From bac7d8cf163ddf433215034cf120f45291cca078 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 9 Oct 2023 14:39:38 +0200 Subject: [PATCH 01/31] Start content of verification chapter --- book/source/09-verification.md | 14 ++++++++++++++ book/source/mermaid/09-sigtree.md | 23 +++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 book/source/mermaid/09-sigtree.md diff --git a/book/source/09-verification.md b/book/source/09-verification.md index 52f67f4..b6d8b38 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md 
@@ -10,6 +10,20 @@ SPDX-License-Identifier: CC-BY-SA-4.0 ## When are signatures valid? +The validity of a signature is constrained by a number of conditions. +First and foremost, a signature must be cryptographically correct, meaning the signature as well as the signed information must be intact. +Futhermore, signatures on a certificate form a chain, originating from the certificates primary key down to signatures issued by the certificate. +In order to verify, whether a signature is valid, the whole signature chain must be checked, taking expiration dates, capabilities and revocations into account. + +For example, in order to verify a data signature over a text document, an implementation would need to verify not only the data signature itself, but also the binding signature (and back-signature) of the signing subkey, as well as the direct-key signature on the primary key of the issuer certificate. + +The signature might be invalidated by corruption of the text document, corruption of the data signature packet, expiration or revocation of the primary or signing subkey, or revocation/expiration of the primary User ID. +Furthermore, the signature might not be valid in the first place, due to a missing subkey binding signature, or a missing `SIGN_DATA` keyflag on the subkey binding signature. + +```{include} mermaid/09-sigtree.md +``` + + - Validity as a tree of signatures ## Which signatures take precedence? diff --git a/book/source/mermaid/09-sigtree.md b/book/source/mermaid/09-sigtree.md new file mode 100644 index 0000000..2ef16cd --- /dev/null +++ b/book/source/mermaid/09-sigtree.md 
@@ -0,0 +1,23 @@ +```{mermaid} +flowchart TD + subgraph Certificate + pk["Primary Key"] + uid["#quot;Alice #lt;alice@example.org#gt;#quot;"] + sk["Signing Subkey"] + + usig(["PositiveCertification + PrimaryUserID: true"]) + dksig(["DirectKeySignature"]) + sksig(["SubkeyBindingSignature + KeyFlags: Sign Data + EmbeddedSignature: BackSignature"]) + pk --- usig --> uid + dksig --> pk --- dksig + pk --- sksig --> sk + end + + ds(["Data Signature"]) + data("Data") + + sk --- ds --> data +``` \ No newline at end of file From 6f220c9f398fd1f285c4390cc7057cd0f358c317 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sun, 5 Nov 2023 17:59:32 +0100 Subject: [PATCH 02/31] Feverish signature precedence thought --- book/source/09-verification.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index b6d8b38..c9423db 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md 
@@ -27,3 +27,36 @@ Furthermore, the signature might not be valid in the first place, due to a missi - Validity as a tree of signatures ## Which signatures take precedence? + +An OpenPGP certificate can have multiple signatures with conflicting information in them. +For example, the latest direct-key signature could list "SHA512, SHA384" as hash algorithm preferences, while the latest self-certification of User-ID "Bob" could list "SHA256" only. +For yet another User-ID "Bobby", the self-signature could list no hash algorithm preferences at all. +If the user wants to compose a signed message using the associated OpenPGP key, they need to figure out, which preferences to use. +The specification recommends, that implementations decide which signature takes precendence by the way the certificate is "addressed". +If the user wants to write an email as "Bob", it should consider the signature on "Bob", so SHA256 should be used as hash algorithm. +If instead the user wants to write as "Bobby", the impementation should inspect the self-certification on "Bobby" instead. +However, since this signature does not carry any hash algorithm preferences subpacket, the implementation must fall back to the direct-key signature instead. +The same is true, if the certificate is used without any User-ID as sender. + +But it gets more complicated still. +Algorithm preferences can also "live" on subkey binding signatures, so if the certificate has a dedicated signing subkey, there is yet another signature which could take precendence. +Preferences from the subkey binding signature take precendence over the direct-key signature, but not over self-certifications on the User-ID. + +TODO: Have a table that lists which signatures take precendence in which cases. + +There can be more than one signature on a component. For example, there could be 3 direct-key signatures, e.g. because the user extended the lifespan of their key 2 times already. 
+In general, for each component, only the newest self-signature is "in effect", and older signatures are "shadowed". +For each certificate, there is at most one "active" direct-key signature, for each User-ID at most one active self-certification and for each subkey exactly one subkey binding. +TODO: Direct-Key Signaures can be revoked, canceling them, meaning an older one might get active? + +## +Unfortunately, the OpenPGP packet format allows for quite a lot of flexibility when composing certificates. +User-ID packets for example, are not fixed with regards to their position, which means that an attacker (or canonicalizer) can change the order in which User-IDs appear in the certificates packet sequence. + + + +As a concrete example, consider a certificate with multiple User-IDs, all marked as primary. Or equaly, a certificate with multiple User-IDs of which none is marked as primary. +Clients might apply different heuristics to figure out, which User-ID actually qualifies as the primary User-ID here. + +You might wonder, which signature on the primary key takes precendence in case of multiple signature candidates with conflicting signature subpackets. + From 3276ab79d7dcc6d2a896883ce826f1600c89f6e1 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 8 Nov 2023 11:59:46 +0100 Subject: [PATCH 03/31] Other changes --- book/source/09-verification.md | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index c9423db..747de78 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md 
@@ -10,9 +10,23 @@ SPDX-License-Identifier: CC-BY-SA-4.0 ## When are signatures valid? +There is a difference between signature *correctness* and *validity*. +A signature might be correct, but still disqualify as a valid signature. + The validity of a signature is constrained by a number of conditions. -First and foremost, a signature must be cryptographically correct, meaning the signature as well as the signed information must be intact. -Futhermore, signatures on a certificate form a chain, originating from the certificates primary key down to signatures issued by the certificate. +First and foremost, a signature must be cryptographically correct, meaning the signature, as well as the signed information must be intact. + +### Temporal validity + +A signature is valid only for a constrained period of time. +A hard, lower constraint for the validity period is the creation time of the signature. +An upper constraint might be its expiration time. + +When checking a signature for validity, a reference time is defined. +For an email that might be the signature creation time itself, or the reception date. +For the signature to qualify as valid, it needs to be effective, in other words, the reference time must fall into the period from signature creation to signature expiration. + +Futhermore, signatures on a certificate form a chain, or rather a tree of signatures, originating from the certificates primary key down to signatures issued by the certificate. In order to verify, whether a signature is valid, the whole signature chain must be checked, taking expiration dates, capabilities and revocations into account. For example, in order to verify a data signature over a text document, an implementation would need to verify not only the data signature itself, but also the binding signature (and back-signature) of the signing subkey, as well as the direct-key signature on the primary key of the issuer certificate. 
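Review bot: The re-added paragraph "Futhermore, signatures on a certificate form a chain, or rather a tree of signatures" now sits under the new "### Temporal validity" heading, although it and the data-signature example that follows are about the signature chain, not about time. Give them their own subsection, or move them above "### Temporal validity". Since that line is rewritten here anyway, fix "Futhermore" to "Furthermore" and "the certificates primary key" to "the certificate's primary key". In the temporal section itself, "An upper constraint might be its expiration time" leaves open what the validity period is when no expiration time is set, while the last sentence requires the reference time to fall "into the period from signature creation to signature expiration"; state the no-expiration case explicitly.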
From 6061b037e45946f58d5226a970bce8e65786891e Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 8 Nov 2023 12:53:33 +0100 Subject: [PATCH 04/31] Section about self-authorizing signatures --- book/source/09-verification.md | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index 747de78..24bc783 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md 
@@ -6,7 +6,22 @@ SPDX-License-Identifier: CC-BY-SA-4.0 (verification_chapter)= # Verification - - Self-authenticating data (unhashed subpackets) +Signature verification in the OpenPGP protocol is a complex process. +Some signatures can be verified standalone, while others require the verification of a chain-like structure of other signatures, mostly on the issuers certificate. + +We will call the former category *self-authorizing* signatures. +Typically, self-authorizing signatures are self-signatures, meaning signatures issued by an OpenPGP key over its own components. +Examples for self-authorizing signatures are direct-key self-signatures (0x1F), User-ID self-certifications (0x10-0x13), key-revocation self-signatures (0x20), certification revocation self-signatures (0x30) or signatures used to bind or revoke subkeys (0x18, 0x19, 0x28). + +Examples for signatures which are not self-authorizing are data signatures (0x00, 0x01) and signatures issued over third-party certificates, such as third-party direct-key signatures (0x1F) or key-revocations (0x20), third-party certification or revocation signatures (0x10-0x13, 0x30). +To verify such signatures, it is not sufficient to only look at the signature itself. + +The reason is, that the issuer (sub-) key needs to be authorized to create such a signature. +This authorization typically comes via another self-signature on the key itself. +For example, a data signature over an email body may be issued by a subkey only if that subkey is validly bound to the users certificate via a subkey binding signature, and that binding signature needs to contain a key flags subpacket marking the subkey as **S**igning capable. +Similarly, certification signatures over third-party certificates require the issuer key to carry a self-signature authorizing it to **C**ertify other keys. + +Self-authorizing signatures have no such limitations. ## When are signatures valid? 
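Review bot: The two example lists reuse the same signature type IDs: 0x1F, 0x20, 0x10-0x13 and 0x30 appear both under self-authorizing and under not self-authorizing, told apart only by the words "self-" and "third-party". Say explicitly that the category follows from whether the signature is issued by a key over its own components, not from the type ID, so a reader does not classify by type alone. The removed outline bullet "Self-authenticating data (unhashed subpackets)" has no counterpart in the added text; if unhashed subpackets are still meant to be covered, keep a TODO for them. Minor: "issuers certificate" and "users certificate" need apostrophes, and "The reason is, that" does not take a comma.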
@@ -63,7 +78,7 @@ In general, for each component, only the newest self-signature is "in effect", a For each certificate, there is at most one "active" direct-key signature, for each User-ID at most one active self-certification and for each subkey exactly one subkey binding. TODO: Direct-Key Signaures can be revoked, canceling them, meaning an older one might get active? -## +## Complexity of the packet format Unfortunately, the OpenPGP packet format allows for quite a lot of flexibility when composing certificates. User-ID packets for example, are not fixed with regards to their position, which means that an attacker (or canonicalizer) can change the order in which User-IDs appear in the certificates packet sequence. From 3727176d76609e2dd769562cb441cb26e1b7e572 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 8 Nov 2023 13:10:40 +0100 Subject: [PATCH 05/31] More refinements --- book/source/09-verification.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index 24bc783..d8e6013 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md @@ -9,6 +9,8 @@ SPDX-License-Identifier: CC-BY-SA-4.0 Signature verification in the OpenPGP protocol is a complex process. Some signatures can be verified standalone, while others require the verification of a chain-like structure of other signatures, mostly on the issuers certificate. +## Self-authorizing and non-self-authorizing signatures + We will call the former category *self-authorizing* signatures. Typically, self-authorizing signatures are self-signatures, meaning signatures issued by an OpenPGP key over its own components. Examples for self-authorizing signatures are direct-key self-signatures (0x1F), User-ID self-certifications (0x10-0x13), key-revocation self-signatures (0x20), certification revocation self-signatures (0x30) or signatures used to bind or revoke subkeys (0x18, 0x19, 0x28). 
@@ -22,6 +24,8 @@ For example, a data signature over an email body may be issued by a subkey only Similarly, certification signatures over third-party certificates require the issuer key to carry a self-signature authorizing it to **C**ertify other keys. Self-authorizing signatures have no such limitations. +For example, a certificate consisting only of a primary key and a single key-revocation self-signature contains everything needed to verify the revocation, as key-revocation self-signatures are self-authorizing. +This construct is referred to as a [revocation certificate](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-openpgp-v6-revocation-certi). ## When are signatures valid? 
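Review bot: The link on "revocation certificate" is pinned to draft-ietf-openpgp-crypto-refresh-12 and its fragment is "#name-openpgp-v6-revocation-certi", while the sentence describes the construct without any version scope. Either say that the linked definition is the v6 one, or word the sentence so it is clear which key versions it applies to. A draft-numbered URL will also go stale; consider a reference-style link defined once for the chapter so it can be updated in one place.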
@@ -34,27 +38,23 @@ First and foremost, a signature must be cryptographically correct, meaning the s ### Temporal validity A signature is valid only for a constrained period of time. -A hard, lower constraint for the validity period is the creation time of the signature. +A lower constraint for the validity period is the creation time of the signature. An upper constraint might be its expiration time. When checking a signature for validity, a reference time is defined. For an email that might be the signature creation time itself, or the reception date. For the signature to qualify as valid, it needs to be effective, in other words, the reference time must fall into the period from signature creation to signature expiration. -Futhermore, signatures on a certificate form a chain, or rather a tree of signatures, originating from the certificates primary key down to signatures issued by the certificate. -In order to verify, whether a signature is valid, the whole signature chain must be checked, taking expiration dates, capabilities and revocations into account. +Futhermore, when verifying a signature which is not self-authorizing, other signatures on the certificate need to verified as well to establish authorization. For example, in order to verify a data signature over a text document, an implementation would need to verify not only the data signature itself, but also the binding signature (and back-signature) of the signing subkey, as well as the direct-key signature on the primary key of the issuer certificate. The signature might be invalidated by corruption of the text document, corruption of the data signature packet, expiration or revocation of the primary or signing subkey, or revocation/expiration of the primary User ID. -Furthermore, the signature might not be valid in the first place, due to a missing subkey binding signature, or a missing `SIGN_DATA` keyflag on the subkey binding signature. 
+Furthermore, a non-self-authorizing signature might not be valid in the first place, due to a missing subkey binding signature, or a missing `SIGN_DATA` keyflag on the subkey binding signature. In this case, the signature is not authorized. ```{include} mermaid/09-sigtree.md ``` - -- Validity as a tree of signatures - ## Which signatures take precedence? An OpenPGP certificate can have multiple signatures with conflicting information in them. @@ -79,11 +79,10 @@ For each certificate, there is at most one "active" direct-key signature, for ea TODO: Direct-Key Signaures can be revoked, canceling them, meaning an older one might get active? ## Complexity of the packet format + Unfortunately, the OpenPGP packet format allows for quite a lot of flexibility when composing certificates. User-ID packets for example, are not fixed with regards to their position, which means that an attacker (or canonicalizer) can change the order in which User-IDs appear in the certificates packet sequence. - - As a concrete example, consider a certificate with multiple User-IDs, all marked as primary. Or equaly, a certificate with multiple User-IDs of which none is marked as primary. Clients might apply different heuristics to figure out, which User-ID actually qualifies as the primary User-ID here. From 39c79709bd54a0f4cb303dfe8ee992a2bfc4d433 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 8 Nov 2023 14:36:04 +0100 Subject: [PATCH 06/31] Progress --- book/source/09-verification.md | 66 ++++++++++++++++++++-------------- 1 file changed, 39 insertions(+), 27 deletions(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index d8e6013..ae400f2 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md 
@@ -7,54 +7,66 @@ SPDX-License-Identifier: CC-BY-SA-4.0 # Verification Signature verification in the OpenPGP protocol is a complex process. +There are lots of different factors that can influence the validity of a signature. Some signatures can be verified standalone, while others require the verification of a chain-like structure of other signatures, mostly on the issuers certificate. - -## Self-authorizing and non-self-authorizing signatures - -We will call the former category *self-authorizing* signatures. -Typically, self-authorizing signatures are self-signatures, meaning signatures issued by an OpenPGP key over its own components. -Examples for self-authorizing signatures are direct-key self-signatures (0x1F), User-ID self-certifications (0x10-0x13), key-revocation self-signatures (0x20), certification revocation self-signatures (0x30) or signatures used to bind or revoke subkeys (0x18, 0x19, 0x28). - -Examples for signatures which are not self-authorizing are data signatures (0x00, 0x01) and signatures issued over third-party certificates, such as third-party direct-key signatures (0x1F) or key-revocations (0x20), third-party certification or revocation signatures (0x10-0x13, 0x30). -To verify such signatures, it is not sufficient to only look at the signature itself. - -The reason is, that the issuer (sub-) key needs to be authorized to create such a signature. -This authorization typically comes via another self-signature on the key itself. -For example, a data signature over an email body may be issued by a subkey only if that subkey is validly bound to the users certificate via a subkey binding signature, and that binding signature needs to contain a key flags subpacket marking the subkey as **S**igning capable. -Similarly, certification signatures over third-party certificates require the issuer key to carry a self-signature authorizing it to **C**ertify other keys. - -Self-authorizing signatures have no such limitations. 
-For example, a certificate consisting only of a primary key and a single key-revocation self-signature contains everything needed to verify the revocation, as key-revocation self-signatures are self-authorizing. -This construct is referred to as a [revocation certificate](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-openpgp-v6-revocation-certi). +Signatures can be invalid due to the absence or presence of other signatures. +A signature can be valid at one point in time and invalid merely a second later. ## When are signatures valid? -There is a difference between signature *correctness* and *validity*. +As a necessary condition, a valid signature must be cryptographically correct, meaning the signature, as well as the signed information must be intact. +However, there is a difference between signature *correctness* and *validity*. A signature might be correct, but still disqualify as a valid signature. +Put mathematically, the set of valid signatures is a subset of the set of correct signatures. -The validity of a signature is constrained by a number of conditions. -First and foremost, a signature must be cryptographically correct, meaning the signature, as well as the signed information must be intact. +The validity of a correct signature is additionally constrained by a number of conditions: +Most signatures have a limited validity period, constrained by the signature creation- and expiration time. +Furthermore, some signatures need to be *qualified* by another valid signature in order to be considered valid. +Lastly, signatures can be invalidated by revocations. ### Temporal validity A signature is valid only for a constrained period of time. -A lower constraint for the validity period is the creation time of the signature. -An upper constraint might be its expiration time. +A lower constraint for the validity period is the creation time of the signature. 
An exception from this rule are hard revocation signatures, where this lower constraint is dropped. +An upper constraint might be the signatures expiration time. When checking a signature for validity, a reference time is defined. For an email that might be the signature creation time itself, or the reception date. For the signature to qualify as valid, it needs to be effective, in other words, the reference time must fall into the period from signature creation to signature expiration. -Futhermore, when verifying a signature which is not self-authorizing, other signatures on the certificate need to verified as well to establish authorization. +The same reference time must be used when verifying additional qualifying signatures. -For example, in order to verify a data signature over a text document, an implementation would need to verify not only the data signature itself, but also the binding signature (and back-signature) of the signing subkey, as well as the direct-key signature on the primary key of the issuer certificate. +### Self-qualifying and non-self-qualifying signatures -The signature might be invalidated by corruption of the text document, corruption of the data signature packet, expiration or revocation of the primary or signing subkey, or revocation/expiration of the primary User ID. -Furthermore, a non-self-authorizing signature might not be valid in the first place, due to a missing subkey binding signature, or a missing `SIGN_DATA` keyflag on the subkey binding signature. In this case, the signature is not authorized. +Some signatures can be verified on their own, while others require the verification of additional signatures on the issuer certificate. We will call the former category *self-qualifying* signatures. +Typically, self-qualifying signatures are self-signatures, meaning signatures issued by an OpenPGP key over its own components. 
+Examples for self-qualifying signatures are direct-key self-signatures (0x1F), User-ID self-certifications (0x10-0x13), key-revocation self-signatures (0x20), certification revocation self-signatures (0x30) or signatures used to bind or revoke subkeys (0x18, 0x19, 0x28). + +Examples for signatures which are not self-qualifying are data signatures (0x00, 0x01) and signatures issued over third-party certificates, such as third-party direct-key signatures (0x1F) or key-revocations (0x20), third-party certification or revocation signatures (0x10-0x13, 0x30). +To verify such signatures, it is not sufficient to only look at the signature itself. + +The reason is, that the issuer (sub-) key needs to be qualified to create such a signature. +This qualification typically comes via another self-signature on the key itself. +For example, a data signature over an email body may be issued by a subkey only if that subkey is validly bound to the users certificate via a subkey binding signature, and that binding signature needs to contain a key flags subpacket marking the subkey as **S**igning capable. +Similarly, certification signatures over third-party certificates require the issuer key to carry a self-signature qualifying it to **C**ertify other keys. + +Self-qualifying signatures have no such limitations. +For example, a certificate consisting only of a primary key and a single key-revocation self-signature contains everything needed to verify the revocation, as key-revocation self-signatures are self-qualifying. +This construct is referred to as a [revocation certificate](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-openpgp-v6-revocation-certi). + +On the other hand, in order to verify a data signature over a text document, an implementation would need to verify not only the data signature itself, but also the binding signature (and back-signature) of the signing subkey, which qualify the signing subkey. 
```{include} mermaid/09-sigtree.md ``` +### Revocations + +A signature might be *disqualified* by the presence of a revocation signature. +Revocations can be limited in scope, e.g. a subkey-revocation signature only revokes a single subkey. +Moreover, revocations can also be constrained to a certain validity period by including a soft revocation reason and expiration time in the revocation signature. + +TODO: Give guidance, which revocations need to be considered for different types of signatures + ## Which signatures take precedence? An OpenPGP certificate can have multiple signatures with conflicting information in them. From 89f776e6f333124c6f11db4932a64c7fc89acb3d Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 8 Nov 2023 15:24:44 +0100 Subject: [PATCH 07/31] Add line about well-formed-ness --- book/source/09-verification.md | 1 + 1 file changed, 1 insertion(+) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index ae400f2..8691c74 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md @@ -20,6 +20,7 @@ A signature might be correct, but still disqualify as a valid signature. Put mathematically, the set of valid signatures is a subset of the set of correct signatures. The validity of a correct signature is additionally constrained by a number of conditions: +Signatures need to be well-formed, meaning they must contain required signature subpackets in the proper subpacket area and must not contain unknown critical subpackets or notations. Most signatures have a limited validity period, constrained by the signature creation- and expiration time. Furthermore, some signatures need to be *qualified* by another valid signature in order to be considered valid. Lastly, signatures can be invalidated by revocations. From 6388d5c33b1a826caad7212aa08cc1d892e90b03 Mon Sep 17 00:00:00 2001 
From: Paul Schaub Date: Wed, 8 Nov 2023 16:20:07 +0100 Subject: [PATCH 08/31] Complexity, complexity, complexity... --- book/source/09-verification.md | 38 ++++++++++++++++++++++++++++------ 1 file changed, 32 insertions(+), 6 deletions(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index 8691c74..364b351 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md @@ -20,10 +20,14 @@ A signature might be correct, but still disqualify as a valid signature. Put mathematically, the set of valid signatures is a subset of the set of correct signatures. The validity of a correct signature is additionally constrained by a number of conditions: -Signatures need to be well-formed, meaning they must contain required signature subpackets in the proper subpacket area and must not contain unknown critical subpackets or notations. -Most signatures have a limited validity period, constrained by the signature creation- and expiration time. -Furthermore, some signatures need to be *qualified* by another valid signature in order to be considered valid. -Lastly, signatures can be invalidated by revocations. +* well-formedness + Signatures need to be well-formed, meaning they must contain required signature subpackets in the proper subpacket area and must not contain unknown critical subpackets or notations. +* temporal validity + Most signatures have a limited validity period, constrained by the signature creation- and expiration time. +* qualification + Furthermore, some signatures need to be *qualified* by another valid signature in order to be considered valid. +* revocation + Lastly, signatures can be invalidated by revocations. ### Temporal validity 
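Review bot: In the new bullet list, the item bodies still carry the connectives of the former paragraph: "Furthermore, some signatures need to be *qualified*" and "Lastly, signatures can be invalidated by revocations" read oddly as stand-alone list items. Drop "Furthermore," and "Lastly," now that the order is carried by the list. The label and its explanation are also only separated by a line break ("* well-formedness" followed by an indented sentence), which Markdown joins into one paragraph; put the label in emphasis with a colon, or use a definition-style layout, so the term stays visually distinct. "creation- and expiration time" is better written "creation and expiration time".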
@@ -44,10 +48,15 @@ Typically, self-qualifying signatures are self-signatures, meaning signatures is Examples for self-qualifying signatures are direct-key self-signatures (0x1F), User-ID self-certifications (0x10-0x13), key-revocation self-signatures (0x20), certification revocation self-signatures (0x30) or signatures used to bind or revoke subkeys (0x18, 0x19, 0x28). Examples for signatures which are not self-qualifying are data signatures (0x00, 0x01) and signatures issued over third-party certificates, such as third-party direct-key signatures (0x1F) or key-revocations (0x20), third-party certification or revocation signatures (0x10-0x13, 0x30). -To verify such signatures, it is not sufficient to only look at the signature itself. +### Signature qualification + +To verify non-self-qualifying signatures, it is not sufficient to only look at the signature itself. The reason is, that the issuer (sub-) key needs to be qualified to create such a signature. This qualification typically comes via another self-signature on the key itself. + +Instead, a chain of valid signatures from the signature itself to the primary key of the issuer certificate needs to be established. + For example, a data signature over an email body may be issued by a subkey only if that subkey is validly bound to the users certificate via a subkey binding signature, and that binding signature needs to contain a key flags subpacket marking the subkey as **S**igning capable. Similarly, certification signatures over third-party certificates require the issuer key to carry a self-signature qualifying it to **C**ertify other keys. @@ -60,6 +69,9 @@ On the other hand, in order to verify a data signature over a text document, an ```{include} mermaid/09-sigtree.md ``` +### Attribute Shadowing +TODO + ### Revocations A signature might be *disqualified* by the presence of a revocation signature. 
@@ -70,7 +82,21 @@ TODO: Give guidance, which revocations need to be considered for different types ## Which signatures take precedence? -An OpenPGP certificate can have multiple signatures with conflicting information in them. +An OpenPGP certificate or component can have multiple signatures with conflicting information attached to it. + +When verifying a non-self-qualifying signature, an implementation needs to identify self-qualifying signatures on the certificate to qualify that signature. +There might be more than one candidate for such a signature. + +For example, there might be multiple subkey binding signatures for the same subkey. +In general, for each category of signatures, only that with the latest signature creation time is considered and takes precendence. + +Alternatively, there might be competing qualifying signatures of different types, e.g. a direct-key signature and a self-certification signature on a primary User-ID. +In this case, depending on how a key is "addressed", different attributes from both candidates "shadow" another. + +``` +TODO: Replace hash algorithm preferences with AEAD preferences for a more realistic example. +``` + For example, the latest direct-key signature could list "SHA512, SHA384" as hash algorithm preferences, while the latest self-certification of User-ID "Bob" could list "SHA256" only. For yet another User-ID "Bobby", the self-signature could list no hash algorithm preferences at all. If the user wants to compose a signed message using the associated OpenPGP key, they need to figure out, which preferences to use. From 5ab4546144e6b470153d50ef6c72ecdfb61973a1 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 9 Nov 2023 17:22:14 +0100 Subject: [PATCH 09/31] Small changes --- book/source/09-verification.md | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index 364b351..2f0cc30 100644 
--- a/book/source/09-verification.md +++ b/book/source/09-verification.md @@ -7,10 +7,11 @@ SPDX-License-Identifier: CC-BY-SA-4.0 # Verification Signature verification in the OpenPGP protocol is a complex process. -There are lots of different factors that can influence the validity of a signature. -Some signatures can be verified standalone, while others require the verification of a chain-like structure of other signatures, mostly on the issuers certificate. -Signatures can be invalid due to the absence or presence of other signatures. +There are lots of different factors that can influence the validity of a signature, most importantly its expiration date. A signature can be valid at one point in time and invalid merely a second later. +Signatures can be invalid due to the absence or presence of other signatures (e.g. revocations). +Some signatures can be verified standalone, while others require the verification of a chain-like structure of other signatures, mostly on the issuers certificate. + ## When are signatures valid? 
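Review bot: "most importantly its expiration date" in the first added line ranks expiration above every other condition, but the list further down this chapter gives well-formedness, temporal validity, qualification and revocation equal standing, and the very next added line names revocations as another cause of invalidity. Suggest "for example its expiration time", which also matches the "expiration time" wording used under Temporal validity. Since the last sentence is being moved anyway, "issuers certificate" could be corrected to "issuer's certificate" in the same change.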
@@ -21,19 +22,23 @@ Put mathematically, the set of valid signatures is a subset of the set of correc The validity of a correct signature is additionally constrained by a number of conditions: * well-formedness - Signatures need to be well-formed, meaning they must contain required signature subpackets in the proper subpacket area and must not contain unknown critical subpackets or notations. + Signatures need to be well-formed, meaning they must contain required signature subpackets in the proper subpacket area and must not contain unknown critical subpackets or unknown critical notations. +Note: This also means, that a signature might be considered valid by one implementation and be rejected by another. +Some implementations further apply a policy when verifying signatures, putting constraints on used hash- and key algorithms and key strengths. * temporal validity Most signatures have a limited validity period, constrained by the signature creation- and expiration time. * qualification - Furthermore, some signatures need to be *qualified* by another valid signature in order to be considered valid. + Furthermore, some signatures need to be *qualified* by other valid signatures in order to be considered valid. +This is especially the case with signatures created by dedicated signing subkeys, where, in addition to the signature itself, the subkeys binding signature(s) must be verified. * revocation Lastly, signatures can be invalidated by revocations. ### Temporal validity A signature is valid only for a constrained period of time. -A lower constraint for the validity period is the creation time of the signature. An exception from this rule are hard revocation signatures, where this lower constraint is dropped. +A lower constraint for the validity period is the creation time of the signature, meaning a signature only becomes valid after its creation timestamp. An upper constraint might be the signatures expiration time. 
+A special case are hard revocation signatures, where the lower constraint is dropped, so hard revocations are valid since the dawn of time. When checking a signature for validity, a reference time is defined. For an email that might be the signature creation time itself, or the reception date. @@ -52,7 +57,7 @@ Examples for signatures which are not self-qualifying are data signatures (0x00, ### Signature qualification To verify non-self-qualifying signatures, it is not sufficient to only look at the signature itself. -The reason is, that the issuer (sub-) key needs to be qualified to create such a signature. +The reason is, that the issuer (sub-) key needs to be qualified to create such a signature (e.g. because a special key-flag is required). This qualification typically comes via another self-signature on the key itself. Instead, a chain of valid signatures from the signature itself to the primary key of the issuer certificate needs to be established. @@ -70,6 +75,7 @@ On the other hand, in order to verify a data signature over a text document, an ``` ### Attribute Shadowing + TODO ### Revocations From 55396e845218671f1bae2ac0d5c95e2d379c8bce Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 9 Nov 2023 17:29:26 +0100 Subject: [PATCH 10/31] Attribute shadowing --- book/source/09-verification.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index 2f0cc30..bbc7f7c 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md 
@@ -76,7 +76,14 @@ On the other hand, in order to verify a data signature over a text document, an ### Attribute Shadowing -TODO +When determining preferences of a key, different signatures can be inspected. +For example, when using a signing subkey to generate a data signature, the implementation might want to check for hash algorithm preferences on the subkey binding signature. +At the same time, the specification states, that signature subpackets on the direct-key signature of the OpenPGP keys primary key apply to the whole key (therefore also to the signing subkey). + +In this case, the implementation uses the preferences from the subkey binding signature, but if no such subpacket is found on the latest binding signature, it falls back to the preferences of the direct-key signature. +This is called attribute shadowing, since direct-key signature subpackets apply to all subkeys, but are shadowed by binding signature subpackets. + +Note: Attribute shadowing should only be used for algorithm preferences, since there are subpacket types where shadowing makes no sense (e.g. key expiration time subpackets). ### Revocations From bcbbb0d901474a1f187b98a4e7a4ffaaccaf5403 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 9 Nov 2023 19:56:20 +0100 Subject: [PATCH 11/31] Signature shadowing --- book/source/09-verification.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index bbc7f7c..829800e 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md 
@@ -74,7 +74,7 @@ On the other hand, in order to verify a data signature over a text document, an ```{include} mermaid/09-sigtree.md ``` -### Attribute Shadowing +### Attribute shadowing When determining preferences of a key, different signatures can be inspected. For example, when using a signing subkey to generate a data signature, the implementation might want to check for hash algorithm preferences on the subkey binding signature. @@ -85,6 +85,14 @@ This is called attribute shadowing, since direct-key signature subpackets apply Note: Attribute shadowing should only be used for algorithm preferences, since there are subpacket types where shadowing makes no sense (e.g. key expiration time subpackets). +### Signature shadowing + +When inspecting signatures on a component of an OpenPGP certificate, only the newest, effective signature for each function is considered. +In other words; If there are three binding signatures `A, B, C` for a subkey, where `A` was created at `t0`, `B` at `t1` and `C` at `t3` with `t0 < t1 < t2 < t3`, at `t2` an implementation only needs to consider `B`, as `C` is not yet effective. +`A` is therefore shadowed. + +Note: Signature shadowing is not to be mistaken with attribute shadowing. + ### Revocations A signature might be *disqualified* by the presence of a revocation signature. From 7d18cbe76e106e98bff31aac121bd56cb3c0c41c Mon Sep 17 00:00:00 2001 
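Review bot: the added `### Signature shadowing` rule, "only the newest, effective signature for each function is considered", does not say what happens when that newest effective signature is itself unusable at the reference time. In the `A, B, C` example, if `B` has expired or is not well-formed at `t2`, the text leaves open whether `A` becomes relevant again or the subkey is treated as unbound. Implementations that resolve this differently will disagree on validity, so the intended behaviour should be stated, and "effective" should be defined explicitly (the example implies "creation time not after the reference time"). Minor: "In other words; If" should read "In other words, if".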
From: Paul Schaub Date: Thu, 9 Nov 2023 19:59:29 +0100 Subject: [PATCH 12/31] Add some cert validity diagrams --- .../drawio/cert-validity-key-expiration.drawio | 1 + .../drawio/cert-validity-key-expiration.png | Bin 0 -> 40414 bytes book/source/drawio/cert-validity-simple.drawio | 1 + book/source/drawio/cert-validity-simple.png | Bin 0 -> 26776 bytes book/source/drawio/cert-validity-subkey.drawio | 1 + book/source/drawio/cert-validity-subkey.png | Bin 0 -> 51572 bytes 6 files changed, 3 insertions(+) create mode 100644 book/source/drawio/cert-validity-key-expiration.drawio create mode 100644 book/source/drawio/cert-validity-key-expiration.png create mode 100644 book/source/drawio/cert-validity-simple.drawio create mode 100644 book/source/drawio/cert-validity-simple.png create mode 100644 book/source/drawio/cert-validity-subkey.drawio create mode 100644 book/source/drawio/cert-validity-subkey.png diff --git a/book/source/drawio/cert-validity-key-expiration.drawio b/book/source/drawio/cert-validity-key-expiration.drawio new file mode 100644 index 0000000..0f63f6b --- /dev/null +++ b/book/source/drawio/cert-validity-key-expiration.drawio @@ -0,0 +1 @@ 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 \ No newline at end of file 
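Review bot: `cert-validity-key-expiration.drawio` is added as a single line with no trailing newline (`@@ -0,0 +1 @@`, `\ No newline at end of file`), so any later change to the diagram will appear as a one-line replacement that cannot be reviewed. If the editor allows it, save the diagram source as multi-line XML and end the file with a newline. The diffstat also lists only the six `drawio/` files, so none of the new PNGs is referenced from `09-verification.md` in this commit; either add the image references here or say in the commit message that they follow.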
diff --git a/book/source/drawio/cert-validity-key-expiration.png b/book/source/drawio/cert-validity-key-expiration.png new file mode 100644 index 0000000000000000000000000000000000000000..06a202d2dd2e804576d51264ae727c8589081921 GIT binary patch literal 40414
zVh-F!nt-JPT^|v;kWpW6-z1VN5oB1?=?hu{cJOu+nK)sWBYe?%Qb)1GB23ZGk%@6a zd?iu>-FV~sR-Nw=fiwvOXAS$>|93jFNddg1+vt^EV4pzu~#n{@TC;6R4Dl@Q1vzcOkYp{z4E$gvkauP z%48)34T-&!M}5r}q>t_M+jU*gpw`BTkp7k22NC$1@bHO`A}|RFk0(_biQ?@-Bye#f zp8`;@%mZB+Tsln?l~5xnv6>_9g#XkW_(8cKh(NNm&;p6E1|nR!p&tc-t5ZY6^B`cE z0&K^pGMzU{J!$;4z_3f2;&1=X#ip ziC0;TOx>X%6Bg^VGd9>XM-KM~vsc>Xy3f)g+U`H4zApv!%YDPMKn1y&fD=3U_nGnF zP*0YDRqHME93cJ)Is;7xD@0fX?Tb*B1`V$Xj*I00! z7dwIi2QCzdmVEK&;EYFxpqFxh|6~IY6=|nBD2WGPHU-&M?!#fHMQu>{eai&(iep3l zPk?wyd;b)GwF;YfmxMLscO*-9DBdCwSKzctMv=I;A?mv7qY=exFJ+=oEZ#+JnY2YD zG@+=}#-#aZfXxFaLLEM}k0$bIteqGP3eKIqx-8Ic6R!eHyS8-F{sz|bC=fK>au|mF zr+7_vxbTQ55ghHOwbOz0-#cLj2*dkMnC;ZPAbb=GgZ&34kD_f4L~E^Q$ISGTuzw!u z`#iYOH$g-}_~A6Ec)N`i9wndc2 zvJ*bw+UadiF9G+~LRgYP)E~c1t^>qUiNeT)$94^mmxA>V=Br^UIxT@nB+-v2$3DE0 zy(MOcP8rsCU%PWcyITmsQiS#8i7W=s-6r*?ep@|JhYc&kx zquG%jm_!pIG?QnhJ$o9`?kf_DW6aIz;#;$XI`jsQ2;ib+&BuTPOPN1}Jd)*}l2jJu zNt~p9)`jqfb76&Pr?VqHI6>E4S|MGah^E|t-N&p$>Dv@i3>+Gv@~kYva}8dXKQ~K| zTWTYTc(ZBh4O9^&kpQT|7+n}6#{?OrF)ygx4X8L+5E__z4PF&2TwxA_)Xad>&RA;s z5pI`Qnims>x&{OlXfcEcvpCqYY%Dy0he;%fc?-=@kF;B8Lm)0$F10eN-dp+{w*4*& z1d`hlO2`)hky*ppmFYyuoxWuL+^=mGBADXC+a4?g=7G#HjpkcF?oPbA#U9m@yQzsm z@}nEfy!IY^0;E>XR9ygn%V$#VL>_;$DD9dF7*39zdhKrCBs=KG0CHhx2zodpA)-_0XJorA>s zZOpP@sB1;Gd8TmNs2civO0hhstgQSlY5Txpf3Df79#sx8(l7`?#BGNnW}m{l9LElK zh=z4Jn%hQKt2V$pR6mHN6qbb7&d0c!?==kw)xktgP$MCR;|DTM+u?{1Z+N7K`5Zdx zyUcwkkpyn_CN>WRiOsda9DtR1>`3ZMewl8UzxLHeu?b2EWjV1e5Rg1AAAK&tnd=Ug z2W&8VTnK>_CXvnOr>AE+A&Hf_R0DG|qj-xqy@DgOZWzb0+W zJ42VF_u5|Ikc;e|=clH6oA(?NP>R2laWP^Vi*u95#UC}mF4r&i=XV}Qc)HY?O{-0q z#^k;9gLw~kT}$s$&yOEJR&nvAY2R?a^HO=uRA87G^S)sQwZRr54p)R8_&8tjIxh{pW3r%`!JKKAYk)Om}>+2636ynvYt zI4uU6B5dL8n-1zhz>ⅈE^XCVoNLMgRFuh0X5*vsKLRHMqsV5Dbo%yV4-qxk;!}5 z#aECavO~a|dIi)h;$XL{LyWoT1RN2In)0j`lu_WwVFs}4a){;lX^2)RsSpJU`0h)4 z{88-V04}I;p7EeU63GBy(&YxaEhBK&cTXe-J1`{*c^L2}#+^qsxq)R-!-4;dTW5)G VFx`z_sonqp literal 0 HcmV?d00001 
diff --git a/book/source/drawio/cert-validity-simple.drawio b/book/source/drawio/cert-validity-simple.drawio new file mode 100644 index 0000000..991fa94 --- /dev/null +++ b/book/source/drawio/cert-validity-simple.drawio @@ -0,0 +1 @@ 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 \ No newline at end of file 
diff --git a/book/source/drawio/cert-validity-simple.png b/book/source/drawio/cert-validity-simple.png new file mode 100644 index 0000000000000000000000000000000000000000..36ab24ae7ab728abb8afb65003d6ec852e950532 GIT binary patch literal 26776
diff --git a/book/source/drawio/cert-validity-subkey.drawio b/book/source/drawio/cert-validity-subkey.drawio new file mode 100644 index 0000000..f241774 --- /dev/null +++ b/book/source/drawio/cert-validity-subkey.drawio 
@@ -0,0 +1 @@ +7Vtbj+I2GP01SN0HVnGcEPI4MDO70rTqqkjd7qMhBqwxGBkzMP31dRIHkthAoAnjDcsDcr5csM85sb+L6cDhYveFo9X8DxZh2nGdaNeBjx3X7YNQfseG99TgQS81zDiJUhM4GEbkX6yMjrJuSITXhQsFY1SQVdE4YcslnoiCDXHOtsXLpowWf3WFZlgzjCaI6tbvJBJzNSzfOdi/YjKbZ78MHHVmgbKLlWE9RxHb5kzwqQOHnDGRtha7IaYxdhku6X3PR87uO8bxUlS54Yfov/z54jiOz0c4/PLj5fs/X7vZON4Q3agRq96K9wwCzjbLCMdPcTpwsJ0TgUcrNInPbiXn0jYXCyqPgGyqx2Eu8O5oR8F++FI2mC2w4O/yEiWRnurTNod3BuI8h7UHlREpjmf7Rx1gkA2FxCWonAeFkqVsDdaCs9e9MuSgBhHhUoeELeXxmm1ie134ZO+UGraCC7g6XsAAFwRNwdWzGi7XsQ2vwGq8oGsbXn2r8fI82/AKrcbL79mGF6iwCH4gYD3rJnwANMCEo0EmRyyKYKToDRllXFqWLIF0SigtmRAlsxjPiUQIS/sgxo9Ip+xBnViQKIp/xuiNFP2VOhTrF/F3dPx7Jvwbg9/9H3qtWZslaUIdmsDkuzUnTahLE7RXmiCwTZuejr+uztbg74a24a874wK2F38P2Ia/7twLr734+9A2/PVgQfjtxb9nnW9iCj56VCSe8ptszuLmY+I0d19wPJQRptPuSKKHxIbjTuwuxN1Lbxrz7J7MIruVe5Lh4UOOUeqQP8iHCafyjU+7FeH5W2H1XpQEdiAanM+Z5WUmxx6Gz89hqGkywlO0oaIe3YQlv83TZQN9g256TekmcxJP6yYVzF/4jU1SnuoWC7heLO6HiCWWStNi2Xvr76XjfABqikCbU4segF4zy4D6hONdLxz/lnPKjKOISN5Ly1pmfsxlMzBai2aF5Qfnp6HbCgvq4YvGw3qOVnFzsuH0fcDR5BWL84QU2aNojOk3tiYKa4qnIudM/F46vXcqMveDp1gc9z44E0pjj92wrmCz5OzBfvgZBhpjxni/sYAfVqg+3C1j5dSVHYxVyOffLWMwsJGxChWFu2XMCy1kzHM1xv6WKEUaba2JhEEpE+T5nomGmwbDnp6MHsoxqhDmFbeYDhdaSIfu3I0249ckPEi88jYTAn0LCdE32qj3o/V0eIF9dPgVgp+PqSu6gR4YBtC0ojaGjT6Vp3NHd0CWEVnOLsgtHM8iwJ8ki9BgTsDzS9T3deqhifrGcgL+L+/3OF2BjTkBrwJjMwn+6igAajsxGmeXOxcD44HP7pXFGb8xYCpsPbxou69x9S3nGJM0dfo5nWrUctvxx6ms1BNaOEpT17CZylT4aJCTCumQ+jk5n/fNk3HhDH8NEYadQ6ZZvjkefD1kPr3Cnyg7NVKNdO+lGmla8o1iaG7JN/0DQGPoGycLlIwjKTFV5PU3Z/fw8OlqLu2IgJpJVhdXy1BXQd80IzQmAlNlQaMznhTk5CCvy3IJJhpj0gef7onM4isNDctseFMydc8nP52P467HHFlKUQ2MlIr4+zjrw7INv8pAJ/IfwMKwKpOHKZ3dTcoLSLQ5Z+eH9uXsepV2wpSzqj+171EDk8FNi0Xy8PA33+Rc7r/S8Ok/ \ No newline at end of file 
diff --git a/book/source/drawio/cert-validity-subkey.png b/book/source/drawio/cert-validity-subkey.png new file mode 100644 index 0000000000000000000000000000000000000000..6c0571aadb0d660173686e096cd48deccae0aa4e GIT binary patch literal 51572
zQfp_g{+^M*-t-29;|v-z_Q0M4L9;$(G;GUwf}d9oOXSS>x=Rig-=f&alVZRvMS9fP~b3qaE=v49`@hHi>lF*=XQR_?$0!Hiq(RoeZ6YHu>_%CPB;Gay?@ zXY8Y}fBX!@bODe+Z-;l52lKS2Tf{g-*?k>P4tH(u1`!ddI%(pr55j(}uM5%Y0Q41V z-Rqpjm>pM;W-4YdlLC=Dt_HUAd{mN9TXuT zsUQ4Z)8ekQzxvUQYFug;EB&^;(IZ&si%!J2-ZcIpeyo|9?VNax7ER6XoQnvO1 z2vS^8`M?<$cn^U9uxg7+J%CHXfJ90Fq6q9v<*O&pxIo3dezVMXVSErx_t}cBK*^wg zl{8VFTd#EVCg5*>(@?#bFYONa(}%2_E{~FC{0NXIZ@R7GFLW|jV;PyjfpWs`Yt8Y+ z=W9jWgYb?R)XW{AUyeO^-G2*){G@wLXx*z4YIQ8B+Er1ycL`|?xAH-B0~!|tWOVL~ zJ2&+gBJ-C{j`qZS!hw{W=rE;%hO@KGJ60eL)4!{tu5yv#_TFt9b>Y5R`EJmF6_bgC^6L$t$Qi?{rh zox+ZwUh#U(#-)0)&M2vJp72OQwsOhE&L#7;jQjeqbP|(C5+uIj+~cMm@v!&WY;sB+ zdR=EbGgZwmCe4Y`qn>w6tD(%KMWw5_}ec4vj)V29FuORQ9G{)erTH}km9-><6kiUfK8UV~${iFs4?{;{pZ6X#zX z9+64yLmLEJA-0BGAo8OY#c*h@PV01TkdKjUjJ=ats=)jxi;~bRgX=70%iW;?`p$l5wg?}M z>C8L#sSNBR0tNggPENl_SXKMbw3a%;K70}-RY+w*#tNC&tE`TcCSF`z8?6uxV^jve zF|I25rXVITT?>@;*mkFULs^vXYR%J(c{-}~ic06G`tgr;(fu>P@5;?n0b1a>L)#8&c{)W_%p0_O~C52%{OL_J6fP9VMuSLY<~JfuYm*s6FXqW;vN`@ zs%A(@q|5lFa3fL_9mgs|wcY?WXh(salr;{3=c%=0+gkJLzUV`psY$;=oqSc@ENxQN zlzV(!8umVf)NbmZWarCm<0=`;{PJ{Fh`ZYt_+iT)UCn3caSRB@@JA+7nj&*L1yg!X zj)Hf%h2zrWIAg%2p`I?O$HXYc1ym|!8CPN3WsS;hq7MOkNdELaSI(!*%@~jv2;k1E zAoBgUOy-|Z_eYPk=6&~tHGvu(N&L*+3u`o4G!mkHWr5b!VaL; z4Yll2*UHKv`lZW$5s2pR#Vz}g>PBtHbW0%My0kt~2SsGcm<8i2cs4!q)DnsJ6oUH< zEd030sl~U`n0!_O?JG4&==6TsGsH8=PZjhHo;LIu95E^71@}SucPayfcD^;je!tBI zx>J}pO7TBA1nQjrJlAv@uP*+9iv^)I2rxtrEP_`#l11a8?_j!oj>F=$W`%Er2USVe zcfP&m?|E~52k;{bEKvAW6@+cCQ23>P9e5$ZI5tFcTR71F^Z?CoQvCp+O|XkzG~;7g z+ zuzR7;U}S6bt<+9csLIH#M;2zC=!&hr5pH%f3lcvMfy}KA=CL8eoRNG@HpY(8=$-vd zYvVdkfhz2`js?ft?qb)L56PC^*dI9PvmTBq=B{4ODlM6>Fd{73Uym*k3T&)R&?L;$ zI%4;m5tGQ4{!aDK#6+NaGBol|1*=$%^Hk$!avt+~eD>aj3m2{lp;MvG83^tF2c+3_ zCPcs@S>S9kzIVmM0sHPAfXeu_vPe!gTIlqr|19-C6?6Kb;@g8bujl-;Haaj@Y1jXx zzM;V}?1>!uzliKb&1aV)6l)tv4p)q2QsYA!|248WgULQ(a4&Is8#USJr>6AsW*%Ue zbhZcr;7UCxDCpWJX^)jSKuA?cNmW!l{z%41)t&K74o$~(VovV2`zBo)64LlbYhWGH zXV5e@io`A1|Lf6xEHG8bcaP;}0!ixWf?L4b4u~S%!dwZ$#?K(V#*ZIAo>x|lRoN%f 
z{F3teZHk?0l-@K?J1+(y3jV`=<(>KM7+*g>zKy@;sYQOrd?)hb%$NDl?dsNd9EaF-j!hcQD1rG58b;WN8WPmY!W@hRrRz*_Vd z%Y1gzWeB3Q43ssVCAy(ZpVC zu)SCbnAf%5yG5q26FA}Y9Wh)lrF=pD$NQeU+)}!~KIM+TbXXqO-YE`$%|`pySns_f z*!zoeC@%ju4?@-73d8451+E>l97o$9d*7s;t-5*0q=`J{wRAwFk4paSpz7%BJ{MKD zMXa7pw=$o#TR-{NYZashj8VzN>MK8<$>z)<^CDDP70&y?kx? zp_$@{56=^=ol0w%=EzkVtpoTBWmK;cNp#P2!fVT8rbj<6rI7e#mzGi8uJgFv)H)0; zDh5>+0)}e@m@{5rO1m)7t@r!2~Er?2*-KWYA7#Jy!y zl>7TWY5;!`hqUC-B@NQu&3V{+|6+g7|IJzJ ztaIM5WUX;{o=@C)UDtgZUarZ=1fl}!ERIk9)3*Qx_4R=SSj%Om7Wnq{I}Zi$pS~Dj zgPuyZlMQ%YR}fzR(lbK3kmrb>1{2lxtCuUGnUY~vQM^bgkM`wfVvD(tjnGIbNjuk$ z)co%-VkM<=jP1#0S5^?;C=MDbob$jg_RmMh=j@ehNf z9&fH_g7Csx7M&}K?=6YZUFI?0TjWJyy}{|F)W#!nIY3m|evrkMM@-p*>Zia0X`uvy7wvLGU(}aB zJ=u->C{10Nb?e@H2C*o((bA+z+;!nWG;y%JU@u$ahYL<+@4$nOLU~&s6)PKh3n*5W~?R2@h^v+~PC2b>657=J`x@x9T$k#pJD?Q|l? zpQceKb$214$*lY%8yBjKoMi)@X6;KBs2@1CFxcGjyrOcaF(Gx1HOfN{k61f_n|E?A zDn>n!Bd0dmc=Ivp$!z%A7-k(-#+&z%wrd`|o;rV>v{x?#>vTFYAO6<&sb508CnW2} zP+$V9lB&7oI*>2W)j8J>qnn8NnKL8Lm-n&rMNT%?mi@t87gvn1NaH(l0v^NyW_ z_Q|+Iyg4J)2XG~9lR@rE!XUOGut^?+ME-LZ z-rcbwSA|7a;OXfEgAB!YLfv=#vDZb~R6&>0@r9n912V=~N7k*Ej6tlzygo|tjHt5q zSSV$s$Uoe`Z>dZ8;lZfbvb%{vHnqA{w!v?`O??Ac(_qUk337uhp7+u!od&hPJKN$c z)eByUPUsVA&dT2!s9-ytP~XwXy-Z5G&5|5bHh9JmM1ngorje=N14I!BHYZ8x)~;-4YBatFi0e2c80LJmj%JMApLq^x5bNo(l#PA( z5DZ^zO>?SQ#wdRX8Y>RRyf$2V??QP#r<%kSA`x(>2MJ&~fuO!6MSE{$lWysx(y>k> zU!-}Qw)hJBP<@vJzr&Oh<++{KK=NT~YU9E}hO5limqzUzbP7HZ%XiE=%}v?MhFRrW zgc1pg(I*%FSkd>b?q(@nMPQ_(3uW?`r0{R?CPBn6D=|q;#J7VIh)Nu_%d;z1A?a_hENi+f%+kt~!V z5txw8A4W2k+j<}A8cl8WTLP~Wbq8)pM?kaSh%GzdB#0$2^Tbzy6*T)+qoe>a6<$KV zm-;om)U~d$Ky`D6e)O8LCp_0LXK8Gn+j9E-Vt_GSiTqo;66*cgV{#+tSAUkR{@I$C z8`*OdBWzN1*R_vtD7Zh93wwI^_>^2A z%Z~(jO!UI5f^2A=o;m=aT(lF(a(gJ{s}`hICT4R3h~Hjwt`7#7LY2?AM6JcXVaP^c z8bEdVJ?8WXQsMjR?>}D+YcN3^H_+YZi@(+Ma~Hu3cAbycGMIE~ehuE2$N}q-y?0#! 
ztcTnPTt6rwxP9f7d(vnQEN|NAcx-?EE6N06r554>MSCTAUgvAZ)SM+L6T+k*Q;1~( z!Ptf|wLB%u5n|d!?l^8G`9{}kW)(iNzJ6*sT)6h3rQ&aP<6p9j(yJDii?96?k}BKZ z=iFEWjr@RsokH~<;y60xF#~uC;fGs}J4!AS zZam1_v4D_~b%Vs#yK^1mZ9rH+v@jqz%Me=kRMOWR#^YQu$4a8$gU?JZH{?<-P!R5) z&#k>HzDxye?36>N(Rb+X?{(68>q#u6_3F(}3BQYxTg8GmIG85B7lUQaGcN1F$!E)G zXGgwX2~=`8@ULH%zNwK{vE{|S!u^GhhpzcWeisHKJwH1XBGqT_k)7vh*ZiYfZ}xMx znw|BhCfkmRx)^aIWo$iF;JY}NAS!53mq*RV5ea>dNy)dU3nWG@d47Y#c38nijjU`V z;u4ZW z@^aOPPKyI%$;h+xGq*%9hi%#4Sl}c|e%Ezbu_wldZrM(UkwKOvcudB|EZ^K2k40-0 z?d~Z#{kx>-<#yEg^Oi$)wgn^GtG4IY%3{xShbwZ57$mKA=z~!YI+pP>@qt#Kl8-P6 z<9RL4JK@yhS7V)IF@srYXgK|%&LkK#p(Wkx{?BOvcznl2@Xej$wQl?ebR9hj#*9^C zv)oRkg87xMH;l9Gu8}4Ihm(X~+LXV;M!M_1sxck9IpCOIL<7nN9rJ2AA0QeLlcv1D z8QPCT@E+1z(^DzQ%B7~SCZLaX6~q%k;`ziDNdUADpmk7?hCo_%L9p#MqI*h*Qepjj zNHKj@hztJc_*{d1kW0`Xb|69i3K`@qxBi)WVw_Bcf|ODz1?3>oh$mP$BspF|#KHYx z#{79qV!vEOSrkBop=lJa2X0iV$Jod>rBr5Bc&s+gjedZk$r+nZj>Ad_7vw7uU z?Atz0D_YnaeB?Hn%_v{^=G2}*25f@h4x$S(p+^LO$S+a(5EVhuIgMbnAJW8>nRzL1 zMh1AUHHzJ?e(4Z?>W%12ju@J20SBQIXQQ0$^zW_&B1196G&h`9zQ~&99{!0xUeEuM z%mYne08TaotwkOxuo+ptfr;-SII7iAG^Z1xxY|VlWMH&3$&MSSTmZ&Wky4h#+xvIi zR;sx#kW$#I5`Rsn0JV*}Wez=$*Eg008-ubU3TeuvYK649nAKpDtPz;hMg!AVDsp)FgZOlQHg3xu=X_&IT{N*H=O>(fPiJl zdc~`CXIE>RYN&F#(n^_1PD;qICQq)$QdO03z!?%xCDar}QA%}qoY}ZS7+=>;iiRhQ zbl8@Ve7T!Q(lx_w>2PV8aJx0u57$TGP^zct6w(i4IH`X+?+`sHH zG}9Po1<3MfkpqH$s4wQ#Uc*i2rPmdGGfGA4>>SxnCsIB!7nhNNLu663X;Hn0=3nMB zE$Zd^nd+~gcw=#zzorVngBw!JybqqM3Yc`*rZm;43ChuR`?j$!4`l8nNKkuSz;54vHR>Gy#4tsw|2Xxz>n0CU^EsyovHdt z%1OhvXMHhzAhZH~z59!bjvu{}Z=hs$Q9l6cCKwY1z<5YBM=r}zEw@hx(5%UR!r z1ip#j;7nFWrr=Z80 zJkfrkvbrMl?MFe7S7RNIV?tt_^@5@sn@UI0c?TSTVJ<)Cn+i}|-|)Rk7|9OER#wt= zrQ(Ty9sl`QA&wH|GtSkaa`}-?t#Z*@Hd@mHRlB9p9Aq#UF#?Z8iGjvMiHE4+tM4qc zwwNax2{Rb&U3|BAP#@f>#uq;A1+%f)5VPSzS-P_Pk3u1_`%@D@Ng?cSNgum7m;r)# zcW4g!1Je~d*|H#ruIso$)~I{Y zJ=x~H6@MAU4<=|hIwZrvb~U&BJ3;_IB*C0w@K7g;JmfzzQPRF3Rtt zK>$|BA@5rYP{BhOZtw>%PqdpPe{r%h80XEQPQ8=dhF3GYCWHC8$bZ~45D+&3T-~YG zKzx-FLhI5$n9Gnmz)k2440K{m9lov@HI&G^kAo;{m2>|H!91wmVtR(eC}ijVokk(H 
zAAVh=&veoAg?$gEWwRTP%2%crAHPXH{6x}VH61ZUEW5&AZg5XB?9-ChcYJmqB{nzS zT#WKO3DK1KZ)$BPGv6{3K`8%J8Uf=l_u^2|p6v@B-iEwN2l$VzF3;NWqT{||JI~*M z$|g#tCfL>GQ5GjiAnRCpH)WahDM!~RCzr^)=S@iLONuCcM#+-`)c_L&1jVjoUh}eP zPZi5sr@l01qT>B&Ho4QvjCWkaEaZ{+G^uy^44G+NZ~CVI;$duN+R+^uJnaYFi`?!m zq8ZVk4&d~+|8x3@BkixO%zXx)Q?~=}hbtU<;v2sIpgmNAv*A% z-GSBt-g8GA8&(iAQb`?8JVDntP^@4ooB+GCcfzYh9;u*wH@&nQVMNouEKkCV^dFg~ zcmlM5WuF27rS>#4wBqN9mZYJ0X2CG`>tQ>)SEmyZnpXMr0KsAN|C5hvBqqLTc2)Tm zg!hI?_l6}xs7^AEsxk(gsSbe-RxX(QWKTcRLSv^VJDLpE_{)3 z)fVvo<)37kgH9Y~nf2vptme|AQC<)8V3`-U@C=X5pyYPXh*hVMq{3$>X$q>nTa>8s z_ii#uYtC#O_W)}{`|Y1=R1KRU8}g;Y+z*cXwNi&mC}$1ygm!@rQSbMMkPZPI*>XPn z%-Twm-mp7(O4iqzN|oTv5egl&po^n=5MjYAG-{>H;`<>l_^?S|_i?Vc&fFg zYn$l+%r9{VgQRbVokl@km{C`%+$SMnG9OD1`$1od(Wa3xSZrG?;Fnu2wO3pmC#W!# zB#(~YVYp_0KIbT(8CB}Pz0~14_`1^5)4cBZznoOP?PGG^aI=PjGZfDjT(HgoI#_7U zBQ>xa^{?P9SL$b!8-itsvZ-Wcl&AL;0AYpX#BM3aX?0o*aj8!WfX1@7_k$_@B=DAh zs)}a31y#ZJ03 z^BW7yk~CkqzZ+dEgY~AeQ-u_3D0obM86tGvtHs(4Kxw@lpyWNMHfOg^O;#hgfOrh; zqQ}E*sKI+1z8jV2pg~hmTjqSdF?3;Frb}Ed&`cXm} z?5Y%YZFq-E)6{^T&X2f&80>EUF|r89-{L`=rOO>TFoWk~b!JLeGZ*boK$s7E{;*~I z)T7@u(%xLT@>1v4sD%B%hHy3|KOPkx9;?Kv64(1Y|fBGe{J1u*@mUA+G`GuLtc>WV$ zjP{B@d6GI0i)O$p7cnOd?xi!ZbDH$K7#F~HH8BiYdXg&$VhAP5+A_p7e#}gLQLeS! 
z77A49wkgjq0VaZ#unXn$XKzsPMndA!&a|4f_dAyPOt5cEd1kdL0Ab3BjU1bi6heEn zTnSO{e#A!~i5NbwiEwI9;fD7H&0X(_R*yK~)iE*t`%Is#O)!`f42)%xc%<7p9*m0H z#P$P~X@75|=(oc95{#?ho1iXBw0GZxS@bdq$+u^2W0~mUrr%);T_;@04I0`=$O#+J zzwQcQc#is|9;oNV-9UMiXGbiiHX~V;)<@ueR@3iW{gEw`o#=jRV%-H(2-pig!g^H_l?SXPTTD6;VCTb>qgw`Z3PaE$+v)& z`TUQSVE}_aB@S|cbl}MuUF5TGBR@Zjhm{ZhlF|SoD@u^?=U1n`E#1`LCdI`bNkI=k zMb#d!F`)QB#+IxI=poX)A6LS4655d}l2XOF1`zR~R$eW9ulv!|d|^sYi2hz7n7xWE zn6SZFa#tEal?D0bo7d6lf~Zx!oMsFH_;&llcFKXv-A5D2+`sD(LBXT%rN*0)4QFpc=NF zpzqUc<~!S*!Oo?wz_fP&95o;IK-=~Q$P2Hn-LIR49BsO~dIRIMPeT88)K$3$K%<^k zZ<-=6Z-map*iVwG@~?8qXU{PLw9Kw<(a+U=|r4<=p^nnpNt%2N)+P0^=Et55I9#h z|7-)3do!Oy_L|}96>E7BigXf!-{%E6IQyscUR;w2%dNse+zfR92;XuZIl5s#tnnx| zYq1Hax4@gw0b1AoKhECubZ@qX$=KyQ_*%6fJ0mfRUhb#Pu4_XSB?>r|cZ?j<^%PP1 z4)~huiJ{a)QHU$;)&;?4A!JWi$rdo#(f@4g`8NO9RGbUoVp4p{%~jK%03k>8D7Ac1 zMy!*B8js~k^$!g5uHLA%n;w!*S%eN2UJe?A(w0;axKpuDOZV8D)v4*k4-ohWcL9?x zEP!6*)x~NK>`^h)PHYiq{Y90sa?=2{fRv|CqeU5=U-CG}i59atsL{V+mfNtNOP2vU z{L9LZup0(B#V4}Gj$#m_F%FZR^ino^Q1#3I?(zdxJ>7FDqu~E%Ez%QRTuEW11 zHJOHf(y~k*Y2+)4sImQ;0wbiCCjD&8*WBD8AGV@Lx^6&e3JUaXVSct3cffk}Us!-# z!>R%nk|jbwT@xUVjy_19CTtPAmX>euNuI3jcz^#+3-q0>lqY$+T(V(oyzU#MV$6TT z82|p6DnklLK)+#7XAJTby4mF@OiNf?-QT&tzp)O%P=pj9IW0;A*k5@DdU0+dE>&rJa2R3Q7K<^TMPHVYAO z{6741{Qln;nqB#o?g|h(1Z?gVm&j%-Eil|8c3$z}e#73t`SqPqF#P@UOW&>QnH|-Z zug>)PWjxN#&REvn!L+>W9)g&#{iI$07Qoi(TX8-?(Eace+3Q(}eya>`#h))IENZ@h zOCq&6khMKN?dANmgjq0N{~E_k_1o(_S-AjZ8f8TafE%7FyL2?)^X4msk9-M_^l$gt zsEbe5+Y333YNY3(5I9xALG15BmQ?ulB!2aary8&Q<&_>FsISQ~QZ9uhPhMqU%240u zZ9E!WL0A1mVY^$eg>^UCKQ6Hlh11i!Ox!FVNP?HW8mC1(b^vnI?yE+vov3ulR=>YPg3Ck+WN_}A?pA9 zu3deD@Y|whPUkW6(KTuFzA-u^bGpQ*&#tNew;E#=8PM6E99Q2va;p(XP6Nb|d1QXZ zwv}zzN`n211&9VQa=Vo#1lL?FSO!rRuxUwYzioqyHpnQ4dg9p^L#3(tAr?!rYC}L{Oy}5R+%yD?$w+UwjqOpMo&2KAo z=(B%yoXKD4XiwJ-T)#PhmzOE_QND}UZv25(4jfIpy_3(_D{f(Z z#YNlI{5a!%rSOo0&F5VPtDVc@D(ihAm-|EBNA1r(2U=Mwo#^1h^>7_B&Wuh30#Bn` znkhhr^?RhTj6_VMMosB62YsA6p>UIl6!8%w37TuEHw^NOed^TjKxtFSk=e2zbZ9Jd 
zOfgcGo*y7NtV^99AITC#en!4RxDwm;&_PU@`x40&GAH)Pt?S&vR%uDR$_Jzy-w3+c zQT<8Su5?(^rk~7yo6{dRq>e*z#|yU;XgKp{#~Box8*-~Y?seEpYfY=Ut@B-Ib!WMG zAG4rFuIIP?j$dr&J&ADO&?)3Y`jd&y`J`6jH26N%dei7pYMU!HdvousYj^Y%Ac~oP ze|a6zJ8OP1&Hnb>Z9gBSJSH#es%@O7nEx#UMRPOf#o%wr`>{LNpYO5J86S}v9QTO_ zi}+Q9C|^!8nW+&1Wj8Pd*GM?F=%;3VA!ljfiHCsKx$;t0kzJcl>6;rD zTfg^z+2DH43}zIJ&}K0Q*VAugYA8TPA{}ID&AYS5zsPh*O-wELfs5H=pr|krfJ0Tb z6Z^=ms@fdMrYq-096$}1sDmyRJZgUuc)APB3p&P8$E1k4UtHu&9~t(a*J{oBRmAo| zt!tQ@fm%#X-MoJMLMq(q#d`M3CBc&i;nZb8?6V70$9`^>h2aHW*FRz23yw`G<0=$! zAxz!|@Qu(!OdV&wL=rjhS{3)Lo{OtFvsG>U3U%l^6NlB!z^v2LdzFIeYVxDFRp|2q zrTxD89EX+(cbH5XeKem2lmOx;5M!mMJ#>7CH|?^zqm*I&3Lv-*0%EUbC-H;h))3)9 zqKAjs#@BU81^dnHuTTV8*%Fl36U6*{q$m@qu#~$|#o4Ju zO%l$el^;^~8m%wf=Xa8CT1*!k_ubR(Zmw`P=Ike(Q!C*@aD9u?lu5#y{f>iy*~~`% z1*VuJwb)wiCaNo$ji|<1NZ_v9_zA_;>Kw_anNyY%{1rLqJ`?E$7LF#Hv9H}#Ll7fj zi=sRcpYgu&hb)wC>QKGQyYEFtF&QMT*{L{)3T7F56=Ww>tDr}7*N?{wV$dsJTYc^P& zV{QG$Dz<3K6i3W&cF@|i&U@NYprQNQ{77<~W`=AOnxynU*e3*T9+8^cwo!r`F z=9HFg$|;;Cd7;gFFT&fS^s3~U(QGEPLM}ON&tYxMGc7KUgsO+k=K5WR9DO#DJMP;J zKZZa8WG@sn8mZm~209QV-#LMH=3-uGtD&Os_G}6=T5AU}XUp=%0!0xgP!hH5eiZ7a z;fyDBojO3Hg+99za$VkKuj~7`b*pCD8!wm@++>lBW#=U}7~oDLhp-ykT`LvSQz*6k z`=x9FCv0WE7b526eVQ;Pdq;L=JQxg;SgL}IFZfIQCuU9r5zIN1Oq-YRUhkS|@mmyQ zf%oug;tG}Zsj~KojWelhxmqUtl_1&FZ+{3Wsa$)F9{-A$q}0o`TVLoC(CnU`x$Kol zm@tVwz0asU8k`D!_^PYlcmU$9xby$S5~=6Gf0V>)XIq>E?$e5RcoV^|J#TRTx#PvV zwH*|QY$N=)Z!=3nJ*jxeyJ*9WWHVRco|ngjraVJVyhEI6b8~iRpO8>Xg_1KRXrYG! 
zOTTd-r4QNB4@oM-3@jr6Z9^JB=j8y%ZDoKa*$W`>HLaKkUJRziK2XZ`Fvoljs!cdU zRMSz9ac!Ju*kaFZG|bL*_1b4YUX!vVo}GTtEtBw~@0Zu$3pwpkM-n&FOp01iYn9MO z*A65)&qNR>F7Wi6!#W9Li?4Y{YN|=k_*Wa**Xv<(d}Vuo)CJ+o3e|ik3+Um}{aLMU z(uVd{O>WYsp_D6jrKr_zLS^fpIqqK6LYyQ1Tw-eMpZZBJTHRW&9Ow8aw-5ry5w7n_ z8$Du-8pH6hzMY@FgY*}e7d{IlAe1b4+SwoLtFzY0LW98KPz3Y(b%F=lW3P^S+K438 zy~9q>sCQx?)3fLzAU{s(`)UQP*fw+C zk0Jskc2zC4mFPjmpN1AI%z~O0&)m1lOC&X~A^CV2`6xK$n?k|_i|~<<%hrXzuG<99 zs%rr)^gB%kn=&?o_0Yq74?w;*Zu^dSy!?Zt&os@Q8ek=`KFiZ@c2Uk(B(rdQx93ew z{?xW{Acj!f_SdQkajWk5+>OGuR-EjX>0SR>oPnfYm%)|QjU$!HxtvM){V{i3QrK_7 z#r+7YMF)p7dJw*S@+h_(vJKUtNw&nTmGCxQ>wYbf_gP9Ggk8A zpNtRunvX`|;a`1`;dmV_;a;vU`r;^BgX28>RC&ahhA~s<7R#F4_;++py!NrRHGQUQ z}nXpX$|+eLExxJe7W z@5x|M9y4_%>G*wKT9b78K@4)MGk7oh^!B1d+~{xu?%t{MBsr@MKp z#Yxl0e{fIA=R8e4DWLZUz7J867rKG3?O3Mgi`u^Nh-90L!<4A+UZQQ8V$!v`T?FYy zoe-#;ZO0@**vu9EN$q+k#9fLG3^Eza{833~!>J&+S^_TR(qPf(7ZLA@Fr=rS6~jat zR2qZ#23*3yCtO|FARGd9))9QpwEVUouHBaSgP>t9j|Qa$mzCnbHUz_3m@yAMnH`Ik zlkuA#uf6e4sljoYT$$8JXF2+~Qav8ew#!#al~(6`tJdCRXxV!cpN)rGM7p^-#i|vX z+TuKru%63}xMd>kxC{fAqbyrKX*L@Rw@8yUJs+hrLt*^%4pv&v{PG>??4+aXB9A8- zrR`jJhuF9qT05%YYv;j3l-7PV@;EI|Z#1TI;`|YR*`17ajARx}+d*os#$W}shxbZZ zUcQG{n4b?e4#|uzWd5;gm+UWSp|sH3MO`)~C@^A)wos##ONroirq()b&h?;KxzXWs z{eHvFCjkC=42Wg)0n?)d-IFALrw4rX=Wm(CqEQ_p7G&T^OES;I0_$6ouf7ZB&deJ5 zB~fv8GRU5L{sqSQ+#4k#D>y>+yk9;BF9G z`^U{a(Lp{e)lI&JlYG>c&t=k{q6FG~s&p)?R2lhgl4so3ZbrCy6ncAwHW1!Gf^0{T zB|Gie-Xd7Sv{~jArer6bLB_ZDz%u%j<>vHr>&X?o6(jM{N(X`bS3ZKVMt@;8U+%zL zgPlZ=eB!uU2@hPN66GR`t|}8ZQ78N4JnSk2S`V)n0u%A!1L1Sre_~(gJO5n6%^H2% zNiZqd#`4Cl4z>;!;gzF>4$NkGW~%$2lOkfdb%c4fq6W*doklzx@FIDM_#XL8*Aqrg z^pdQ}1ztGnuIH#S{-ldC5e%gkFRU+YUkApe8U$x{BTBK^$y7C`86moaauAxjWp)SI zbWgE7Zb)QEzDUG3fK3XF?XVvpDJnf;(Qw_L4h>%_t%sS7&n<~VWR&gRn3}|K-;3HlIm2r=E z;8H9^V>K9#{t6KRmrGY=^;SQyfa83Bo?!~&*__O4D^b?s=lkq*?8h%O3?Zx{`6u%m4_cC^VbhJJJ?_$9vESLn*5&!oWqvC#_t$Q|UF|;_ZHcsdde1}p z>d8WqhVmZ^aAYwSl~-EF)R@$NH{+G21pEoYrqJ8ni52OqDb9&D_2)jrIBO~zX0 zG1|CteErrc^auTiWJ^D2SY|f>Zb_KGtJq5|=h-M{{T 
z1aRkoF={ido~_w(3Cc1t^i)Y)pCbWQLlP&an2jX}J+US{M~{3-5LmheqkT ztcewvkHaE-rg+^itLR>Y(3@TLtwr@v3sVC@`cPs2$j}4kPwg~SHvM$}{QtwG1 zf*gcveKt*?kL3+okCyBfGMo&k@b&u^_4A9ZfGXC?Ck|EDH=qm~;)u#}3^bnsKm&pt z7*xmUI<9Lw2#VyjHLsER;`%5H7f_kYMk9xIP z&yj^Oi_v&w;0(FEy!4RQcXPF=E$16b-y96Of<$*45xnB6)a5jcaO2o|w{@W+%<@rI zohuo^FKIO+5R)b;V>T;a>Hb$JK8FM_Zx4IpPnzdF9dPL5H1wUt0U|bZ&=oy#GQD}= zFuXuCyKhx(1qYAEb$2&skgau}d|F|ByiMin(vRmR!by_d0^~su9n16lh{DcYHWh0{ zL6t=3ot5Ha{ho^f>h!6#CJ6#`YqRrce5alFytZq>(avST0=%oz=5eqTR6$NvBcU^VGHIXP*JcH#{4kb2eW40W{PezJk?Hs@ zx#{wJ#mdM&*_^e?t7&EpT!{rDphkrJI{6;V%T2wsKBfN=zwrOIPDVCDL48-D)ZcCtVoN4gTcBIc<+Gy z)*6fh9!7VWvxxH6FfSdf2EnQK{k?Mj#Lc!cXt$Y zAn*itbFty!du)8+t=Wms9*pMN&(u0LiEv1(<$xKcVO;Af=gQOZ2L0iDby`XZ_0u4+ zQXUUfXMkGnX*bK}Rwq+8bDwc#B0XE5?5<5T(j-x7F>s#BM0&ne2JIL)b4QCHU|bQC zAxv_7w4gtXIW<>qcnLH|SB)6MI8c6ZLHtau4)czIvPJ&iN=Rq(g zXP!b@Y%o5D48Q~nW}%T!E?dWb0k#;{H*xyO^nC5ylsU)kilBWX#nvv?ga4-Yg2bIg z(vuH5S()BEa*0NF@*W>Hot=5bKO|1C=~slGEg3;PYNUtJtGANo9_+!({G0*ZE_9sp zo<{kkRjc^ScB;PurGLQC!=IpNO2m$uEpt8W;hrp|!ZA|h1_{5-@AOF#%-OlWpU_gk zqlp$OfTUW_+maT8oju&FNn~2XG*7)abgNFBa%e`lE%@>xyl25pE^uB;jttvH@9V!k z(AEji`=OJBYu*iDW#;odrPDDwAhFQz%Ynv4s{D}eF z=9l<`-|ibe+eyAo|wn{CB_;{k}z>MN-4+DazJF>Ct}!G zV<;n0qbg}4AM^fOoF=iTs5hXIPW4guoP23Mzuv(QMWGyTgY@gSaGbxcM@e*kOxYaR zFp+uCyYntl0b9*AHbZEUI6lQx_Y<69`DHgL_3MO^h|tmLKJbdR1|*#F;(W|#*cvroX*Vw zSRw~P4<$vZ<=Pc%{p3LVob|&qmTPT6Xm5I;H>LGf(OR{RH4}(gCA#!vUEkndNq0V?f%4 z-R0EGe4-!*=40}g)n(j!{qz7UJ^zSUWf1quV{!o9o#NR@z<*qTzO-iD`mepf$jltY z3{S@%-!d2=`!EwcroNhP{z_|>>e&Ltd!<#u+(f`d6eSQ{OCV%oKmGTTM+>`hFF0it z>D0=X)UPM6Dg5zK2$d(0t~}Ji7%3Fbl>YNkWJsEU ziWC8S!Slhra%(+^rG*yp<(qI|3~yh$h7b*dPGDk+eGe)lWmZM(3YPG9%+e_tW;?*J_E zt($JG<&2?NZ@cd+D(i(N6G3#JK?UJEN$u+!La7oer|kGqj}Fq>gcm0>$pz$Lcz1tUb8Oq% zUi0LqLiejPJmh)Ub5HQ?TgzD%D4^im zxwuMIt|3sf5r2EtlNNc>oqQy>w5Yhwt7(zaP#xUJIz+fo^C@Xgb5BA#g8lv^QZvo1 zwPOL9R&Cx~n&w1-CC*KYo~xMl!mdG*%cEi>+I7FOIqcJ58VClwUuzx^d7hp;#wPLu z^VE4ZNSBvkrcp`Y*w>D6;m2qXDXb?h?aXY+W)C6%z9oHW6%&OTJiC_NY2QT_shI}joFj{n!SeSvlOMwfF2lfl 
z<#Fie=s)G*@oXmnd6(Kqd;f(6xW~Dc-P5lQVXEl_Zf}&+Zst*(o3JE>#qycf3D0w{ za;qV}tNb3x>4{$i-s!v73EXaXC?8IKUq%${D_y5#og>6h z^Wm8R1}TVx-w63&QUbwzv`U^l;;F~Y`CjgvEg<4V1;|ZMvsXGD8Pcib1_PoA`lERY z2ToIuiz@TiqLS+VP`{wMVw_368k%?MbFA}+ks`xdrZwWJ@~k@@AW?nd{szn|efHEQdsSoD%CN?G5iDTuDL`VQxZT z=ws2_FFQ{-h9284Cef?0Ye{Is+BW%PJd-43+MCuTmmkxV_X$DM zzeJV~1(mx;6o*WnOSD>230n`Ie1!Ww2gog-Ucm5$J(>h=b}J(RO_D1hs~dQLr|@e4 zdP6iM?xzuShb< zgRnqBk}R=Sg^dZeq?mjgn~Z{!7vX5O+?_$=Z<@36=O*r%ZHXsmNz>l8n=E#_f5$Jf zvS^SlF|2>~e~dQ0F~q>3?`)--pPmhr2Vj6XH)5?Z-N16~ryL|^Krmnu#SK=4E&P-{ zpMD+oL>#R(%m^*)}??m?w}EUQ>eIYzNnEM;#?0_0$`!Iz~QmA)9rH|9Qi!eJr4?qAh?3 zMWupHJM=d0|yif1)q(v?Z!z$YtFnA^>I!5Hb*CfDM$LEL}(AjO> zg--id0&+r6o26ptV|44jv<)0Xnw*q?{LJ)z-$F{TLz^HE2!>EHI!PP}fWF>u=E~Ut z_WJJ6!WI^jIo=$(*`M+HL31W)z|)R{;G5G zdw^pkOA5p2Brqbe`#}tvs2@09l-8&p3)ZCGYc;bL1N-{n$k|bsXRbHPAN1~n8o@4v zrh~5^P^oUI#6ui4CA_Ix(z3jAeqHA~CyQjS4^N7Y?uM8kQ5LoCCgv43IqZX+SC_f} zdV93dQcwM}%DLlVAksoZgtBTm0L`h6b`bORJ4~6C(6L{L_Yv zIG95$nT{V1c{o8_nG9r2E07t37MdAUn(ZR16s3w_^l*{bgCC6N&43Y$4sl@Zf-Zc% zD8b@VXuYw^?8XOb|4t73YrI?fWsN{nRar(@QQPBk_eEvMlkSw$DV|cA&^sE6OQL@p zp{!FBA&1@g@gl9UXk8B=W)6;rDP{Somgvr?zE1*K#Ln4I<=A82GXXk9$M-h}J$EXA zs^RKgGeDj*DGpItP2ciSTnRHOySh6)kl?(mrO6c}`%yy_nI%jV(~~E}OiRF;e@v=U zjv90hz#cwNcJJ!et9->Bq#LB+jstRFJ$2fj!pfD3a<`%;d{Z~oQ*m4z(+$e5m>^P|Qk8F1&Zbs8%&v&Hf93P{tH{q3S9j(P#A}%Xy94mTMI?Z4Zi|zsWBArW4A1T z!1P5#=q{wG|earS=u~RqN7#7b)gd{N=oe7}N#$hh%KQvyf zqXB61(WbedC!iAY3?rxb6a#^E=z<|Q^zSut3ZuBQJlROf={m(-Ze}gT#X)9O#>U}v zUI#LOR1s-W59BY&(hFhU|Gv^PX$E3uWj}?%iJT?|o+Y~VYlq7nj}^456Sy!HAhkse zVj4$E0vxdIE&ii(Xm@$`BB`vM$Q~~%KY*_E3(tHQ7=2Mw!S7<{zSh4}7sgE_#Tt{g}e)LC%9(3`2V$)Y1& z8s{{;*2|IAH<Jc zk0DO@?$P6)+$H^XoZn$h#QfueBsahOc{yJpP$tguK?lmjlK+vV_fvb|ts+W~9*o=) zel9xdF>=p5&!4uzSlxF$%R;=iQ+#GH4t2YQ7t+i5*IB04@pL9MNSzK%@c@v*BOqsx zewNs$Ys+TUX8QQVwAVmlHl-)d!*G|;dr9t}UW{)%EKrTNeC&26wpK~xv32!l=LCKz zA)Zb6X`RczKe&`7$t#wUtGI2m_Ui6yZ}=?!?sHc$lW<6V#9zAgrsy>g2;``^SU&ai zs4nKYO>JKe@>1g2P|A_Et`zRDcUHlBbFm}OeViJSm#QiX(?Mdew;=!f)y1B)duENM 
zJ{&R|hj%>(g+zgX8gAP!NId+#QkYg@uYY&qCYqRwGmR;sExx`gf2b7aZo9@$|<> z;GpT8!q;FJ=X%L5W9Pi}t+f1Hg_ud{O@OF*v-jqz-M^C8{Tv!0%IcFxR5_mg_x`LUf%i+ zd6-pNdA&>O!T>N47qS;apoA*qWoK`nHK{P-TBk#FVz_>u?CKRg4O;UQ4Aera6eHRh zSLFi6)mjb@i|$~Hz8&`}tu^rinl+u2h9i5cfryM2&?6vMZWebKZdmy$5h?YvRRrux zS2C9yT&7tzHQ-Xibkm(rBnMx>g*8TYrtwl#AgVa zBET^C2jpkVb#?N54^(F2KzVTI<8vRITL)loD6@YZ|Hz@6R@ZdZHyMiB zrdX7#{_5jfh*SLcL-K8)yRou2OS}jS1OM!c9Q7V}|0=+^QaL@J%{}VCu6_gxlS21q zmjZL^Rv}1mm1VTtd{?hmr(oR*!Tw`Pug;{58LX-8IN_!n^K_-$>CqBL{8sHcE|g(( z;f1eDTmJz^JSm^MSM&ZoP|?7UL(cOQQ0i>U>#60b1U;$BoM;O0(H(jB_0+FkE`L$p zzZoS^eIC|=HY_Urxj6aHp_wR1aY1K*;NDY=*^aNX!XHAP~z{y{(pZUeYCXKv~rbMRr;kZ?waw3R)>$Y0NKl!8QAr3!NMk^ z?k>ao#oml-!zC!G;5~0aOPTe7`>VbaMIW%%;W!-yWHG9%G^?v6F{vgEXoBw_gPTbzlkx~D%1)s%~Fyp z%&_@q6IJXoP{FW>TZ;fx^bP>EtYba{#I9!Ut&tOrC38$~EhR^df=1{Ajr;8q`{o)L zB!5pW(%GC1(IVt*{7oAy8G!Vj1E!=5hyb&`o14~HNV=8Pjb6fBh_>6jA4%$FlxpKP zR4ri;YCdG!PqFFt>#}2t^rIyR;BVg8Tc7hk9F4+I+P(Lvcd~HC%zyWZ z=3=r7dbCWRQKRu5NEoW|R{R4ju3&()I?z4cM&-)XdKB)xx_OG>=KWYI&cak1&dQZ~ z{m^aiyTch^6#|d#HpnQFSA8v-k~yBW9%NrmK&noCt@(F-tXm@9e@yy-vSaZg35{z3 z)&-4u)YtajQ0~*!B&J)6|F&m;8Zb+Kd&{vaP5zRwbpT^Eo+Vc*F!$&6%*W~EL+;b2 z+T35)`6$1iBu{dI3)XUBF6r6zP0s6-W=hb}64Gc0poat53BewJ+jYFUm(#0>2O!w% z`LJ7xgFNQfQgPKK9X?Jywacm1QhK50!*kE27bku6%-Q)`s=pX78-Uj{P@wb{l(fO; zz)hF)vQ_{{clkkNWcD27OGXzADF>-PYK=A5S}2z|&HwRs9CGZ;pyx z9!RzMbt|m`X)sxCEcFQjj4orW%Cws>C9@H~Hv_>&891Cg0?5grzFo!7Qzqu5y|qG$ z%6>7pK-wxH%;H66u0kcPP?cXdxjE3;SSe`J+|;x+at??`KgrLk?JqKZ9WIR(v2L>9 zkaZUTPrRKE#`xFm|6e@?e)d@mDGjlkb86_V*;Yb@pq(2083RDHH}N7O8L#P&|34iK z-?0fhI)hJP4R%JVkzweowq_(q`!8qTt>aM95K(tE@6li>&duLk4bTu04i- zaq`zRbl&1aplDc5E&`YBLaj9y(@&6T_VNOzV1T1hh&scDS;oRA5@-4E7E19%Ts9LD z01W97L}X`ctzSh#QXV6pa3~dsUcEVWrbW@e?lZ~$3?{@CuVwF>6-D8T9D626?|Z@IORbnBa> zu&e6cEKx%;9;v@4uMW_yYhX#-04Mi1LwB`4uiUSF(#54z@N3ooX+=!r!&)Ya&F!*r z)x{bQ7{Q&vRS>{`NCib3&Vt;{WkI_?Hpeg8=!4R^S3f?xjt3*zk*=9YFysEC1qZAs zaP4xWuEm2$G6OshXS%&wnxdNi!Skgd5bE%O1gCdExs1!aU?=_$2li5f<85$4qwu5+ z8V5LqDJU-CtoIDKVpoE`KL+!g{Xe!~8723;=i2cw#yK!%%e{YKI%Z*;S}*{qj5kQP 
zL0z@*j>cIMn5XG)-p5i?JxsNsDi)H`4`oifJH#B%L51Hg{#~nG8}p_cp&1I%TML(B zdZCGShydo`*KhySD)LM-R5ZN0hi~6pJ4W*&AVO2Yi2wTSpIS*S_SBLXGw1NN#P=9~ zp+qH-fT;+0)8Bvl$JV-8%KgU#)$okPi}dW2R(C7w)xog;`t6@uS+4N3u&A3~O~(nr zweAWtAzAe7DjI(M_K&R{k;03UzXnFYH@c(?BDm`N>$iVu{nM~TKQtb*fPp#w>$iVu z{d-XV9@Jm6?eCfT_wxVSrv7bH|0g%98dCVuFD<~|n-<;^cms$}lCbKFwVuayuUR0A za!>XQ{N)z2a9y&H`Vha>7VsDP*-us!gz+4z+}hy){RFT(mHu9JOBDCItg&#Y+pY-_o)D&G+*My#quWgR#7j{!JqB?@7HMwpEf;L8B`i{ z?xg~N<d&eEBXbVSKK{jSeGLojR4K z%-^nY*G=X#;qTWV6B~|-{rwuJU+9>ghW&nxSq4LY?C&=OUoMB@uaVyVzvCKdk&k5n zB9IOa6R}_8n-VXQGl^Ij12XB%7m+rO{cXzc>mPVp=DL;hFY>j_X)EC-;eYsaP>Vt{ z>d^Wu_V55+<_-YmVmGRr%uJy2fm@XyeMb%PLNQ%%Jg0}>GViK2V5iG{dGK{J`TFf|q6_2t7?YQ%L0~lKr z)OpDASsuWP#ui&6i0C&(j<5Y(?BxY@sk`J$#8Zm>-< z_$9M|G3Rqt?PXZ6woeP>e49Wg6KUV~K2$9`+pyxw=jZ9KJU zwJlmgkMQJ2*EoQJ^g;DzL;jH22(mt}Aq{ZEbQoxxkp?9fT278%#$0Cn$f>9f7|F#K z-yUWJ?{8j;%T1f<88Qrgt-P?>q91fT6_ycWV;|Ok{Ps9+%BlOrZ*HY!?~Wc`pQjda z-0w%5JjdR>%WzCHb7Aj?R{1#S(z)rTfc{RQD9ZP{Ghtp*x}TCMv5_q*<1jdWP!P73P>CT02nf!`z*id zO5!XBk}nfbFo^A0$6^Q-u$cS&zu8Uf_m>VQNgkp2I7wbxeDWAPFjSSBkeGFXTUJX) zx=lXKhe(>u)J{Ri188OwYv}3c23xvA@_J$ACu8~T}Ih!fK zGpPJCQF&*|p(_C}hWa43s0`SyAFpl%AlwH4#`pQ1az6s1r>3Q#{$xr!9M^@YZGH*= z*Kp$>Km73Jxkr^6mu4odgADH(Qj3U}H$X$6_a<;Iq2uW^yR zfdRN@!cES3jhlEn^w1+Nt=u2n?_sClS(RL>nvyAppWXPUKRWSiO#i7eP34 z3SLTr{I%0If=T6@J+Ma)Hy;xP^bP;^f7T)u! 
z`(;&k@l~%l)8@pX!6o;A!V^zA?gM;`52&YaOj`M|^MFv2LA8^nVi}%+`!+4jX82H+ zApiL|{=Vd@+UA35dS!q-XMq5qcdNJ`+*NHSWQ<6t3{(>;2Ud3)sDa9<27UCvv?5t~ zZx#bs-|jCCDW?J5{V&e}JeutmnI_W-)5Ej4)4V{MC6{&^n9Dp$3t-e`l=_`ORd6vA zOg}sQO?GL=#E2uHNJs@{<8>T|yF?V1*)SdtZOGw;3jvkx{d%I|NN1z%mGPuKJS*vj z_5oqZ97~eG6Ae{%W4zY zLV5v)oFpoHL|%8YvMg{n*7^pEyVVA`@aGs#PlhZ@GrG%K?x$RRd`?Fu$BR?>D}Qr5cxnj zrcz^q8c`kW(VfhN7$wQ*YWCA5fB4fZg?|0u((GPPTrpolF2L?6CWiI~X+!rvXD#tk zaJ}Vsgw;>RW{_}db4skjo1Pc2iY;kpECirVMlz*z9 z?b}kFCr!g{HdfuH+kK`DLuPo=PUZ`W30_;DZF8K5&=ZseKYE9n?c(&x1X`}w_eJ(c z&WYL0^Z2XF0P5nfVW_k`wI)?)QJ6SL-C99aoTFXhZ zAOq$C(6M}d|M-5uTEjb3_|c?Tvuw@FIqIqny>2y7Ue7j+A($0ZklcRc_X8*o79I#2 z0XvxgHbR?*w#3H1|3=DbmB{7~9v|gAtdqm@oFW#yzMMA#wg>Q|&Jz{tWv~ZS^vohl z-Q6^f#2^SA!#yz!8;LyYY<&Amlu-%kvZjn(aUl?-T$-Ybh^nL^^HLNgxp@<-&v!J z1&4-^!@e_cKgoVhH8xZv>64;&Pn?;C-lXQaMp1{zNi26L+pcMR?z$?Gf7aZq!vUqW z>|UPrxD=R;+2Pp|M<8l?6u9lWAOU}$9o4SHtgxHC*rr5}pD+Cis0^uLb{nk&wrAQ~WNKjM-GKkAbLWG_eWUD<__Q!W!)el%*pF++U@nX=+TV9 z>%^8$&}r27{hNU?UlWama>106c9F0S)_XGJTz7bfoBtXn1^xo8}D(tP+s`u0>R z(GQ!b*GF6%ea4_`G|crqMQfexPs-I1Z#v@`lNz#Z!^t%`7)A#1^EjSkrhxZz6|l@p zpRSjyas`yx&k+6oehMS%;&MBmciW&Kgd%%gt0I(AdvazMUM%Ih^>vj;;GI_S6t&}L z@3fg^jdebRnO>OjTCb0K{Z(WDN^$Gt)e<-=P?JqPr3f36kf!rYeG->q%0$+>s`93h z*PKauW6%4wt`D%DtVlyn@OTy2TwOhrx^O$oSeDXX&K);Hp}JwS{~R$TGHnkfcV zEwGLYdKWTTDqP4EcnAv+XwrMPw6c3|#A?>G1ut z`#yd#w2Z_77u~9HtsO!_NgTXc#o@*MINZw?w;k zX#rQwZjnnkNJ8{w5E;7jN?mJ_lryV@Sb{}(-hq;fLArB~ylXWjtc>&|CWR~b%RCOa z^|^2S1)zkNEe!hf3?KPt`e#Tc6YLOa9dJz3RBHC>`~!D^F_8NUxz-htY!ZZUx8I$H z-gqjh6>&+MIysvL%*dBkIU0e~Cibba3n%r7Il6sP6?$pytJMkYsIs%R6KSII5DS?^ zc1s&(mYRC?V=-;Y9Rf`XclX)oOEzX^?_S(=Q%4ikND?K!Lx4(+9GKKV&B7iMdKhFl zmSFmw1qPF2GxHLD@FVgc9-X=ftoZC$ai7%Ye*GPygwMt|iOlavUG4Ek)ub&&<+S6I zA&jvF%O7%R_rDcyafegr)wZ=JpdRdz>&7!*wj~b!Dgu~z>4X^is6UoJraM|6pZrAmLwozYymj+W@9(cw;`MWb`tI~Zf0#=hL*9Pa~)1gl|VLkdA- zC;}=hK$S#ipNY{quJoc;l&#kM+6K1dyf>$h$8&M0q&3SPl_J32ZlvIcZ=FUgb&@I~ z?$HD1R@yV%^v~Ox&j??rAqQ_|kfd5@POh0$GOqtf0RNnS^m_dxz@w2uNZk;ioVwGF 
zaI3B;{EUTnJdzp8Yhe@7bGBW@wN4JN6D;@Nm|vQPS>IS5@Q}^?_O78~{|IoYPCMi3 zXLH0OM;l#CpC9dfFpNgzr#Mr0Qs=f*w%Plg>ad>xl|Zx4TD!N=`+s}zw9npwiIm{h zlrb|s`|4$gMtq2fF;^9kXlbBmLKF08CdP~H7$vnsq2qTe=SFq^3G4y)e3k@Kn80E7 zRx{36rYzNti^L?`*on)<&Vm=C*9$~HeY*8wFArAkCrzo}J|jb(18|O<=r4O-RVL+$ z0+B~RF*lQs31PFPYthOiFL&X&5UjdaTh+E-c}S~PS48yTHoba)epyb0X-zHR9SbTV z!Z^Jv;D|ypZk8Gtc_alXFN)BrY0FW(S#4WkPtI$bQpt%*dU_rv-?kXxHN#NDqji-L zEn9Q`T#i(^6RR?)uA5V*9$nKZt8A(#hk7jYWC*%$F8Xt(l$0eE5pVJ#&Sff*?)E4M z!Kl1UMW&1K`Z=>>*r*nu`I= zyqXrS!ptCxWgm0UJNfJXHkzU6G z2}dnse-zsp>Vknwa#je%J=>SZtValJdaz)P!hk-b%UoJZlA!Df4-IX?7!gR}q6@U|2RJ_(R{Bpi{ zv^Z`T;TTar08P8m2X*k^JWj^SPsqdH(9i;ju=tcV(;6zcVU{b- zo#m<;Olm>gwT_+liN1QL%2W_j#`DV6gYQpgaTjC2qw8Vg6 z57QzxgQpsg*=`aLv5g!X-=*X(&?7=MQfH8Txew*h6YLCZRQmC(1IGm?DIp?~sJ?u6 zu7h>hoN2O^c2YihOWLeg%aX{Qmm>kp&=gzFZ&h`tX@}9&Q&8<}kIq$YgrK(yRy00$ zh?~DcgRu!9w-ZeXZG_V~vnZ*XP{19_z@Ss#U^9!c6b?($=44p=W(Spz9B+fcm}Q`5Ef6 zY;AQjCNu}NCv-pi`%jfay>0EY#Hv@&Oc3dxdSA8E$PL77L*4^t&)IQpIMp&f#SX^` zrZ>ZZlKaB7NUP8EgxlXQMQU&^^Dr|L3C8QpYOy^CJ2{TboSV(x{m_M$|`H-Oj#v94L*5Ns8*r%+ZflTHlEC<<(X`;_M_rki)LP{OczAK!!CmW}c%tlY(hhU6C%`}&H*Fg=1+FBM5!0o5N*!L3Rf&!E2J&`q zNy0!hphw+x0(Qw@UH+q9pl|=mhM3T_(54x&tt)0mGm1!bCyH_cmueagbvL9@O_n%E zj*jSwKT$QZpo)lK+J6sK!(tD10^3{W=q8HxN0jIZQ7i1KmOPQLOn@!Am<*CtbO$qO;v1!JSwwmmwK-Rqldx_fozNgqsAzjeM63}v_0g+bGs3IJQsb9u9h$9 zJPA#XU=LqJT`R{k+mf!QhML8@0-aPPq86sHDM|*mcG5neb!y-uaB~LG@m3js!?GrIj&(L`%_i-DIo z7zxaJwV%aFl)Y%B9%*wci8jrI5>F)A-T0=Ebu3-AZ3*e1u7pta%7UokPQo zvZrmbBSYXI5QGDS*-}ee7hxIvCs)B%1!irz%pu!?%8nixcQYA;$Y{5!K-#ovb{N`i zZp;zux@6)P8j~}|o?MZX+~WeipJq6|kQ%SiB` zvbq^8d__-yDV*f(FA5|;w-nQ?8T)#V&<-cI?_*8QA#6?*M zeAj`0{R<0+eFf=x__(wzL0|ve5D6Nzp~2R Date: Fri, 10 Nov 2023 15:05:52 +0100 Subject: [PATCH 13/31] Add more diagrams --- book/source/drawio/attribute-shadowing.drawio | 88 ++++++++++++++++++ book/source/drawio/attribute-shadowing.png | Bin 0 -> 58361 bytes .../drawio/dk-attributes-and-shadowing.drawio | 87 +++++++++++++++++ .../drawio/dk-attributes-and-shadowing.png | Bin 0 -> 57974 bytes 
4 files changed, 175 insertions(+) create mode 100644 book/source/drawio/attribute-shadowing.drawio create mode 100644 book/source/drawio/attribute-shadowing.png create mode 100644 book/source/drawio/dk-attributes-and-shadowing.drawio create mode 100644 book/source/drawio/dk-attributes-and-shadowing.png diff --git a/book/source/drawio/attribute-shadowing.drawio b/book/source/drawio/attribute-shadowing.drawio new file mode 100644 index 0000000..de3ad80 --- /dev/null +++ b/book/source/drawio/attribute-shadowing.drawio @@ -0,0 +1,88 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/book/source/drawio/attribute-shadowing.png b/book/source/drawio/attribute-shadowing.png new file mode 100644 index 0000000000000000000000000000000000000000..f09062d607dde6d3cc64853f6d02259e796dd28d GIT binary patch literal 58361
zm_)3vo!z*KS4K3ev_Ckkbl>WGbzf#;p9{@abpN_{pM&)DQN&7H@NC80r?A3h#!fGb zq;O*elR(TB^B<^bma>zhl1SyiKRVYtDn9NRXNgR~l+1CoP_7i{HHLh+C>V?L`K)}GFeio;}f%*<2#{O zhD)_$t8P1f5a`R+uvF)BSD|n+?aReLi=aG^+_TiIedkw0_QrC-t=fggI3U$%Br~mT zBurjQO~D*LKd11cy!$Ko3af)^e5GseF1Lj@eR#o}Hh%?zSLva)pNVs$xUNif#Fo8J z;Ev^TPQtJE!ti``F*G@0l*>Xh(p)3U!Jt599L;V2lS=N^8}SBPVr;fqLk0Z%Tf2dneq+Ro#=s0>&W=k!61ud&;?eL9mm!%(1R#S6Uks-sH<-@1=*$NY9_f3imCk0qNOF0dq-)}|-$-an*xl5hKK0IX#XWIuJ8H=A z%4PfX*X~syMsJa|qr5FSVQshfcyl$?6r$$g+EDD{8))DpF3J}t>tyqr5bg(M6ql~G zo@e#v*YmV$(myuqq_j+}JHLzOu&X)J@%kocmR%U%`Ea373Pk?e_1*%B+SPke$%Yx* z)>foh(p~p6q$hZjYQ~*v(jW~pjI*e+*^w3wxuQaWSd}54`=!~sUMgS6 z1*?HKVlEt=u&Yu#%aL4d*28{`!(s@hzLbG9c>+r@SM0|=#echnrr^`Byf z7TGH&PIHmbPQEc_V=OF-X+WK9jE;}UT#P14aN-a0+{mM<{*v_}izDx&@LR8~U8;sw z`8$1Z-8_7oRL0B1lT#HmzG)t981>`SCvjXEoh64!MNQ-~@#>)@_~WG*V>jQ9qP;a7 z)5PH5k=@*C5OdC{c#lcU&A(vFX}25Bh2;1|+9UCX)#Hd%^EYj`WBJRHAA4*ct&%20 z>EfzNf0#}!bB@I#VK3(E7^YMkG=CRp$Y7gC01E96s?Pm!J7k6d>g3(*Cvl42AJ@Jt z7QBDS=7}n8R6!M%Mj4`U*QC&b>5IjS(qK0JXna!k;WT%{PgE~kc2~9<$QL=EsdP9< zPJ8W@t&bAn_{#MA-j1YH5*!jU)e2JXd1w*kbF?sl7XG>?E1qUgAgnm)rQy~bTTB1t z^TqRMQ#um9SCNr`?qywGS+2Z`hbqs5@| z<|A$cqP6_14V>8vi{6(KYpCMI z1oR^Fuk2FSI5Z5&=j>H#BAC%>YIm2urNpM1Ok@!?Vs3D+8gn@!qGElVC1lmAc`WcX zV6R|d)dGWN9$wG7o*eG8=2F_=6LGDi%C{@6^Nvk~Jh~ijc($sdJG=J51v9SVE&S>{ z&9^3P@+&>o%nvGthwanTEftHRr3t&vpF^bx?VonziCvgV@JwpTjyE~4Fzq0hc{ocm zbWUNesMhSf3>GQdBV2GKlsWnSF35q=4e5=_5~uTKYWYLqf^^0zuQh9l0wU=H8r>=E z4gHHixvjT%w$_>aS@yc(`GSWtFhL3p(rVw&%p}j=uQ)wEH$C(w4z8}1@^HcU?VDQDDqc z-ks;yg5n5+Y?21NEG<9`2N;fe-mZP9>0RK(-DErUoDTQ>WiJhS9;x_F`vN#q&Ex69 z47hx4N+Bs_U%6BA!_;7FD#m#)iqFjKPc6ra!x+U0wSz2Ec*EIrHxC3xD;wAgyRGYo zJsP60j9HE&0+qTeRPbeVWeIlbjvR+cC0o_+MChmESmV8)!<2Tk?JLTz&R#F>XS3_PJ3^{lM`F49TET0>r2JN# z-b2eT#b~aF$4E;v=`HUhFYYSpF1v5Pr!wcAz7-<@{+{Dj_2N(waY8?<_DW>O(d)H)L5nRfP{!?`QR6Q>x6 zHtiMIT3paqpi0-9KcHsYx_!q^w4b|d-KZ?2$08q5&nXWRCxWoxLUA3g62(<4BJS=B z6ve9DNLKqF3155yuC^y|2HY^s=&kBviw|x5~Z)- z4StR`I+N8Gp;CJ%5+}b{j~MyP4pbR0b_O4p?d~+sB(-NvEU@WmzZ^pkE*Zbb 
zG_-+smoIZdfx~$nRg9@avTG?+3Khj779@i6v+mbpb;<~4*&a!`+qn~dl~Q%*Vp|Ei zCwI$O=?234BEjr2t+x6wN@GFV*xK>%uTga`7|h*p%#LuSZ_hW5B}bvJ@*~t-+N>Il z0Od~K9`d;H>b;%dSnqlLW(@*2YqyH+M%DFArn0!>^#>o7+HCI+c@(U8!*#wDDN%Gr zb|_&^^s5yV@M9`jHlKVv8ES#ct0Jv!2iuJd>T~%#t)h6D69liX?fY8a@Q@^KGnYdv=J;iqeO@VJ0sMKsO4il=#7W;+YRd5SYw2NK*mue7<3}?U z-W7F^HcrW@N^`xA7n!dLZu>-+t%0ll?86@52FM={aHWremjh``%m}gtSFYgK%`Jx_ z7$&$BQiyhaq@uvZjc<5%x6qGoKQ!hO~1TKZWBn15Xh}_6uQ1a7YEPd$QxCzItb#o zX|`N@c#+}CI^kG@Q*WUS`dlZCp~=OCerhD0;%@B7ea6`E!^c6{zZ$fIRT6N z15`ynOrQ|WPKgqHX28FwIEz?`9;Z33n@BF();#rIY<&wnOw8P7zS=g{3k?UYVPK}% zqRDv^BbJ*A6pKwEdsBD(Bbf7qZdBc@~6DiqKsX)%GFvj z;PoV;BVh(ZS3}-<@8|@gMUsHxNGZu=maa5?V(n8_>W?kiFJH)=7d0)rG$FV3kbf<3 zfx-3-6V~3Vv2O16*4QD->i#f<5A)t0y{_EMq$Z{I9^K0}A|5vvvVcWHJ+FhB6|{hg z|Bd2yVK<&o6lpFm>Vr#|8kz$V50tK^3Zs##F5g&=rPjEIVnRXVYzg35&qzoOUq zTm@;Fec&1YkSHVGTebJOH!8EvHH@{D==;xkRaxG8O%S$UJz5pZ>sg7V=n=&rTdRK_ zCk}3EIutpv8`)cb2R-}1kL4&QhLx~)@nxi2{L$=Su-dZTqvmsa-3SS!d(36vex?sS zvxPrKR$UuIB#vO~pq&~XZg6uuK7-ves`GR#ujA<>*9WK7qce3V*t4E!B3t*C$jh!h z(I&l|-v1d>IrERy9_3F_89w`;~kY)4MOI*3C839Y-CL4%4#^O3IJoD#LMBbQ8P>-gGu7o;G zUp1R=OrA?mw8m$~j^<7(kM$edS9!VO!$cMIN+N3}w}wE!-m@W4(cSyd&<&A&W%p4Au39h^`l3oQHyGqDndX@9^g6TDVc zN^EWhZa$hfrdCHnw;cQ>?45(_{Npi$a5w^^)hk~4i`{r>>1jVhKV~;XAi48(%pvF{ z*Z73oIZZZI`<3CnXA-mDv_Ki)VgedC6yb5~wUw(Ag>E9;b9BlHg-#@&tMA(toZSS4 zUjU^CV(swMU}*M5@Y``Sbt&aZFjT{PzPYV@9lDc8R2- zwOXkU3uq!!jd-FXTVE&vjdY;w+d?MApev^h zH)GXO9AlhOh$&y6|120ok2WmrLF-?X^_FF2_g!#HUbZKC{M*Ne`-HJwoq|z1cV)y& zMXj1d8i^{!Ni=Du0(RPrI|o%Bn;~8iz3(gg?j$Nqjr=Wi;FW$Zms~1nsKSzBb2a|; z@&!}FvV^x^cdwL@CW=IS=%B-CeVVOqb-955YDHrxTKUXdYa-Z)l`$UQ<3m4TxxOPS zqW5blPgbb-vs*hAxUs2iDdS5MD86!4?R^@3#ezb@dSRP_#%0U%>CBQ8?=unun_ z0-SVJ$>cNXTWaCTsA;8_156J15p1&ktzv1EW!U2qLarWOydm5z%O@-OVM7r|lDZH& zRRu@+UFcYo!#*wy8#nYq3D!LR>gjil?`Gj`%0~m2Ap&F} zO6Vt0eA+|O)}m;hIWm`|X)v8hk)1g->M(+e7wbhZLi=h3YrQB*3n^u{T)nZ(E=nJ^EZytQO({=YU=&u0XF6Tj)hrkQ+`*G4v zlDjsQ(vrT%8VE{pN}z#>FZUBd%9B~jNB(NQaKZ8$;XqigkZ{`z_od%wivw*BXx#Rz 
zb>I%RRD1%fao9K4JoO4j=Ut=ztcU2A$wYSxDCyKn8xOV;GGYKmRX*3%@S)A+R?zTF ze%~C;2eYMDl#fJ^fJ+{@!me6o5lp3!J_Q;qn;FFhn^?~Eml2TI#pbU_3?LMcO;=sD$q3~BIK_vz%-Q#It!FbOz_a~>4U%~ z7hSHg8YOw$NeZN)zlD%nK*QJdgF2nIOGT8M*N`4B4?2B4Dk%*hu!y%`8-?0Ol;1q^ zD1G*(8?Am)EQDC4LFBFD)*H)7zEr8`E3Gdm#6ZJGceWA(1_jhi6nRDU5sCn47^wpt zIM{b2aB<=`RlMRbNw|{aUWp!U*y4jb{FrnP)^Dp?C{xU;Ay$^p+`7_DR5i1sZl#GD zS3V;Z#TSTJD_0lBARs7IVlwcI%~X-cY5T&3m@>=B7(|^=V$KvgLecTox%Mc##}a_H zB@gxLo**2_lvzx4SJ)V?xgGAWU90!S+Q5_^ZUo&!rk^qIegPd@+Y4QxFDPVYCf!ev z5{n$Sba3K6#B<|kNXPe*!|Tybu6H+G`HEP1f19U82{J-;{P$QVh0o7>;- z8$3in&gs2UUtf-ULa8~&bGT7^Qb)oQ#ErT*6A*Zh-*gqNYplkVoBF})Bpjmc$uOpT z0;MMNFU2rxhZq)oaHWb=V=0z$N(d=udXUM!Px)vOv^3l@?2H2qBHn3bFH3P;>^weug6jwB_S~k>>vsoH2S5YT?)r6u^f~Foi&&&Lq~l=a4jZIb>DB$B zSqx{olZB2jUc3=%7YEIP-EW<2;vLc+y?Y9^5n+XIPNeB@ZpB+z59Omlja%2h@Dnhh zg?dkIl=DuGfa{S(p>K9&a5p^=6X^1!ybKa91*7(}n~$cJZ8d|IGeZ-$lW6h2OE5xi z`y47JB9=zx6V#604_5W#cW8a)^nk8a=7BDlsm;vq75Db%y-;zU8f?dNI~?(&PHIrYXSgRm z(Rbm2a>(En8yM5cNVFXe%xbyV81Z`Qav?DzEZO^f}PGb@Vs^ z*lUxz=~yzH%FAv>4+)ucygD72wd*fT41%`3r8vqDp@LDDbMGEky904KQ5-H=<|s=j z4;%1$MGK!%wb5{O#sS9cxHNdRJuOI{iUG5~w@}>1n0bw*XZyD9)4 zK~GVoJ7|1NNAOxb`Kq1hd9NZJ=R9eNXVzSc+uCU$ z&OroG&o#!2MtR!2(}xOq*rqy{{FSANA6ZM_hNx^#5b z2HeH4dO%!tpJzK6+&@bi>m$5^r^-d7==&n_)o0}+vkGb4ZnPlFSf%hcI7o=rR{Er2 zpf%G(2@7jWw~l&(JwzQ*{;t@d_$WP^W5$!(I`M3iinlI#kLl5jpdJqfxQ>|3yIOoD z3$pn<;+?nTJPN)ZIUn)XXGRKieW_#zt5(dnD%@8L1NmB6L=e=VKoosoE*k2SST$u< zo*6vU2*e_WowHzJw+?2!5m5#8F}2?VeXM)ek>4}tw@y?!*zJQ_o5K*cszen1S{~-n z7~zff3lFC2y&FK&qiw=Pt3@C+y{e;!;`%^s zMz(qe3z9F({^qJ=aGh%tbD5nPPn4zOETu@Y#6Tv%rrxV;iMxprr(O;huq**R%P>dS zt)dO)4N1`Xx<}Q)ljyg_UPI+pJ;~AaiPvtqzo)9uku*r|&4xWw}S6%fh4mK+C z<$Zw#_r^0LZi%3|wgay0?QipYATF(~j8`;G86iJdXq$7*qeC{sX|@FYs~j% zH#9<@V{d{M;q{o77bO)K3BGbfO+}?!EXd}cSBAQ5NpuU!13TU_+Gl|~vqx{KBC)RX zB^mdn50{$9ev6LQ?pS$rGGfuJX%+i5h>)djm~KDTN(1=k-p@=Q1FOb?rG3lDX9|Ls zb!Hw4iEtEPry4vj{(t1XWmuI_*Y7J`(w!2*qPt7FT{KbxN_UH(bax}&-O{0SBi#tn zjdYiL^6azU_dVx2U(cuG2QE>#=e=f*ImY!1 
zJCE$U%k)d~4d{aG|0frqzqU#{8S3-saeG!kVLxiSg6E67QcQQP{T589GI<941z%Xv zKwP>4#TZJMCiGUjVQ9-BiSD^|9n0EBLWEQg}G+^qowAJqI*vo2F#)j*x|n` z+kw?xxCQPpG|tN!<=U!jU#TR6F3va(y#W;+Bkb z6HOgVjit~*-bU*=jIE)>srDU)iOc;N$rhKri`)U;@!T$QUH!wC))N4%ub1{8qwH}k z6ATAF^J5DHVB?0)2H9?Pk+K;Gqmyk1hQA^7)Gdo}I$f83>{CYbEdW7;hVM|;{W=U) zNOT|xFjGhZUh7J};L4Y4suAMRJj|8F$pKEm{7Vj0W^%KX0^ux_*AU+CJ4;b^WE> zZT}`myUl^XpxwhaAT&P5X(WhVucYwX#@WppoCb3&+&y&pX{&`?Z}!8?WOFk2mjdO! z*<5S+6Tl=%{_*Q|+}_0Qi6F;}&6DbGp6VZObw+!*Uu8wbV+}R%@1tts+|p?U$`pF4 z?K3-5y)*X8&TXxpd9U7XKdkTM{^GOMg^BoxK?tbixh#%7GQxLV@aJtr4qbu1tnuK! zvbTbbwM)Ud8sy-#{fqc<_U#Mm;_A$=w`Y5NdJ;%0(&XGF4F&=);YY_ptbf2C1>Z!%W96e&4PbA}cduCR(lM2cmjZ{c>nF;BwuMq?DR%r)$hX z$j6&YuXA%2LvFNlb7)Tt2UiTUsqWGbFNBeUB-#5Tf0bhGy%pYJEeEH^A?b_b2}I{_ z_LB9Sx9kp^8a<)kux_~^646h2u}p^8b=JD?{f$8SkSBGS^c-rs_G@*Y_nT?GJRKxE zFEGy{y#kPR*)1GbyHW+5&1@O63&614T*>nxtKZhLL;aHQ;h@MQfoO!YS<<062;W%W zPZD4`^RM~+YSBT)(VyQPT7@0q`%KV+YvBnloBAP5$!E6nFA&U5wj>6nBhUz`!nI%; zdX002!(5$VjHzPS_bBcM{^3p{BkO-fk!OzRT!kIF*XAP>>f1UYiROUl+vp(M!1ElV z5`Ga)>yWzEDN!q^btEat7@UjL)fDkmeRhIS_1n*4ZF2;irqh{$K+DHE>67FApV~ zqLGc-^|<=`yQnixAV8a_QDRu{`^Vm;%arrD4te^uQ=Gb}2^QHh^vmqTfLShBhW_O9 zZ%Kq#z9c6WsKy2!e01AcLh$K$Lsxt)*RKjzjv_ffX}@~LyL4)H#9IQ^98R*37M*H7 zT;fEKOv8B>XBWn8m9FpR{M7#O2~(G+JR*Nk?ZZ}F^UcEw1WzM-+<8@7@(0y(pn0<` z=y|~xYGzB(yNf$>*)4$0WMmq2bona;D=^hJk(5S*^vM|DpW5yBb!}OmW*K^z1{Z@% zHM_dNpJswu9o|#1!B^r52iaEM^c$v>)x~X!aa5(zcZl5}u~IQNs7EL16J;k85^HhoG@g`LLoPLeKtY8r6Tf zwj=+yy0AAHfWw*}l<1R$dll+wyr!e%Vv3DNlrYrA=g<<2OvfBR)U^N{Oy1wq9elU_ zhC8%cD2VbtT2ftbWcm}pwgfQ)PG^R9EOWR+-O9YFKEe^W%un20@Uan*qXO8wbGx&e zchmIbB6h}gWyUErCdrLMxAJvr&F*x&UZQcaIzt^ss~uRK$SiF)(qH?0*4iG+suB+* zpdJ_( zD`UL^F3Huq^Ulb#Rr&#=s2bb!*8Z~m3pHM}EevJQkvkTZA1>0bZ-4)69%14iOk`!< zFBQd6h+?$HVqt~%JKup?HbU7D)MpfSq^mkNxQof>Yu`5;q#Eb!+tbf9^zkU>iN(e( zrq+G_qw&k2MS6G>z%6$eX~j81KUA{9|E0?esN~ELYGA3fCx2hh{gkK0UwkKGwx637 ze=(!DDTj-;bNu7_zve|;IGGd-urXL(>2C_(9q;vJrv-4p2jFg0Bpf04nO2YIcJ%i8 z;C6+aYCQ?@Q$;w$8gr}$2ua^CccG)PQ0mKx_~WvAaNjzMZ~f+S8$GE=_UT3_eVfMX 
z5ghdWzUS-wJcKp7uS+vu4%_pDX3d|#?_zJtx(xL_Q5{M3c&~b$h3Zf3+HrE}7aPBY zS1yR%KEU^ojOES*yx1nDB%WixNj~YiA_}xaWt|Sd?W;fWs`_*Q=EqeQ0jh3MMAy!Q znz3C9&?3o646wu2%|p(T$r%psY^zJC1~&=AG1BwT1hDx1u^T(&=_Ug);?WbpetTOz za9UI!NC*3gX00my*6I}*&m_8+dZ?GY9ir16v(Sua6fGE%gmzF^y?XSto8QA z^^#HS?plbiNAR<)(*7w*(zsuKaDfUvGgI=xeV27`pq)C+=>LGqi>wQv_1@u~u^2{M znU};u>fV1!OvzuX5D<1ROO#ENGvsmDZ((ezX~h8Ed1E17wpf=D^D3*^+Jls1g!A%S z(2QcPX8)hhrIo*bdeYosW<~7b25*dx91vye3o}2&DNr!+L*ILs&@GN-i&z7$&zgbZ za^C;hc=tmhWJz5mZWpWNH-6D%!KFP_oqjT$5zcQ+Xu+~Z%1!9l^7;W4;*v9-Dn5rp z2t~}8j9Vv8$5Qw#;+A_tBGH{I9bWzQ)(IV3Kcd;fL(2kxjrFx35upT_i3IvTEJ8o% zBd;+4Pw1Vq?n`897joiC%2`E1JQfE1auM(|$S!#fIolHQa|A0(&B|WUIod)hY0kS=wP5MRlbvH0okSfD z_x9JxsEtlBe@k_&FAc;)qND%03&N)-Ux(%Xo&P}q_oZI)z7kHQ!HES|KSK2=93+G1 z$(OO-C5Z^}`gfKDZRN{_I?=0c@90Sa`mLT61n%m}4N>$k^vCDe4e~YphX4=FR#O-f zgmx{OnyS`j!HX};Ij+vnVSik*5zJnmm0FB~V_ghvfXgxh*+(<-I=v#7&Io>|wVb^x zUyPK0hv|`J$o@Hj%78gmA+fh;rt%9jPu&(}`0oPqe@qX~p+p|IP~ikY+5?kyOoA z*{{|DIc33iSS@Bm@4Cpz>bx9eqx&TeU^{)X#eH(+vy3{^36|U?-bK4(V4dGvUas1a zv+Bd+biMF*yuE^|u=@mzndzeua_geb^PYF{x#r97m9LL%Tn4+=&uMSF!IZ!4@*UNOATz zR%S|BTVLamG2&(sIpn)na4;qR(}}Vn%Wp26x%<|LN&`y`8A5@U6J)!}Klv!Nj50DE zJB#0!UHy}c#%ie9Nc-p4JGSAYwN2lefP`OJP(7|+{_%Y;|3*ThpL(+=rrtVm+V_3F zYz?+DAJndZ^H+bzl5zcpUzJ@=LPt^C3k`xQ({T8Yn8>UH#h6X4AG2be>xZ;a*^>Ndlz`zsnvIsoY4lUGqk#v=01zM-l`A9sA8LPLs|j1xcIsy! 
zeZ7D&72raTt%9QgNl_=*)C^ekVU%HKN=dkeT`0?fe^Y10E{ML@*9VB_lc&yg9h&NS z`^IC#wXDsrc@lA3k>I?3B4x{bBfV0|g3Y0ZcR|c4-YBGdp}jk6pC6XD5GKQ;us@IA zh4Nk+o)B@3;!VvfmYI5BO~F>M^=Ym5qYi{^EBQ(@Vr{r=wW>8}o9dv-a9MRB&!Q-_PqEb7rJ!JfV+xKT{)_I1z$GzM43In@vZt#DDK||BaW4d?%pJ=M29tMi*M-8 zZsY46%YxDmFCZ@oOe6Yxy+^Yx22mGN$IS;m=a0n9EYD9Y^(9AMG7)ZodoePpsNbT5 zzD#e+OO4KEs*BO&509;@`vu+!XpE@2GT}Mvsx21$C7L-gQ4Cbv0Vsq9_FE$Nt`I3-~fcMpF4|?k{prC^9gD>`Ki-2AdlZH0Ptlj}oao_AO1 ziY}d7IBZmbk0gMr;|x^MMB$8tO2~O0;)urcDr&T)WTtqRnJd;C=dh7?!*Wd5C)%%7 z2U&`uW~x8=6lalIX^Csr*A|J_UM*f4SM>_<=V1PxJm)*CkDg?md&X5<`*c0_+fn)P z)5pm!6Otn9KdGxV50}L8Aa5er13>Wl+g(5(rC_jtUIkqm2OgAc` zk;kjc+Zs3QtYbrwY5O`2mL&QEM3*=jXpQi&8lzTR2>4I`?+#5Ys7(DpPW%OtO4l+R z^HS}Vf9WFWnUJ1WkG|2^Vp_EQbIiwf#2l?g)qg; z!IRS1udYq&cdVIHhF1Dyxy9tdZ)d2!Xj<{WHex7~@w|8pdRw!Jjo}svSjcZ79|Sl? zF|mi`J1~o$2fg|EOV$z#>a)V5Hap>HreLYs4%>|R5jzLzSffsjSC(jFk=5YRenh6b z2Vt~Zfoh~0Bish*qgji^h@G3mWQ`;n9<#1O+O)eFw0qx95ZC4*K>k8NG*aU!K7es9 zq!u6CihpewiJ`_H$^QzijcjthmR;>>?tkY&=rprH8YQ4XSQ`o&ZRGJg+bYs|9-5 z{(?>es3nBM?XLHf%KfufMeGR6+Y+M7=&oS9;3sX1R-wJhnD+81>*ia$!E`X zzBEPD>J3YG`dMJX8SOu~It-`DWJ#opxWRY|I)Gd1s#ZhTUWu^j=c9{L?beMR0I0#i z=}lJ!d@Nwh4i&_U3FLsJT^ou4c`as}W@CLIOF*>ox}xq`LT%V3u1pH%_*rx87*8#W za5w{Xn2(&3{7kkwS>b!AjRjgAWD()=s+H0|_U6XUyQVV}!ats0BZBQ&H-2BUvA&t7 z2AM%&sPHIwc&F4)k#aeCG}aHW$oRtL?SmkYWjUG*uJ zupBZx23}8ZkX8$b`s(}2)6nJU1e=MrPedKx-2LSe^}O|wt+Lh5VkE83$tKwT$^xj*ZjESmi6CS4i$gY zKwL+W5x=GQ`6&DL%C)s6}Hy)6VFBJ>6- z)(nU~?`O3IBIBCNb;<-eJ!QmqK0W(J%MaekK9!SvTSX-sk&0d^-_Qf5wzFy^4|lsT+}$WrN;Whi>vNDqPuO zuWbd-fwpm!us+=Ud_iYd&F0676j!U>|E306EB{N>A>I~a+xb-B^|Bi^f<7(fEKyBj ze}7KVZ;i6Z?Em@z|E28k%qO;wAb~G?5Mas#{YTy*hEHL=_oKk~z>_njBDIdhB|$R& z@9F$A7m1_%v9MafxO$dT-jc>Zb}5u?3?G5)nQTNN=eKN_dJe7zNPc}Ba(#I$1iLeq zE(;Ws0p!Q%@@krVjXL1Grt#qm`}%I*tBPVf zv0(?A(cNJO_uXY!?N$9;TsR=E0$#1OcUSyKqy09_L-4FIm80U6LXXt}&QbX4)u+d% zV=EXYKss4XS4DAZ4y{(TKXn}rI#&ZajCtV)5l~0nu}?EX<4-9bbVNSngq6W4z=Xx1SQ1ggHe{yV1F&S-e`$GfBApfQH=J>!2~rYI^U z$lkF1Zg(k-EvubUPDMa{h{+QH%ADfq6iJVD^87|Wwx8~L0QH?GcIU_M@fTSl2(=`u 
zSGwMF17nvbA7Z!M6gdGWYy7n6e#h1JcWS6B3kC9_E2#6kWWVF_s0eUD<9o_nAo@SN z93BL`xoVOA`vlEZ^$G(XvUhVBM*{Fb7D%?QoOr_8LfIjf)vy@$IlcZl;+u7z4^+({ z4Ky}4|1yvjheHL@t3}EPs=D@RtzEus(-(VOU8FRm*V)cv$j8xkl3XqTAR-vH_bl&s zhh57PU?xAPG>U(|eV_%J2wkV$5O$|UWU_hJj@4nvzS<^jcT1#*_-Ly>bkt$ zD`flc=RdYP*P|j92;ev;Tr&kfp+58PpaUkdO+BB*G6d8&CAziHIqdg^(J|{u<|OJ{ zG%xcAeracWy?Iq-&?eFK8s!BQ|%bV>w>qtoSITn=Hy0dFx!( zQW0Aw#`-Ib7jt9=#>+B+w%jdPwCVE^HBdzi<6T~)|E#cA{G9Fp-pjM;?^6a{gFwN8-Tcx;GvWlTT=$uj(2t9RRPy;k?W}*RNJwAG_($rO&1Z>kEok z2E2eW0vla)svpDt*y2xXkdQHUG?q@owd9l}_4~*+w$Xv&<*pzW6G3@LGm<$t>UsY# z*|Meo1dhQ>+b`4!lRrJjKFwD<<-sN%B{zQ!LV*JPl7O}N;I&_;T*ZdpVWL*}gUppP zJ6YbzBk(C=@p?F{4`ohLV8ug#1v^Fji$ozK3K_-Tt`s!!@g|q2xKCVl zdyBgL&YzKhXmp^oP1#6y?jcGH}7}rxpUY$5Y4G!8Y+jv%$P75Lv zVFhQW{QSwNGnCdY!*8FxO-Qrs2Fjc$7? zL!E!vxp=dfD9MDJlW%++rQK#EKv16cPcd3JT;RhC<_e6mPnA7w9&o$4hSFi~dVr7S6q% zGMB!Lrl;`G)Q&D{_VWq&`qcuJ$@71P0x&s@DL?TlmTR{Ooz_<#!Mdxq0$Lqx8#+ zDK}uCG_s6$Qhdz+DK1|5)tk6TweIo5guwxYlr?TAzYvOFm$R38%jp=^Iwb~% zr`vS+z>3234ysRLbG}MM9!&M{g;nCqwhKElTn9#9y#@zC2UuQfDW^97$`JK@kXqLL z^o}kQp4;(Aiua%+AN~@7uJvsh-_#Et=Y@x$_QOA6uau}5Tt&kVDOt_bl$$;J?^t6T zS5&bD@`59C6wTQj>1~6UiTR!KwD&%yEBDMSBsP@7;hKf&qFYba56_`*ZhA9L6M4~w zd}Yx5j<*m^G87i#n29TOexW(R^_d2VI3+tF**rRnL3V*`h+`%;jtQb$XG_|k`fn6& zUKU|A#fvlnSLz#OI|@l(61663jcY?e+?K+_y7T(0<_`0I42rziFpX6s7Q=dBDl4<> zvod51fzC&jFF{ugMc2oguj8myaq&dWk20?a*E*_st_0kl4x6dXKe=o@;Fs!`ak@Wl zNM8++1?>_ie|?~V#3qEIV04C1NZfEE_s_3w+_doz5n5zZ3lkZN9C&bl&8Eo^^ayM7 z{3m0|m{hpQ5dTjC$_^92D}>>aTlTF|ZPG;E@&s9rQLQGVs#(PIAz?qUN?Dyi$&7P9 zzw#Ya`mox1@9jWnK~?pyF@0<-r;n9P=7<}JmOgKW_urQ(eX4WF?p+h<$a#~d_Q`f( zBrI}eAU6j3;)%a^2+tVz+nD65sMLkeM*i}t>SFA33_E7#eCCf9h`QT!!Of zpuZ0*37tNEQlx{6qC`d(2&F`OEGj~&g?DlWMp>ZXg3H}hH0H$ls+<23qa5tF*OoY1 zjNF$HDRScXFAGePID2o3kqbc@z9au9Z2ShBeRM`0$ib*WGo$?9mPVe-wWq6_fb<96 zfJt9UEIQBt3a)m6`hnG329Jo{A;YdntW4&S3v8cg1)vI)kfr8ABI1e{9Ioeq>-2Gt ziTRxC9ehA~^1;wx69P;IHow;{zj?g$Xd+0>l3Dyh1rfBT-h*O|qkyF=2*a?947(lG zkrHpte`?^Y`Hdl$n+k$$T40*F9pn>(>#WB?Tt$f`gG|}AJL9Z5B`fVFoj|wwI=8&; 
z*VGag=v_M|x($5zE@YV3DZlI8A#e4#St2rxJeE-fIDYcPVxz!{i4BAv!ikGvg;YQH zRkb1;E}!G`3*NvEp1{M1QyzlH;Cur9CclnjO3KYmxAAbXYw9mdPTwenwXNr>^mh{W zSK9w&KLnni_TRYo7m{DxP7#KYu%McANlU7>GZ+_PsZD#UdLs&8Y);?l-t2>vQHG#> zQvA;o2Et#&-|M-kdwTEmn4-Ezy_fnHJ_UCKw=!jZ+ zt&kw*Cfb_B%^jmdi2W1uX0VrY(SULC@Sq-K`rNzFMV5C7=?~`3v9(5IR=GgU$%@{z z-Qa@BKQ$c}ky*A)t1*j;gLBL!V(H~di7bQ2Z5T2 zTwU%kjK%1NqI7rXvz?8MzA0dDFgPU)L@0A6K2g}7?G8p9ti=8+G_y@3cB;;v?oiKy zeDw^ip>4|LBI!H3JvR>{;bAl#N|G1Zv40{vK(b+nTD}3Zomxm7i~a3$_infBax!9t z@m2j9FH+8;FVR#xQm4VRU-^;ew!dlzL{(l5-H;`Eo&F0b#W}i3*|_zil z^D1`F<1rEG<#G^F%gW19IFb4$ucUOM!~#Rg`8}8JCB`JZs#hGr1NrqAyYqax{TGpy z1E^MG*}f*(CzKc`^!qU*F#;mqQ3v8=)Q|Y`%ebM|FD!5QW2Df%|E(DQ zyLCJNl>I6u-P`+N*m&-)JEzJMiMoLN$$`E1$0>PStEJ_g>i64>u2(2ylV);?-#_-R zH)jZWMge8IQD@mt3-gX2&v!_*>^4y+Rx}v=tV$VcWpuSz3`Qn+n%bm;w;9*oYqfbz zkE^v@PN)go}RxFB0DaB~h##1EsBKN3!Cq>Qp z%Aq(c+|L08r*DUZX|XfvINM3C_9eVnve;^!KHVR;pL-K^kZ4*h&2|>4~rHAGNWIoM74|GEEi}}?LDkCaO>|xZlr<&sO(@tG&lUM07HcIH? zRFJ|3YEBCARS2vERLKP*_Ltx7PB;y3y(h9e&ql32H14pfnA%>e?$fcZzu*gL*nHSv ziO`zf+i~A6qa*uzx)yFuW*YeHCkwN@?$W!<4O!6(3H(T#Kb0w+@bl#|&Vpa|nRQA$ zTkXbl{iy>|MFq}G%+J+7^H4$70)Gg2I9H1@xX=;u7ePwFP0Fi$>H(M@mRi9^Kqfnng&@%q~m;qtF; zE9?2F70Q?7R&tJWN0&SZkX2v{;AOU{NX+hjQ5 zQhvTb3w*_k3OUx~|NBsXe(S7}@^_(-@V;E5L^I_M^I$BCM$q{5u$PQFl~NTJKWNeK zO~1JR18K-F@m=dPjlo;zfH9|#$~&5oAJ`qb)cRxr1W~iPpShGmmA_J)yJ=d#+fuRQ zmf9Bna;C8r?k+2Wbea8Yf%AOlgixU6AAN5m;kSlYD}7&3MjW$ok4q9t)QOyyk~u$u zY3A-~VuMZmY$CSZA;Tf;-MoAJ1}uzB7Myh3_wAa2AzrKcq{#PDt?qvbBFQ-8Fe{gC zohK-Z#2;>fQ=!L?Nk zxf<6rx`*2`!YT`(&$5J>8(s%*OSA#JCjxWwUoQzV8;uOwD3ECT0`wvL4{Ak{Bo`=9~STHFOq8fuY(nn>2q?tH%-Lj1o`=j6w-#q=YV16MOUqUy*Uuy z%|7d&iL?hO4BXlM2a^O;=DbaTX5b z7%jCW@c-x+e8Q*bP%Jq7l_GczQB@IArr}cY)j!n7+q)TshhI>gu+#r3E@>0wgu|8m zUEf@Jbu6~5z;$^x4EZ5DnZtPU&J!quVkIHslQL4D_{XQQtTaTtLDI3(ZpMxeb0MB2 zuJqo0j436k=$l(r5&iVH7^e8E|ln>5z(7!d*i6EU+->GO7!)He^HVw6(y zRpzoWCDly$-0F_sD)XPFff&hrxBEXA7pGj%*L()1y)!kff)}qw_X&~HhhG!IeQ!#VW&*&5+~wztr&oT4eQuAcw;C1MN3&xg_|_dlCRVC)C!&+yDa=@EZs<4boe 
zi>$n)LQldOUm(LiZ(d&?p8^{)GGrTO3gJB+*{gi^-kxisZnHS0P*Nh_`1|z6#G672 z)q?VG>9y*z+F&L@i(**FFMS)c3?~2fn-8`)xGnqOIOUQiOsc}mc6=NdJQ}v%>z<2F z;Mg0J!?Xl%LWv9?)ZzMyEsUHNF>y>wnJ*jcgop($c%9hQL{4W%Q`Sx^$8t004biKL zj8la0@V={*)wjQF_Eo*$dqZ%T_`e|?kWfK7{p4A}jwS`#Kr!>U*oK~YxqoviWTe>a z*@Atx)|!y@o4k`Jd&b11C*O_Z!&5<8x)?H~jo_KX(v8S}{)isGgnXly9r}pQREUE0X*`=uwP9Fg6}cI1S_te!_c~-9D|Mgz^_Uy>AsKa(nUz zaC&jY8=I7ba%p^u)0GWZ;>XH_TrMZxXwW&cEaT&%8-vN~**N%cDbYbah|=Ny?-rfB z^{+etnR9=S0cCt~d0g=ELV{lyC{5B1$%Gn1igNdu_VIYUsgQU5fpzQYkYMni5m>#GjSG0o>qmKV5B~qw6Vy5aU4R8o1eQ+? zHav_cIPY^Yqb9>a?<0e4*aQ<9R*;HvQwl;^K>DAbloE&)q5OY56>CfC%7-!=7yNU<^Jfy8!BGFtL6Har$F~YBq%q|+7!oBX9TOF^ z5b#_seQrgP8gK{KeVY;vn)x5&^Z!*digJU4eUYSt6BDt3N0J6ec|M>L#=#YB4+JH0 zIgIkJnt)}y2F^|rb>tDU`QW;KSu>@7~+9+;8-o^fS4jj3FQvkrd zCC|4<^6D(75UsU|xy&VvQYpiPL=ulAD?3Z4K598?_oHxCVBXR zK7OymmGTYrxeh(CSv3|iiU6o72jm@9{Rr3$l<*lfvccs|4ZwvAZ&SH9x3^`$$0z_N zmr9{hir=M8JE6O~JI9)Q0=;VS5$4ES{sbTmOz^8o0tcE4tU1|me7N3y6qRi6i z)R-iIDvcE1;^T4OoCBIGfl-r@LKy&RgEKRU+rLsI`Rtam0o;7<#-vrA4QQ5A5AeEa zgQ>Hk-cL%PqY5_%en-%#s=;QB}~?I=QvIu>CkAqUlPDlQ9)D)0hTWZ5*N8I zJohGPQ-$3*n_F9JQCBxMx`$9O9spxp?J-`e$)sCt1OrgY5Qp(~AHGLgBZnq`wf^4M~|`oqQDrF9sY0B8H-hJXqIAgcO3{qZc(OJyEzP6vPgPV4uT z6#38<-~!;_#qY*Q?w>!80}Tk2QpFsJz?+!4X^IO%fa>2}uXyhPaFW}4mig$@?s$$1 zsA@|0sjmW5JuELYQUb~iAJaj}#Epa0YzItMfrUCtT;sp1t71S7As1jAr_L0jUoASY z-@Ng>O9(}D;CJ1}o2k(IHiuygdc8a*gWs`>T_yr#8ExP}pk!1K?ax0+tPXZF+MYlO z4DLQh%D>l3eQDg*QA;LVoB`ABGqIK8ZsCJ~j9n328F~n?^hKMe~Uw6s*T# zDfmKsdLH(~RZ13vAN+q;+OtC8M5Bqhw%IoGz5hJ{$p-GDc0e53IK3eDOQ8W}R&Cnk zQn?w%OhK{OwsBBZm5xb@QdigC(j3fIn|=ECE!<2jU3i=$H6=5q=kTRhWRC2AvqHh69q&reHN(I51GK5 zAcqYCW}nzOxum**QYD!$fv}u~gdM1EFxT7uPLfZfhtNTxh!++kXmej;aCHjgq>-+V z@<9c#$+Hn8h5|vQX!1X@fniB!rqM44j|*3RuH5L9C5`4uI~PsthC0*hjs9>s=+oT) z(*Scx${EL~S%$k>-4&j`)Z`JG9(+|8SoTS+wqYO;Vkr%!(F}O-dg`{K}{D(Qr)0OYjR{GYWb7H}?Ol5cXHH0Ji zO10Xb9UBkG8=gCFC zCL2A83puR5Kqq4N(S+x|i4(i^Wkav@-B$rrsmkB54hJLwusc(yg+-A5;!%laKLYG0 zyJJ^+Hmd92#l%DmqkNtlG+*IPZiHG4cCj>3PeELz7?EU`Y7CXQ>L5yHAY5TimVF0K 
zLPsaH5^XJ#^}`|iYuz;NPyF~SI#FSGY?8N}J$c0<~IKNZNe2~V&PE`Qt+`9L?W@6Wb_pV&c!BlLG$(XdQ;KE7uk_={^a+c`i>RP+t ztgTMF-)M$_ygzxr`rwZeoo3%3Le=J^EiQi)W6PN8+*fp{AUSvV^nB9X@Dd8ph|^|J zqF6vkhzrICCkHIsP5yBsSn=*oWLHTV2q+b8gn)ovh(k~M6pQ;6@f8a9k3D}pF%%fp z3FKZNPH_9;N)h^}-FvJs6yS`t-ArVHIbA+vORa9vk8(zTd@PX|qaC|pFkGd$Ojm{I zAr3gbOXFgQtE9%|En=E4++p`5zMOBPUq?%l<|7-Qlz|$Xes=-K{=XmADaf`=01#`_ z0>dHhKZv-2G;#hrdm8ApM74L9=}LI|DTl@2YKq=b^@~{^#ff#-FCaG4Gu@(UD!R$z5nq8h=_D10A{iKzmTm43DN+K=ul6=xkcqVu%^;~azi!!r*-1}Y|FR z+7f=n)Hew}WLu*dX*-CV0gfhvXX^F658`H-!tN51K`%elZ16E6o6$)%87aZkXFCKR z%c)EVQc9n+`?h0}JeZ0-U?Bi(2|{Pbu4jqfCe}f)iBgI#M@T~UehP8RlXv+E1y zsXP^Sl#I>H$~>mTF{T^)7nr^(RLrEfJ(g`8d{whtr+R)h-8@Hm#05sV!N}uoXVJM0 zqe8K)MZ+K#9jgMNmTm$-L-gOWEJBmQD}Z{syotP;81+#1`Tx~!p4LK!@^ zTx72Nwb=46r_1;O1rxQGUjKG|@!Sg}4*(3cTB8X>r>z~}P(hL&#tgR$`JU}4{*Vti zI!z8#OlbTOt1rWsQBv7`6@a{nW`b)BC+=&^`PIUx&({hTmoNcxQ`EtYwDS>*x&0h(D`0?mAoR2k zHgD;tEnM@<1I0(g=xmR-y2Jy$Ql@R7a2SW{p6PJoArSvwO)q7DXj)Adk+`OvxOuj4 zn{$O2I!)Gk8ZUb7QX9f~#~P5Qj@LxqmsmuZxJ=yVeV|7#B~bTz&H5CFyK$N+>K@Q1 zxS+Opk&>(dPP)HoT18jOceOf2&|W{6!*yjgJ8r`JHl-j=hRcGqvqy`$dbSFU0JIIo zxalz6*{bY;d2(s9kEBQPR*C7`tiKg((=<%ECYSZ*_Kq^rHu=p`+uON^2#4hKFw=_= zY9Sm9e(T0d0qHkrX z5JIMH`p)ZYiwt0#hNb%?`xp_+&S#GSVJ#;++#3wvuavN;sL2gU4stTxKiPN082of$ zy7-oa0-}@OKpaFg+G2h{{s+oxddsK4 ze(z1G*jN$;7ICzgbb8L3$5rKiuE=zo#V97k#o@F=&foCuQ>#i7pLV0s@y zMs>|XUU${YVjNN3KfNC~zu}>SkhfxHt$^ ztmqbH9wunv+9O(Og)5Uz=F=cgc3jo-zdGx6_PCl3<}@7??^y4vA9i_P@6N(ef>bIcRwitiKJS zfLd;k{9d7;%a=NPsh@}#Mf>%n!~=tQ_t*1d@CvdI@S%9v#R{>BQkE)E33;f|>>j{n zb!e4)tx(eC?%nLA&)*&01Oj3F5B;jFH1Ew-@04`*de4hC`I{iLN(li$(V0UVP_x9i z!*n|OH>u>)CDJTc?_mUdOOSgIpiPkIl9&Gbi{!yQk( zaoF%B!eqjnlKHnfHlg2~4T zr_jSW*x+~9@_81wxeH{G>faS?omAlEh7(olHK6zt>dAddcWn3Br)JJs!n&qv5#p{S z4cUdRL*u-re@=e~qzCN0QFd==roz(N>{)V%IYotS5BJdlaTDlSso=@l3n3Nh>D6yN zAvvB2A7hhSt{Twn2w@D6Bwnb$OhCyBzAkYbi90OAR+Mf@wz4jz{vzmd&|mmU-Bx@{ zKzx9_>tz87?6%KyXj+?=I8T7mNOcn)r{FjJ7s1k8lQz%$q0&w)NMfZ9QYenXU_@wM zLUbP-?f)w8EB~U19)1M@3F$_`Gml#~uZK|q#9 z=??GN=XdYtKKJ<-t}l4y%Yil!m^y&)0mR!M 
zM#jb|`#JD)t%9__W;kvqRrOHw+UxqhTJLh}i}FEJg)^($L>qr395#^Qr{zKH^uDb-h{!xqswo?M#@~NAi?qh;-;s-Ab^zP!N@%&(h#65w&P*418N` zF=H4CpKood9=v*m@t8&-68@^Jd{q34Wc=W+iSZ)E2Miahmxk_`19oG3L|u|>N^@0- zB+Sdixx^=i6A_YzNL2XI5I}{chm;AFIs^X28P0M|V2#j!FMz)MIo?qQi}mqkVocWagl&Dn?5@Y zcY?^d9~ByA>|C)9$*a#OUKf66#hma*jhaVMmidfVUZe6E>Q$ZaT$~v>7^?TS^%^rTOyG$HSDOladXDEv3%6zF=<=nZoIs&2!_c%bW|&Vd`&kL5=U`=Snk2zH8OmaYX-^K;8mT zZ%CNnte9yJ!AE{GPqB(Y-VAVhJuCzY?WJJ{Z@JDQVtum0;37LVNa`XGK6JDaDD z&|1aEaW`!L&)$FEoZjvbvkIopf=`@w7%~2kHAG8*b}EDXtwrPBQ4b*swc~?)i&l~k z`I=`Pm!h~Hf~MNwU0t3}yBnWYcRR;)?&t({$azevu??Dc`=$C?8ojDX5P$39xUj?* z&wir@7`~)7Ubk4$C%y8qE{zTe4hG7CVjkg;GXrnp9fhIDNbV1h<;aouF>2wWCu)g5 ziDSFRUh3imOFJt)f*BJ*$gzGl@eHP^8#a~7<62_!bAG1sYo@4zZ(H%4{Y2!Gk+%Y5 zi)TAZWi!QFs39QLrEqKnLI$n-s+&Ciw@@FqnEq5?sF((<7IQ0zLst7WF7RO#s*yx2 zEE6QjU16WN5kigI`~^ao-gr4vbmVd&I|N1iM=B8Or8&Hjyr zJyQ2oW!Ik*p8${OxHoBaXTZnDCq*1iJ&*^0_6`UbBz%&l@y&EdnNOyzw7zF^C|fE` zfA774m!#23`t6U*1bFR>SJ(gG;MTr^+hxu-`1<;?`(2-^sja#MKmHDK(eg##{+3mCITGS6EiH-7 z%_1$Wt^6D^vvGQHOiLK{Huz1iV8=(JT&>qu_#HQwX|x?JvMT|;LJdWUYuKp4fwY+N zaU`MBtlv~3EsQj$+(`l9_{GP4&xH=GR2~~P>{95?=Sl@YEeB$rRlLodHhY?sWqh=# za0&lf{(vPqGqpfL@4QRtAL*Px5qd%$k~&*pJp6M*etmlO@T$F2?mKOE!Eee6t)s^& zeTaN;QZ&7WJ$J-V;wcE2ltt0D&zI}|Jv97hD|~0}#xYr-QIsz9jp~p|aG*7lYtIdz zwMqv3xQMg*Mm{ua8?VgZ9VYQO$S_mw3&$53J<9COdm4rOLdtZV5_!fPp=oKon@P_w zQH!IxzuqWvC@jsYC`{?g01CI9>)v+I+Qmg31jQER%Z1-BJ~En|0TgZbpw(beq7IXb zIF2E0dK94UK9HgswQp)P*T<0vI8ZOsG9ctd*vDF#jEszAQJZ8!P-}!;=HZXmdyF1K zAnP5e1uw1&5I@?@AE&$X0^Tn*u-hY7fP_m$tvsPB=gkZulBcy;%LEx<`TPix-k)XveTDhZw!Qhf1mfj9!M!*qCnt6Q z3e18m+=d)QFT7uX^exvG))8=d6gh%5vCIq({)QP;!x?4!bJ5$%$T{jwA=!UESrbIp zif$=`+@moc+BJw*Gy~hH`ny7m&<{mnTQ*6yIH;Rp-5GHBaObAla@f=VTx}tMQOpzL5W|S(L(Xgd zF{h_S!iZ?QM+MMP1dx-Lk~aqnzXPmHosDfx$Yg6QJ2dM9`Q@>( zOt%_Ri&>0g`@65Hsi_zcGnxQ_RrCE+EdCsbliGyyX%}NFMC`KGy;@g2f-Js9DYTqy z6)-S`YqX;sq5hf4&waSTlMqfNSaGn|+U)X6YeQCddwY&4pB5e<@^`T_+^1>hYth%l zm(NsY*^|4J{9*4r3O?y6+mFw-oB|`!u2f|}M9$AV3ppwQXTd)|8>MtE9-Y^A*GhO^ 
zQ@1R%Oh*0Tk`?^5YTRzUtap7eh+n>#XXDEA(J>fF8=9fAd6u$$yWvynaMOajlB8I=p9fY5r?dhw)C0|D9DKoJ>v*^d1yF-!SW_OZm|0mt- zvQ%t*1q-!n?`iSc>^C^Q`zf+J-(}>=v*p<7f2ERGsPwX|`vLfQ_Wv-Ghdl@q^Vrq6 zIsa1zm^X$msysr--zfA?IAA%nLvKlUF3&7U1oYH$Xz=Fzvu|c4?m#+1dNLV)aqvq!^V+#Ahf#9uhfpDW z_lM?r;SOkk)v2|Up%Na*aa9s2olU?q6_rk8RQR1cir`Ug`?sh7gqHe*WFwK!AU$65 zJVvT}sWn?i+!~*D7iVlMvrcywK7y8QwY@n{@Kh?so*RK@N7Gyc+#X_4*^4BZN(LyW zIO-L^760X9H4Mz;ON0k|`~xBzyNEFj)OQ|KbH!&|!jqkD?^|5f$w->;52Tn&WT2JE z*uAiu=YGEhH+Zu^1pB2DjZafaK~a>}Fm+L>WlbF7*-Xf=T*Y`*slm_U+tROYWEB(S zQxzX;*yT1K3&QGgB)(h(?)%`b9f+UqcKi8hQk+uH!lgobPc_YBa^E*L=7Y}B#6fQS z-RcN6+M*ATQ#$C!agze>#Rd(RwqH@tH$K;z&|U9Hum~A&ENIlN>Io}`lXPcG{ z2lHxj&1Twj?x|5cXi=4WD)u?gq9|HxU$hQ)UBd6TS{}mcAkOcz*|M)n>T}Aoz1du? zPbyI1cfx8=JmUrRWkdHuYHwJ%-1v)hHB-$-i#hv@L7fq8KKzUKpdj_W#kA#G(5X^l zgDW}y-J4$uToQWISt$*EYnvalR;3SS@_9*ljk11tx?JD@8g>o)>2muA|J$388#-~n z$JP_s*(r=ASWum66@!emUFhH4iLkppfJ@vjzy2a`UT#oNc1AfJKBC7X$Ar-~x%;(Z z2lUi-B@jQB9C_`JNMh?NbT*&^?UuJ-6oomQ_k*hIRpcyRqDk+C1T0#oqbwx z9xFCEoXNJm2)ET~(0QuxCRIDb-QMoBc4}lv0m1i@Gm?aWTq642>d{6h?N` zE-7aQwyya6;j;%t7Q;&{Xa#StdaZ>8PHCO`?x|%GL4?w8t=ArT1#8Z2ihDV}llt5m z$~5;I+owk}pF!QRo^~G0$*3#Vrsh&vERTD&)$)7XG;j|lW9QoK<7~3* z33q1q#rQ#8rATs^hm&frINnb8gHfSgpjWW-6F)C3_b5MJ`8aN*f-^t9)fI4c8yaQH z)#G=m3%zZV@>b!}6XjF<4EnOQ&VCD_GP4DlJE}pkt=ZMY)%Wu*vDV$XHcoWSNWrdb zK<$Yf3kjASS4yFvv)Gr!lxh)|UmCsgSUYE<-zzygeD8w?THX#ZFcFilm>5cP_PwX1L)aSJK2 zAy`aiFN=&s8>$WJUzAZ1+wV<1jgo$TRFst^;gLEZ{*o`vqki+-i^gNF;aR2wq&tLVCGJAH# zW9NnD9IWuSCly(~_owN4?4jtJS<5Bw>K6MJDz(dAu#}r#l&Fd2Mf-4-8Kif0ZF?jd zv&Qndw@6MCi5O{OO3?-uv!iPVZUCXLLvoIhtSl0ZqnavJ71{{o* zOScv{ELb+#5U#D-oz2STk88)Qx>YG+Ge4!F^9Lq_okDhe-YB`R-dY@qIj?-leiln8 z5Oy8Vn>Re140--$tWvws)T3Oh4LftGRq#NiZ2Hr&(3{Mjjx;+JCL$PP8$CAxyFop3 zEM=joG)T0K{>vnv3l_>w>1(`omg{&Kbylr4>5Y{$QB;j~N*r@C8@tbg$XpD+t<=1( z%K_D*j^OFLK3Lc(cXQ~e&tqC-%9&vkyX64Dy}MkPv)twyfhTN z&7kPhq@N^8Byb6}NU?R8KSna$GqLS@Qk}hg$5I*G)RXvq@!m%izLcwzKR){i z{P49SW>HED6chUMOvM3UQ$Ygo@X6>BE`{1 
zQ--c;Yqz+PQbC48N7%K|zbR`EsF~NVeXm@ng9M?XX@@T>iF4|9GRIQ!N2PMGe3i&z$*@h=GfJ)Cne!eR6Ru)=YeKsnh5jXm>Oy&f`-R^*) z{*PqZbM*ro-4_|`Z1s^r;u{h!lbDmpFJf)edLCxI+?o~UFI(STwFYI~s)thb)u1Kv7ICIB-e}4h5I!4s z3%1MY%*XUai}#k61>^3hGseZspd-Vbg{yCE|!A+X?WB7}%c z-vW4l$ux~O>C_uXzV?OQGLc{IFZ5UnY9(UJe@U(}%pnjG(74h?3(s2hFO`sc|8wT% zf|E!&u@nnCSHM&KrcD5~Z+>A5an-ODm9;pPa-v@fs~SO^#gi{`xlt6@njIg-XUS`^ zvWlWH`CzWi&{JE6$FJY~W`CU*6m@9kdsewObr=-qzPrtFeSY^OrR-HkQi<9<4x|T- z;K#n`WF+XTS5bzu6!kDUl_@EEXU>r6Cllk`qT8WrkHFdRpBjFSfNhOCqZU4!U;tR* zgoi-1W{6;SuJu{9E~~hy=;ZH1+SSS2mmF%CH9y&C$ROvTym5>Gv zwoE8%EaB~&1S53i)gJ|Z#o|WV zRQ?Pg$C?6CBzCaPOXV+;lEi0V3!pxZIFkN<-9#@5_!Pj-JMDLQ+P^fQ?NEGw@wW&_ z$uj;~_1a^A*8&zOEJALeqyYTW8-UCG77Zy`13PnVaC>sU^$Dw7QOa$)F+T-PC>5DS7xho*p6l&?Hq-6DWwLa+Z3bOVU(0 z&B@4A`ICZl4X(1$J-OR%Hz8-o(`!eg%N+Ms&OeR=hqa=7kl{i}@wf@dw@;RWXA+V+ zw0cH30~D=c*%CdjqXmo6x{lAYln9^3%y*fe>R?SeRLHugIOsf{XTLiq*ZJo!E@Tbk54iR{*2y2l z98-v;d#WCugFy2N`e2`u5WBbdfgF;~?^DmvLp|~!?@SB*KB-9QMfe3R>rH2$-SFmD z>R=jU7!kO%i@sxYE}fw(y^K~@Y~n(^SaFz=PgPi>U2s%yE9@w$+(j@I-qEPfjLmTw z+c3pwOq1^W(b>d-zSdcHN=ZkL3`SHLFbzvgXCweZEuX_x6k<<+0|2;c+ZE@Krwf5b zE(z=%oMe^#LQrX~97%r_k!oXoLIw`I?NWv;9h?-q9;3X+r<#<8c6IH&5l4Ejhxfw6EXJ{v zQzQIZ9HJXXBwD?xy$iKVhOdXmRUE~#xTKg1<*T&BJ!cw%1h@P+tJj{3pK$wEx`$dH z+IQbx9&vlW{AgSt7}dYKmoxN$c9pe2mx70c=#wu|Cf zalpxsrz)8YPxaNuQ@Nh3xU|!9XqT+^yOa(&8Dm`@32Z~+fY9U0GRs-f)#2Z1`gED0c%jb5+UawQ@!7WbjWvGg8~tfnc|!%j ziIVai(bX!dJpkQkX9=CV$K-)vVXAgzQu#6MRq64YeV}@ennHqyC~#}w(Wx^;cbKgw zTnP(~7~-zv@Le!kHuBJKu{CYb{#;y*1(~`ck8`(8!UXjJAvpj90{W{ z1*jc}vKc#&Z{@yyld7moZ`d~+g$!LV{cGCk}Ab;)nbG z*x{u0^S>YL&(}X8XP3{H?!x_g$)`8_6UCo`>(}O858iLk%P9lZaa1X*@FiJ z>dNvmIy+zdXMBuVymr5oWy$011|InYk~p0C-g2^`#F8WWw}SA=>7KVA@W~v>9?26Z z8KqDPn-rf`igquBKU=N!q*+tp)hTFuHuJ)*N1k2y70x=?Ks^|hdyiM%F%`zee!~Lm zVE_wt%1Nov@L%{lmRYd!eqocvtFsbQ){o~&EItrt4)j);GZd&hBf<}K(f1{ zM}7fFck8v_bha`R0bn1lOI6hDHvQnVm63Q*fC}OiUS-M0lBK-AzyBj%1kE+v7_Z%G zHfm=nOr!P{noRgDVKU$zW=wzR){TPowGT`c;ZZN$Y%=AJNwWh*Qlo^RCfpy>YpUT3 
zBR&=`im6xK4oT0mn~Qq*(;v*nTQ%XDMYRPc_U^PxEsxR~Bc9uMyOJ3;L#mC1t^k;*Q{&|4bB*Ar@y6e9 zo7PPv{0u24V3^*$crve^*lXCs$hPnro`R(c*gq`HJkFyWiTB**oNL05fIC+1AlG2< zl8~OwQ`g5^=UgG=o8N1QJ80FJaWx>SU>0;-RC@^FFv%C(fF_13#~k%&%MfDeY$_PK zS43SVw@$J_SH+m`?QR2`JnJxid$ zvI^wS6*`wVxIzJZ=4mWcf{xwgp+`PwFQBMYyhD+xhIE{o_k!r#`**pdk(%5Db3xz@ zlj>hkF6L{TIHP7Dped!$gnH5ew5Kr_gtr#w?8I~c$74-eAfc_S5?*X2{Fh$1l-j{1oA*An5HWo1@gFYk1>T(~j7(Q+dERTKVXSXB8UlKMUkyu=L}17e z2`9iaqXJ(Q)&J%$1JS2_x^d=z7aKjAYwWTEhp;wh3`p6QJm1yyq*F+W-ROR`AP^nf zvdUZUe!zty2azG{b5?Ao(t9FFgts0xg zqK%mdg=0}9vp$rG?aq%pfO*y$KL#Go2QH1(HG+um?luAZ3D42(h$%Wjm^1w{T*~&DS@u5&4hU# zlhzNHBH2L94;1%tyR&7)hz=n7{luZ|pJ6EXeXO0d3+cijS3DKH|89*oS0tA{RGnUVp}Pv0&Q|x zf;O;@Z62z$+cUPJ6hBcy3?TX!=M5J5q^9_+X?rsrxLDTu{xLW4JA>IMO@dlZ9TS4; zPpedgXZ!LJYoWZ?m4StA2<>M%)KRk1;%lVB`s~{0w`Z)ZlFP|-sxOL&+;@Ja-|=VY zG}`a|;wqxr*T*DUu;2Te@?YyoY|)D<%RjW6Kt`c@b071KgN)m~ z&Si_PCxD#wS{IrzXID+~F~)cmA3E5a9FX|(=GUyHnP<6Sn?nMEnVtJCBZJ_@?d^`+ zyWYF=vnRN_=A$a=6G0M~mcsyi%XF))cJ=>Lb{pz2Tk+QsuOJKU7H1PItBnJ`{`!^E z5ZS9gI64~rUk(rsuq4oFeq$o{2$(5~Kp^aN2jc1Iwq1A=;8_qiB2GkD@traZ z6^5d9e7vDb#b@>asRka#!dwL18ut4ObzvN8xsusZyt?HifH2Yom4KM}Z4Ayqgq)S3 zbt*K|og3FHiqb>F2bS9v;R#8^muP`mU^XYMl&(F-`IkJT$#}!aR(kW>VymE6F}@aG zrtPn@?yL%q@H+VQ_(Vl{uJs`lF6(kW_||T6srv@AMt;I^^w=DbpoaC*{K7Q$ZhX`! 
z!O>0LlHT&v$KP<}<^N>?rZs(?~iI}IpE zYRQ!m1{~7R@^Ut)OOz+)F+SWlcz29Y*3*%m2d1Kaw{V|eZyA$FQm#~fhQT$d0XGcE zz40y@qzVPFe52!5&GgAp+n+Nd@mP_u#FyZgg*yNP|va2)+^%8`xmy0dA;{ z0}HVUN~bC`%7ItsedpdDCqR98!Wnt!CKn^$cDL+97Kxan`AT z0F*(s;wVd|`tPrfQMYQ%LJa4X&g{3}Nl0R|9$Ww+pcW8bmw|e#82xZOnzUM_8#g3B z?DlFD-b;ZT6mA4_j7ZF`9feNA8%q4p;#21)etgSZXnJa zNjHjg2*)ZPK0bWDRKX$`A{#tG%m)4DhCbYLV%8g+5z;E$7lvyIvv_X%yhJ{dsB%gA z&(siB4tml|S3m%31mBY$V?hw}r018nl&5~#{NJt|Er@`@wPz3Y?9W2HDm_KGOn50V zaVrIMMoQ=N1c;N6)jg)?E+)!BAb^$kcAi$`jj?3^+toKeK1YHToxCgG=1^kD%JG!h zJPKu?Jw{xeXx3d4aazRTe0&H6rOKM=s0Aj z3Q%cja2pM-hX(TlzuE45)e|_8V48B?4>L7-Tu@ZGRu|~ht%Hhcz9dD0Ef_;;g;QJz z99Id2g-kt&B1k{2_`8^!sat5?b$2@&F<~-2IXU_L;`n&n94oV=+${B`nHu!4Qrz=z z?G?_7c@`gBW-Z7tbSsb#AefikAHw+j5=htgf0@^j7pbp+>5xdn00>k^GyqlIX-loU#P~Dz~htgeh6wzNm1*TY=S& z7Ff8S&}=v_3%e1dz*(i5ruQK`Bms`ucFO-2>B%ic$m^LB@OdDynrrOgOJFFa|AvfD zv6)mE4DNOTuV+N_Dm)V%MW#Co$+wPIuvs=+{Wrt1Vt^u%cp;0+tMp9zJaW|6T><&d zwp)qLjgv(t7cSHh+kpomg5aYrC6EVki$6=@XC70mD^TXXK5)irF(Qbdzyv+cNpGYi zRgpBdusQGr%W%*rxFY}merJ2Cr0<;)C44jX|GJM|mj|OQ6eDFe8s>1uH+ouM0Bep} zQZ!l+{r_+*tVe37DXhX?> z8r4OAgH17w)(&4VquE;oq9nLJ8gF?)B|V9hzT%5L zhhcIWi9vxE<2KnxdqsCNf|Qe;z4yo79^uuJ*Wn{p)kSR<1?J!(P;ele-erpUiW!0; zdLY%6Z`mxdv-nfd{btd+mzN!B-X=IA=#Exym0x6kyN}Qj^iweLQ@btTKrsLQ!<+tg zf!?eR!R)k}WD0&ja8>_hKNkO=_G17P2?za0dw1HS>GL03G04~fhp-{#GiaaOnZOVR z2O{y`|9No1f61xbfpjhsDy<>{z7joV1dQ>$G{NK}fEr$}vUea4rKcbH|M!GxS=+N8 t|1*Zt9~4(t0ygv=KCGajcDpbg26Uo)d$Mj9s`~)^Q&xb=SIe3O|1Uvblpz2B literal 0 HcmV?d00001 diff --git a/book/source/drawio/dk-attributes-and-shadowing.drawio b/book/source/drawio/dk-attributes-and-shadowing.drawio new file mode 100644 index 0000000..e81cb62 --- /dev/null +++ b/book/source/drawio/dk-attributes-and-shadowing.drawio @@ -0,0 +1,87 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/book/source/drawio/dk-attributes-and-shadowing.png b/book/source/drawio/dk-attributes-and-shadowing.png new file mode 100644 index 0000000000000000000000000000000000000000..73e8292aeef2ea5c49bd37ba786c50680dd7c125 GIT binary patch literal 57974 zcmeFY1zc9!wmxi764DLQ-5}jv(v8yH-7hH8B_$~$odS{)0@5YY-Q5k+@U2&2Z+G0Y z_l^I(=iKl5Q(?_D*I09oIp!G881q>{^0MLxusE=H?%Y9;ln_z8bLXxO@UIF63TUCq zVSjYz4r7X=sJf$-tFf7-(H$}t;UB+|F*BOlI5?8Ah>$Te>)G1U8=C2v*y~w2&|4ch z0!_euD;q;IV>2VeAAOh^nOW$VnCO@om6;xsu?R9U0sk>`&@*$eYX0c2XJTZ1BT&Z1 z-OSQbkBnK2m7Wn0MXAmNbQc1Cdtzqo`qn^pl@P#!E#DuI2*c}x$4Qzxg?A(S$;H_*x$b9=B?lcB{TP%@i5(}!oMmHVx?Cot_e%sC1#`0!zH+^h@dH+T_xIxK4&+?D0YG#Ixra$^}u-*(0 z+*`uP%*6Ee&A`I`n4gv2ZReW?2U9&m8>%#rLLvtjb>%DsE(BW#nk@28{AXBJ<-LHQbml%gv?BueQK)YYV17*}>!6 z=k#vu&*T@;;6eYLH3ItFEb%`cKG^O3&JzAq{WtsWH|l4z1nf-6(9D^Pnau?JtGvCL zmELy+NE-oa_;DW?$xmHwTYqYzWONl21RUI-cLz`SKf1<%XSWo#v9z)OzHe9z^^7=- z4S;bvINIA-82xmI&49y5-x#=aV`Tqtt%B{hR>A&9t6=&wtGI3ZCo&3PalY@OpEu)_RUk_CRm}rp^LL`17Uzqoki66t*|ga|DMlW=3T* za2x_hD96XQvh?kN-@Y5=ZOdQU;cdsieiS_CKeb7)WBCie^Lv|QHR3RQ{AV`F!K}~1 z#`fQ3lbpY`NfwSj8YT0sq5kZu{t1op&s^2-R?NuSP!Js60l#2ispsHe2KEX+1&7~8 z5<@)))9+ygyu9EGc|Au*BYQA<0s;gW?+F2M&)!WPXkesgy}i`&HsMEA(F^ z|1mS`j}^Wd|9?2`1b+s@A*?a#5+FS7pHu>OGLfc$_?%u>$;$Zx(^7FdOp$XJ1j%a4wKE%0~o{MUH> zzXpLZgB>z>nm<|UzX$?j{-bjf1~Mw3W@e!02nPM&gzv}XenQbe9uCeSe?nouP1CGx ztO4vH^s}G2Y0|R<{3L*k3;=9p1mt=`Ky}Lzc$cN%%?&FvLql+p;7_snueS3mAOj2d ze^(ax1IGE|N;BP7uzp5jx8;Ld81X+}6}S!E|2d}w0N1}6(Ei#f0XydJ`jEfjlmJ`( zKezN7bjEU9q5KzgOKg9FxqcT&{(Xtze>Ceeay4`Okt}kuumElee60b_2c8H{|K8kxIpVv0<-eAX z|3zc}yM6q3YyV9_&Jnz?|HQ`wi0$`2-WoV@|35c>>#lFG%`bNU8#jMb?EUA?Yguj% zU4DxAA^_FKz>)6z!8YU1dFam-*`H3ef9~?%Q9lF9-@^Y_L%XS@+*sf*Rg|AB@L!~c z#`4D+8X1e&A3!9);Q_cz|5j=1r&`)?&M^O^hW119e{g(o{K#8l=koo}F%qVbFQxY#q6ZI}r>3TONs(M!CMs*rxAT?U zSgr-2uu`z&Q_bry?>%wq$W0#jXfx%p&T!{C=vqYqh7tnp9_(Ef;$6%RH8d9I+-k+| zO~|<3^;c(b!61@vyeY;-Nb)egckcy*n(jCbWeN!pr69>K=5OEidjb581O-F6k8r4T|j+#FBVDFi3ZSi}UK`!CWQN-jut<;;%y84wh5( 
zAe1j>4ojf}klKl0@*l66Dcn-GXk*ttR2E@|lqd5>VdA(0Cc2w9uiOQx<20joto;K5!6`be>78>jXR%wA@)+qAV=87%OyARuTD{tNnxb`)ZgQKI5i6Gm+W+<*8 znRiYiiuNb@7)_v6x$`&%*-SRH3NsD@#iraGK#${w(NYz(X5uI=#Lo+M zZF_}O-qIz=lf;@9D}H<_qi~q4oKa%m@jW#{ThvvaFIW)Wb64W`c!z`C@C^PHsb^bQ z7Jk1zaT|P7D+iHtQ|C)X$_b6qR11A>F)hJyvNc&a+J6l z)34OCdJDjO;3`RoSm@ml97BSJ94glgwkLy#c3>lSH2 z^Qp-}i(pC+yo8)9C7p++!pU#JNOI7ZNTTJe8T9FF+?^DXg-nbM^UR$EiXFeLw)b3%K~Adz7QrJXDiT)KkSOccE7e~&hx$piW5uICPM+Ufr+I#>Zh z0alcM4MhLneQG+ Date: Fri, 10 Nov 2023 15:38:09 +0100 Subject: [PATCH 14/31] Integrate some diagrams with ch9 --- book/source/09-verification.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index 829800e..d458144 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md @@ -83,6 +83,11 @@ At the same time, the specification states, that signature subpackets on the dir In this case, the implementation uses the preferences from the subkey binding signature, but if no such subpacket is found on the latest binding signature, it falls back to the preferences of the direct-key signature. This is called attribute shadowing, since direct-key signature subpackets apply to all subkeys, but are shadowed by binding signature subpackets. +```{figure} drawio/attribute-shadowing.png + +Attributes from the primary key's Direct-Key signature apply to the whole certificate, but can be shadowed by binding signatures. +``` + Note: Attribute shadowing should only be used for algorithm preferences, since there are subpacket types where shadowing makes no sense (e.g. key expiration time subpackets). ### Signature shadowing 
@@ -91,8 +96,20 @@ When inspecting signatures on a component of an OpenPGP certificate, only the ne In other words; If there are three binding signatures `A, B, C` for a subkey, where `A` was created at `t0`, `B` at `t1` and `C` at `t3` with `t0 < t1 < t2 < t3`, at `t2` an implementation only needs to consider `B`, as `C` is not yet effective. `A` is therefore shadowed. +```{figure} drawio/cert-validity-subkey.png + +An example for how certificate validity can change with time. +``` + Note: Signature shadowing is not to be mistaken with attribute shadowing. +Attribute- and signature shadowing also combine, so it is not always obvious, what properties a key has at any given time. + +```{figure} drawio/dk-attributes-and-shadowing.png + +Signatures shadow another, based on reference time. +``` + ### Revocations A signature might be *disqualified* by the presence of a revocation signature. From bc25296cec2ddd59cb6d9e48865952f7c8365b8b Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 10 Nov 2023 16:27:52 +0100 Subject: [PATCH 15/31] Add diagram about narrow interpretation of signatures --- book/source/09-verification.md | 6 ++ .../drawio/narrow-interpretation.drawio | 89 ++++++++++++++++++ book/source/drawio/narrow-interpretation.png | Bin 0 -> 70128 bytes 3 files changed, 95 insertions(+) create mode 100644 book/source/drawio/narrow-interpretation.drawio create mode 100644 book/source/drawio/narrow-interpretation.png diff --git a/book/source/09-verification.md b/book/source/09-verification.md index d458144..f2a5ec4 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md 
@@ -139,6 +139,12 @@ For example, the latest direct-key signature could list "SHA512, SHA384" as hash For yet another User-ID "Bobby", the self-signature could list no hash algorithm preferences at all. If the user wants to compose a signed message using the associated OpenPGP key, they need to figure out, which preferences to use. The specification recommends, that implementations decide which signature takes precendence by the way the certificate is "addressed". + +```{figure} drawio/narrow-interpretation.png + +Preferrences are sourced from different component signatures, depending on how the key is addressed. +``` + If the user wants to write an email as "Bob", it should consider the signature on "Bob", so SHA256 should be used as hash algorithm. If instead the user wants to write as "Bobby", the impementation should inspect the self-certification on "Bobby" instead. However, since this signature does not carry any hash algorithm preferences subpacket, the implementation must fall back to the direct-key signature instead. diff --git a/book/source/drawio/narrow-interpretation.drawio b/book/source/drawio/narrow-interpretation.drawio new file mode 100644 index 0000000..8a32531 --- /dev/null +++ b/book/source/drawio/narrow-interpretation.drawio @@ -0,0 +1,89 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
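Review bot: In the `@@ -83,6 +83,11 @@` hunk of PATCH 14/31, the new caption writes "Direct-Key signature" while the paragraph directly above it writes "direct-key signature"; use one spelling so readers do not take them for two different signature types. The figure is also placed before the note that restricts attribute shadowing to algorithm preferences, and its caption says the attributes "apply to the whole certificate" without that limit. Consider moving the figure below the note or stating the restriction in the caption, since the note itself names key expiration time subpackets as a case where shadowing makes no sense.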
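Review bot: In the `@@ -91,8 +96,20 @@` hunk of PATCH 14/31, the last caption, "Signatures shadow another, based on reference time.", is missing a word ("shadow one another") and describes only signature shadowing, although the file is `dk-attributes-and-shadowing.png` and the sentence introducing it is about attribute and signature shadowing combining. Suggest a caption that says which of the two effects the diagram shows at a given reference time. The new sentence beginning "Attribute- and signature shadowing also combine" stops at "not always obvious" without saying in which order an implementation applies the two; one sentence on that would make the passage usable for someone writing a verifier.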
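Review bot: In the `@@ -139,6 +139,12 @@` hunk of PATCH 15/31, the added caption has a typo: "Preferrences" should be "Preferences". The unchanged lines around it carry "precendence" and "impementation", which could be fixed in the same commit. The figure is inserted between the sentence stating the recommendation and the "Bob"/"Bobby" walk-through that explains it; placing it after the walk-through, once the fallback to the direct-key signature has been described, would let the caption's "depending on how the key is addressed" refer to something the reader has already seen.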
diff --git a/book/source/drawio/narrow-interpretation.png b/book/source/drawio/narrow-interpretation.png new file mode 100644 index 0000000000000000000000000000000000000000..0eb35206d83a3ebe048abd56f5598f49d661cf8d GIT binary patch literal 70128
zS>|eGq`5;Is%xOamq{t8t@gsRPgKzB@`0slY8WVQe{;@|&zd^_xbwX=mSjHGv3ja$ zy}pwRdfzY(kgrhSSU#+TO&9GO^IjLHl$o?I{Dr}?mJcH#2%W6=!2h5wj^dO4rR#IV zE&J>Lf=1FkEO8GtME_Q>XjZB4j~^SW*Eh6!r15&BscJZ!|8N5DTmnsqVIJ6~YV`8F<#Sg*TMY1x@x#b{n`$fQkP=m^$orGC`4(L*Ii zht+)o5V>p51DTLyJap9cyC>7*l()hB4GPfJ-9Y%&BQCC<)8n5re{(+VM9j7BwV1ZO z#_*-gQ_de7<6gTg=R`BdRv*st-wrv(|>p;^f)x#*`cM7`n`Qp4MdZA6J-OP{N9g7co z4ZKc}3}vE??PUdl7Gpu&P#+q!$=B%Y>oYNV*1b0c!EV}oksz9y@$oa*H%PlKbZyV z6)?{!?cIIG+S~4uL%Qp683})2Jt>hLCg`^9`dYEI=WrRgkrVc<*ja*v&2VISWa?KZ zJ<*kQ+dRUOcvCrx-GK`iG21<(GxR+Xjz#oB5WFcCYozT}++)#;AO{hkNy9KWZXZiU*s#ZZrB&Kj63$Q zZC}13LAEg;?G5+dWvR^badR7!puZ3&o711Gr;mszuyrsk5xiIsO5A$&h#ZB*59WsI zu-x;f+5huC12_^OdR>(yWJq8%lOG4SAuaWd1cY6aps%=k=A$@ucKr_e!U2la*ebE;7(&7emOjH6RC73KV=Lh_)E^=Q>fFB{MEBq72-T|lOXA3+JjYo zop;^X;yo1p5Gf&q8BFHBh4&t1OHz2i)ReEI0}^=x})Z>&)FWfcdstn|PvOt8v#krU`1f&ZXYf z2*>;!hvQ?JMcrx8ltMBLzIRmY%l)F!4@45V+BZmb4=-@TnVyF` zJKGbVjn!=x_$a4bV~5-Dz@&b+YjjrcP0n5ZS&~ubP*>EiMetmomU+3y@zhkf9uHZH zRj;TIE9UMmzkhFytC+3XpsBI)9vu~Jj{HID3j<-r#_C5HPxMS@QQuvZyLW{%TC;0a ze>Im|s`GdleOei#(O^#L%c7j{#x(xsAvE+y6^#25RC7yvM%%QD$0*p<#ywPSL-|_{ z&hY_N$OsgQITkAZB&PCPay&+(IJ6M?@uZY(N{&D6+}wuOfnWDl@I?k~J~TQi-jBD5 znL+z5OVok~97*-oNsO;gC?}2+wGth6`{aJCwC3MFCbOcTl@Vj)%1%Qd9?-Pdtc)=( zE(maGGWaNdZ3^gCu+C$TcY;RDf4IEKKOxLNjk(nvH-GhPwn}LW(!p~afN^#G5*+bC zyhf`(6PS9XqM&UjVO;)YAGNvtT;s-6es-NmWg?8f73^%sn!CKRS+6Vw4ZE@QQ+EMw z|K!w{x^T^OSu|Z*NLm{yu2EDh;G#B4)Ipz2HqKFf{^}{4RuS!a|$9|pXyWW^x z2`w=ZxxIwrp#F3B(XKju8}!|sgSBS}6885K3WKSa+r$WGngzQ^_1@7T^EjTsyY5M< zwOHtUX-q3RRmVBiX5{1FO2!j`Z&SHVV6`LNl~3Jd#whtG8F7?#1c9u|4iAj|YhXvK z|2h1j%AWpHd&4Rn%2`LT8o395FRQj*CA~;0(3&Hi!|Hl;wd`h{SHQz9mg$og-t%^} zDZtYxH-_8wH?Df1D}mLQVqH!B!)WyNTP1$Z?yzyP`?mFfk;w2kWgTX_dvp6GW5mi% zV!=0x#X&T=J03~;eE(}@`y8dltV;O?$0q#bC(bs@#9{-wMJQF?kl8#Xeu(_Sg)>ub zSGi{wJA(Urj!a_g=FivPbgnINp#N~nM>eNfLj8?Mu$FLqNf7V@99}6M$v8YSorR$> zjF9DL^zdZLaj%^Ovr>{N_w{9pje&0;INFibD=(0Z@RCpYlAL-L+@~pWf40lg1%{75 zzA}Dge<+Jq?vsPwg$li)T@;Ic*5L9N$FwH`kL1saqVOk&N!9u?ov4WO&T*tNYcMrMXt#^rTdR=%+gzN)VUE*oxr->CEkMRwz 
zJZidEy%(SLf33)xrU0_!Vic9;f7A;Gr^dPy=&jVU5+9A~TQ1+qpCmqT&E|k2-dugB zK)EjuL|`BM{?q&{0p+z*;ba9YXmhR--SQG>^2t|xV?SOfa-H!v&0tZYk_v$vJRiTY zPf(P{ML;rZ)j4dHrMJy0d5cIO2B47M9ks>zncf-ognF9+o8hjPHb37!{`sVIYbDLR zvO$d$Mk@B{09w9J%GGS_kLu#c{J+W0#N($ve+T3)Ym)}FS+Px(H*zv2)`k#G=YJ+; zypH?oRD2#0R^;_J<)e(?sFG~(*iKdXaTYap@0lO;+C_ieKh|D$_}M$uE-}x5;qcn{Jf0HX9UD@+O}$WYe$w9MR^Qbgl-0(vfHZX1W@#AB@dd0==1hj+}KM z-L536z1@RjwrvP~k4fI?nKe8H-Nz4pi^fhtyl~OhN(n{d#Xoy^tm~8lWz!bvewUMS zx~Q!d7ItwDR|)&@&~?oE&ndG!V}~Cp8Yjjpc1G+b{jo7bEKE1Ej8h z3m%>U7FET_+8i@z+wI&F=pN}Z9(?(rXrab?cZ*rURibDS}QM37e?1y2{+EIDqgHWrqqIpYD2_1p&Fq>vqdP%jcV-E zUOMDU|A<-t-&laIn7QFu#Awp?9XLtBv`Ze zX8=&Z!2`(kqy)MFEQ|aTfGuWF{VMnkN6D31(CGmXG%8?Z=F$o3#RX7oX@J(QupFc; zsx-`P@3~UNe$4p!9X)`vr3$&is#U4%IJqf;EM!va{xE&E7Gidf3*RHt)GEh8v$_Ws zAMb3>0d0ixRxPQFt}&n;#0QFEPj0RODDWQn{x&?YGq}#pyHfunU~2<7Yq>Jefw5EJ zw+wqcbT6b|q)LV20E&NJS0~SfJ@!7$z|8{SM|Uc+ml;2zk#+VL^u-(r<`Y*dU`0`pON z|AO|+M=DHYPWI=ubl;DP?XIqxlokNYAcqZ9?wr-GoDVvu-oQ{%LnT5x;z!B!`iXjp z_S-TO2GoB(z}M3`Om`Pi4XRSQ#z4#i4S;5@*}86!w2S^WO#c7=U?%hoooF2I4Bjsz z@_Upg<=b{S+4y^ur^)}IJnvsclcutl+2JTC!#@SEW{U)(E11OD`)))yOd-+;bt|6Du=ayLJ#Y|0;z( zPOMX@#FHJ?cWf6Z!c=}fERS;r2J9L zcenMh2&}f>kTLf{R3jLG{zsAtLX(M8=VnMo40^0mf&$iuGf3#XX zC)~}AvGqM)^z;JGP%Q1C1awRD7H6rxI%fIbu0F1_gXUg5;aA)}u=!hfu1Oe|<0Qh!p zfQlcH`ym6K8no1Mz@u0T$}NVlt<>Iwmgi!Y_Rn9O;ApJiKKZk)y^VV?rUx3`_no&t zBE$yqY=q?Zi^tALB*1vjAbY13Ct9zL08pcDP(v$Aff7OG!^!%<7_BOosgK8+KbaL~<#Owg7(DBqKqJi)sFKj~lIv!l{g z-=BZOxhM(LojcigdUbzrAI-?@!vKVW4mumOHAaSOTx@1IiW(rrZ7JEb%D1*| zgPhx{*~uzC?D)Fv^O9Ss(n|fy8q$VeIt419UQH@Jaz}=XiSVyx2i!^hKv1kK4B}Dn zSe>6<+G%lgHXG=1`QCh0E2EmI<@JC484EAHn&2}Z#-_}ZIn?(Cel<;Cx~gi|gtOTQ zU*cG2)&#h-AS?#s1>OX%51$``*8jz@_$sjif$_lS=G0mj%%x`U7^)V1{x?bMRoUx{ zcn0(QpE*6Zm*|`WUK>l=vwv{64evspKlKmp6d%eRA*DY;%BTlD04o$C`FrAH5o#Nl zIsO1?y&;72NTnaaKspb`YI~SM2kB7Zd?DZ6-L)f1u}1%9?=)3f`Lx{_sVgj|W4tHM z>Ga6k%6IZJ=XGHzhVxz=oem_h5c?9M8;Zk=g)${-#1((;!OWCNq zhd+}0!nTI9a;%GRHtT6t=9*%(=k5;w-4U#ZH=1;<%^sCRY9Mp+`X2x?4~BT@IFd?R 
z)RXOmk_#s+5&*>P_A2~;C6#lzY(D?=^6#^ih5hA?H0m8d41O|p zRtHAaE8YblrxN+a#>CD>ugVvNIff!M%!%0;N&|bnCwi*@PzL;;El= znQZcWS4~meEY!%QPp{sOWMJw;zmg!YMxZxz3J1~Lzm>ch;UqS~P_R7xFc3tR@+!K4 z?|bmS1--`(N=;JQG>&nmP|d8xh@)MSIjy|pa_sULdCl*?@!%m-f4rC{iv4^YWz?o> zTM1K!MYl^BPaAXwEvWhhbhpFo>fMv)I<)V*@!Ez;k#LuOBJXf;rQZ!;vjaT<9dxDLbOdGS*lhTt zut7ilLs)e`-2dF>k;gv6!RUrWfmHd>Aa}r|Dts=6dV*@Y-0;ahtwckda1xGLd&zI@ zMpGiwTXHH$roo@$p!dNWxvm6+;?kj#|5(7%*?x>f^SIySv8G7%ACiRNB(Qu4UFt$W z7M&jK@K}=$yA_IRyz*2n8?BVIe{EVDV}6liN4ocz^p-pSEFpEe43>e*1IUA<3EEAjIXf~YRk zBC=r9ROqsG-^hxwOEI}@Ps3Q_zpNWN4EVIV!)HcKWsr%~g0%nbxF!-gP_tet%ZOMm zCh&i7fdO4A^}K}1Xmi;;2I7w|0_UdvIDj-erz`0|I$9nJr)2V;_r{@LLyh$JUvEE` z8#^nL^ASc(9klUO-92oqH5r(Y^SIms&r6o({#XPYWtJ?t?vxtzpYGR15dX6292OMm znaQ7=E9j!I^yqJl`%W~x!ci) z8}Ms$iP64#*c(Q{$4T|di{HFt*T;-YZ1J(O$(u)fL~_AboVgTpwF*d0_m6Bc4RZ%Q zO6kOX38(XYmQ}a+c-|QIvm^4Ao?u%!{3JauR6{OS`scR-yUA+jgA-@FG1=Yh_GdOn z>RAb*kx6Brrf5DecwTwUIB!rk)H;UZU`Y2{ILm~xm77+!f|Ybi2qvV zP_ECUyqflEBU23~BnX~AZ*yKLUJAD{8Qz2n+UOV7IvOf0OPQ6jhPG4Ie zJ7j_`T8jN8(9JvinR9wzOY|d6wtSM?M z5r3@>bN6H6W!#(lbjK|Ztq!och~~(j@%Jtm)p_YC(?~p`(&Fq&r(r?632$)k8N<5< znCWgbv|!>blZXW7>b`H0@YqR*nK7f0Zip+5M8Rv^tpf+tZ_{|nHPE%tv&E}iWptK} zSGUiu2r@$7{Vq1WctEC{!L@(`)j!+-!Wt1l$VIq!repz>q20qwY;UkuT&bLLJzYqusClRqXGRTN+SfLvyy(xs=LL_NY`<&P1rbnr@*6skU|`+H zH=W!&3=i-BGEh@Jo9qi10($hSs zQONB4JB{+?T)x>+;D=>Fo+FCRfn8NMrT>h4P!7>pDrBfM1Xu|x|2d@TI!nYsp zD31ip$Oa4&QN93a1ztg+PsM$(co=-2EP=00bhXq1hkNoX;&TwH#Oqo{P49Pk5^U zSYWsqRx&eeT7tx985l>@ZjP1pA4)MG0AtQuQA z@7|#7vY2o=?)>XXKMk+NQ(b`{k$d$=d2gfevn8qYEJnwsI<%*2Xc``oV!=)!R_QbE zVj1->{#gh-tJRi+CqJ9ivwDvn{2ILZoOer>hQTwTqX*g*wgtXP4*f?O zwt7BMN7o&g4aSpGc}KUg5M*k)<5qmR6L#GRm4n~A+aFyc-`&Z^`>UStm*_<5B=#6z z!a_8GBhIZwkm z17}h18$xs*7U>D=(Z3SwY`620vq&vY`1&><n6ldv-oqRgqyz|RUsHnq1(8{PH6I|*)^t$Nmq`p{yW%;EE7Mfo-ztSK>S9_#XY z!&%1Za0v2H2h`GPNq^&5$hJIP&wuU% zB1mQ8vl>>ddYJnzh%QsRPieKQZZCj1+W8qC0{V_7pItrC@`O6tW*%{f>JR8luE}%^ zzw@jbApGpYMziBBD+=M9MTQ@^_Ipzgr!*QI1*spT|fSJHVLSW{oVsdct{X@9^m 
zn>#?8pYhV>=*vu#A945zGFZ`7lPa)3P-crR(r1DvOTs5ol)}F~T+C{;NWr_Y!=r{l*aYQDygqgztQ=vJK~uQO&)%7Mt_LPow%Vqyl}Z$`Zob2$+DKZS;Kpt{6zfpl>73yoDA4m8$vs^NW)=6{ARq2z$DeKV^) zsHr%}=MxLEid>l}U7p&!NB_x{du9rxGt9nL9lX2Wck+j=gGjCXCiU;H;`bYVXmJ{S zN{Z8g#qxm9{{5ZCEE{~b^H75lSfn5w{Qsn^fBqxgL5N=j?nxP1pTb3iv|gc@?qVvq z0?wEYTj>ItJCj&M{+`A4cwJoa+}*Vh7#)!}Dcn~a>QGHOLS@#-iwJpN>uBVjN^(#7~pusZ7d{r1u zDA)hXmkz5SlTRte@y!MAP8_R;yaqysnQIU0HexMZf`MX5?Dy92@$u1y&r}Ryakl4B zcEqfK%Y7m6@%?vvzMWW1!lFA+TR;2tgb~whSkV(Y8wQMPSAq4=CmI2MoG0vo_+pv2 z97lS>o)pSDFVV4yS^gjv1j?6lWX}==-F_PfI_BBJZRv0O z#rp0C){NX*4$8-5cU_a)JNH*#Ik;n~1tab2D;Wk_#58a7G9d`R-dpiOxasO^j#T)A z12YT;jRy65)*`}jBRaN8ILCVDTb=J+rR32$ck}r$j|4J3`Y-S5K-2hL^VaZr0E7O8 z(_M2G8R_7=M|!ai-QV9P67}qL6lD=74;e(dvrm~F1uNEhoiPaWA)_HZ`~jr00aFaY zqg{?mO`U^11#fv3s2a;(=MEkuAVYsheg;?kX2@Q@s$iZz43;ad!Fvx{?~ zwKYdpK)s1@rsDN8^)j7a?IhdvnKm=>1uHCnzpLV)V*70o1c8U+e8@gkZHL*JVA}e~ zk_}I^Y4xjRv4+buU z_&inpDR^|gM033|cB%9#g&P7)>B0xPO=Xob0uBOz7Zadsb@%46#4{<7-u%6$vz{x9 z7;qHP7ina8jbH^d+Njfh(4Ox;wi=d;;y<0s`4F;eYLjPSyO#s+4!)51Qu>ZmAx8Ch zYM`rKC(3uB2XGr#0S|IZHCy0tr?zmikXe^12l~DR;^DX$^Q7qAr|{VX%bwnOmJ)g; zyA43`aNa-SB)1)6aE%?9X+b_ncF|m|iM8P)wBf2uFAFY=_&`0&^|KRnz>ZU3E zKd&7jh6I`PWH@gQsd0nnC zQEJ%*zwi@&rj{#;3iTO2ltMO?#`BvAJJ&Y*-o2BIo3phAvA9+6KPH8=lj z7f+jS+M@5g;bzu#vp!%)+ye5xsm(Jg#vEltr zG{Yzh!MINqmyElQ6g3}?@cB;YDLa4arH@H>fS#sha4(>TkdT@E#~y-VZ(WkeN`;0Wk4yOI_YyAay(uB zKW_Mdww3Bv-Xk(z#Xl7X?+i|5^nUz^n)ks_jEM1ELeVQ*{WfY~Ws0#J58F?lJFdpB ztkn2D_iqbS4-&NU^@k`hLcd=?#e*jvf)`nGK z@UiOn3l`lW06PJt&2`L{{R#lMnf`Z$2GwQlJBU3bkx%yvCgDTPVn56-t?{!yx#-DioSOSX^^{ zu+Xvb_I+oJ;>=a&m?bK52Om+V&@+4{S^1@RgIk1upHPre%4sBRYiJ-oT)-wb9oZwQYugM?y%53FhW z=u&hxBaT8!Dgj!THk$NI|v6*_X|_U8!2Uf+VlZXITF zdZ3|gQpsu);Yu~CR#uR-2cQLj1J7Hg|I>7(825ED=Tn{BeIKvG^s^T*XmC(lMt3B? 
zX&)94y@?8HZk7>~(VH*p{(WAa4*}8%m9e`_b~%sD4t{ptFI=^C`FuW`tzMc>cQS7E z%lxpRGr#;OuZ@ZLSJ^_Dr~Mz#Y2+myMr6cLjjz$>C++p-70`cj<_a=7O_2#_5~k&eeQCj87l{$iz5MGw*d31kA!0$STos z&Fqm2E1=xw^`n7BgZ|?F((TX@#6gVy7@tNP7;oz738@?(0R^bpXbq&6`=PguDuALbtE zqT!C#D2*HKMTPz)X6CZ94)(U&TDzueCi8@tUEgc5oW%>Mh)46hN#!+CwKr(Nqsj2- z{9*8*>V55l2UMRGWu?^F|GMsGcZv0xKeP0kqal*&#BdUe_9RiH(wDoJvz6r_bVr5L*J}onE zaHcU~MF_P&N78Bp%eR@c}o5!+as9>~Y>EoweB`qjLNv z=hHEbB1kf`jBQnT_6;7iMf`fQGvKuIw`&S|s4ATVl)j`kXfir$O2wFoo|`$wiDLiS zn$_~PpWF7V)MGsRDg}zeEg%$SUYX3QMO~owm8h0+u@{iP*O%levCPIEEDk%Wz+Uv* zbIktKUg#qm(r*Ri@ru#F-^x|7EOA-%fF)_VxZrO(&yvhvmNHV~w)Bp0AT?C74xysF zicxRWjflzMBh`phZ&P1is;T>_6K;`;)Bfpqm8RRW?*#^0 z-#F1CUaIh&B5Bk1rtj6fGEVJE6gdodJpKswa^-g=oDO|RZSPJ_ZCoh{D;ul=Y0#DY z|E7zBL8cz2v}6q$pT7=civrp(f-B`zrwkhOsrS{60esn%Je*LT|9rLdEPLtvTl8Sn z`%=ufp_L{&^?h0n(pIlw_qZQ{2KTkZr~v>9Sg8QR26-YfB|EKy*QAhVuX2Ur7UKZv^(0p)}>ScMgyt_{Y&=$Om)e!WBEvTEFK=4z)NVcZmw?T z52GdzX}u<#Q|IlzHnlAG%l0JtAbwP;rvtUsI;8#SuJ(_CCd6d9bfD;c_t1ReBbbyx zg8v?Q0CmmC8AzY<+WysgE}6VF(4#UMO=aPxRHLWj zz6COPk-@;4il{3%GTr!aRC~?LG`gFdPXOkNT)Z4wNOQ(eWf*wWF?U`cu+T5m_|s?o z5>1$TESQTl)L?DWTQ2Ln;{Py0&h{3D=Dt5JCuUWO0W-Aj z5X}7=`OI01A=gwkrh(7e_Totr75;OPH#(@*>Uw`>;M{uF%R90S0f*wb3*$Rqc-j8V zIhD1{<|z8{Wv4UQ6}{7B9ky67wjs85-F}v~y8+<5hfBQ!azO(*zy(Y)Lniw@-rVO@ zPvhF4udk*`;XIjyh-!j|wZ5M^Q z(Mlzv+ANb@lfNh!&-#MK=gCO%qWx5;`knS%FxnjTl^{$=D5&NoQv&9_l^;6rVI#Ko z30hD5TW&j|8QL%Dw{nECxN2U*?QDmqbM^Mzb@LlV_=3awN3}PK4wz0mOiwsJb|IG* z>1NUA!XB#~p+kNxaB=qo=?VSy;h6Ao<4dmKP zqeY->k-l74=LDBU$?X$xpvr|zq^|aEZ z{SWUIvSV?+I~cYUxwOWto9_4E)4aDcZ1$%R^S{y7Ql@&X6+_1_l@uZE&H2DUAsfGs zsnMfLH&UA__sX}Agysin5%3U9$qvZXd1`|2>2dfFVp8t&k9MNjr&0ZsR4GG-uID8S z%SbXz_9&2*9_MEuu>L`Xayt3)+-V#~VLjkdSJkfZFJikgto_LjooUKCBKcLo9736W zZz+YUKjL>fHn}I<1Vg-E<|MLehqz6X0p`K6y{a>lIB&=j<9-KjW7%IqYcI zBA4Y`Og!Roi$tndI7w;ntqPKXLf3)Xd}7ULOAb~a|$q#Z1o3TB-n`A!;>BI*>`<$8btAktf+LynWi9ETsEj`-n}-f zuee-149F>iH2k>WUx1-Wy4#LL+^zlF6G^(z*ClvVPBw>eN~zrSnlvw{!%w3xerV4D z9jj)4EIHkG>`SmrNKvc;G@Zv5N3QBO9)Q0N#ziKv4Hd~;jd|9#{T50 
zGv={B&K(mfBa0%BSuHIdK@4g)jAE?pZN|rg^kql#685u*tgAAocoJAYlK>M)a9;Ge z{sTRw@g!WWUt8l@eSEgPx=Dt(aWN73gLY;+DGDubnr|+x2PQ^O3|G(ZG|o|>|6cQd z^adtrf_B~swP`ZMoZx*Y{@PLM6QD{zAYk;~ zj@9gRi!NYnpo{lQv3C0Hy>I6~+Fy@kQLHp2b5wE$(}rtHRGw4-Ulb^Rk{$*zdga&u ze7MfRNPn9oN(s#m8`{qm)z{6(j@{*$@$# zj1*}`Y)Hq5!4LrzkdmRKbc!?*0@5MfF}nLl$pl2Y;rHW(!vmsto6q&VB355sUf$4|0j2}N0^J)f`5r>~x{YCdCJy8bw z8JaTNzGY#2+=&mNDWWh*DJJa^C$)dRc4TR@s1I<0Mx-Ssj|QfFpr(!)sGpM*a8+VSc)E*}Kg_YO0A2c3!_r%yf`Qh?Gw**1g{Z|_i}F78kudBqapr(MA4-3zu<*5O z--6^v_T_TlZJOw|Hb>Oj^QPOeYFpmssN#pEmg^n});U4Dj=Z|jZK4Xw;1osZAMdi1 z9_4v119Qctyhe+|lS%<55beN;Fk(xWg9&8MoCBP~pD z3eNSj>|`6%h&q!_>lpYZdOyQ6`rCrDoqAP=iaeCxt(T6jIH{WW=+&1x_UD8M+T`@; zKlL9>&`$OHDwKYD^)hzVTL^kh&Esu2`0izvRvEB~7rjkEYVZwd15{Ehn^;_#qm0R& zCvXSFw1ILn>HNvZAD>iYt^t*6vAsP~3=dqdejhJGN1Y8g>40$3_>kIf?6%)zNpu7g z!Y;e~vCD?8XL^a7@Lg*B`UT9nYs z34YeFH}}~%N_M|zU6KjbWU%Rd9`E$6rtKO$zRT>UI0!M99=3>{9scX-ul6;|>&jBG z08@@Ef8wTLad_jcHz&UzQ~`Lg3Y$b2lY)?r(rb;q&a@wwRgCTjkKDr`bD0!G@6lr* ztOLfvZ)owV67i|R%I2>rsdT5{$R7po zlGl$VXSHfNcS$Qz=BQjoYA*4}UIscwPKnqTKWxQWJDs?VI9_$J*S`4}-Fu!m)4omU z{A4xtxv8hrhjsmIi?TCfe=^j>P`p8*VM|y#<+cZx_nUhrPBPFO+ z8+0Vqm&`bVF&IL$K=sTZ6Lx=LVcbCA#MJ~WpiUqxl5FdTowb{kuByd2sD$isV{}id z3@1aXs)}TUo0)5rgB_=5I&!Qup!Owm@&)vdpOcS;z=^OqF(v3XZP< zPXL7$^XR4;qe#0-^hZIX{;yCYVu8WqGL%m-2q*ntIj~%TH=_213_R;n-;BZ6^!}du z@Jg#uPRwz@2)RJPg26ikiEhqgSaP5UCTgnk-2Ovz<*sq~`xP!OKGi2d{@LB@W@eqj4oM0W$EC7zLXWD56;KuwM`_l~u_s-fQ2(Ro;$6isgGkZcSFDO2^!Dmd%XT{ z4YD)=InlPfB4!Wb8Zz|rqX&I3Z^XZJ*&!kN=#618_W(4~t(V58P9ytP+_~Zn#{1}& z*|-AQXr;vL+c7k(1RtJ*HqQ6j=dAggS18o~soklc3MO(w!<{cOCLK#J;C5~PK4fCx z3Ho2qYfg8u%h*MJpH6EX1eL(7m*j%u#Wfutoj%^pYUE^s$5|sj*L7|cv<*Z zd;eb(|J|MnDYw0#z1H=NY&JdG`yWbM*(RPI6^eSiU9V`6vaz>Dw)i+WOlOW7olinO z5dvAR_Xm=Iidjn)LL9paq2TxgQ~h8m=afn zgN=60kE&R&pRQnB+@kHBK?aDdx7bDeb}OtV<$JcP7UQ7PdM8XKFUB#C4qPF9(0f^c zNr|?EEJt-)sOF|!aNh)1nNAA9QY7C$j;SPLx0VOnbh++*6a^a_$F9K(R{MM4OV>9n zrqH9?IwLL7>*#m{hQp<};kUob<`mDC1@i)sNRp>pmn*=qf;vUtP(-+#gAOx~yrZ}4 
From f211c7b00d44fb2fb9344211157ff67df1070675 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Wed, 15 Nov 2023 18:07:02 +0100 Subject: [PATCH 16/31] Align styling of "User ID" with RFC --- book/source/09-verification.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index f2a5ec4..63ff073 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md
@@ -50,7 +50,7 @@ The same reference time must be used when verifying additional qualifying signat Some signatures can be verified on their own, while others require the verification of additional signatures on the issuer certificate. We will call the former category *self-qualifying* signatures. Typically, self-qualifying signatures are self-signatures, meaning signatures issued by an OpenPGP key over its own components. -Examples for self-qualifying signatures are direct-key self-signatures (0x1F), User-ID self-certifications (0x10-0x13), key-revocation self-signatures (0x20), certification revocation self-signatures (0x30) or signatures used to bind or revoke subkeys (0x18, 0x19, 0x28). +Examples for self-qualifying signatures are direct-key self-signatures (0x1F), User ID self-certifications (0x10-0x13), key-revocation self-signatures (0x20), certification revocation self-signatures (0x30) or signatures used to bind or revoke subkeys (0x18, 0x19, 0x28). Examples for signatures which are not self-qualifying are data signatures (0x00, 0x01) and signatures issued over third-party certificates, such as third-party direct-key signatures (0x1F) or key-revocations (0x20), third-party certification or revocation signatures (0x10-0x13, 0x30). 
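Review bot: The last item of the changed list, "signatures used to bind or revoke subkeys (0x18, 0x19, 0x28)", puts three type IDs under one description, while every other item in the sentence pairs a named signature type with its ID. Name each of the three so the reader can map ID to type from this paragraph alone, and change "Examples for" to "Examples of" in both sentences while the line is being touched.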
@@ -128,15 +128,15 @@ There might be more than one candidate for such a signature. For example, there might be multiple subkey binding signatures for the same subkey. In general, for each category of signatures, only that with the latest signature creation time is considered and takes precendence. -Alternatively, there might be competing qualifying signatures of different types, e.g. a direct-key signature and a self-certification signature on a primary User-ID. +Alternatively, there might be competing qualifying signatures of different types, e.g. a direct-key signature and a self-certification signature on a primary User ID. In this case, depending on how a key is "addressed", different attributes from both candidates "shadow" another. ``` TODO: Replace hash algorithm preferences with AEAD preferences for a more realistic example. ``` -For example, the latest direct-key signature could list "SHA512, SHA384" as hash algorithm preferences, while the latest self-certification of User-ID "Bob" could list "SHA256" only. -For yet another User-ID "Bobby", the self-signature could list no hash algorithm preferences at all. +For example, the latest direct-key signature could list "SHA512, SHA384" as hash algorithm preferences, while the latest self-certification of User ID "Bob" could list "SHA256" only. +For yet another User ID "Bobby", the self-signature could list no hash algorithm preferences at all. If the user wants to compose a signed message using the associated OpenPGP key, they need to figure out, which preferences to use. The specification recommends, that implementations decide which signature takes precendence by the way the certificate is "addressed". 
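Review bot: The context line "only that with the latest signature creation time is considered" does not say whether the candidate must itself be valid at the reference time, so it can be read as letting an expired or revoked newer signature shadow an older valid one. Suggest wording such as "the latest signature that is valid at the reference time", which ties this rule to the reference-time requirement the chapter states earlier.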
@@ -148,26 +148,26 @@ Preferrences are sourced from different component signatures, depending on how t If the user wants to write an email as "Bob", it should consider the signature on "Bob", so SHA256 should be used as hash algorithm. If instead the user wants to write as "Bobby", the impementation should inspect the self-certification on "Bobby" instead. However, since this signature does not carry any hash algorithm preferences subpacket, the implementation must fall back to the direct-key signature instead. -The same is true, if the certificate is used without any User-ID as sender. +The same is true, if the certificate is used without any User ID as sender. But it gets more complicated still. Algorithm preferences can also "live" on subkey binding signatures, so if the certificate has a dedicated signing subkey, there is yet another signature which could take precendence. -Preferences from the subkey binding signature take precendence over the direct-key signature, but not over self-certifications on the User-ID. +Preferences from the subkey binding signature take precendence over the direct-key signature, but not over self-certifications on the User ID. TODO: Have a table that lists which signatures take precendence in which cases. There can be more than one signature on a component. For example, there could be 3 direct-key signatures, e.g. because the user extended the lifespan of their key 2 times already. In general, for each component, only the newest self-signature is "in effect", and older signatures are "shadowed". -For each certificate, there is at most one "active" direct-key signature, for each User-ID at most one active self-certification and for each subkey exactly one subkey binding. +For each certificate, there is at most one "active" direct-key signature, for each User ID at most one active self-certification and for each subkey exactly one subkey binding. 
TODO: Direct-Key Signaures can be revoked, canceling them, meaning an older one might get active? ## Complexity of the packet format Unfortunately, the OpenPGP packet format allows for quite a lot of flexibility when composing certificates. -User-ID packets for example, are not fixed with regards to their position, which means that an attacker (or canonicalizer) can change the order in which User-IDs appear in the certificates packet sequence. +User ID packets for example, are not fixed with regards to their position, which means that an attacker (or canonicalizer) can change the order in which User IDs appear in the certificates packet sequence. -As a concrete example, consider a certificate with multiple User-IDs, all marked as primary. Or equaly, a certificate with multiple User-IDs of which none is marked as primary. -Clients might apply different heuristics to figure out, which User-ID actually qualifies as the primary User-ID here. +As a concrete example, consider a certificate with multiple User IDs, all marked as primary. Or equaly, a certificate with multiple User IDs of which none is marked as primary. +Clients might apply different heuristics to figure out, which User ID actually qualifies as the primary User ID here. You might wonder, which signature on the primary key takes precendence in case of multiple signature candidates with conflicting signature subpackets. From 058b7b5ebc6cda69326bb330e19bfaa2f1af324e Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Wed, 15 Nov 2023 19:02:41 +0100 Subject: [PATCH 17/31] Align styling of "direct key" with RFC --- book/source/09-verification.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index 63ff073..b2741bb 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md 
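Review bot: In the "Complexity of the packet format" paragraph of the hunk that closes the "User ID" styling patch, the changed lines say clients "might apply different heuristics" when several User IDs, or none, are marked primary, but never say which choice this chapter recommends. Since the preference lookup described earlier in the same hunk depends on which User ID is selected, state a deterministic rule or add a TODO like the neighbouring ones. Minor: "Or equaly, a certificate ..." is a fragment with a typo ("equally"), and "the certificates packet sequence" needs an apostrophe.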
@@ -50,9 +50,9 @@ The same reference time must be used when verifying additional qualifying signat Some signatures can be verified on their own, while others require the verification of additional signatures on the issuer certificate. We will call the former category *self-qualifying* signatures. Typically, self-qualifying signatures are self-signatures, meaning signatures issued by an OpenPGP key over its own components. -Examples for self-qualifying signatures are direct-key self-signatures (0x1F), User ID self-certifications (0x10-0x13), key-revocation self-signatures (0x20), certification revocation self-signatures (0x30) or signatures used to bind or revoke subkeys (0x18, 0x19, 0x28). +Examples for self-qualifying signatures are direct key self-signatures (0x1F), User ID self-certifications (0x10-0x13), key-revocation self-signatures (0x20), certification revocation self-signatures (0x30) or signatures used to bind or revoke subkeys (0x18, 0x19, 0x28). -Examples for signatures which are not self-qualifying are data signatures (0x00, 0x01) and signatures issued over third-party certificates, such as third-party direct-key signatures (0x1F) or key-revocations (0x20), third-party certification or revocation signatures (0x10-0x13, 0x30). +Examples for signatures which are not self-qualifying are data signatures (0x00, 0x01) and signatures issued over third-party certificates, such as third-party direct key signatures (0x1F) or key-revocations (0x20), third-party certification or revocation signatures (0x10-0x13, 0x30). ### Signature qualification 
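Review bot: The changed sentences now write "direct key" without a hyphen but keep "key-revocation self-signatures" and "key-revocations (0x20)" hyphenated, right next to the unhyphenated "certification revocation self-signatures". If the goal is one styling for signature type names, settle these in the same commit so the list reads consistently.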
@@ -78,14 +78,14 @@ On the other hand, in order to verify a data signature over a text document, an When determining preferences of a key, different signatures can be inspected. For example, when using a signing subkey to generate a data signature, the implementation might want to check for hash algorithm preferences on the subkey binding signature. -At the same time, the specification states, that signature subpackets on the direct-key signature of the OpenPGP keys primary key apply to the whole key (therefore also to the signing subkey). +At the same time, the specification states, that signature subpackets on the direct key signature of the OpenPGP keys primary key apply to the whole key (therefore also to the signing subkey). -In this case, the implementation uses the preferences from the subkey binding signature, but if no such subpacket is found on the latest binding signature, it falls back to the preferences of the direct-key signature. -This is called attribute shadowing, since direct-key signature subpackets apply to all subkeys, but are shadowed by binding signature subpackets. +In this case, the implementation uses the preferences from the subkey binding signature, but if no such subpacket is found on the latest binding signature, it falls back to the preferences of the direct key signature. +This is called attribute shadowing, since direct key signature subpackets apply to all subkeys, but are shadowed by binding signature subpackets. ```{figure} drawio/attribute-shadowing.png -Attributes from the primary key's Direct-Key signature apply to the whole certificate, but can be shadowed by binding signatures. +Attributes from the primary key's direct key signature apply to the whole certificate, but can be shadowed by binding signatures. ``` Note: Attribute shadowing should only be used for algorithm preferences, since there are subpacket types where shadowing makes no sense (e.g. key expiration time subpackets). 
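Review bot: The fallback described in the changed lines stops at two levels (subkey binding signature, then direct key signature), but later in the chapter self-certifications on the User ID are said to outrank both for preferences. Add a forward reference or a half-sentence here so this section is not read as the complete lookup order. Minor: "the OpenPGP keys primary key" needs an apostrophe and "states, that" should lose the comma.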
@@ -128,14 +128,14 @@ There might be more than one candidate for such a signature. For example, there might be multiple subkey binding signatures for the same subkey. In general, for each category of signatures, only that with the latest signature creation time is considered and takes precendence. -Alternatively, there might be competing qualifying signatures of different types, e.g. a direct-key signature and a self-certification signature on a primary User ID. +Alternatively, there might be competing qualifying signatures of different types, e.g. a direct key signature and a self-certification signature on a primary User ID. In this case, depending on how a key is "addressed", different attributes from both candidates "shadow" another. ``` TODO: Replace hash algorithm preferences with AEAD preferences for a more realistic example. ``` -For example, the latest direct-key signature could list "SHA512, SHA384" as hash algorithm preferences, while the latest self-certification of User ID "Bob" could list "SHA256" only. +For example, the latest direct key signature could list "SHA512, SHA384" as hash algorithm preferences, while the latest self-certification of User ID "Bob" could list "SHA256" only. For yet another User ID "Bobby", the self-signature could list no hash algorithm preferences at all. If the user wants to compose a signed message using the associated OpenPGP key, they need to figure out, which preferences to use. The specification recommends, that implementations decide which signature takes precendence by the way the certificate is "addressed". 
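Review bot: "precendence" is misspelled twice in the context lines of this hunk, and the section that follows opens with "Preferrences"; correct both to "precedence" and "Preferences" while these paragraphs are open. Next to the changed line, "different attributes from both candidates "shadow" another" should read "shadow one another".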
@@ -147,19 +147,19 @@ Preferrences are sourced from different component signatures, depending on how t If the user wants to write an email as "Bob", it should consider the signature on "Bob", so SHA256 should be used as hash algorithm. If instead the user wants to write as "Bobby", the impementation should inspect the self-certification on "Bobby" instead. -However, since this signature does not carry any hash algorithm preferences subpacket, the implementation must fall back to the direct-key signature instead. +However, since this signature does not carry any hash algorithm preferences subpacket, the implementation must fall back to the direct key signature instead. The same is true, if the certificate is used without any User ID as sender. But it gets more complicated still. Algorithm preferences can also "live" on subkey binding signatures, so if the certificate has a dedicated signing subkey, there is yet another signature which could take precendence. -Preferences from the subkey binding signature take precendence over the direct-key signature, but not over self-certifications on the User ID. +Preferences from the subkey binding signature take precendence over the direct key signature, but not over self-certifications on the User ID. TODO: Have a table that lists which signatures take precendence in which cases. -There can be more than one signature on a component. For example, there could be 3 direct-key signatures, e.g. because the user extended the lifespan of their key 2 times already. +There can be more than one signature on a component. For example, there could be 3 direct key signatures, e.g. because the user extended the lifespan of their key 2 times already. In general, for each component, only the newest self-signature is "in effect", and older signatures are "shadowed". -For each certificate, there is at most one "active" direct-key signature, for each User ID at most one active self-certification and for each subkey exactly one subkey binding. 
-TODO: Direct-Key Signaures can be revoked, canceling them, meaning an older one might get active? +For each certificate, there is at most one "active" direct key signature, for each User ID at most one active self-certification and for each subkey exactly one subkey binding. +TODO: direct key signatures can be revoked, canceling them, meaning an older one might get active? ## Complexity of the packet format From 09a64ee541d2141f4c29f35f9d227b25af65d54f Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Wed, 15 Nov 2023 19:11:59 +0100 Subject: [PATCH 18/31] Minor edits for clarity (and consistency with other chapters) --- book/source/09-verification.md | 62 +++++++++++++++++----------------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index b2741bb..6846a96 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md 
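Review bot: In the last hunk of the "direct key" styling patch, the changed sentence gives each subkey "exactly one subkey binding" while the direct key signature and User ID cases say "at most one"; since the sentence is about the "active" signature, a subkey whose binding is expired or revoked would seem to have none, so "at most one" looks like the consistent wording. The open question in the changed TODO line (whether revoking a direct key signature makes an older one active again) decides how shadowing works and should be answered or tracked, and the two bare TODO lines should use the same fenced form as the TODO earlier in the file so they do not render as body text.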
@@ -4,45 +4,46 @@ SPDX-License-Identifier: CC-BY-SA-4.0 --> (verification_chapter)= -# Verification +# Signature verification Signature verification in the OpenPGP protocol is a complex process. There are lots of different factors that can influence the validity of a signature, most importantly its expiration date. A signature can be valid at one point in time and invalid merely a second later. Signatures can be invalid due to the absence or presence of other signatures (e.g. revocations). -Some signatures can be verified standalone, while others require the verification of a chain-like structure of other signatures, mostly on the issuers certificate. - +Some signatures can be verified standalone, while others require the verification of a chain-like structure of other signatures, mostly within the issuer's certificate. ## When are signatures valid? -As a necessary condition, a valid signature must be cryptographically correct, meaning the signature, as well as the signed information must be intact. +As a necessary condition, a valid signature must be [cryptographically correct](sig-verify), meaning the signature, as well as the signed information must be intact. However, there is a difference between signature *correctness* and *validity*. -A signature might be correct, but still disqualify as a valid signature. +A signature might be cryptographically correct, but still not qualify as a *valid* signature. Put mathematically, the set of valid signatures is a subset of the set of correct signatures. The validity of a correct signature is additionally constrained by a number of conditions: -* well-formedness +* **Well-formedness**: Signatures need to be well-formed, meaning they must contain required signature subpackets in the proper subpacket area and must not contain unknown critical subpackets or unknown critical notations. -Note: This also means, that a signature might be considered valid by one implementation and be rejected by another. 
-Some implementations further apply a policy when verifying signatures, putting constraints on used hash- and key algorithms and key strengths. -* temporal validity +Note: This also means that a signature might be considered valid by one implementation and be rejected by another. +Some implementations further apply a policy when verifying signatures, putting constraints on accepted hash- and key algorithms and key strengths. +* **Temporal validity**: Most signatures have a limited validity period, constrained by the signature creation- and expiration time. -* qualification +* **Qualification**: Furthermore, some signatures need to be *qualified* by other valid signatures in order to be considered valid. This is especially the case with signatures created by dedicated signing subkeys, where, in addition to the signature itself, the subkeys binding signature(s) must be verified. -* revocation +* **Revocation**: Lastly, signatures can be invalidated by revocations. ### Temporal validity -A signature is valid only for a constrained period of time. -A lower constraint for the validity period is the creation time of the signature, meaning a signature only becomes valid after its creation timestamp. -An upper constraint might be the signatures expiration time. -A special case are hard revocation signatures, where the lower constraint is dropped, so hard revocations are valid since the dawn of time. +A signature is valid only for a constrained period of time: -When checking a signature for validity, a reference time is defined. -For an email that might be the signature creation time itself, or the reception date. -For the signature to qualify as valid, it needs to be effective, in other words, the reference time must fall into the period from signature creation to signature expiration. +- The creation time of the signature acts as a lower bound for the validity. A signature only becomes valid after its creation time. 
Hard revocation signatures are an exception: they are by definition valid since the dawn of time, and have no lower temporal bound. + +- If present, the signature's expiration time defines an upper bound for its validity. + +When checking a signature for validity, a reference time is used. +This can be the current time during validation, or a point in time that relates to the signature that is getting checked. +For example, when checking a signature in an email, the reference time might be the signature creation time, or the time of receipt for the email. +For the signature to qualify as valid, it needs to be effective. In other words, the reference time must fall into the period between signature creation and signature expiration. The same reference time must be used when verifying additional qualifying signatures. 
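Review bot: In the rewritten "Temporal validity" text the lower bound and the example reference time do not fit together. The first bullet says a signature "only becomes valid after its creation time", the added example allows the reference time to be "the signature creation time" itself, and the closing sentence only says the reference time must fall "between signature creation and signature expiration". Please state whether the bounds are inclusive, and say explicitly that a signature without an expiration time has no upper bound, since the second bullet only covers the "If present" case. Minor, in the same hunk: the unchanged Qualification line still reads "the subkeys binding signature(s)", although this patch fixes the same kind of apostrophe in "issuer's certificate".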
@@ -62,8 +63,8 @@ This qualification typically comes via another self-signature on the key itself. Instead, a chain of valid signatures from the signature itself to the primary key of the issuer certificate needs to be established. -For example, a data signature over an email body may be issued by a subkey only if that subkey is validly bound to the users certificate via a subkey binding signature, and that binding signature needs to contain a key flags subpacket marking the subkey as **S**igning capable. -Similarly, certification signatures over third-party certificates require the issuer key to carry a self-signature qualifying it to **C**ertify other keys. +For example, a data signature over an email body may be issued by a subkey only if that subkey is validly bound to the certificate via a subkey binding signature. That binding signature needs to contain a *key flags* subpacket that marks the subkey as *signing* capable. +Similarly, certification signatures over third-party certificates require the issuer key to carry a self-signature with the *certification* key flag. Self-qualifying signatures have no such limitations. For example, a certificate consisting only of a primary key and a single key-revocation self-signature contains everything needed to verify the revocation, as key-revocation self-signatures are self-qualifying. 
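Review bot: The new + line "validly bound to the certificate via a subkey binding signature" no longer says whose certificate is meant; "the issuer's certificate" would keep the meaning of the removed "the users certificate" without the typo. The same + lines name only the *key flags* subpacket as a requirement on the binding signature, while the chapter's later paragraph on data signatures also requires the back-signature of the signing subkey; mentioning it here would keep the two passages consistent. "signing capable" should be hyphenated.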
@@ -93,8 +94,7 @@ Note: Attribute shadowing should only be used for algorithm preferences, since t ### Signature shadowing When inspecting signatures on a component of an OpenPGP certificate, only the newest, effective signature for each function is considered. -In other words; If there are three binding signatures `A, B, C` for a subkey, where `A` was created at `t0`, `B` at `t1` and `C` at `t3` with `t0 < t1 < t2 < t3`, at `t2` an implementation only needs to consider `B`, as `C` is not yet effective. -`A` is therefore shadowed. +In other words; If there are three binding signatures `A, B, C` for a subkey, where `A` was created at `t0`, `B` at `t1` and `C` at `t3` with `t0 < t1 < t2 < t3`, at `t2` an implementation only needs to consider `B`, as `C` is not yet effective. `A` is shadowed, because it is older than `B`. ```{figure} drawio/cert-validity-subkey.png @@ -126,7 +126,7 @@ When verifying a non-self-qualifying signature, an implementation needs to ident There might be more than one candidate for such a signature. For example, there might be multiple subkey binding signatures for the same subkey. -In general, for each category of signatures, only that with the latest signature creation time is considered and takes precendence. +In general, for each category of signatures, only that with the latest signature creation time is considered and takes precedence. Alternatively, there might be competing qualifying signatures of different types, e.g. a direct key signature and a self-certification signature on a primary User ID. In this case, depending on how a key is "addressed", different attributes from both candidates "shadow" another. 
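Review bot: The corrected sentence in the -126 hunk still says that "only that with the latest signature creation time is considered", which contradicts the "Signature shadowing" example in the hunk directly above it: there `C` has the latest creation time but is ignored at `t2` because it is not yet effective. Suggest wording along the lines of "the latest signature creation time that is not after the reference time". In the shadowing hunk, the + line keeps "In other words; If", which should read "In other words, if".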
@@ -138,11 +138,11 @@ TODO: Replace hash algorithm preferences with AEAD preferences for a more realis For example, the latest direct key signature could list "SHA512, SHA384" as hash algorithm preferences, while the latest self-certification of User ID "Bob" could list "SHA256" only. For yet another User ID "Bobby", the self-signature could list no hash algorithm preferences at all. If the user wants to compose a signed message using the associated OpenPGP key, they need to figure out, which preferences to use. -The specification recommends, that implementations decide which signature takes precendence by the way the certificate is "addressed". +The specification recommends, that implementations decide which signature takes precedence by the way the certificate is "addressed". ```{figure} drawio/narrow-interpretation.png -Preferrences are sourced from different component signatures, depending on how the key is addressed. +Preferences are sourced from signatures on different components, depending on how the key is addressed. ``` If the user wants to write an email as "Bob", it should consider the signature on "Bob", so SHA256 should be used as hash algorithm. 
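Review bot: The + lines in this hunk use two names for the same object: the sentence says the certificate is "addressed", the new figure caption says "how the key is addressed". Please pick one term for both. The + line "The specification recommends, that implementations decide" also keeps a stray comma after "recommends", and the context line 'If the user wants to write an email as "Bob", it should consider' has no referent for "it"; "the implementation" is presumably meant.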
@@ -151,10 +151,10 @@ However, since this signature does not carry any hash algorithm preferences subp The same is true, if the certificate is used without any User ID as sender. But it gets more complicated still. -Algorithm preferences can also "live" on subkey binding signatures, so if the certificate has a dedicated signing subkey, there is yet another signature which could take precendence. -Preferences from the subkey binding signature take precendence over the direct key signature, but not over self-certifications on the User ID. +Algorithm preferences can also "live" on subkey binding signatures, so if the certificate has a dedicated signing subkey, there is yet another signature which could take precedence. +Preferences from the subkey binding signature take precedence over the direct key signature, but not over self-certifications on the User ID. -TODO: Have a table that lists which signatures take precendence in which cases. +TODO: Have a table that lists which signatures take precedence in which cases. There can be more than one signature on a component. For example, there could be 3 direct key signatures, e.g. because the user extended the lifespan of their key 2 times already. In general, for each component, only the newest self-signature is "in effect", and older signatures are "shadowed". 
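Review bot: The precedence rule on the + line ("Preferences from the subkey binding signature take precedence over the direct key signature, but not over self-certifications on the User ID") leaves the fallback case undefined. The preceding paragraph says that for "Bobby", whose self-certification carries no preferences subpacket, the implementation "must fall back to the direct key signature", so it is unclear whether the subkey binding signature is consulted first when a signing subkey is in use. Since the TODO for the table is still open, please spell out the full lookup order in one sentence here.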
@@ -164,10 +164,10 @@ TODO: direct key signatures can be revoked, canceling them, meaning an older one ## Complexity of the packet format Unfortunately, the OpenPGP packet format allows for quite a lot of flexibility when composing certificates. -User ID packets for example, are not fixed with regards to their position, which means that an attacker (or canonicalizer) can change the order in which User IDs appear in the certificates packet sequence. +User ID packets for example, are not fixed in regard to their position, which means that an attacker (or canonicalizer) can change the order in which User IDs appear in the certificates packet sequence. -As a concrete example, consider a certificate with multiple User IDs, all marked as primary. Or equaly, a certificate with multiple User IDs of which none is marked as primary. +As a concrete example, consider a certificate with multiple User IDs, all marked as primary. Or equally, a certificate with multiple User IDs of which none is marked as primary. Clients might apply different heuristics to figure out, which User ID actually qualifies as the primary User ID here. -You might wonder, which signature on the primary key takes precendence in case of multiple signature candidates with conflicting signature subpackets. +You might wonder which signature on the primary key takes precedence in case of multiple signature candidates with conflicting signature subpackets. From 04ae1fb0a8adc6b267994f9f9b58ff308ed56f7a Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Thu, 16 Nov 2023 19:41:34 +0100 Subject: [PATCH 19/31] Add link anchor --- book/source/09-verification.md | 1 + 1 file changed, 1 insertion(+) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index 6846a96..33edf6a 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md 
@@ -32,6 +32,7 @@ This is especially the case with signatures created by dedicated signing subkeys * **Revocation**: Lastly, signatures can be invalidated by revocations. +(temporal-validity)= ### Temporal validity A signature is valid only for a constrained period of time: From 1ee302405687a70767e5957276b4a8eddb243de0 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Sat, 18 Nov 2023 22:31:23 +0100 Subject: [PATCH 20/31] Normalize term: effective -> in effect --- book/source/09-verification.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index 33edf6a..22c731f 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md @@ -44,7 +44,7 @@ A signature is valid only for a constrained period of time: When checking a signature for validity, a reference time is used. This can be the current time during validation, or a point in time that relates to the signature that is getting checked. For example, when checking a signature in an email, the reference time might be the signature creation time, or the time of receipt for the email. -For the signature to qualify as valid, it needs to be effective. In other words, the reference time must fall into the period between signature creation and signature expiration. +For the signature to qualify as valid, it needs to be in effect. In other words, the reference time must fall into the period between signature creation and signature expiration. The same reference time must be used when verifying additional qualifying signatures. 
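Review bot: Normalizing on "in effect" for temporal validity in the -44 hunk collides with a later paragraph of the chapter that already uses the same words for something else: 'only the newest self-signature is "in effect", and older signatures are "shadowed"'. After this change, an older signature whose validity period includes the reference time is "in effect" in one sense and not in the other. Suggest defining the term once, at this + line, as the temporal condition only, and describing the shadowing case with a different word, for example "active", which that later paragraph already uses.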
@@ -94,8 +94,8 @@ Note: Attribute shadowing should only be used for algorithm preferences, since t ### Signature shadowing -When inspecting signatures on a component of an OpenPGP certificate, only the newest, effective signature for each function is considered. -In other words; If there are three binding signatures `A, B, C` for a subkey, where `A` was created at `t0`, `B` at `t1` and `C` at `t3` with `t0 < t1 < t2 < t3`, at `t2` an implementation only needs to consider `B`, as `C` is not yet effective. `A` is shadowed, because it is older than `B`. +When inspecting signatures on a component of an OpenPGP certificate, of the signatures that are in effect for each function, only the newest is considered. +In other words; If there are three binding signatures `A, B, C` for a subkey, where `A` was created at `t0`, `B` at `t1` and `C` at `t3` with `t0 < t1 < t2 < t3`, at `t2` an implementation only needs to consider `B`, as `C` is not yet in effect. `A` is shadowed, because it is older than `B`. ```{figure} drawio/cert-validity-subkey.png From 1bb46763ece1d3f410cde4805edd8f260e3fc656 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Fri, 24 Nov 2023 16:42:17 +0100 Subject: [PATCH 21/31] Move mermaid diagram source out of sphinx field of view, and add a png version. --- book/{source/mermaid => input}/09-sigtree.md | 0 book/source/09-verification.md | 4 +++- book/source/mermaid/09-sigtree.png | Bin 0 -> 110935 bytes 3 files changed, 3 insertions(+), 1 deletion(-) rename book/{source/mermaid => input}/09-sigtree.md (100%) create mode 100644 book/source/mermaid/09-sigtree.png diff --git a/book/source/mermaid/09-sigtree.md b/book/input/09-sigtree.md similarity index 100% rename from book/source/mermaid/09-sigtree.md rename to book/input/09-sigtree.md diff --git a/book/source/09-verification.md b/book/source/09-verification.md index 22c731f..059c48d 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md 
@@ -73,7 +73,9 @@ This construct is referred to as a [revocation certificate](https://www.ietf.org On the other hand, in order to verify a data signature over a text document, an implementation would need to verify not only the data signature itself, but also the binding signature (and back-signature) of the signing subkey, which qualify the signing subkey. -```{include} mermaid/09-sigtree.md +```{figure} mermaid/09-sigtree.png + +Tree of signatures ``` ### Attribute shadowing 
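Review bot: The figure added here is a pre-rendered PNG while its mermaid source moves to book/input/, so nothing in this change keeps the two in sync. Please document how 09-sigtree.png is regenerated from book/input/09-sigtree.md, or add that step to the build. The caption "Tree of signatures" is also thin for a figure that carries the argument of the paragraph above it, and the directive has no alt text; a caption that names the chain described in that paragraph (data signature, binding signature and back-signature of the signing subkey) would help readers who cannot see the image.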
diff --git a/book/source/mermaid/09-sigtree.png b/book/source/mermaid/09-sigtree.png new file mode 100644 index 0000000000000000000000000000000000000000..dc35f658ded0218ffc76152d159d67b1d43198ec GIT binary patch literal 110935
z0-a4V9wn`JQiL^|c=tPe)cKu66qhTRBEEpLnFA_%>%*%H6@Xs-KCS-7HSRkM|E^Ar z$;io9+5-I#ug-g;wn9norCWTPpSdIgq)Coc=CooE&;G2X&)ks8PoBd7683#stIz>- zL&iQSGzCActRpr)SF3MOCKi`BQqo~+3q3h*!0W%=vaup{=>YO-*#U?Fu z>Y*G;2RK@w_b+(uMqmy~bTl;;b=pX_9J*$KT1xv`#ncqpCkbyVk6k^5$B*fjS4`i3 z{D@hoiAhK(5YM4?ThOKBLEGSah9hmXE`9QIV9O9_p^py;4Y;c9PzQZ1WmQB5ui zQ?Pp^@i3B*g9gMH5Cc%aCz34bi-U;2Uye>%0%3<4fBO*b=w8xQR-hIh5z(EbL$`zVvfta>5cyA^MhGxAgFxmj2!B1u%OUcf|KUN*reC5;RS2nEee)ph$P zZjOR#e}!G6yZ+LuCZ(t-+ID|zkyaX?-Ly1PKth5_;J{fIhN|ss9f9-fh!GZoaNsv| zNdx#aG$H%@yt8#nD7dlQAgv<*{%NOH;Ma4{>Ew?Sm!TwOj=YNO>F(9J!VBzrx5|*j znmhM)ncH065=it`=6gSCQQinY61e2al!SbP$8dSc~&DMSHMf7fEWKChRnVT_Fmnt_G}ru*)3SGq(m zeNw)~3&UK+7eG0P1g*0b#Td{5CZeACQwnNFih!$Y*+ij5PG=pkKo= zU$xe9cn=9lK)~h8i%LeNYluLwXZSfZ3$R)9r=d=R{y8_-`0~V%&td+z$@|f(%NB99 zJ4kA^Im8-q37&uNllwb7%UZd^*Jbi^x`l*fmVLM&oqf;Pz7?HvXo6yLw&pDV^>USiyN9Um}|&M_;FBP>YNUSE#N?|b)wjND6r z*kDC4NyN}Xx%FlQk#Ew)i4etEHBDYgn?g-tzkduucGIEz`+Z#7-=UBPwO=^BAGEF1 zO0Zsk=}DQhwo;O_TCzv?HMI-*ppY)%%{6QPtD@7pHsPBYnaCl!=WFVRg&O7+*zA>N z->^NsGlCKlaDWUY?wAIJh8piL4j~0#5L#sFH!?A+`O;rBut2Pg9*f zg>#i@_5{7jhdijSFN|y3<>P%pNy)p-UgkbE$zmRYzb9;hTsEFA?zQ4F3ZJ2Y=ibQL z8j$kuO#hoDHg$%}rM7e_|2MvuH7nP?hF!hA?R|Zy37pz8wf0vK={S3@hF(dJ&Q6y? 
z$~9SNq251gj6OTlA)`#~_*N(cXEh40z-YdSc4=h=2Zqscy{u8M%h3HQZ)DVCS>E7A z2|((m)$1=smUihQpev4!Y^Ul{rg@N`{s5zzEH&(ysddOKE)L~4=g72~Yyp2DhPcEj zOg$#Xi|htB<#xwG#!K?v+edo{YYa$^b<_cdwkJFg2usaHs7IuOq5#PiuIJHZ_ z%;2$j{OTTD5lX3HXtqLZAeqn~vFP5{$D5Kd)M8=ixVun=#Dq9uVL<{LkVMq&_xF1@ zhslqbq~E632)D9g)5kt@bdRO@ie9mMQVjsRo=4@bcwKf6fPJQ36y0eC%|eGa9Dh}& zwu1}WT9sNkTPCgT!rLwnJUvAy9;k9IZhs9h)yKE4#_Jr3S63f3H#H5U79#-*feeVo zr6W8^`6eI<*12v8SqxF3Kn*8E&hR@Bk#fIgba;d*D(xx};9hE*YbJDc6Y&#RYXNve zb)%2=p3F+9?QTz^M#zWIu4Ru-I~JxcOZKL#R>g#(Y>nKa*A1#5<-t(m4%lx{%Z1Vr zcDYVeU*DZiVjj1Wc+$H6o!h8aTFk}z4UUZ94JIE*tR4~xi;5bb{7InbK51*SOcu1c z#lXPNf+WDl7Yta0fx)12cu(lxKYMTpA(3$Duo4N))a=}X9H<6|^z{!yVh-hjgY)KQ z)$2=@SaSa&~TD;Sqsw9}sHFU#~#;dBTGBPr{Q>_~f17Q~j zQ%vjpt_Wb%1CEW&%jn)ZufGu4Gj8Q-obMgIl;KEN`uUX;@xzuIKT)O+s$!(W(N~8D z2R$9ZV?kH^f`V^l83G|9o}GQ_RF&eEc6QcC+(4Q4EkrRRs*&p1Us~`#+~c}`A7O;J zH9D$}#P9Wedz*5x{jC^eE|!a9@>?m&q)3@Lj1yC(vwduIi}V(QX9j2F&E&!mU?`)|WOLPFBlZ`L~(o1B;+_N&>R zyl1-BU;oPS_gNX9k$#i%&uVm6;f@2#k{P8VMVYA01b}2x9TI zb#k|4OP_uEHn5z+K268?&)s6};kSA` zy%pxrDbu*2pfXEAOdP&7)+(o`$JL)y8ia=R6Qf&_E@x5HwC6M|Dk>ma1p}an!e;eX z;BPA{(F=YrLm)!%I?S5^_~x;)vFYsSz;ye4zwPgK(&COU0i(QfpSwSQPg^Sn5_q%Y zdRZ1qJ? 
z1Ob5H(F3^U1EPyTx55!oZ9|Iq0A4=6fkU4gi4!QK2ir{YEO!J8SpE2{RYE(!sXg?_ z)s+aaam(c{YnAl`KA?U`8E{@x%N-W(E@6GSS?Im@{c)C>(P(xCpe1x)Uld?sv~Jr% z0XkgZUF@1DCWU}_i;1br^jAd+ke7G+pPuCn%D}REoel~AY;fDo*pACnWFlwo9M=>9 zdz**mm(4Kfk?5S7(mZQMZVN>5ztepJKQLWvd*5*Ytpwpv;A{hMb$w>as2I-{Zt;D3 zKUf0y)mGT3Z2;Q|T3VNqK9%%ST$XA%his;Yx(V#qw2kYl?QQO{k%$T_C@Sv7a2%ERTom6gR= zp6W$_HJMK2#ZV?2ZN$s0WMLu@XK|zvLQ0VC0m_?`MWM{`mpel#?Ci!n4?&?%+PI7fGp`c$sG&4hmM`ZC`H;Yd; zLWfH}N1mJ4W&P0K@LtB!zw>7u7biQ7Si^B+*Lro16tE8%-m~?VPfl115@81SNY(4b zB;9-Kbhb}3_)!oUNv+k7u*zm~r_%ZF-{u%{fyC_BNAA*leksZ!*H@ugKIe)^0gWCG zRH#B$pLEv4{}~q))Z(B5StG?M|$Tp@f|iYvYF55ed}@A=vG4)7cAw} z8YCVb@}s^#v*(oK*6A|qf`#d*-{*Gd#z-iWjn~hkC1$rG3*y_p3UJJd7KbQ8 zxOvx69Y=hRlbPda>CUterfl^C9OzCl}2&$->3`+1fW%n(rJSe`1!`c+a2bxx3gyH;Wky9=c> zA4i}-WR?5IaT}Y7Rt4ze&!4SJo1?xU^K_M)qC5SWdV~~^rq2$U65dks(b1_87YnP{ z=U4tGuQ8a5i<~O-^$l2&pz{&X`Xv=Dqo5#hrR7ZkP4p1xRZ7F_b`f4o-F`A>X9zT$|lxeO76quk*rO ziYh9!_qnI1?e_yq_LnucLU1l=>}K50zt9{$>~VZpZ8JIGuAjj1)boVvA(;m2STv<1 z0{2H!^``AjmFGJ)txo#QHMkKYL1RP0j&H68`^713OfXh{^Xcm(?wKG#8xlIUO%WQ& zrqEE_J>)(zpR4W(X2>r8E7~W^9q((h4y87pXPeF0$zqexS2`CmR(`|bwBkfxx zsp`_!IV&J+=`1y$pQcTv$<|iMqm6P|YIjVtEzSNdFW7Rdc`opq_hYTR+nDr2LzlWa zy(&_SIdyY#x?G$()GE^K?TPm0^S{;wto`Clnu(d2++%M(2zDCe98BMfs*d&VHj;&` z{_B$Pa>-TUtit;G;2tfM`V{- zg&qv`@CZVIm*msf+~J{;qjmoD6#jNb(=x}UQ#Qkv`=Bi|K!Zr<3fcA9$~`9LT(cJr4i3?yIhWZgskbxc z-hSA8CfB0T*{g(RS9mAdYx;2NG6MMaXyd8T@va0J+?D6GIMVgCpXYHO?&;no187e` zz`LQ10wG<1cb-$#&ye;b(fHutEqHA~SZwTfr&L3~7hFDkycUD2R9NW_3oZEe4l^}0 zGc{jt7O%T|d+Fg_5oFUjDycmC`%{>Jf}iDIca#|~V9Z#Y*uyA&>9@DPJNpaNnbp{u~j!lI** zk&-`t^k1ARZ!6ZmC$)WgRd|VJ7R85IQ!j_v9~1;|P{KhFwEXn*YQM`t;D3<+b;sdt+%=z2s8{l6bD( zMv@LM0#k;33WS*5u~b4t{~Vv3{9tc`RAjpPvhK-;ob36-ZgE3+9$6#XfpBwgZVj)8=waz+aU2-U$S8^baXP&A`x=1AY(cKa#Z&frBGERCT$ z>|X}WjIwg(+-fg$Kbmxf&2P@ulUG$ueG5EP{iqkc(psGP9NB)(j!s~a-Rx1;*RRq2 z3B^}0b^hSOW0|Qf1w)S39Sn@FtuX@#PNJf&o9WxbS6TBvL`BK9CGvA~EgI)1Pe1Zv zqaoQYw9xz)fpwzC$30wffm1)^xT*{HT011lTC_7ae=F)X>$nnvJCrUF(*CyhPG_uH 
z%<24>7c;6n?;>RxHn%D7w1(m9)BR-h+ANL;+eXmiBj=$H(q(-33UO;3x`3LCf{ z?o7oGtabSLvW=;x4HEaUEkCdxzZFeUjf8j#OMUMpgdG=g;g7~!KghuXyob*E=eu~# z=O3qrxei7~$(AB8nuxsC!I1DePYDzX5RR4{9`mTS0~BugZ4<4-HRM#6K8Vds@Xfnb z@4Qr%`XaRD)5`}o|C-rR;Yk>48$^E~eqEA2=@~z!@Qhm)L zXe>PgNXj91a}?V*9ECg5^Nki1i5sE`JNu#>RyAFJ&Ac?dJPDpE?<9O#LxmR-rw(Ow zFc*;CoA2rfCj764!lqzdO<_5t*X_`{^T=v5m1{dX8i&`_%HtS3z@nnl*inab5V)KL+37MS+eJX9&)A43IX@*E=_>Z!UY4tqRmWw|e+`dG(BtiV&|q zd-lxO-acH?H^gYAC*ckjR`*9iEU?xpRoE66U)np*FLm~A2p4XJ0${^=V1Gs@DvDWa zuP@i^6}`XQ{R|b&+{fvfx$~P@k=B3~nZos-Un{Q-9B&-5gawX1ty-3D-H`km8(Z-I z!o+dL0RZi+@NuaWL0cRTQ_X&^w1#}^m zQ^@ooAx`Z9)C4jAY(HIJsH?AM2F0p}borK|0?VVE^ct#R30fGP?;C%=o&xG2OXdL- z;AE(xR{sEXtRFsvlL?uxZU_n%O`?Lx7Tc_evpa<4sfg`B7CoNN)QdgHuRU0?3wnuHiBq4DX zchYFk+|#jhBXv?~YV_{CzU`mOUSIz!(fg{-7aJK-D`fz;$;3{2q1KIiWgyjk8Pk1s zRyXW7JD6o*Vv;TCy?d*lcHNy{SdcGN9HY+h-Nx4IYtge1xNK zbkqqu0ts@;FraQ*MBh&=t<6(5n3xs}T{dm-Rv1JW^YY@qEpI3XF>1iSke&bqr(s5# z%R;rTbP2%q=2$-Q#i>K2fMt{9g*$8l_Fn&UezsnN)^FdQ z+`+{~K@t{@A8=3A$nEc#70)@FtKCx@FIvMynreD2m@eu2rTlAfaDtj^tM}=;_vyAT zniP0kYwQ}4kV^C$!#;nOMF>X^caQC%d;A*nVUHU7IbW6D)(>-Jq~Q#yZ%(O*gy79L zJ}+r1nF_+S|u6Wjxz?ani&@3yN)oXm8NWvbfy+61#{D3&;2EtFh+@ zmnd|OPySQmApxwq4kislKKNgV4r1PmqLK`x4}?ex51x@FA7Vz9=1K>1sBs8{aLtsj z)Si;u6M)^03zX^>68LCK%ZEA`avam35(31qVpf|cX{EIF#BX1O2ovpTn&`)!1}xH{ zJC}c8V%<`9kWLi)v-M5@6#zkW>Kv^TmyM3rcaV_${A!(UuG4I3StTT>!S3Ca%y;Fu z)RAIa3okd~1Z$SYvuEYTotU!n@(&U-)DP0G#vrUepew79ang7XU=1?@s>wk*^XH ze@>OJXhTs~F9**HM$p>+s<@4$mL1gGgGak(YHb|?B{cAYFa6!t26Jdh&qcb#T=0?+ zOozj!rFDqj@Vz+Z%Tv7}2@D*@BOnL^+1}z({O8XaX@?5|Oa7izcNd!r_2w+luAul? 
z`7aVK7}mYaxbtR8Z13#jkW@_TUNiXvZv_Gqq9=GcCc_^eRa@+27iigC>3&t`Aj++= zX4kb&$ky6CmyU$8VG#X4tAbr(4tyH*XKyZCgW6J|og07#>8GVx`pS(=0Ymj_G z(`wZ2`h=5~j-US%#0;qBDs)FAU~wYsopM@J-*kq5NJYnJFj9gu1 z^6}lPfL79;Xi7S{Y+SN^3|LfVPYWBxV9bvv*Bcqdb&l;a75cim6#oCpKLFcOFE!}o zFIS&y__$(Fx7ZF+-BES*)#Z)x;i?lh&A-CW;WrC+oI$;OHM2Ib0jTRyuEzVsyl@>4 z#{%weTjrKt;MwP6e~-o^SEZhg8bq zvf=jxbdTWjd7}?;&tTNVgP9s?CW&UF)fbT@IIwiFh3YvKyos55PPVC-)f9RSIyoZ* z$PY?Cy6@6LBUv-hufuCFsGWHkMEIl z6?=jg)bw_=aPZv~~L`6S96Sdc* zg~d8tmJ)#oR4jptqI+L*$ff7Mtew}$Rz%XCq+u>v7)nc3Bw~k`nRKsyb73k>s_5x2 zx|QK8l)|iJK}bjlKV4Dd_zTSxa23cY$~|4-Vo?c;7Qi{bZN_2F}JXTfBhZ6%{$tX~aomYCyAumK_Ea>aj*!G6u6Vk9M z+6U%uu>1Jfj}&XaTy+-d42{i)!rupppC$UxD@$bPCqgA5;p^(^`uK4e^Z_rg*95iR zT*n0jpchOGC%P==#D)-1Qbxm?!$%K-1B==2bZW|~@Vg*9iUqo8 z!v1c1#3k#f2~7N|XMt7x)Zj)PRF1k9BbKBoixz0-Ccz;>cIRz8p>DOcD(JBL`@&$9 zPd~f7#HXfy;^jr*Tu+69B4caE33V-QSS{@@pL(LmrOIt4E#N+tt*r21x`U4HbErrf z9Pdd{0p~eBK7OL8$Rr?eB(;(%k11`q5HOmN4{Y`ogp!EjOidb}0B71ww%?Wfzkf$8HFhs!YfrTZ2v^kEs;p+~n47(Edw$g; z+x+C>u80|y`Tp@KmwrP!)C`taT+#{(?kFoOJGuKMmFRnq7HN4Su_z}GR+zg$fmumI zL%M~SoRCHN5lh_Cn%kO_VNFj@UUpTp!vej|3oWC)`PSEGBS}$FuGl!yP%Y=Yy2Q=5 zp7{L(tLf(C^aDfE0Qm!Zg1zRA{_Cs8{e$|awzl{AQ?PApD2ud;pY+D;jeU8Mn)G4v zq1qcKrNYcd3Q9b?(W~QkiD{!qUQ-y}=XZ13`W6XYvJY;doG$%tATnK1?1*r{E24_7 zlvqX9bmq_0qD@VzSyiUPYx;#ctGxWL6@QbmQ-N@8nY&@}Yvt|QXP1d0 z;uL`mrB9!VFc_P6ht)ZVy-(AZYZqz=$zQ0&PPAuntn}i3)+!F^(0SwhP}#YRR9RWoP~MquK19H*&k9BkSMm09nstR41O=gv7C!S}QE}!>a?`7^ zy^D_9U}|UAnWu8ur9#-mM|CX`HdTi0rSk4sc|&r>1~WT*5R7Hf$W`=!(R5c+OdW-& z=fW!`EUU;+E&3{nU`O3Tk`9`)gg{ShBKR;=eNA99>pE z!Bz|J+5Z@qmezSd{cVbU#xzNRxu>fOkCfE1NV`@c5j*K_LaF!HT*l53RBYw;5!sON z+`1$OP7j{KCn~pk^YS`=@p!)7zzc=As-UD42^${cZ9E?a#sL|;A~08LR{bgQmZMTs9jWIuFhtL!9N zbSaqQZN?35>066p2jowGP(@@ILrK)1W^_fZf>CYK6WC`1ZowBRgDqBTfJxr1( zkp}*&!aB`{n~78Cc$b+?^DA%u{+K{PA>=Kl%c;ouq$r3VbM}BrE9PTy?|2`vT5(Dt zZ`fiqlcZz}4y7Mj=CgcUOsiQe11gALu!mm~5E7nUY^S*H{(BVY8$Zn>nA9zxtif#)n6X z__^y-B*d893(!CeW<5%+k?kKy}SW4zel=vPlZK@>W%LN>YO&A zkD(^rpW1kidCMRlfLW#!~Qe3kj|CA)&QVPHx6tt<-`ye4sH=W(;otM5|MWxOIH 
z29K%uHC+0X2N?FB-o|aZKZIxMQs(i_c#kdT!&~g!ma@6jt}B~&MCcO>g7U+Ul?l-t zXdr^WXmAx$SH}n0Fh2G5MruS{oPc634N&@j7u(VR5Fq!(>hZ7wmWX4;J-FQCL@Lm4 zq!}8*G4P^>cPcu$evy%tB~ysq?fh9o(Cmft;ro`#(OcNwG0mpAw=(c zr2~Jat5fRgbl^?7q2=YTBsVsT!2*~B5E5$+s>hFXbRNG~8u}wWZ)BS8>Gjv1X@ltc=rd#gu`o<^m){P= z__66emL|Dxo8#zDs1QyNy}lY_T(OfqPyQ=y zG)0th(G@p^uNp4rVVEgYzpL&O-o|fI_c>p4yoExm=t7sP@$Gm^3e-aSsAoM#TU%qK zyuKHtP@m=X*d+p#1ttkrdit0sY?Y^!-j_wnX`*`x6D}P=>_H*7mo_|Nqbap30WS;= zasjquWR{CN(*v9V9}_Q1U;J=i)aaQCuFFg6TlVGzgn2z3&j-I7qIN9tEW$Z*djHWX zvA-JI(1&sCM@QG^ee*&RlIOz0Qo2q-89 zKZ(RWQBsoQNfL1XGwE|?+_l^$U=^^{D4Mki$27#3>{!*U&*!DeI zueNl-E6{vRa}vLHeZAV!_4*|*|74cjJxcNGyQVjy#8<4}M%5!|PaXuWdJ12bVzyFJ zpnoc?7Sj48*m^I-LK;_x&U5Y^XIo8!WX;6iSJTwlG`aYmVkru>1of|AuB z$X<*uq;=@*f0%j?Xs-MIe_Tp~q$orvLI_EcU4#(IEEyp?TfqtA7)gD)O&3V{|rX$Nvpl9-zMfLaR z7SV+}5dw9cxfc9HFtvnC{9>55#5NhN4k$rC9|`I-C^-0KMg}Dcy|(n8+V^j% zM9RQGw6IYA{{1N%TQjA`=-pYL&S>9#(Ed^Gu~RhhfG=;-{Pu=xw39O6fwjffQqX=X zc{4?ui>=lq2}U?;Z6EblqOAqe!NSiEfg1k_hRLR^p^cpTT^UV=W8F~p>BAckimPR0 zxJC-{1jMY6f@d>f6kp`dnfh!rnW~;<6(^?}#v4=Rv3uvJmeQR&?_4(;!p@kP-yM)b zhPzK#$1#8ccnnabB$&0fBT^utI_w(0+Ej1RZl;*YKrwV;1YVf?&X;88mC`dI%DO}- zikp*_iwq|3+p z1dEPnUYCP~4=+SG(+s7yYReS4NotKgVB^}&!*p|SB#w=p{$PDh%1$(Ehz0%A$Hr9q z`!0RvSML#~sVY(UH+(OZ@4P2<@3FS~XYMZ)#%ZLjO|l=$8fWbk_TnA_Sb;Oz`&owHHLW2WKV#$fX~DH zsUydZosvs&m}ra2EQ`MV@xD)793Q6RUcLH^654mDu)f7zB!U){>$7&0@KRQG+Er82 zbIHm~9PNW{^TVfz?wvo*AW|Ar#U}SNdW#%20#Q?IYZWdN>?YC2HZf35W}7tjgLHdR z>33&X#MowzrKU?aS!s(>==ZLlKQUHnmgc%*J!yy)dW|!_)b;4DR13ZA3JwGW3}V%N zZ(TU5`0fj;E2agZaDkbdEaYQvK^fF%_)-Zorp6y2{5Lv<*$3zu58JQPt?S~lb#=Mw9hsJNQ>lN(Y z_i$mMQDT(K#K1rvny5T$XZwvWg0iot5I`Uh_(PXRb6|M*x{3<%sZ&?{GfVas7S>XB ztT?XAS}nTE$OvQo0j&sq_UtkGI3OgaaBmeoa?N+{@QRHklJSpTmE6FHRBBu*qwQ<= z%>`9eubeh>rpjp)2G_SQb+dp-O6zoZnHM=Fr-qoaw?x6 za3b~+9I@FEcA#UHmDPMTmPw{hA+UCF%HsHblOn=0+GBm{eE2Kj^s{q43=Q?!=G}|b zjkb+jAJ1N&Tee$Ei5PxtbKl%2t0K)kANNm~_`3-4W|_L0nn5q7(vd+aJ%DF1Zf zY=gXK0P>d$W-UJW&(yc8p!)snvbI+vL;GuAi3rw)$=WW_aL9X!VxG{`{Ptnk^jsQ<1Vf)Y=ZnFOxZ!|T!+oSKgZoR 
zEDr$j;MQ||E~!d@F?e)@70|~LT1e98)U(B^L0G77-W*mgbBow$PV0yzmQy7|IDkF@ zVnOGcWjka}M9rh^nUP`Tov~8sSNHMOKNh0&JCE*`zicGz5Dg7#&5XzR+S)iKZS6NA z9!x%z7v8>dWf#aW(5%OLuez3}x;eSjieZ@<%Q_)urtL2gT1 z3X-RJB#9nRD|OOSe*FxlXMg{1MQ(7Gl~eo#OI4@#E0WCJD;eh0q8$!=$11VLh&=|l zD@sFm3GXvn)zxhMkW5#gEm|c;!Mr@h&3a0veu>IFcrWQh$;t$kJH+I+f68|eL7TK7 z?HeQVC=fe>h*spGinuKQI*@0~{fpsG^T9`DeKAg3#)N2M>;4ve^Ut znPdRCG3j{FnE9e!@#7a*!*KWbU$AI@fkgoU)KYCXLR9Nm-zmLYj(5=M?(V)|-4`ks zWV|bah6E=?y}h!3Kv2-`ujStS^K#4_A@ab1uB2&9@45s85hG-H6G|I@OV~yI#`%b< zeQs-oY@xRfhuAsuHkv0gG!l=VSNN7EMTnyw^*-QvCz|p#QO$n*1A$Or) zs$`VLC_381#fh{LX00Fmxzi;+pW@s5g;(W>gWjvZBT1gn&>F&k{IZ*`*&6z@K6cH>vqt&ivMCkQ(tS)PGqpk_kwTQno;l8;y-1VBCSRM`2A(11HwUOyMUYL5&v##q~Nai?MBTyp`UgzBw7IgJWZR<2K6l*V=p?%usdz#CSZGz*k+J-KW+oxU{Yc~Rnai*-i@&l#|>FslD5Pv@T- zv5E=%=Zv+59&RW!p<25pF%sNct*x!e52u~rhI$LLs%m1b2=9m!%m@fw^sWB+6HaoLgC{OYc0UAs z&QV)tST(a&JHob8Y&YWKt*c9fGF5K*r{b&dz`#w(43<1`BHSRwZASC+IUDQey}i8y z#mCr8xe-Tbc0zoU7i{*ab91L^YP|2=yBBO06@!C&+PA=IafelNd*6kwx;oM-wxpgS zT7UoKh{~v6<7X=TogGuX;(||JJb(VxJ__AP+HT)* zCdZATG#Rtl*d*Trk9aHX7b5Ax4*jVr5e^Y`*bGJ-Yq7An(1X$N%7oQ1x2NcYUvituTK4Uu@NCIF%<&e+SKV2y0wBI_&qY*RfE9S;Ld1N&Z z?lRm+zL~Q+Gkr_?EeXotFn0@>UkXhXgC6XKR}~)=)zAmVK(rDN9u8!KBlfOC5ymFt zEWBrA1fk$Q0;anp#Bjpgo*>>tW8xpxE8F;h+;O_-@jqcSX?-uZ4;)@45e+F-a4Z(G-==sI`l*A1s2>(uW z$1)4=`OwC9wBaGBL{6=xtdXX|lNnLffEJz`vINL{5FKz=;O9-zP_C}ozh}p2aoi2o zmITLzFZl)B)O#I0U}5!#`2AaFCxSd*li|V{IjCyEaQ$qqql2LD)L8+oZUd$5v-`a^ z?p&3LpzEhMUsTLV(XN`yP0dS86hQrl-ixM4ukYS#pcT?H$?55eTkAZiH4$iG`0roA ze*_;ZYq)wE_26h$vGIOJbtvo&N#0plXc1kV2o!_KQ8UxBsY@bKgU%n(4BN+Z;s%us{aH>< zvt@k}!cM%w>9BaTSg`u_kFtHXo4f)^?dF_n)IoWgiZ7XPVH=vV1?rMr*h4~c&Rk88 z=*7XcV1Efl)v0Y%C59at^+be{=KvL3n6G-!?!6A73Bvn*ugd&CEr7z0XtA-TU&rR< zm057cKtwZutWO|E0g;hc!Kh-d;TfuB&RoM6H)~BA;;MPKe15&k{pOjY0J{+^CAlDGIA4x9i@0Bnu~~r=P{AZM4LVl-33$a z6zaSn)!wR$b5O6QR~wGWH*SWJ9=mVWTj*(QcWfRMo;$})ouHtgTc7RDvFZGPP@H(m1#MpeVR?<<^l-hVth+?Va(aq!@0_5SeIB4khka^Q7pz zf&xf2LPEaNJ~c7uEj$*OU4om0P|O6x50bN^8Vcc}IcI#`{fl+~6aPkX14F~=ni}v? 
z@X<@&xIvVx#9)kG1zL}nxQ~ge{&wdgI_{^@pYp%fuPp8C?11i{JUtBmch%~29;?gd zzm2mx>p#fq;x%Xi+U6Ht{EiF0`7#Ob(X`r#UpuEL$``t`nVEa~nP+sG9fChRAlFNC z%0n}T_{@Z43rZEYxhq$Mf+14`WJ7BDzQ8_6!pTtww)ieskUqI>mEF2^G4YD;#JKPDzK-b^la%sAMhCx$6779 za;LyfTr(pw*|2KmxVVc;sb!3tZ~%lX$hfV>mcV)8GGAk2YC*&J>*$Hi{epR!30?`P z!1N6aNa1r}HUIUY4wBHWJnMa8PK&&1cf`RQHj2|<_oGvK#k8XsCui%+GAp%_-CcO0 z^S9_n=66fgg$ zTFM9I9}S_}B9!%6>6}ikY?Z;9(&L_0ROZfN`UkJ1t_}HzOm$`*c>*ec&-kb2$meK) zAV6j_%Qq&+$6vm?b8xbq+hn$nfv7EQOcLitih3HNm6LF+1O`$9Qu$HpD)MhpR2mRf z>4p_?nueuRs>{4xBjA%mhjR5S?krAk@NKP=2W>YrG_bL3RLURh>G{>|#qiIV=JEA$| zracjX;e*6$Ub?WV{OZ4j#s#6rO#~u$YHEt?(A)NlxDo;)(_thv1~+-Xub7%QlM6@P zz@&3nwu$mN_iYC#CSKERYFwyoguRM`)y@@#2$&KuqOHV&AaQ$yxt^kx>gHEDhU9X7OA#Gg|W9{ z&Xh!$y_#RROcV>-O`s0E3G$C0r#KXYi$K&sC3?8k#a7r$m+1odxQ?)v1bLnREjt#A(mD^`VOr3q47tbm)YCy?(cz-k#3bP(h zB*c1hU{}AJ2(_i9<@M`70l1b|%HXixeHmD?!qh7VTeAix_m6uJ<|t=sW_Bv9uB)gc zyS(EU0N;;#JHEr8;9yWK72Me|stqpq87+3ede&m|UzPkt%XM=6#i;g<&~IF&cbOZw zNfJ3!a7je)F3_QmxA-XV2MKtrS*x{lbnEx;K2Vv&si!SJXT%UKlWgdufIpqr|9%(% zA`T7qix(pn9TX`WeU5SQTeJr_UktV?QtkbsqQr!Rx)1=s z98?2!Dk=O-#*^*+a&mH`VS1QyJ=>2Ho)$t9S+rbyf_bO$sdS1i4$W-SpizSXN)$m5-4Of_l{e%SD`34r>)H`l+X5(e}+V3!^Q#SIWnL`&tLjY@YC@@{7r~9H z6tc^G;^H0N|HJShYUI?+kf{ruMn7(yWiO)Ks0xofm0rIH-k-jinc~9e?7wDNDL#Jw zWJGI&5;*TLerqoUV@T%I53kaxt_4BDPxB#V=jW$_&Il)k88WPUi`>=5YiHnA2cs+< z!Z{0TYJXy3-`B5Rfoi5+hkB#e?O@Gp#>IBmMAJJ$AZp&yS*xYZi^8=FyQ{BHQ||h! 
zs`BzzPD|S39oDo2;I1pXY_O*ws4cVqWsI8^cZi7dGUDCmxQU7$IU}8$K)x_C${wJg zkOsfs-5m=4hwtv!m&9D*dZ$r#zoO;ag(Idt{mvDTqV$3pqjkK=$2tYUo3Lk zr~tnBxVS6Ws|peZXgQj{SegK{307{8zhvHKbFbyJAWV)F%*>M5I%83fPRKt{oc{fY z07BkO6X2B+emJE&wJjr43Gq1{Di0*W9LC$mevDU}xLIH)5E<2<2$W4(C)&hXFXTB{ z#{hO1vR()qZEo%`#KcYQ?V*&t1Zb>1U4*(Q=d(@`Pg`m$(W4bhOoj4*)CspHAAk1O zZ*hmPjo!O%WQei z0LXt8;;3=xn;@51t3}aF!_QAfpodW8V2~X)U;_Tu#VMg1PEAlGcYV|;ihTLkz9Qb3C>frMM*KOQ`OUZwj7N5voi0z|%R1cfHmp9C;X~DH zKCZ!o0DE|ks#@rL5Ii^f&F`v}qhznfcQ)Rj{QZ7z&LdjuC?zSg0T2@&FcF}?o0m&J zpTnM7-QMuNDq}v+5FQbsZ>SnjU45>&B$M!UN}L}d=ZbV{igQ=Q$ur=Caa-De@2e2* zQH~Zp?K;!;*E7u6_y5QV`EQpBnj7GkM2}fN{k!jk&}T2afNMtv9B*eEbKu?$*v`1| zEi^dzUX75b`!*+D22s-_yL-F}VcRF8e&e=LRki;!G&HwV!Xj7rGpdMkpBGJ7 z9!I997zf9{)Q!o>Nq)z9ibV0o0(UxA$IRXpyJLNy zx9(HJS&Z|uxw)B@k1qsN2UK8vu666Bkj?)O|E^kmEsK37;?q>0GJw-+6&m9hO|*IXFE0s;rC`wF{VDIj-7;j7X#* zQnx0%UqO^lYz@1Kxw#Df4Oc&eeYWFoMC`}5weP)R!W+DTbB9!{sxxc%+{y~q z;lHAHFPng8NY%_dMMjh1$aV)#5PzJa*nQN3c@=B-F=O2w%}C149|4)A5pqit5nt1K zT<*|c+$6;;tKRSnHQfESnYtxkbIhoS>U{>SOT+#A{ET1EU^~aSMRUVaX2+l-J z*c}%oZpSJ z_ia?P5=;otH2i=z%yB_Oe4)1MJ#){{AA{pUp9P_ueEaUsd7$lW=^H#mgM)E^6$ovo zzPY&)PEX<$woFTUXb!=2>bdZdqx-DBcOGB-c9ubO&UY777&#VW>pfdTW+-d@rF}0< z-)%Xa=aSY;bN1~w(A&ER1>fJkEfzDQXJ|1HJx`FTp)JN|4e~iQtlN{XQ@R`32?k~58HPmm2L6F z&T_6_Lc-xg3=!8tID5@n%G29MD!6>|o}6>9|830`*L>#ieq9#32Sz_OpBwkoT}@Q6 zZ`WBUYR*r~B`mu$RKa_-+N|_tWazZTnJd@A-|jP!NjMW63}LW3tMx8?qp(afI&Gr0@EhF zcKs_Db3DK-INMKLy^zdfWon)?H@%xC!9%-soudU8dbR0XFJq)S1DTbRhk8hwhp~q!?ADguB4A9jUVTj6HaI2(|EPS>-)^qFP;47 zGq0CRlluEQ2U>6eu9)l)Q0g14|4q#) zXlSB&0BU#TblIB+E?MB#uL~2%c0-$WaLGK&O|X^KO@- zxHkb%<0>NAD?YsXZ#N?4Je!(MLQ7NK&>)lA7Bv5Y;8y_K7g`YdA=V|XDNr>&?tq|j zmEB}<#ON&9?eMTG1_!H;#af?E*u6&@UAr3&34o2*f&@V%Zuhg=`AMDkVq@iu>FDXn zF9YwWm_byT&P;Dn#nwjNf@^>J9bSU299JDM%Qyl}`Q<;-8|)3uZ6gf`E( zQCH)=D@aKgAvo-u`!>~K2W=U{C+7H50{vq}TcUvT%FLNL*C=6fQ0mYahv3%W$4b}A zn|Y(0UG&lR!PXo6TziB_@@UT?poJ5zzVgb-fxnKVDBwTpq&eEoecQLSiUO8(+mhm- z%beP80`c@*@>KfyGd}O{y}TSmPkxexWh=4sI!{@9usGc$z 
z+Cu~mtu%R=Ur#Tm)o4FmmFDeFyqhXLjIlR5I$8;s15P$VbtAEJKhdC~_7&rn1op3v zX*i%*mCR^`teU7gE``vaqX00F?n8}|)@5`EC$gm7mlYtkXcajGJKjb`)q~st5XJ7O zx|ic9DTFG(67Zo9Lm>(eL)VvS3Y|A@cl!XJ)zH?#YY>?F_en_<1AD-Z=szSJ1|aH9w?%AWLY{mLdi1 zR{bS3=Bt>vVw_4LQa#VlpV+^MF6|}+`jV22C{mooy_|JZ5t`&w?C={odIWtJ<}|** zt&L_pwEB32AZN)Xc1No{%kF&V&l|5VlKgxp7=nuzjYjzgb>B~Unex4bpf;& za@g@EXGngb+e;ksz@(mf?j{iAIJ65K7lglk^8i4+@Y`Ae`QnE$@9KoAYIZWCpeAwh zrQhR|lZN{GtgL^yNm=6GFQ^XJeh`%s{$a9ElWLW7*)mgs{0>e!dy&zI=DTzSy?G=1GjdI0 zeR=Dxvc%TsuYBN2hX!tJ=XunYv;$ z$mfzw*Lnc;sC2ppL0FeL%K%W3K(j!kIp6z;3bp?oaTAZ++pLnIHbzmpVH8<(#=*p49h!nQ7T$(%sgdXws zMeE^DI8F--S?!6ElaoiBz58-4l+j6k>n#%Bvqv-*>O>+ybo-y+TvQ0W@O*IK#yjh> zD4qBATp_GMdgSEf#EFHkQZmjq6HV8@fp1#|(<<7Zp2Wr74ERka zVBXN3D?&h6ah2~sbm;V%Gfz--A3CwR58X9fQ5eY=BQLyaT{C#~ z)<2AT(8m3TxBJItQ&S$s43e$ z{U)K80|CCdI&=a1B?}TE2*g&=Mp!?Kihs{MuUH!W9LxdIC&`I`VmyNdCp69Cy1aaF z&p!Dl`DBP&4>DqV)fbW*b)2Bc&M`I z`+q)tN~V?K`464B3w^G6a-}K5aZ**3l$7N-EQD+Zm~h1)s_bf<(Sk6UtlxTILzKkh zBw>e%#a*bRrEOo`!C4pt3K%u!K*L^aS{6E0EMuIK#2GB+_$b= zt7ZYdyv=1MqMoKvRd2}`#O{xLJyHS}vAJsP6QabCYAJ6JGhc}tA)yg&qY!bu5~nM6 zUpmspzIW&~{tVkM81_HZMSWrc!2(MEJ2sJDK=bkw1r%QZZVkRt9hI9|c#0Ruh!@z( z^nvLSDT{s9eKkN+ZkR!EO7pTy@U<3|_7pYqr!#5IEdl!Kx7TVXRkM?*;CdOVVQK6#Szz+3=a>At`cW1Alfgzy(LjDps@zM-wFe$ z+0$_FVKL%s{!3jZp1Ty=pq&^~xc3gL+UWO}B_e{BD}Y79-8?)e=K^$rHUDSAf{y@O zAyp+&m|Lq@HqWZ0`IqZwIx9$>?{_cK6LD!;@to&7@fBGxw{ohwNF-exdko z`IyrTZm<{Rt(PL%lp>>*?M~&nUlJ0+>)A`-`2p@D-6Baj<`hXc9Qgz)2he;6z7nAz z1MG!+XKldKt>TNvSYqIiq1Oh3fRf+UMYXO5ay9?4y-=c`5rZ8sC?&>Iyv~DTs)cYz^BHJY=vMC7uvphu*eVJUs+i(Tpag@Gf_xfTo5L8XsS1iO;HsXnW0s z3sPB71BSTH{2L$i^puXGHj)pp5f(07n+VbTgBZoo%reFb92CrF&(eZu0IWa&O|VJf z-c@q)ctgMd{{2mM?J9QU#@AvN6C=k0`kb8&_=CWgzdGKkXV+Am^6*B4+na!Zh6-O3 zAWzgNdPpeip>8M8J>}jpHmKR(zh{P*{tDa_SYn5m`YJc(rhVH!vlIy>RgLYia+Ev4*I#iyOt=Qxr_=)VH@=60@bPR8!TY zWu8p_{mZBS{pjC3q^iu270ke%F20t)UgBIH zWox@yng5>_V72X{YBcJYxW$%K?ANu^3wFPQ{1hvgf6s#ii>CXhM~h~dAc98TVP5qX zxDam-#T#b}*XLatDV_$h0BpYWulc0rljs0RS}7dup|rP6<25WCOh}BpWZ0R`P6dyA z(1rT?d;6C^s_e0jHNS3diKk?L-^R>MEmvHZ(R? 
zf~dpFN-qeR7g$xe3hu7XH6|D$;L{hWfuBs9yOVW0D*e(}lL^jRT5*?6)jEQ?1|Az! zONNGqRd8E$mTsLX+bQ*R-w~@@{7Xjg(1M5u0~yHn0EYhyRy~wWm)d-t1`(9WE~F~_ zVEuB$ux94WnZJWp{iVCy-OJ9KG5OLIVTzuoWZYda`cs{@kxP@kU0FkyK`qC=DyIOSB9GR9b!E&E3m97Lx;w! zj6vk0y!RvL6~=P>HEUZdI-5%!`sl4sPZt4s1{$G#k&3e5AU{28_}@2yCo6|OpPsbU zm9=ExBR?ui4}$Awbjd*|_^^e-#WvnaR;?nGk~l*9n4q;TZ?TxM5!U2k2ky-^=x}Z%s}6EiCFurEp}c3_IBF*(VXG+lg6n zto@`F?^84zM{K(;Z*I;U>x@Pp7s_p+=j(<^B@ItW_%8v+CW3)&yx;wCsjFRL7|h0G zu3eE3C|H+qH`s68e!l5uUOA5mzB{73&zv4}yJ@-9S8@lOReTfS(3Y0vkiFn<^0@RE z+hhBiscok#KJaBx9#AFJroR6SuJ2}$Z{Hd zx=&(jksjKHWJopF-X{ZM@IioMcQ>0}IpdRz3?3L35x|v2M0fzZN~V$bv72t~oms0} zaIJ-fMJq0QgmjXazMr>a*KVv$QY@2eSUx2sqp;*eC-U$iH8k%I&sP_CvpVQoaWV54)_#I})tf*xuFmc1&iAhb%<Ee$e!24rrNUFMLAofeWO`(+P}K>!Nh59)Uy&!<<6 z$Vq_6@cTWtu?B7;m=wHuOINkHX`|B98Td_j;%;YC5J70eq)@-Rw^Lg=otKh>L5<3| zd4Nad#0drqhz~e%;Ul2~vobU1uT{a+PsmXqqUMdR1laZKVdowaF$2_I@Ki7Sk=`$0 z(cavx`DijJ*y`W1xB?)@ix(eCmZ^na68c5GUX3_EvRR@htB;YY`O$E){eihh-)`c~ zwhTOhm0v}Cua9w!e(%bJ>KdY~Oj zzth2Qa8((`%6}jFF7exswuqALkkfNk-GhO2s&6ZM&Q1Ny(bZM$v9!z=@W^;V17B>; zPqDB^Sv@!F>sKQE$cTuD_Yb!wJ4zsdiCdn+9F2i@)|HsHwsT;8Z6_m*Fh}a3Lv^rs zpu2Q~ARk$u&b?I1qon69QkDG1l+5iS+LDPMS6QzA4P2IA`qBA*lbqbn;v3uPYh;NG zAKn`&Q26a?m6Xz(gQw(js%NybueB8cy+meDO+!QF?~PXjQH%2<{NFs&@8pR)5+`|_ zzcoHLsAqsEoa}{nlX|n=xqeY1A&ffI)S-~`l{Jlh_|lhW)*7vqdx4&RqT|tzio{(W z9=mXG`7}g16QLNlz>EV3w~nG>Zb=DA3k)K#)yvC=%*&R*et;i#+g@`9=!gEF>6=1N zWo0Ph5L;reumC>{kqs+3*HgNswV-SCYE2Nix;3e)?kr(-WN(L8D%;z68dvZ^)Y7%0 z#u{Tr`Pd4I1V=ivCUGsK98dkV(5|z3;>Z#Ct#vD-J~xCd%-=WEwEf#6@ziSs?0l|n z{G(ar0@n??BS-Z2?A;rjvgk)j)jXhkap{zlfFm_~19QcX-jd@%?2X^*ERH}84bbQ~ zZ>FWByQw}jVyylA?%PLUI>(|A#x?MLCNub`ks*fJ=#Tzny(FyB;gpGIKsswM(l0ho z%Ueghd-rbf9T#T$i)Y!HnO~vlxmoa;1sVw4vn&DEkhjdn8)F4-y?5R?2FV-R+S!e!Wg7FFtM#pP_3CpEWLU6Nv2 zztdKK-t3B`9D|e7@(6$&bC-SYoB!AeZ3)IvKoJ&>AQUQ`5qN3{{zw1@gc&h!aQNAd zH7K64@`cZ=F4S^QthDbJ>=SnM904rO@yW?vMb7+C7gWDIGW2g{x-$#<}#Lm1@=-wxzX9H^R`lN6nE8RD3ko%RYRuo?RvzuD$Ol|9faojY_* zQ*ZGudg`^=_i4#fKkPo27oSnobEBq^Mxd~xu&>c^ZIG3V=V%O@u$0&#sJpBlxaZ@V<{ 
zF+i}_60_FC<9%R1proaZ4VBT+(LrEIMMKmbd?D5gizMo4rOTYYuMX1W)D$`VP5f7= zQ?&f&2SpJ~R%QrLuI%sk0t*e(n9MeSqRzr&kdeqk-_l zIiH_4Owk&6m_u5ZzNcc%&_-m$q z-aXT=eSE(5^bnhj73P?aThnf?GaoMFuGnaVv#94TFUSP69 zQ}!4U0H;@y|C|CYtvoG_j%M_wP9FqK3bZ#OHr5Ld8I9=O`}ZZMyC2v-vL;w=ZERAs z|Cl|(KJj9DXgk@iPFUiI2YLDW_2GN>@%>Y8#4%&K2(AlmXeSOACzI7B$Gm>;v=jk; zo&Cxc3U7b^AJ`3uX@^qm9H;t+r{%)wrowJ}Qw}PQ zPoF-$*WeD*9Qs}OQD=h-3WSmEEfHw;APst+W??8Qw$bv%a^K|wXZ_wnRup>7LPA+L zoHm%jD($GG*e_z)&|tYMZ@Zw$}K^HD2D*R`#Ijh>NyJX{P)`B#100PM0iP{NBBiF18KGr*vvrH~?r|`eHWxmO@ zyW=~3I_(K^b&|jO)ziKN-`+U0pNq?aO=PzTFc@eXvEq{MoZ-yNXtr zvgV|(_9fE%;-Xl&&v!#1H83>cYv=X69!IiWPh~z_WsWnbc<*@sIGs7;vC(CXFWK20 zXAZ=heUE3(yQ!|%AKTW_7waLiFqTPuuxW6R7nW3dbT!69mB-eUZrLZJ50$sj-J}mc zt8*^@_iquxb&qi}-@CG9kMkKs4iu!cI3s%bPMlaLV*Fpf7O-*nh%-W-qQayxdTugP z!e*;b(4R@-ZfnvnE%wle78BFA?jPwwM(C6hEJ5eM0Oi#pf@*Edu|w z?Z5XeFZk&b(;%ReclV#_bu2kkOm*>xTh5X4~t)-pPkdu) zfw=XO@y~m?u}RY3TC;iaICBt))MPYHP&W?23to?S zdRhrLCl9Ty_4W1IZ|)k~PO2XU^jR@w;P)Ow=h;3_S|K|ZM&)u`^Df(t{VJA46<5^# zEiJj`HfCk}&F=_09+Qv^4(8A~Zxoxx%Ms>_QZ@qc7)S|u$U(3!ZpNB8I*w(QxdDVq zhtX@Uj(4Ac{QIa&wl^O87v<-d3K~t1jr|B@<%eYO-b5P-T@`n-@(#CYlb}_P%Kekf z%tlY5w=F0h1u*~jzP!lKWG3`G)TUOdfFj0&9-8Vh1U?Y3wy-1XwEoWW$MWJ7466!Y z9y4yuF-38?&C7sKjdu#7T{?6N} zme@JL8*<@;X;+KX8%v=_N{+lCk=H@3?J4PY4}uQ@=TY3`U0-TT-{53pV|mM^XM4;_ ztE8_!3zZj2neXlDdj4-Hd5rIiXW@yKcVFr@Urp51RAeiqB^X12_U!I6YqD?7oT^ik z3J=_3Z^XuP(fyX*ribVg_URMYn#5o8ZCgomS<*$(I@5zog<$8b_G+%yR4}Rw=qcDu ze{p&Gmr2YdJeVvbCHp3^olj~#n=RS2@bTkW*d)F;O1M*;G4zGof|B0*<+bCn8|LEC zER~Af5e!m4pFYaB(VL!Ws0}XrHHM(pY{ydA;ZF$(1)#kFLMR1WwV;)@!APy+*;_Xj zQ-z0Wu^oyg4 z{}zh4sbzNEGdicDZc5sRZs=wH5A@9erE{~p9w<{tJ3W8B~@k8}=EruIbV*b9qzw!kn`1s;3Z!HU+VrQ3a zl4#Tk+pb4>*SE^ZnHm{@>5E(RW+4CqE*;vGOUYxBr@UFJc;={Jd-V$^<$ z(uOvv4HS#4_e`oQULEG>fIT}Jk1KV_-LTSSNonfkLpwX;mW12)JLecsB^tFP48DE) z7CoJew)U&LcddHYSun)nPYLHEDJiMZ2Ayv`1$qR7N=qU?bX#9*YhRR?KmLXRC|P?E zl0rrAgSQ@#?n9BvTf2RXr1{5|&c$fj6uPS43~G0@v_{rU3=I_!l1C^XC)+J)4l=-r zbn?=r8)roWRFGVGEnNxX;G5|YRN!5}@W}xR48GziLoBacCuGldgo&5?-&p>mM$NOY 
zp6bqJ7Bei7mxno<85nGL52!N|5)Lr4=?a@_Z7xzUXzlHNDT~}jYSmLUmCeqGIXUoR z57YUR;pKgO^7?wr_Vb9O54iV%Ta$ldrJG_r`kDN(V8T zU=xtx0X@7!?wD$GoF_XHqQ!fP9?1^nqJ2bzc4ny3HA($Y2D;;GrzwH0cjlN0pfd#P zPu9`s7alIOyezMyjt!$FHfK*oxBe6_Vwb#>lfJ|4-X2|gFZJ%y9b>>PiGK>x)6%#e zGng-YqCn3!-ds{Jf7_MG>dMmB2BiY2E4eIl{Sf3~&!~QMc>LJmXba5PyjmrH32Dz? zJ)%~Ze;=28ch;;$HF)Hn!Kvk?MDJ)1;^)M6pDUvFFpoG!T3wfUagc?D1x>kO^LqhA zb!|q;=|Lvd_1TCQIfCD7YK}87FyPbxh93uL0Lh;Xkc!Da2*@tRZg>JE;@7bl<#KfN zcrGYqAsKD{q;FWd`p4qp{Z$={b2dkg1hl;MFSC0>H8vzoZ|{A3jt4WB{o-9HQjms) z;Whbp_v1~{V2Iu20zaF%0V|@jx97zG1Q{OxF`+xySXt@Q;f~~zpEjq(gSW_x5 zK=oihT&)L9Qpl%IG*E*O+}Vlp>KOcV4AQown-V%pJviGwyKOxroM$oaR_MlqmBo+C z-@QwSc7^~8qtmIL>ZY?57gO6p@`EN}b;w_pF7Hd&QRL?S!Dk}W!O!+^05F8g@HC~SY!B!SZEd=y)YdAx2gk|oP{dzPrR{yw$_7bdl6Dzy7cmBR?e7?x#N!`%j5RA1Maafh~f>b zXJgep1rgPIge5pS1unUY)@)_(V8z>Smdu-P^xv53P@tl+C-KfAwX-`q9_rEawJcEv z2sH}(QE;<3R9~S@-X$MDJl?F=THdPxkd5DU{T3zVpKvi}V!$59hHrx1LxrF} zR5^kti3l6+$7*S`V(VPcs$7L~bYaxB;@N?I0xt%}zO+=Z^V5~%yMF-00bW5iHWC_N zfP06Bhnye`la*!fciZm2B;0-%g)HGJ27*1>u;ue$(oNmDAMoKTz@f|`l`y4VNV*=b zfSdMESepr7v!nxE2SJ9wB`v1 zP17*&%@DCkeu!j&X{Uft^FO|bu-uv;ug)))Vz84DLg^xkJ3Y#O^#q;xGi+-XLgpR#5h=olE%Xx3d_v^ShqZ)<50AR#q6U(A}tJVbkF+%-OSMpn@;ffNIn_2lQz>v25~ z9L{>bem(qu4*O7UF-%z%$vxm|J9)*HFz&Cf&%_ap5<%$!f`QJ6%ts!9*Qs|pLXgmg zqaEoQG_M>vrDSg>Z79|yozAP_7#Py!9%qgZb%GM#R+LfX?OI#fzx1kBK^_sijte(we9J@lIgliS1BQmSZ*z zNZ3J4(W$_!QG9NFh5W?CV^E&ooTNZ3JoqHzZ zxp}Rt2xMCrRjfo?2=w85!h@Q?S>#}o;#xYZ`>_qD)_?KOof%+0zoXtot(~!?+gr3k z_4FCBx$k~Q@&f`$9py^Xs2{5dsv-zvkbFG)j#@;-8N2X~X$_I9t1F7wuL!k!Q`2($ z(|`rcB;WwSt~^CWg46;THMOg$v^}z~X#LB|C}1xj3|!miRf`eh@PNO#&PFgyArb;X z9P~XU&c0+cN=Hs?z62z&ur@|T_HiF3PoO0B#HJXWo&C`i$7G09T(}qkgaY^(7|Hb; z{NWrJ73HVBZ7ia;_aNp=X{&Nqcl8`l$Ay*W*t${8Bk+dj5KF(|lX^@r{ke2Q)C8f`p@80{IzsKwP{`h{vT5~=z#$Dq)kxVh4Cumo8 z`-LT(5X~lfQ=@A8u>J&`?{**%(90GYLt|sSsvh~JCiMRZ?{rF-#^DR^xXJZz?T#^J zc;?>e&VShXa5>vO8n+KXoxrz;SpGmkR}b)SyoX#&HfY0&`I9!^Mlr{WD=SmLTLOC} zGqZM?h=hb6*d!4|s>VSECJZ5k@!N?CgRNNAweF6PzwPA0Dgfny+VKmB7Sz?b;qYu6 
z81M%jBoLDs!?PZH%SMmBX442xh0Vie@-A_oZM*}@;=7=dWYjh`ra{KKL%S~Eyc@GM z;b}OK5!+l19vv_PpjYe4htn{}a+(pqf#)81fsLdm10Y#tvv3#MpXWW{->VK%s=!@gH32Hz^H>*C zB1>vkSJES}&~cxT4z1kVF+-{>IY?y5PwMPrsNLI@oO14i;asO$@+xhN7!GhtUS2koy)E ze$Pkmicc>3-g2QKSV0id<oyQ9!okE{a_zl zIha#`*wFmiD8roS>+1{Bq7}%n1So=p*W(NYTy%~+Lfg`T4Oo)`2zfrWAk?s2^;{;D)vUbLqiqe4kEl=Wr4hJSN$J zb8_V^&=VR1WsWi9<6A!qHJ;Z1hkiVjR501O&)LzTkP5@WtlZbqQbGaBd-oP*Geg%&oxVhTQp z8I|1bX8Rk;zQ5nprT;Tv;2Hh`J)_FLH6c(+@P|HTQXSU2lp{!F&-7(EU5d(3l@)>TSNeOapsxLi$e(E;+iLGGoV@DzKmKYd-ND)3dBPC<%g}5@hofr6FEWw~3@?L)I^^I5kKZXl zGwUY!$i3k8Y^a4~W0cUQ0} zX@F$pFZbwRHRLWD#&MmZ_-h9ou-?FaghjtnIm3PD?%kh&dGrqtXF|ADRV^}7bp&v( zE=rEuBqYpkNdnG>soRmK31J23R-)$S{$DkfmcO#Za%J($+VfQ%O6r>rRTk0 zty`onf4N-RCzS2H#|{3#Xs8&&U|AqCmi<*B&x>kOK%1WjJy2*5n)0z@XV;fe{XI5D z$dFuqzal{A*7QekKFrxcTRtPr&rtZ^E?mZ%?vm$hjzAmUXzG4?6H7WXtJWvx(GD+2 zvKOIe1$+FJu7}BXD@EXrsF)O3fJ{J)Tb@z?DT2}m0aY}0CMd$|qGG|OV6;7nuc;Hj z&(p>DvWekCZ46;%AW%U6yF2&Y&LY3(KOtx3g9j#fU$tGr_66=u?h_n_^$D{kjTC~cft247L~_Daj$0J)Tr@Q`!Et;8rVK;H4)GD-d`pJ zZAUT|UmK|F@v?0d8QlJIDLR&O!Xon*&46Yor?_QFjQ3-}4W~OubpdAX{}1%YQA$@o zCSK9hF0q_)1Wk)I;1$g+Fzvk!!99B7%FPhm!WzJq)r2FI+<{S9ox{6Fm zG3x>Mo_QS;uaL^mFBD&G7BE4w8~};|kWJG?_q~IuRRqj&HyXh`+&ngxDci@&0uy$Z zf29g$#?vj>q2BYmRl z(FG;JPuC#x?=K!f7kVGM(4f~k_d}lU2iOCa{vKLrTsoXz3+)P{?_}NFbU#n#yB>Kw z5cr1<&?}S$Fg)tQJ3-bDH)(ZaB@#PNvn1>fbe@{|&)qFSTk)|EB>a6xnxCJE!q?8# zD&4J^H{UJLoyji=bS;OKQh^ z8A2~{Llp)>y2W{8+2hadOFk}tw^edj0jbU`ATA1UOM=piR(=u>YhMubVo9YY!613S z(f@uEEU@oEY>bVAQvx^~2rb}~NUih=KIS1LMW5z@o}m>axWH5z8h(MvIK%m)X`qg< z-~3HVNty1%Lhj~n1&3Y~u;0(beX#iP#x}0!L0n$9bNbUGs4Hos=O9PrxE> z-z<7FI!)XM_NeNInc#t&@u}$p->FX@v-aZfaNp0LL*~EBE1f`CYU8DBNz1wKoOGrn zHET-A&tIz>xd+M+V2`gtP@`{Dw@7Sis+txiWEJ(H z9M(s)IwGG8zWsN)Wy*&rP@sm9huYGNJD_6Q(Hj;J`)D_L4rE$ii24ISH(+ym$OZQ_ z*lC|?Xb^%X3v_URSgGh1!!au$^HTrUY4+D1Wj_k?&LZ)o8P!xzw5Fm!U=D?me9+CXd29cXitbOK*X84hd-4(Iq7UBlh`;I~BJt1=NE9#M|N$`_`Vfa^?%f zhOl`1Sq-0zaN%=gd<2vW+W(vI*+spL`x20{@|vT%`rnEj$Bhv`(5BmhUKC07Muyn= 
zg@>26EdaF!@>LTkT|Wa33i${;5RZ`hR}-#5;NGEyV+Y`bG*`Vx>L0|cd|n%D-vtRC z9G)o-Z+cksCZ8LqsAOiy{Rf;EKY{@e3jjeQesnCXZh;kFKR+Z6CLwVHgo^fsYYg#M zV!r^hY`Z;)fdXeP8>Cy^Z3vd;5aihFF-qRtjL=_STQmFab_|vhV&?%{n5`1H61DQJ zvn%2rdE#e1e2f#{w3XLd{a*{OUv^_|JGaj*8V3ax#T>yMmMQkL+nypRGV#Y5 z9b>^J)iVLL8`PEGc<2cGR4a=Zfp}ot{~I@t{rP(>5}4?)5q0zRD6j_o8B#K!F#7~A z1#Fu@KSIGDCgykX5VS*J2cx@5Q-3_2A_3@mTfRGoV_>@6qzhb5ag<=9W2VzRXASRI-H}*1x;v&$6*80qG28dm8Q#ijcd>K0z!*@t=35(kNVj zrdPG`5X`+puLVPYt~MTQOatn78wrqn!0+f~Re!%d6r6&SS?iaP zM&}r`P5d)<5I-&w$uNxicf5iFKms)g;vZ5`#elyDe2Tm<84b9p)= zP`&{m^$UoWf$s|&d@ui+o;p;Y8fNA}}83~58r*LS_ z@jzpT43c15zyhZtz{f0#y;)VjOu$h;bb-{_kfneyPIo9>Fxwm<#L~D|H;?U)C7{DV zmb6vbB!h5$BH-)+H+NU&JS^=;Px2Xl8N5VJlRw9x@wq3kdnHK-2N8-wgxP?LhchF| zOT~TN8<;ukOov=XpUdk$o-k8o(5~Em$D#D|Hb9xmEi0-_C<~Xhhj*w8y0F!BBX;qg z48zZcX42;(T8CR{amwUqJJ}#G-a@O=l7Fh^ply0uMDra~22k780J`dPyr*%kORu`& z;-tkjT;gc^*dL$TN!Y|J^RTb2jR3yKc=^T;rB%spyyL+N#vEsH}JyZLoitfOeN~ZLy&F#H8x!Z!1GuIe~ zuYbn^o zBws`Y*e9H(t=DnK0Yj38Y$TT-Onv=??wz%`bYa^v5z(4|ESw+8 zX&-N7-6fBGFNTu?>5D7fVVG(Wmr&Fx4lhmpK6imEOUOREfkMCK5*``Z37Q3@f>SnQ z0?7r4sbj#Hh{^xt95w?)H3gHShk#cC(y0n{Jb!$BY4GAzm}fog@oymPfcGUS8G=x! zkQ%Z&{N^@Ln8PmmAR=xL+FJNuJV{%d0co*{^#eu=_>i`@0JLF_%~r0ysv@&Fuk92nK~DoD8C%UW4G_q7getgNI1HWH2AI z!?^-PfFiJ`00O}5=p^kvn8OPSYm5bB8JYaE_Q!<+2)d2wL!pqeZ2*8oFT+e)xm5W2Ta zfkK27kREldvBsf6xmaIJKH&+~=55fGHgwB;0j554wi*frDsC~`NYFrK+o|-E1RXS{qV|#%&6Ju|? 
From 2467c044b8f5ad08dbde342646983224b2ae05fd Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Fri, 24 Nov 2023 23:23:43 +0100 Subject: [PATCH 22/31] Add section on well-formedness --- book/source/09-verification.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index 059c48d..8f638e3 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md 
@@ -32,6 +32,18 @@ This is especially the case with signatures created by dedicated signing subkeys * **Revocation**: Lastly, signatures can be invalidated by revocations. +### Well-formedness of signatures +There is a number of criteria, that a signature must fulfill in order to be considered well-formed: + +- Each signature MUST have a signature creation time subpacket in its hashed subpacket area. A signature with only a unhashed creation time - or none at all - is not well-formed. +- The signature cannot be older than the key that issued it. +- Analogous, a signature with a creation time in the future needs to be rejected as well. +- A well-formed signature needs to carry an Issuer Fingerprint subpacket, or an Issuer KeyID subpacket. +It is generally recommended to place those in the hashed area of the signature, but a receiving implementation may also accept signatures which only contain unhashed copies of these subpackets. +- A signature disqualifies as well-formed, if it contains subpackets unknown to the implementation, which are marked as critical. +Unknown subpackets which are not marked as critical do not have an effect on whether the signature is well-formed. +- The same applies to notations. Critical, unknown notations result render the signature malformed. + (temporal-validity)= ### Temporal validity From 02146bbe96373e717f2ebfaf9dd107aaa0b0196f Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 25 Nov 2023 00:17:32 +0100 Subject: [PATCH 23/31] Incorporate super helpful feedback from @dvzrv --- book/source/09-verification.md | 93 ++++++++++++++++++++++------------ 1 file changed, 61 insertions(+), 32 deletions(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index 8f638e3..44e5826 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md 
@@ -7,7 +7,8 @@ SPDX-License-Identifier: CC-BY-SA-4.0 # Signature verification Signature verification in the OpenPGP protocol is a complex process. -There are lots of different factors that can influence the validity of a signature, most importantly its expiration date. +There are lots of different factors that can influence the validity of a signature. +Most importantly its expiration date: A signature can be valid at one point in time and invalid merely a second later. Signatures can be invalid due to the absence or presence of other signatures (e.g. revocations). Some signatures can be verified standalone, while others require the verification of a chain-like structure of other signatures, mostly within the issuer's certificate. @@ -49,9 +50,9 @@ Unknown subpackets which are not marked as critical do not have an effect on whe A signature is valid only for a constrained period of time: -- The creation time of the signature acts as a lower bound for the validity. A signature only becomes valid after its creation time. Hard revocation signatures are an exception: they are by definition valid since the dawn of time, and have no lower temporal bound. +- The creation time of the signature acts as a lower bound for the validity. A signature only becomes valid after its creation time. Hard revocation signatures are an exception: They are by definition valid at any point in time, and have no lower temporal bound. -- If present, the signature's expiration time defines an upper bound for its validity. +- If present, the signature's expiration time acts as a natural upper bound for its validity. When checking a signature for validity, a reference time is used. This can be the current time during validation, or a point in time that relates to the signature that is getting checked. 
@@ -64,19 +65,19 @@ The same reference time must be used when verifying additional qualifying signat Some signatures can be verified on their own, while others require the verification of additional signatures on the issuer certificate. We will call the former category *self-qualifying* signatures. Typically, self-qualifying signatures are self-signatures, meaning signatures issued by an OpenPGP key over its own components. -Examples for self-qualifying signatures are direct key self-signatures (0x1F), User ID self-certifications (0x10-0x13), key-revocation self-signatures (0x20), certification revocation self-signatures (0x30) or signatures used to bind or revoke subkeys (0x18, 0x19, 0x28). +Examples for self-qualifying signatures are direct key self-signatures (`0x1F`), User ID self-certifications (`0x10`-`0x13`), key-revocation self-signatures (`0x20`), certification revocation self-signatures (`0x30`) or signatures used to bind or revoke subkeys (`0x18`, `0x19`, `0x28`). -Examples for signatures which are not self-qualifying are data signatures (0x00, 0x01) and signatures issued over third-party certificates, such as third-party direct key signatures (0x1F) or key-revocations (0x20), third-party certification or revocation signatures (0x10-0x13, 0x30). +Examples for signatures which are not self-qualifying are data signatures (`0x00`, `0x01`) and signatures issued over third-party certificates, such as third-party direct key signatures (`0x1F`) or key-revocations (`0x20`), third-party certification or revocation signatures (`0x10`-`0x13`, `0x30`). ### Signature qualification -To verify non-self-qualifying signatures, it is not sufficient to only look at the signature itself. -The reason is, that the issuer (sub-) key needs to be qualified to create such a signature (e.g. because a special key-flag is required). -This qualification typically comes via another self-signature on the key itself. 
+To verify non-self-qualifying signatures, it is required to look at more than just the signature itself. +The reason is, that the issuer (sub-) key needs to be qualified to create such a signature (e.g. because a specific key-flag is required). +This qualification typically emerges via a self-signature on the key itself. -Instead, a chain of valid signatures from the signature itself to the primary key of the issuer certificate needs to be established. +In short, a chain of valid signatures from the signature itself to the primary key of the issuer certificate needs to be established. -For example, a data signature over an email body may be issued by a subkey only if that subkey is validly bound to the certificate via a subkey binding signature. That binding signature needs to contain a *key flags* subpacket that marks the subkey as *signing* capable. +For example, a data signature over an email body may be issued by a subkey only if that subkey is validly bound to the issuer's certificate via a subkey binding signature. That binding signature needs to contain a *key flags* subpacket that marks the subkey as *signing* capable. Similarly, certification signatures over third-party certificates require the issuer key to carry a self-signature with the *certification* key flag. Self-qualifying signatures have no such limitations. 
@@ -86,25 +87,33 @@ This construct is referred to as a [revocation certificate](https://www.ietf.org On the other hand, in order to verify a data signature over a text document, an implementation would need to verify not only the data signature itself, but also the binding signature (and back-signature) of the signing subkey, which qualify the signing subkey. ```{figure} mermaid/09-sigtree.png +:name: fig-signature-verification-signature-tree +:alt: Depicts a diagrammatic representation of a certificate and a data signature. Arrows between the primary key and other components of the certificate show, how signatures bind the certificate together. In this example, they form a tree of signatures, which all need to be verified in order for the data signature to be valid. Tree of signatures ``` ### Attribute shadowing -When determining preferences of a key, different signatures can be inspected. +When determining preferences of a key, several signatures may have to be inspected. For example, when using a signing subkey to generate a data signature, the implementation might want to check for hash algorithm preferences on the subkey binding signature. -At the same time, the specification states, that signature subpackets on the direct key signature of the OpenPGP keys primary key apply to the whole key (therefore also to the signing subkey). +However, the RFC [states](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-5.2.3.10-2), that signature subpackets on the direct key signature of the OpenPGP certificate's primary key (which also may contain preferences) apply to the entire OpenPGP key (therefore also to the signing subkey). In this case, the implementation uses the preferences from the subkey binding signature, but if no such subpacket is found on the latest binding signature, it falls back to the preferences of the direct key signature. 
This is called attribute shadowing, since direct key signature subpackets apply to all subkeys, but are shadowed by binding signature subpackets. ```{figure} drawio/attribute-shadowing.png +:name: fig-signature-verification-attribute-shadowing +:alt: Depicts a certificate with to dedicated signing subkeys and a subkey binding signature each. The primary key carries a direct-key signature, which specifies SHA-512 and SHA-256 as hash algorithm preferences. The binding signature of the first signing subkey does not specify preferences, while the binding signature of the second subkey defines SHA-384. Signatures made using the first subkey source the hash algorithm preferences from the direct-key signature, due to the absence of a preference subpacket on the binding signature, while for signature made using the second subkey the direct-key signature's preferences are shadowed by the subkey signatures preferences subpacket. -Attributes from the primary key's direct key signature apply to the whole certificate, but can be shadowed by binding signatures. +Inheritance and Shadowing of Attributes ``` -Note: Attribute shadowing should only be used for algorithm preferences, since there are subpacket types where shadowing makes no sense (e.g. key expiration time subpackets). +```{admonition} Note +:class: note + +Attribute shadowing should only be used for algorithm preferences, since there are subpacket types where shadowing makes no sense (e.g. key expiration time subpackets). +``` ### Signature shadowing 
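Review bot: The `:alt:` text added for the attribute-shadowing figure has two slips: "a certificate with to dedicated signing subkeys" should be "two", and "shadowed by the subkey signatures preferences subpacket" should be "the subkey binding signature's preferences subpacket". Both matter because the alt text is all a screen-reader user gets of the figure. In the reworded paragraph, the link text calls the source "the RFC" while the URL points at draft-ietf-openpgp-crypto-refresh-12, and the same sentence moves from "the OpenPGP certificate's primary key" to "the entire OpenPGP key". Settle on one term and name the draft as a draft.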
@@ -112,17 +121,25 @@ When inspecting signatures on a component of an OpenPGP certificate, of the sign In other words; If there are three binding signatures `A, B, C` for a subkey, where `A` was created at `t0`, `B` at `t1` and `C` at `t3` with `t0 < t1 < t2 < t3`, at `t2` an implementation only needs to consider `B`, as `C` is not yet in effect. `A` is shadowed, because it is older than `B`. ```{figure} drawio/cert-validity-subkey.png +:name: fig-signature-verification-subkey-validity +:alt: Depicts a gantt-style diagram visualizing how the validity of a certificates components changes over time, depending on component signatures. An example for how certificate validity can change with time. ``` -Note: Signature shadowing is not to be mistaken with attribute shadowing. +```{admonition} +:class: note -Attribute- and signature shadowing also combine, so it is not always obvious, what properties a key has at any given time. +Signature shadowing is not to be mistaken with attribute shadowing. +``` + +As attribute and signature shadowing can occur in combination, it is not always obvious, which properties a key has at a given time. ```{figure} drawio/dk-attributes-and-shadowing.png +:name: fig-signature-verification-signature-shadowing +:alt: Depicts a certificate with a subkey, whose capabilities change over time, due to signature shadowing another. -Signatures shadow another, based on reference time. +Signatures shadow one another, based on reference time. ``` ### Revocations 
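Review bot: The `{admonition}` block added around "Signature shadowing is not to be mistaken with attribute shadowing." has no title argument, only `:class: note`, and the directive expects a title. Either give it one, as the attribute-shadowing note earlier in this patch does with `{admonition} Note`, or use `{note}`. The new `:alt:` text on the last figure also trails off ("whose capabilities change over time, due to signature shadowing another") and should be completed to match the corrected caption "Signatures shadow one another, based on reference time."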
@@ -131,14 +148,18 @@ A signature might be *disqualified* by the presence of a revocation signature. Revocations can be limited in scope, e.g. a subkey-revocation signature only revokes a single subkey. Moreover, revocations can also be constrained to a certain validity period by including a soft revocation reason and expiration time in the revocation signature. -TODO: Give guidance, which revocations need to be considered for different types of signatures +```{admonition} +:class: todo + +Give guidance, which revocations need to be considered for different types of signatures +``` ## Which signatures take precedence? An OpenPGP certificate or component can have multiple signatures with conflicting information attached to it. -When verifying a non-self-qualifying signature, an implementation needs to identify self-qualifying signatures on the certificate to qualify that signature. -There might be more than one candidate for such a signature. +When verifying a non-self-qualifying signature, an implementation needs to consider self-qualifying signatures on the issuer's certificate for qualification. +There might be several signatures per component. For example, there might be multiple subkey binding signatures for the same subkey. In general, for each category of signatures, only that with the latest signature creation time is considered and takes precedence. 
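Review bot: Replacing "There might be more than one candidate for such a signature." with "There might be several signatures per component." loses the connection to qualification that the next sentences depend on. The point of this section is that several self-signatures can compete to qualify the same signature, and the new wording only says that components can carry several signatures. Suggest keeping the candidate framing, for example "There might be several candidate signatures per component." The preceding `+` line, "needs to consider self-qualifying signatures on the issuer's certificate for qualification", would also be clearer if it named what is being qualified.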
@@ -146,8 +167,10 @@ In general, for each category of signatures, only that with the latest signature Alternatively, there might be competing qualifying signatures of different types, e.g. a direct key signature and a self-certification signature on a primary User ID. In this case, depending on how a key is "addressed", different attributes from both candidates "shadow" another. -``` -TODO: Replace hash algorithm preferences with AEAD preferences for a more realistic example. +```{admonition} +:class: todo + +Replace hash algorithm preferences with AEAD preferences for a more realistic example. ``` For example, the latest direct key signature could list "SHA512, SHA384" as hash algorithm preferences, while the latest self-certification of User ID "Bob" could list "SHA256" only. 
@@ -165,24 +188,30 @@ If instead the user wants to write as "Bobby", the impementation should inspect However, since this signature does not carry any hash algorithm preferences subpacket, the implementation must fall back to the direct key signature instead. The same is true, if the certificate is used without any User ID as sender. -But it gets more complicated still. -Algorithm preferences can also "live" on subkey binding signatures, so if the certificate has a dedicated signing subkey, there is yet another signature which could take precedence. +To complicate things further: +Algorithm preferences can also be stated on subkey binding signatures, so if the certificate has a dedicated signing subkey, there is yet another signature which could take precedence. Preferences from the subkey binding signature take precedence over the direct key signature, but not over self-certifications on the User ID. -TODO: Have a table that lists which signatures take precedence in which cases. +```{admonition} +:class: todo -There can be more than one signature on a component. For example, there could be 3 direct key signatures, e.g. because the user extended the lifespan of their key 2 times already. +Have a table that lists which signatures take precedence in which cases. +``` + +There can be more than one signature on a component. As an example, there are 3 direct key signatures (e.g. due to extending the key's expiry two times). In general, for each component, only the newest self-signature is "in effect", and older signatures are "shadowed". For each certificate, there is at most one "active" direct key signature, for each User ID at most one active self-certification and for each subkey exactly one subkey binding. -TODO: direct key signatures can be revoked, canceling them, meaning an older one might get active? 
+ +```{admonition} +:class: todo + +direct key signatures can be revoked, [canceling them](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-5.2.3.10-4), meaning an older direct-key signature might become active again? The text of the spec is confusing here. +``` ## Complexity of the packet format -Unfortunately, the OpenPGP packet format allows for quite a lot of flexibility when composing certificates. -User ID packets for example, are not fixed in regard to their position, which means that an attacker (or canonicalizer) can change the order in which User IDs appear in the certificates packet sequence. +Unfortunately, the OpenPGP packet format allows a lot of flexibility when composing certificates. +User ID packets for example, are not fixed in regard to their position, which means that an attacker (or an implementations internal certificate canonicalization procedure) can change the order in which User IDs appear in the certificate's packet sequence. As a concrete example, consider a certificate with multiple User IDs, all marked as primary. Or equally, a certificate with multiple User IDs of which none is marked as primary. Clients might apply different heuristics to figure out, which User ID actually qualifies as the primary User ID here. - -You might wonder which signature on the primary key takes precedence in case of multiple signature candidates with conflicting signature subpackets. - From 98ec25786e59345e8f1ad7146abdf42f419cc19a Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Sat, 25 Nov 2023 20:15:11 +0100 Subject: [PATCH 24/31] ch9: fix admonition syntax --- book/source/09-verification.md | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index 44e5826..4d495ab 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md 
@@ -127,8 +127,7 @@ In other words; If there are three binding signatures `A, B, C` for a subkey, wh An example for how certificate validity can change with time. ``` -```{admonition} -:class: note +```{note} Signature shadowing is not to be mistaken with attribute shadowing. ``` @@ -148,8 +147,8 @@ A signature might be *disqualified* by the presence of a revocation signature. Revocations can be limited in scope, e.g. a subkey-revocation signature only revokes a single subkey. Moreover, revocations can also be constrained to a certain validity period by including a soft revocation reason and expiration time in the revocation signature. -```{admonition} -:class: todo +```{admonition} TODO +:class: warning Give guidance, which revocations need to be considered for different types of signatures ``` @@ -167,8 +166,8 @@ In general, for each category of signatures, only that with the latest signature Alternatively, there might be competing qualifying signatures of different types, e.g. a direct key signature and a self-certification signature on a primary User ID. In this case, depending on how a key is "addressed", different attributes from both candidates "shadow" another. -```{admonition} -:class: todo +```{admonition} TODO +:class: warning Replace hash algorithm preferences with AEAD preferences for a more realistic example. ``` @@ -192,8 +191,8 @@ To complicate things further: Algorithm preferences can also be stated on subkey binding signatures, so if the certificate has a dedicated signing subkey, there is yet another signature which could take precedence. Preferences from the subkey binding signature take precedence over the direct key signature, but not over self-certifications on the User ID. -```{admonition} -:class: todo +```{admonition} TODO +:class: warning Have a table that lists which signatures take precedence in which cases. ``` 
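Review bot: Switching the open items to `{admonition} TODO` with `:class: warning` fixes the missing title but makes editorial TODOs render like reader-facing warnings in the built book. In a chapter about verification, a box such as "Give guidance, which revocations need to be considered for different types of signatures" then looks like a caution to implementers rather than an unfinished section. A distinct class for TODO boxes, or Sphinx's `todo` directive if the build can enable that extension, would keep the two apart and make the open items easy to find before release.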
@@ -202,8 +201,8 @@ There can be more than one signature on a component. As an example, there are 3 In general, for each component, only the newest self-signature is "in effect", and older signatures are "shadowed". For each certificate, there is at most one "active" direct key signature, for each User ID at most one active self-certification and for each subkey exactly one subkey binding. -```{admonition} -:class: todo +```{admonition} TODO +:class: warning direct key signatures can be revoked, [canceling them](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-5.2.3.10-4), meaning an older direct-key signature might become active again? The text of the spec is confusing here. ``` From 1b33c10bf59315c215cb8d83219498c37f2be853 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Sun, 26 Nov 2023 14:56:21 +0100 Subject: [PATCH 25/31] ci: codespell fix --- book/source/09-verification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index 4d495ab..9820afc 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md @@ -183,7 +183,7 @@ Preferences are sourced from signatures on different components, depending on ho ``` If the user wants to write an email as "Bob", it should consider the signature on "Bob", so SHA256 should be used as hash algorithm. -If instead the user wants to write as "Bobby", the impementation should inspect the self-certification on "Bobby" instead. +If instead the user wants to write as "Bobby", the implementation should inspect the self-certification on "Bobby" instead. However, since this signature does not carry any hash algorithm preferences subpacket, the implementation must fall back to the direct key signature instead. The same is true, if the certificate is used without any User ID as sender. From 844f0a356120c2c27b1b588bc6d8af72efa142fe Mon Sep 17 00:00:00 2001 
From: Heiko Schaefer Date: Sun, 26 Nov 2023 14:58:34 +0100 Subject: [PATCH 26/31] ci: exclude input/ from codespell errors --- book/.codespellrc | 2 +- book/Makefile | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/book/.codespellrc b/book/.codespellrc index 24cc09d..3fe0661 100644 --- a/book/.codespellrc +++ b/book/.codespellrc @@ -2,4 +2,4 @@ # SPDX-License-Identifier: CC0-1.0 [codespell] -skip = ./build,./source/diag/*.svg +skip = ./build,./input,./source/diag/*.svg diff --git a/book/Makefile b/book/Makefile index 8e84021..8f8e64e 100644 --- a/book/Makefile +++ b/book/Makefile @@ -30,6 +30,7 @@ html-linkcheck: clean html codespell: @$(PRINTF) "The following change suggestions are only warnings! (Please don't fix them)\n" @$(CODESPELL) source/diag || true + @$(CODESPELL) input/ || true @$(PRINTF) "The following change suggestions are errors!\n" @$(CODESPELL) . From 1a71f94d122976ad2e79cd39b306eef0e09a3cde Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Sun, 26 Nov 2023 15:00:21 +0100 Subject: [PATCH 27/31] ci: reuse fix --- .reuse/dep5 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.reuse/dep5 b/.reuse/dep5 index 6ff7050..99ef9e6 100644 --- a/.reuse/dep5 +++ b/.reuse/dep5 @@ -7,7 +7,7 @@ Files: book/source/diag/*.png book/source/diag/*.svg Copyright: 2023 The "Notes on OpenPGP" project License: CC-BY-SA-4.0 -Files: book/source/mermaid/*.png +Files: book/source/drawio/* book/input/09-sigtree.md book/source/mermaid/*.png Copyright: 2023 The "Notes on OpenPGP" project License: CC-BY-SA-4.0 From 1a280ab49998a8f4c775a203a538063c9ea8cbec Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Sun, 26 Nov 2023 17:24:59 +0100 Subject: [PATCH 28/31] minor edits --- book/source/09-verification.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index 9820afc..eb70c08 100644 --- a/book/source/09-verification.md 
+++ b/book/source/09-verification.md @@ -8,10 +8,10 @@ SPDX-License-Identifier: CC-BY-SA-4.0 Signature verification in the OpenPGP protocol is a complex process. There are lots of different factors that can influence the validity of a signature. -Most importantly its expiration date: +Most importantly, its expiration date: A signature can be valid at one point in time and invalid merely a second later. -Signatures can be invalid due to the absence or presence of other signatures (e.g. revocations). -Some signatures can be verified standalone, while others require the verification of a chain-like structure of other signatures, mostly within the issuer's certificate. +Signatures can be invalid due to the absence or presence of other signatures (e.g., revocations). +Some signatures can be verified standalone, while others require the verification of a chain-like structure of signatures, mostly within the issuer's certificate. ## When are signatures valid? @@ -34,6 +34,7 @@ This is especially the case with signatures created by dedicated signing subkeys Lastly, signatures can be invalidated by revocations. ### Well-formedness of signatures + There is a number of criteria, that a signature must fulfill in order to be considered well-formed: - Each signature MUST have a signature creation time subpacket in its hashed subpacket area. A signature with only a unhashed creation time - or none at all - is not well-formed. 
@@ -51,7 +52,6 @@ Unknown subpackets which are not marked as critical do not have an effect on whe A signature is valid only for a constrained period of time: - The creation time of the signature acts as a lower bound for the validity. A signature only becomes valid after its creation time. Hard revocation signatures are an exception: They are by definition valid at any point in time, and have no lower temporal bound. - - If present, the signature's expiration time acts as a natural upper bound for its validity. When checking a signature for validity, a reference time is used. @@ -84,7 +84,7 @@ Self-qualifying signatures have no such limitations. For example, a certificate consisting only of a primary key and a single key-revocation self-signature contains everything needed to verify the revocation, as key-revocation self-signatures are self-qualifying. This construct is referred to as a [revocation certificate](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-openpgp-v6-revocation-certi). -On the other hand, in order to verify a data signature over a text document, an implementation would need to verify not only the data signature itself, but also the binding signature (and back-signature) of the signing subkey, which qualify the signing subkey. +On the other hand, to verify a data signature over a text document, an implementation needs to verify not only the data signature itself, but also the binding signature (and back-signature) of the signing subkey which qualifies the signing subkey. ```{figure} mermaid/09-sigtree.png :name: fig-signature-verification-signature-tree 
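Review bot: On the rewritten `+` line, "the binding signature (and back-signature) of the signing subkey which qualifies the signing subkey" now reads as if the subkey qualifies itself. The removed line had the plural "which qualify", referring to the binding signature and back-signature together. Suggest "the binding signature (and back-signature) of the signing subkey, which together qualify that subkey", keeping the comma so the relative clause attaches to the signatures.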
@@ -164,7 +164,7 @@ For example, there might be multiple subkey binding signatures for the same subk In general, for each category of signatures, only that with the latest signature creation time is considered and takes precedence. Alternatively, there might be competing qualifying signatures of different types, e.g. a direct key signature and a self-certification signature on a primary User ID. -In this case, depending on how a key is "addressed", different attributes from both candidates "shadow" another. +In this case, depending on how a key is "addressed," different attributes from both candidates "shadow" another. ```{admonition} TODO :class: warning 
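Review bot: The only change on this line moves the comma inside the quotation marks, while the sentence still ends with `"shadow" another`. The figure caption was already corrected to "Signatures shadow one another" earlier in the series, so this sentence should read "shadow one another" as well. It is worth fixing in the same pass since the line is being touched anyway.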
@@ -173,17 +173,17 @@ Replace hash algorithm preferences with AEAD preferences for a more realistic ex ``` For example, the latest direct key signature could list "SHA512, SHA384" as hash algorithm preferences, while the latest self-certification of User ID "Bob" could list "SHA256" only. -For yet another User ID "Bobby", the self-signature could list no hash algorithm preferences at all. +For yet another User ID "Bobby," the self-signature could list no hash algorithm preferences at all. If the user wants to compose a signed message using the associated OpenPGP key, they need to figure out, which preferences to use. -The specification recommends, that implementations decide which signature takes precedence by the way the certificate is "addressed". +The specification recommends that implementations decide which signature takes precedence by the way the certificate is "addressed." ```{figure} drawio/narrow-interpretation.png Preferences are sourced from signatures on different components, depending on how the key is addressed. ``` -If the user wants to write an email as "Bob", it should consider the signature on "Bob", so SHA256 should be used as hash algorithm. -If instead the user wants to write as "Bobby", the implementation should inspect the self-certification on "Bobby" instead. +If the user wants to write an email as "Bob," it should consider the signature on "Bob," so SHA256 should be used as hash algorithm. +If instead the user wants to write as "Bobby," the implementation should inspect the self-certification on "Bobby" instead. However, since this signature does not carry any hash algorithm preferences subpacket, the implementation must fall back to the direct key signature instead. The same is true, if the certificate is used without any User ID as sender. 
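Review bot: In the rewritten line "If the user wants to write an email as "Bob," it should consider the signature on "Bob,"", the pronoun "it" has only "the user" as antecedent, although the actor is the implementation, as the following line makes explicit ("the implementation should inspect"). Suggest "the implementation should consider the self-certification on "Bob"". The hunk also writes the algorithms as "SHA512, SHA384" and "SHA256", while the figure alt text added earlier uses "SHA-512", "SHA-256" and "SHA-384"; one spelling throughout would avoid readers wondering whether these are different identifiers.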
@@ -197,8 +197,8 @@ Preferences from the subkey binding signature take precedence over the direct ke Have a table that lists which signatures take precedence in which cases. ``` -There can be more than one signature on a component. As an example, there are 3 direct key signatures (e.g. due to extending the key's expiry two times). -In general, for each component, only the newest self-signature is "in effect", and older signatures are "shadowed". +There can be more than one signature on a component. As an example, there are 3 direct key signatures (e.g., due to extending the key's expiry two times). +In general, for each component, only the newest self-signature is "in effect," and older signatures are "shadowed." For each certificate, there is at most one "active" direct key signature, for each User ID at most one active self-certification and for each subkey exactly one subkey binding. ```{admonition} TODO @@ -210,7 +210,7 @@ direct key signatures can be revoked, [canceling them](https://www.ietf.org/arch ## Complexity of the packet format Unfortunately, the OpenPGP packet format allows a lot of flexibility when composing certificates. -User ID packets for example, are not fixed in regard to their position, which means that an attacker (or an implementations internal certificate canonicalization procedure) can change the order in which User IDs appear in the certificate's packet sequence. +User ID packets, for example, are not fixed in regard to their position, which means that an attacker (or an implementations internal certificate canonicalization procedure) can change the order in which User IDs appear in the certificate's packet sequence. As a concrete example, consider a certificate with multiple User IDs, all marked as primary. Or equally, a certificate with multiple User IDs of which none is marked as primary. Clients might apply different heuristics to figure out, which User ID actually qualifies as the primary User ID here. 
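Review bot: The `+` line in the packet-format paragraph still has "an implementations internal certificate canonicalization procedure", which needs the possessive "implementation's". On substance, the paragraph establishes that User ID order can be changed by an attacker and then ends at "Clients might apply different heuristics" without saying what follows for a verifier. A closing sentence stating that the choice of primary User ID should not depend on packet order would give the reader the conclusion that the example is building towards. In the preceding hunk, "As an example, there are 3 direct key signatures" reads as a statement of fact about some specific certificate; "there could be three" keeps it hypothetical.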
From f446b12548eadc89a1b034c4362300c4d8dd876d Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Sun, 26 Nov 2023 17:45:25 +0100 Subject: [PATCH 29/31] edits for clarity --- book/source/09-verification.md | 159 ++++++++++++++++++++------------- 1 file changed, 96 insertions(+), 63 deletions(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index eb70c08..41e857f 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md 
@@ -7,80 +7,97 @@ SPDX-License-Identifier: CC-BY-SA-4.0 # Signature verification Signature verification in the OpenPGP protocol is a complex process. -There are lots of different factors that can influence the validity of a signature. -Most importantly, its expiration date: -A signature can be valid at one point in time and invalid merely a second later. +Many factors influence the validity of a signature. + +Firstly, its expiration date: A signature can be valid at one point in time and expired a second later. + Signatures can be invalid due to the absence or presence of other signatures (e.g., revocations). Some signatures can be verified standalone, while others require the verification of a chain-like structure of signatures, mostly within the issuer's certificate. ## When are signatures valid? -As a necessary condition, a valid signature must be [cryptographically correct](sig-verify), meaning the signature, as well as the signed information must be intact. -However, there is a difference between signature *correctness* and *validity*. -A signature might be cryptographically correct, but still not qualify as a *valid* signature. +As a necessary condition, a valid signature must be [cryptographically correct](sig-verify). This means that both the signature and its signed input data must be intact. + +However, there is a difference between signature *correctness* and *validity*: + +A signature may be cryptographically correct, but still not qualify as a *valid* signature. Put mathematically, the set of valid signatures is a subset of the set of correct signatures. The validity of a correct signature is additionally constrained by a number of conditions: -* **Well-formedness**: - Signatures need to be well-formed, meaning they must contain required signature subpackets in the proper subpacket area and must not contain unknown critical subpackets or unknown critical notations. 
-Note: This also means that a signature might be considered valid by one implementation and be rejected by another. -Some implementations further apply a policy when verifying signatures, putting constraints on accepted hash- and key algorithms and key strengths. -* **Temporal validity**: - Most signatures have a limited validity period, constrained by the signature creation- and expiration time. -* **Qualification**: - Furthermore, some signatures need to be *qualified* by other valid signatures in order to be considered valid. -This is especially the case with signatures created by dedicated signing subkeys, where, in addition to the signature itself, the subkeys binding signature(s) must be verified. -* **Revocation**: - Lastly, signatures can be invalidated by revocations. + +* **Well-formedness**: Signature packets need to be well-formed, meaning they must contain the required signature subpackets in the proper subpacket area and must not contain unknown critical subpackets or unknown critical notations[^unknown-critical]. Some implementations additionally apply a policy that constrains accepted hash algorithms, cryptographic algorithms, and key strengths. +* **Temporal validity**: Most signatures have a limited validity period, constrained by the signature creation- and expiration time. +* **Qualification**: Furthermore, some signatures need to be *qualified* by other valid signatures in order to be considered valid. This is especially the case with signatures created by dedicated signing subkeys, where, in addition to the signature itself, the subkeys binding signature(s) must be verified. +* **Revocation**: Lastly, signatures can be invalidated by revocations. + +[^unknown-critical]: Note that this implies that a signature might be considered valid by one implementation and be rejected by another, based on the set of subpackets and notations each implementation is aware of. 
### Well-formedness of signatures -There is a number of criteria, that a signature must fulfill in order to be considered well-formed: +There are a number of criteria that a signature must fulfill to be considered well-formed: -- Each signature MUST have a signature creation time subpacket in its hashed subpacket area. A signature with only a unhashed creation time - or none at all - is not well-formed. -- The signature cannot be older than the key that issued it. -- Analogous, a signature with a creation time in the future needs to be rejected as well. -- A well-formed signature needs to carry an Issuer Fingerprint subpacket, or an Issuer KeyID subpacket. -It is generally recommended to place those in the hashed area of the signature, but a receiving implementation may also accept signatures which only contain unhashed copies of these subpackets. -- A signature disqualifies as well-formed, if it contains subpackets unknown to the implementation, which are marked as critical. -Unknown subpackets which are not marked as critical do not have an effect on whether the signature is well-formed. -- The same applies to notations. Critical, unknown notations result render the signature malformed. +- Each signature MUST have a signature creation time subpacket in its hashed subpacket area. A signature with only an unhashed creation time - or none at all - is not well-formed. +- The signature cannot be older than the component key that issued it. +- Analogously, a signature with a creation time in the future needs to be rejected as well. +- A well-formed signature needs to carry an Issuer Fingerprint subpacket, or an Issuer KeyID subpacket. It is generally recommended to place Issuer subpackets in the hashed area of the signature, but a receiving implementation may also accept signatures which only contain unhashed copies of these subpackets. 
+- A signature disqualifies as well-formed if it contains subpackets which are marked as critical, but unknown to the receiving implementation. Unknown subpackets which are not marked as critical do not have an effect on whether the signature is well-formed. +- The same applies to notations. Unknown notations that are marked as critical render the signature malformed. (temporal-validity)= ### Temporal validity A signature is valid only for a constrained period of time: -- The creation time of the signature acts as a lower bound for the validity. A signature only becomes valid after its creation time. Hard revocation signatures are an exception: They are by definition valid at any point in time, and have no lower temporal bound. +- The creation time of the signature acts as a lower bound for the validity. A signature only becomes valid at its creation time. Hard revocation signatures are an exception: They are by definition valid at any point in time, and have no lower temporal bound. - If present, the signature's expiration time acts as a natural upper bound for its validity. -When checking a signature for validity, a reference time is used. -This can be the current time during validation, or a point in time that relates to the signature that is getting checked. -For example, when checking a signature in an email, the reference time might be the signature creation time, or the time of receipt for the email. +When checking a signature for validity, a reference time is used. The validity of the signature is evaluated at that reference time. + +The reference time can be: + +- the current time during validation, or +- another point in time that is significant to the signature that is validated. For example, when checking the signature of an email, the reference time might be the signature creation time, or the time of receipt of the email. + For the signature to qualify as valid, it needs to be in effect. 
In other words, the reference time must fall into the period between signature creation and signature expiration. -The same reference time must be used when verifying additional qualifying signatures. +The same reference time must be used when verifying required qualifying signatures, if any. ### Self-qualifying and non-self-qualifying signatures Some signatures can be verified on their own, while others require the verification of additional signatures on the issuer certificate. We will call the former category *self-qualifying* signatures. -Typically, self-qualifying signatures are self-signatures, meaning signatures issued by an OpenPGP key over its own components. -Examples for self-qualifying signatures are direct key self-signatures (`0x1F`), User ID self-certifications (`0x10`-`0x13`), key-revocation self-signatures (`0x20`), certification revocation self-signatures (`0x30`) or signatures used to bind or revoke subkeys (`0x18`, `0x19`, `0x28`). -Examples for signatures which are not self-qualifying are data signatures (`0x00`, `0x01`) and signatures issued over third-party certificates, such as third-party direct key signatures (`0x1F`) or key-revocations (`0x20`), third-party certification or revocation signatures (`0x10`-`0x13`, `0x30`). +Typically, self-qualifying signatures are self-signatures, meaning signatures issued by an OpenPGP primary key for the components in its certificate. + +Examples for self-qualifying signatures are: + +- direct key self-signatures (`0x1F`), +- User ID self-certifications (`0x10`-`0x13`), +- key-revocation self-signatures (`0x20`), +- certification revocation self-signatures (`0x30`) or +- self-signatures used to bind or revoke subkeys (`0x18`, `0x19`, `0x28`). 
+ +Examples for signatures which are not self-qualifying are: + +- data signatures (`0x00`, `0x01`) and +- signatures issued over third-party certificates, such as: + - third-party direct key signatures (`0x1F`), + - third-party key-revocations (`0x20`), + - third-party certification (`0x10`-`0x13`), or + - third-party certification revocation signatures (`0x30`). ### Signature qualification -To verify non-self-qualifying signatures, it is required to look at more than just the signature itself. -The reason is, that the issuer (sub-) key needs to be qualified to create such a signature (e.g. because a specific key-flag is required). -This qualification typically emerges via a self-signature on the key itself. +To verify non-self-qualifying signatures, it is necessary to look at more than just the signature itself. + +This is required because the issuing component key needs to be qualified to create such a signature (e.g., because a specific capability key flag is required). The qualification typically emerges via a self-signature on the key itself. In short, a chain of valid signatures from the signature itself to the primary key of the issuer certificate needs to be established. For example, a data signature over an email body may be issued by a subkey only if that subkey is validly bound to the issuer's certificate via a subkey binding signature. That binding signature needs to contain a *key flags* subpacket that marks the subkey as *signing* capable. -Similarly, certification signatures over third-party certificates require the issuer key to carry a self-signature with the *certification* key flag. +Similarly, certification signatures over third-party certificates require the issuer key to carry a valid self-signature with the *certification* key flag. Self-qualifying signatures have no such limitations. 
+ For example, a certificate consisting only of a primary key and a single key-revocation self-signature contains everything needed to verify the revocation, as key-revocation self-signatures are self-qualifying. This construct is referred to as a [revocation certificate](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-openpgp-v6-revocation-certi). 
@@ -90,16 +107,17 @@ On the other hand, to verify a data signature over a text document, an implement :name: fig-signature-verification-signature-tree :alt: Depicts a diagrammatic representation of a certificate and a data signature. Arrows between the primary key and other components of the certificate show, how signatures bind the certificate together. In this example, they form a tree of signatures, which all need to be verified in order for the data signature to be valid. -Tree of signatures +Tree of signatures that qualify a data signature ``` ### Attribute shadowing -When determining preferences of a key, several signatures may have to be inspected. -For example, when using a signing subkey to generate a data signature, the implementation might want to check for hash algorithm preferences on the subkey binding signature. -However, the RFC [states](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-5.2.3.10-2), that signature subpackets on the direct key signature of the OpenPGP certificate's primary key (which also may contain preferences) apply to the entire OpenPGP key (therefore also to the signing subkey). +When determining the preferences of a key, several signatures may have to be inspected. -In this case, the implementation uses the preferences from the subkey binding signature, but if no such subpacket is found on the latest binding signature, it falls back to the preferences of the direct key signature. +For example, when using a signing subkey to generate a data signature, an implementation might want to check for hash algorithm preferences on the subkey binding signature. +However, the RFC [states](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-5.2.3.10-2) that signature subpackets in a direct key signature (which may also contain preferences) on the OpenPGP certificate's primary key apply to the entire OpenPGP key, and therefore also to the signing subkey. 
+ +In this case, the implementation uses the preferences from the subkey binding signature, but if no such subpacket is found on the latest binding signature, it falls back to the preferences from the direct key signature. This is called attribute shadowing, since direct key signature subpackets apply to all subkeys, but are shadowed by binding signature subpackets. ```{figure} drawio/attribute-shadowing.png @@ -112,13 +130,23 @@ Inheritance and Shadowing of Attributes ```{admonition} Note :class: note -Attribute shadowing should only be used for algorithm preferences, since there are subpacket types where shadowing makes no sense (e.g. key expiration time subpackets). +Attribute shadowing is relatively straightforward to reason about when used for algorithm preferences. For other subpacket types, shadowing may be confusing, and/or the semantics underspecified (e.g. for key expiration time subpackets). ``` ### Signature shadowing When inspecting signatures on a component of an OpenPGP certificate, of the signatures that are in effect for each function, only the newest is considered. -In other words; If there are three binding signatures `A, B, C` for a subkey, where `A` was created at `t0`, `B` at `t1` and `C` at `t3` with `t0 < t1 < t2 < t3`, at `t2` an implementation only needs to consider `B`, as `C` is not yet in effect. `A` is shadowed, because it is older than `B`. + +In other words: +- If there are three binding signatures `A, B, C` for a subkey, +- where: + - `A` was created at `t0`, + - `B` at `t1`, and + - `C` at `t3`, with + - `t0 < t1 < t2 < t3`. +- Then at `t2`, an implementation only needs to consider signature `B`, + - because `C` is not yet in effect, and + - `A` is shadowed, because it is older than `B`. ```{figure} drawio/cert-validity-subkey.png :name: fig-signature-verification-subkey-validity 
@@ -129,10 +157,10 @@ An example for how certificate validity can change with time. ```{note} -Signature shadowing is not to be mistaken with attribute shadowing. +Signature shadowing should not be confused with attribute shadowing. ``` -As attribute and signature shadowing can occur in combination, it is not always obvious, which properties a key has at a given time. +As attribute and signature shadowing can occur in combination, it is not always obvious which properties a key has at a given time. ```{figure} drawio/dk-attributes-and-shadowing.png :name: fig-signature-verification-signature-shadowing 
@@ -143,27 +171,28 @@ Signatures shadow one another, based on reference time. ### Revocations -A signature might be *disqualified* by the presence of a revocation signature. -Revocations can be limited in scope, e.g. a subkey-revocation signature only revokes a single subkey. +A signature can be *disqualified* by the presence of a revocation signature. + +Revocations can be limited in scope, e.g., a subkey-revocation signature only revokes a single subkey. Moreover, revocations can also be constrained to a certain validity period by including a soft revocation reason and expiration time in the revocation signature. ```{admonition} TODO :class: warning -Give guidance, which revocations need to be considered for different types of signatures +Give guidance which revocations need to be considered for different types of signatures ``` ## Which signatures take precedence? -An OpenPGP certificate or component can have multiple signatures with conflicting information attached to it. +Multiple signatures can be attached to an OpenPGP certificate or component. These signatures can contain conflicting information. -When verifying a non-self-qualifying signature, an implementation needs to consider self-qualifying signatures on the issuer's certificate for qualification. +When verifying a signature that is not self-qualifying, an implementation needs to consider self-qualifying signatures on the issuer's certificate for qualification. There might be several signatures per component. -For example, there might be multiple subkey binding signatures for the same subkey. -In general, for each category of signatures, only that with the latest signature creation time is considered and takes precedence. +For example, there could be multiple subkey binding signatures for one subkey. +In general, for each category of signatures, only the signature with the latest creation time is considered and takes precedence. 
-Alternatively, there might be competing qualifying signatures of different types, e.g. a direct key signature and a self-certification signature on a primary User ID. +Alternatively, there might be competing qualifying signatures of different types, e.g., a direct key signature and a self-certification signature on a primary User ID. In this case, depending on how a key is "addressed," different attributes from both candidates "shadow" another. ```{admonition} TODO @@ -172,9 +201,10 @@ In this case, depending on how a key is "addressed," different attributes from b Replace hash algorithm preferences with AEAD preferences for a more realistic example. ``` -For example, the latest direct key signature could list "SHA512, SHA384" as hash algorithm preferences, while the latest self-certification of User ID "Bob" could list "SHA256" only. +For example, the latest direct key signature could list "SHA512, SHA384" as hash algorithm preferences, while the latest self-certification of the User ID "Bob" could list only "SHA256." For yet another User ID "Bobby," the self-signature could list no hash algorithm preferences at all. -If the user wants to compose a signed message using the associated OpenPGP key, they need to figure out, which preferences to use. +If the user wants to compose a signed message using the associated OpenPGP key they need to figure out which preferences to use. + The specification recommends that implementations decide which signature takes precedence by the way the certificate is "addressed." ```{figure} drawio/narrow-interpretation.png 
@@ -185,7 +215,7 @@ Preferences are sourced from signatures on different components, depending on ho If the user wants to write an email as "Bob," it should consider the signature on "Bob," so SHA256 should be used as hash algorithm. If instead the user wants to write as "Bobby," the implementation should inspect the self-certification on "Bobby" instead. However, since this signature does not carry any hash algorithm preferences subpacket, the implementation must fall back to the direct key signature instead. -The same is true, if the certificate is used without any User ID as sender. +The same is true if the certificate is used without any User ID as sender. To complicate things further: Algorithm preferences can also be stated on subkey binding signatures, so if the certificate has a dedicated signing subkey, there is yet another signature which could take precedence. @@ -197,7 +227,7 @@ Preferences from the subkey binding signature take precedence over the direct ke Have a table that lists which signatures take precedence in which cases. ``` -There can be more than one signature on a component. As an example, there are 3 direct key signatures (e.g., due to extending the key's expiry two times). +There can be more than one signature on a component. As an example, there are 3 direct key signatures (e.g., because the key's expiry has been extended two times). In general, for each component, only the newest self-signature is "in effect," and older signatures are "shadowed." For each certificate, there is at most one "active" direct key signature, for each User ID at most one active self-certification and for each subkey exactly one subkey binding. 
@@ -209,8 +239,11 @@ direct key signatures can be revoked, [canceling them](https://www.ietf.org/arch ## Complexity of the packet format -Unfortunately, the OpenPGP packet format allows a lot of flexibility when composing certificates. -User ID packets, for example, are not fixed in regard to their position, which means that an attacker (or an implementations internal certificate canonicalization procedure) can change the order in which User IDs appear in the certificate's packet sequence. +OpenPGP certificates can contain complex preference settings. Additionally, the OpenPGP packet format allows a lot of flexibility when storing certificates in TPK format. -As a concrete example, consider a certificate with multiple User IDs, all marked as primary. Or equally, a certificate with multiple User IDs of which none is marked as primary. -Clients might apply different heuristics to figure out, which User ID actually qualifies as the primary User ID here. +User ID packets, for example, do not have a fixed position in a TPK. This means an attacker (or an implementation-internal certificate canonicalization procedure) can change the order in which User IDs appear in the certificate's packet sequence. + +As a concrete example, consider a certificate with multiple User IDs, all marked as primary. Or similarly, a certificate with multiple User IDs of which none is marked as primary. +Clients might apply different heuristics to figure out which User ID actually qualifies as the primary User ID here. + +Such subtle changes to the representation of a certificate can lead to different preference settings being deduced, by different OpenPGP implementations. From cb4f358a0bac9d48ddfc11172bdb66fb39bc8145 Mon Sep 17 00:00:00 2001 
From: Heiko Schaefer Date: Sun, 26 Nov 2023 21:58:59 +0100 Subject: [PATCH 30/31] ch9: initial stab at splitting out "advanced" material --- book/source/09-verification.md | 40 ++++++++++++++++++---------------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index 41e857f..c51d3ec 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md @@ -32,7 +32,7 @@ The validity of a correct signature is additionally constrained by a number of c [^unknown-critical]: Note that this implies that a signature might be considered valid by one implementation and be rejected by another, based on the set of subpackets and notations each implementation is aware of. -### Well-formedness of signatures +## Well-formedness of signatures There are a number of criteria that a signature must fulfill to be considered well-formed: @@ -44,7 +44,7 @@ There are a number of criteria that a signature must fulfill to be considered we - The same applies to notations. Unknown notations that are marked as critical render the signature malformed. (temporal-validity)= -### Temporal validity +## Temporal validity A signature is valid only for a constrained period of time: @@ -62,7 +62,7 @@ For the signature to qualify as valid, it needs to be in effect. In other words, The same reference time must be used when verifying required qualifying signatures, if any. -### Self-qualifying and non-self-qualifying signatures +## Self-qualifying and non-self-qualifying signatures Some signatures can be verified on their own, while others require the verification of additional signatures on the issuer certificate. We will call the former category *self-qualifying* signatures. 
@@ -85,7 +85,7 @@ Examples for signatures which are not self-qualifying are: - third-party certification (`0x10`-`0x13`), or - third-party certification revocation signatures (`0x30`). -### Signature qualification +## Signature qualification To verify non-self-qualifying signatures, it is necessary to look at more than just the signature itself. @@ -110,6 +110,21 @@ On the other hand, to verify a data signature over a text document, an implement Tree of signatures that qualify a data signature ``` +## Revocations + +A signature can be *disqualified* by the presence of a revocation signature. + +Revocations can be limited in scope, e.g., a subkey-revocation signature only revokes a single subkey. +Moreover, revocations can also be constrained to a certain validity period by including a soft revocation reason and expiration time in the revocation signature. + +```{admonition} TODO +:class: warning + +Give guidance which revocations need to be considered for different types of signatures +``` + +## Advanced topics + ### Attribute shadowing When determining the preferences of a key, several signatures may have to be inspected. 
@@ -169,20 +184,7 @@ As attribute and signature shadowing can occur in combination, it is not always Signatures shadow one another, based on reference time. ``` -### Revocations - -A signature can be *disqualified* by the presence of a revocation signature. - -Revocations can be limited in scope, e.g., a subkey-revocation signature only revokes a single subkey. -Moreover, revocations can also be constrained to a certain validity period by including a soft revocation reason and expiration time in the revocation signature. - -```{admonition} TODO -:class: warning - -Give guidance which revocations need to be considered for different types of signatures -``` - -## Which signatures take precedence? +### Which signatures take precedence? Multiple signatures can be attached to an OpenPGP certificate or component. These signatures can contain conflicting information. @@ -237,7 +239,7 @@ For each certificate, there is at most one "active" direct key signature, for ea direct key signatures can be revoked, [canceling them](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-5.2.3.10-4), meaning an older direct-key signature might become active again? The text of the spec is confusing here. ``` -## Complexity of the packet format +### Complexity of the packet format OpenPGP certificates can contain complex preference settings. Additionally, the OpenPGP packet format allows a lot of flexibility when storing certificates in TPK format. From 33b02230736ff5fd0ebb56c0410a74ee65f9d0ff Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Mon, 27 Nov 2023 14:37:26 +0100 Subject: [PATCH 31/31] Clarify well-formedness also see: https://codeberg.org/openpgp/notes/pulls/108#issuecomment-1355448 --- book/source/09-verification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/book/source/09-verification.md b/book/source/09-verification.md index c51d3ec..168d4e0 100644 --- a/book/source/09-verification.md +++ b/book/source/09-verification.md 
@@ -25,7 +25,7 @@ Put mathematically, the set of valid signatures is a subset of the set of correc The validity of a correct signature is additionally constrained by a number of conditions: -* **Well-formedness**: Signature packets need to be well-formed, meaning they must contain the required signature subpackets in the proper subpacket area and must not contain unknown critical subpackets or unknown critical notations[^unknown-critical]. Some implementations additionally apply a policy that constrains accepted hash algorithms, cryptographic algorithms, and key strengths. +* **Well-formedness**: Signature packets need to be well-formed. This means that they must contain suitable signature metadata (this includes: the required signature subpackets must be present in the proper subpacket area). The signature metadata must not contain unknown critical subpackets or unknown critical notations[^unknown-critical]. Some implementations additionally apply a policy that constrains accepted hash algorithms, cryptographic algorithms, and key strengths. * **Temporal validity**: Most signatures have a limited validity period, constrained by the signature creation- and expiration time. * **Qualification**: Furthermore, some signatures need to be *qualified* by other valid signatures in order to be considered valid. This is especially the case with signatures created by dedicated signing subkeys, where, in addition to the signature itself, the subkeys binding signature(s) must be verified. * **Revocation**: Lastly, signatures can be invalidated by revocations.
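Review bot: In the "Well-formedness of signatures" hunk, the bullet "a signature with a creation time in the future needs to be rejected as well" does not say what "the future" is measured against. The reference time is only introduced in the following "Temporal validity" section, so a reader cannot tell whether this means the validator's current time or the reference time. Suggest naming the comparison point here, and consider whether this bullet and "The signature cannot be older than the component key that issued it" belong under temporal validity rather than well-formedness, since both are time comparisons and not properties of the packet's structure.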
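Review bot: In the "Temporal validity" hunk, changing "only becomes valid after its creation time" to "at its creation time" makes the lower bound inclusive, but the unchanged sentence "the reference time must fall into the period between signature creation and signature expiration" still leaves both bounds ambiguous. Suggest stating explicitly whether a reference time equal to the creation time, and one equal to the expiration time, counts as in effect, so that the bullet and the summary sentence agree. That sentence also drops the hard-revocation exception given in the first bullet; a short "except for hard revocations" would keep the two consistent.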
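Review bot: In the "Attribute shadowing" note admonition, the rewrite removes the only guidance the note gave. The old text said shadowing "should only be used for algorithm preferences"; the new text says that for other subpacket types it "may be confusing, and/or the semantics underspecified", which leaves an implementer without a rule for key expiration time subpackets. Suggest either stating what an implementation should do in that case or turning the open question into a TODO admonition like the ones used elsewhere in this chapter. Minor: this line keeps "e.g." without the comma that the same patch adds to "e.g.," elsewhere.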
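Review bot: In the "Signature shadowing" hunk, splitting the single conditional sentence into nested bullets makes it harder to follow, not easier. The ordering constraint `t0 < t1 < t2 < t3` is now a sibling of the three creation times under "where:", the "If ... Then" pair is spread over separate top-level items, and `t2` is never identified as the reference time at which the certificate is evaluated. Suggest keeping one prose sentence that introduces `t2` as the reference time, or a small table of signature and creation time followed by one sentence with the conclusion. The list also starts directly after "In other words:" with no blank line, unlike the other lists added in this patch.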
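Review bot: In the "Which signatures take precedence?" hunks, the rule that only the newest signature counts is now stated three times with different wording: "only the newest is considered" (Signature shadowing), "only the signature with the latest creation time is considered and takes precedence", and "only the newest self-signature is 'in effect'". The second and third omit the condition from the first, that the signature must already be in effect at the reference time, so read alone they suggest a signature dated after the reference time wins. Suggest stating the rule once with the reference-time condition and pointing the other two places at it. The unchanged context line also says "for each subkey exactly one subkey binding" next to "at most one" for the other components; worth checking that the difference is intended.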
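Review bot: Style, in the hunk around the "Bob"/"Bobby" example: the added line "If the user wants to compose a signed message using the associated OpenPGP key they need to figure out which preferences to use." lost the comma after the introductory clause; it should read "... OpenPGP key, they need to ...". In the line above it, 'could list only "SHA256."' puts the full stop inside the quotation marks, which makes it look like part of the algorithm name; placing the period outside the quotes, or setting algorithm names in code formatting, avoids that.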
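Review bot: In the "Complexity of the packet format" hunk, "TPK format" and "a TPK" are used without expansion or a link, and the term does not appear in the surrounding lines of this chapter. Suggest spelling it out on first use or linking to the chapter that defines it. The closing sentence has a stray comma ("being deduced, by different OpenPGP implementations"). It would also help to say why diverging interpretations matter for verification, for example that two implementations can disagree on which User ID is primary and therefore on which self-certification supplies the preferences, since that is the point the User ID example is building toward.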
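Review bot: In PATCH 30/31, promoting "Revocations" to a top-level section leaves it with two sentences and a TODO, while the introduction lists Revocation as one of the four conditions for validity. The section uses "soft revocation reason" and the "Temporal validity" section uses "Hard revocation signatures", but neither term is defined or cross-referenced in the visible text. Suggest adding a one-line definition of hard versus soft revocation here, or a reference to where it is defined, and linking to the existing `(temporal-validity)=` label, since the hard-revocation exception stated there is the main thing a reader of this section needs to know.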
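Review bot: In PATCH 31/31, the new wording "they must contain suitable signature metadata (this includes: the required signature subpackets must be present in the proper subpacket area)" is harder to parse than the line it replaces. "Suitable signature metadata" is not defined anywhere in the visible text, and the parenthetical is a full clause attached with "this includes:". Suggest something like "This means they must carry the required signature subpackets in the proper subpacket area, and must not contain unknown critical subpackets or unknown critical notations", or defining "signature metadata" once if the term is meant to cover more than subpackets. The last context line also has "the subkeys binding signature(s)", which needs an apostrophe ("subkey's").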