-only S/MIME message via PKCS#7 signedData. The pa
yload is a text/plain message. It uses the Header Protection scheme from the dra
ft.</t>
<t>It has the following structure:</t>
<artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 4189 bytes └─╴application/pkcs7-mime [smime.p7m] 4189 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└─╴text/plain 233 bytes └─╴text/plain 233 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-one-part-hp.eml"><![CDAT
A[
<figure><sourcecode type="message/rfc822" name="smime-one-part-hp.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
Subject: smime-one-part-hp Subject: smime-one-part-hp
Message-ID: <smime-one-part-hp@example> Message-ID: <smime-one-part-hp@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:06:02 -0500 Date: Sat, 20 Feb 2021 10:06:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
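Review bot: The `[rfced]` comment added before the `smime-one-part-hp` section leaves its question open, and the new `<t>` text still reads "It uses the Header Protection scheme from the draft." Resolve the query before the comment is dropped. The same sentence also sits inside the signed sample payloads (the unwrapped body of this message ends "scheme from the draft."), so rewording only the `<t>` descriptions would make them diverge from the message bodies, and rewording the bodies means regenerating the signatures over them. If the payloads stay frozen, say so in the reply to the query instead of applying the "Perhaps:" wording throughout the appendices.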
skipping to change at line 4158 skipping to change at line 4016
bGUgTEFNUFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhM3QQV57XV/Qqmi bGUgTEFNUFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhM3QQV57XV/Qqmi
XDr0+GrOmqnXMAsGCWCGSAFlAwQCAaBpMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0B XDr0+GrOmqnXMAsGCWCGSAFlAwQCAaBpMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0B
BwEwHAYJKoZIhvcNAQkFMQ8XDTIxMDIyMDE1MDYwMlowLwYJKoZIhvcNAQkEMSIE BwEwHAYJKoZIhvcNAQkFMQ8XDTIxMDIyMDE1MDYwMlowLwYJKoZIhvcNAQkEMSIE
IHBk91pcJj0zJrTyROHOdfUnQMoctIHVb6WXTpS3gYxlMA0GCSqGSIb3DQEBAQUA IHBk91pcJj0zJrTyROHOdfUnQMoctIHVb6WXTpS3gYxlMA0GCSqGSIb3DQEBAQUA
BIIBABWhy/yIy9RLS3OdZZTlUNChBhzNHjpSSoL3v0JmzOHeYJVblzBgpyPU33Tu BIIBABWhy/yIy9RLS3OdZZTlUNChBhzNHjpSSoL3v0JmzOHeYJVblzBgpyPU33Tu
JALxlGuGp4ybO16yQREHMXNFZJkrqWcIAMZG/4tG7WIHXm0AGIcxl8BKKEpn8t1m JALxlGuGp4ybO16yQREHMXNFZJkrqWcIAMZG/4tG7WIHXm0AGIcxl8BKKEpn8t1m
kiOO/NWzFY9TW1pYd/+CC7Q8Asc+S2Nd269HGrFFpL36r74Gt2xJDxn11N3coBh3 kiOO/NWzFY9TW1pYd/+CC7Q8Asc+S2Nd269HGrFFpL36r74Gt2xJDxn11N3coBh3
khaFt+p5GkqqrNUtfGeo0ifF+66x/oW9A/AtNE+iKwx7mEtukOhBgTXgyr3bi+ev khaFt+p5GkqqrNUtfGeo0ifF+66x/oW9A/AtNE+iKwx7mEtukOhBgTXgyr3bi+ev
sEQzWYVLyVS7TCsCM5A1LxHZHv5gVcX1EMTZi7rRaNKKEmUcA9vbJYBSOWlmR/o4 sEQzWYVLyVS7TCsCM5A1LxHZHv5gVcX1EMTZi7rRaNKKEmUcA9vbJYBSOWlmR/o4
FeLYNUvUvFXvV9YCb/0R0pgp9Aw= FeLYNUvUvFXvV9YCb/0R0pgp9Aw=
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-only-signeddata-over-a-simple-message-he
<section anchor="smime-signed-only-signeddata-over-a-simple-message-header-prote ader-protection-unwrapped">
ction-unwrapped"><name>S/MIME Signed-only signedData Over a Simple Message, Head <name>S/MIME Signed-Only signedData over a Simple Message, Header Pr
er Protection, Unwrapped</name> otection, Unwrapped</name>
<t>The S/MIME signed-data layer unwraps to:</t>
<t>The S/MIME signed-data layer unwraps to:</t> <sourcecode type="message/rfc822" name="smime-one-part-hp.unwrapped.
eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-one-part-hp.unwrapped.eml"
><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit
Subject: smime-one-part-hp Subject: smime-one-part-hp
Message-ID: <smime-one-part-hp@example> Message-ID: <smime-one-part-hp@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:06:02 -0500 Date: Sat, 20 Feb 2021 10:06:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
Content-Type: text/plain; charset="utf-8"; hp="clear" Content-Type: text/plain; charset="utf-8"; hp="clear"
skipping to change at line 4186 skipping to change at line 4042
smime-one-part-hp smime-one-part-hp
message. message.
This is a signed-only S/MIME message via PKCS#7 signedData. The This is a signed-only S/MIME message via PKCS#7 signedData. The
payload is a text/plain message. It uses the Header Protection payload is a text/plain message. It uses the Header Protection
scheme from the draft. scheme from the draft.
-- --
Alice Alice
alice@smime.example alice@smime.example
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-multipart-hp">
<section anchor="smime-multipart-hp"><name>S/MIME Signed-only multipart/signed O <name>S/MIME Signed-Only multipart/signed over a Simple Message, Heade
ver a Simple Message, Header Protection</name> r Protection</name>
<t>This is a signed-only S/MIME message via PKCS#7 detached signature
<t>This is a signed-only S/MIME message via PKCS#7 detached signature (multipart (multipart/signed). The payload is a text/plain message. It uses the Header Pro
/signed). The payload is a text/plain message. It uses the Header Protection sc tection scheme from the draft.</t>
heme from the draft.</t> <t>It has the following structure:</t>
<artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└┬╴multipart/signed 4435 bytes └┬╴multipart/signed 4435 bytes
├─╴text/plain 250 bytes ├─╴text/plain 250 bytes
└─╴application/pkcs7-signature [smime.p7s] 3429 bytes └─╴application/pkcs7-signature [smime.p7s] 3429 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-multipart-hp.eml"><![CDA
TA[
<figure><sourcecode type="message/rfc822" name="smime-multipart-hp.eml"><![CDATA
[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: multipart/signed; Content-Type: multipart/signed;
protocol="application/pkcs7-signature"; boundary="78f"; protocol="application/pkcs7-signature"; boundary="78f";
micalg="sha-256" micalg="sha-256"
Subject: smime-multipart-hp Subject: smime-multipart-hp
Message-ID: <smime-multipart-hp@example> Message-ID: <smime-multipart-hp@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:07:02 -0500 Date: Sat, 20 Feb 2021 10:07:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
skipping to change at line 4298 skipping to change at line 4149
9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNTA3MDJa 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNTA3MDJa
MC8GCSqGSIb3DQEJBDEiBCAIw1Q7hUXhrDaz3lXMFP0A3q3nvlhWh9ejLg/g9kjk MC8GCSqGSIb3DQEJBDEiBCAIw1Q7hUXhrDaz3lXMFP0A3q3nvlhWh9ejLg/g9kjk
vDANBgkqhkiG9w0BAQEFAASCAQAcl0M6ZwFAzFvsP+/siWSN0EM0YWxuOzvCmSWC vDANBgkqhkiG9w0BAQEFAASCAQAcl0M6ZwFAzFvsP+/siWSN0EM0YWxuOzvCmSWC
0QwnAQ/dSwXcKMcej0wWMKTDTQSYBUjxFVE0chcK6FMH2gHDVb/PztWrSECmvh6F 0QwnAQ/dSwXcKMcej0wWMKTDTQSYBUjxFVE0chcK6FMH2gHDVb/PztWrSECmvh6F
utJ2SRxs0uGrFkee3hR0kowuOu9pDXasLtWP2MnB5pSMWX5QMpya1UxYcbIoaUOx utJ2SRxs0uGrFkee3hR0kowuOu9pDXasLtWP2MnB5pSMWX5QMpya1UxYcbIoaUOx
Jeu5zjbYf/Oo2tINvZHP+r+wxQZ7qTaEzviQ+IV0KoJanfU3Qd/giS6MuySwozwP Jeu5zjbYf/Oo2tINvZHP+r+wxQZ7qTaEzviQ+IV0KoJanfU3Qd/giS6MuySwozwP
r3E7YAy3O9dZT7zL6AR5CsC1I0coo7X1PRNnBXXLMEcR/v5cXniGV+GNf8xYaiGA r3E7YAy3O9dZT7zL6AR5CsC1I0coo7X1PRNnBXXLMEcR/v5cXniGV+GNf8xYaiGA
iT9IwijZa6psfTSFjzUWTIc0jGx3GcLZr+BIm+MEBCSRzDum iT9IwijZa6psfTSFjzUWTIc0jGx3GcLZr+BIm+MEBCSRzDum
--78f-- --78f--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-one-part-complex-hp">
<section anchor="smime-one-part-complex-hp"><name>S/MIME Signed-only signedData <name>S/MIME Signed-Only signedData over a Complex Message, Header Pro
Over a Complex Message, Header Protection</name> tection</name>
<t>This is a signed-only S/MIME message via PKCS#7 signedData. The pa
<t>This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a yload is a multipart/alternative message with an inline image/png attachment. It
multipart/alternative message with an inline image/png attachment. It uses the uses the Header Protection scheme from the draft.</t>
Header Protection scheme from the draft.</t> <t>It has the following structure:</t>
<artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 5647 bytes └─╴application/pkcs7-mime [smime.p7m] 5647 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└┬╴multipart/mixed 1570 bytes └┬╴multipart/mixed 1570 bytes
├┬╴multipart/alternative 934 bytes ├┬╴multipart/alternative 934 bytes
│├─╴text/plain 287 bytes │├─╴text/plain 287 bytes
│└─╴text/html 382 bytes │└─╴text/html 382 bytes
└─╴image/png inline 236 bytes └─╴image/png inline 236 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-one-part-complex-hp.eml"
><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-one-part-complex-hp.eml"><
![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
Subject: smime-one-part-complex-hp Subject: smime-one-part-complex-hp
Message-ID: <smime-one-part-complex-hp@example> Message-ID: <smime-one-part-complex-hp@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:06:02 -0500 Date: Sat, 20 Feb 2021 12:06:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
skipping to change at line 4417 skipping to change at line 4263
TVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFNUFMgUlNBIENlcnRpZmljYXRpb24g TVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFNUFMgUlNBIENlcnRpZmljYXRpb24g
QXV0aG9yaXR5AhM3QQV57XV/QqmiXDr0+GrOmqnXMAsGCWCGSAFlAwQCAaBpMBgG QXV0aG9yaXR5AhM3QQV57XV/QqmiXDr0+GrOmqnXMAsGCWCGSAFlAwQCAaBpMBgG
CSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIxMDIyMDE3 CSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIxMDIyMDE3
MDYwMlowLwYJKoZIhvcNAQkEMSIEIGbRm8jphDRUXRWIk4vxhAup+YZsmtrednWv MDYwMlowLwYJKoZIhvcNAQkEMSIEIGbRm8jphDRUXRWIk4vxhAup+YZsmtrednWv
3iPoigWSMA0GCSqGSIb3DQEBAQUABIIBAEHG833PIy7iky9Ok2pN22fjSF6xtjlt 3iPoigWSMA0GCSqGSIb3DQEBAQUABIIBAEHG833PIy7iky9Ok2pN22fjSF6xtjlt
h1Pi4Eh9PSjQ5Rdrsv9pJFFsBhSLOXv+O8fwYfS1rUrgwsCVMO64zz5MT1Kj4Y4Z h1Pi4Eh9PSjQ5Rdrsv9pJFFsBhSLOXv+O8fwYfS1rUrgwsCVMO64zz5MT1Kj4Y4Z
a6ztE9weXTlciQydOWER6lV1BDP4GwUaz+BBCoKKB0DTHq+nPNo97XtTCUfo55Vz a6ztE9weXTlciQydOWER6lV1BDP4GwUaz+BBCoKKB0DTHq+nPNo97XtTCUfo55Vz
55vmNXxqWQ952hzw+qxxTxKzdYApFd9cZYzvV4otZgtvZDu3sn6GWFCtVpN4+6TR 55vmNXxqWQ952hzw+qxxTxKzdYApFd9cZYzvV4otZgtvZDu3sn6GWFCtVpN4+6TR
xClE93q+LZwvJyXFRFWHcKqpUfQ16ZAomBadrJ1RU3BmRXnC6DAI/J/yhm7OegdN xClE93q+LZwvJyXFRFWHcKqpUfQ16ZAomBadrJ1RU3BmRXnC6DAI/J/yhm7OegdN
0Or/+EuyWAzp0r/GCsSGXt2owaAkGPuZf6kPc0mLhb/VFdeY16wy9J0= 0Or/+EuyWAzp0r/GCsSGXt2owaAkGPuZf6kPc0mLhb/VFdeY16wy9J0=
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-only-signeddata-over-a-complex-message-h
<section anchor="smime-signed-only-signeddata-over-a-complex-message-header-prot eader-protection-unwrapped">
ection-unwrapped"><name>S/MIME Signed-only signedData Over a Complex Message, He <name>S/MIME Signed-Only signedData over a Complex Message, Header P
ader Protection, Unwrapped</name> rotection, Unwrapped</name>
<t>The S/MIME signed-data layer unwraps to:</t>
<t>The S/MIME signed-data layer unwraps to:</t> <sourcecode type="message/rfc822" name="smime-one-part-complex-hp.un
wrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-one-part-complex-hp.unwrap
ped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Subject: smime-one-part-complex-hp Subject: smime-one-part-complex-hp
Message-ID: <smime-one-part-complex-hp@example> Message-ID: <smime-one-part-complex-hp@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:06:02 -0500 Date: Sat, 20 Feb 2021 12:06:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
Content-Type: multipart/mixed; boundary="e2e"; hp="clear" Content-Type: multipart/mixed; boundary="e2e"; hp="clear"
--e2e --e2e
skipping to change at line 4481 skipping to change at line 4325
Content-Type: image/png Content-Type: image/png
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Disposition: inline Content-Disposition: inline
iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg== vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==
--e2e-- --e2e--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-multipart-complex-hp">
<section anchor="smime-multipart-complex-hp"><name>S/MIME Signed-only multipart/ <name>S/MIME Signed-Only multipart/signed over a Complex Message, Head
signed Over a Complex Message, Header Protection</name> er Protection</name>
<t>This is a signed-only S/MIME message via PKCS#7 detached signature
<t>This is a signed-only S/MIME message via PKCS#7 detached signature (multipart (multipart/signed). The payload is a multipart/alternative message with an inli
/signed). The payload is a multipart/alternative message with an inline image/p ne image/png attachment. It uses the Header Protection scheme from the draft.</t
ng attachment. It uses the Header Protection scheme from the draft.</t> >
<t>It has the following structure:</t>
<t>It has the following structure:</t> <artwork type="ascii-art"><![CDATA[
<figure><artwork type="ascii-art"><![CDATA[
└┬╴multipart/signed 5520 bytes └┬╴multipart/signed 5520 bytes
├┬╴multipart/mixed 1628 bytes ├┬╴multipart/mixed 1628 bytes
│├┬╴multipart/alternative 990 bytes │├┬╴multipart/alternative 990 bytes
││├─╴text/plain 304 bytes ││├─╴text/plain 304 bytes
││└─╴text/html 402 bytes ││└─╴text/html 402 bytes
│└─╴image/png inline 232 bytes │└─╴image/png inline 232 bytes
└─╴application/pkcs7-signature [smime.p7s] 3429 bytes └─╴application/pkcs7-signature [smime.p7s] 3429 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-multipart-complex-hp.eml
"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-multipart-complex-hp.eml">
<![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: multipart/signed; Content-Type: multipart/signed;
protocol="application/pkcs7-signature"; boundary="ba4"; protocol="application/pkcs7-signature"; boundary="ba4";
micalg="sha-256" micalg="sha-256"
Subject: smime-multipart-complex-hp Subject: smime-multipart-complex-hp
Message-ID: <smime-multipart-complex-hp@example> Message-ID: <smime-multipart-complex-hp@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:07:02 -0500 Date: Sat, 20 Feb 2021 12:07:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
skipping to change at line 4633 skipping to change at line 4472
9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNzA3MDJa 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNzA3MDJa
MC8GCSqGSIb3DQEJBDEiBCDKNV54rM1AYevevF+c3DI/JjX14STIx3nsp5B95mHf MC8GCSqGSIb3DQEJBDEiBCDKNV54rM1AYevevF+c3DI/JjX14STIx3nsp5B95mHf
gTANBgkqhkiG9w0BAQEFAASCAQBWQxNUY6IG27ju4XS4aApRfPoBUjk6m7uUMIQF gTANBgkqhkiG9w0BAQEFAASCAQBWQxNUY6IG27ju4XS4aApRfPoBUjk6m7uUMIQF
/VC9EpXLvWRkn6B9k7L9MMrMJPRKR03oCzimaPjTKH3JKTxdj0gWtb2eELmIaRWY /VC9EpXLvWRkn6B9k7L9MMrMJPRKR03oCzimaPjTKH3JKTxdj0gWtb2eELmIaRWY
nOTaAK/3/h2dqMbPXYXgmWRQPsgFs42m6zWF4CH3YpurTvQC5gB0PSEPF0BOHdcm nOTaAK/3/h2dqMbPXYXgmWRQPsgFs42m6zWF4CH3YpurTvQC5gB0PSEPF0BOHdcm
77bRs4AcPf1mfGThUG3YUNXuJ99BKb3Zz3lQiTohvhti9eHRYAMXL/XdP7TLiGVm 77bRs4AcPf1mfGThUG3YUNXuJ99BKb3Zz3lQiTohvhti9eHRYAMXL/XdP7TLiGVm
Ee7uoUREekXvLmj8C6B3z8fiTfiWlqENU7J2BkrVF0KgW5X9ANwhekNROEx6X05R Ee7uoUREekXvLmj8C6B3z8fiTfiWlqENU7J2BkrVF0KgW5X9ANwhekNROEx6X05R
NVcBYNKNxCxuKMbHcE47Ytt8AuV4NoDWk2yumc8T6sM0Wkue NVcBYNKNxCxuKMbHcE47Ytt8AuV4NoDWk2yumc8T6sM0Wkue
--ba4-- --ba4--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-one-part-complex-rfc8551hp">
<section anchor="smime-one-part-complex-rfc8551hp"><name>S/MIME Signed-only sign <name>S/MIME Signed-Only signedData over a Complex Message, Legacy RFC
edData Over a Complex Message, Legacy RFC 8551 Header Protection</name> 8551 Header Protection</name>
<t>This is a signed-only S/MIME message via PKCS#7 signedData. The pa
<t>This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a yload is a multipart/alternative message with an inline image/png attachment. It
multipart/alternative message with an inline image/png attachment. It uses the uses the legacy RFC 8551 header protection (<iref item="RFC8551HP"/><xref targe
legacy RFC 8551 header protection (<iref item="RFC8551HP"/><xref target="RFC8551 t="RFC8551HP" format="none">RFC8551HP</xref>) scheme.</t>
HP" format="none">RFC8551HP</xref>) scheme.</t> <t>It has the following structure:</t>
<artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 5696 bytes └─╴application/pkcs7-mime [smime.p7m] 5696 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└┬╴message/rfc822 1660 bytes └┬╴message/rfc822 1660 bytes
└┬╴multipart/mixed 1612 bytes └┬╴multipart/mixed 1612 bytes
├┬╴multipart/alternative 974 bytes ├┬╴multipart/alternative 974 bytes
│├─╴text/plain 296 bytes │├─╴text/plain 296 bytes
│└─╴text/html 394 bytes │└─╴text/html 394 bytes
└─╴image/png inline 232 bytes └─╴image/png inline 232 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-one-part-complex-rfc8551
hp.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-one-part-complex-rfc8551hp
.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
Subject: smime-one-part-complex-rfc8551hp Subject: smime-one-part-complex-rfc8551hp
Message-ID: <smime-one-part-complex-rfc8551hp@example> Message-ID: <smime-one-part-complex-rfc8551hp@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:26:02 -0500 Date: Sat, 20 Feb 2021 12:26:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
skipping to change at line 4754 skipping to change at line 4588
VQQDEyhTYW1wbGUgTEFNUFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhM3 VQQDEyhTYW1wbGUgTEFNUFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhM3
QQV57XV/QqmiXDr0+GrOmqnXMAsGCWCGSAFlAwQCAaBpMBgGCSqGSIb3DQEJAzEL QQV57XV/QqmiXDr0+GrOmqnXMAsGCWCGSAFlAwQCAaBpMBgGCSqGSIb3DQEJAzEL
BgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIxMDIyMDE3MjYwMlowLwYJKoZI BgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIxMDIyMDE3MjYwMlowLwYJKoZI
hvcNAQkEMSIEIPo6cfj2PNIuP7W8SRv7KpxepLUu9zPgalLeN0BNuSo/MA0GCSqG hvcNAQkEMSIEIPo6cfj2PNIuP7W8SRv7KpxepLUu9zPgalLeN0BNuSo/MA0GCSqG
SIb3DQEBAQUABIIBAIB0l2cJSO2iAJg5nB/+gal+wZn3hOPlWW6n8YQ957q/TxIj SIb3DQEBAQUABIIBAIB0l2cJSO2iAJg5nB/+gal+wZn3hOPlWW6n8YQ957q/TxIj
Iny59ctj4CokVaRb3uAm50r1TpK1h1x/hse1MsZgWQ0ew+omUQQkJg3RLZ9R8wsv Iny59ctj4CokVaRb3uAm50r1TpK1h1x/hse1MsZgWQ0ew+omUQQkJg3RLZ9R8wsv
Ol8SN5WMNdiNSRNC9a3MFtSVPEOCt90XdQdQ2kqeRkL/fthatcF8gI+p4+pOP2+U Ol8SN5WMNdiNSRNC9a3MFtSVPEOCt90XdQdQ2kqeRkL/fthatcF8gI+p4+pOP2+U
dOfnKCjP9nPobyBcXkljv0pRriu7snqQi1O0I1aqd4VwocIm8YV65la0/9522f6e dOfnKCjP9nPobyBcXkljv0pRriu7snqQi1O0I1aqd4VwocIm8YV65la0/9522f6e
/4Zi30oBLuIz1+pT2z6frPzUJfd6UbGtSiAwRHyfIJHZ2PAYt94iMv7U0VmK3GmJ /4Zi30oBLuIz1+pT2z6frPzUJfd6UbGtSiAwRHyfIJHZ2PAYt94iMv7U0VmK3GmJ
TkzFm1if4dpFLofdkEtUX8Is+DPf+/ZB1MvrrQk= TkzFm1if4dpFLofdkEtUX8Is+DPf+/ZB1MvrrQk=
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-only-signeddata-over-a-complex-message-l
<section anchor="smime-signed-only-signeddata-over-a-complex-message-legacy-rfc- egacy-rfc-8551-header-protection-unwrapped">
8551-header-protection-unwrapped"><name>S/MIME Signed-only signedData Over a Com <name>S/MIME Signed-Only signedData over a Complex Message, Legacy R
plex Message, Legacy RFC 8551 Header Protection, Unwrapped</name> FC 8551 Header Protection, Unwrapped</name>
<t>The S/MIME signed-data layer unwraps to:</t>
<t>The S/MIME signed-data layer unwraps to:</t> <sourcecode type="message/rfc822" name="smime-one-part-complex-rfc85
51hp.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-one-part-complex-rfc8551hp
.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: message/rfc822 Content-Type: message/rfc822
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="e68" Content-Type: multipart/mixed; boundary="e68"
Subject: smime-one-part-complex-rfc8551hp Subject: smime-one-part-complex-rfc8551hp
Message-ID: <smime-one-part-complex-rfc8551hp@example> Message-ID: <smime-one-part-complex-rfc8551hp@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:26:02 -0500 Date: Sat, 20 Feb 2021 12:26:02 -0500
skipping to change at line 4821 skipping to change at line 4653
Content-Type: image/png Content-Type: image/png
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Disposition: inline Content-Disposition: inline
iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg== vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==
--e68-- --e68--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-multipart-complex-rfc8551hp">
<section anchor="smime-multipart-complex-rfc8551hp"><name>S/MIME Signed-only mul <name>S/MIME Signed-Only multipart/signed over a Complex Message, Lega
tipart/signed Over a Complex Message, Legacy RFC 8551 Header Protection</name> cy RFC 8551 Header Protection</name>
<t>This is a signed-only S/MIME message via PKCS#7 detached signature
<t>This is a signed-only S/MIME message via PKCS#7 detached signature (multipart (multipart/signed). The payload is a multipart/alternative message with an inli
/signed). The payload is a multipart/alternative message with an inline image/p ne image/png attachment. It uses the legacy RFC 8551 header protection (<iref it
ng attachment. It uses the legacy RFC 8551 header protection (<iref item="RFC855 em="RFC8551HP"/><xref target="RFC8551HP" format="none">RFC8551HP</xref>) scheme.
1HP"/><xref target="RFC8551HP" format="none">RFC8551HP</xref>) scheme.</t> </t>
<t>It has the following structure:</t>
<t>It has the following structure:</t> <artwork type="ascii-art"><![CDATA[
<figure><artwork type="ascii-art"><![CDATA[
└┬╴multipart/signed 5624 bytes └┬╴multipart/signed 5624 bytes
├┬╴message/rfc822 1718 bytes ├┬╴message/rfc822 1718 bytes
│└┬╴multipart/mixed 1670 bytes │└┬╴multipart/mixed 1670 bytes
│ ├┬╴multipart/alternative 1030 bytes │ ├┬╴multipart/alternative 1030 bytes
│ │├─╴text/plain 324 bytes │ │├─╴text/plain 324 bytes
│ │└─╴text/html 422 bytes │ │└─╴text/html 422 bytes
│ └─╴image/png inline 232 bytes │ └─╴image/png inline 232 bytes
└─╴application/pkcs7-signature [smime.p7s] 3429 bytes └─╴application/pkcs7-signature [smime.p7s] 3429 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-multipart-complex-rfc855
1hp.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-multipart-complex-rfc8551h
p.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: multipart/signed; Content-Type: multipart/signed;
protocol="application/pkcs7-signature"; boundary="a61"; protocol="application/pkcs7-signature"; boundary="a61";
micalg="sha-256" micalg="sha-256"
Subject: smime-multipart-complex-rfc8551hp Subject: smime-multipart-complex-rfc8551hp
Message-ID: <smime-multipart-complex-rfc8551hp@example> Message-ID: <smime-multipart-complex-rfc8551hp@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:27:02 -0500 Date: Sat, 20 Feb 2021 12:27:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
skipping to change at line 4979 skipping to change at line 4806
9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNzI3MDJa 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNzI3MDJa
MC8GCSqGSIb3DQEJBDEiBCAYyptCVBhIbjLhlQOKunV/81vEiJSGLmos08/AoumM MC8GCSqGSIb3DQEJBDEiBCAYyptCVBhIbjLhlQOKunV/81vEiJSGLmos08/AoumM
FzANBgkqhkiG9w0BAQEFAASCAQCSBglwkJFZNTXSwtDjldQxDo4n3twmJl9VyZSO FzANBgkqhkiG9w0BAQEFAASCAQCSBglwkJFZNTXSwtDjldQxDo4n3twmJl9VyZSO
AlO0EiVW2+9Tqu06G+mTSePraLq4L2BvutQ1rKW9jVXJXJ8klx3Y8aY6TGvJ5/RH AlO0EiVW2+9Tqu06G+mTSePraLq4L2BvutQ1rKW9jVXJXJ8klx3Y8aY6TGvJ5/RH
3GpwQPjfjauEVAplxnIeLdtUbwJJvaColBr6bPHUibtvXS14JqfHvEu7uTgHlxpv 3GpwQPjfjauEVAplxnIeLdtUbwJJvaColBr6bPHUibtvXS14JqfHvEu7uTgHlxpv
KFZ/VEXf+Lx62gINfpie22d6UC3Nxif6EwPEDLmIjOYILjfMf9McQ2KzAPr6t6x/ KFZ/VEXf+Lx62gINfpie22d6UC3Nxif6EwPEDLmIjOYILjfMf9McQ2KzAPr6t6x/
hrz6NDG3LeTeLegQ4+onLotaBFsa0QPat0nSFjcaH8j9hFb4RB4avMbT1/5nRR6/ hrz6NDG3LeTeLegQ4+onLotaBFsa0QPat0nSFjcaH8j9hFb4RB4avMbT1/5nRR6/
B49YO28fRuAztMvesvs4M8kW6DAJjYj2fFAgT87CdWErzM7r B49YO28fRuAztMvesvs4M8kW6DAJjYj2fFAgT87CdWErzM7r
--a61-- --a61--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="signed-and-encrypted-messages">
<section anchor="signed-and-encrypted-messages"><name>Signed-and-Encrypted Messa <name>Signed-and-Encrypted Messages</name>
ges</name> <t>These messages are signed and encrypted.
<t>These messages are signed and encrypted.
They use PKCS#7 signedData inside envelopedData, with different header protectio n schemes and different Header Confidentiality Policies.</t> They use PKCS#7 signedData inside envelopedData, with different header protectio n schemes and different Header Confidentiality Policies.</t>
<section anchor="smime-signed-enc-hp-baseline">
<section anchor="smime-signed-enc-hp-baseline"><name>S/MIME Signed and Encrypted <name>S/MIME Signed and Encrypted over a Simple Message, Header Protec
Over a Simple Message, Header Protection With hcp_baseline</name> tion with hcp_baseline</name>
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou dData around signedData. The payload is a text/plain message. It uses the Heade
nd signedData. The payload is a text/plain message. It uses the Header Protecti r Protection scheme from the draft with the hcp_baseline <iref item="Header Conf
on scheme from the draft with the hcp_baseline <iref item="Header Confidentialit identiality Policy"/><xref target="header-confidentiality-policy" format="none">
y Policy"/><xref target="header-confidentiality-policy" format="none">Header Con Header Confidentiality Policy</xref>.</t>
fidentiality Policy</xref>.</t> <t>It has the following structure:</t>
<artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 7825 bytes └─╴application/pkcs7-mime [smime.p7m] 7825 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 4786 bytes └─╴application/pkcs7-mime [smime.p7m] 4786 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└─╴text/plain 329 bytes └─╴text/plain 329 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline.e
ml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline.eml
"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: [...] Subject: [...]
Message-ID: <smime-signed-enc-hp-baseline@example> Message-ID: <smime-signed-enc-hp-baseline@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:09:02 -0500 Date: Sat, 20 Feb 2021 10:09:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
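Review bot: The titles in this region disagree on hyphenation. The parent section is named "Signed-and-Encrypted Messages" and the paragraph text says "signed-and-encrypted S/MIME message", but the subsection title reads "S/MIME Signed and Encrypted over a Simple Message, Header Protection with hcp_baseline". The revised column already touches this title to lower-case "Over" and "With", so this is the place to pick one form (for example "S/MIME Signed-and-Encrypted over a Simple Message, ...") and apply it to the subsection titles that follow.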
skipping to change at line 5136 skipping to change at line 4957
PcL0faa1xbpEUTfWv6Vviq9VCVkc5q/wxdL1irkqLNR5Ht8PyZUjCH9GsVntgPu+ PcL0faa1xbpEUTfWv6Vviq9VCVkc5q/wxdL1irkqLNR5Ht8PyZUjCH9GsVntgPu+
UDswKkNICxi0rUppHp0Nzr7HRH1Y76htABrX+wyFVtA6ttwbm8nNqSVof7wb0pYa UDswKkNICxi0rUppHp0Nzr7HRH1Y76htABrX+wyFVtA6ttwbm8nNqSVof7wb0pYa
cHYMfJDCVJvCLCLy/sePxzwGbH8bW/Va4ebVQfNBgS49ATHNbv2HfjROYqgWAINJ cHYMfJDCVJvCLCLy/sePxzwGbH8bW/Va4ebVQfNBgS49ATHNbv2HfjROYqgWAINJ
l8L3IqyUROBveA+3+a0wEZ/kJnlIJppNGqIhuS7SiKUBXN+lHvxoGAfeJFN8uQ2B l8L3IqyUROBveA+3+a0wEZ/kJnlIJppNGqIhuS7SiKUBXN+lHvxoGAfeJFN8uQ2B
C5KuodUGgcTbVsxkVDweTfBdS8bG06OIAklSXvgE614E146DNKKlqD3nc8xDCzbN C5KuodUGgcTbVsxkVDweTfBdS8bG06OIAklSXvgE614E146DNKKlqD3nc8xDCzbN
+YZ9VjShMxepn6pJ06xOKW54NVTa3zy/R+HZ+/WixdzkAcn8gog93ybxg/9PhAi4 +YZ9VjShMxepn6pJ06xOKW54NVTa3zy/R+HZ+/WixdzkAcn8gog93ybxg/9PhAi4
VauRPmbhrasLdiZwGyQ65shkUaJMwkjY+BpTK40M5KUV4yLr0ddkzbmKWo4Q50FY VauRPmbhrasLdiZwGyQ65shkUaJMwkjY+BpTK40M5KUV4yLr0ddkzbmKWo4Q50FY
NMc2AtCg1A8e9ziRU4Y2MD8abcs5S8rOKk5/R7o5gJGNHjlHpn9Xz+7fTpqtYqIf NMc2AtCg1A8e9ziRU4Y2MD8abcs5S8rOKk5/R7o5gJGNHjlHpn9Xz+7fTpqtYqIf
UY+YJhE+LyJW2uu8Gu1tTe05BSdy13E367FpALD0ZTeQHQWKmAckvwjsQ29YcKFM UY+YJhE+LyJW2uu8Gu1tTe05BSdy13E367FpALD0ZTeQHQWKmAckvwjsQ29YcKFM
n5+AmwDhDdpWKXih4nxFgQ== n5+AmwDhDdpWKXih4nxFgQ==
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-over-a-simple-message-head
<section anchor="smime-signed-and-encrypted-over-a-simple-message-header-protect er-protection-with-hcpbaseline-decrypted">
ion-with-hcpbaseline-decrypted"><name>S/MIME Signed and Encrypted Over a Simple <name>S/MIME Signed and Encrypted over a Simple Message, Header Prot
Message, Header Protection With hcp_baseline, Decrypted</name> ection with hcp_baseline, Decrypted</name>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> </t>
<sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline.dec .decrypted.eml"><![CDATA[
rypted.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIINkgYJKoZIhvcNAQcCoIINgzCCDX8CAQExDTALBglghkgBZQMEAgEwggO7Bgkq MIINkgYJKoZIhvcNAQcCoIINgzCCDX8CAQExDTALBglghkgBZQMEAgEwggO7Bgkq
hkiG9w0BBwGgggOsBIIDqE1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVRyYW5z hkiG9w0BBwGgggOsBIIDqE1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVRyYW5z
ZmVyLUVuY29kaW5nOiA3Yml0DQpTdWJqZWN0OiBzbWltZS1zaWduZWQtZW5jLWhw ZmVyLUVuY29kaW5nOiA3Yml0DQpTdWJqZWN0OiBzbWltZS1zaWduZWQtZW5jLWhw
LWJhc2VsaW5lDQpNZXNzYWdlLUlEOiA8c21pbWUtc2lnbmVkLWVuYy1ocC1iYXNl LWJhc2VsaW5lDQpNZXNzYWdlLUlEOiA8c21pbWUtc2lnbmVkLWVuYy1ocC1iYXNl
bGluZUBleGFtcGxlPg0KRnJvbTogQWxpY2UgPGFsaWNlQHNtaW1lLmV4YW1wbGU+ bGluZUBleGFtcGxlPg0KRnJvbTogQWxpY2UgPGFsaWNlQHNtaW1lLmV4YW1wbGU+
DQpUbzogQm9iIDxib2JAc21pbWUuZXhhbXBsZT4NCkRhdGU6IFNhdCwgMjAgRmVi DQpUbzogQm9iIDxib2JAc21pbWUuZXhhbXBsZT4NCkRhdGU6IFNhdCwgMjAgRmVi
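Review bot: The anchor on the "Decrypted" subsection, "smime-signed-and-encrypted-over-a-simple-message-header-protection-with-hcpbaseline-decrypted", reads as an automatic slug of the old title. It drops the underscore from hcp_baseline and does not follow the short naming of the sourcecode it contains (name="smime-signed-enc-hp-baseline.decrypted.eml"). Both columns carry it unchanged. Consider a short explicit anchor such as "smime-signed-enc-hp-baseline-decrypted", unless existing links depend on the long form.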
skipping to change at line 5220 skipping to change at line 5039
bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzdBBXntdX9C bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzdBBXntdX9C
qaJcOvT4as6aqdcwCwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3 qaJcOvT4as6aqdcwCwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3
DQEHATAcBgkqhkiG9w0BCQUxDxcNMjEwMjIwMTUwOTAyWjAvBgkqhkiG9w0BCQQx DQEHATAcBgkqhkiG9w0BCQUxDxcNMjEwMjIwMTUwOTAyWjAvBgkqhkiG9w0BCQQx
IgQgX3dswDsmGjwXzejaB+kh8kzNOiNjkHpEtBXbJ8gjT5UwDQYJKoZIhvcNAQEB IgQgX3dswDsmGjwXzejaB+kh8kzNOiNjkHpEtBXbJ8gjT5UwDQYJKoZIhvcNAQEB
BQAEggEASC6sf2ioO3Y7yVOzy/6sbjR6suLfigryPkvaOvuh1aHCP/I071/j3LYL BQAEggEASC6sf2ioO3Y7yVOzy/6sbjR6suLfigryPkvaOvuh1aHCP/I071/j3LYL
nER9aCGoEFXzxXzI1aiTjwlQp+Fg6qNz8avFRbSvecUpAsbihlRbbOSirvNwW6F4 nER9aCGoEFXzxXzI1aiTjwlQp+Fg6qNz8avFRbSvecUpAsbihlRbbOSirvNwW6F4
McP6cbA4UR6M52M4mE8buxvDtwf6caf8gwtx9XbZy9a/FSr1YqQoB9ebotZDadDy McP6cbA4UR6M52M4mE8buxvDtwf6caf8gwtx9XbZy9a/FSr1YqQoB9ebotZDadDy
sh0hjzMTjvHbq6DTPytem6Dy7rBP7F32Z1SHNC1Wc2MaW4NKejRxubh4kKpopRvk sh0hjzMTjvHbq6DTPytem6Dy7rBP7F32Z1SHNC1Wc2MaW4NKejRxubh4kKpopRvk
diHHADbm6WUwa3IsgU65HV7X/BkE4vQcYsWzYjqyA3WjpZZWlYus023kqug5sHX5 diHHADbm6WUwa3IsgU65HV7X/BkE4vQcYsWzYjqyA3WjpZZWlYus023kqug5sHX5
G5uhNtW6SURCQjN+d6PNa182OqCW3w== G5uhNtW6SURCQjN+d6PNa182OqCW3w==
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-over-a-simple-message-head
<section anchor="smime-signed-and-encrypted-over-a-simple-message-header-protect er-protection-with-hcpbaseline-decrypted-and-unwrapped">
ion-with-hcpbaseline-decrypted-and-unwrapped"><name>S/MIME Signed and Encrypted <name>S/MIME Signed and Encrypted over a Simple Message, Header Prot
Over a Simple Message, Header Protection With hcp_baseline, Decrypted and Unwrap ection with hcp_baseline, Decrypted and Unwrapped</name>
ped</name> <t>The inner signed-data layer unwraps to:</t>
<sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline
<t>The inner signed-data layer unwraps to:</t> .decrypted.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline.dec
rypted.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit
Subject: smime-signed-enc-hp-baseline Subject: smime-signed-enc-hp-baseline
Message-ID: <smime-signed-enc-hp-baseline@example> Message-ID: <smime-signed-enc-hp-baseline@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:09:02 -0500 Date: Sat, 20 Feb 2021 10:09:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...] HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-hp-baseline@example> HP-Outer: Message-ID: <smime-signed-enc-hp-baseline@example>
skipping to change at line 5256 skipping to change at line 5073
message. message.
This is a signed-and-encrypted S/MIME message using PKCS#7 This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData. The payload is a text/plain envelopedData around signedData. The payload is a text/plain
message. It uses the Header Protection scheme from the draft message. It uses the Header Protection scheme from the draft
with the hcp_baseline Header Confidentiality Policy. with the hcp_baseline Header Confidentiality Policy.
-- --
Alice Alice
alice@smime.example alice@smime.example
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-signed-enc-hp-baseline-legacy">
<section anchor="smime-signed-enc-hp-baseline-legacy"><name>S/MIME Signed and En <name>S/MIME Signed and Encrypted over a Simple Message, Header Protec
crypted Over a Simple Message, Header Protection With hcp_baseline (+ Legacy Dis tion with hcp_baseline (+ Legacy Display)</name>
play)</name> <t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
dData around signedData. The payload is a text/plain message. It uses the Heade
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou r Protection scheme from the draft with the hcp_baseline <iref item="Header Conf
nd signedData. The payload is a text/plain message. It uses the Header Protecti identiality Policy"/><xref target="header-confidentiality-policy" format="none">
on scheme from the draft with the hcp_baseline <iref item="Header Confidentialit Header Confidentiality Policy</xref> with a "Legacy Display" part.</t>
y Policy"/><xref target="header-confidentiality-policy" format="none">Header Con <t>It has the following structure:</t>
fidentiality Policy</xref> with a "Legacy Display" part.</t> <artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 8085 bytes └─╴application/pkcs7-mime [smime.p7m] 8085 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 4968 bytes └─╴application/pkcs7-mime [smime.p7m] 4968 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└─╴text/plain 414 bytes └─╴text/plain 414 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline-l
egacy.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline-leg
acy.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: [...] Subject: [...]
Message-ID: <smime-signed-enc-hp-baseline-legacy@example> Message-ID: <smime-signed-enc-hp-baseline-legacy@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:10:02 -0500 Date: Sat, 20 Feb 2021 10:10:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
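Review bot: The descriptive paragraph in the revised column still says "It uses the Header Protection scheme from the draft", wording that is stale once the text is no longer a draft. The same sentence inside the sourcecode body at the top of this region is part of the signed payload and has to stay byte-identical, but the surrounding paragraph is free prose and could say "from this document". If the paragraph is meant to mirror the message body word for word, an XML comment saying so would keep a later editor from changing one without the other.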
skipping to change at line 5412 skipping to change at line 5224
WhVik6d6oJaGviNjcZaw4C5kuZ5bKHUCiMLv05uAtQOOyPiddgfZXymBoKCjndge WhVik6d6oJaGviNjcZaw4C5kuZ5bKHUCiMLv05uAtQOOyPiddgfZXymBoKCjndge
MNRBo4MxXU9cYHzi0umhauiw9I3UG4HAKH75L+1DFf1wbbgu165dCSIo2wVTIgOt MNRBo4MxXU9cYHzi0umhauiw9I3UG4HAKH75L+1DFf1wbbgu165dCSIo2wVTIgOt
zr3Y03kTJJidclkYzP7o2d80EMGftQQ4uGyEtowWJbEn0yWhss35Vs3Fyy10mwGM zr3Y03kTJJidclkYzP7o2d80EMGftQQ4uGyEtowWJbEn0yWhss35Vs3Fyy10mwGM
pncS4Tc1dVGyddkDXyAZ1JvfFzsXnoX+38R5lI25aYHAbfij582/hv48FU1I3XoB pncS4Tc1dVGyddkDXyAZ1JvfFzsXnoX+38R5lI25aYHAbfij582/hv48FU1I3XoB
WXR/gIKr/hQ2cFLwHsiJlGRw6smfBGOzk/x4JhG7sCR2E0QmM9CYzmyhZAKXORaX WXR/gIKr/hQ2cFLwHsiJlGRw6smfBGOzk/x4JhG7sCR2E0QmM9CYzmyhZAKXORaX
Ur75d8x99mIJdEO4uu4avHvaRouG6D9tPJWYIRioVDTPD1AU6qirN32hOupGwcz7 Ur75d8x99mIJdEO4uu4avHvaRouG6D9tPJWYIRioVDTPD1AU6qirN32hOupGwcz7
t8q70Jbv/tDpcLmLNX5VxsQzUfjpsGGvuz/Eq77raPG/TByissRMTjUuFv4BxS0x t8q70Jbv/tDpcLmLNX5VxsQzUfjpsGGvuz/Eq77raPG/TByissRMTjUuFv4BxS0x
wh//p9l2sJA4FWCA+Sr5YLFublQqRF1C3Vv0h2YEEz+sFA44u4VMmcCrwGBoJob1 wh//p9l2sJA4FWCA+Sr5YLFublQqRF1C3Vv0h2YEEz+sFA44u4VMmcCrwGBoJob1
4we46RXwzH3K7gRV/1tv2QB9pK4G8KxsbHXNV5RwVJ6xXI6JRvIJru3/w4nRPnrA 4we46RXwzH3K7gRV/1tv2QB9pK4G8KxsbHXNV5RwVJ6xXI6JRvIJru3/w4nRPnrA
lRXXfx7senJDd2tXmXvYkA== lRXXfx7senJDd2tXmXvYkA==
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-over-a-simple-message-head
<section anchor="smime-signed-and-encrypted-over-a-simple-message-header-protect er-protection-with-hcpbaseline-legacy-display-decrypted">
ion-with-hcpbaseline-legacy-display-decrypted"><name>S/MIME Signed and Encrypted <name>S/MIME Signed and Encrypted over a Simple Message, Header Prot
Over a Simple Message, Header Protection With hcp_baseline (+ Legacy Display), ection with hcp_baseline (+ Legacy Display), Decrypted</name>
Decrypted</name> <t>The S/MIME enveloped-data layer unwraps to this signed-data part:
</t>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline
-legacy.decrypted.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline-leg
acy.decrypted.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIIOFwYJKoZIhvcNAQcCoIIOCDCCDgQCAQExDTALBglghkgBZQMEAgEwggRABgkq MIIOFwYJKoZIhvcNAQcCoIIOCDCCDgQCAQExDTALBglghkgBZQMEAgEwggRABgkq
hkiG9w0BBwGgggQxBIIELU1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVRyYW5z hkiG9w0BBwGgggQxBIIELU1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVRyYW5z
ZmVyLUVuY29kaW5nOiA3Yml0DQpTdWJqZWN0OiBzbWltZS1zaWduZWQtZW5jLWhw ZmVyLUVuY29kaW5nOiA3Yml0DQpTdWJqZWN0OiBzbWltZS1zaWduZWQtZW5jLWhw
LWJhc2VsaW5lLWxlZ2FjeQ0KTWVzc2FnZS1JRDogPHNtaW1lLXNpZ25lZC1lbmMt LWJhc2VsaW5lLWxlZ2FjeQ0KTWVzc2FnZS1JRDogPHNtaW1lLXNpZ25lZC1lbmMt
aHAtYmFzZWxpbmUtbGVnYWN5QGV4YW1wbGU+DQpGcm9tOiBBbGljZSA8YWxpY2VA aHAtYmFzZWxpbmUtbGVnYWN5QGV4YW1wbGU+DQpGcm9tOiBBbGljZSA8YWxpY2VA
c21pbWUuZXhhbXBsZT4NClRvOiBCb2IgPGJvYkBzbWltZS5leGFtcGxlPg0KRGF0 c21pbWUuZXhhbXBsZT4NClRvOiBCb2IgPGJvYkBzbWltZS5leGFtcGxlPg0KRGF0
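Review bot: In the right-hand column of this hunk, the paragraph under the retitled ", Decrypted" section still reads "The S/MIME enveloped-data layer unwraps to this signed-data part:", which disagrees with the structure diagrams on this page. Those label the enveloped-data step "(decrypts to)" and reserve "(unwraps to)" for the signed-data step. Suggest "decrypts to" in this sentence, so a reader mapping the prose onto the diagram does not confuse removing the encryption layer with removing the signature wrapper. The same sentence recurs under each ", Decrypted" subsection and should change with it.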
skipping to change at line 5499 skipping to change at line 5309
UlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhM3QQV57XV/QqmiXDr0+GrOmqnX UlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhM3QQV57XV/QqmiXDr0+GrOmqnX
MAsGCWCGSAFlAwQCAaBpMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZI MAsGCWCGSAFlAwQCAaBpMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZI
hvcNAQkFMQ8XDTIxMDIyMDE1MTAwMlowLwYJKoZIhvcNAQkEMSIEIBmb56ZODWgP hvcNAQkFMQ8XDTIxMDIyMDE1MTAwMlowLwYJKoZIhvcNAQkEMSIEIBmb56ZODWgP
A1SVa8da67RsNicfHZ2zJVUWYLTKrF07MA0GCSqGSIb3DQEBAQUABIIBAAou3+Ck A1SVa8da67RsNicfHZ2zJVUWYLTKrF07MA0GCSqGSIb3DQEBAQUABIIBAAou3+Ck
FB6wTfWUVq1ABIBF3AFS+wBR2+mDSQKXxlVCnt/cfY07qKDX2YsVkj1uXq3I1Ptw FB6wTfWUVq1ABIBF3AFS+wBR2+mDSQKXxlVCnt/cfY07qKDX2YsVkj1uXq3I1Ptw
6RHEtqtbY3iwAqB5pzgfcw7qZHDpRMMEwobNLzHBdSZwW+ljkQ3LvDAZao5c+Cmt 6RHEtqtbY3iwAqB5pzgfcw7qZHDpRMMEwobNLzHBdSZwW+ljkQ3LvDAZao5c+Cmt
gSUCdnQ9Kvzdkl+xgtJQnjGGGNBiiWDb7NkZhlHYesV7QKNHTP+qP+awE1ZMrOP3 gSUCdnQ9Kvzdkl+xgtJQnjGGGNBiiWDb7NkZhlHYesV7QKNHTP+qP+awE1ZMrOP3
qBgIS1UH9nSNSmOfyTprD8MWoUKPkzFI1YUyPByE/QKjdV245YvYuZjz0cqn4VvV qBgIS1UH9nSNSmOfyTprD8MWoUKPkzFI1YUyPByE/QKjdV245YvYuZjz0cqn4VvV
2Y6t9DI4EmJJhay+P4EJwiggTjH9mJeeXIHyKpyELVSC5KCaIghQpTHV/pIH+fNs 2Y6t9DI4EmJJhay+P4EJwiggTjH9mJeeXIHyKpyELVSC5KCaIghQpTHV/pIH+fNs
WxxyPU2C+RwECSI= WxxyPU2C+RwECSI=
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-over-a-simple-message-head
<section anchor="smime-signed-and-encrypted-over-a-simple-message-header-protect er-protection-with-hcpbaseline-legacy-display-decrypted-and-unwrapped">
ion-with-hcpbaseline-legacy-display-decrypted-and-unwrapped"><name>S/MIME Signed <name>S/MIME Signed and Encrypted over a Simple Message, Header Prot
and Encrypted Over a Simple Message, Header Protection With hcp_baseline (+ Leg ection with hcp_baseline (+ Legacy Display), Decrypted and Unwrapped</name>
acy Display), Decrypted and Unwrapped</name> <t>The inner signed-data layer unwraps to:</t>
<sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline
<t>The inner signed-data layer unwraps to:</t> -legacy.decrypted.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline-leg
acy.decrypted.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit
Subject: smime-signed-enc-hp-baseline-legacy Subject: smime-signed-enc-hp-baseline-legacy
Message-ID: <smime-signed-enc-hp-baseline-legacy@example> Message-ID: <smime-signed-enc-hp-baseline-legacy@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:10:02 -0500 Date: Sat, 20 Feb 2021 10:10:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...] HP-Outer: Subject: [...]
HP-Outer: HP-Outer:
skipping to change at line 5540 skipping to change at line 5348
This is a signed-and-encrypted S/MIME message using PKCS#7 This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData. The payload is a text/plain envelopedData around signedData. The payload is a text/plain
message. It uses the Header Protection scheme from the draft message. It uses the Header Protection scheme from the draft
with the hcp_baseline Header Confidentiality Policy with a with the hcp_baseline Header Confidentiality Policy with a
"Legacy Display" part. "Legacy Display" part.
-- --
Alice Alice
alice@smime.example alice@smime.example
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-signed-enc-hp-shy">
<section anchor="smime-signed-enc-hp-shy"><name>S/MIME Signed and Encrypted Over <name>S/MIME Signed and Encrypted over a Simple Message, Header Protec
a Simple Message, Header Protection With hcp_shy</name> tion with hcp_shy</name>
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou dData around signedData. The payload is a text/plain message. It uses the Heade
nd signedData. The payload is a text/plain message. It uses the Header Protecti r Protection scheme from the draft with the hcp_shy <iref item="Header Confident
on scheme from the draft with the hcp_shy <iref item="Header Confidentiality Pol iality Policy"/><xref target="header-confidentiality-policy" format="none">Heade
icy"/><xref target="header-confidentiality-policy" format="none">Header Confiden r Confidentiality Policy</xref>.</t>
tiality Policy</xref>.</t> <t>It has the following structure:</t>
<artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 7760 bytes └─╴application/pkcs7-mime [smime.p7m] 7760 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 4732 bytes └─╴application/pkcs7-mime [smime.p7m] 4732 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└─╴text/plain 319 bytes └─╴text/plain 319 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy.eml"><
![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy.eml"><![
CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: [...] Subject: [...]
Message-ID: <smime-signed-enc-hp-shy@example> Message-ID: <smime-signed-enc-hp-shy@example>
From: alice@smime.example From: alice@smime.example
To: bob@smime.example To: bob@smime.example
Date: Sat, 20 Feb 2021 15:12:02 +0000 Date: Sat, 20 Feb 2021 15:12:02 +0000
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
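Review bot: The `<t>` paragraph that introduces the hcp_shy example keeps "It uses the Header Protection scheme from the draft" unchanged in the right-hand column, although the section title beside it was re-edited in this hunk. In the `<t>` text, "the draft" has nothing to refer to; suggest "from this document" there. The identical sentence inside the CDATA message bodies should stay byte-for-byte, because it is the payload that the signed-data layer wraps and the diagram above states its size in bytes.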
skipping to change at line 5691 skipping to change at line 5494
lprC6izOj7CUE+UyPUBDn1nIqWRclShIyUIvkGkvsqCPRseMR/K0ObLk7PgHuq7G lprC6izOj7CUE+UyPUBDn1nIqWRclShIyUIvkGkvsqCPRseMR/K0ObLk7PgHuq7G
VfDTvOyeMGVjrJUPxsydbA9zF6GzTmT6PWNfsLlr4wX38CQkKQzG/8IEGvYQ6xWT VfDTvOyeMGVjrJUPxsydbA9zF6GzTmT6PWNfsLlr4wX38CQkKQzG/8IEGvYQ6xWT
kADeNyrFvVVE0diZgyCcybjTAI1LGj8n36DQBmfpYp1w6T/EyrznwS7PtRftaTm6 kADeNyrFvVVE0diZgyCcybjTAI1LGj8n36DQBmfpYp1w6T/EyrznwS7PtRftaTm6
bI3eXQqnO+I1HCR6+1gqcS70LK+bX+Cw0sNzLaUy66XVm7/CxYJrohRkNRxTGkHy bI3eXQqnO+I1HCR6+1gqcS70LK+bX+Cw0sNzLaUy66XVm7/CxYJrohRkNRxTGkHy
cqFFL/wBx1TK/jhARfxm4kWkW7Fsmo5t/ZRAv6jMAlYMjHdBF20HKMNDhZWtf/bC cqFFL/wBx1TK/jhARfxm4kWkW7Fsmo5t/ZRAv6jMAlYMjHdBF20HKMNDhZWtf/bC
mEV4/BERSfbHB60aM6ZXWUzBlf486ffAvxsQy5qGjQ/yJIwAMN84qHZvqoA3NwIs mEV4/BERSfbHB60aM6ZXWUzBlf486ffAvxsQy5qGjQ/yJIwAMN84qHZvqoA3NwIs
JThbTIFM0Xtux76AITxAYIhtB07ChxXrXC/owJ35oFve+sq1HQGh0fQIGTgTtv60 JThbTIFM0Xtux76AITxAYIhtB07ChxXrXC/owJ35oFve+sq1HQGh0fQIGTgTtv60
tq82T7KLO6ervK1UVL6oxHkt/xbr3c6wu4wd2Vh+Kk3xn3wp7ShpT6sopk4GCdBv tq82T7KLO6ervK1UVL6oxHkt/xbr3c6wu4wd2Vh+Kk3xn3wp7ShpT6sopk4GCdBv
mxxbUu50F7e7tlc/sxvCIU1ObwiF6WOJH+7RUJEGmWpvt7eGFZSo/h8oLjnxxvmK mxxbUu50F7e7tlc/sxvCIU1ObwiF6WOJH+7RUJEGmWpvt7eGFZSo/h8oLjnxxvmK
Qyus5nGIIWDZgKWYxxIGpQ== Qyus5nGIIWDZgKWYxxIGpQ==
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-over-a-simple-message-head
<section anchor="smime-signed-and-encrypted-over-a-simple-message-header-protect er-protection-with-hcpshy-decrypted">
ion-with-hcpshy-decrypted"><name>S/MIME Signed and Encrypted Over a Simple Messa <name>S/MIME Signed and Encrypted over a Simple Message, Header Prot
ge, Header Protection With hcp_shy, Decrypted</name> ection with hcp_shy, Decrypted</name>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> </t>
<sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy.decr
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy.decrypte ypted.eml"><![CDATA[
d.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIINawYJKoZIhvcNAQcCoIINXDCCDVgCAQExDTALBglghkgBZQMEAgEwggOUBgkq MIINawYJKoZIhvcNAQcCoIINXDCCDVgCAQExDTALBglghkgBZQMEAgEwggOUBgkq
hkiG9w0BBwGgggOFBIIDgU1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVRyYW5z hkiG9w0BBwGgggOFBIIDgU1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVRyYW5z
ZmVyLUVuY29kaW5nOiA3Yml0DQpTdWJqZWN0OiBzbWltZS1zaWduZWQtZW5jLWhw ZmVyLUVuY29kaW5nOiA3Yml0DQpTdWJqZWN0OiBzbWltZS1zaWduZWQtZW5jLWhw
LXNoeQ0KTWVzc2FnZS1JRDogPHNtaW1lLXNpZ25lZC1lbmMtaHAtc2h5QGV4YW1w LXNoeQ0KTWVzc2FnZS1JRDogPHNtaW1lLXNpZ25lZC1lbmMtaHAtc2h5QGV4YW1w
bGU+DQpGcm9tOiBBbGljZSA8YWxpY2VAc21pbWUuZXhhbXBsZT4NClRvOiBCb2Ig bGU+DQpGcm9tOiBBbGljZSA8YWxpY2VAc21pbWUuZXhhbXBsZT4NClRvOiBCb2Ig
PGJvYkBzbWltZS5leGFtcGxlPg0KRGF0ZTogU2F0LCAyMCBGZWIgMjAyMSAxMDox PGJvYkBzbWltZS5leGFtcGxlPg0KRGF0ZTogU2F0LCAyMCBGZWIgMjAyMSAxMDox
skipping to change at line 5774 skipping to change at line 5575
BgNVBAMTKFNhbXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkC BgNVBAMTKFNhbXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkC
EzdBBXntdX9CqaJcOvT4as6aqdcwCwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkD EzdBBXntdX9CqaJcOvT4as6aqdcwCwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkD
MQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjEwMjIwMTUxMjAyWjAvBgkq MQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjEwMjIwMTUxMjAyWjAvBgkq
hkiG9w0BCQQxIgQgL6N313auMszx5Byu+sPmUUoQvZ6glyBIgh0k1qycdmUwDQYJ hkiG9w0BCQQxIgQgL6N313auMszx5Byu+sPmUUoQvZ6glyBIgh0k1qycdmUwDQYJ
KoZIhvcNAQEBBQAEggEAmHzQqLkVTKl8TKMaeYFFuU9fLrHZbg3aZ5eP+Zt3OkIN KoZIhvcNAQEBBQAEggEAmHzQqLkVTKl8TKMaeYFFuU9fLrHZbg3aZ5eP+Zt3OkIN
ErSsCBXE2V0u7yCmxk/PdfkTzOoSI9PW/seA5dd/W6yrCVX7EhqWWQx1vA+s+jtx ErSsCBXE2V0u7yCmxk/PdfkTzOoSI9PW/seA5dd/W6yrCVX7EhqWWQx1vA+s+jtx
oZ+Fh5a1GO9W7XmcQBvpjJQL0hyt78UzZt+CL0K5E5oueKj9CxCBkuKlgzzvwtpX oZ+Fh5a1GO9W7XmcQBvpjJQL0hyt78UzZt+CL0K5E5oueKj9CxCBkuKlgzzvwtpX
CAK6iYUzwGRWkxqdBaClu1xi2OCEzu5mbpAUY8ra26hGGaExYIZRVbwNZ5uGjfCI CAK6iYUzwGRWkxqdBaClu1xi2OCEzu5mbpAUY8ra26hGGaExYIZRVbwNZ5uGjfCI
lsrsd5wFdxQbcWOF/M5QIjbed1Gz862IZxaOA/fRY126jdeJyG2VKdD/3XglLNx4 lsrsd5wFdxQbcWOF/M5QIjbed1Gz862IZxaOA/fRY126jdeJyG2VKdD/3XglLNx4
+6kU9F3BYb7itpwqnkY3MiKxLuofNQVx/ZQ1m9arww== +6kU9F3BYb7itpwqnkY3MiKxLuofNQVx/ZQ1m9arww==
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-over-a-simple-message-head
<section anchor="smime-signed-and-encrypted-over-a-simple-message-header-protect er-protection-with-hcpshy-decrypted-and-unwrapped">
ion-with-hcpshy-decrypted-and-unwrapped"><name>S/MIME Signed and Encrypted Over <name>S/MIME Signed and Encrypted over a Simple Message, Header Prot
a Simple Message, Header Protection With hcp_shy, Decrypted and Unwrapped</name> ection with hcp_shy, Decrypted and Unwrapped</name>
<t>The inner signed-data layer unwraps to:</t>
<t>The inner signed-data layer unwraps to:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy.decr
ypted.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy.decrypte
d.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit
Subject: smime-signed-enc-hp-shy Subject: smime-signed-enc-hp-shy
Message-ID: <smime-signed-enc-hp-shy@example> Message-ID: <smime-signed-enc-hp-shy@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:12:02 -0500 Date: Sat, 20 Feb 2021 10:12:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...] HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-hp-shy@example> HP-Outer: Message-ID: <smime-signed-enc-hp-shy@example>
skipping to change at line 5810 skipping to change at line 5609
message. message.
This is a signed-and-encrypted S/MIME message using PKCS#7 This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData. The payload is a text/plain envelopedData around signedData. The payload is a text/plain
message. It uses the Header Protection scheme from the draft message. It uses the Header Protection scheme from the draft
with the hcp_shy Header Confidentiality Policy. with the hcp_shy Header Confidentiality Policy.
-- --
Alice Alice
alice@smime.example alice@smime.example
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-signed-enc-hp-shy-legacy">
<section anchor="smime-signed-enc-hp-shy-legacy"><name>S/MIME Signed and Encrypt <name>S/MIME Signed and Encrypted over a Simple Message, Header Protec
ed Over a Simple Message, Header Protection With hcp_shy (+ Legacy Display)</nam tion with hcp_shy (+ Legacy Display)</name>
e> <t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
dData around signedData. The payload is a text/plain message. It uses the Heade
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou r Protection scheme from the draft with the hcp_shy <iref item="Header Confident
nd signedData. The payload is a text/plain message. It uses the Header Protecti iality Policy"/><xref target="header-confidentiality-policy" format="none">Heade
on scheme from the draft with the hcp_shy <iref item="Header Confidentiality Pol r Confidentiality Policy</xref> with a "Legacy Display" part.</t>
icy"/><xref target="header-confidentiality-policy" format="none">Header Confiden <t>It has the following structure:</t>
tiality Policy</xref> with a "Legacy Display" part.</t> <artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 8170 bytes └─╴application/pkcs7-mime [smime.p7m] 8170 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 5046 bytes └─╴application/pkcs7-mime [smime.p7m] 5046 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└─╴text/plain 502 bytes └─╴text/plain 502 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy-legacy
.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy-legacy.e
ml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: [...] Subject: [...]
Message-ID: <smime-signed-enc-hp-shy-legacy@example> Message-ID: <smime-signed-enc-hp-shy-legacy@example>
From: alice@smime.example From: alice@smime.example
To: bob@smime.example To: bob@smime.example
Date: Sat, 20 Feb 2021 15:13:02 +0000 Date: Sat, 20 Feb 2021 15:13:02 +0000
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
skipping to change at line 5967 skipping to change at line 5761
HQHjNSzIa8APRIxE5jVMvzOfyvc6KtPLLgbOmvLmgyDC9rUVAuceVO9oyLS1MsCV HQHjNSzIa8APRIxE5jVMvzOfyvc6KtPLLgbOmvLmgyDC9rUVAuceVO9oyLS1MsCV
g3j4RmMIswPdagpYELQcwuek5e5ffD5bidL2Xn5BOXkMK7N2S1lXlmWn215NZG55 g3j4RmMIswPdagpYELQcwuek5e5ffD5bidL2Xn5BOXkMK7N2S1lXlmWn215NZG55
PoIAeXjgNDjdMmCXSt/frUvTsFOPtcCA2JAcI/e2dsyAF3iIRvPpDPRfUsvEzSQe PoIAeXjgNDjdMmCXSt/frUvTsFOPtcCA2JAcI/e2dsyAF3iIRvPpDPRfUsvEzSQe
gB6OEFYkDOqcG7Lk9Hx5d78ZpJst+XViQAIDlgLHBpPuwkIvh9OOdeP/XKLH/1lJ gB6OEFYkDOqcG7Lk9Hx5d78ZpJst+XViQAIDlgLHBpPuwkIvh9OOdeP/XKLH/1lJ
yOQ9mQCfuTx6rBtj2216o2L92OKFI27F/Ns4Lcir5VX0/6hrNe4/BlkAnexKnOgs yOQ9mQCfuTx6rBtj2216o2L92OKFI27F/Ns4Lcir5VX0/6hrNe4/BlkAnexKnOgs
Ok3hIuQnB6C9Z2vtWt1P0lnsemX+AhIJPtgRs6aGhMUnIwtvb8aZwFsS8WvaA6PG Ok3hIuQnB6C9Z2vtWt1P0lnsemX+AhIJPtgRs6aGhMUnIwtvb8aZwFsS8WvaA6PG
uLKBUfuv5V+mjt5vNNlnkaaF9bMGQVk9NmK6mgkqmjmoaXP+8MbKHJ7cf2Kt1Bpc uLKBUfuv5V+mjt5vNNlnkaaF9bMGQVk9NmK6mgkqmjmoaXP+8MbKHJ7cf2Kt1Bpc
PJ8uPBQ302Qv3PjpFk/YYdi3tmmvaxbOlDkNCJ87xjN7Tlgd5jmBZRCDzxDBmbOs PJ8uPBQ302Qv3PjpFk/YYdi3tmmvaxbOlDkNCJ87xjN7Tlgd5jmBZRCDzxDBmbOs
1USxLB1yDN/k4soKAKL/Ze6rVusjC+GJ02TcWFQkS5eQjxoHNKIkU4fMDggw1vzJ 1USxLB1yDN/k4soKAKL/Ze6rVusjC+GJ02TcWFQkS5eQjxoHNKIkU4fMDggw1vzJ
m5kyP5p5DST0+cko42Ae0yjn05T75MdYP0/l/I8YBes= m5kyP5p5DST0+cko42Ae0yjn05T75MdYP0/l/I8YBes=
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-over-a-simple-message-head
<section anchor="smime-signed-and-encrypted-over-a-simple-message-header-protect er-protection-with-hcpshy-legacy-display-decrypted">
ion-with-hcpshy-legacy-display-decrypted"><name>S/MIME Signed and Encrypted Over <name>S/MIME Signed and Encrypted over a Simple Message, Header Prot
a Simple Message, Header Protection With hcp_shy (+ Legacy Display), Decrypted< ection with hcp_shy (+ Legacy Display), Decrypted</name>
/name> <t>The S/MIME enveloped-data layer unwraps to this signed-data part:
</t>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy-lega
cy.decrypted.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy-legacy.d
ecrypted.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIIOUAYJKoZIhvcNAQcCoIIOQTCCDj0CAQExDTALBglghkgBZQMEAgEwggR5Bgkq MIIOUAYJKoZIhvcNAQcCoIIOQTCCDj0CAQExDTALBglghkgBZQMEAgEwggR5Bgkq
hkiG9w0BBwGgggRqBIIEZk1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVRyYW5z hkiG9w0BBwGgggRqBIIEZk1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVRyYW5z
ZmVyLUVuY29kaW5nOiA3Yml0DQpTdWJqZWN0OiBzbWltZS1zaWduZWQtZW5jLWhw ZmVyLUVuY29kaW5nOiA3Yml0DQpTdWJqZWN0OiBzbWltZS1zaWduZWQtZW5jLWhw
LXNoeS1sZWdhY3kNCk1lc3NhZ2UtSUQ6IDxzbWltZS1zaWduZWQtZW5jLWhwLXNo LXNoeS1sZWdhY3kNCk1lc3NhZ2UtSUQ6IDxzbWltZS1zaWduZWQtZW5jLWhwLXNo
eS1sZWdhY3lAZXhhbXBsZT4NCkZyb206IEFsaWNlIDxhbGljZUBzbWltZS5leGFt eS1sZWdhY3lAZXhhbXBsZT4NCkZyb206IEFsaWNlIDxhbGljZUBzbWltZS5leGFt
cGxlPg0KVG86IEJvYiA8Ym9iQHNtaW1lLmV4YW1wbGU+DQpEYXRlOiBTYXQsIDIw cGxlPg0KVG86IEJvYiA8Ym9iQHNtaW1lLmV4YW1wbGU+DQpEYXRlOiBTYXQsIDIw
skipping to change at line 6055 skipping to change at line 5847
bGUgTEFNUFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhM3QQV57XV/Qqmi bGUgTEFNUFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhM3QQV57XV/Qqmi
XDr0+GrOmqnXMAsGCWCGSAFlAwQCAaBpMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0B XDr0+GrOmqnXMAsGCWCGSAFlAwQCAaBpMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0B
BwEwHAYJKoZIhvcNAQkFMQ8XDTIxMDIyMDE1MTMwMlowLwYJKoZIhvcNAQkEMSIE BwEwHAYJKoZIhvcNAQkFMQ8XDTIxMDIyMDE1MTMwMlowLwYJKoZIhvcNAQkEMSIE
INdmPheiziYcbAwKeKaDpmuOQFmVMdAqPn4+xeOFjp3NMA0GCSqGSIb3DQEBAQUA INdmPheiziYcbAwKeKaDpmuOQFmVMdAqPn4+xeOFjp3NMA0GCSqGSIb3DQEBAQUA
BIIBAD0aQzYiNU8AycDkBbQVbuAjHzerZmO27QlIZ47Cw9QfNcJ3w40RJAohR487 BIIBAD0aQzYiNU8AycDkBbQVbuAjHzerZmO27QlIZ47Cw9QfNcJ3w40RJAohR487
1NpkFskR79WY6aHuiLxClWV0Jw/iuieAFfBZ8Z9t2hOt+F93M+9v1eoLzrgA7YZG 1NpkFskR79WY6aHuiLxClWV0Jw/iuieAFfBZ8Z9t2hOt+F93M+9v1eoLzrgA7YZG
itp6r5zToKCdwNOc2futk/+dutbrTqYlFI8nnjLNqegBiGMMzVfateMc2fVnIVN+ itp6r5zToKCdwNOc2futk/+dutbrTqYlFI8nnjLNqegBiGMMzVfateMc2fVnIVN+
7/4fyA8ASzseEis/HQTN7sEjw0pUCvU4JvQy2klVYsaTZO4bdKXW86DHEWjoiweF 7/4fyA8ASzseEis/HQTN7sEjw0pUCvU4JvQy2klVYsaTZO4bdKXW86DHEWjoiweF
liiKSueA3WB1jeJRse2/g33dL+5++UUtQLY3kdknM78705WOaFg03V57abGCp2r+ liiKSueA3WB1jeJRse2/g33dL+5++UUtQLY3kdknM78705WOaFg03V57abGCp2r+
bgcHQNhfe0MXoJHKqYrnG++22tA= bgcHQNhfe0MXoJHKqYrnG++22tA=
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-over-a-simple-message-head
<section anchor="smime-signed-and-encrypted-over-a-simple-message-header-protect er-protection-with-hcpshy-legacy-display-decrypted-and-unwrapped">
ion-with-hcpshy-legacy-display-decrypted-and-unwrapped"><name>S/MIME Signed and <name>S/MIME Signed and Encrypted over a Simple Message, Header Prot
Encrypted Over a Simple Message, Header Protection With hcp_shy (+ Legacy Displa ection with hcp_shy (+ Legacy Display), Decrypted and Unwrapped</name>
y), Decrypted and Unwrapped</name> <t>The inner signed-data layer unwraps to:</t>
<sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy-lega
<t>The inner signed-data layer unwraps to:</t> cy.decrypted.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy-legacy.d
ecrypted.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit
Subject: smime-signed-enc-hp-shy-legacy Subject: smime-signed-enc-hp-shy-legacy
Message-ID: <smime-signed-enc-hp-shy-legacy@example> Message-ID: <smime-signed-enc-hp-shy-legacy@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:13:02 -0500 Date: Sat, 20 Feb 2021 10:13:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...] HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-hp-shy-legacy@example> HP-Outer: Message-ID: <smime-signed-enc-hp-shy-legacy@example>
skipping to change at line 6098 skipping to change at line 5888
This is a signed-and-encrypted S/MIME message using PKCS#7 This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData. The payload is a text/plain envelopedData around signedData. The payload is a text/plain
message. It uses the Header Protection scheme from the draft message. It uses the Header Protection scheme from the draft
with the hcp_shy Header Confidentiality Policy with a "Legacy with the hcp_shy Header Confidentiality Policy with a "Legacy
Display" part. Display" part.
-- --
Alice Alice
alice@smime.example alice@smime.example
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-signed-enc-hp-baseline-reply">
<section anchor="smime-signed-enc-hp-baseline-reply"><name>S/MIME Signed and Enc <name>S/MIME Signed-and-Encrypted Reply over a Simple Message, Header
rypted Reply Over a Simple Message, Header Protection With hcp_baseline</name> Protection with hcp_baseline</name>
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou dData around signedData. The payload is a text/plain message. It uses the Heade
nd signedData. The payload is a text/plain message. It uses the Header Protecti r Protection scheme from the draft with the hcp_baseline <iref item="Header Conf
on scheme from the draft with the hcp_baseline <iref item="Header Confidentialit identiality Policy"/><xref target="header-confidentiality-policy" format="none">
y Policy"/><xref target="header-confidentiality-policy" format="none">Header Con Header Confidentiality Policy</xref>.</t>
fidentiality Policy</xref>.</t> <t>It has the following structure:</t>
<artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 8300 bytes └─╴application/pkcs7-mime [smime.p7m] 8300 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 5136 bytes └─╴application/pkcs7-mime [smime.p7m] 5136 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└─╴text/plain 335 bytes └─╴text/plain 335 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline-r
eply.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline-rep
ly.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: [...] Subject: [...]
Message-ID: <smime-signed-enc-hp-baseline-reply@example> Message-ID: <smime-signed-enc-hp-baseline-reply@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:15:02 -0500 Date: Sat, 20 Feb 2021 10:15:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-hp-baseline@example> In-Reply-To: <smime-signed-enc-hp-baseline@example>
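Review bot: The new `<name>` for anchor smime-signed-enc-hp-baseline-reply becomes "S/MIME Signed-and-Encrypted Reply over a Simple Message, ...", while the sibling sections retitled elsewhere in this diff (smime-signed-enc-hp-shy, smime-signed-enc-hp-shy-legacy) keep the unhyphenated "S/MIME Signed and Encrypted over a Simple Message, ...". Pick one form for the whole family of test-vector titles, or confirm the hyphenation is intended only where the phrase modifies "Reply". The anchors are unchanged, so existing cross-references are unaffected either way.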
skipping to change at line 6259 skipping to change at line 6044
BAhaHwg47t/5F7I1m7CpkdlXuI+ByZiYaCtAZbkYElVYPpNLzvFmblwqA7UjPrL5 BAhaHwg47t/5F7I1m7CpkdlXuI+ByZiYaCtAZbkYElVYPpNLzvFmblwqA7UjPrL5
RzA9qsqEXuJBLqP13d0iciEa3AexWFU9om+lDNHc8bIoZfxk3wW4BITDoM7CwO9k RzA9qsqEXuJBLqP13d0iciEa3AexWFU9om+lDNHc8bIoZfxk3wW4BITDoM7CwO9k
M3mPHTwIU0zwauzqgWkBS7XNWGuFdyphRf8Oos9nlDfZr5hnQsRDKwusMxQQMpyK M3mPHTwIU0zwauzqgWkBS7XNWGuFdyphRf8Oos9nlDfZr5hnQsRDKwusMxQQMpyK
aamXq/Yhcr2flUZ9hffQwVffGlLT/4h4WhKrDcYlO4XwY85AOB+9MouvPIgUt5Pa aamXq/Yhcr2flUZ9hffQwVffGlLT/4h4WhKrDcYlO4XwY85AOB+9MouvPIgUt5Pa
fyWG4tqcFy5DSKTiGpoO4Y5N51tQqnO0X6j8fd4DuI/WkMfib+84Os+ZnfQ4BM+b fyWG4tqcFy5DSKTiGpoO4Y5N51tQqnO0X6j8fd4DuI/WkMfib+84Os+ZnfQ4BM+b
AnGWAqHzU2mwg1vSR1nBoLNERKLnsTUM8OX0qkhqo4hxCjdh+Dc7gqbCNVtUfBbe AnGWAqHzU2mwg1vSR1nBoLNERKLnsTUM8OX0qkhqo4hxCjdh+Dc7gqbCNVtUfBbe
fqdfr1EdJoe+GEdrT8J3NVl1AYzS3t3zTQdQ5yNzrP0kVyOUIbiyd5MpNBxLquLS fqdfr1EdJoe+GEdrT8J3NVl1AYzS3t3zTQdQ5yNzrP0kVyOUIbiyd5MpNBxLquLS
TwpOTnEcj+46IC6cXcIeVmTWtEmnGvGcQHdw95waGV0BrpAyPjyEfZ48ubfY7i6x TwpOTnEcj+46IC6cXcIeVmTWtEmnGvGcQHdw95waGV0BrpAyPjyEfZ48ubfY7i6x
eSC4YX5vzM0DEfkz8tXrEkA0PHbOvuEJgJE0iX52fYc4vnMquiEY4GDIc7WRJ62H eSC4YX5vzM0DEfkz8tXrEkA0PHbOvuEJgJE0iX52fYc4vnMquiEY4GDIc7WRJ62H
j4nVpvjAa34DWgZ+RgQCXF95kSztyoSAL3Jnq1fQOZ8= j4nVpvjAa34DWgZ+RgQCXF95kSztyoSAL3Jnq1fQOZ8=
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-reply-over-a-simple-messag
<section anchor="smime-signed-and-encrypted-reply-over-a-simple-message-header-p e-header-protection-with-hcpbaseline-decrypted">
rotection-with-hcpbaseline-decrypted"><name>S/MIME Signed and Encrypted Reply Ov <name>S/MIME Signed-and-Encrypted Reply over a Simple Message, Heade
er a Simple Message, Header Protection With hcp_baseline, Decrypted</name> r Protection with hcp_baseline, Decrypted</name>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> </t>
<sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline-rep -reply.decrypted.eml"><![CDATA[
ly.decrypted.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIIOkgYJKoZIhvcNAQcCoIIOgzCCDn8CAQExDTALBglghkgBZQMEAgEwggS7Bgkq MIIOkgYJKoZIhvcNAQcCoIIOgzCCDn8CAQExDTALBglghkgBZQMEAgEwggS7Bgkq
hkiG9w0BBwGgggSsBIIEqE1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVRyYW5z hkiG9w0BBwGgggSsBIIEqE1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVRyYW5z
ZmVyLUVuY29kaW5nOiA3Yml0DQpTdWJqZWN0OiBzbWltZS1zaWduZWQtZW5jLWhw ZmVyLUVuY29kaW5nOiA3Yml0DQpTdWJqZWN0OiBzbWltZS1zaWduZWQtZW5jLWhw
LWJhc2VsaW5lLXJlcGx5DQpNZXNzYWdlLUlEOiA8c21pbWUtc2lnbmVkLWVuYy1o LWJhc2VsaW5lLXJlcGx5DQpNZXNzYWdlLUlEOiA8c21pbWUtc2lnbmVkLWVuYy1o
cC1iYXNlbGluZS1yZXBseUBleGFtcGxlPg0KRnJvbTogQWxpY2UgPGFsaWNlQHNt cC1iYXNlbGluZS1yZXBseUBleGFtcGxlPg0KRnJvbTogQWxpY2UgPGFsaWNlQHNt
aW1lLmV4YW1wbGU+DQpUbzogQm9iIDxib2JAc21pbWUuZXhhbXBsZT4NCkRhdGU6 aW1lLmV4YW1wbGU+DQpUbzogQm9iIDxib2JAc21pbWUuZXhhbXBsZT4NCkRhdGU6
skipping to change at line 6348 skipping to change at line 6131
IFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFNUFMgUlNBIENlcnRpZmljYXRpb24gQXV0 IFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFNUFMgUlNBIENlcnRpZmljYXRpb24gQXV0
aG9yaXR5AhM3QQV57XV/QqmiXDr0+GrOmqnXMAsGCWCGSAFlAwQCAaBpMBgGCSqG aG9yaXR5AhM3QQV57XV/QqmiXDr0+GrOmqnXMAsGCWCGSAFlAwQCAaBpMBgGCSqG
SIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIxMDIyMDE1MTUw SIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIxMDIyMDE1MTUw
MlowLwYJKoZIhvcNAQkEMSIEIKHPvLfnw9dsDhrKZlaFW3+cbW6ewBQ6mkp22q7y MlowLwYJKoZIhvcNAQkEMSIEIKHPvLfnw9dsDhrKZlaFW3+cbW6ewBQ6mkp22q7y
BhI9MA0GCSqGSIb3DQEBAQUABIIBAH3cRn5LOa7nqW8Z/czFCRpkU6j2e8xqaw7/ BhI9MA0GCSqGSIb3DQEBAQUABIIBAH3cRn5LOa7nqW8Z/czFCRpkU6j2e8xqaw7/
eCh6GvC4emq/eAgKhqpbhw+QwEOYZCMmTe7GFb/eSl82QjB+zYaR+pGgVhBH57Zp eCh6GvC4emq/eAgKhqpbhw+QwEOYZCMmTe7GFb/eSl82QjB+zYaR+pGgVhBH57Zp
IOtobnzbOEsgzmUKakI2iaAuQBtOxMPqDRTRjMPLMhc6ddIRBqNeDpC3hm+sOXrj IOtobnzbOEsgzmUKakI2iaAuQBtOxMPqDRTRjMPLMhc6ddIRBqNeDpC3hm+sOXrj
r8rQAMDBJTck7psP72DTyDWDeVPw7BRMSnxz7FwSbW1CXFeiJ6mWhZ0Va1YgDpJK r8rQAMDBJTck7psP72DTyDWDeVPw7BRMSnxz7FwSbW1CXFeiJ6mWhZ0Va1YgDpJK
Ic2uW2Tq/ob8jTjnPrVIQhq0ZxKOiWsHTMfzxRnH3xyYt/c/huuoDtcf9P3j9GWa Ic2uW2Tq/ob8jTjnPrVIQhq0ZxKOiWsHTMfzxRnH3xyYt/c/huuoDtcf9P3j9GWa
a23tU+PDSpfcpG5MJPe9DBzExWII7Z50Om8g6tZETD0+pOjNTAg= a23tU+PDSpfcpG5MJPe9DBzExWII7Z50Om8g6tZETD0+pOjNTAg=
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-reply-over-a-simple-messag
<section anchor="smime-signed-and-encrypted-reply-over-a-simple-message-header-p e-header-protection-with-hcpbaseline-decrypted-and-unwrapped">
rotection-with-hcpbaseline-decrypted-and-unwrapped"><name>S/MIME Signed and Encr <name>S/MIME Signed-and-Encrypted Reply over a Simple Message, Heade
ypted Reply Over a Simple Message, Header Protection With hcp_baseline, Decrypte r Protection with hcp_baseline, Decrypted and Unwrapped</name>
d and Unwrapped</name> <t>The inner signed-data layer unwraps to:</t>
<sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline
<t>The inner signed-data layer unwraps to:</t> -reply.decrypted.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline-rep
ly.decrypted.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit
Subject: smime-signed-enc-hp-baseline-reply Subject: smime-signed-enc-hp-baseline-reply
Message-ID: <smime-signed-enc-hp-baseline-reply@example> Message-ID: <smime-signed-enc-hp-baseline-reply@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:15:02 -0500 Date: Sat, 20 Feb 2021 10:15:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-hp-baseline@example> In-Reply-To: <smime-signed-enc-hp-baseline@example>
References: <smime-signed-enc-hp-baseline@example> References: <smime-signed-enc-hp-baseline@example>
skipping to change at line 6389 skipping to change at line 6170
message. message.
This is a signed-and-encrypted S/MIME message using PKCS#7 This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData. The payload is a text/plain envelopedData around signedData. The payload is a text/plain
message. It uses the Header Protection scheme from the draft message. It uses the Header Protection scheme from the draft
with the hcp_baseline Header Confidentiality Policy. with the hcp_baseline Header Confidentiality Policy.
-- --
Alice Alice
alice@smime.example alice@smime.example
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-signed-enc-hp-baseline-legacy-reply">
<section anchor="smime-signed-enc-hp-baseline-legacy-reply"><name>S/MIME Signed <name>S/MIME Signed-and-Encrypted Reply over a Simple Message, Header
and Encrypted Reply Over a Simple Message, Header Protection With hcp_baseline ( Protection with hcp_baseline (+ Legacy Display)</name>
+ Legacy Display)</name> <t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
dData around signedData. The payload is a text/plain message. It uses the Heade
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou r Protection scheme from the draft with the hcp_baseline <iref item="Header Conf
nd signedData. The payload is a text/plain message. It uses the Header Protecti identiality Policy"/><xref target="header-confidentiality-policy" format="none">
on scheme from the draft with the hcp_baseline <iref item="Header Confidentialit Header Confidentiality Policy</xref> with a "Legacy Display" part.</t>
y Policy"/><xref target="header-confidentiality-policy" format="none">Header Con <t>It has the following structure:</t>
fidentiality Policy</xref> with a "Legacy Display" part.</t> <artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 8625 bytes └─╴application/pkcs7-mime [smime.p7m] 8625 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 5368 bytes └─╴application/pkcs7-mime [smime.p7m] 5368 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└─╴text/plain 426 bytes └─╴text/plain 426 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline-l
egacy-reply.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline-leg
acy-reply.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: [...] Subject: [...]
Message-ID: <smime-signed-enc-hp-baseline-legacy-reply@example> Message-ID: <smime-signed-enc-hp-baseline-legacy-reply@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:16:02 -0500 Date: Sat, 20 Feb 2021 10:16:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-hp-baseline-legacy@example> In-Reply-To: <smime-signed-enc-hp-baseline-legacy@example>
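Review bot: The descriptive paragraph on the new side, in the section anchored smime-signed-enc-hp-baseline-legacy-reply, still reads "It uses the Header Protection scheme from the draft", which is stale wording once the document is published as an RFC. The same phrase inside the sample message body has to stay, because it is part of the signed payload. The surrounding `<t>` prose is not signed and could say "from this document" instead. If the wording is kept on purpose so that the prose mirrors the message body, a short remark to that effect would help readers.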
skipping to change at line 6555 skipping to change at line 6331
1Q8k6PKznMicR0M8cummltrtNcwk13470zy0VCisjIq4j7YLfSkUH2Wo+3WgHdpN 1Q8k6PKznMicR0M8cummltrtNcwk13470zy0VCisjIq4j7YLfSkUH2Wo+3WgHdpN
wUAsTXpE2HR9Amg17uOU7qBqBkCC4nbArddaw9d/Jv6IxfsGx5kyDK1X8Nkalqvh wUAsTXpE2HR9Amg17uOU7qBqBkCC4nbArddaw9d/Jv6IxfsGx5kyDK1X8Nkalqvh
wT59cOw3GXzOeS3eIfvu5RO9o+d2mfRH+77sRkvPIXOkM/bDwZH3cPtT+YEveqOK wT59cOw3GXzOeS3eIfvu5RO9o+d2mfRH+77sRkvPIXOkM/bDwZH3cPtT+YEveqOK
8RJTDQeLMqSX7lo1+VC+975x2Wsv1z1LBpWiw68tXLj4De9Pp8O5BXnfBS80vJFY 8RJTDQeLMqSX7lo1+VC+975x2Wsv1z1LBpWiw68tXLj4De9Pp8O5BXnfBS80vJFY
JMBtAg6MIVIQyblv+QxnYX09CGCxjqjka1PehmYpafcP10OUfU5tSqJb4kB7MyUj JMBtAg6MIVIQyblv+QxnYX09CGCxjqjka1PehmYpafcP10OUfU5tSqJb4kB7MyUj
NRn6yYcJXJBAt1lMRGlLDkUTN/mswR5Bzy4NnzThZb62sUZ23xwKJVOoApexfBVK NRn6yYcJXJBAt1lMRGlLDkUTN/mswR5Bzy4NnzThZb62sUZ23xwKJVOoApexfBVK
rJRaeuUaDx1upyGfMEVuIlmCT1aYIXBb3f/W2zK5219f2dbAFU0goYTKJoohBzGL rJRaeuUaDx1upyGfMEVuIlmCT1aYIXBb3f/W2zK5219f2dbAFU0goYTKJoohBzGL
tJ3/dO5jLgje9H1AgZS22UVUI+FQo8uG8ApPJgts3AW91fjohjzzYCp7T/zR7x4h tJ3/dO5jLgje9H1AgZS22UVUI+FQo8uG8ApPJgts3AW91fjohjzzYCp7T/zR7x4h
UERWGfMG2fHYje5/QuyobVCKt8QfG2DhvSIMDPBY7KHO7bXJdEmUwb/aSeggmDCp UERWGfMG2fHYje5/QuyobVCKt8QfG2DhvSIMDPBY7KHO7bXJdEmUwb/aSeggmDCp
LHK2foRU983nLGdDrp2q4TWCoMGVSmOwBasUjVHiUA8= LHK2foRU983nLGdDrp2q4TWCoMGVSmOwBasUjVHiUA8=
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-reply-over-a-simple-messag
<section anchor="smime-signed-and-encrypted-reply-over-a-simple-message-header-p e-header-protection-with-hcpbaseline-legacy-display-decrypted">
rotection-with-hcpbaseline-legacy-display-decrypted"><name>S/MIME Signed and Enc <name>S/MIME Signed-and-Encrypted Reply over a Simple Message, Heade
rypted Reply Over a Simple Message, Header Protection With hcp_baseline (+ Legac r Protection with hcp_baseline (+ Legacy Display), Decrypted</name>
y Display), Decrypted</name> <t>The S/MIME enveloped-data layer unwraps to this signed-data part:
</t>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline
-legacy-reply.decrypted.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline-leg
acy-reply.decrypted.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIIPOwYJKoZIhvcNAQcCoIIPLDCCDygCAQExDTALBglghkgBZQMEAgEwggVkBgkq MIIPOwYJKoZIhvcNAQcCoIIPLDCCDygCAQExDTALBglghkgBZQMEAgEwggVkBgkq
hkiG9w0BBwGgggVVBIIFUU1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVRyYW5z hkiG9w0BBwGgggVVBIIFUU1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVRyYW5z
ZmVyLUVuY29kaW5nOiA3Yml0DQpTdWJqZWN0OiBzbWltZS1zaWduZWQtZW5jLWhw ZmVyLUVuY29kaW5nOiA3Yml0DQpTdWJqZWN0OiBzbWltZS1zaWduZWQtZW5jLWhw
LWJhc2VsaW5lLWxlZ2FjeS1yZXBseQ0KTWVzc2FnZS1JRDogPHNtaW1lLXNpZ25l LWJhc2VsaW5lLWxlZ2FjeS1yZXBseQ0KTWVzc2FnZS1JRDogPHNtaW1lLXNpZ25l
ZC1lbmMtaHAtYmFzZWxpbmUtbGVnYWN5LXJlcGx5QGV4YW1wbGU+DQpGcm9tOiBB ZC1lbmMtaHAtYmFzZWxpbmUtbGVnYWN5LXJlcGx5QGV4YW1wbGU+DQpGcm9tOiBB
bGljZSA8YWxpY2VAc21pbWUuZXhhbXBsZT4NClRvOiBCb2IgPGJvYkBzbWltZS5l bGljZSA8YWxpY2VAc21pbWUuZXhhbXBsZT4NClRvOiBCb2IgPGJvYkBzbWltZS5l
skipping to change at line 6648 skipping to change at line 6422
TVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQITN0EFee11f0Kpolw69Phq TVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQITN0EFee11f0Kpolw69Phq
zpqp1zALBglghkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwG zpqp1zALBglghkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwG
CSqGSIb3DQEJBTEPFw0yMTAyMjAxNTE2MDJaMC8GCSqGSIb3DQEJBDEiBCDlm+B5 CSqGSIb3DQEJBTEPFw0yMTAyMjAxNTE2MDJaMC8GCSqGSIb3DQEJBDEiBCDlm+B5
0QBs78N2wRl0kf1Exib4redr1foUWvF3vmcyCTANBgkqhkiG9w0BAQEFAASCAQBc 0QBs78N2wRl0kf1Exib4redr1foUWvF3vmcyCTANBgkqhkiG9w0BAQEFAASCAQBc
m0fLRAACOYr8JymCYS4CYBWzMuTqh1DOat4MTroQLeNXvV8NijRWYdbHFcL1hrdy m0fLRAACOYr8JymCYS4CYBWzMuTqh1DOat4MTroQLeNXvV8NijRWYdbHFcL1hrdy
uLBoqHTkv29eG3Lp5+Ah+uYLcPeamzoxWgfiLgPBaFSQU8ZyxPqVRj2xLq2EqG16 uLBoqHTkv29eG3Lp5+Ah+uYLcPeamzoxWgfiLgPBaFSQU8ZyxPqVRj2xLq2EqG16
IW5DfieHgVN0bv9P+gmRdKdzG8+hiZcZXBm2aJtN8oifP/ahgTzePiBiHK4Qvecy IW5DfieHgVN0bv9P+gmRdKdzG8+hiZcZXBm2aJtN8oifP/ahgTzePiBiHK4Qvecy
q+Cr1gFwVlT+1t/2MO1tGqif6R14NCmUaHzeOvzEpJs1HlE8W7yUjBdrS3my9KW1 q+Cr1gFwVlT+1t/2MO1tGqif6R14NCmUaHzeOvzEpJs1HlE8W7yUjBdrS3my9KW1
fAv+chp5rIXeSrZGTg7ZhNLcq/uq1H9IpgnYvRXN/f6WhggdVUZ5BJwPqbNcCJFl fAv+chp5rIXeSrZGTg7ZhNLcq/uq1H9IpgnYvRXN/f6WhggdVUZ5BJwPqbNcCJFl
zAP8CJk3IK1fzZulSebk zAP8CJk3IK1fzZulSebk
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-reply-over-a-simple-messag
<section anchor="smime-signed-and-encrypted-reply-over-a-simple-message-header-p e-header-protection-with-hcpbaseline-legacy-display-decrypted-and-unwrapped">
rotection-with-hcpbaseline-legacy-display-decrypted-and-unwrapped"><name>S/MIME <name>S/MIME Signed-and-Encrypted Reply over a Simple Message, Heade
Signed and Encrypted Reply Over a Simple Message, Header Protection With hcp_bas r Protection with hcp_baseline (+ Legacy Display), Decrypted and Unwrapped</name
eline (+ Legacy Display), Decrypted and Unwrapped</name> >
<t>The inner signed-data layer unwraps to:</t>
<t>The inner signed-data layer unwraps to:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline
-legacy-reply.decrypted.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-baseline-leg
acy-reply.decrypted.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit
Subject: smime-signed-enc-hp-baseline-legacy-reply Subject: smime-signed-enc-hp-baseline-legacy-reply
Message-ID: <smime-signed-enc-hp-baseline-legacy-reply@example> Message-ID: <smime-signed-enc-hp-baseline-legacy-reply@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:16:02 -0500 Date: Sat, 20 Feb 2021 10:16:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-hp-baseline-legacy@example> In-Reply-To: <smime-signed-enc-hp-baseline-legacy@example>
References: <smime-signed-enc-hp-baseline-legacy@example> References: <smime-signed-enc-hp-baseline-legacy@example>
skipping to change at line 6695 skipping to change at line 6467
This is a signed-and-encrypted S/MIME message using PKCS#7 This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData. The payload is a text/plain envelopedData around signedData. The payload is a text/plain
message. It uses the Header Protection scheme from the draft message. It uses the Header Protection scheme from the draft
with the hcp_baseline Header Confidentiality Policy with a with the hcp_baseline Header Confidentiality Policy with a
"Legacy Display" part. "Legacy Display" part.
-- --
Alice Alice
alice@smime.example alice@smime.example
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-signed-enc-hp-shy-reply">
<section anchor="smime-signed-enc-hp-shy-reply"><name>S/MIME Signed and Encrypte <name>S/MIME Signed-and-Encrypted Reply over a Simple Message, Header
d Reply Over a Simple Message, Header Protection With hcp_shy</name> Protection with hcp_shy</name>
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou dData around signedData. The payload is a text/plain message. It uses the Heade
nd signedData. The payload is a text/plain message. It uses the Header Protecti r Protection scheme from the draft with the hcp_shy <iref item="Header Confident
on scheme from the draft with the hcp_shy <iref item="Header Confidentiality Pol iality Policy"/><xref target="header-confidentiality-policy" format="none">Heade
icy"/><xref target="header-confidentiality-policy" format="none">Header Confiden r Confidentiality Policy</xref>.</t>
tiality Policy</xref>.</t> <t>It has the following structure:</t>
<artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 8190 bytes └─╴application/pkcs7-mime [smime.p7m] 8190 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 5054 bytes └─╴application/pkcs7-mime [smime.p7m] 5054 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└─╴text/plain 325 bytes └─╴text/plain 325 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy-reply.
eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy-reply.em
l"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: [...] Subject: [...]
Message-ID: <smime-signed-enc-hp-shy-reply@example> Message-ID: <smime-signed-enc-hp-shy-reply@example>
From: alice@smime.example From: alice@smime.example
To: bob@smime.example To: bob@smime.example
Date: Sat, 20 Feb 2021 15:18:02 +0000 Date: Sat, 20 Feb 2021 15:18:02 +0000
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-hp-shy@example> In-Reply-To: <smime-signed-enc-hp-shy@example>
skipping to change at line 6854 skipping to change at line 6621
kb9o2JKJmBKTHOPHFOI/dDXfm4kbHvn6T1y70Vke3ORySdHxxTXoEEchkJ65rT01 kb9o2JKJmBKTHOPHFOI/dDXfm4kbHvn6T1y70Vke3ORySdHxxTXoEEchkJ65rT01
gJ/cA7EJSIzJ4DpcUlKk+HBVmvl0HX63NSTBEEfWrsWdoEUAktVHmTTMfxnvrtoh gJ/cA7EJSIzJ4DpcUlKk+HBVmvl0HX63NSTBEEfWrsWdoEUAktVHmTTMfxnvrtoh
LPnNUdEXJae+0kE+EyEWce9MbSPjsNFddHAdNpxthy04hbvQx6/YrUrk0BHGtzDI LPnNUdEXJae+0kE+EyEWce9MbSPjsNFddHAdNpxthy04hbvQx6/YrUrk0BHGtzDI
lIdeatVgxlIb6XS3UzfS/DqHx6+FCGZ75ZYM5/IwlYXkNzXXibin6xqAL3UFAGob lIdeatVgxlIb6XS3UzfS/DqHx6+FCGZ75ZYM5/IwlYXkNzXXibin6xqAL3UFAGob
kGeAoKE1bo4d4TJdoYafa+9KxU8DH8fQvMrfFBtS9327I4qWFv4fzPG81opU/+d9 kGeAoKE1bo4d4TJdoYafa+9KxU8DH8fQvMrfFBtS9327I4qWFv4fzPG81opU/+d9
kkKOvewfx99h4aMfflT0Y1bs8/mLMABnZiiyPdE4ZDIwoicqGsQgO1u/dRD7pHWt kkKOvewfx99h4aMfflT0Y1bs8/mLMABnZiiyPdE4ZDIwoicqGsQgO1u/dRD7pHWt
J9Hv77iPBZMmURHGiRkK0hBxYlRGUFZm/6/Y/aX4vG/1K+A8l2ksWdLpqXRQpcuD J9Hv77iPBZMmURHGiRkK0hBxYlRGUFZm/6/Y/aX4vG/1K+A8l2ksWdLpqXRQpcuD
kqIBlcn++x8pyWyY1STAOF9w1IFp5wBHH1fy07yNBDj/xKMufz9j6hrYWQV8bjWV kqIBlcn++x8pyWyY1STAOF9w1IFp5wBHH1fy07yNBDj/xKMufz9j6hrYWQV8bjWV
TK3cb8Ar2Qr80TrUUCjyu+d+37kcsi2uMDkiRD/avJbLPwePFTuJZe7nZYdA1A2s TK3cb8Ar2Qr80TrUUCjyu+d+37kcsi2uMDkiRD/avJbLPwePFTuJZe7nZYdA1A2s
hxnJyBasTI4iMlxH11JYuMGHouu24u5BbCILf654lR+BIQ1d2ogA41eHPlZ7x3H7 hxnJyBasTI4iMlxH11JYuMGHouu24u5BbCILf654lR+BIQ1d2ogA41eHPlZ7x3H7
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-reply-over-a-simple-messag
<section anchor="smime-signed-and-encrypted-reply-over-a-simple-message-header-p e-header-protection-with-hcpshy-decrypted">
rotection-with-hcpshy-decrypted"><name>S/MIME Signed and Encrypted Reply Over a <name>S/MIME Signed-and-Encrypted Reply over a Simple Message, Heade
Simple Message, Header Protection With hcp_shy, Decrypted</name> r Protection with hcp_shy, Decrypted</name>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> </t>
<sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy-repl
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy-reply.de y.decrypted.eml"><![CDATA[
crypted.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIIOVQYJKoZIhvcNAQcCoIIORjCCDkICAQExDTALBglghkgBZQMEAgEwggR+Bgkq MIIOVQYJKoZIhvcNAQcCoIIORjCCDkICAQExDTALBglghkgBZQMEAgEwggR+Bgkq
hkiG9w0BBwGgggRvBIIEa01JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVRyYW5z hkiG9w0BBwGgggRvBIIEa01JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVRyYW5z
ZmVyLUVuY29kaW5nOiA3Yml0DQpTdWJqZWN0OiBzbWltZS1zaWduZWQtZW5jLWhw ZmVyLUVuY29kaW5nOiA3Yml0DQpTdWJqZWN0OiBzbWltZS1zaWduZWQtZW5jLWhw
LXNoeS1yZXBseQ0KTWVzc2FnZS1JRDogPHNtaW1lLXNpZ25lZC1lbmMtaHAtc2h5 LXNoeS1yZXBseQ0KTWVzc2FnZS1JRDogPHNtaW1lLXNpZ25lZC1lbmMtaHAtc2h5
LXJlcGx5QGV4YW1wbGU+DQpGcm9tOiBBbGljZSA8YWxpY2VAc21pbWUuZXhhbXBs LXJlcGx5QGV4YW1wbGU+DQpGcm9tOiBBbGljZSA8YWxpY2VAc21pbWUuZXhhbXBs
ZT4NClRvOiBCb2IgPGJvYkBzbWltZS5leGFtcGxlPg0KRGF0ZTogU2F0LCAyMCBG ZT4NClRvOiBCb2IgPGJvYkBzbWltZS5leGFtcGxlPg0KRGF0ZTogU2F0LCAyMCBG
skipping to change at line 6942 skipping to change at line 6707
KFNhbXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzdBBXnt KFNhbXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzdBBXnt
dX9CqaJcOvT4as6aqdcwCwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqG dX9CqaJcOvT4as6aqdcwCwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqG
SIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjEwMjIwMTUxODAyWjAvBgkqhkiG9w0B SIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjEwMjIwMTUxODAyWjAvBgkqhkiG9w0B
CQQxIgQgMahPfXeRTJKDWjCE/0llScBMuyD7DptAxoKsAmAzBdgwDQYJKoZIhvcN CQQxIgQgMahPfXeRTJKDWjCE/0llScBMuyD7DptAxoKsAmAzBdgwDQYJKoZIhvcN
AQEBBQAEggEASJuMfoErHP+bowktPN/yJIltnTlZUibkbJxhHPhR5EgNnn3JyMoW AQEBBQAEggEASJuMfoErHP+bowktPN/yJIltnTlZUibkbJxhHPhR5EgNnn3JyMoW
l0yP6nJyH3sBQ2/CIBkmMSXmg+A0PFv3w40fUtX2oKVzT5TKnNsIDtv2Z7J5JRI3 l0yP6nJyH3sBQ2/CIBkmMSXmg+A0PFv3w40fUtX2oKVzT5TKnNsIDtv2Z7J5JRI3
TbATMRmw8VItmPGFCJsD9nXRc4cEgvrvojXSfv6bWp5hCO+8WNadiiGZNdoZduiL TbATMRmw8VItmPGFCJsD9nXRc4cEgvrvojXSfv6bWp5hCO+8WNadiiGZNdoZduiL
rWNSwO9nQSxuNkqNo+wwaXF9Rynh1ZcazsVopBB4s5XuJ/Zcbbsaci1w34ywNCHw rWNSwO9nQSxuNkqNo+wwaXF9Rynh1ZcazsVopBB4s5XuJ/Zcbbsaci1w34ywNCHw
5xx9Cgj+6+yUsFp33P2YVgdfK4beyoOZK27Rm9e7Mpi6QxUi+BCR/8DB9svZBwob 5xx9Cgj+6+yUsFp33P2YVgdfK4beyoOZK27Rm9e7Mpi6QxUi+BCR/8DB9svZBwob
K7iaKJzRBDxl4Qt/m6VHxtvkTXjkOOD+7g== K7iaKJzRBDxl4Qt/m6VHxtvkTXjkOOD+7g==
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-reply-over-a-simple-messag
<section anchor="smime-signed-and-encrypted-reply-over-a-simple-message-header-p e-header-protection-with-hcpshy-decrypted-and-unwrapped">
rotection-with-hcpshy-decrypted-and-unwrapped"><name>S/MIME Signed and Encrypted <name>S/MIME Signed-and-Encrypted Reply over a Simple Message, Heade
Reply Over a Simple Message, Header Protection With hcp_shy, Decrypted and Unwr r Protection with hcp_shy, Decrypted and Unwrapped</name>
apped</name> <t>The inner signed-data layer unwraps to:</t>
<sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy-repl
<t>The inner signed-data layer unwraps to:</t> y.decrypted.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy-reply.de
crypted.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit
Subject: smime-signed-enc-hp-shy-reply Subject: smime-signed-enc-hp-shy-reply
Message-ID: <smime-signed-enc-hp-shy-reply@example> Message-ID: <smime-signed-enc-hp-shy-reply@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:18:02 -0500 Date: Sat, 20 Feb 2021 10:18:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-hp-shy@example> In-Reply-To: <smime-signed-enc-hp-shy@example>
References: <smime-signed-enc-hp-shy@example> References: <smime-signed-enc-hp-shy@example>
skipping to change at line 6982 skipping to change at line 6745
message. message.
This is a signed-and-encrypted S/MIME message using PKCS#7 This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData. The payload is a text/plain envelopedData around signedData. The payload is a text/plain
message. It uses the Header Protection scheme from the draft message. It uses the Header Protection scheme from the draft
with the hcp_shy Header Confidentiality Policy. with the hcp_shy Header Confidentiality Policy.
-- --
Alice Alice
alice@smime.example alice@smime.example
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-signed-enc-hp-shy-legacy-reply">
<section anchor="smime-signed-enc-hp-shy-legacy-reply"><name>S/MIME Signed and E <name>S/MIME Signed-and-Encrypted Reply over a Simple Message, Header
ncrypted Reply Over a Simple Message, Header Protection With hcp_shy (+ Legacy D Protection with hcp_shy (+ Legacy Display)</name>
isplay)</name> <t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
dData around signedData. The payload is a text/plain message. It uses the Heade
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou r Protection scheme from the draft with the hcp_shy <iref item="Header Confident
nd signedData. The payload is a text/plain message. It uses the Header Protecti iality Policy"/><xref target="header-confidentiality-policy" format="none">Heade
on scheme from the draft with the hcp_shy <iref item="Header Confidentiality Pol r Confidentiality Policy</xref> with a "Legacy Display" part.</t>
icy"/><xref target="header-confidentiality-policy" format="none">Header Confiden <t>It has the following structure:</t>
tiality Policy</xref> with a "Legacy Display" part.</t> <artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 8690 bytes └─╴application/pkcs7-mime [smime.p7m] 8690 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 5418 bytes └─╴application/pkcs7-mime [smime.p7m] 5418 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└─╴text/plain 514 bytes └─╴text/plain 514 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy-legacy
-reply.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy-legacy-r
eply.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: [...] Subject: [...]
Message-ID: <smime-signed-enc-hp-shy-legacy-reply@example> Message-ID: <smime-signed-enc-hp-shy-legacy-reply@example>
From: alice@smime.example From: alice@smime.example
To: bob@smime.example To: bob@smime.example
Date: Sat, 20 Feb 2021 15:19:02 +0000 Date: Sat, 20 Feb 2021 15:19:02 +0000
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-hp-shy-legacy@example> In-Reply-To: <smime-signed-enc-hp-shy-legacy@example>
skipping to change at line 7149 skipping to change at line 6907
r7Cp3Z7TW2emivxYYCk7airndOWeIdZrwxoACNTQ+6IeD0LSet6iMP2EiLRRgfOB r7Cp3Z7TW2emivxYYCk7airndOWeIdZrwxoACNTQ+6IeD0LSet6iMP2EiLRRgfOB
2eU6X7yMWvTwRYbByybrKpqsM2moy4IpMS+DgaThSVxVHf3RbFvIXPUmhRCFFkS4 2eU6X7yMWvTwRYbByybrKpqsM2moy4IpMS+DgaThSVxVHf3RbFvIXPUmhRCFFkS4
lmmm2czKN9wUaBLKcmeynBpRaunt9n0uFyWJgSbekqw3cet82vu9MOPSmM2h36UV lmmm2czKN9wUaBLKcmeynBpRaunt9n0uFyWJgSbekqw3cet82vu9MOPSmM2h36UV
WgJDktehhr/gi23ON4kavEwGngVIvlq+Emm0SuUmKacqdaOmATxUhL92IA93L9pm WgJDktehhr/gi23ON4kavEwGngVIvlq+Emm0SuUmKacqdaOmATxUhL92IA93L9pm
RvT6xARWsy0DrG/r362C6PDwp1fsTOQju6LkhFAOAvqDPKk+HOIjgBtkynHUPGwv RvT6xARWsy0DrG/r362C6PDwp1fsTOQju6LkhFAOAvqDPKk+HOIjgBtkynHUPGwv
8EN9Gx2SWwDJahAjPoz2t9kByC7PdG9qyGAAAEU6G/wXjshmzgw3jdw/PRmfSdNs 8EN9Gx2SWwDJahAjPoz2t9kByC7PdG9qyGAAAEU6G/wXjshmzgw3jdw/PRmfSdNs
gbky/4GGewNl06WC9c+6qN4ldDff+m83ABgWonCuamerjlaIFFbfBJEGX/CBz7GQ gbky/4GGewNl06WC9c+6qN4ldDff+m83ABgWonCuamerjlaIFFbfBJEGX/CBz7GQ
QpfxuAEbhi11UloM77povWS5Cl8e0GSD2t2mt7E0aLgMT+L2TZXQx8lZmN8sWQq7 QpfxuAEbhi11UloM77povWS5Cl8e0GSD2t2mt7E0aLgMT+L2TZXQx8lZmN8sWQq7
cP6aK8FpkDhidLIc9fneWucvMH5BKXx8em3ug4Bl8MUABR4K03ebuTLfDH+FGkD0 cP6aK8FpkDhidLIc9fneWucvMH5BKXx8em3ug4Bl8MUABR4K03ebuTLfDH+FGkD0
HNeqqUVBSzDveFdaylcw2HkJpm8D9BoC3Y0n/WMW5VE= HNeqqUVBSzDveFdaylcw2HkJpm8D9BoC3Y0n/WMW5VE=
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-reply-over-a-simple-messag
<section anchor="smime-signed-and-encrypted-reply-over-a-simple-message-header-p e-header-protection-with-hcpshy-legacy-display-decrypted">
rotection-with-hcpshy-legacy-display-decrypted"><name>S/MIME Signed and Encrypte <name>S/MIME Signed-and-Encrypted Reply over a Simple Message, Heade
d Reply Over a Simple Message, Header Protection With hcp_shy (+ Legacy Display) r Protection with hcp_shy (+ Legacy Display), Decrypted</name>
, Decrypted</name> <t>The S/MIME enveloped-data layer unwraps to this signed-data part:
</t>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy-lega
cy-reply.decrypted.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy-legacy-r
eply.decrypted.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIIPXgYJKoZIhvcNAQcCoIIPTzCCD0sCAQExDTALBglghkgBZQMEAgEwggWHBgkq MIIPXgYJKoZIhvcNAQcCoIIPTzCCD0sCAQExDTALBglghkgBZQMEAgEwggWHBgkq
hkiG9w0BBwGgggV4BIIFdE1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVRyYW5z hkiG9w0BBwGgggV4BIIFdE1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVRyYW5z
ZmVyLUVuY29kaW5nOiA3Yml0DQpTdWJqZWN0OiBzbWltZS1zaWduZWQtZW5jLWhw ZmVyLUVuY29kaW5nOiA3Yml0DQpTdWJqZWN0OiBzbWltZS1zaWduZWQtZW5jLWhw
LXNoeS1sZWdhY3ktcmVwbHkNCk1lc3NhZ2UtSUQ6IDxzbWltZS1zaWduZWQtZW5j LXNoeS1sZWdhY3ktcmVwbHkNCk1lc3NhZ2UtSUQ6IDxzbWltZS1zaWduZWQtZW5j
LWhwLXNoeS1sZWdhY3ktcmVwbHlAZXhhbXBsZT4NCkZyb206IEFsaWNlIDxhbGlj LWhwLXNoeS1sZWdhY3ktcmVwbHlAZXhhbXBsZT4NCkZyb206IEFsaWNlIDxhbGlj
ZUBzbWltZS5leGFtcGxlPg0KVG86IEJvYiA8Ym9iQHNtaW1lLmV4YW1wbGU+DQpE ZUBzbWltZS5leGFtcGxlPg0KVG86IEJvYiA8Ym9iQHNtaW1lLmV4YW1wbGU+DQpE
skipping to change at line 7243 skipping to change at line 6999
ZmljYXRpb24gQXV0aG9yaXR5AhM3QQV57XV/QqmiXDr0+GrOmqnXMAsGCWCGSAFl ZmljYXRpb24gQXV0aG9yaXR5AhM3QQV57XV/QqmiXDr0+GrOmqnXMAsGCWCGSAFl
AwQCAaBpMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8X AwQCAaBpMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8X
DTIxMDIyMDE1MTkwMlowLwYJKoZIhvcNAQkEMSIEIDUClbNj9mKYodH3vCGfNVpZ DTIxMDIyMDE1MTkwMlowLwYJKoZIhvcNAQkEMSIEIDUClbNj9mKYodH3vCGfNVpZ
jSSWg3QZ6u/dLxbyfbvEMA0GCSqGSIb3DQEBAQUABIIBAHqRG2dp61WFSKrkBcj7 jSSWg3QZ6u/dLxbyfbvEMA0GCSqGSIb3DQEBAQUABIIBAHqRG2dp61WFSKrkBcj7
sVy7SmsllIQUOl3EO23T5h4PcL8PjggAJi/GHWaEsGviQEdS0QAbljEnzd2wjgn0 sVy7SmsllIQUOl3EO23T5h4PcL8PjggAJi/GHWaEsGviQEdS0QAbljEnzd2wjgn0
QDtLBAfpQtQR0byQGTzpg7y9Lt5WnuxQaZxsBPvENqeYSFesUVlW1JrJGXcqLH7U QDtLBAfpQtQR0byQGTzpg7y9Lt5WnuxQaZxsBPvENqeYSFesUVlW1JrJGXcqLH7U
cu1+bdDLEe0p2ITtazvmgJ5NvoHkucBk1v8fwW6uliGJCZC0Gf9WJDP1qay2Jexy cu1+bdDLEe0p2ITtazvmgJ5NvoHkucBk1v8fwW6uliGJCZC0Gf9WJDP1qay2Jexy
/TUzmr2Egnxq71WlAVql2kfUOfZkgALFRzhaHtonrST83I1sLK9ZxB8ZX8vJX56v /TUzmr2Egnxq71WlAVql2kfUOfZkgALFRzhaHtonrST83I1sLK9ZxB8ZX8vJX56v
5hHRzhuQQyAVgOeVz7skKIb5ODfBHqJ1vEzvCjf72BgQLYGEzR6hmPXW1Ml4vXtV 5hHRzhuQQyAVgOeVz7skKIb5ODfBHqJ1vEzvCjf72BgQLYGEzR6hmPXW1Ml4vXtV
lIw= lIw=
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-reply-over-a-simple-messag
<section anchor="smime-signed-and-encrypted-reply-over-a-simple-message-header-p e-header-protection-with-hcpshy-legacy-display-decrypted-and-unwrapped">
rotection-with-hcpshy-legacy-display-decrypted-and-unwrapped"><name>S/MIME Signe <name>S/MIME Signed-and-Encrypted Reply over a Simple Message, Heade
d and Encrypted Reply Over a Simple Message, Header Protection With hcp_shy (+ L r Protection with hcp_shy (+ Legacy Display), Decrypted and Unwrapped</name>
egacy Display), Decrypted and Unwrapped</name> <t>The inner signed-data layer unwraps to:</t>
<sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy-lega
<t>The inner signed-data layer unwraps to:</t> cy-reply.decrypted.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-hp-shy-legacy-r
eply.decrypted.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Transfer-Encoding: 7bit Content-Transfer-Encoding: 7bit
Subject: smime-signed-enc-hp-shy-legacy-reply Subject: smime-signed-enc-hp-shy-legacy-reply
Message-ID: <smime-signed-enc-hp-shy-legacy-reply@example> Message-ID: <smime-signed-enc-hp-shy-legacy-reply@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:19:02 -0500 Date: Sat, 20 Feb 2021 10:19:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-hp-shy-legacy@example> In-Reply-To: <smime-signed-enc-hp-shy-legacy@example>
References: <smime-signed-enc-hp-shy-legacy@example> References: <smime-signed-enc-hp-shy-legacy@example>
skipping to change at line 7291 skipping to change at line 7045
This is a signed-and-encrypted S/MIME message using PKCS#7 This is a signed-and-encrypted S/MIME message using PKCS#7
envelopedData around signedData. The payload is a text/plain envelopedData around signedData. The payload is a text/plain
message. It uses the Header Protection scheme from the draft message. It uses the Header Protection scheme from the draft
with the hcp_shy Header Confidentiality Policy with a "Legacy with the hcp_shy Header Confidentiality Policy with a "Legacy
Display" part. Display" part.
-- --
Alice Alice
alice@smime.example alice@smime.example
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-signed-enc-complex-hp-baseline">
<section anchor="smime-signed-enc-complex-hp-baseline"><name>S/MIME Signed and E <name>S/MIME Signed and Encrypted over a Complex Message, Header Prote
ncrypted Over a Complex Message, Header Protection With hcp_baseline</name> ction with hcp_baseline</name>
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou dData around signedData. The payload is a multipart/alternative message with an
nd signedData. The payload is a multipart/alternative message with an inline im inline image/png attachment. It uses the Header Protection scheme from the draf
age/png attachment. It uses the Header Protection scheme from the draft with the t with the hcp_baseline <iref item="Header Confidentiality Policy"/><xref target
hcp_baseline <iref item="Header Confidentiality Policy"/><xref target="header-c ="header-confidentiality-policy" format="none">Header Confidentiality Policy</xr
onfidentiality-policy" format="none">Header Confidentiality Policy</xref>.</t> ef>.</t>
<t>It has the following structure:</t>
<t>It has the following structure:</t> <artwork type="ascii-art"><![CDATA[
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 10035 bytes └─╴application/pkcs7-mime [smime.p7m] 10035 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 6412 bytes └─╴application/pkcs7-mime [smime.p7m] 6412 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└┬╴multipart/mixed 2054 bytes └┬╴multipart/mixed 2054 bytes
├┬╴multipart/alternative 1124 bytes ├┬╴multipart/alternative 1124 bytes
│├─╴text/plain 383 bytes │├─╴text/plain 383 bytes
│└─╴text/html 478 bytes │└─╴text/html 478 bytes
└─╴image/png inline 236 bytes └─╴image/png inline 236 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-ba
seline.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-base
line.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: [...] Subject: [...]
Message-ID: <smime-signed-enc-complex-hp-baseline@example> Message-ID: <smime-signed-enc-complex-hp-baseline@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:09:02 -0500 Date: Sat, 20 Feb 2021 12:09:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
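Review bot: the intro <t> of the smime-signed-enc-complex-hp-baseline section still reads "It uses the Header Protection scheme from the draft" on the rfc9788.xml side. With number="9788" now set on the <rfc> element, "the draft" is stale; suggest "from this document". The same sentence is carried into the intros of the hcp_baseline (+ Legacy Display), hcp_shy and hcp_shy (+ Legacy Display) sections further down, so it is worth fixing all four in one pass.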
skipping to change at line 7481 skipping to change at line 7230
u/kW8TwMOBveXstkJUm8TBhX5TDEFtg+Y+tyDNb4n4xwpuishLd/pMck6LNK3fO3 u/kW8TwMOBveXstkJUm8TBhX5TDEFtg+Y+tyDNb4n4xwpuishLd/pMck6LNK3fO3
cOaqQssUWkpjJSzSeedcA4oonnq833DXP6SPF1ksXlArsDVWB4atlFRqbaUKKrpv cOaqQssUWkpjJSzSeedcA4oonnq833DXP6SPF1ksXlArsDVWB4atlFRqbaUKKrpv
Hinhb+MUjANUW+TcAEznbTyHFvEuNCIX7WU7SlOglcrEjJzGnJZC24+l0KzxF3ed Hinhb+MUjANUW+TcAEznbTyHFvEuNCIX7WU7SlOglcrEjJzGnJZC24+l0KzxF3ed
7PndgDslLmJc4ExhALrKGFw57Muvy1UNd4f6W7AEraj/54FIoZzDRH+R/owcjuiK 7PndgDslLmJc4ExhALrKGFw57Muvy1UNd4f6W7AEraj/54FIoZzDRH+R/owcjuiK
Pza8vs8W8792ds1ewGcLs+B1g+l79IbO0+zR4eio1f+6kSsRf+EucrH4RF+lU+ba Pza8vs8W8792ds1ewGcLs+B1g+l79IbO0+zR4eio1f+6kSsRf+EucrH4RF+lU+ba
w56nBq1EMoBJFuzPrLdAOD9vRVwi8cmKYYf/VgriDvZxqsDsdjC81fUEesG8/iVS w56nBq1EMoBJFuzPrLdAOD9vRVwi8cmKYYf/VgriDvZxqsDsdjC81fUEesG8/iVS
axpAOFhCp8oUQZVg8yRsR7x/m0EjFWZPu9JZwAge76HhwpSu+yg55m5ndeXEy55p axpAOFhCp8oUQZVg8yRsR7x/m0EjFWZPu9JZwAge76HhwpSu+yg55m5ndeXEy55p
ss6t9jHwuFu7F8q75xTTVE+jBZomyxfYQV0qFvvelF86Hrc+FTobS2AzPRzhwj+p ss6t9jHwuFu7F8q75xTTVE+jBZomyxfYQV0qFvvelF86Hrc+FTobS2AzPRzhwj+p
Wfh8ORVoQaHb/BuAREB/xXCLhzDsirqoUKDcVATLnBUvZIawptgC1OjIaAX3Xgn0 Wfh8ORVoQaHb/BuAREB/xXCLhzDsirqoUKDcVATLnBUvZIawptgC1OjIaAX3Xgn0
VQXDSeABdtUDVBgI67OgFw== VQXDSeABdtUDVBgI67OgFw==
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-over-a-complex-message-hea
<section anchor="smime-signed-and-encrypted-over-a-complex-message-header-protec der-protection-with-hcpbaseline-decrypted">
tion-with-hcpbaseline-decrypted"><name>S/MIME Signed and Encrypted Over a Comple <name>S/MIME Signed and Encrypted over a Complex Message, Header Pro
x Message, Header Protection With hcp_baseline, Decrypted</name> tection with hcp_baseline, Decrypted</name>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> </t>
<sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-base baseline.decrypted.eml"><![CDATA[
line.decrypted.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIISMQYJKoZIhvcNAQcCoIISIjCCEh4CAQExDTALBglghkgBZQMEAgEwgghaBgkq MIISMQYJKoZIhvcNAQcCoIISIjCCEh4CAQExDTALBglghkgBZQMEAgEwgghaBgkq
hkiG9w0BBwGggghLBIIIR01JTUUtVmVyc2lvbjogMS4wDQpTdWJqZWN0OiBzbWlt hkiG9w0BBwGggghLBIIIR01JTUUtVmVyc2lvbjogMS4wDQpTdWJqZWN0OiBzbWlt
ZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtYmFzZWxpbmUNCk1lc3NhZ2UtSUQ6IDxz ZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtYmFzZWxpbmUNCk1lc3NhZ2UtSUQ6IDxz
bWltZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtYmFzZWxpbmVAZXhhbXBsZT4NCkZy bWltZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtYmFzZWxpbmVAZXhhbXBsZT4NCkZy
b206IEFsaWNlIDxhbGljZUBzbWltZS5leGFtcGxlPg0KVG86IEJvYiA8Ym9iQHNt b206IEFsaWNlIDxhbGljZUBzbWltZS5leGFtcGxlPg0KVG86IEJvYiA8Ym9iQHNt
aW1lLmV4YW1wbGU+DQpEYXRlOiBTYXQsIDIwIEZlYiAyMDIxIDEyOjA5OjAyIC0w aW1lLmV4YW1wbGU+DQpEYXRlOiBTYXQsIDIwIEZlYiAyMDIxIDEyOjA5OjAyIC0w
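Review bot: the subsection anchor "smime-signed-and-encrypted-over-a-complex-message-header-protection-with-hcpbaseline-decrypted" is carried over unchanged, and it is inconsistent with the rest of this hunk in two ways. It drops the underscore from hcp_baseline ("hcpbaseline"), and it does not follow the short pattern of the parent anchor "smime-signed-enc-complex-hp-baseline" or of the sourcecode name "smime-signed-enc-complex-hp-baseline.decrypted.eml". Since the <section> element is being reflowed here anyway, consider an explicit anchor that matches the artifact name, for example "smime-signed-enc-complex-hp-baseline-decrypted", if no existing references depend on the long form.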
skipping to change at line 7590 skipping to change at line 7337
cnRpZmljYXRpb24gQXV0aG9yaXR5AhM3QQV57XV/QqmiXDr0+GrOmqnXMAsGCWCG cnRpZmljYXRpb24gQXV0aG9yaXR5AhM3QQV57XV/QqmiXDr0+GrOmqnXMAsGCWCG
SAFlAwQCAaBpMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkF SAFlAwQCAaBpMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkF
MQ8XDTIxMDIyMDE3MDkwMlowLwYJKoZIhvcNAQkEMSIEIFPOmRBiI1gpSbRbrEhT MQ8XDTIxMDIyMDE3MDkwMlowLwYJKoZIhvcNAQkEMSIEIFPOmRBiI1gpSbRbrEhT
xW8uQ+V/G/cmOB6495mnsKVeMA0GCSqGSIb3DQEBAQUABIIBADgh7UBYrX+esUzQ xW8uQ+V/G/cmOB6495mnsKVeMA0GCSqGSIb3DQEBAQUABIIBADgh7UBYrX+esUzQ
I9zNqk4LnbgdQoUdeJtdY2Jvyl6dlV8cfIFNgng8IluuuJI48a5yJwYG3060AkvF I9zNqk4LnbgdQoUdeJtdY2Jvyl6dlV8cfIFNgng8IluuuJI48a5yJwYG3060AkvF
JC/hq7sSBCLzNVb9UioTixGi+4nGB2iRb7TKsfamuyh5Zdjg4OrN8N1H4rwUQ1K4 JC/hq7sSBCLzNVb9UioTixGi+4nGB2iRb7TKsfamuyh5Zdjg4OrN8N1H4rwUQ1K4
Sis2TCi5/TSc+UYG7rH+YyIRSeVxNCII3rEA8E+dDRg6R5bqOTHxInQbBvG9q19e Sis2TCi5/TSc+UYG7rH+YyIRSeVxNCII3rEA8E+dDRg6R5bqOTHxInQbBvG9q19e
pelntJeSxvRSOSYwcoNGXenZ6S7eqfB3iln65d0gURSV7hPSfZwh1QSZa47egE7V pelntJeSxvRSOSYwcoNGXenZ6S7eqfB3iln65d0gURSV7hPSfZwh1QSZa47egE7V
9Dgce5pbZYQgeB27mLBCpsgRgYKbQ/+NBPBexT6Kxixd4sND++AZ6kUie+AvUpXo 9Dgce5pbZYQgeB27mLBCpsgRgYKbQ/+NBPBexT6Kxixd4sND++AZ6kUie+AvUpXo
+kGun/Q= +kGun/Q=
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-over-a-complex-message-hea
<section anchor="smime-signed-and-encrypted-over-a-complex-message-header-protec der-protection-with-hcpbaseline-decrypted-and-unwrapped">
tion-with-hcpbaseline-decrypted-and-unwrapped"><name>S/MIME Signed and Encrypted <name>S/MIME Signed and Encrypted over a Complex Message, Header Pro
Over a Complex Message, Header Protection With hcp_baseline, Decrypted and Unwr tection with hcp_baseline, Decrypted and Unwrapped</name>
apped</name> <t>The inner signed-data layer unwraps to:</t>
<sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-
<t>The inner signed-data layer unwraps to:</t> baseline.decrypted.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-base
line.decrypted.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Subject: smime-signed-enc-complex-hp-baseline Subject: smime-signed-enc-complex-hp-baseline
Message-ID: <smime-signed-enc-complex-hp-baseline@example> Message-ID: <smime-signed-enc-complex-hp-baseline@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:09:02 -0500 Date: Sat, 20 Feb 2021 12:09:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...] HP-Outer: Subject: [...]
HP-Outer: HP-Outer:
Message-ID: <smime-signed-enc-complex-hp-baseline@example> Message-ID: <smime-signed-enc-complex-hp-baseline@example>
skipping to change at line 7664 skipping to change at line 7409
Content-Type: image/png Content-Type: image/png
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Disposition: inline Content-Disposition: inline
iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg== vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==
--e03-- --e03--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-signed-enc-complex-hp-baseline-legacy">
<section anchor="smime-signed-enc-complex-hp-baseline-legacy"><name>S/MIME Signe <name>S/MIME Signed and Encrypted over a Complex Message, Header Prote
d and Encrypted Over a Complex Message, Header Protection With hcp_baseline (+ L ction with hcp_baseline (+ Legacy Display)</name>
egacy Display)</name> <t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
dData around signedData. The payload is a multipart/alternative message with an
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou inline image/png attachment. It uses the Header Protection scheme from the draf
nd signedData. The payload is a multipart/alternative message with an inline im t with the hcp_baseline <iref item="Header Confidentiality Policy"/><xref target
age/png attachment. It uses the Header Protection scheme from the draft with the ="header-confidentiality-policy" format="none">Header Confidentiality Policy</xr
hcp_baseline <iref item="Header Confidentiality Policy"/><xref target="header-c ef> with a "Legacy Display" part.</t>
onfidentiality-policy" format="none">Header Confidentiality Policy</xref> with a <t>It has the following structure:</t>
"Legacy Display" part.</t> <artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 10640 bytes └─╴application/pkcs7-mime [smime.p7m] 10640 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 6856 bytes └─╴application/pkcs7-mime [smime.p7m] 6856 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└┬╴multipart/mixed 2367 bytes └┬╴multipart/mixed 2367 bytes
├┬╴multipart/alternative 1415 bytes ├┬╴multipart/alternative 1415 bytes
│├─╴text/plain 476 bytes │├─╴text/plain 476 bytes
│└─╴text/html 636 bytes │└─╴text/html 636 bytes
└─╴image/png inline 236 bytes └─╴image/png inline 236 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-ba
seline-legacy.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-base
line-legacy.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: [...] Subject: [...]
Message-ID: Message-ID:
<smime-signed-enc-complex-hp-baseline-legacy@example> <smime-signed-enc-complex-hp-baseline-legacy@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:10:02 -0500 Date: Sat, 20 Feb 2021 12:10:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
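Review bot: in the intro <t> of smime-signed-enc-complex-hp-baseline-legacy, the sentence chains two "with" clauses ("... with the hcp_baseline Header Confidentiality Policy with a "Legacy Display" part"). That leaves it unclear whether the Legacy Display part belongs to the policy or to the message. Suggest rewording along the lines of "It uses the Header Protection scheme with the hcp_baseline Header Confidentiality Policy and includes a "Legacy Display" part."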
skipping to change at line 7864 skipping to change at line 7604
BysnpeELKcGGHjdUovPTWk7v/ewl/dJ1dVgEiRsnSU7G4bMhR1OY3lRER902wjLm BysnpeELKcGGHjdUovPTWk7v/ewl/dJ1dVgEiRsnSU7G4bMhR1OY3lRER902wjLm
6zdOuNbd7LrTimhtu6lWIFtSgrJpPNKpDTgjGn5X8R8MuAFJFibkS4uMbL1Fty32 6zdOuNbd7LrTimhtu6lWIFtSgrJpPNKpDTgjGn5X8R8MuAFJFibkS4uMbL1Fty32
bESHzoLqSLRgWgLpZQjmrTyvOgvYyauKjZYslBnVqjd+oBq9JUgxh7xKsG+z2KQo bESHzoLqSLRgWgLpZQjmrTyvOgvYyauKjZYslBnVqjd+oBq9JUgxh7xKsG+z2KQo
V4QC4M3z0ppx76fYMETfOMjp9Pm8KyuhEHXIbAXoVE1rer2m1ptaJGZF7wUJAqEL V4QC4M3z0ppx76fYMETfOMjp9Pm8KyuhEHXIbAXoVE1rer2m1ptaJGZF7wUJAqEL
uJiKSztN5S5sFe+a87BsIlDWkCLZRuDb04aO+ndSd343yK9CMfYKbknZXtC/cAVd uJiKSztN5S5sFe+a87BsIlDWkCLZRuDb04aO+ndSd343yK9CMfYKbknZXtC/cAVd
2cwFAg+qix+351gdmGd5L8tQC9V4FO3uy0JQU90g0Twq0nE45fvLj0J4rnivuQkD 2cwFAg+qix+351gdmGd5L8tQC9V4FO3uy0JQU90g0Twq0nE45fvLj0J4rnivuQkD
NMypJdswmGcd8TWFdb8kQMtZPNWuupbV5w1lF3ibGEhGqtO+4/gu1ua3jg+cHI3o NMypJdswmGcd8TWFdb8kQMtZPNWuupbV5w1lF3ibGEhGqtO+4/gu1ua3jg+cHI3o
oKBzUuvYGLXrbrYnPE1b3HQXvxDVd8m/+KLDNiwyQ7UT676iJn7ARCYZCwP/D3g6 oKBzUuvYGLXrbrYnPE1b3HQXvxDVd8m/+KLDNiwyQ7UT676iJn7ARCYZCwP/D3g6
zMc3NXJkUZ8KFOHqokaaJ3jleLoMi6JB23bhiv/RRJuYk+TCwX7uBKF8fnt+E802 zMc3NXJkUZ8KFOHqokaaJ3jleLoMi6JB23bhiv/RRJuYk+TCwX7uBKF8fnt+E802
YOhbKcnThdDUreGM2QrsjZeHZQ6qgIkLUedro8EsPI8= YOhbKcnThdDUreGM2QrsjZeHZQ6qgIkLUedro8EsPI8=
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-over-a-complex-message-hea
<section anchor="smime-signed-and-encrypted-over-a-complex-message-header-protec der-protection-with-hcpbaseline-legacy-display-decrypted">
tion-with-hcpbaseline-legacy-display-decrypted"><name>S/MIME Signed and Encrypte <name>S/MIME Signed and Encrypted over a Complex Message, Header Pro
d Over a Complex Message, Header Protection With hcp_baseline (+ Legacy Display) tection with hcp_baseline (+ Legacy Display), Decrypted</name>
, Decrypted</name> <t>The S/MIME enveloped-data layer unwraps to this signed-data part:
</t>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-
baseline-legacy.decrypted.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-base
line-legacy.decrypted.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIITdQYJKoZIhvcNAQcCoIITZjCCE2ICAQExDTALBglghkgBZQMEAgEwggmeBgkq MIITdQYJKoZIhvcNAQcCoIITZjCCE2ICAQExDTALBglghkgBZQMEAgEwggmeBgkq
hkiG9w0BBwGgggmPBIIJi01JTUUtVmVyc2lvbjogMS4wDQpTdWJqZWN0OiBzbWlt hkiG9w0BBwGgggmPBIIJi01JTUUtVmVyc2lvbjogMS4wDQpTdWJqZWN0OiBzbWlt
ZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtYmFzZWxpbmUtbGVnYWN5DQpNZXNzYWdl ZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtYmFzZWxpbmUtbGVnYWN5DQpNZXNzYWdl
LUlEOg0KIDxzbWltZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtYmFzZWxpbmUtbGVn LUlEOg0KIDxzbWltZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtYmFzZWxpbmUtbGVn
YWN5QGV4YW1wbGU+DQpGcm9tOiBBbGljZSA8YWxpY2VAc21pbWUuZXhhbXBsZT4N YWN5QGV4YW1wbGU+DQpGcm9tOiBBbGljZSA8YWxpY2VAc21pbWUuZXhhbXBsZT4N
ClRvOiBCb2IgPGJvYkBzbWltZS5leGFtcGxlPg0KRGF0ZTogU2F0LCAyMCBGZWIg ClRvOiBCb2IgPGJvYkBzbWltZS5leGFtcGxlPg0KRGF0ZTogU2F0LCAyMCBGZWIg
skipping to change at line 7979 skipping to change at line 7717
TVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFNUFMgUlNBIENlcnRpZmljYXRpb24g TVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFNUFMgUlNBIENlcnRpZmljYXRpb24g
QXV0aG9yaXR5AhM3QQV57XV/QqmiXDr0+GrOmqnXMAsGCWCGSAFlAwQCAaBpMBgG QXV0aG9yaXR5AhM3QQV57XV/QqmiXDr0+GrOmqnXMAsGCWCGSAFlAwQCAaBpMBgG
CSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIxMDIyMDE3 CSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIxMDIyMDE3
MTAwMlowLwYJKoZIhvcNAQkEMSIEIDe7/NLwTkHNon7IR1M1xiObMU+8qMIZ1No5 MTAwMlowLwYJKoZIhvcNAQkEMSIEIDe7/NLwTkHNon7IR1M1xiObMU+8qMIZ1No5
ANcjz5C9MA0GCSqGSIb3DQEBAQUABIIBABi/HvXTe3Z+LaltuFv57ZaUvY6kegwe ANcjz5C9MA0GCSqGSIb3DQEBAQUABIIBABi/HvXTe3Z+LaltuFv57ZaUvY6kegwe
OGiZ5UPa5FBpQxoE/1vp8xG+UVIUnpdV/1THKPjKFr6bZZff1/4u4NFeBYwI9yg+ OGiZ5UPa5FBpQxoE/1vp8xG+UVIUnpdV/1THKPjKFr6bZZff1/4u4NFeBYwI9yg+
tK1cYz+B2cscX6FDAGjUr/6QxMOwd+ol7bnlzJJDrXvv8B5AOdHFosyOrDSrvn2k tK1cYz+B2cscX6FDAGjUr/6QxMOwd+ol7bnlzJJDrXvv8B5AOdHFosyOrDSrvn2k
Pzc6ush4JvS3aee5QFEgtd1bQx9fx3t/QhBsn5kGMC+3FzvKtmAYUlz0unqvk4HV Pzc6ush4JvS3aee5QFEgtd1bQx9fx3t/QhBsn5kGMC+3FzvKtmAYUlz0unqvk4HV
I40Goh/Fm3uzNxwTQ3/rzE7ws1Qkrp0VlBxVGgUa4dZ1VXVIizkRz1PRtis66F73 I40Goh/Fm3uzNxwTQ3/rzE7ws1Qkrp0VlBxVGgUa4dZ1VXVIizkRz1PRtis66F73
EXJlygf9Btm/TJDUivXGr7fCI2i+njByX9vqUf/0UANsPevCy0HQWCY= EXJlygf9Btm/TJDUivXGr7fCI2i+njByX9vqUf/0UANsPevCy0HQWCY=
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-over-a-complex-message-hea
<section anchor="smime-signed-and-encrypted-over-a-complex-message-header-protec der-protection-with-hcpbaseline-legacy-display-decrypted-and-unwrapped">
tion-with-hcpbaseline-legacy-display-decrypted-and-unwrapped"><name>S/MIME Signe <name>S/MIME Signed and Encrypted over a Complex Message, Header Pro
d and Encrypted Over a Complex Message, Header Protection With hcp_baseline (+ L tection with hcp_baseline (+ Legacy Display), Decrypted and Unwrapped</name>
egacy Display), Decrypted and Unwrapped</name> <t>The inner signed-data layer unwraps to:</t>
<sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-
<t>The inner signed-data layer unwraps to:</t> baseline-legacy.decrypted.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-base
line-legacy.decrypted.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Subject: smime-signed-enc-complex-hp-baseline-legacy Subject: smime-signed-enc-complex-hp-baseline-legacy
Message-ID: Message-ID:
<smime-signed-enc-complex-hp-baseline-legacy@example> <smime-signed-enc-complex-hp-baseline-legacy@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:10:02 -0500 Date: Sat, 20 Feb 2021 12:10:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...] HP-Outer: Subject: [...]
HP-Outer: Message-ID: HP-Outer: Message-ID:
skipping to change at line 8064 skipping to change at line 7800
Content-Type: image/png Content-Type: image/png
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Disposition: inline Content-Disposition: inline
iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg== vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==
--308-- --308--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-signed-enc-complex-hp-shy">
<section anchor="smime-signed-enc-complex-hp-shy"><name>S/MIME Signed and Encryp <name>S/MIME Signed and Encrypted over a Complex Message, Header Prote
ted Over a Complex Message, Header Protection With hcp_shy</name> ction with hcp_shy</name>
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou dData around signedData. The payload is a multipart/alternative message with an
nd signedData. The payload is a multipart/alternative message with an inline im inline image/png attachment. It uses the Header Protection scheme from the draf
age/png attachment. It uses the Header Protection scheme from the draft with the t with the hcp_shy <iref item="Header Confidentiality Policy"/><xref target="hea
hcp_shy <iref item="Header Confidentiality Policy"/><xref target="header-confid der-confidentiality-policy" format="none">Header Confidentiality Policy</xref>.<
entiality-policy" format="none">Header Confidentiality Policy</xref>.</t> /t>
<t>It has the following structure:</t>
<t>It has the following structure:</t> <artwork type="ascii-art"><![CDATA[
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 9925 bytes └─╴application/pkcs7-mime [smime.p7m] 9925 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 6342 bytes └─╴application/pkcs7-mime [smime.p7m] 6342 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└┬╴multipart/mixed 2003 bytes └┬╴multipart/mixed 2003 bytes
├┬╴multipart/alternative 1104 bytes ├┬╴multipart/alternative 1104 bytes
│├─╴text/plain 373 bytes │├─╴text/plain 373 bytes
│└─╴text/html 468 bytes │└─╴text/html 468 bytes
└─╴image/png inline 236 bytes └─╴image/png inline 236 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-sh
y.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-shy.
eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: [...] Subject: [...]
Message-ID: <smime-signed-enc-complex-hp-shy@example> Message-ID: <smime-signed-enc-complex-hp-shy@example>
From: alice@smime.example From: alice@smime.example
To: bob@smime.example To: bob@smime.example
Date: Sat, 20 Feb 2021 17:12:02 +0000 Date: Sat, 20 Feb 2021 17:12:02 +0000
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
skipping to change at line 8252 skipping to change at line 7983
x8uzVRuOsCSgLpo9Ljgp56ly2vEr7gDSWgqIit0cVIwXZlUcOzzaVrDWtDDfmXYF x8uzVRuOsCSgLpo9Ljgp56ly2vEr7gDSWgqIit0cVIwXZlUcOzzaVrDWtDDfmXYF
stpjIHk4BsJGwoqJN8Gf9IGV6Pi6DlpUtifBcDEpCoBt7wkMUCHp/Bjq5lEsTtZA stpjIHk4BsJGwoqJN8Gf9IGV6Pi6DlpUtifBcDEpCoBt7wkMUCHp/Bjq5lEsTtZA
86yRqNOZKLuyW7tqDfOPYQUsUpbAM4E8hrN84EDgLYMCg6AC/Qs3H/wDO7cJ4LCk 86yRqNOZKLuyW7tqDfOPYQUsUpbAM4E8hrN84EDgLYMCg6AC/Qs3H/wDO7cJ4LCk
M5Hph06hiyehanuMCtUVyvyfSb1hWY5LELyr9UKLYHXMdCRm6SI4lhkcD/yd7YRc M5Hph06hiyehanuMCtUVyvyfSb1hWY5LELyr9UKLYHXMdCRm6SI4lhkcD/yd7YRc
8xXJwFVSBSXcuRFQD8ViGo84HNNw45Oa/kcT0tfJLNDk2psDgMICjWkiZDcOJ0fF 8xXJwFVSBSXcuRFQD8ViGo84HNNw45Oa/kcT0tfJLNDk2psDgMICjWkiZDcOJ0fF
ExXO65SCDaVSK2a2hScuhLb4o87nkHPTtmCwse92gYQlgEJqhAUCe4tupS3Tlced ExXO65SCDaVSK2a2hScuhLb4o87nkHPTtmCwse92gYQlgEJqhAUCe4tupS3Tlced
rYx5p0TRq0a4saxyQw3KOkvCYb00vr3e5ywj+I7FJmdT/3FRepXHAdJgeymSmelh rYx5p0TRq0a4saxyQw3KOkvCYb00vr3e5ywj+I7FJmdT/3FRepXHAdJgeymSmelh
MUnQVvRetUv+tbsHk96DXjMHUfvCArWcjf4NfuweEud6JAtmIxZhmBFTlg/j+oB7 MUnQVvRetUv+tbsHk96DXjMHUfvCArWcjf4NfuweEud6JAtmIxZhmBFTlg/j+oB7
L3+nunA6/dDrIlBNCCQ/WWW3STpAhFC7jBCzIZMJMwyP7tRk6KL+PptfMMWD2rJy L3+nunA6/dDrIlBNCCQ/WWW3STpAhFC7jBCzIZMJMwyP7tRk6KL+PptfMMWD2rJy
QpFXwNDVCKOca+JCuhJ3lhlfjrexPJKD5/hhqGdKqc8= QpFXwNDVCKOca+JCuhJ3lhlfjrexPJKD5/hhqGdKqc8=
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-over-a-complex-message-hea
<section anchor="smime-signed-and-encrypted-over-a-complex-message-header-protec der-protection-with-hcpshy-decrypted">
tion-with-hcpshy-decrypted"><name>S/MIME Signed and Encrypted Over a Complex Mes <name>S/MIME Signed and Encrypted over a Complex Message, Header Pro
sage, Header Protection With hcp_shy, Decrypted</name> tection with hcp_shy, Decrypted</name>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> </t>
<sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-shy. shy.decrypted.eml"><![CDATA[
decrypted.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIIR/gYJKoZIhvcNAQcCoIIR7zCCEesCAQExDTALBglghkgBZQMEAgEwgggnBgkq MIIR/gYJKoZIhvcNAQcCoIIR7zCCEesCAQExDTALBglghkgBZQMEAgEwgggnBgkq
hkiG9w0BBwGggggYBIIIFE1JTUUtVmVyc2lvbjogMS4wDQpTdWJqZWN0OiBzbWlt hkiG9w0BBwGggggYBIIIFE1JTUUtVmVyc2lvbjogMS4wDQpTdWJqZWN0OiBzbWlt
ZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtc2h5DQpNZXNzYWdlLUlEOiA8c21pbWUt ZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtc2h5DQpNZXNzYWdlLUlEOiA8c21pbWUt
c2lnbmVkLWVuYy1jb21wbGV4LWhwLXNoeUBleGFtcGxlPg0KRnJvbTogQWxpY2Ug c2lnbmVkLWVuYy1jb21wbGV4LWhwLXNoeUBleGFtcGxlPg0KRnJvbTogQWxpY2Ug
PGFsaWNlQHNtaW1lLmV4YW1wbGU+DQpUbzogQm9iIDxib2JAc21pbWUuZXhhbXBs PGFsaWNlQHNtaW1lLmV4YW1wbGU+DQpUbzogQm9iIDxib2JAc21pbWUuZXhhbXBs
ZT4NCkRhdGU6IFNhdCwgMjAgRmViIDIwMjEgMTI6MTI6MDIgLTA1MDANClVzZXIt ZT4NCkRhdGU6IFNhdCwgMjAgRmViIDIwMjEgMTI6MTI6MDIgLTA1MDANClVzZXIt
skipping to change at line 8360 skipping to change at line 8089
ZmljYXRpb24gQXV0aG9yaXR5AhM3QQV57XV/QqmiXDr0+GrOmqnXMAsGCWCGSAFl ZmljYXRpb24gQXV0aG9yaXR5AhM3QQV57XV/QqmiXDr0+GrOmqnXMAsGCWCGSAFl
AwQCAaBpMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8X AwQCAaBpMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8X
DTIxMDIyMDE3MTIwMlowLwYJKoZIhvcNAQkEMSIEIOk6rjm9vW4yAFhPqraTwTSM DTIxMDIyMDE3MTIwMlowLwYJKoZIhvcNAQkEMSIEIOk6rjm9vW4yAFhPqraTwTSM
poDXdAk+kSVCc47Smx1DMA0GCSqGSIb3DQEBAQUABIIBAAURi5oouLYIh9YruNpF poDXdAk+kSVCc47Smx1DMA0GCSqGSIb3DQEBAQUABIIBAAURi5oouLYIh9YruNpF
Se6sDsPTGmIcZsDjQ/MZV55S4pmhVBQu4SoVZDVM9KHKxqfBbj+aTs1Cyas8R88h Se6sDsPTGmIcZsDjQ/MZV55S4pmhVBQu4SoVZDVM9KHKxqfBbj+aTs1Cyas8R88h
cWqd8xhiU9ufoC7p6qEMVIyMvyppeupRyjQWUCH+2XtQ5sAVmr+F+l/Valuj7JZw cWqd8xhiU9ufoC7p6qEMVIyMvyppeupRyjQWUCH+2XtQ5sAVmr+F+l/Valuj7JZw
JU8XS84oinCF6uApu7eucGblt8t7ek7j3JXoFVE7g8a/O1JKg4ezNV2RduQeNXLT JU8XS84oinCF6uApu7eucGblt8t7ek7j3JXoFVE7g8a/O1JKg4ezNV2RduQeNXLT
m/lBVIfeiiOsmgmJa5RTgbgAakJtdo3odHj0cI31eANSbQlE3XENz2E9L8JWxYNP m/lBVIfeiiOsmgmJa5RTgbgAakJtdo3odHj0cI31eANSbQlE3XENz2E9L8JWxYNP
bBceEhIvu2AOtV2PYCBfrVp0WTVwWHorm8GG/DyvsAsa6eGJI55hA8VeBg170gT5 bBceEhIvu2AOtV2PYCBfrVp0WTVwWHorm8GG/DyvsAsa6eGJI55hA8VeBg170gT5
nzc= nzc=
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-over-a-complex-message-hea
<section anchor="smime-signed-and-encrypted-over-a-complex-message-header-protec der-protection-with-hcpshy-decrypted-and-unwrapped">
tion-with-hcpshy-decrypted-and-unwrapped"><name>S/MIME Signed and Encrypted Over <name>S/MIME Signed and Encrypted over a Complex Message, Header Pro
a Complex Message, Header Protection With hcp_shy, Decrypted and Unwrapped</nam tection with hcp_shy, Decrypted and Unwrapped</name>
e> <t>The inner signed-data layer unwraps to:</t>
<sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-
<t>The inner signed-data layer unwraps to:</t> shy.decrypted.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-shy.
decrypted.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Subject: smime-signed-enc-complex-hp-shy Subject: smime-signed-enc-complex-hp-shy
Message-ID: <smime-signed-enc-complex-hp-shy@example> Message-ID: <smime-signed-enc-complex-hp-shy@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:12:02 -0500 Date: Sat, 20 Feb 2021 12:12:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...] HP-Outer: Subject: [...]
HP-Outer: Message-ID: <smime-signed-enc-complex-hp-shy@example> HP-Outer: Message-ID: <smime-signed-enc-complex-hp-shy@example>
HP-Outer: From: alice@smime.example HP-Outer: From: alice@smime.example
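Review bot: documentation gap in the lead-in "The inner signed-data layer unwraps to:" for the hcp_shy unwrapped example. The protected header is "From: Alice <alice@smime.example>" while the recorded outer value is "HP-Outer: From: alice@smime.example", and nothing in this section says the difference is intentional. A one-sentence pointer to the hcp_shy definition (via the existing header-confidentiality-policy xref) would keep implementers who use these vectors from reading the mismatch as an error in the test data.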
skipping to change at line 8433 skipping to change at line 8160
Content-Type: image/png Content-Type: image/png
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Disposition: inline Content-Disposition: inline
iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg== vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==
--1fa-- --1fa--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-signed-enc-complex-hp-shy-legacy">
<section anchor="smime-signed-enc-complex-hp-shy-legacy"><name>S/MIME Signed and <name>S/MIME Signed and Encrypted over a Complex Message, Header Prote
Encrypted Over a Complex Message, Header Protection With hcp_shy (+ Legacy Disp ction with hcp_shy (+ Legacy Display)</name>
lay)</name> <t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
dData around signedData. The payload is a multipart/alternative message with an
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou inline image/png attachment. It uses the Header Protection scheme from the draf
nd signedData. The payload is a multipart/alternative message with an inline im t with the hcp_shy <iref item="Header Confidentiality Policy"/><xref target="hea
age/png attachment. It uses the Header Protection scheme from the draft with the der-confidentiality-policy" format="none">Header Confidentiality Policy</xref> w
hcp_shy <iref item="Header Confidentiality Policy"/><xref target="header-confid ith a "Legacy Display" part.</t>
entiality-policy" format="none">Header Confidentiality Policy</xref> with a "Leg <t>It has the following structure:</t>
acy Display" part.</t> <artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 10920 bytes └─╴application/pkcs7-mime [smime.p7m] 10920 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 7072 bytes └─╴application/pkcs7-mime [smime.p7m] 7072 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└┬╴multipart/mixed 2519 bytes └┬╴multipart/mixed 2519 bytes
├┬╴multipart/alternative 1597 bytes ├┬╴multipart/alternative 1597 bytes
│├─╴text/plain 564 bytes │├─╴text/plain 564 bytes
│└─╴text/html 736 bytes │└─╴text/html 736 bytes
└─╴image/png inline 236 bytes └─╴image/png inline 236 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-sh
y-legacy.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-shy-
legacy.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: [...] Subject: [...]
Message-ID: <smime-signed-enc-complex-hp-shy-legacy@example> Message-ID: <smime-signed-enc-complex-hp-shy-legacy@example>
From: alice@smime.example From: alice@smime.example
To: bob@smime.example To: bob@smime.example
Date: Sat, 20 Feb 2021 17:13:02 +0000 Date: Sat, 20 Feb 2021 17:13:02 +0000
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
skipping to change at line 8636 skipping to change at line 8358
3q2Yerkjrz+/Lnbc+XJgtNYErzK00b2Yl+wSivCvgs2CZwHAWagb40ycaJcp1rGs 3q2Yerkjrz+/Lnbc+XJgtNYErzK00b2Yl+wSivCvgs2CZwHAWagb40ycaJcp1rGs
SHSAyMEe3+9g2Xd9Y5UyhPCePnIFtfvThUUWDMBbl4NkTZhci2Q+NGhwSfd//i/q SHSAyMEe3+9g2Xd9Y5UyhPCePnIFtfvThUUWDMBbl4NkTZhci2Q+NGhwSfd//i/q
0dCdTZHj3ucJsNkCtfW7DtIykpy6Vld5smayE1zu5WjE2EzfumQHHqkOrfCNBBbi 0dCdTZHj3ucJsNkCtfW7DtIykpy6Vld5smayE1zu5WjE2EzfumQHHqkOrfCNBBbi
plJwXI0WLdVCJrSAUoOTlZbE22r4tJnar1DA+V3Jep/VPZ1mNxa5Dh0fseI4h63q plJwXI0WLdVCJrSAUoOTlZbE22r4tJnar1DA+V3Jep/VPZ1mNxa5Dh0fseI4h63q
eudtLO5NBMLMQxz762u9uB0y1vuFmKOX0VWz2aXZ6jHmN0z4zuwrqbS6yHYqEX3Z eudtLO5NBMLMQxz762u9uB0y1vuFmKOX0VWz2aXZ6jHmN0z4zuwrqbS6yHYqEX3Z
4NzaoFOD7eRJbH92yFb1owGjPsb7QcRykQfBhmiIHeNJUoja5xZdk9M7vX5ygB8w 4NzaoFOD7eRJbH92yFb1owGjPsb7QcRykQfBhmiIHeNJUoja5xZdk9M7vX5ygB8w
AIk33yHYWOumHHFeSPvHlTTsNvLel422gDyiDO0fXmJfGAsauqcX11jNB7RI+HM3 AIk33yHYWOumHHFeSPvHlTTsNvLel422gDyiDO0fXmJfGAsauqcX11jNB7RI+HM3
HnXNeubb3y3aA1bl1djZxngAwOQ1Sr9aLobmpbL/zsKrFXG7/fiz2DmachOLJL97 HnXNeubb3y3aA1bl1djZxngAwOQ1Sr9aLobmpbL/zsKrFXG7/fiz2DmachOLJL97
PU1j9MTspdH8VtBXX1KFyOSQKBRoGtYmG/OK5gilSXSSevz84KJiZw1ReIMXCa77 PU1j9MTspdH8VtBXX1KFyOSQKBRoGtYmG/OK5gilSXSSevz84KJiZw1ReIMXCa77
8Qxgzs7bIccDSBVzfzxjFADQxFY2jm+g8mr5b17byqO5wiNlLaGyneQeGMsI6H4Q 8Qxgzs7bIccDSBVzfzxjFADQxFY2jm+g8mr5b17byqO5wiNlLaGyneQeGMsI6H4Q
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-over-a-complex-message-hea
<section anchor="smime-signed-and-encrypted-over-a-complex-message-header-protec der-protection-with-hcpshy-legacy-display-decrypted">
tion-with-hcpshy-legacy-display-decrypted"><name>S/MIME Signed and Encrypted Ove <name>S/MIME Signed and Encrypted over a Complex Message, Header Pro
r a Complex Message, Header Protection With hcp_shy (+ Legacy Display), Decrypte tection with hcp_shy (+ Legacy Display), Decrypted</name>
d</name> <t>The S/MIME enveloped-data layer unwraps to this signed-data part:
</t>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-
shy-legacy.decrypted.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-shy-
legacy.decrypted.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIIUEgYJKoZIhvcNAQcCoIIUAzCCE/8CAQExDTALBglghkgBZQMEAgEwggo7Bgkq MIIUEgYJKoZIhvcNAQcCoIIUAzCCE/8CAQExDTALBglghkgBZQMEAgEwggo7Bgkq
hkiG9w0BBwGgggosBIIKKE1JTUUtVmVyc2lvbjogMS4wDQpTdWJqZWN0OiBzbWlt hkiG9w0BBwGgggosBIIKKE1JTUUtVmVyc2lvbjogMS4wDQpTdWJqZWN0OiBzbWlt
ZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtc2h5LWxlZ2FjeQ0KTWVzc2FnZS1JRDog ZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtc2h5LWxlZ2FjeQ0KTWVzc2FnZS1JRDog
PHNtaW1lLXNpZ25lZC1lbmMtY29tcGxleC1ocC1zaHktbGVnYWN5QGV4YW1wbGU+ PHNtaW1lLXNpZ25lZC1lbmMtY29tcGxleC1ocC1zaHktbGVnYWN5QGV4YW1wbGU+
DQpGcm9tOiBBbGljZSA8YWxpY2VAc21pbWUuZXhhbXBsZT4NClRvOiBCb2IgPGJv DQpGcm9tOiBBbGljZSA8YWxpY2VAc21pbWUuZXhhbXBsZT4NClRvOiBCb2IgPGJv
YkBzbWltZS5leGFtcGxlPg0KRGF0ZTogU2F0LCAyMCBGZWIgMjAyMSAxMjoxMzow YkBzbWltZS5leGFtcGxlPg0KRGF0ZTogU2F0LCAyMCBGZWIgMjAyMSAxMjoxMzow
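Review bot: The renamed section title in the right-hand column, "S/MIME Signed and Encrypted over a Complex Message, Header Protection with hcp_shy (+ Legacy Display), Decrypted", keeps "Signed and Encrypted" unhyphenated, while the reply sections renamed in this same revision use "Signed-and-Encrypted Reply over a Complex Message" and the body text says "signed-and-encrypted S/MIME message". Suggest settling on one form for every <name> in these test-vector sections so the table of contents does not mix the two spellings. The anchor attribute is identical in both columns, which keeps existing cross-references stable, so only the <name> text needs touching.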
skipping to change at line 8755 skipping to change at line 8475
ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglg ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglg
hkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJ hkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJ
BTEPFw0yMTAyMjAxNzEzMDJaMC8GCSqGSIb3DQEJBDEiBCBllHSf7b+HyaqXmEwT BTEPFw0yMTAyMjAxNzEzMDJaMC8GCSqGSIb3DQEJBDEiBCBllHSf7b+HyaqXmEwT
DQLFcyd845Y683fln5KaB6NJmjANBgkqhkiG9w0BAQEFAASCAQCRRSDM+MtNb5av DQLFcyd845Y683fln5KaB6NJmjANBgkqhkiG9w0BAQEFAASCAQCRRSDM+MtNb5av
W1U6o2LxrDXrrIy7lb8Vw1D3gHSgEaeZ3ZvZ6OefQPh4OkHNy/oescj+rKZzcLHB W1U6o2LxrDXrrIy7lb8Vw1D3gHSgEaeZ3ZvZ6OefQPh4OkHNy/oescj+rKZzcLHB
s3RZ9Tnybr7p3kawIEFv1DW3aiyXQ49gQyPHn2Nwi6hK7Gn5d7rjSFuzprWYACg7 s3RZ9Tnybr7p3kawIEFv1DW3aiyXQ49gQyPHn2Nwi6hK7Gn5d7rjSFuzprWYACg7
hAVWBd4/prAE1mNMR4DOOXoPYZn+ggJb/oaagcbdEy3WrznO2n6TW6Eb7bBoUT4t hAVWBd4/prAE1mNMR4DOOXoPYZn+ggJb/oaagcbdEy3WrznO2n6TW6Eb7bBoUT4t
IrZRWxPrdP30T7N1eHMmCDNGSXt/fC9rgcRLz+cj+1czfU1Gf+qIxg05HyrVMrkL IrZRWxPrdP30T7N1eHMmCDNGSXt/fC9rgcRLz+cj+1czfU1Gf+qIxg05HyrVMrkL
+XiCEoOck2+pbpz5WFPcmnRXLgH2FMlSNWU5RwbRu5YZejoKBiUZNlUmlA08d5JV +XiCEoOck2+pbpz5WFPcmnRXLgH2FMlSNWU5RwbRu5YZejoKBiUZNlUmlA08d5JV
U3Zqnl/G U3Zqnl/G
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-over-a-complex-message-hea
<section anchor="smime-signed-and-encrypted-over-a-complex-message-header-protec der-protection-with-hcpshy-legacy-display-decrypted-and-unwrapped">
tion-with-hcpshy-legacy-display-decrypted-and-unwrapped"><name>S/MIME Signed and <name>S/MIME Signed and Encrypted over a Complex Message, Header Pro
Encrypted Over a Complex Message, Header Protection With hcp_shy (+ Legacy Disp tection with hcp_shy (+ Legacy Display), Decrypted and Unwrapped</name>
lay), Decrypted and Unwrapped</name> <t>The inner signed-data layer unwraps to:</t>
<sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-
<t>The inner signed-data layer unwraps to:</t> shy-legacy.decrypted.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-shy-
legacy.decrypted.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Subject: smime-signed-enc-complex-hp-shy-legacy Subject: smime-signed-enc-complex-hp-shy-legacy
Message-ID: <smime-signed-enc-complex-hp-shy-legacy@example> Message-ID: <smime-signed-enc-complex-hp-shy-legacy@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:13:02 -0500 Date: Sat, 20 Feb 2021 12:13:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...] HP-Outer: Subject: [...]
HP-Outer: HP-Outer:
Message-ID: <smime-signed-enc-complex-hp-shy-legacy@example> Message-ID: <smime-signed-enc-complex-hp-shy-legacy@example>
skipping to change at line 8845 skipping to change at line 8563
Content-Type: image/png Content-Type: image/png
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Disposition: inline Content-Disposition: inline
iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg== vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==
--cd5-- --cd5--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-signed-enc-complex-hp-baseline-reply">
<section anchor="smime-signed-enc-complex-hp-baseline-reply"><name>S/MIME Signed <name>S/MIME Signed-and-Encrypted Reply over a Complex Message, Header
and Encrypted Reply Over a Complex Message, Header Protection With hcp_baseline Protection with hcp_baseline</name>
</name> <t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
dData around signedData. The payload is a multipart/alternative message with an
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou inline image/png attachment. It uses the Header Protection scheme from the draf
nd signedData. The payload is a multipart/alternative message with an inline im t with the hcp_baseline <iref item="Header Confidentiality Policy"/><xref target
age/png attachment. It uses the Header Protection scheme from the draft with the ="header-confidentiality-policy" format="none">Header Confidentiality Policy</xr
hcp_baseline <iref item="Header Confidentiality Policy"/><xref target="header-c ef>.</t>
onfidentiality-policy" format="none">Header Confidentiality Policy</xref>.</t> <t>It has the following structure:</t>
<artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 10575 bytes └─╴application/pkcs7-mime [smime.p7m] 10575 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 6820 bytes └─╴application/pkcs7-mime [smime.p7m] 6820 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└┬╴multipart/mixed 2345 bytes └┬╴multipart/mixed 2345 bytes
├┬╴multipart/alternative 1136 bytes ├┬╴multipart/alternative 1136 bytes
│├─╴text/plain 389 bytes │├─╴text/plain 389 bytes
│└─╴text/html 484 bytes │└─╴text/html 484 bytes
└─╴image/png inline 236 bytes └─╴image/png inline 236 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-ba
seline-reply.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-base
line-reply.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: [...] Subject: [...]
Message-ID: <smime-signed-enc-complex-hp-baseline-reply@example> Message-ID: <smime-signed-enc-complex-hp-baseline-reply@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:15:02 -0500 Date: Sat, 20 Feb 2021 12:15:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-complex-hp-baseline@example> In-Reply-To: <smime-signed-enc-complex-hp-baseline@example>
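Review bot: The <t> paragraph introducing this vector still reads "It uses the Header Protection scheme from the draft with the hcp_baseline Header Confidentiality Policy" in the right-hand column, which is the published rfc9788.xml rather than the Internet-Draft. Suggest replacing "from the draft" with "from this document" (or a section reference), since a reader of the RFC has no draft to refer to. The same sentence appears in the hcp_baseline (+ Legacy Display) and hcp_shy reply sections further down and would need the same change.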
skipping to change at line 9045 skipping to change at line 8758
AV7phEbm4W0BSBdNJmnzLQipGKzszyTd4XlgaXB2HqxFlWbKWJdAdHkFK8faN4SK AV7phEbm4W0BSBdNJmnzLQipGKzszyTd4XlgaXB2HqxFlWbKWJdAdHkFK8faN4SK
ztxxOBngAlBMdPtxEi4tev7S93SFKoqMwY18vHlLOHi/oFpaWMjJsE4uxdqvtz/x ztxxOBngAlBMdPtxEi4tev7S93SFKoqMwY18vHlLOHi/oFpaWMjJsE4uxdqvtz/x
aeZMmgstD1ZYRykBqGzjm8cMeoQawJ9HF6AkNFPo9+AsgXCuPNhutGZuCv3vAWTg aeZMmgstD1ZYRykBqGzjm8cMeoQawJ9HF6AkNFPo9+AsgXCuPNhutGZuCv3vAWTg
yXAiMHDuzahSggfr7r2ixkDUxD12/5RSeSDvCkeCWsjBKVpyzoWn2QksAMBoETyN yXAiMHDuzahSggfr7r2ixkDUxD12/5RSeSDvCkeCWsjBKVpyzoWn2QksAMBoETyN
F2gcjouX2Cp+OkOQV0e8Y6zIOWE/SGUkFkUDRJUSA8gkpfXWDPV8MN6rAMULWUGP F2gcjouX2Cp+OkOQV0e8Y6zIOWE/SGUkFkUDRJUSA8gkpfXWDPV8MN6rAMULWUGP
jYcRtabSgnlXKn6VivRiBlGXvp7iOXpsoGtMwof9hUcoo/HYMAvdsd5anaIZU8tA jYcRtabSgnlXKn6VivRiBlGXvp7iOXpsoGtMwof9hUcoo/HYMAvdsd5anaIZU8tA
g+c+8OHky2OJ5mzUWmk1CcBIWO9yyAHsy7ivSVzJtxDuTrQAuuH92MZgyvGnoioM g+c+8OHky2OJ5mzUWmk1CcBIWO9yyAHsy7ivSVzJtxDuTrQAuuH92MZgyvGnoioM
uaKOwNzrmhAAhBruv0XpMd/RBIu5+e8EM+fIuYwwwYDWIpn9vMbkKiBv4h5PQ8+T uaKOwNzrmhAAhBruv0XpMd/RBIu5+e8EM+fIuYwwwYDWIpn9vMbkKiBv4h5PQ8+T
cunAwgNdg0qVFeZ96Gu1sIHttbexEvSADg9fplx7TG+DZgSrDkxhnJ80a0hZhZ2F cunAwgNdg0qVFeZ96Gu1sIHttbexEvSADg9fplx7TG+DZgSrDkxhnJ80a0hZhZ2F
CYJJrvEcQn+/ItTftmmV5tpG2r/LCufYFL26h0RXdD8= CYJJrvEcQn+/ItTftmmV5tpG2r/LCufYFL26h0RXdD8=
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-reply-over-a-complex-messa
<section anchor="smime-signed-and-encrypted-reply-over-a-complex-message-header- ge-header-protection-with-hcpbaseline-decrypted">
protection-with-hcpbaseline-decrypted"><name>S/MIME Signed and Encrypted Reply O <name>S/MIME Signed-and-Encrypted Reply over a Complex Message, Head
ver a Complex Message, Header Protection With hcp_baseline, Decrypted</name> er Protection with hcp_baseline, Decrypted</name>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> </t>
<sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-base baseline-reply.decrypted.eml"><![CDATA[
line-reply.decrypted.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIITWQYJKoZIhvcNAQcCoIITSjCCE0YCAQExDTALBglghkgBZQMEAgEwggmCBgkq MIITWQYJKoZIhvcNAQcCoIITSjCCE0YCAQExDTALBglghkgBZQMEAgEwggmCBgkq
hkiG9w0BBwGggglzBIIJb01JTUUtVmVyc2lvbjogMS4wDQpTdWJqZWN0OiBzbWlt hkiG9w0BBwGggglzBIIJb01JTUUtVmVyc2lvbjogMS4wDQpTdWJqZWN0OiBzbWlt
ZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtYmFzZWxpbmUtcmVwbHkNCk1lc3NhZ2Ut ZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtYmFzZWxpbmUtcmVwbHkNCk1lc3NhZ2Ut
SUQ6IDxzbWltZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtYmFzZWxpbmUtcmVwbHlA SUQ6IDxzbWltZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtYmFzZWxpbmUtcmVwbHlA
ZXhhbXBsZT4NCkZyb206IEFsaWNlIDxhbGljZUBzbWltZS5leGFtcGxlPg0KVG86 ZXhhbXBsZT4NCkZyb206IEFsaWNlIDxhbGljZUBzbWltZS5leGFtcGxlPg0KVG86
IEJvYiA8Ym9iQHNtaW1lLmV4YW1wbGU+DQpEYXRlOiBTYXQsIDIwIEZlYiAyMDIx IEJvYiA8Ym9iQHNtaW1lLmV4YW1wbGU+DQpEYXRlOiBTYXQsIDIwIEZlYiAyMDIx
skipping to change at line 9160 skipping to change at line 8871
UyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzdBBXntdX9CqaJcOvT4as6a UyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzdBBXntdX9CqaJcOvT4as6a
qdcwCwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq qdcwCwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq
hkiG9w0BCQUxDxcNMjEwMjIwMTcxNTAyWjAvBgkqhkiG9w0BCQQxIgQgzz6zrLzs hkiG9w0BCQUxDxcNMjEwMjIwMTcxNTAyWjAvBgkqhkiG9w0BCQQxIgQgzz6zrLzs
Pn86IlgrGm7Fheev5QucTU+VJZWxIIrBFk8wDQYJKoZIhvcNAQEBBQAEggEASITl Pn86IlgrGm7Fheev5QucTU+VJZWxIIrBFk8wDQYJKoZIhvcNAQEBBQAEggEASITl
JnQGy7Cb5U6BdSMX3mnksCOX8mvaxy3o0QqNUbUGhNNPKI0LIWOdjHUL2Eq8+99Y JnQGy7Cb5U6BdSMX3mnksCOX8mvaxy3o0QqNUbUGhNNPKI0LIWOdjHUL2Eq8+99Y
2+WvVn3ZkAJ7KF/89ja3u4NTiwu30wWsd7DL7t1z8DJBK6JuyaY4xtohUPVa2gL2 2+WvVn3ZkAJ7KF/89ja3u4NTiwu30wWsd7DL7t1z8DJBK6JuyaY4xtohUPVa2gL2
1atPowCt0X5RF7lmihqZnDGGUAzjfLpVsFnyIVAL3QG4/vW609d+aeO+ccdwzzUh 1atPowCt0X5RF7lmihqZnDGGUAzjfLpVsFnyIVAL3QG4/vW609d+aeO+ccdwzzUh
lE03h3qpHK9wX5pWBNZCfdmjdXUFacU+fMe1mG9I8A1HMY09zj+rNz3onoIHJWJ2 lE03h3qpHK9wX5pWBNZCfdmjdXUFacU+fMe1mG9I8A1HMY09zj+rNz3onoIHJWJ2
FBWS2tqK2eW8yCf/LSq9M5k86VbTjPjvjPz8FqupzugC5sUAx2JMUfUOq4A9hW+j FBWS2tqK2eW8yCf/LSq9M5k86VbTjPjvjPz8FqupzugC5sUAx2JMUfUOq4A9hW+j
g8PEOcwaEeYOMdSeKw== g8PEOcwaEeYOMdSeKw==
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-reply-over-a-complex-messa
<section anchor="smime-signed-and-encrypted-reply-over-a-complex-message-header- ge-header-protection-with-hcpbaseline-decrypted-and-unwrapped">
protection-with-hcpbaseline-decrypted-and-unwrapped"><name>S/MIME Signed and Enc <name>S/MIME Signed-and-Encrypted Reply over a Complex Message, Head
rypted Reply Over a Complex Message, Header Protection With hcp_baseline, Decryp er Protection with hcp_baseline, Decrypted and Unwrapped</name>
ted and Unwrapped</name> <t>The inner signed-data layer unwraps to:</t>
<sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-
<t>The inner signed-data layer unwraps to:</t> baseline-reply.decrypted.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-base
line-reply.decrypted.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Subject: smime-signed-enc-complex-hp-baseline-reply Subject: smime-signed-enc-complex-hp-baseline-reply
Message-ID: <smime-signed-enc-complex-hp-baseline-reply@example> Message-ID: <smime-signed-enc-complex-hp-baseline-reply@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:15:02 -0500 Date: Sat, 20 Feb 2021 12:15:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-complex-hp-baseline@example> In-Reply-To: <smime-signed-enc-complex-hp-baseline@example>
References: <smime-signed-enc-complex-hp-baseline@example> References: <smime-signed-enc-complex-hp-baseline@example>
HP-Outer: Subject: [...] HP-Outer: Subject: [...]
skipping to change at line 9240 skipping to change at line 8949
Content-Type: image/png Content-Type: image/png
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Disposition: inline Content-Disposition: inline
iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg== vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==
--b2f-- --b2f--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-signed-enc-complex-hp-baseline-lgc-rpl">
<section anchor="smime-signed-enc-complex-hp-baseline-lgc-rpl"><name>S/MIME Sign <name>S/MIME Signed-and-Encrypted Reply over a Complex Message, Header
ed and Encrypted Reply Over a Complex Message, Header Protection With hcp_baseli Protection with hcp_baseline (+ Legacy Display)</name>
ne (+ Legacy Display)</name> <t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
dData around signedData. The payload is a multipart/alternative message with an
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou inline image/png attachment. It uses the Header Protection scheme from the draf
nd signedData. The payload is a multipart/alternative message with an inline im t with the hcp_baseline <iref item="Header Confidentiality Policy"/><xref target
age/png attachment. It uses the Header Protection scheme from the draft with the ="header-confidentiality-policy" format="none">Header Confidentiality Policy</xr
hcp_baseline <iref item="Header Confidentiality Policy"/><xref target="header-c ef> with a "Legacy Display" part.</t>
onfidentiality-policy" format="none">Header Confidentiality Policy</xref> with a <t>It has the following structure:</t>
"Legacy Display" part.</t> <artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 11205 bytes └─╴application/pkcs7-mime [smime.p7m] 11205 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 7278 bytes └─╴application/pkcs7-mime [smime.p7m] 7278 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└┬╴multipart/mixed 2666 bytes └┬╴multipart/mixed 2666 bytes
├┬╴multipart/alternative 1419 bytes ├┬╴multipart/alternative 1419 bytes
│├─╴text/plain 478 bytes │├─╴text/plain 478 bytes
│└─╴text/html 638 bytes │└─╴text/html 638 bytes
└─╴image/png inline 236 bytes └─╴image/png inline 236 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-ba
seline-lgc-rpl.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-base
line-lgc-rpl.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: [...] Subject: [...]
Message-ID: Message-ID:
<smime-signed-enc-complex-hp-baseline-lgc-rpl@example> <smime-signed-enc-complex-hp-baseline-lgc-rpl@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:16:02 -0500 Date: Sat, 20 Feb 2021 12:16:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
skipping to change at line 9453 skipping to change at line 9157
NBr1VhambZliGNjAF7gS+AoyZdSFHvjyUZ8dx0Tw4qEGvUparsp2MKHqmF0+29Ty NBr1VhambZliGNjAF7gS+AoyZdSFHvjyUZ8dx0Tw4qEGvUparsp2MKHqmF0+29Ty
GkOgetOL6bcoW29PkhnodKSscod7sk4C70hJBJ7RrJNlA5YuwrWzokeD3rjEzqlj GkOgetOL6bcoW29PkhnodKSscod7sk4C70hJBJ7RrJNlA5YuwrWzokeD3rjEzqlj
dmRN2m9DQnXNeHKsxEsCkgIeLZVsrCxMVONTCrdfQnKnzZDgtoI4EYFfEElN6qQ7 dmRN2m9DQnXNeHKsxEsCkgIeLZVsrCxMVONTCrdfQnKnzZDgtoI4EYFfEElN6qQ7
v8LtiJyqtmYSPU3c3xb+zsWtElso+HfHELrwsY8ge485xBwtGTGKZtCcxsKtj97X v8LtiJyqtmYSPU3c3xb+zsWtElso+HfHELrwsY8ge485xBwtGTGKZtCcxsKtj97X
gb/4pfvziajCLU/MWnE4fzQXPjXk8NEQRdk+EsgoCOxnTPShAnW+MDN143ndDN+J gb/4pfvziajCLU/MWnE4fzQXPjXk8NEQRdk+EsgoCOxnTPShAnW+MDN143ndDN+J
+BuTpFVF/duO+Vobv3N+3dH+Qd1qhui+q7R+ojXyp516X0IZCKr6211hAGgI7i+y +BuTpFVF/duO+Vobv3N+3dH+Qd1qhui+q7R+ojXyp516X0IZCKr6211hAGgI7i+y
Z2RGCHIF3AA3ncH/An0X0RHgQi7ZIoSGDoHR2v0blOXDBNlzRXXiVEUGu1XuBp/o Z2RGCHIF3AA3ncH/An0X0RHgQi7ZIoSGDoHR2v0blOXDBNlzRXXiVEUGu1XuBp/o
BDnnXqcLT2Nng2tgdu6XvbIfgdr15/zrwKEAbG3yJa2iGsotgdiu1DgU7lfktlPq BDnnXqcLT2Nng2tgdu6XvbIfgdr15/zrwKEAbG3yJa2iGsotgdiu1DgU7lfktlPq
ftTzg2nvDkTGT86AsTQNM2ClARtAmQnul5v/Oo926jCr+471rEXfN6Gm6zkwwoAG ftTzg2nvDkTGT86AsTQNM2ClARtAmQnul5v/Oo926jCr+471rEXfN6Gm6zkwwoAG
ZyE19pnIaF/p7tczePNgug== ZyE19pnIaF/p7tczePNgug==
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-reply-over-a-complex-messa
<section anchor="smime-signed-and-encrypted-reply-over-a-complex-message-header- ge-header-protection-with-hcpbaseline-legacy-display-decrypted">
protection-with-hcpbaseline-legacy-display-decrypted"><name>S/MIME Signed and En <name>S/MIME Signed-and-Encrypted Reply over a Complex Message, Head
crypted Reply Over a Complex Message, Header Protection With hcp_baseline (+ Leg er Protection with hcp_baseline (+ Legacy Display), Decrypted</name>
acy Display), Decrypted</name> <t>The S/MIME enveloped-data layer unwraps to this signed-data part:
</t>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-
baseline-lgc-rpl.decrypted.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-base
line-lgc-rpl.decrypted.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIIUpgYJKoZIhvcNAQcCoIIUlzCCFJMCAQExDTALBglghkgBZQMEAgEwggrPBgkq MIIUpgYJKoZIhvcNAQcCoIIUlzCCFJMCAQExDTALBglghkgBZQMEAgEwggrPBgkq
hkiG9w0BBwGgggrABIIKvE1JTUUtVmVyc2lvbjogMS4wDQpTdWJqZWN0OiBzbWlt hkiG9w0BBwGgggrABIIKvE1JTUUtVmVyc2lvbjogMS4wDQpTdWJqZWN0OiBzbWlt
ZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtYmFzZWxpbmUtbGdjLXJwbA0KTWVzc2Fn ZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtYmFzZWxpbmUtbGdjLXJwbA0KTWVzc2Fn
ZS1JRDoNCiA8c21pbWUtc2lnbmVkLWVuYy1jb21wbGV4LWhwLWJhc2VsaW5lLWxn ZS1JRDoNCiA8c21pbWUtc2lnbmVkLWVuYy1jb21wbGV4LWhwLWJhc2VsaW5lLWxn
Yy1ycGxAZXhhbXBsZT4NCkZyb206IEFsaWNlIDxhbGljZUBzbWltZS5leGFtcGxl Yy1ycGxAZXhhbXBsZT4NCkZyb206IEFsaWNlIDxhbGljZUBzbWltZS5leGFtcGxl
Pg0KVG86IEJvYiA8Ym9iQHNtaW1lLmV4YW1wbGU+DQpEYXRlOiBTYXQsIDIwIEZl Pg0KVG86IEJvYiA8Ym9iQHNtaW1lLmV4YW1wbGU+DQpEYXRlOiBTYXQsIDIwIEZl
skipping to change at line 9575 skipping to change at line 9277
U0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzdBBXntdX9CqaJcOvT4as6aqdcw U0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzdBBXntdX9CqaJcOvT4as6aqdcw
CwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG CwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG
9w0BCQUxDxcNMjEwMjIwMTcxNjAyWjAvBgkqhkiG9w0BCQQxIgQg4f753q+skjOT 9w0BCQUxDxcNMjEwMjIwMTcxNjAyWjAvBgkqhkiG9w0BCQQxIgQg4f753q+skjOT
bEsl5q6WUySCAbgxotWkN7Ci2/Q7J9cwDQYJKoZIhvcNAQEBBQAEggEAiUGuCHAe bEsl5q6WUySCAbgxotWkN7Ci2/Q7J9cwDQYJKoZIhvcNAQEBBQAEggEAiUGuCHAe
JkzXXnkH3k8yFGtEkkMscuC0JOPwqnxHzILBDYt9udpeParT/drO0VgRKxCQ0mxT JkzXXnkH3k8yFGtEkkMscuC0JOPwqnxHzILBDYt9udpeParT/drO0VgRKxCQ0mxT
sz0D65erzo+ZXfuXC5+Q4hzqdNkQhC8Vi7H2NL8KLsBrXNLZtG82xco08fTKTWVq sz0D65erzo+ZXfuXC5+Q4hzqdNkQhC8Vi7H2NL8KLsBrXNLZtG82xco08fTKTWVq
c2HwuAPL0+Yh+fTfqrr5oRnJvPVkTxl97KxTA1YNQh/s+Uuacumnmr/3iuHwjubd c2HwuAPL0+Yh+fTfqrr5oRnJvPVkTxl97KxTA1YNQh/s+Uuacumnmr/3iuHwjubd
+iesA8wZ9RWsmeg4FGUzaVrTRIHj8p6YQQYJcOomV9GuRbjUzMVTL/fOB0G6Jho1 +iesA8wZ9RWsmeg4FGUzaVrTRIHj8p6YQQYJcOomV9GuRbjUzMVTL/fOB0G6Jho1
aq6nGVcsoVTMIrH8nJv54eHQtWtYFBJI855oDbkIS4DxH0wR5121BayRN7MgC6q+ aq6nGVcsoVTMIrH8nJv54eHQtWtYFBJI855oDbkIS4DxH0wR5121BayRN7MgC6q+
H+cJTAZUD2IF7Q== H+cJTAZUD2IF7Q==
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-reply-over-a-complex-messa
<section anchor="smime-signed-and-encrypted-reply-over-a-complex-message-header- ge-header-protection-with-hcpbaseline-legacy-display-decrypted-and-unwrapped">
protection-with-hcpbaseline-legacy-display-decrypted-and-unwrapped"><name>S/MIME <name>S/MIME Signed-and-Encrypted Reply over a Complex Message, Head
Signed and Encrypted Reply Over a Complex Message, Header Protection With hcp_b er Protection with hcp_baseline (+ Legacy Display), Decrypted and Unwrapped</nam
aseline (+ Legacy Display), Decrypted and Unwrapped</name> e>
<t>The inner signed-data layer unwraps to:</t>
<t>The inner signed-data layer unwraps to:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-
baseline-lgc-rpl.decrypted.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-base
line-lgc-rpl.decrypted.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Subject: smime-signed-enc-complex-hp-baseline-lgc-rpl Subject: smime-signed-enc-complex-hp-baseline-lgc-rpl
Message-ID: Message-ID:
<smime-signed-enc-complex-hp-baseline-lgc-rpl@example> <smime-signed-enc-complex-hp-baseline-lgc-rpl@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:16:02 -0500 Date: Sat, 20 Feb 2021 12:16:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
In-Reply-To: In-Reply-To:
<smime-signed-enc-complex-hp-baseline-legacy@example> <smime-signed-enc-complex-hp-baseline-legacy@example>
skipping to change at line 9668 skipping to change at line 9368
Content-Type: image/png Content-Type: image/png
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Disposition: inline Content-Disposition: inline
iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg== vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==
--63c-- --63c--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-signed-enc-complex-hp-shy-reply">
<section anchor="smime-signed-enc-complex-hp-shy-reply"><name>S/MIME Signed and <name>S/MIME Signed-and-Encrypted Reply over a Complex Message, Header
Encrypted Reply Over a Complex Message, Header Protection With hcp_shy</name> Protection with hcp_shy</name>
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou dData around signedData. The payload is a multipart/alternative message with an
nd signedData. The payload is a multipart/alternative message with an inline im inline image/png attachment. It uses the Header Protection scheme from the draf
age/png attachment. It uses the Header Protection scheme from the draft with the t with the hcp_shy <iref item="Header Confidentiality Policy"/><xref target="hea
hcp_shy <iref item="Header Confidentiality Policy"/><xref target="header-confid der-confidentiality-policy" format="none">Header Confidentiality Policy</xref>.<
entiality-policy" format="none">Header Confidentiality Policy</xref>.</t> /t>
<t>It has the following structure:</t>
<t>It has the following structure:</t> <artwork type="ascii-art"><![CDATA[
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 10445 bytes └─╴application/pkcs7-mime [smime.p7m] 10445 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 6716 bytes └─╴application/pkcs7-mime [smime.p7m] 6716 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└┬╴multipart/mixed 2273 bytes └┬╴multipart/mixed 2273 bytes
├┬╴multipart/alternative 1116 bytes ├┬╴multipart/alternative 1116 bytes
│├─╴text/plain 379 bytes │├─╴text/plain 379 bytes
│└─╴text/html 474 bytes │└─╴text/html 474 bytes
└─╴image/png inline 236 bytes └─╴image/png inline 236 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-sh
y-reply.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-shy-
reply.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: [...] Subject: [...]
Message-ID: <smime-signed-enc-complex-hp-shy-reply@example> Message-ID: <smime-signed-enc-complex-hp-shy-reply@example>
From: alice@smime.example From: alice@smime.example
To: bob@smime.example To: bob@smime.example
Date: Sat, 20 Feb 2021 17:18:02 +0000 Date: Sat, 20 Feb 2021 17:18:02 +0000
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-complex-hp-shy@example> In-Reply-To: <smime-signed-enc-complex-hp-shy@example>
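Review bot: The introductory <t> for this hcp_shy reply does not say which outer fields the policy altered, yet the outer header in the sample shows "Subject: [...]", "From: alice@smime.example" and "Date: Sat, 20 Feb 2021 17:18:02 +0000", while the protected header of the same message in the "Decrypted and Unwrapped" subsection carries the real Subject, "From: Alice <alice@smime.example>" and "Date: Sat, 20 Feb 2021 12:18:02 -0500". Suggest adding one sentence that names the fields that differ between the outer and protected headers (Subject, the display names in From and To, and the Date time zone), so an implementer comparing their own output against this vector can tell that each difference is intended and not a transcription error.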
skipping to change at line 9866 skipping to change at line 9561
+Dq4AptNdZliJTVrkKKw0buQJMrcUvWKKxkUC9/N5DeNVV7yVuyVBUOk1Q9Zub8X +Dq4AptNdZliJTVrkKKw0buQJMrcUvWKKxkUC9/N5DeNVV7yVuyVBUOk1Q9Zub8X
SNFkFDZ4I+CfQDrN9YedY+lAMjcmiYIDn9s2RmYnGgAVlYweN7y8hE36sNAxDUKq SNFkFDZ4I+CfQDrN9YedY+lAMjcmiYIDn9s2RmYnGgAVlYweN7y8hE36sNAxDUKq
AEgC8bJrTAy7axaqj2m8c/F1nXzmKBn1+Q4zSW8oeNjvfSpfS5ZeljHnyHrZrUN5 AEgC8bJrTAy7axaqj2m8c/F1nXzmKBn1+Q4zSW8oeNjvfSpfS5ZeljHnyHrZrUN5
fVyet/3gok33Qqh58j2kXSVgWJrtbsIk1x5Zu2Q+QeUmMykA2ltAe//NbcRm5NzW fVyet/3gok33Qqh58j2kXSVgWJrtbsIk1x5Zu2Q+QeUmMykA2ltAe//NbcRm5NzW
fdAyOP3IIvpwp6wOrtDxyBeDDmPS6Jkthp/3A9CmD7jewnt2D3f9OG1jlZI1nvvi fdAyOP3IIvpwp6wOrtDxyBeDDmPS6Jkthp/3A9CmD7jewnt2D3f9OG1jlZI1nvvi
VxqKkC+yHGxYKC1kdvZnkoVPS5sGA3STRxzWgfzZOrnvyNjKneokJY2CMA89A8wm VxqKkC+yHGxYKC1kdvZnkoVPS5sGA3STRxzWgfzZOrnvyNjKneokJY2CMA89A8wm
cdAbA8WTxoLo7ObjelYiyPgB5BWUqWvRbrVUYS6lrgLToUIfVSS/beNyjwwmjHgR cdAbA8WTxoLo7ObjelYiyPgB5BWUqWvRbrVUYS6lrgLToUIfVSS/beNyjwwmjHgR
C3a2iQQ74kYyMr1iBj9K0cUeyVSBHOMvwG5Xv0Phovz6waVZdSWOcxjDslz+Ghg/ C3a2iQQ74kYyMr1iBj9K0cUeyVSBHOMvwG5Xv0Phovz6waVZdSWOcxjDslz+Ghg/
c74x37hFQSAiIUt9ZzrE569QNP6wcGe/S0MxL5MG6bqu5BH8MGrBeQ0IPRCwXFwI c74x37hFQSAiIUt9ZzrE569QNP6wcGe/S0MxL5MG6bqu5BH8MGrBeQ0IPRCwXFwI
+Hvwh/mIF5Uc0hssRDYNn9YxYA0jCLsjpxjMcDJCMUA= +Hvwh/mIF5Uc0hssRDYNn9YxYA0jCLsjpxjMcDJCMUA=
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-reply-over-a-complex-messa
<section anchor="smime-signed-and-encrypted-reply-over-a-complex-message-header- ge-header-protection-with-hcpshy-decrypted">
protection-with-hcpshy-decrypted"><name>S/MIME Signed and Encrypted Reply Over a <name>S/MIME Signed-and-Encrypted Reply over a Complex Message, Head
Complex Message, Header Protection With hcp_shy, Decrypted</name> er Protection with hcp_shy, Decrypted</name>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> </t>
<sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-shy- shy-reply.decrypted.eml"><![CDATA[
reply.decrypted.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIITEAYJKoZIhvcNAQcCoIITATCCEv0CAQExDTALBglghkgBZQMEAgEwggk5Bgkq MIITEAYJKoZIhvcNAQcCoIITATCCEv0CAQExDTALBglghkgBZQMEAgEwggk5Bgkq
hkiG9w0BBwGgggkqBIIJJk1JTUUtVmVyc2lvbjogMS4wDQpTdWJqZWN0OiBzbWlt hkiG9w0BBwGgggkqBIIJJk1JTUUtVmVyc2lvbjogMS4wDQpTdWJqZWN0OiBzbWlt
ZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtc2h5LXJlcGx5DQpNZXNzYWdlLUlEOiA8 ZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtc2h5LXJlcGx5DQpNZXNzYWdlLUlEOiA8
c21pbWUtc2lnbmVkLWVuYy1jb21wbGV4LWhwLXNoeS1yZXBseUBleGFtcGxlPg0K c21pbWUtc2lnbmVkLWVuYy1jb21wbGV4LWhwLXNoeS1yZXBseUBleGFtcGxlPg0K
RnJvbTogQWxpY2UgPGFsaWNlQHNtaW1lLmV4YW1wbGU+DQpUbzogQm9iIDxib2JA RnJvbTogQWxpY2UgPGFsaWNlQHNtaW1lLmV4YW1wbGU+DQpUbzogQm9iIDxib2JA
c21pbWUuZXhhbXBsZT4NCkRhdGU6IFNhdCwgMjAgRmViIDIwMjEgMTI6MTg6MDIg c21pbWUuZXhhbXBsZT4NCkRhdGU6IFNhdCwgMjAgRmViIDIwMjEgMTI6MTg6MDIg
skipping to change at line 9979 skipping to change at line 9672
RzExMC8GA1UEAxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhv RzExMC8GA1UEAxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhv
cml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglghkgBZQMEAgGgaTAYBgkqhkiG cml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglghkgBZQMEAgGgaTAYBgkqhkiG
9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNzE4MDJa 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNzE4MDJa
MC8GCSqGSIb3DQEJBDEiBCD0vcxZnCjxaOpfz5cIo9Maa0SVODPCXLJlV2Wbq4Z6 MC8GCSqGSIb3DQEJBDEiBCD0vcxZnCjxaOpfz5cIo9Maa0SVODPCXLJlV2Wbq4Z6
7zANBgkqhkiG9w0BAQEFAASCAQB3m6q708hB5tmuz6jzSJ+nCR7C0BRbfKypEnSP 7zANBgkqhkiG9w0BAQEFAASCAQB3m6q708hB5tmuz6jzSJ+nCR7C0BRbfKypEnSP
k2tdLaOAJWrHqljSd4klEJWy3x2SvLL9q+rSbmIWpK34PWVL1E7gbbJIBjfpoIUo k2tdLaOAJWrHqljSd4klEJWy3x2SvLL9q+rSbmIWpK34PWVL1E7gbbJIBjfpoIUo
+YMSIkhKFaKfUgulEi0zQG/HgnMENl6CDXa5ZrbW53SEpNpYgchUcqpg6Z0yOB07 +YMSIkhKFaKfUgulEi0zQG/HgnMENl6CDXa5ZrbW53SEpNpYgchUcqpg6Z0yOB07
oH7YOqF2111RRSzsjNMMDAm/1LvOFBR+nUERAhHvq1dpGpNuvbtAh4itWLLbDLlR oH7YOqF2111RRSzsjNMMDAm/1LvOFBR+nUERAhHvq1dpGpNuvbtAh4itWLLbDLlR
gIvrihHbqaUhf4VDQNg4MWjdHGATgPHNAb4hpfaxHxGEv+NYB/65VQWKGKMZujqk gIvrihHbqaUhf4VDQNg4MWjdHGATgPHNAb4hpfaxHxGEv+NYB/65VQWKGKMZujqk
aLH9nVThiAlEOyirAA7VlmvlUQgBem0pjh6ixnwK9HfPb7pG aLH9nVThiAlEOyirAA7VlmvlUQgBem0pjh6ixnwK9HfPb7pG
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-reply-over-a-complex-messa
<section anchor="smime-signed-and-encrypted-reply-over-a-complex-message-header- ge-header-protection-with-hcpshy-decrypted-and-unwrapped">
protection-with-hcpshy-decrypted-and-unwrapped"><name>S/MIME Signed and Encrypte <name>S/MIME Signed-and-Encrypted Reply over a Complex Message, Head
d Reply Over a Complex Message, Header Protection With hcp_shy, Decrypted and Un er Protection with hcp_shy, Decrypted and Unwrapped</name>
wrapped</name> <t>The inner signed-data layer unwraps to:</t>
<sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-
<t>The inner signed-data layer unwraps to:</t> shy-reply.decrypted.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-shy-
reply.decrypted.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Subject: smime-signed-enc-complex-hp-shy-reply Subject: smime-signed-enc-complex-hp-shy-reply
Message-ID: <smime-signed-enc-complex-hp-shy-reply@example> Message-ID: <smime-signed-enc-complex-hp-shy-reply@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:18:02 -0500 Date: Sat, 20 Feb 2021 12:18:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-complex-hp-shy@example> In-Reply-To: <smime-signed-enc-complex-hp-shy@example>
References: <smime-signed-enc-complex-hp-shy@example> References: <smime-signed-enc-complex-hp-shy@example>
HP-Outer: Subject: [...] HP-Outer: Subject: [...]
skipping to change at line 10057 skipping to change at line 9748
Content-Type: image/png Content-Type: image/png
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Disposition: inline Content-Disposition: inline
iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg== vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==
--46f-- --46f--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-signed-enc-complex-hp-shy-legacy-reply">
<section anchor="smime-signed-enc-complex-hp-shy-legacy-reply"><name>S/MIME Sign <name>S/MIME Signed-and-Encrypted Reply over a Complex Message, Header
ed and Encrypted Reply Over a Complex Message, Header Protection With hcp_shy (+ Protection with hcp_shy (+ Legacy Display)</name>
Legacy Display)</name> <t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
dData around signedData. The payload is a multipart/alternative message with an
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou inline image/png attachment. It uses the Header Protection scheme from the draf
nd signedData. The payload is a multipart/alternative message with an inline im t with the hcp_shy <iref item="Header Confidentiality Policy"/><xref target="hea
age/png attachment. It uses the Header Protection scheme from the draft with the der-confidentiality-policy" format="none">Header Confidentiality Policy</xref> w
hcp_shy <iref item="Header Confidentiality Policy"/><xref target="header-confid ith a "Legacy Display" part.</t>
entiality-policy" format="none">Header Confidentiality Policy</xref> with a "Leg <t>It has the following structure:</t>
acy Display" part.</t> <artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 11505 bytes └─╴application/pkcs7-mime [smime.p7m] 11505 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 7508 bytes └─╴application/pkcs7-mime [smime.p7m] 7508 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└┬╴multipart/mixed 2832 bytes └┬╴multipart/mixed 2832 bytes
├┬╴multipart/alternative 1621 bytes ├┬╴multipart/alternative 1621 bytes
│├─╴text/plain 576 bytes │├─╴text/plain 576 bytes
│└─╴text/html 748 bytes │└─╴text/html 748 bytes
└─╴image/png inline 236 bytes └─╴image/png inline 236 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-sh
y-legacy-reply.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-shy-
legacy-reply.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: [...] Subject: [...]
Message-ID: Message-ID:
<smime-signed-enc-complex-hp-shy-legacy-reply@example> <smime-signed-enc-complex-hp-shy-legacy-reply@example>
From: alice@smime.example From: alice@smime.example
To: bob@smime.example To: bob@smime.example
Date: Sat, 20 Feb 2021 17:19:02 +0000 Date: Sat, 20 Feb 2021 17:19:02 +0000
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
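Review bot: The introductory paragraph of the hcp_shy (+ Legacy Display) reply section still reads "It uses the Header Protection scheme from the draft" on the new side, which is stale wording now that the right-hand column is the RFC form of the document. Suggest "from this document" here, and the same correction in any other test-vector introduction that carries the phrase.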
skipping to change at line 10272 skipping to change at line 9958
3eZo3Nm+bwWzJzlo4yogzlTgH0SGnxyoibzOXzMqFgLkVbWvqTnw9UZASvoLAyrS 3eZo3Nm+bwWzJzlo4yogzlTgH0SGnxyoibzOXzMqFgLkVbWvqTnw9UZASvoLAyrS
SFctnufOoPlH9JrL+mfoU83prsRDMmOqudzyi5/xWh4IvamvvQsq5+3xsQr1duA+ SFctnufOoPlH9JrL+mfoU83prsRDMmOqudzyi5/xWh4IvamvvQsq5+3xsQr1duA+
W/HeZ8jx5hgO5UfexS5hAcgNs4Wz2NVCCl9fProSuYh9Caoz2PwlK87c/MliEqWc W/HeZ8jx5hgO5UfexS5hAcgNs4Wz2NVCCl9fProSuYh9Caoz2PwlK87c/MliEqWc
jZ5oSk0+zwLXTp3xpv4MHwDzHwqV6Sdg+cOUtl6wlZp0vJVxPD5tljBU9EW2vjfF jZ5oSk0+zwLXTp3xpv4MHwDzHwqV6Sdg+cOUtl6wlZp0vJVxPD5tljBU9EW2vjfF
Iq19LN50RLPQ7RpfCtJAIYUAuYGz0mwd66Q71d39Wx56wHA9TqQBTzNqI0CK6/mX Iq19LN50RLPQ7RpfCtJAIYUAuYGz0mwd66Q71d39Wx56wHA9TqQBTzNqI0CK6/mX
sRZKrMvLBTdHKk4Capu6ehFJgUt3Oifib6DWV6v5HUG14Dt4z8Bj9a3R66NBLWlR sRZKrMvLBTdHKk4Capu6ehFJgUt3Oifib6DWV6v5HUG14Dt4z8Bj9a3R66NBLWlR
K+2PoBYdd942K9XlMGBn3LJl4ALdvIcPBWj3GF+uGyuVe7wBlSx9CflX2WSI5YSg K+2PoBYdd942K9XlMGBn3LJl4ALdvIcPBWj3GF+uGyuVe7wBlSx9CflX2WSI5YSg
UDSpg+5kGBqjvtMlI8+4lfWZWKxub8YY4IMzkQxJcbvfqIwwjrevtIArQbtPlZDG UDSpg+5kGBqjvtMlI8+4lfWZWKxub8YY4IMzkQxJcbvfqIwwjrevtIArQbtPlZDG
q5zPmbmEot+ceJepsSmSeiEXJoDQJgbl6ZodjzNaAzLdOcGZI+qvi9m1S95VDfVG q5zPmbmEot+ceJepsSmSeiEXJoDQJgbl6ZodjzNaAzLdOcGZI+qvi9m1S95VDfVG
qrLl6hDxECQwnHKXwGrH6Qt4lftSzDHOnWKRERbiAgu9JPEuek4MY4C3u6dteyC+ qrLl6hDxECQwnHKXwGrH6Qt4lftSzDHOnWKRERbiAgu9JPEuek4MY4C3u6dteyC+
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-reply-over-a-complex-messa
<section anchor="smime-signed-and-encrypted-reply-over-a-complex-message-header- ge-header-protection-with-hcpshy-legacy-display-decrypted">
protection-with-hcpshy-legacy-display-decrypted"><name>S/MIME Signed and Encrypt <name>S/MIME Signed-and-Encrypted Reply over a Complex Message, Head
ed Reply Over a Complex Message, Header Protection With hcp_shy (+ Legacy Displa er Protection with hcp_shy (+ Legacy Display), Decrypted</name>
y), Decrypted</name> <t>The S/MIME enveloped-data layer unwraps to this signed-data part:
</t>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> <sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-
shy-legacy-reply.decrypted.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-shy-
legacy-reply.decrypted.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIIVUAYJKoZIhvcNAQcCoIIVQTCCFT0CAQExDTALBglghkgBZQMEAgEwggt5Bgkq MIIVUAYJKoZIhvcNAQcCoIIVQTCCFT0CAQExDTALBglghkgBZQMEAgEwggt5Bgkq
hkiG9w0BBwGgggtqBIILZk1JTUUtVmVyc2lvbjogMS4wDQpTdWJqZWN0OiBzbWlt hkiG9w0BBwGgggtqBIILZk1JTUUtVmVyc2lvbjogMS4wDQpTdWJqZWN0OiBzbWlt
ZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtc2h5LWxlZ2FjeS1yZXBseQ0KTWVzc2Fn ZS1zaWduZWQtZW5jLWNvbXBsZXgtaHAtc2h5LWxlZ2FjeS1yZXBseQ0KTWVzc2Fn
ZS1JRDoNCiA8c21pbWUtc2lnbmVkLWVuYy1jb21wbGV4LWhwLXNoeS1sZWdhY3kt ZS1JRDoNCiA8c21pbWUtc2lnbmVkLWVuYy1jb21wbGV4LWhwLXNoeS1sZWdhY3kt
cmVwbHlAZXhhbXBsZT4NCkZyb206IEFsaWNlIDxhbGljZUBzbWltZS5leGFtcGxl cmVwbHlAZXhhbXBsZT4NCkZyb206IEFsaWNlIDxhbGljZUBzbWltZS5leGFtcGxl
Pg0KVG86IEJvYiA8Ym9iQHNtaW1lLmV4YW1wbGU+DQpEYXRlOiBTYXQsIDIwIEZl Pg0KVG86IEJvYiA8Ym9iQHNtaW1lLmV4YW1wbGU+DQpEYXRlOiBTYXQsIDIwIEZl
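Review bot: The sentence introducing this block says the S/MIME enveloped-data layer "unwraps to this signed-data part", but the structure diagram for the same message labels the enveloped-data step "decrypts to" and keeps "unwraps to" for the signed-data layer, and the section title itself ends in "Decrypted". Suggest "The S/MIME enveloped-data layer decrypts to this signed-data part:" so that the prose, the diagram and the title use one term per layer; a reader following the vectors by hand otherwise has to guess which of the two operations is meant.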
skipping to change at line 10397 skipping to change at line 10081
RzExMC8GA1UEAxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhv RzExMC8GA1UEAxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhv
cml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglghkgBZQMEAgGgaTAYBgkqhkiG cml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglghkgBZQMEAgGgaTAYBgkqhkiG
9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNzE5MDJa 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNzE5MDJa
MC8GCSqGSIb3DQEJBDEiBCDmeJ6lsrSkjN4AZBIkFqDsd0GBqHEAIhAZzSPkodWm MC8GCSqGSIb3DQEJBDEiBCDmeJ6lsrSkjN4AZBIkFqDsd0GBqHEAIhAZzSPkodWm
CTANBgkqhkiG9w0BAQEFAASCAQA8+6A0jm2WrDdfvFYh0OQ4Rpy+6ofiRnx5jI8I CTANBgkqhkiG9w0BAQEFAASCAQA8+6A0jm2WrDdfvFYh0OQ4Rpy+6ofiRnx5jI8I
a0iD6U77+KS/1W9c4rm5Sk2ElE7gZb/XL5D7l9X5aoiuF6KgyPrzNCL4G3Zz9zLY a0iD6U77+KS/1W9c4rm5Sk2ElE7gZb/XL5D7l9X5aoiuF6KgyPrzNCL4G3Zz9zLY
1l+7Cc+VsR8HcY9mgI5U34bmT1xZCHk3V+hTSUn+zE2XV5khxX0E5OxGzkrSz39Y 1l+7Cc+VsR8HcY9mgI5U34bmT1xZCHk3V+hTSUn+zE2XV5khxX0E5OxGzkrSz39Y
TReERGZGPPXorUIc/MPPKVNE0uhlVUY3WVp9oECnYOBnZ8Ed91rzJWH9hbvUq+jx TReERGZGPPXorUIc/MPPKVNE0uhlVUY3WVp9oECnYOBnZ8Ed91rzJWH9hbvUq+jx
22s5mbPGSi5napgEIr/vv66CuCSBK9oqUG4/dyd/hvLVgtZ3knoxn8VPXUgf8Yw6 22s5mbPGSi5napgEIr/vv66CuCSBK9oqUG4/dyd/hvLVgtZ3knoxn8VPXUgf8Yw6
my5/oStqcO3Q9Sd176LsZ4Otgc4kG789qHAlTax4HGqU3bAi my5/oStqcO3Q9Sd176LsZ4Otgc4kG789qHAlTax4HGqU3bAi
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-reply-over-a-complex-messa
<section anchor="smime-signed-and-encrypted-reply-over-a-complex-message-header- ge-header-protection-with-hcpshy-legacy-display-decrypted-and-unwrapped">
protection-with-hcpshy-legacy-display-decrypted-and-unwrapped"><name>S/MIME Sign <name>S/MIME Signed-and-Encrypted Reply over a Complex Message, Head
ed and Encrypted Reply Over a Complex Message, Header Protection With hcp_shy (+ er Protection with hcp_shy (+ Legacy Display), Decrypted and Unwrapped</name>
Legacy Display), Decrypted and Unwrapped</name> <t>The inner signed-data layer unwraps to:</t>
<sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-
<t>The inner signed-data layer unwraps to:</t> shy-legacy-reply.decrypted.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-signed-enc-complex-hp-shy-
legacy-reply.decrypted.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Subject: smime-signed-enc-complex-hp-shy-legacy-reply Subject: smime-signed-enc-complex-hp-shy-legacy-reply
Message-ID: Message-ID:
<smime-signed-enc-complex-hp-shy-legacy-reply@example> <smime-signed-enc-complex-hp-shy-legacy-reply@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:19:02 -0500 Date: Sat, 20 Feb 2021 12:19:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
In-Reply-To: <smime-signed-enc-complex-hp-shy-legacy@example> In-Reply-To: <smime-signed-enc-complex-hp-shy-legacy@example>
References: <smime-signed-enc-complex-hp-shy-legacy@example> References: <smime-signed-enc-complex-hp-shy-legacy@example>
skipping to change at line 10494 skipping to change at line 10176
Content-Type: image/png Content-Type: image/png
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Disposition: inline Content-Disposition: inline
iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg== vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==
--d37-- --d37--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> <section anchor="smime-enc-signed-complex-rfc8551hp-baseline">
<section anchor="smime-enc-signed-complex-rfc8551hp-baseline"><name>S/MIME Signe <name>S/MIME Signed and Encrypted over a Complex Message, Legacy RFC 8
d and Encrypted Over a Complex Message, Legacy RFC 8551 Header Protection With h 551 Header Protection with hcp_baseline</name>
cp_baseline</name> <t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelope
dData around signedData. The payload is a multipart/alternative message with an
<t>This is a signed-and-encrypted S/MIME message using PKCS#7 envelopedData arou inline image/png attachment. It uses the legacy RFC 8551 header protection (<ir
nd signedData. The payload is a multipart/alternative message with an inline im ef item="RFC8551HP"/><xref target="RFC8551HP" format="none">RFC8551HP</xref>) sc
age/png attachment. It uses the legacy RFC 8551 header protection (<iref item="R heme with the hcp_baseline <iref item="Header Confidentiality Policy"/><xref tar
FC8551HP"/><xref target="RFC8551HP" format="none">RFC8551HP</xref>) scheme with get="header-confidentiality-policy" format="none">Header Confidentiality Policy<
the hcp_baseline <iref item="Header Confidentiality Policy"/><xref target="heade /xref>.</t>
r-confidentiality-policy" format="none">Header Confidentiality Policy</xref>.</t <t>It has the following structure:</t>
> <artwork type="ascii-art"><![CDATA[
<t>It has the following structure:</t>
<figure><artwork type="ascii-art"><![CDATA[
└─╴application/pkcs7-mime [smime.p7m] 9580 bytes └─╴application/pkcs7-mime [smime.p7m] 9580 bytes
↧ (decrypts to) ↧ (decrypts to)
└─╴application/pkcs7-mime [smime.p7m] 6082 bytes └─╴application/pkcs7-mime [smime.p7m] 6082 bytes
⇩ (unwraps to) ⇩ (unwraps to)
└┬╴message/rfc822 1876 bytes └┬╴message/rfc822 1876 bytes
└┬╴multipart/mixed 1828 bytes └┬╴multipart/mixed 1828 bytes
├┬╴multipart/alternative 1166 bytes ├┬╴multipart/alternative 1166 bytes
│├─╴text/plain 392 bytes │├─╴text/plain 392 bytes
│└─╴text/html 490 bytes │└─╴text/html 490 bytes
└─╴image/png inline 232 bytes └─╴image/png inline 232 bytes
]]></artwork></figure> ]]></artwork>
<t>Its contents are:</t>
<t>Its contents are:</t> <sourcecode type="message/rfc822" name="smime-enc-signed-complex-rfc85
51hp-baseline.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-enc-signed-complex-rfc8551
hp-baseline.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
Subject: [...] Subject: [...]
Message-ID: Message-ID:
<smime-enc-signed-complex-rfc8551hp-baseline@example> <smime-enc-signed-complex-rfc8551hp-baseline@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:28:02 -0500 Date: Sat, 20 Feb 2021 12:28:02 -0500
User-Agent: Sample MUA Version 1.0 User-Agent: Sample MUA Version 1.0
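Review bot: The new section title "S/MIME Signed and Encrypted over a Complex Message, Legacy RFC 8551 Header Protection with hcp_baseline" keeps "Signed and Encrypted" unhyphenated, while the sibling hcp_shy reply titles in this same revision were changed to "Signed-and-Encrypted" and the paragraph directly below says "signed-and-encrypted S/MIME message". If the difference is deliberate because no noun follows in this title, it is worth confirming; otherwise align the three baseline titles (this one and its "Decrypted" and "Decrypted and Unwrapped" subsections) with the rest.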
skipping to change at line 10679 skipping to change at line 10356
xAmFAXgfuNc18ZkVtSLPjJ418cSe+VOlQ3WH2Os2N3PP6UqR7hlgymJeisV80C0N xAmFAXgfuNc18ZkVtSLPjJ418cSe+VOlQ3WH2Os2N3PP6UqR7hlgymJeisV80C0N
kuu0AYauvHf6mDPhbsvdtTLQUY9cQ991c1XFB3NZwZa1GL9BtYpLU9xsd4k+qyzI kuu0AYauvHf6mDPhbsvdtTLQUY9cQ991c1XFB3NZwZa1GL9BtYpLU9xsd4k+qyzI
5zW1UEG0B265+FhYBMz12KRvjfTMegaMCqo3WKG0p/HfdGRFXzYScZCDKe/n7pDW 5zW1UEG0B265+FhYBMz12KRvjfTMegaMCqo3WKG0p/HfdGRFXzYScZCDKe/n7pDW
45+PhVyrxqQpsdyxTHb0qetjbYM/OlydenM47tvb9D+UIpRjYLmk3RCMKfbAd6nE 45+PhVyrxqQpsdyxTHb0qetjbYM/OlydenM47tvb9D+UIpRjYLmk3RCMKfbAd6nE
ctVLhUHswCMx4lnVRdIXuIc4yQrquAVPvlfzBVIxDeemkf2kmrA1P5aYZniflr7i ctVLhUHswCMx4lnVRdIXuIc4yQrquAVPvlfzBVIxDeemkf2kmrA1P5aYZniflr7i
SRG+XntvfKyyKqr09A605hOz8GyDSOIDRq5SykbeuUZd2MkhMHiqn3pkgWxfFADH SRG+XntvfKyyKqr09A605hOz8GyDSOIDRq5SykbeuUZd2MkhMHiqn3pkgWxfFADH
rptkhjQytcY4j8Znqg8O70da9J4G4sbILV5OgKaTt/7okM+rQ8ikzR9UJsAAgewn rptkhjQytcY4j8Znqg8O70da9J4G4sbILV5OgKaTt/7okM+rQ8ikzR9UJsAAgewn
DrnutsyrGrSmz7wIFkexxWnM6NZYMcJpdy0KXuctfBWIQs+ZyYrsd4pH3MP/hc+1 DrnutsyrGrSmz7wIFkexxWnM6NZYMcJpdy0KXuctfBWIQs+ZyYrsd4pH3MP/hc+1
t2W57Gm57dXBh0lqxDnaGFGVBlYioWj/v1s0EoaVUM+XCYEsRKge45drULGh0qAZ t2W57Gm57dXBh0lqxDnaGFGVBlYioWj/v1s0EoaVUM+XCYEsRKge45drULGh0qAZ
sG1/1VBptLyt3UY3jh1tUw== sG1/1VBptLyt3UY3jh1tUw==
]]></sourcecode></figure> ]]></sourcecode>
<section anchor="smime-signed-and-encrypted-over-a-complex-message-leg
<section anchor="smime-signed-and-encrypted-over-a-complex-message-legacy-rfc-85 acy-rfc-8551-header-protection-with-hcpbaseline-decrypted">
51-header-protection-with-hcpbaseline-decrypted"><name>S/MIME Signed and Encrypt <name>S/MIME Signed and Encrypted over a Complex Message, Legacy RFC
ed Over a Complex Message, Legacy RFC 8551 Header Protection With hcp_baseline, 8551 Header Protection with hcp_baseline, Decrypted</name>
Decrypted</name> <t>The S/MIME enveloped-data layer unwraps to this signed-data part:
</t>
<t>The S/MIME enveloped-data layer unwraps to this signed-data part:</t> <sourcecode type="message/rfc822" name="smime-enc-signed-complex-rfc
8551hp-baseline.decrypted.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-enc-signed-complex-rfc8551
hp-baseline.decrypted.eml"><![CDATA[
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="signed-data" smime-type="signed-data"
MIIRQAYJKoZIhvcNAQcCoIIRMTCCES0CAQExDTALBglghkgBZQMEAgEwggdpBgkq MIIRQAYJKoZIhvcNAQcCoIIRMTCCES0CAQExDTALBglghkgBZQMEAgEwggdpBgkq
hkiG9w0BBwGgggdaBIIHVk1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVR5cGU6 hkiG9w0BBwGgggdaBIIHVk1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVR5cGU6
IG1lc3NhZ2UvcmZjODIyDQoNCk1JTUUtVmVyc2lvbjogMS4wCkNvbnRlbnQtVHlw IG1lc3NhZ2UvcmZjODIyDQoNCk1JTUUtVmVyc2lvbjogMS4wCkNvbnRlbnQtVHlw
ZTogbXVsdGlwYXJ0L21peGVkOyBib3VuZGFyeT0iMjY2IgpTdWJqZWN0OiBzbWlt ZTogbXVsdGlwYXJ0L21peGVkOyBib3VuZGFyeT0iMjY2IgpTdWJqZWN0OiBzbWlt
ZS1lbmMtc2lnbmVkLWNvbXBsZXgtcmZjODU1MWhwLWJhc2VsaW5lCk1lc3NhZ2Ut ZS1lbmMtc2lnbmVkLWNvbXBsZXgtcmZjODU1MWhwLWJhc2VsaW5lCk1lc3NhZ2Ut
SUQ6CiA8c21pbWUtZW5jLXNpZ25lZC1jb21wbGV4LXJmYzg1NTFocC1iYXNlbGlu SUQ6CiA8c21pbWUtZW5jLXNpZ25lZC1jb21wbGV4LXJmYzg1NTFocC1iYXNlbGlu
skipping to change at line 10783 skipping to change at line 10458
dGlmaWNhdGlvbiBBdXRob3JpdHkCEzdBBXntdX9CqaJcOvT4as6aqdcwCwYJYIZI dGlmaWNhdGlvbiBBdXRob3JpdHkCEzdBBXntdX9CqaJcOvT4as6aqdcwCwYJYIZI
AWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUx AWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUx
DxcNMjEwMjIwMTcyODAyWjAvBgkqhkiG9w0BCQQxIgQgzbXAB7rXfNs26yYOHvuE DxcNMjEwMjIwMTcyODAyWjAvBgkqhkiG9w0BCQQxIgQgzbXAB7rXfNs26yYOHvuE
D4KQ9RzsSF5fL55lZZY7AjgwDQYJKoZIhvcNAQEBBQAEggEAAs1y7DQLS7S+Vh2b D4KQ9RzsSF5fL55lZZY7AjgwDQYJKoZIhvcNAQEBBQAEggEAAs1y7DQLS7S+Vh2b
Ju5W9UwkHp6lUk/F7mJE80FRc8K6z8pcSn4xTrlCaLgL7azQ0o/iNQEh2EVJqdy6 Ju5W9UwkHp6lUk/F7mJE80FRc8K6z8pcSn4xTrlCaLgL7azQ0o/iNQEh2EVJqdy6
huwwtlaeiPa2gXwIHCKcLGhA2bW3/R+sEsJZi7FryqTakOZ9eXcYRXoPWv6ncf+I huwwtlaeiPa2gXwIHCKcLGhA2bW3/R+sEsJZi7FryqTakOZ9eXcYRXoPWv6ncf+I
eA7jlQX3Z4Ln5pP9p+Uw7H1oroH2Y4e0yAqIMtYXnS+GKALTtbxTa1p2Y9dsHQLS eA7jlQX3Z4Ln5pP9p+Uw7H1oroH2Y4e0yAqIMtYXnS+GKALTtbxTa1p2Y9dsHQLS
2cXbfUsU2zc5bstgKXZyTkjuKJ8ivbYJ2ttk79AOMosWkDBmgzKTTS/0HptfO9SD 2cXbfUsU2zc5bstgKXZyTkjuKJ8ivbYJ2ttk79AOMosWkDBmgzKTTS/0HptfO9SD
mX58BvQt6GHQZ4TR2NVDvq3z+/CAlzsR5xmNH1C+uDH99ORoy3w6CHmv4aTTmRM9 mX58BvQt6GHQZ4TR2NVDvq3z+/CAlzsR5xmNH1C+uDH99ORoy3w6CHmv4aTTmRM9
S+uZXg== S+uZXg==
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> <section anchor="smime-signed-and-encrypted-over-a-complex-message-leg
<section anchor="smime-signed-and-encrypted-over-a-complex-message-legacy-rfc-85 acy-rfc-8551-header-protection-with-hcpbaseline-decrypted-and-unwrapped">
51-header-protection-with-hcpbaseline-decrypted-and-unwrapped"><name>S/MIME Sign <name>S/MIME Signed and Encrypted over a Complex Message, Legacy RFC
ed and Encrypted Over a Complex Message, Legacy RFC 8551 Header Protection With 8551 Header Protection with hcp_baseline, Decrypted and Unwrapped</name>
hcp_baseline, Decrypted and Unwrapped</name> <t>The inner signed-data layer unwraps to:</t>
<sourcecode type="message/rfc822" name="smime-enc-signed-complex-rfc
<t>The inner signed-data layer unwraps to:</t> 8551hp-baseline.decrypted.unwrapped.eml"><![CDATA[
<figure><sourcecode type="message/rfc822" name="smime-enc-signed-complex-rfc8551
hp-baseline.decrypted.unwrapped.eml"><![CDATA[
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: message/rfc822 Content-Type: message/rfc822
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="266" Content-Type: multipart/mixed; boundary="266"
Subject: smime-enc-signed-complex-rfc8551hp-baseline Subject: smime-enc-signed-complex-rfc8551hp-baseline
Message-ID: Message-ID:
<smime-enc-signed-complex-rfc8551hp-baseline@example> <smime-enc-signed-complex-rfc8551hp-baseline@example>
From: Alice <alice@smime.example> From: Alice <alice@smime.example>
To: Bob <bob@smime.example> To: Bob <bob@smime.example>
skipping to change at line 10856 skipping to change at line 10529
Content-Type: image/png Content-Type: image/png
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Disposition: inline Content-Disposition: inline
iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg== vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==
--266-- --266--
]]></sourcecode></figure> ]]></sourcecode>
</section>
</section> </section>
</section> </section>
</section> </section>
</section> <section anchor="compose-examples">
<section anchor="compose-examples"><name>Composition Examples</name> <name>Composition Examples</name>
<t>This section offers step-by-step examples of message composition.</t>
<t>This section offers step-by-step examples of message composition.</t> <section anchor="compose-example">
<name>New Message Composition</name>
<section anchor="compose-example"><name>New message composition</name> <t>A typical MUA composition interface offers the user a place to indica
te the message recipients, subject, and body.
<t>A typical MUA composition interface offers the user a place to indicate the m
essage recipients, the subject, and the body.
Consider a composition window filled out by the user like so:</t> Consider a composition window filled out by the user like so:</t>
<figure anchor="example-compose-interface">
<figure title="Example Message Composition Interface" anchor="example-compose-in <name>Example Message Composition Interface</name>
terface"><artset><artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" ve <artset>
rsion="1.1" height="336" width="472" viewBox="0 0 472 336" class="diagram" text- <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version=
anchor="middle" font-family="monospace" font-size="13px"> "1.1" height="336" width="472" viewBox="0 0 472 336" class="diagram" text-anchor
<path d="M 8,48 L 8,320" fill="none" stroke="black"/> ="middle" font-family="monospace" font-size="13px">
<path d="M 96,64 L 96,128" fill="none" stroke="black"/> <path d="M 8,48 L 8,320" fill="none" stroke="black"/>
<path d="M 368,64 L 368,96" fill="none" stroke="black"/> <path d="M 96,64 L 96,128" fill="none" stroke="black"/>
<path d="M 448,96 L 448,128" fill="none" stroke="black"/> <path d="M 368,64 L 368,96" fill="none" stroke="black"/>
<path d="M 464,48 L 464,320" fill="none" stroke="black"/> <path d="M 448,96 L 448,128" fill="none" stroke="black"/>
<path d="M 24,32 L 448,32" fill="none" stroke="black"/> <path d="M 464,48 L 464,320" fill="none" stroke="black"/>
<path d="M 408,48 L 432,48" fill="none" stroke="black"/> <path d="M 24,32 L 448,32" fill="none" stroke="black"/>
<path d="M 96,64 L 368,64" fill="none" stroke="black"/> <path d="M 408,48 L 432,48" fill="none" stroke="black"/>
<path d="M 408,80 L 432,80" fill="none" stroke="black"/> <path d="M 96,64 L 368,64" fill="none" stroke="black"/>
<path d="M 96,96 L 448,96" fill="none" stroke="black"/> <path d="M 408,80 L 432,80" fill="none" stroke="black"/>
<path d="M 96,128 L 448,128" fill="none" stroke="black"/> <path d="M 96,96 L 448,96" fill="none" stroke="black"/>
<path d="M 8,144 L 464,144" fill="none" stroke="black"/> <path d="M 96,128 L 448,128" fill="none" stroke="black"/>
<path d="M 8,320 L 464,320" fill="none" stroke="black"/> <path d="M 8,144 L 464,144" fill="none" stroke="black"/>
<path d="M 24,32 C 15.16936,32 8,39.16936 8,48" fill="none" stroke="black"/> <path d="M 8,320 L 464,320" fill="none" stroke="black"/>
<path d="M 448,32 C 456.83064,32 464,39.16936 464,48" fill="none" stroke="black" <path d="M 24,32 C 15.16936,32 8,39.16936 8,48" fill="none" stro
/> ke="black"/>
<path d="M 408,48 C 399.16936,48 392,55.16936 392,64" fill="none" stroke="black" <path d="M 448,32 C 456.83064,32 464,39.16936 464,48" fill="none
/> " stroke="black"/>
<path d="M 432,48 C 440.83064,48 448,55.16936 448,64" fill="none" stroke="black" <path d="M 408,48 C 399.16936,48 392,55.16936 392,64" fill="none
/> " stroke="black"/>
<path d="M 408,80 C 399.16936,80 392,72.83064 392,64" fill="none" stroke="black" <path d="M 432,48 C 440.83064,48 448,55.16936 448,64" fill="none
/> " stroke="black"/>
<path d="M 432,80 C 440.83064,80 448,72.83064 448,64" fill="none" stroke="black" <path d="M 408,80 C 399.16936,80 392,72.83064 392,64" fill="none
/> " stroke="black"/>
<g class="text"> <path d="M 432,80 C 440.83064,80 448,72.83064 448,64" fill="none
<text x="184" y="52">Composing</text> " stroke="black"/>
<text x="240" y="52">New</text> <g class="text">
<text x="288" y="52">Message</text> <text x="184" y="52">Composing</text>
<text x="420" y="68">Send</text> <text x="240" y="52">New</text>
<text x="72" y="84">To:</text> <text x="288" y="52">Message</text>
<text x="128" y="84">Alice</text> <text x="420" y="68">Send</text>
<text x="232" y="84">&lt;alice@example.net&gt;</text> <text x="72" y="84">To:</text>
<text x="52" y="116">Subject:</text> <text x="128" y="84">Alice</text>
<text x="140" y="116">Handling</text> <text x="232" y="84">&lt;alice@example.net&gt;</text>
<text x="192" y="116">the</text> <text x="52" y="116">Subject:</text>
<text x="232" y="116">Jones</text> <text x="140" y="116">Handling</text>
<text x="292" y="116">contract</text> <text x="192" y="116">the</text>
<text x="44" y="164">Please</text> <text x="232" y="116">Jones</text>
<text x="100" y="164">review</text> <text x="292" y="116">contract</text>
<text x="144" y="164">and</text> <text x="44" y="164">Please</text>
<text x="192" y="164">approve</text> <text x="100" y="164">review</text>
<text x="236" y="164">or</text> <text x="144" y="164">and</text>
<text x="280" y="164">decline</text> <text x="192" y="164">approve</text>
<text x="324" y="164">by</text> <text x="236" y="164">or</text>
<text x="376" y="164">Thursday,</text> <text x="280" y="164">decline</text>
<text x="436" y="164">it's</text> <text x="324" y="164">by</text>
<text x="56" y="180">critical!</text> <text x="376" y="164">Thursday,</text>
<text x="48" y="212">Thanks,</text> <text x="436" y="164">it's</text>
<text x="32" y="228">Bob</text> <text x="56" y="180">critical!</text>
<text x="28" y="260">--</text> <text x="48" y="212">Thanks,</text>
<text x="32" y="276">Bob</text> <text x="32" y="228">Bob</text>
<text x="84" y="276">Gonzalez</text> <text x="28" y="260">--</text>
<text x="40" y="292">ACME,</text> <text x="32" y="276">Bob</text>
<text x="84" y="292">Inc.</text> <text x="84" y="276">Gonzalez</text>
</g> <text x="40" y="292">ACME,</text>
</svg> <text x="84" y="292">Inc.</text>
</artwork><artwork type="ascii-art"><![CDATA[ </g>
</svg>
</artwork>
<artwork type="ascii-art"><![CDATA[
.------------------------------------------------------. .------------------------------------------------------.
| Composing New Message .----. | | Composing New Message .----. |
| +---------------------------------+ | Send | | | +---------------------------------+ | Send | |
| To: | Alice <alice@example.net> | '----' | | To: | Alice <alice@example.net> | '----' |
| +---------------------------------+---------+ | | +---------------------------------+---------+ |
| Subject: | Handling the Jones contract | | | Subject: | Handling the Jones contract | |
| +-------------------------------------------+ | | +-------------------------------------------+ |
+--------------------------------------------------------+ +--------------------------------------------------------+
| Please review and approve or decline by Thursday, it's | | Please review and approve or decline by Thursday, it's |
| critical! | | critical! |
| | | |
| Thanks, | | Thanks, |
| Bob | | Bob |
| | | |
| -- | | -- |
| Bob Gonzalez | | Bob Gonzalez |
| ACME, Inc. | | ACME, Inc. |
| | | |
+--------------------------------------------------------+ +--------------------------------------------------------+
]]></artwork></artset></figure> ]]></artwork>
</artset>
<t>When Bob clicks "Send", his MUA generates values for <spanx style="verb">Mess </figure>
age-ID</spanx>, <spanx style="verb">From</spanx>, and <spanx style="verb">Date</ <t>When Bob clicks "Send", his MUA generates values for the <tt>Message-
spanx> Header Fields, and converts the message body into the appropriate format. ID</tt>, <tt>From</tt>, and <tt>Date</tt> Header Fields and converts the message
</t> body into the appropriate format.</t>
<section anchor="compose-example-unprotected">
<section anchor="compose-example-unprotected"><name>Unprotected message</name> <name>Unprotected Message</name>
<t>The resulting message would look something like this if it was sent
<t>The resulting message would look something like this if it was sent without c without cryptographic protections:</t>
ryptographic protections:</t> <artwork><![CDATA[
<figure><artwork><![CDATA[
Date: Wed, 11 Jan 2023 16:08:43 -0500 Date: Wed, 11 Jan 2023 16:08:43 -0500
From: Bob <bob@example.net> From: Bob <bob@example.net>
To: Alice <alice@example.net> To: Alice <alice@example.net>
Subject: Handling the Jones contract Subject: Handling the Jones contract
Message-ID: <20230111T210843Z.1234@lhp.example> Message-ID: <20230111T210843Z.1234@lhp.example>
Content-Type: text/plain; charset="us-ascii" Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0 MIME-Version: 1.0
Please review and approve or decline by Thursday, it's critical! Please review and approve or decline by Thursday, it's critical!
Thanks, Thanks,
Bob Bob
-- --
Bob Gonzalez Bob Gonzalez
ACME, Inc. ACME, Inc.
]]></artwork></figure> ]]></artwork>
</section>
</section> <section anchor="encrypted-with-hcpbaseline-and-legacy-display">
<section anchor="encrypted-with-hcpbaseline-and-legacy-display"><name>Encrypted <name>Encrypted with <tt>hcp_baseline</tt> and Legacy Display</name>
with <spanx style="verb">hcp_baseline</spanx> and Legacy Display</name> <t>Now consider the message to be generated if it is to be cryptograph
ically signed and encrypted, using <iref item="HCP"/><xref target="header-confid
<t>Now consider the message to be generated if it is to be cryptographically sig entiality-policy" format="none">HCP</xref> <tt>hcp_baseline</tt>, and the <tt>le
ned and encrypted, using <iref item="HCP"/><xref target="header-confidentiality- gacy</tt> variable is set.</t>
policy" format="none">HCP</xref> <spanx style="verb">hcp_baseline</spanx>, and t <t>For each Header Field, Bob's MUA passes its name and value through
he <spanx style="verb">legacy</spanx> variable is set.</t> <tt>hcp_baseline</tt>.
<t>For each Header Field, Bob's MUA passes its name and value through <spanx sty
le="verb">hcp_baseline</spanx>.
This returns the same value for every Header Field, except that:</t> This returns the same value for every Header Field, except that:</t>
<t><tt>hcp_baseline</tt>("<tt>Subject</tt>", "<tt>Handling the Jones c
<t><spanx style="verb">hcp_baseline</spanx>("<spanx style="verb">Subject</spanx> ontract</tt>") yields "<tt>[...]</tt>".</t>
", "<spanx style="verb">Handling the Jones contract</spanx>") yields "<spanx sty <section anchor="compose-example-payload">
le="verb">[...]</spanx>".</t> <name>Cryptographic Payload</name>
<t>The Cryptographic Payload that will be signed and then encrypted
<section anchor="compose-example-payload"><name>Cryptographic Payload</name> is very similar to the unprotected message in <xref target="compose-example-unpr
otected"/>.
<t>The Cryptographic Payload that will be signed and then encrypted is very simi
lar to the unprotected message in <xref target="compose-example-unprotected"/>.
Note the addition of:</t> Note the addition of:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>
<t>The <spanx style="verb">hp="cipher"</spanx> parameter for the <spanx style= <t>the <tt>hp="cipher"</tt> parameter for the <tt>Content-Type</
"verb">Content-Type</spanx></t> tt></t>
<t>The appropriate <spanx style="verb">HP-Outer</spanx> Header Field for <span </li>
x style="verb">Subject</spanx></t> <li>
<t>The <spanx style="verb">hp-legacy-display="1"</spanx> parameter for the <sp <t>the appropriate <tt>HP-Outer</tt> Header Field for <tt>Subjec
anx style="verb">Content-Type</spanx></t> t</tt></t>
<t>The Legacy Display Element (the simple pseudo-header and its trailing newli </li>
ne) in the Main Body Part.</t> <li>
</list></t> <t>the <tt>hp-legacy-display="1"</tt> parameter for the <tt>Cont
ent-Type</tt></t>
<figure><artwork><![CDATA[ </li>
<li>
<t>the Legacy Display Element (the simple pseudo-header and its
trailing newline) in the Main Body Part</t>
</li>
</ul>
<artwork><![CDATA[
Date: Wed, 11 Jan 2023 16:08:43 -0500 Date: Wed, 11 Jan 2023 16:08:43 -0500
From: Bob <bob@example.net> From: Bob <bob@example.net>
To: Alice <alice@example.net> To: Alice <alice@example.net>
Subject: Handling the Jones contract Subject: Handling the Jones contract
Message-ID: <20230111T210843Z.1234@lhp.example> Message-ID: <20230111T210843Z.1234@lhp.example>
Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"; Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1";
hp="cipher" hp="cipher"
MIME-Version: 1.0 MIME-Version: 1.0
HP-Outer: Date: Wed, 11 Jan 2023 16:08:43 -0500 HP-Outer: Date: Wed, 11 Jan 2023 16:08:43 -0500
HP-Outer: From: Bob <bob@example.net> HP-Outer: From: Bob <bob@example.net>
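Review bot: in the paragraph just before the compose-example-payload section, the function application is still split across four separate <tt> runs, with the parentheses, comma and quotation marks left outside them (<tt>hcp_baseline</tt>("<tt>Subject</tt>", "<tt>Handling the Jones contract</tt>") yields "<tt>[...]</tt>"). The conversion from <spanx style="verb"> carried this over unchanged, so the expression will render in mixed fonts. The confmap entry further down the page keeps its whole mapping inside one verbatim run on the old side; suggest the same here, one <tt> around the full call and one around the result.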
skipping to change at line 11017 skipping to change at line 10692
Subject: Handling the Jones contract Subject: Handling the Jones contract
Please review and approve or decline by Thursday, it's critical! Please review and approve or decline by Thursday, it's critical!
Thanks, Thanks,
Bob Bob
-- --
Bob Gonzalez Bob Gonzalez
ACME, Inc. ACME, Inc.
]]></artwork></figure> ]]></artwork>
</section>
</section> <section anchor="external-header-section">
<section anchor="external-header-section"><name>External Header Section</name> <name>External Header Section</name>
<t>The Cryptographic Payload from <xref target="compose-example-payl
<t>The Cryptographic Payload from <xref target="compose-example-payload"/> is th oad"/> is then wrapped in the appropriate Cryptographic Layers.
en wrapped in the appropriate Cryptographic Layers. For this example using S/MIME, it is wrapped in an <tt>application/pkcs7-mime; s
For this example, using S/MIME, it is wrapped in an <spanx style="verb">applicat mime-type="signed-data"</tt> layer, which is in turn wrapped in an <tt>applicati
ion/pkcs7-mime; smime-type="signed-data"</spanx> layer, which is in turn wrapped on/pkcs7-mime; smime-type="enveloped-data"</tt> layer.</t>
in an <spanx style="verb">application/pkcs7-mime; smime-type="enveloped-data"</ <t>Then, an external Header Section is applied to the outer MIME obj
spanx> layer.</t> ect, which looks like this:</t>
<artwork><![CDATA[
<t>Then an external Header Section is applied to the outer MIME object, which lo
oks like this:</t>
<figure><artwork><![CDATA[
Date: Wed, 11 Jan 2023 16:08:43 -0500 Date: Wed, 11 Jan 2023 16:08:43 -0500
From: Bob <bob@example.net> From: Bob <bob@example.net>
To: Alice <alice@example.net> To: Alice <alice@example.net>
Subject: [...] Subject: [...]
Message-ID: <20230111T210843Z.1234@lhp.example> Message-ID: <20230111T210843Z.1234@lhp.example>
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
MIME-Version: 1.0 MIME-Version: 1.0
]]></artwork></figure> ]]></artwork>
<t>Note that the <tt>Subject</tt> Header Field has been obscured app
<t>Note that the <spanx style="verb">Subject</spanx> Header Field has been obscu ropriately by <tt>hcp_baseline</tt>.
red appropriately by <spanx style="verb">hcp_baseline</spanx>. The output of the CMS enveloping operation is base64 encoded and forms the body
The output of the CMS enveloping operation is base64-encoded and forms the body of the message.</t>
of the message.</t> </section>
</section>
</section> </section>
</section> <section anchor="reply-example">
</section> <name>Composing a Reply</name>
<section anchor="reply-example"><name>Composing a Reply</name> <t>Next, we consider a typical MUA reply interface, where we see Alice r
eplying to Bob's message from <xref target="compose-example"/>.</t>
<t>Next we consider a typical MUA reply interface, where we see Alice replying t <t>When Alice clicks "Reply" to Bob's signed-and-encrypted message with
o Bob's message from <xref target="compose-example"/>.</t> Header Protection, she might see something like this:</t>
<figure anchor="example-reply-interface-initial">
<t>When Alice clicks "Reply" to Bob's signed-and-encrypted message with Header P <name>Example Message Reply Interface (Unedited)</name>
rotection, she might see something like this:</t> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version=
<figure title="Example Message Reply Interface (unedited)" anchor="example-reply "1.1" height="432" width="488" viewBox="0 0 488 432" class="diagram" text-anchor
-interface-initial"><artset><artwork type="svg"><svg xmlns="http://www.w3.org/2 ="middle" font-family="monospace" font-size="13px">
000/svg" version="1.1" height="432" width="488" viewBox="0 0 488 432" class="dia <path d="M 8,48 L 8,416" fill="none" stroke="black"/>
gram" text-anchor="middle" font-family="monospace" font-size="13px"> <path d="M 96,64 L 96,128" fill="none" stroke="black"/>
<path d="M 8,48 L 8,416" fill="none" stroke="black"/> <path d="M 384,64 L 384,96" fill="none" stroke="black"/>
<path d="M 96,64 L 96,128" fill="none" stroke="black"/> <path d="M 464,96 L 464,128" fill="none" stroke="black"/>
<path d="M 384,64 L 384,96" fill="none" stroke="black"/> <path d="M 480,48 L 480,416" fill="none" stroke="black"/>
<path d="M 464,96 L 464,128" fill="none" stroke="black"/> <path d="M 24,32 L 464,32" fill="none" stroke="black"/>
<path d="M 480,48 L 480,416" fill="none" stroke="black"/> <path d="M 424,48 L 448,48" fill="none" stroke="black"/>
<path d="M 24,32 L 464,32" fill="none" stroke="black"/> <path d="M 96,64 L 384,64" fill="none" stroke="black"/>
<path d="M 424,48 L 448,48" fill="none" stroke="black"/> <path d="M 424,80 L 448,80" fill="none" stroke="black"/>
<path d="M 96,64 L 384,64" fill="none" stroke="black"/> <path d="M 96,96 L 464,96" fill="none" stroke="black"/>
<path d="M 424,80 L 448,80" fill="none" stroke="black"/> <path d="M 96,128 L 464,128" fill="none" stroke="black"/>
<path d="M 96,96 L 464,96" fill="none" stroke="black"/> <path d="M 8,144 L 480,144" fill="none" stroke="black"/>
<path d="M 96,128 L 464,128" fill="none" stroke="black"/> <path d="M 8,416 L 480,416" fill="none" stroke="black"/>
<path d="M 8,144 L 480,144" fill="none" stroke="black"/> <path d="M 24,32 C 15.16936,32 8,39.16936 8,48" fill="none" stro
<path d="M 8,416 L 480,416" fill="none" stroke="black"/> ke="black"/>
<path d="M 24,32 C 15.16936,32 8,39.16936 8,48" fill="none" stroke="black"/> <path d="M 464,32 C 472.83064,32 480,39.16936 480,48" fill="none
<path d="M 464,32 C 472.83064,32 480,39.16936 480,48" fill="none" stroke="black" " stroke="black"/>
/> <path d="M 424,48 C 415.16936,48 408,55.16936 408,64" fill="none
<path d="M 424,48 C 415.16936,48 408,55.16936 408,64" fill="none" stroke="black" " stroke="black"/>
/> <path d="M 448,48 C 456.83064,48 464,55.16936 464,64" fill="none
<path d="M 448,48 C 456.83064,48 464,55.16936 464,64" fill="none" stroke="black" " stroke="black"/>
/> <path d="M 424,80 C 415.16936,80 408,72.83064 408,64" fill="none
<path d="M 424,80 C 415.16936,80 408,72.83064 408,64" fill="none" stroke="black" " stroke="black"/>
/> <path d="M 448,80 C 456.83064,80 464,72.83064 464,64" fill="none
<path d="M 448,80 C 456.83064,80 464,72.83064 464,64" fill="none" stroke="black" " stroke="black"/>
/> <g class="text">
<g class="text"> <text x="60" y="52">Replying</text>
<text x="60" y="52">Replying</text> <text x="108" y="52">to</text>
<text x="108" y="52">to</text> <text x="136" y="52">Bob</text>
<text x="136" y="52">Bob</text> <text x="196" y="52">("Handling</text>
<text x="196" y="52">(&quot;Handling</text> <text x="256" y="52">the</text>
<text x="256" y="52">the</text> <text x="296" y="52">Jones</text>
<text x="296" y="52">Jones</text> <text x="364" y="52">Contract")</text>
<text x="364" y="52">Contract&quot;)</text> <text x="436" y="68">Send</text>
<text x="436" y="68">Send</text> <text x="72" y="84">To:</text>
<text x="72" y="84">To:</text> <text x="120" y="84">Bob</text>
<text x="120" y="84">Bob</text> <text x="208" y="84">&lt;bob@example.net&gt;</text>
<text x="208" y="84">&lt;bob@example.net&gt;</text> <text x="52" y="116">Subject:</text>
<text x="52" y="116">Subject:</text> <text x="120" y="116">Re:</text>
<text x="120" y="116">Re:</text> <text x="172" y="116">Handling</text>
<text x="172" y="116">Handling</text> <text x="224" y="116">the</text>
<text x="224" y="116">the</text> <text x="264" y="116">Jones</text>
<text x="264" y="116">Jones</text> <text x="324" y="116">contract</text>
<text x="324" y="116">contract</text> <text x="28" y="164">On</text>
<text x="28" y="164">On</text> <text x="60" y="164">Wed,</text>
<text x="60" y="164">Wed,</text> <text x="92" y="164">11</text>
<text x="92" y="164">11</text> <text x="120" y="164">Jan</text>
<text x="120" y="164">Jan</text> <text x="156" y="164">2023</text>
<text x="156" y="164">2023</text> <text x="212" y="164">16:08:43</text>
<text x="212" y="164">16:08:43</text> <text x="276" y="164">-0500,</text>
<text x="276" y="164">-0500,</text> <text x="320" y="164">Bob</text>
<text x="320" y="164">Bob</text> <text x="364" y="164">wrote:</text>
<text x="364" y="164">wrote:</text> <text x="24" y="196">&gt;</text>
<text x="24" y="196">&gt;</text> <text x="60" y="196">Please</text>
<text x="60" y="196">Please</text> <text x="116" y="196">review</text>
<text x="116" y="196">review</text> <text x="160" y="196">and</text>
<text x="160" y="196">and</text> <text x="208" y="196">approve</text>
<text x="208" y="196">approve</text> <text x="252" y="196">or</text>
<text x="252" y="196">or</text> <text x="296" y="196">decline</text>
<text x="296" y="196">decline</text> <text x="340" y="196">by</text>
<text x="340" y="196">by</text> <text x="392" y="196">Thursday,</text>
<text x="392" y="196">Thursday,</text> <text x="24" y="212">&gt;</text>
<text x="24" y="212">&gt;</text> <text x="52" y="212">it's</text>
<text x="52" y="212">it's</text> <text x="112" y="212">critical!</text>
<text x="112" y="212">critical!</text> <text x="24" y="228">&gt;</text>
<text x="24" y="228">&gt;</text> <text x="24" y="244">&gt;</text>
<text x="24" y="244">&gt;</text> <text x="64" y="244">Thanks,</text>
<text x="64" y="244">Thanks,</text> <text x="24" y="260">&gt;</text>
<text x="24" y="260">&gt;</text> <text x="48" y="260">Bob</text>
<text x="48" y="260">Bob</text> <text x="24" y="276">&gt;</text>
<text x="24" y="276">&gt;</text> <text x="24" y="292">&gt;</text>
<text x="24" y="292">&gt;</text> <text x="44" y="292">--</text>
<text x="44" y="292">--</text> <text x="24" y="308">&gt;</text>
<text x="24" y="308">&gt;</text> <text x="48" y="308">Bob</text>
<text x="48" y="308">Bob</text> <text x="100" y="308">Gonzalez</text>
<text x="100" y="308">Gonzalez</text> <text x="24" y="324">&gt;</text>
<text x="24" y="324">&gt;</text> <text x="56" y="324">ACME,</text>
<text x="56" y="324">ACME,</text> <text x="100" y="324">Inc.</text>
<text x="100" y="324">Inc.</text> <text x="28" y="356">--</text>
<text x="28" y="356">--</text> <text x="40" y="372">Alice</text>
<text x="40" y="372">Alice</text> <text x="96" y="372">Jenkins</text>
<text x="96" y="372">Jenkins</text> <text x="40" y="388">ACME,</text>
<text x="40" y="388">ACME,</text> <text x="84" y="388">Inc.</text>
<text x="84" y="388">Inc.</text> </g>
</g> </svg>
</svg> </artwork>
</artwork><artwork type="ascii-art"><![CDATA[ <artwork type="ascii-art"><![CDATA[
.--------------------------------------------------------. .--------------------------------------------------------.
| Replying to Bob ("Handling the Jones Contract") .----. | | Replying to Bob ("Handling the Jones Contract") .----. |
| +-----------------------------------+ | Send | | | +-----------------------------------+ | Send | |
| To: | Bob <bob@example.net> | '----' | | To: | Bob <bob@example.net> | '----' |
| +-----------------------------------+---------+ | | +-----------------------------------+---------+ |
| Subject: | Re: Handling the Jones contract | | | Subject: | Re: Handling the Jones contract | |
| +---------------------------------------------+ | | +---------------------------------------------+ |
+----------------------------------------------------------+ +----------------------------------------------------------+
| On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote: | | On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote: |
| | | |
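Review bot: comma handling on the new side is inconsistent within this region. Introductory commas are added in "Then, an external Header Section is applied" and "Next, we consider a typical MUA reply interface", but the one after "For this example" is dropped, giving "For this example using S/MIME, it is wrapped in", which now reads as a restrictive phrase. Suggest keeping "For this example, using S/MIME, it is wrapped in" so all three sentences follow the same rule.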
skipping to change at line 11157 skipping to change at line 10829
| > | | > |
| > -- | | > -- |
| > Bob Gonzalez | | > Bob Gonzalez |
| > ACME, Inc. | | > ACME, Inc. |
| | | |
| -- | | -- |
| Alice Jenkins | | Alice Jenkins |
| ACME, Inc. | | ACME, Inc. |
| | | |
+----------------------------------------------------------+ +----------------------------------------------------------+
]]></artwork></artset></figure> ]]></artwork>
</artset>
<t>Note that because Alice's MUA is aware of Header Protection, it knows what th </figure>
e correct <spanx style="verb">Subject</spanx> header is, even though it was obsc <t>Note that because Alice's MUA is aware of Header Protection, it knows
ured. what the correct <tt>Subject</tt> header is, even though it was obscured.
It also knows to avoid including the Legacy Display Element in the quoted/attrib uted text that it includes in the draft reply.</t> It also knows to avoid including the Legacy Display Element in the quoted/attrib uted text that it includes in the draft reply.</t>
<t>Once Alice has edited the reply message, it might look something like
<t>Once Alice has edited the reply message, it might look something like this:</ this:</t>
t> <figure anchor="example-reply-interface">
<name>Example Message Reply Interface (Edited)</name>
<figure title="Example Message Reply Interface (edited)" anchor="example-reply-i <artset>
nterface"><artset><artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" v <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version=
ersion="1.1" height="400" width="488" viewBox="0 0 488 400" class="diagram" text "1.1" height="400" width="488" viewBox="0 0 488 400" class="diagram" text-anchor
-anchor="middle" font-family="monospace" font-size="13px"> ="middle" font-family="monospace" font-size="13px">
<path d="M 8,48 L 8,384" fill="none" stroke="black"/> <path d="M 8,48 L 8,384" fill="none" stroke="black"/>
<path d="M 96,64 L 96,128" fill="none" stroke="black"/> <path d="M 96,64 L 96,128" fill="none" stroke="black"/>
<path d="M 384,64 L 384,96" fill="none" stroke="black"/> <path d="M 384,64 L 384,96" fill="none" stroke="black"/>
<path d="M 464,96 L 464,128" fill="none" stroke="black"/> <path d="M 464,96 L 464,128" fill="none" stroke="black"/>
<path d="M 480,48 L 480,384" fill="none" stroke="black"/> <path d="M 480,48 L 480,384" fill="none" stroke="black"/>
<path d="M 24,32 L 464,32" fill="none" stroke="black"/> <path d="M 24,32 L 464,32" fill="none" stroke="black"/>
<path d="M 424,48 L 448,48" fill="none" stroke="black"/> <path d="M 424,48 L 448,48" fill="none" stroke="black"/>
<path d="M 96,64 L 384,64" fill="none" stroke="black"/> <path d="M 96,64 L 384,64" fill="none" stroke="black"/>
<path d="M 424,80 L 448,80" fill="none" stroke="black"/> <path d="M 424,80 L 448,80" fill="none" stroke="black"/>
<path d="M 96,96 L 464,96" fill="none" stroke="black"/> <path d="M 96,96 L 464,96" fill="none" stroke="black"/>
<path d="M 96,128 L 464,128" fill="none" stroke="black"/> <path d="M 96,128 L 464,128" fill="none" stroke="black"/>
<path d="M 8,144 L 480,144" fill="none" stroke="black"/> <path d="M 8,144 L 480,144" fill="none" stroke="black"/>
<path d="M 8,384 L 480,384" fill="none" stroke="black"/> <path d="M 8,384 L 480,384" fill="none" stroke="black"/>
<path d="M 24,32 C 15.16936,32 8,39.16936 8,48" fill="none" stroke="black"/> <path d="M 24,32 C 15.16936,32 8,39.16936 8,48" fill="none" stro
<path d="M 464,32 C 472.83064,32 480,39.16936 480,48" fill="none" stroke="black" ke="black"/>
/> <path d="M 464,32 C 472.83064,32 480,39.16936 480,48" fill="none
<path d="M 424,48 C 415.16936,48 408,55.16936 408,64" fill="none" stroke="black" " stroke="black"/>
/> <path d="M 424,48 C 415.16936,48 408,55.16936 408,64" fill="none
<path d="M 448,48 C 456.83064,48 464,55.16936 464,64" fill="none" stroke="black" " stroke="black"/>
/> <path d="M 448,48 C 456.83064,48 464,55.16936 464,64" fill="none
<path d="M 424,80 C 415.16936,80 408,72.83064 408,64" fill="none" stroke="black" " stroke="black"/>
/> <path d="M 424,80 C 415.16936,80 408,72.83064 408,64" fill="none
<path d="M 448,80 C 456.83064,80 464,72.83064 464,64" fill="none" stroke="black" " stroke="black"/>
/> <path d="M 448,80 C 456.83064,80 464,72.83064 464,64" fill="none
<g class="text"> " stroke="black"/>
<text x="60" y="52">Replying</text> <g class="text">
<text x="108" y="52">to</text> <text x="60" y="52">Replying</text>
<text x="136" y="52">Bob</text> <text x="108" y="52">to</text>
<text x="196" y="52">(&quot;Handling</text> <text x="136" y="52">Bob</text>
<text x="256" y="52">the</text> <text x="196" y="52">("Handling</text>
<text x="296" y="52">Jones</text> <text x="256" y="52">the</text>
<text x="364" y="52">Contract&quot;)</text> <text x="296" y="52">Jones</text>
<text x="436" y="68">Send</text> <text x="364" y="52">Contract")</text>
<text x="72" y="84">To:</text> <text x="436" y="68">Send</text>
<text x="120" y="84">Bob</text> <text x="72" y="84">To:</text>
<text x="208" y="84">&lt;bob@example.net&gt;</text> <text x="120" y="84">Bob</text>
<text x="52" y="116">Subject:</text> <text x="208" y="84">&lt;bob@example.net&gt;</text>
<text x="120" y="116">Re:</text> <text x="52" y="116">Subject:</text>
<text x="172" y="116">Handling</text> <text x="120" y="116">Re:</text>
<text x="224" y="116">the</text> <text x="172" y="116">Handling</text>
<text x="264" y="116">Jones</text> <text x="224" y="116">the</text>
<text x="324" y="116">contract</text> <text x="264" y="116">Jones</text>
<text x="28" y="164">On</text> <text x="324" y="116">contract</text>
<text x="60" y="164">Wed,</text> <text x="28" y="164">On</text>
<text x="92" y="164">11</text> <text x="60" y="164">Wed,</text>
<text x="120" y="164">Jan</text> <text x="92" y="164">11</text>
<text x="156" y="164">2023</text> <text x="120" y="164">Jan</text>
<text x="212" y="164">16:08:43</text> <text x="156" y="164">2023</text>
<text x="276" y="164">-0500,</text> <text x="212" y="164">16:08:43</text>
<text x="320" y="164">Bob</text> <text x="276" y="164">-0500,</text>
<text x="364" y="164">wrote:</text> <text x="320" y="164">Bob</text>
<text x="24" y="196">&gt;</text> <text x="364" y="164">wrote:</text>
<text x="60" y="196">Please</text> <text x="24" y="196">&gt;</text>
<text x="116" y="196">review</text> <text x="60" y="196">Please</text>
<text x="160" y="196">and</text> <text x="116" y="196">review</text>
<text x="208" y="196">approve</text> <text x="160" y="196">and</text>
<text x="252" y="196">or</text> <text x="208" y="196">approve</text>
<text x="296" y="196">decline</text> <text x="252" y="196">or</text>
<text x="340" y="196">by</text> <text x="296" y="196">decline</text>
<text x="392" y="196">Thursday,</text> <text x="340" y="196">by</text>
<text x="24" y="212">&gt;</text> <text x="392" y="196">Thursday,</text>
<text x="52" y="212">it's</text> <text x="24" y="212">&gt;</text>
<text x="112" y="212">critical!</text> <text x="52" y="212">it's</text>
<text x="36" y="244">I'll</text> <text x="112" y="212">critical!</text>
<text x="72" y="244">get</text> <text x="36" y="244">I'll</text>
<text x="112" y="244">right</text> <text x="72" y="244">get</text>
<text x="148" y="244">on</text> <text x="112" y="244">right</text>
<text x="176" y="244">it,</text> <text x="148" y="244">on</text>
<text x="212" y="244">Bob!</text> <text x="176" y="244">it,</text>
<text x="52" y="276">Regards,</text> <text x="212" y="244">Bob!</text>
<text x="40" y="292">Alice</text> <text x="52" y="276">Regards,</text>
<text x="28" y="324">--</text> <text x="40" y="292">Alice</text>
<text x="40" y="340">Alice</text> <text x="28" y="324">--</text>
<text x="96" y="340">Jenkins</text> <text x="40" y="340">Alice</text>
<text x="40" y="356">ACME,</text> <text x="96" y="340">Jenkins</text>
<text x="84" y="356">Inc.</text> <text x="40" y="356">ACME,</text>
</g> <text x="84" y="356">Inc.</text>
</svg> </g>
</artwork><artwork type="ascii-art"><![CDATA[ </svg>
</artwork>
<artwork type="ascii-art"><![CDATA[
.--------------------------------------------------------. .--------------------------------------------------------.
| Replying to Bob ("Handling the Jones Contract") .----. | | Replying to Bob ("Handling the Jones Contract") .----. |
| +-----------------------------------+ | Send | | | +-----------------------------------+ | Send | |
| To: | Bob <bob@example.net> | '----' | | To: | Bob <bob@example.net> | '----' |
| +-----------------------------------+---------+ | | +-----------------------------------+---------+ |
| Subject: | Re: Handling the Jones contract | | | Subject: | Re: Handling the Jones contract | |
| +---------------------------------------------+ | | +---------------------------------------------+ |
+----------------------------------------------------------+ +----------------------------------------------------------+
| On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote: | | On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote: |
| | | |
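Review bot: the sentence after the unedited reply figure still reads "the correct <tt>Subject</tt> header is" on the new side, while this revision capitalizes the defined term elsewhere (the list item further down changes "Extract the referenced header fields" to "Extract the referenced Header Fields"). Suggest "the correct <tt>Subject</tt> Header Field is" so the term gets the same treatment here.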
skipping to change at line 11262 skipping to change at line 10937
| I'll get right on it, Bob! | | I'll get right on it, Bob! |
| | | |
| Regards, | | Regards, |
| Alice | | Alice |
| | | |
| -- | | -- |
| Alice Jenkins | | Alice Jenkins |
| ACME, Inc. | | ACME, Inc. |
| | | |
+----------------------------------------------------------+ +----------------------------------------------------------+
]]></artwork></artset></figure> ]]></artwork>
</artset>
<t>When Alice clicks "Send", the MUA generates values for <spanx style="verb">Me </figure>
ssage-ID</spanx>, <spanx style="verb">From</spanx>, and <spanx style="verb">Date <t>When Alice clicks "Send", the MUA generates values for the <tt>Messag
</spanx> Header Fields, populates the <spanx style="verb">In-Reply-To</spanx>, a e-ID</tt>, <tt>From</tt>, and <tt>Date</tt> Header Fields, populates the <tt>In-
nd <spanx style="verb">References</spanx> Header Fields, and also converts the r Reply-To</tt> and <tt>References</tt> Header Fields, and also converts the reply
eply body into the appropriate format.</t> body into the appropriate format.</t>
<section anchor="reply-example-unprotected">
<section anchor="reply-example-unprotected"><name>Unprotected message</name> <name>Unprotected Message</name>
<t>The resulting message would look something like this if it were to
<t>The resulting message would look something like this if it were to be sent wi be sent without any cryptographic protections:</t>
thout any cryptographic protections:</t> <artwork><![CDATA[
<figure><artwork><![CDATA[
Date: Wed, 11 Jan 2023 16:48:22 -0500 Date: Wed, 11 Jan 2023 16:48:22 -0500
From: Alice <alice@example.net> From: Alice <alice@example.net>
To: Bob <bob@example.net> To: Bob <bob@example.net>
Subject: Re: Handling the Jones contract Subject: Re: Handling the Jones contract
Message-ID: <20230111T214822Z.5678@lhp.example> Message-ID: <20230111T214822Z.5678@lhp.example>
In-Reply-To: <20230111T210843Z.1234@lhp.example> In-Reply-To: <20230111T210843Z.1234@lhp.example>
References: <20230111T210843Z.1234@lhp.example> References: <20230111T210843Z.1234@lhp.example>
Content-Type: text/plain; charset="us-ascii" Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0 MIME-Version: 1.0
skipping to change at line 11294 skipping to change at line 10968
> it's critical! > it's critical!
I'll get right on it, Bob! I'll get right on it, Bob!
Regards, Regards,
Alice Alice
-- --
Alice Jenkins Alice Jenkins
ACME, Inc. ACME, Inc.
]]></artwork></figure> ]]></artwork>
<t>Of course, this would leak not only the contents of Alice's message
<t>Of course, this would leak not only the contents of Alice's message, but also but also the contents of Bob's initial message, as well as the <tt>Subject</tt>
the contents of Bob's initial message, as well as the <spanx style="verb">Subje Header Field!
ct</spanx> Header Field!
So Alice's MUA won't do that; it is going to create a signed-and-encrypted messa ge to submit to the network.</t> So Alice's MUA won't do that; it is going to create a signed-and-encrypted messa ge to submit to the network.</t>
</section>
</section> <section anchor="encrypted-with-hcpnoconfidentiality-and-legacy-display"
<section anchor="encrypted-with-hcpnoconfidentiality-and-legacy-display"><name>E >
ncrypted with <spanx style="verb">hcp_no_confidentiality</spanx> and Legacy Disp <name>Encrypted with <tt>hcp_no_confidentiality</tt> and Legacy Displa
lay</name> y</name>
<t>This example assumes that Alice's MUA uses <tt>hcp_no_confidentiali
<t>This example assumes that Alice's MUA uses <spanx style="verb">hcp_no_confide ty</tt>, not <tt>hcp_baseline</tt>.
ntiality</spanx>, not <spanx style="verb">hcp_baseline</spanx>.
That is, by default, it does not obscure or remove any Header Fields, even when encrypting.</t> That is, by default, it does not obscure or remove any Header Fields, even when encrypting.</t>
<t>However, it follows the guidance in <xref target="avoid-leak"/> and
<t>However, it follows the guidance in <xref target="avoid-leak"/>, and will mak will make use of the <tt>HP-Outer</tt> field in the Cryptographic Payload of Bo
e use of the <spanx style="verb">HP-Outer</spanx> field in the Cryptographic Pay b's original message (<xref target="compose-example-payload"/>) to determine wha
load of Bob's original message (<xref target="compose-example-payload"/>) to det t to obscure.</t>
ermine what to obscure.</t> <t>When crafting the Cryptographic Payload, its baseline <iref item="H
CP"/><xref target="header-confidentiality-policy" format="none">HCP</xref> (<tt>
<t>When crafting the Cryptographic Payload, its baseline <iref item="HCP"/><xref hcp_no_confidentiality</tt>) leaves each field untouched.
target="header-confidentiality-policy" format="none">HCP</xref> (<spanx style=" To uphold the confidentiality of the sender's values when replying, the MUA exec
verb">hcp_no_confidentiality</spanx>) leaves each field untouched. utes the following steps (for brevity, only <tt>Subject</tt> and <tt>Message-ID<
To uphold the confidentiality of the sender's values when replying, the MUA exec /tt>/<tt>In-Reply-To</tt> are shown):</t>
utes the following steps (for brevity only <spanx style="verb">Subject</spanx> a <ul spacing="normal">
nd <spanx style="verb">Message-ID</spanx>/<spanx style="verb">In-Reply-To</spanx <li>
> are shown):</t> <t>Extract the referenced Header Fields (see <xref target="extract
ing-headers"/>):
<t><list style="symbols"> </t>
<t>Extract the referenced header fields (see <xref target="extracting-headers" <ul spacing="normal">
/>): <li>
<list style="symbols"> <t><tt>refouter</tt> contains:
<t><spanx style="verb">refouter</spanx> contains: </t>
<list style="symbols"> <ul spacing="normal">
<t><spanx style="verb">Date: Wed, 11 Jan 2023 16:08:43 -0500</spanx></ <li>
t> <t><tt>Date: Wed, 11 Jan 2023 16:08:43 -0500</tt></t>
<t><spanx style="verb">From: Bob &lt;bob@example.net&gt;</spanx></t> </li>
<t><spanx style="verb">To: Alice &lt;alice@example.net&gt;</spanx></t> <li>
<t><spanx style="verb">Subject: [...]</spanx></t> <t><tt>From: Bob &lt;bob@example.net&gt;</tt></t>
<t><spanx style="verb">Message-ID: &lt;20230111T210843Z.1234@lhp.examp </li>
le&gt;</spanx></t> <li>
</list></t> <t><tt>To: Alice &lt;alice@example.net&gt;</tt></t>
<t><spanx style="verb">refprotected</spanx> contains: </li>
<list style="symbols"> <li>
<t><spanx style="verb">Date: Wed, 11 Jan 2023 16:08:43 -0500</spanx></ <t><tt>Subject: [...]</tt></t>
t> </li>
<t><spanx style="verb">From: Bob &lt;bob@example.net&gt;</spanx></t> <li>
<t><spanx style="verb">To: Alice &lt;alice@example.net&gt;</spanx></t> <t><tt>Message-ID: &lt;20230111T210843Z.1234@lhp.example&g
<t><spanx style="verb">Subject: Handling the Jones contract</spanx></t t;</tt></t>
> </li>
<t><spanx style="verb">Message-ID: &lt;20230111T210843Z.1234@lhp.examp </ul>
le&gt;</spanx></t> </li>
</list></t> <li>
</list></t> <t><tt>refprotected</tt> contains:
<t>Apply the response function: </t>
<list style="symbols"> <ul spacing="normal">
<t><spanx style="verb">respond(refouter)</spanx> contains: <li>
<list style="symbols"> <t><tt>Date: Wed, 11 Jan 2023 16:08:43 -0500</tt></t>
<t><spanx style="verb">From: Alice &lt;alice@example.net&gt;</spanx></ </li>
t> <li>
<t><spanx style="verb">To: Bob &lt;bob@example.net&gt;</spanx></t> <t><tt>From: Bob &lt;bob@example.net&gt;</tt></t>
<t><spanx style="verb">Subject: Re: [...]</spanx></t> </li>
<t><spanx style="verb">In-Reply-To: &lt;20230111T210843Z.1234@lhp.exam <li>
ple&gt;</spanx></t> <t><tt>To: Alice &lt;alice@example.net&gt;</tt></t>
<t><spanx style="verb">References: &lt;20230111T210843Z.1234@lhp.examp </li>
le&gt;</spanx></t> <li>
</list></t> <t><tt>Subject: Handling the Jones contract</tt></t>
<t><spanx style="verb">respond(refprotected)</spanx> contains: </li>
<list style="symbols"> <li>
<t><spanx style="verb">From: Alice &lt;alice@example.net&gt;</spanx></ <t><tt>Message-ID: &lt;20230111T210843Z.1234@lhp.example&g
t> t;</tt></t>
<t><spanx style="verb">To: Bob &lt;bob@example.net&gt;</spanx></t> </li>
<t><spanx style="verb">Subject: Re: Handling the Jones contract</spanx </ul>
></t> </li>
<t><spanx style="verb">In-Reply-To: &lt;20230111T210843Z.1234@lhp.exam </ul>
ple&gt;</spanx></t> </li>
<t><spanx style="verb">References: &lt;20230111T210843Z.1234@lhp.examp <li>
le&gt;</spanx></t> <t>Apply the response function:
</list></t> </t>
</list></t> <ul spacing="normal">
<t>Compute the ephemeral <spanx style="verb">response_hcp</spanx> (see <xref t <li>
arget="avoid-leak"/>): <t><tt>respond(refouter)</tt> contains:
<list style="symbols"> </t>
<t>Note that all headers except <spanx style="verb">Subject</spanx> are th <ul spacing="normal">
e same.</t> <li>
<t><spanx style="verb">confmap</spanx> contains only <spanx style="verb">( <t><tt>From: Alice &lt;alice@example.net&gt;</tt></t>
"Subject", "Re: Handling the Jones contract") -&gt; "Re: [...]"</spanx></t> </li>
</list></t> <li>
</list></t> <t><tt>To: Bob &lt;bob@example.net&gt;</tt></t>
</li>
<t>Thus all Header Fields that were <spanx style="verb">signed</spanx> are passe <li>
d through untouched. <t><tt>Subject: Re: [...]</tt></t>
The reply's <spanx style="verb">Subject</spanx> is obscured as <spanx style="ver </li>
b">Subject: Re: [...]</spanx> if and only if the user does not edit the subject <li>
line from that initially proposed by the MUA's reply interface. <t><tt>In-Reply-To: &lt;20230111T210843Z.1234@lhp.example&
If the user edits the subject line, e.g., to <spanx style="verb">Subject: Re: Ha gt;</tt></t>
ndling the Jones contract ASAP</spanx>, the <spanx style="verb">response_hcp</sp </li>
anx> will <em>not</em> obscure it, and instead pass it through in the clear.</t> <li>
<t><tt>References: &lt;20230111T210843Z.1234@lhp.example&g
<t>For stronger header confidentiality, the replying MUA should use a reasonable t;</tt></t>
<iref item="HCP"/><xref target="header-confidentiality-policy" format="none">HC </li>
P</xref> (not <spanx style="verb">hcp_no_confidentiality</spanx>). </ul>
Also recall that the local <iref item="HCP"/><xref target="header-confidentialit </li>
y-policy" format="none">HCP</xref> is applied first, and that <spanx style="verb <li>
">response_hcp</spanx> is only applied to what is left unchanged by the local <i <t><tt>respond(refprotected)</tt> contains:
ref item="HCP"/><xref target="header-confidentiality-policy" format="none">HCP</ </t>
xref>.</t> <ul spacing="normal">
<li>
<section anchor="reply-example-payload"><name>Cryptographic Payload</name> <t><tt>From: Alice &lt;alice@example.net&gt;</tt></t>
</li>
<t>Consequently, the Cryptographic Payload for Alice's reply looks like this:</t <li>
> <t><tt>To: Bob &lt;bob@example.net&gt;</tt></t>
</li>
<figure><artwork><![CDATA[ <li>
<t><tt>Subject: Re: Handling the Jones contract</tt></t>
</li>
<li>
<t><tt>In-Reply-To: &lt;20230111T210843Z.1234@lhp.example&
gt;</tt></t>
</li>
<li>
<t><tt>References: &lt;20230111T210843Z.1234@lhp.example&g
t;</tt></t>
</li>
</ul>
</li>
</ul>
</li>
<li>
<t>Compute the ephemeral <tt>response_hcp</tt> (see <xref target="
avoid-leak"/>):
</t>
<ul spacing="normal">
<li>
<t>Note that all headers except <tt>Subject</tt> are the same.
</t>
</li>
<li>
<t><tt>confmap</tt> contains only <tt>("Subject", "Re: Handlin
g the Jones contract") -&gt; "Re: [...]"</tt></t>
</li>
</ul>
</li>
</ul>
<t>Thus, all Header Fields that were <tt>signed</tt> are passed throug
h untouched.
The reply's <tt>Subject</tt> is obscured as <tt>Subject: Re: [...]</tt> if and o
nly if the user does not edit the Subject line from that initially proposed by t
he MUA's reply interface.
If the user edits the Subject line, e.g., to <tt>Subject: Re: Handling the Jones
contract ASAP</tt>, the <tt>response_hcp</tt> will <em>not</em> obscure it and
instead pass it through in the clear.</t>
<t>For stronger header confidentiality, the replying MUA should use a
reasonable <iref item="HCP"/><xref target="header-confidentiality-policy" format
="none">HCP</xref> (not <tt>hcp_no_confidentiality</tt>).
Also recall that the local <iref item="HCP"/><xref target="header-confidentialit
y-policy" format="none">HCP</xref> is applied first and that <tt>response_hcp</t
t> is only applied to what is left unchanged by the local <iref item="HCP"/><xre
f target="header-confidentiality-policy" format="none">HCP</xref>.</t>
<section anchor="reply-example-payload">
<name>Cryptographic Payload</name>
<t>Consequently, the Cryptographic Payload for Alice's reply looks l
ike this:</t>
<artwork><![CDATA[
Date: Wed, 11 Jan 2023 16:48:22 -0500 Date: Wed, 11 Jan 2023 16:48:22 -0500
From: Alice <alice@example.net> From: Alice <alice@example.net>
To: Bob <bob@example.net> To: Bob <bob@example.net>
Subject: Re: Handling the Jones contract Subject: Re: Handling the Jones contract
Message-ID: <20230111T214822Z.5678@lhp.example> Message-ID: <20230111T214822Z.5678@lhp.example>
In-Reply-To: <20230111T210843Z.1234@lhp.example> In-Reply-To: <20230111T210843Z.1234@lhp.example>
References: <20230111T210843Z.1234@lhp.example> References: <20230111T210843Z.1234@lhp.example>
Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"; Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1";
hp="cipher" hp="cipher"
MIME-Version: 1.0 MIME-Version: 1.0
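Review bot: in the paragraph that now begins "Thus, all Header Fields that were signed", the new text capitalizes "Subject line" as plain prose while the same two sentences mark the field name as <tt>Subject</tt>, so the reader cannot tell whether the reply editor's input box or the Header Field is meant. Keep the lowercase "subject line" for the user-facing input, or mark it up as the field name in both places. The caveat that an edited Subject passes through in the clear is the security-relevant point of this example, and the comma dropped before "and instead pass it through in the clear" makes it easier to miss; consider restoring it.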
skipping to change at line 11401 skipping to change at line 11131
> it's critical! > it's critical!
I'll get right on it, Bob! I'll get right on it, Bob!
Regards, Regards,
Alice Alice
-- --
Alice Jenkins Alice Jenkins
ACME, Inc. ACME, Inc.
]]></artwork></figure> ]]></artwork>
<t>Note the following features:</t>
<t>Note the following features:</t> <ul spacing="normal">
<li>
<t><list style="symbols"> <t>the <tt>hp="cipher"</tt> parameter to <tt>Content-Type</tt></
<t>the <spanx style="verb">hp="cipher"</spanx> parameter to <spanx style="verb t>
">Content-Type</spanx></t> </li>
<t>the appropriate <spanx style="verb">HP-Outer</spanx> Header Field for <span <li>
x style="verb">Subject</spanx>,</t> <t>the appropriate <tt>HP-Outer</tt> Header Field for <tt>Subjec
<t>the <spanx style="verb">hp-legacy-display="1"</spanx> parameter for the <sp t</tt></t>
anx style="verb">Content-Type</spanx></t> </li>
<t>the Legacy Display Element (the simple pseudo-header and its trailing newli <li>
ne) in the Main Body Part.</t> <t>the <tt>hp-legacy-display="1"</tt> parameter for the <tt>Cont
</list></t> ent-Type</tt></t>
</li>
</section> <li>
<section anchor="external-header-section-1"><name>External Header Section</name> <t>the Legacy Display Element (the simple pseudo-header and its
trailing newline) in the Main Body Part</t>
<t>The Cryptographic Payload from <xref target="reply-example-payload"/> is then </li>
wrapped in the appropriate Cryptographic Layers. </ul>
For this example, using S/MIME, it is wrapped in an <spanx style="verb">applicat </section>
ion/pkcs7-mime; smime-type="signed-data"</spanx> layer, which is in turn wrapped <section anchor="external-header-section-1">
in an <spanx style="verb">application/pkcs7-mime; smime-type="enveloped-data"</ <name>External Header Section</name>
spanx> layer.</t> <t>The Cryptographic Payload from <xref target="reply-example-payloa
d"/> is then wrapped in the appropriate Cryptographic Layers.
<t>Then an external Header Section is applied to the outer MIME object, which lo For this example using S/MIME, it is wrapped in an <tt>application/pkcs7-mime; s
oks like this:</t> mime-type="signed-data"</tt> layer, which is in turn wrapped in an <tt>applicati
on/pkcs7-mime; smime-type="enveloped-data"</tt> layer.</t>
<figure><artwork><![CDATA[ <t>Then, an external Header Section is applied to the outer MIME obj
ect, which looks like this:</t>
<artwork><![CDATA[
Date: Wed, 11 Jan 2023 16:48:22 -0500 Date: Wed, 11 Jan 2023 16:48:22 -0500
From: Alice <alice@example.net> From: Alice <alice@example.net>
To: Bob <bob@example.net> To: Bob <bob@example.net>
Subject: Re: [...] Subject: Re: [...]
Message-ID: <20230111T214822Z.5678@lhp.example> Message-ID: <20230111T214822Z.5678@lhp.example>
In-Reply-To: <20230111T210843Z.1234@lhp.example> In-Reply-To: <20230111T210843Z.1234@lhp.example>
References: <20230111T210843Z.1234@lhp.example> References: <20230111T210843Z.1234@lhp.example>
Content-Transfer-Encoding: base64 Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; Content-Type: application/pkcs7-mime; name="smime.p7m";
smime-type="enveloped-data" smime-type="enveloped-data"
MIME-Version: 1.0 MIME-Version: 1.0
]]></artwork></figure> ]]></artwork>
<t>Note that the <tt>Subject</tt> Header Field has been obscured app
<t>Note that the <spanx style="verb">Subject</spanx> Header Field has been obscu ropriately even though <tt>hcp_no_confidentiality</tt> would not have touched it
red appropriately even though <spanx style="verb">hcp_no_confidentiality</spanx> by default.
would not have touched it by default. The output of the CMS enveloping operation is base64 encoded and forms the body
The output of the CMS enveloping operation is base64-encoded and forms the body of the message.</t>
of the message.</t> </section>
</section>
</section> </section>
</section> </section>
</section> <section anchor="rendering-examples">
</section> <name>Rendering Examples</name>
<section anchor="rendering-examples"><name>Rendering Examples</name> <t>This section offers example Cryptographic Payloads (the content within
the Cryptographic Envelope) that contain Legacy Display Elements.</t>
<t>This section offers example Cryptographic Payloads (the content within the Cr <section anchor="example-legacy-display-plain">
yptographic Envelope) that contain Legacy Display Elements.</t> <name>Example text/plain Cryptographic Payload with Legacy Display Eleme
nts</name>
<section anchor="example-legacy-display-plain"><name>Example text/plain Cryptogr <t>Here is a simple one-part Cryptographic Payload (Header Section and b
aphic Payload with Legacy Display Elements</name> ody) of a message that includes Legacy Display Elements:</t>
<artwork><![CDATA[
<t>Here is a simple one-part Cryptographic Payload (Header Section and body) of
a message that includes Legacy Display Elements:</t>
<figure><artwork><![CDATA[
Date: Fri, 21 Jan 2022 20:40:48 -0500 Date: Fri, 21 Jan 2022 20:40:48 -0500
From: Alice <alice@example.net> From: Alice <alice@example.net>
To: Bob <bob@example.net> To: Bob <bob@example.net>
Subject: Dinner plans Subject: Dinner plans
Message-ID: <text-plain-legacy-display@lhp.example> Message-ID: <text-plain-legacy-display@lhp.example>
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"; Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1";
hp="cipher" hp="cipher"
HP-Outer: Date: Fri, 21 Jan 2022 20:40:48 -0500 HP-Outer: Date: Fri, 21 Jan 2022 20:40:48 -0500
HP-Outer: From: Alice <alice@example.net> HP-Outer: From: Alice <alice@example.net>
HP-Outer: To: Bob <bob@example.net> HP-Outer: To: Bob <bob@example.net>
HP-Outer: Subject: [...] HP-Outer: Subject: [...]
HP-Outer: Message-ID: <text-plain-legacy-display@lhp.example> HP-Outer: Message-ID: <text-plain-legacy-display@lhp.example>
Subject: Dinner plans Subject: Dinner plans
Let's meet at Rama's Roti Shop at 8pm and go to the park Let's meet at Rama's Roti Shop at 8pm and go to the park
from there. from there.
]]></artwork></figure> ]]></artwork>
<t>A compatible MUA will recognize the <tt>hp-legacy-display="1"</tt> pa
<t>A compatible MUA will recognize the <spanx style="verb">hp-legacy-display="1" rameter and render the body of the message as:</t>
</spanx> parameter and render the body of the message as:</t> <artwork><![CDATA[
<figure><artwork><![CDATA[
Let's meet at Rama's Roti Shop at 8pm and go to the park Let's meet at Rama's Roti Shop at 8pm and go to the park
from there. from there.
]]></artwork></figure> ]]></artwork>
<t>A legacy decryption-capable MUA that is unaware of this mechanism wil
<t>A legacy decryption-capable MUA that is unaware of this mechanism will ignore l ignore the <tt>hp-legacy-display="1"</tt> parameter and instead render the bod
the <spanx style="verb">hp-legacy-display="1"</spanx> parameter and instead ren y including the Legacy Display Elements:</t>
der the body including the Legacy Display Elements:</t> <artwork><![CDATA[
<figure><artwork><![CDATA[
Subject: Dinner plans Subject: Dinner plans
Let's meet at Rama's Roti Shop at 8pm and go to the park Let's meet at Rama's Roti Shop at 8pm and go to the park
from there. from there.
]]></artwork></figure> ]]></artwork>
</section>
</section> <section anchor="example-legacy-display-html">
<section anchor="example-legacy-display-html"><name>Example text/html Cryptograp <name>Example text/html Cryptographic Payload with Legacy Display Elemen
hic Payload with Legacy Display Elements</name> ts</name>
<t>Here is a modern one-part Cryptographic Payload (Header Section and b
<t>Here is a modern one-part Cryptographic Payload (Header Section and body) of ody) of a message that includes Legacy Display Elements:</t>
a message that includes Legacy Display Elements:</t> <artwork><![CDATA[
<figure><artwork><![CDATA[
Date: Fri, 21 Jan 2022 20:40:48 -0500 Date: Fri, 21 Jan 2022 20:40:48 -0500
From: Alice <alice@example.net> From: Alice <alice@example.net>
To: Bob <bob@example.net> To: Bob <bob@example.net>
Subject: Dinner plans Subject: Dinner plans
Message-ID: <text-html-legacy-display@lhp.example> Message-ID: <text-html-legacy-display@lhp.example>
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"; hp-legacy-display="1"; Content-Type: text/html; charset="us-ascii"; hp-legacy-display="1";
hp="cipher" hp="cipher"
HP-Outer: Date: Fri, 21 Jan 2022 20:40:48 -0500 HP-Outer: Date: Fri, 21 Jan 2022 20:40:48 -0500
HP-Outer: From: Alice <alice@example.net> HP-Outer: From: Alice <alice@example.net>
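Review bot: the closing sentence of the External Header Section example, "Note that the Subject Header Field has been obscured appropriately even though hcp_no_confidentiality would not have touched it by default", gives no pointer to the rule that causes the obscuring. The earlier step of this example that computes response_hcp cites <xref target="avoid-leak"/>; repeating that reference here would let someone reading only this subsection see that the outer "Subject: Re: [...]" comes from the reply handling and not from the local HCP. The change from "base64-encoded" to "base64 encoded" in the same paragraph is fine in predicate position.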
skipping to change at line 11516 skipping to change at line 11239
<html><head><title></title></head><body> <html><head><title></title></head><body>
<div class="header-protection-legacy-display"> <div class="header-protection-legacy-display">
<pre>Subject: Dinner plans</pre> <pre>Subject: Dinner plans</pre>
</div> </div>
<p> <p>
Let's meet at Rama's Roti Shop at 8pm and go to the park Let's meet at Rama's Roti Shop at 8pm and go to the park
from there. from there.
</p> </p>
</body> </body>
</html> </html>
]]></artwork></figure> ]]></artwork>
<t>A compatible MUA will recognize the <tt>hp-legacy-display="1"</tt> pa
<t>A compatible MUA will recognize the <spanx style="verb">hp-legacy-display="1" rameter and mask out the Legacy Display <tt>div</tt>, rendering the body of the
</spanx> parameter and mask out the Legacy Display <spanx style="verb">div</span message as a simple paragraph:</t>
x>, rendering the body of the message as a simple paragraph:</t> <artwork><![CDATA[
<figure><artwork><![CDATA[
Let's meet at Rama's Roti Shop at 8pm and go to the park Let's meet at Rama's Roti Shop at 8pm and go to the park
from there. from there.
]]></artwork></figure> ]]></artwork>
<t>A legacy decryption-capable MUA that is unaware of this mechanism wil
<t>A legacy decryption-capable MUA that is unaware of this mechanism will ignore l ignore the <tt>hp-legacy-display="1"</tt> parameter and instead render the bod
the <spanx style="verb">hp-legacy-display="1"</spanx> parameter and instead ren y including the Legacy Display Elements:</t>
der the body including the Legacy Display Elements:</t> <artwork><![CDATA[
<figure><artwork><![CDATA[
Subject: Dinner plans Subject: Dinner plans
Let's meet at Rama's Roti Shop at 8pm and go to the park Let's meet at Rama's Roti Shop at 8pm and go to the park
from there. from there.
]]></artwork></figure> ]]></artwork>
</section>
</section> </section>
</section> <section anchor="other-schemes">
<section anchor="other-schemes"><name>Other Header Protection Schemes</name> <name>Other Header Protection Schemes</name>
<t>Other Header Protection schemes have been proposed in the past.
<t>Other Header Protection schemes have been proposed in the past. However, those typically have drawbacks such as sparse implementation, known pro
However, those typically have drawbacks such as sparse implementation, known pro blems with legacy interoperability (in particular with rendering), lack of clear
blems with legacy interoperability (in particular with rendering), lack of clear signaling of sender intent, and/or incomplete cryptographic protections.
signalling of sender intent, and/or incomplete cryptographic protections.
This section lists such schemes known at the time of the publication of this doc ument out of historical interest.</t> This section lists such schemes known at the time of the publication of this doc ument out of historical interest.</t>
<section anchor="original-rfc-8551-header-protection">
<section anchor="original-rfc-8551-header-protection"><name>Original RFC 8551 He <name>Original RFC 8551 Header Protection</name>
ader Protection</name> <t>S/MIME <xref target="RFC8551"/> (as well as its predecessors <xref ta
rget="RFC5751"/> and <xref target="RFC3851"/>) defined a form of cryptographic H
<t>S/MIME <xref target="RFC8551"/> (as well as its predecessors <xref target="RF eader Protection that has never reached wide adoption and has significant drawba
C5751"/> and <xref target="RFC3851"/>) defined a form of cryptographic Header Pr cks compared to the mechanism in this document.
otection that has never reached wide adoption, and has significant drawbacks com
pared to the mechanism in this draft.
See <xref target="rfc8551-problems"/> for more discussion of the differences and <xref target="RFC8551HP"/> for guidance on how to handle such a message.</t> See <xref target="rfc8551-problems"/> for more discussion of the differences and <xref target="RFC8551HP"/> for guidance on how to handle such a message.</t>
</section>
</section> <section anchor="pretty-easy-privacy-pep">
<section anchor="pretty-easy-privacy-pep"><name>Pretty Easy Privacy (pEp)</name> <name>Pretty Easy Privacy (pEp)</name>
<t>The pretty Easy privacy (pEp) <xref target="I-D.pep-general"/> projec
<t>The pEp (pretty Easy privacy) <xref target="I-D.pep-general"/> project specif t specifies two different MIME schemes that include Header Protection for Signed
ies two different MIME schemes that include Header Protection for Signed-and-Enc -and-Encrypted email messages in <xref target="I-D.pep-email"/>:
rypted e-mail messages in <xref target="I-D.pep-email"/>:
One scheme -- referred as pEp Email Format 1 (PEF-1) -- is generated towards MUA s not known to be pEp-capable, while the other scheme -- referred as PEF-2 -- is used between MUAs discovered to be compatible with pEp. One scheme -- referred as pEp Email Format 1 (PEF-1) -- is generated towards MUA s not known to be pEp-capable, while the other scheme -- referred as PEF-2 -- is used between MUAs discovered to be compatible with pEp.
Signed-only messages are not recommended in pEp.</t> Signed-only messages are not recommended in pEp.</t>
<t>Although the PEF-2 scheme is only meant to be used between PEF-2-comp
<t>Although the PEF-2 scheme is only meant to be used between PEF-2 compatible M atible MUAs, PEF-2 messages may end up at MUAs unaware of PEF-2 (in which case,
UAs, PEF-2 messages may end up at MUAs unaware of PEF-2 (in which case they typi they typically render badly).
cally render badly). This is due to signaling mechanism limitations.</t>
This is due to signalling mechanism limitations.</t> <t>As the PEF-2 scheme is an enhanced variant of the <iref item="RFC8551
HP"/><xref target="RFC8551HP" format="none">RFC8551HP</xref> scheme (with an add
<t>As the PEF-2 scheme is an enhanced variant of the <iref item="RFC8551HP"/><xr itional MIME Layer), it is similar to the <iref item="RFC8551HP"/><xref target="
ef target="RFC8551HP" format="none">RFC8551HP</xref> scheme (with an additional RFC8551HP" format="none">RFC8551HP</xref> scheme (see <xref target="RFC8551HP"/>
MIME Layer), it is similar to the <iref item="RFC8551HP"/><xref target="RFC8551H ).
P" format="none">RFC8551HP</xref> scheme (see <xref target="RFC8551HP"/>).
The basic PEF-2 MIME structure looks as follows:</t> The basic PEF-2 MIME structure looks as follows:</t>
<artwork><![CDATA[
<figure><artwork><![CDATA[
A └┬╴multipart/encrypted [Outer Message] A └┬╴multipart/encrypted [Outer Message]
B ├─╴application/pgp-encrypted B ├─╴application/pgp-encrypted
C └─╴application/octet-stream inline [Cryptographic Payload] C └─╴application/octet-stream inline [Cryptographic Payload]
D ↧ (decrypts to) D ↧ (decrypts to)
E └┬╴multipart/mixed E └┬╴multipart/mixed
F ├─╴text/plain F ├─╴text/plain
G ├┬╴message/rfc822 G ├┬╴message/rfc822
H │└─╴[Inner Message] H │└─╴[Inner Message]
I └─╴application/pgp-keys I └─╴application/pgp-keys
]]></artwork></figure> ]]></artwork>
<t>The MIME structure at part <tt>H</tt> contains the Inner Message to b
e rendered to the user.</t>
<t>It is possible for a normal MUA to accidentally produce a message tha
t happens to have the same MIME structure as used for PEF-2 messages.
Therefore, a PEF-2 message cannot be identified by the MIME structure alone.</t>
<t>The lack of a mechanism comparable to <tt>HP-Outer</tt> (see <xref ta
rget="hp-outer"/>) makes it impossible for the recipient of a PEF-2 message to s
afely determine which Header Fields are confidential or not while forwarding or
replying to a message (see <xref target="replying"/>).</t>
<t>Note: As this document is not normative for PEF-2 messages, it does n
ot provide any guidance for handling them.
Please see <xref target="I-D.pep-email"/> for more guidance.</t>
</section>
<section anchor="draft-autocrypt-protected-headers">
<name>Protected Email Headers</name>
<t><xref target="I-D.autocrypt-lamps-protected-headers"/> describes a sc
heme similar to the Header Protection scheme specified in this document.
However, instead of adding Legacy Display Elements to existing MIME parts (see <
xref target="ld-text-plain"/>), <xref target="I-D.autocrypt-lamps-protected-head
ers"/> suggests injecting a new MIME element "Legacy Display Part", thus modifyi
ng the MIME structure of the Cryptographic Payload.
These modified Cryptographic Payloads cause significant rendering problems on so
me common Legacy MUAs.</t>
<t>The lack of a mechanism comparable to <tt>hp="cipher"</tt> and <tt>hp
="clear"</tt> (see <xref target="hp-parameter"/>) means the recipient of an encr
ypted message as described in <xref target="I-D.autocrypt-lamps-protected-header
s"/> cannot be cryptographically certain whether the sender intended for the mes
sage to be confidential or not.
The lack of a mechanism comparable to <tt>HP-Outer</tt> (see <xref target="hp-ou
ter"/>) makes it impossible for the recipient of an encrypted message as describ
ed in <xref target="I-D.autocrypt-lamps-protected-headers"/> to safely determine
which Header Fields are confidential or not while forwarding or replying to a m
essage (see <xref target="replying"/>).</t>
</section>
</section>
<section anchor="acknowledgments" numbered="false">
<name>Acknowledgements</name>
<t>The MIME structure at part <spanx style="verb">H</spanx> contains the Inner M <!--[rfced] FYI - We alphabetized the names listed in the Acknowledgements
essage to be rendered to the user.</t> section. We believe that was the intent as only two were out of order. Let us
know if you prefer the original order.
-->
<t>It is possible for a normal MUA to accidentally produce a message that happen <t><contact fullname="Alexander Krotov"/> identified the risk of
s to have the same MIME structure as used for PEF-2 messages. <tt>From</tt> address spoofing (see <xref target="from-addr-spoofing"/>)
Therefore, a PEF-2 message cannot be identified by MIME structure alone.</t> and helped provide guidance to MUAs.</t>
<t><contact fullname="Thore Göbel"/> identified significant gaps in
earlier draft versions of this document and proposed concrete, substantial
improvements. Thanks to his contributions, the document is clearer, and
the protocols described herein are more useful.</t>
<t>Additionally, the authors would like to thank the following people
who have provided helpful comments and suggestions for this document:
<contact fullname="Berna Alp"/>, <contact fullname="Bernhard
E. Reiter"/>, <contact fullname="Bron Gondwana"/>, <contact
fullname="Carl Wallace"/>, <contact fullname="Claudio Luck"/>, <contact
fullname="Daniel Huigens"/>, <contact fullname="David Wilson"/>,
<contact fullname="Éric Vyncke"/>, <contact fullname="Hernani
Marques"/>, <contact fullname="juga"/>, <contact fullname="Kelly
Bristol"/>, <contact fullname="Krista Bennett"/>, <contact fullname="Lars
Rohwedder"/>, <contact fullname="Michael StJohns"/>, <contact
fullname="Nicolas Lidzborski"/>, <contact fullname="Orie Steele"/>,
<contact fullname="Paul Wouters"/>, <contact fullname="Peter Yee"/>,
<contact fullname="Phillip Tao"/>, <contact fullname="Robert
Williams"/>, <contact fullname="Rohan Mahy"/>, <contact fullname="Roman
Danyliw"/>, <contact fullname="Russ Housley"/>, <contact fullname="Sofia
Balicka"/>, <contact fullname="Steve Kille"/>, <contact fullname="Volker
Birk"/>, <contact fullname="Warren Kumari"/>, and <contact fullname="Wei
Chuang"/>.</t>
</section>
</back>
<t>The lack of a mechanism comparable to <spanx style="verb">HP-Outer</spanx> (s ee <xref target="hp-outer"/>) makes it impossible for the recipient of a PEF-2 m essage to safely determine which Header Fields are confidential or not, while fo rwarding or replying to a message (see <xref target="replying"/>).</t> <!-- [rfced] We have some questions/comments regarding artwork and sourcecode:
<t>Note: As this document is not normative for PEF-2 messages, it does not provi a) Please review each artwork element and let us know if any should be marked
de any guidance for handling them. as sourcecode (or another element) instead.
Please see <xref target="I-D.pep-email"/> for more guidance.</t>
</section> b) Some artwork elements are marked as type "ascii-art" while others are
<section anchor="draft-autocrypt-protected-headers"><name>"draft-autocrypt" Prot not. Please review and let us know if there are any artwork elements you would
ected Headers</name> like to have marked as "ascii-art".
<t><xref target="I-D.autocrypt-lamps-protected-headers"/> describes a scheme sim c) Since the sourcecode type "text/x-hcp" is not part of the list at
ilar to the Header Protection scheme specified in this document. <https://www.rfc-editor.org/rpc/wiki/doku.php?id=sourcecode-types>,
However, instead of adding Legacy Display Elements to existing MIME parts (see < may we update to sourcecode type "pseudocode"? Note that it is also
xref target="ld-text-plain"/>), "draft-autocrypt" injects a new MIME element "Le acceptable to leave the "type" attribute not set.
gacy Display Part", thus modifying the MIME structure of the Cryptographic Paylo -->
ad.
These modified Cryptographic Payloads cause significant rendering problems on so
me common Legacy MUAs.</t>
<t>The lack of a mechanism comparable to <spanx style="verb">hp="cipher"</spanx> <!-- [rfced] In the html and pdf outputs, the text enclosed in <tt> is output
and <spanx style="verb">hp="clear"</spanx> (see <xref target="hp-parameter"/>) in fixed-width font. In the txt output, there are no changes to the font,
means the recipient of an encrypted "draft-autocrypt" message cannot be cryptogr and the quotation marks have been removed.
aphically certain whether the sender intended for the message to be confidential
or not.
The lack of a mechanism comparable to <spanx style="verb">HP-Outer</spanx> (see
<xref target="hp-outer"/>) makes it impossible for the recipient of an encrypted
"draft-autocrypt" to safely determine which Header Fields are confidential or n
ot, while forwarding or replying to a message (see <xref target="replying"/>).</
t>
</section> In the html and pdf outputs, the text enclosed in <em> is output in
</section> italics. In the txt output, the text enclosed in <em> appears with an
<section anchor="document-changelog"><name>Document Changelog</name> underscore before and after.
<t>[[ RFC Editor: This section is to be removed before publication ]]</t> Please review carefully and let us know if the output is acceptable or if any
updates are needed.
<t><list style="symbols"> Additionally, we note variances with <tt>, for example, Bcc'ed vs.
<t>draft-ietf-lamps-header-protection-25 <list style="symbols"> <tt>Bcc</tt>'ed. Please review let us know if any updates are needed
<t>Address editorial clarifications from IESG review</t> for consistency.
<t>Update acknowledgements</t> -->
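Review bot: the new XML still carries three open [rfced] comment blocks (the Acknowledgements ordering query, the artwork/sourcecode questions a) to c), and the <tt>/<em> rendering query), and each needs an answer and removal before publication. The last block also reads "Please review let us know", which is missing "and". Separately, the new section is declared with anchor="acknowledgments" but named "Acknowledgements"; align the two spellings unless an existing cross-reference depends on the anchor.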
</list></t>
<t>draft-ietf-lamps-header-protection-24 <list style="symbols">
<t>Deal with <spanx style="verb">From</spanx> spoofing risk: when inner an
d outer <spanx style="verb">From</spanx> differ with no valid signature, render
outer <spanx style="verb">From</spanx> and warn</t>
<t>Add test vectors to show historical 8551HP variants</t>
<t>clarify PEF-2 and draft-autocrypt commentary</t>
</list></t>
<t>draft-ietf-lamps-header-protection-23 <list style="symbols">
<t>normalize on "signed-and-encrypted" across the document</t>
<t>replace <spanx style="verb">hcp_strong</spanx> with <spanx style="verb"
>hcp_shy</spanx></t>
<t>Remove "Wrapped Message" scheme</t>
<t>Rename "Injected Headers" to "Header Protection"</t>
<t>Add guidance about From Header Field spoofing risk</t>
<t>offer guidance on handling <iref item="RFC8551HP"/><xref target="RFC855
1HP" format="none">RFC8551HP</xref> messages when received</t>
</list></t>
<t>draft-ietf-lamps-header-protection-22 <list style="symbols">
<t>Reorganize document for better readability.</t>
<t>Add more details about problems with draft-autocrypt.</t>
<t>Rename <spanx style="verb">hcp_minimal</spanx> to <spanx style="verb">h
cp_baseline</spanx>: in addition to obscuring <spanx style="verb">Subject</spanx
>, it now removes other Informational Header Fields <spanx style="verb">Comments
</spanx> and <spanx style="verb">Keywords</spanx>.</t>
<t>Add an example message up front for easier explainability.</t>
<t>Unwrap sample message test vectors.</t>
<t>Name pseudocode algorithms, number steps.</t>
<t>Reply guidance also applies to forwarded messages.</t>
<t><spanx style="verb">hcp_strong</spanx>: stop rewriting <spanx style="ve
rb">Message-Id</spanx>.</t>
</list></t>
<t>draft-ietf-lamps-header-protection-21 <list style="symbols">
<t>HP-Outer mechanism replaces HP-Removed and HP-Obscured.
This enables the recipient to easily calculate the sender's actions around heade
r confidentiality.</t>
<t>Replace Content-Type parameter <spanx style="verb">protected-headers=</
spanx> with <spanx style="verb">hp=</spanx> and <spanx style="verb">hp-scheme=</
spanx>.
The presence of <spanx style="verb">hp=</spanx> indicates that the sender used H
eader Protection according to this document, and the value indicates whether the
sender tried to encrypt and sign the message or just sign it.
<spanx style="verb">hp-scheme="wrapped"</spanx> advises the recipient that they
should look for the protected Header Fields in subtly different place.</t>
<t>Provide a clear algorithm for reasonably safe handling of confidential
headers during Reply and Forward operations.</t>
<t>Do not register the example <iref item="HCP"/><xref target="header-conf
identiality-policy" format="none">HCP</xref> <spanx style="verb">hcp_hide_cc</sp
anx>, rename to <spanx style="verb">hcp_example_hide_cc</spanx></t>
<t>Rename <spanx style="verb">hcp_null</spanx> to <spanx style="verb">hcp_
no_confidentiality</spanx></t>
<t>Provide a clear algorithm for the recipient to compute the protection s
tate of each Header Field.</t>
</list></t>
<t>draft-ietf-lamps-header-protection-20 <list style="symbols">
<t>clarify IANA guidance about registration policy and designated expert r
eview</t>
<t>emphasize that Content-Type parameter hp-legacy-display=1 belongs on al
l main body parts with a legacy display element</t>
<t>clean up/normalize pseudocode variable names and text (no algorithm cha
nges)</t>
</list></t>
<t>draft-ietf-lamps-header-protection-19 <list style="symbols">
<t>improve text, capitalize defined terms, fix typos</t>
<t>Clean up from AD review:</t>
<t>updates RFC 8551 explicitly</t>
<t>add "Legacy Signed Message" and "Ordinary User" explicitly to terms</t>
<t>tighten up SHOULDs/MUSTs for conformant MUAs</t>
<t>expand references to other relevant Security Considerations</t>
<t>drop nudge about non-existent Content-Type Parameters registry</t>
<t>clarify IANA notes to align with table columns</t>
<t>explicitly request <iref item="HCP"/><xref target="header-confidentiality-policy" format="none">HCP</xref> registry</t>
<t>add references to other header protection schemes, but move all of them to appendix</t>
</list></t>
<t>draft-ietf-lamps-header-protection-18 <list style="symbols">
<t>only allow US-ASCII as modified output of <iref item="HCP"/><xref target="header-confidentiality-policy" format="none">HCP</xref>, adjusted ABNF to match</t>
</list></t>
<t>draft-ietf-lamps-header-protection-17 <list style="symbols">
<t>More edits from WGLC:</t>
<t>clean up definition of "Header Field"</t>
<t>note leakage of encrypted recipient hints</t>
<t>clarify explanation of LDE generation</t>
<t>clarify how some obscured headers might not actually be private</t>
</list></t>
<t>draft-ietf-lamps-header-protection-16 <list style="symbols">
<t>correct variable names in message composition algorithms</t>
<t>make text more readable</t>
</list></t>
<t>draft-ietf-lamps-header-protection-15 <list style="symbols">
<t>include clarifications, typos, etc from comments received during WGLC</t>
</list></t>
<t>draft-ietf-lamps-header-protection-14 <list style="symbols">
<t>provide section references for draft-ietf-lamps-e2e-mail-guidance</t>
<t>encourage a future IANA named <iref item="HCP"/><xref target="header-confidentiality-policy" format="none">HCP</xref> registry if <iref item="HCP"/><xref target="header-confidentiality-policy" format="none">HCP</xref> development takes off</t>
</list></t>
<t>draft-ietf-lamps-header-protection-13 <list style="symbols">
<t>Retitle from "Header Protection for S/MIME" to "Header Protection for Cryptographically Protected E-mail"</t>
</list></t>
<t>draft-ietf-lamps-header-protection-12 <list style="symbols">
<t><bcp14>MUST</bcp14> produce HP-Obscured and HP-Removed when generating encrypted messages with non-null <iref item="HCP"/><xref target="header-confidentiality-policy" format="none">HCP</xref></t>
<t>Wrapped Message: move from forwarded=no to protected-headers=wrapped</t>
<t>Wrapped Message: recommend Content-Disposition: inline</t>
</list></t>
<t>draft-ietf-lamps-header-protection-11 <list style="symbols">
<t>Remove most of the Bcc text (transferred general discussion to e2e-mail-guidance)</t>
<t>Fix bug in algorithm for generating HP-Obscured and HP-Removed</t>
<t>More detail about handling Reply messages</t>
<t>Considerations around handling risky Legacy Display Elements</t>
<t>Narrative descriptions of some worked examples</t>
<t>Describe potential leaks to recipients</t>
<t>Clarify debugging/troubleshooting UX affordances</t>
</list></t>
<t>draft-ietf-lamps-header-protection-10 <list style="symbols">
<t>Clarify that <iref item="HCP"/><xref target="header-confidentiality-policy" format="none">HCP</xref> doesn't apply to Structural Header Fields</t>
<t>Drop out-of-date "Open Issues" section</t>
<t>Brief commentary on UI of messages with intermediate/mixed protections</t>
<t>Deprecation prospects for messages without protected headers</t>
<t>Describe generating replies to encrypted messages with stronger <iref item="HCP"/><xref target="header-confidentiality-policy" format="none">HCP</xref></t>
</list></t>
<t>draft-ietf-lamps-header-protection-09 <list style="symbols">
<t>clarify terminology</t>
<t>add privacy and security considerations</t>
<t>clarify <iref item="HCP"/><xref target="header-confidentiality-policy" format="none">HCP</xref> examples and baselines</t>
<t>recommend hcp_minimal as default <iref item="HCP"/><xref target="header-confidentiality-policy" format="none">HCP</xref></t>
<t>add HP-Obscured and HP-Removed (avoids reasoning about differences
between outside and inside the Cryptographic Envelope)</t>
<t>regenerated test vectors</t>
</list></t>
<t>draft-ietf-lamps-header-protection-08 <list style="symbols">
<t><bcp14>MUST</bcp14> compose injected headers, <bcp14>MAY</bcp14> compose wrapped messages</t>
<t><bcp14>MUST</bcp14> parse both schemes</t>
<t>clean up and restructure document</t>
</list></t>
<t>draft-ietf-lamps-header-protection-07 <list style="symbols">
<t>move from legacy display MIME part to legacy display elements within main body part</t>
</list></t>
<t>draft-ietf-lamps-header-protection-06 <list style="symbols">
<t>document observed problems with legacy MUAs</t>
<t>avoid duplicated outer Message-IDs in hcp_strong test vectors</t>
</list></t>
<t>draft-ietf-lamps-header-protection-05 <list style="symbols">
<t>fix multipart/signed wrapped test vectors</t>
</list></t>
<t>draft-ietf-lamps-header-protection-04 <list style="symbols">
<t>add test vectors</t>
<t>add "problems with Injected Messages" subsection</t>
</list></t>
<t>draft-ietf-lamps-header-protection-03 <list style="symbols">
<t>dkg takes over from Bernie as primary author</t>
<t>Add Usability section</t>
<t>describe two distinct formats "Wrapped Message" and "Injected Headers"</t>
<t>Introduce <iref item="Header Confidentiality Policy"/><xref target="header-confidentiality-policy" format="none">Header Confidentiality Policy</xref> model</t>
<t>Overhaul message composition guidance</t>
<t>Simplify document creation workflow, move public face to gitlab</t>
</list></t>
<t>draft-ietf-lamps-header-protection-02 <list style="symbols">
<t>editorial changes / improve language</t>
</list></t>
<t>draft-ietf-lamps-header-protection-01 <list style="symbols">
<t>Add DKG as co-author</t>
<t>Partial Rewrite of Abstract and Introduction [HB/AM/DKG]</t>
<t>Adding definitions for Cryptographic Layer, Cryptographic
Payload, and Cryptographic Envelope (reference to
<xref target="I-D.ietf-lamps-e2e-mail-guidance"/>) [DKG]</t>
<t>Enhanced MITM Definition to include Machine- /
Meddler-in-the-middle [HB]</t>
<t>Relaxed definition of Original message, which may not be of type
"message/rfc822" [HB]</t>
<t>Move "memory hole" option to the Appendix (on request by Chair to
only maintain one option in the specification) [HB]</t>
<t>Updated Scope of Protection Levels according to WG discussion
during IETF-108 [HB]</t>
<t>Obfuscation recommendation only for Subject and Message-Id and
distinguish between Encrypted and Unencrypted Messages [HB]</t>
<t>Removed (commented out) Header Field Flow Figure (it appeared to
be confusing as it was) [HB]</t>
</list></t>
<t>draft-ietf-lamps-header-protection-00 <list style="symbols">
<t>Initial version (text partially taken over from
draft-ietf-lamps-header-protection-requirements)</t>
</list></t>
</list></t>
<!-- LocalWords: utf docname ipr wg toc sortrefs symrefs Gillmor TW -->
<!-- LocalWords: Kahn Hoeneisen Oberer Graben Winterthur uri Alexey -->
<!-- LocalWords: Isode Middlesex DKIM DMARC cleartext DomainKeys ld -->
<!-- LocalWords: Crypto crypto origbody origheaders hcp pseudocode -->
<!-- LocalWords: ldlist bodypart newheaders newval pre renderer decrypts -->
<!-- LocalWords: affordances subpart's stylesheet FIXME Berna juga -->
<!-- LocalWords: Bernhard Reiter Rohwedder Housley Balicka Kille TZ -->
<!-- LocalWords: Volker Chuang Betreff signenc UI lang IMAP md bcc -->
<!-- LocalWords: Roti Changelog dkg gitlab newbody -->
</section>
</back>
<!--[rfced] We note that the figures in the sections and appendices
listed below are either misaligned slightly and/or have broken
lines in the PDF output (the html and txt outputs display correctly).
To avoid this issue, please let us know if replacing/redrawing
the non-ASCII characters with ASCII characters is possible
(this is commonly done for structure in YANG trees; see
Section 5 of RFC 9731 as an example). Or if you have a
different solution for a fix, please let us know.

Misaligned:
Section 1.9
Section 4.5.1
Section 4.5.2
Section 4.10.1
Appendices C.3.1-C.3.8

Broken Lines:
Appendix C.1.3
Appendix C.1.5
Appendix C.1.6
Appendix C.1.7
Appendix C.1.8
Appendix C.2.2
Appendix C.2.3
Appendix C.2.4
Appendix C.2.5
Appendix C.2.6
Appendices C.3.9-C.3.17
-->
<!-- [rfced] Please review whether any of the notes in this document
should be in the <aside> element. It is defined as "a container for
content that is semantically less important or tangential to the
content that surrounds it" (https://authors.ietf.org/en/rfcxml-vocabulary#aside).
-->

<!--[rfced] Acronyms

a) FYI - We have added an expansion for the following abbreviation
per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please review each
expansion in the document carefully to ensure correctness.

man in the middle (MITM)

b) For the following terms, both the expansion and the acronym are
used throughout the document. Would you like to use the expansion
upon the first mention and the acronym for the rest of the document
for consistency as recommended in the Web Portion of the Style Guide
<https://www.rfc-editor.org/styleguide/part2/#exp_abbrev>?

Header Confidentiality Policy (HCP)
Mail User Agent (MUA)
-->

<!--[rfced] Terminology

a) Throughout the text, the following terminology appears to be used
inconsistently. Please review these occurrences and let us know if/how
they may be made consistent.

Legacy Message vs. Legacy message
Method Signature vs. Method signature
Non-Structural Header Field vs. non-structural Header Field
Outer Header Section vs. outer Header Section
user-facing vs. User-Facing

b) As the following terminology appears to be used inconsistently
throughout the document, may we update to use the form on the right?

header protection > Header Protection

c) In this document, "Header Field" is consistently uppercase; however, it appears
as "header field" (consistently lowercase) in the companion document as well as in
RFCs 2045, 3864, 4021, 5322, and 8551. Please let us know if you would like to make
this term lowercase to match the companion document and referenced RFCs or if you
would like to leave it as is, which is also acceptable. Note that this document
uses "Header Field" about 451 times and "Header Section" about 42 times.

d) Please review instances of the term "NULL" used in this document.
Should they instead be "NUL" (that is, referring to the specific
ASCII control code), "null character", or just "null"?

e) FYI - We updated the document to reflect the forms on the right for
consistency with the RFC Series and companion document. Please let us
know of any objections.
e-mail -> email
electronic email -> email
-->
<!--[rfced] Please review the "Inclusive Language" portion of the online
Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
and let us know if any changes are needed. Updates of this nature typically
result in more precise language, which is helpful for readers.
For example, please consider whether the following should be updated:
- dummy
- man in the middle
- whitespace
In addition, please consider whether "traditional" should be updated for clarity.
While the NIST website
<https://web.archive.org/web/20250203031433/https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8366.pdf>
indicates that this term is potentially biased, it is also ambiguous.
"Traditional" is a subjective term, as it is not the same for everyone.
-->
</rfc> </rfc>
 End of changes. 412 change blocks. 
11355 lines changed or deleted 5304 lines changed or added

This html diff was produced by rfcdiff 1.48.