From d829a8d3671a80bbaedbea24cc5a6747d867fd96 Mon Sep 17 00:00:00 2001 From: csalas Date: Mon, 11 Nov 2024 10:33:09 -0600 Subject: [PATCH] Updates to EA content --- .../Considerations.adoc | 2 +- .../Getting_Started.adoc | 220 +++++++++++++----- .../Images/chrome-ea-enable.png | Bin 0 -> 54463 bytes .../Images/yauth-ea.png | Bin 0 -> 57899 bytes .../Enterprise_Attestation/Use_cases.adoc | 4 +- .../Enterprise_Attestation/index.adoc | 4 +- 6 files changed, 172 insertions(+), 58 deletions(-) create mode 100644 content/WebAuthn/Concepts/Enterprise_Attestation/Images/chrome-ea-enable.png create mode 100644 content/WebAuthn/Concepts/Enterprise_Attestation/Images/yauth-ea.png diff --git a/content/WebAuthn/Concepts/Enterprise_Attestation/Considerations.adoc b/content/WebAuthn/Concepts/Enterprise_Attestation/Considerations.adoc index 684f24e62..733458867 100644 --- a/content/WebAuthn/Concepts/Enterprise_Attestation/Considerations.adoc +++ b/content/WebAuthn/Concepts/Enterprise_Attestation/Considerations.adoc 
@@ -19,7 +19,7 @@ Just because an application supports attestation, does not mean that it will sup Until EA is widely adopted, there may be cases where your chosen operating system, or browser may not allow for the ability for an application to request EA. Some ecosystems, like Google Chrome, require that the feature be enabled but also provides the ability to set a list of domains that are allowed to request EA. == Multi device credentials and enterprise attestation -As it currently stands, there are no known plans for passkeys created through multi-device credentials to include the ability to support enterprise attestation. The feature will be supported by passkeys created on YubiKeys in a future firmware version. +As it currently stands, there are no known plans for passkeys created through multi-device credentials to include the ability to support enterprise attestation. The feature is supported by passkeys created on YubiKeys in the future firmware version. == Getting Started Click the link below to continue to our next section where we will outline what is needed to get started deploying enterprise attestation. diff --git a/content/WebAuthn/Concepts/Enterprise_Attestation/Getting_Started.adoc b/content/WebAuthn/Concepts/Enterprise_Attestation/Getting_Started.adoc index c7c5d87fe..0461934ab 100644 --- a/content/WebAuthn/Concepts/Enterprise_Attestation/Getting_Started.adoc +++ b/content/WebAuthn/Concepts/Enterprise_Attestation/Getting_Started.adoc 
@@ -4,60 +4,76 @@ Learn how to get started with enterprise attestation, including procuring EA enabled security keys, needs for a relying party, and how to quickly test using a custom client application -In this section we are going to dive into what is required in order to enable enterprise attestation **(EA)** in your environment. There are a few different aspects that need to be understood, and enabled as there are inherent differences from a traditional WebAuthn protected ecosystem. We will cover authenticators, clients and browsers, and applications. +In this section we are going to dive into what is required in order to enable enterprise attestation **(EA)** in your environment. There are a few different aspects that need to be understood, and enabled as there are inherent differences from a traditional WebAuthn ecosystem. We will cover authenticators, clients/browsers, and relying parties. == Authenticators that support enterprise attestation -The first step in adopting EA is to utilize authenticators that include the feature. While EA has been included in the WebAuthn L2 specification since its release, there have not been any major vendors that have supported the feature. -Naturally the first step in the process will be to work directly with your device manufacturer to configure new authenticators with EA, if the vendor supports the feature. +The first step in the process will be to work directly with your device manufacturer to configure new authenticators with EA, if the vendor supports the feature. -Yubico will begin to offer the ability to add EA onto YubiKeys. If you are a current customer who would like to be a part of the early adopter program, please consult with your account representative for consideration. +Yubico now offers Enterprise Attestation on YubiKeys. If you are a current customer who would like to utilize EA then please consult with your Yubico account representative for consideration. -Your relying party also needs to support EA. 
If you are leveraging a vendor bought solution you will need to work with the vendor to begin to enable EA from their platform. If you are leveraging an in-house built solution, then you will need to implement these features on your solution. +Your relying party also needs to support EA. If you are leveraging a vendor bought solution you will need to work with the vendor to begin to enable EA from their platform. If you are leveraging an in-house built solution, or an IdP looking to adopt EA, then you will need to implement support in your application which will be covered in the implementation guidance below. == Vendor facilitated and platform managed strategies -Your next major determination is whether to leverage vendor facilitated, or platform managed. +The next step is to determine whether to leverage vendor facilitated, or platform managed EA. Both forms will require some coordination with your vendor / device manufacturer. Both forms will require that your authenticator can leverage enterprise attestation. -If you select vendor facilitated, then you will need to work with your vendor on the list of origins/domains which will be present on your authenticator. This means that once the keys are distributed, then EA can only be directly requested by those sites, regardless of platform. +If you select vendor facilitated, then you will need to work with your vendor to curate a list of origins/domains which will be added to your authenticator. This means that once the keys are distributed then EA will only be directly available when requesting attestation for those domains. -If you select platform managed, then you will need to consider two things. The first is to ensure that you work with your vendor to come up with tools to re-enable EA, should a user disable it through a device reset. Second is to work with your platform vendor to ensure that it has the ability to manage your security policy, and can be configured and rolled out to users within your enterprise. 
+If you select platform managed, then you will need work with your platform vendor to ensure that it has the ability to manage your security policy, and can be configured and rolled out to users within your enterprise. This includes your platforms ability to support EA, and to allow for the configuration of the curated origin/domain list that can request EA. -== Browser ecosystems -The next step is to ensure that your client application is being utilized in an ecosystem that supports EA. EA is not inherently available on all ecosystems. +== Enable Enterprise Attestation on your YubiKey + +YubiKeys with Enterprise Attestation come with the feature enabled, but a reset on the key will turn the feature off. If you are unsure if your YubiKey has EA enabled, you can verify this from the link:https://www.yubico.com/products/yubico-authenticator/[Yubico Authenticator App] by following the steps below: + +1. Open the Yubico Authenticator App +2. Navigate to **Passkeys** +3. Under **Manage** you should see a badge indicating that Enterprise Attestation is Enabled (as demonstrated in the image below) -As it currently stands, Google Chrome is the only browser that supports EA. This is currently marked as an experimental feature, but is still offered in the production version of Chrome. +image::./Images/yauth-ea.png[] -If you are an enterprise looking to deploy EA, you will need to set your internal Google Chrome package with the EA flag enabled. +If Enterprise Attestation is shown as **Disabled** you can reenable it from the Yubico Authenticator, or from the link:https://docs.yubico.com/software/yubikey/tools/ykman/index.html[YubiKey Manager CLI]. -Figure 1 demonstrates how to set the flag using a CLI (note the sample below targets Chrome Canary, but the feature is available in the latest version of Chrome) +Or, use the following steps to reenable EA from the Yubico Authenticator App + +1. Open the Yubico Authenticator App +2. Navigate to **Passkeys** +3. 
Under **Manage** you should see a badge indicating that Enterprise Attestation is Disabled +4. Click the Enterprise Attestation badge +5. When the pop-up window appears, click **Enable**. EA will now be enabled on your YubiKey + +Use the following command the reenable EA from the YubiKey Manager CLI [role="dark"] -- [source,bash] ---- -$ /Applications/Google\ Chrome\ Canary.app/Contents\MacOS/Google\ Chrome\ Canary --webauthn-permit-enterprise-attestation=my.sampleapp.com,my.othersampleapp.com +ykman fido config enable-ep-attestation ---- -- -**Figure 1** -This can also be accomplished through the Google Chrome UI. The steps below will assist you in setting up enterprise attestation in your local instance of Chrome: +== Browser/Client ecosystems +The next step is to ensure that your client application is being utilized in an ecosystem that supports EA. EA is not inherently available on all ecosystems. + +As of writing this material, Google Chrome is the only browser that supports EA **in the form on an experimental feature**. + +Follow the steps below to enable Enterprise Attestation from Google Chrome. An example image is provided below the steps -1. Type `chrome://flags` into the URL browser -2. Search for “enterprise attestation” -3. In the row denoted as “Web Authentication Enterprise Attestation”: +1. Navigate to `chrome://flags` +2. Search for `enterprise attestation`, an item with the title **Web Authentication Enterprise Attestation** should appear +3. Set the feature to `Enabled` +4. For vendor managed EA (or to request EA from origins/sites not pre-configured on your YubiKey), add your domain to the text box. Note, this needs to be the full domain name, including the HTTPS prefix, as seen in the image below below - * Change the dropdown to enabled - * Add your list of origins that will request enterprise attestation. +image::./Images/chrome-ea-enable.png[] == Relying party support -Your relying party (backend application) will need to support EA. 
This will include two different aspects. +Your relying party (backend application) will need to be modified to support EA. This will include two different aspects. The first is around the attestation conveyance of your relying party. To register a new credential, your relying party will issue a `PublicKeyCredentialCreationOptions` to your client application. This object contains an option to request a specific type of attestation - in most cases this is `direct`. To support enterprise attestation, the `PublicKeyCredentialCreationOptions` needs to issue an attestation type of `enterprise`. -Figure 2 demonstrates a sample `PublicKeyCredentialCreationOptions` object that can be used to invoke EA. +The JSON payload below demonstrates a sample `PublicKeyCredentialCreationOptions` object that can be used to invoke EA. [role="dark"] -- 
@@ -78,18 +94,17 @@ Figure 2 demonstrates a sample `PublicKeyCredentialCreationOptions` object that } ---- -- -**Figure 2** -It’s important to note a few things in Figure 2. The first is the property `rp` and `id`, This will be the RP ID that will either need to be +It’s important to note a few things in the payload. The first is the property `rp` and `id`, This will be the RP ID that will either need to be -* Included in your RP ID list, configured by your security key vendor +* Included in your vendor managed RP ID list * Included in your policy managed by your platform -Next, it’s important to set the `attestation` property to “enterprise”. In most cases, this value will be set to “direct”, which will provide you with “normal” attestation. +First we'll begin by setting the `attestation` property to `enterprise`. In most cases, this value will be set to `direct`, which will provide you with the standard form of attestation. The implementation for this will look different depending on the language and framework being utilized by your relying party. -Figure 3 provides an example of how to set this option, if you are leveraging link:https://github.com/Yubico/java-webauthn-server[Yubico’s java-webauthn-server library]. +The code sample below provides an example of how to set this option when leveraging link:https://github.com/Yubico/java-webauthn-server[Yubico’s java-webauthn-server library]. [role="dark"] -- 
@@ -98,53 +113,154 @@ Figure 3 provides an example of how to set this option, if you are leveraging li import com.yubico.webauthn.RelyingParty; private final RelyingParty rp = RelyingParty.builder() - .identity(Config.getRpIdentity()) + .identity(RelyingPartyIdentity.builder() + .id("my.ea.app") + .name("My app") + .build()) .credentialRepository(this.userStorage) .origins(Config.getOrigins()) .attestationConveyancePreference(Optional.of(AttestationConveyancePreference.ENTERPRISE)) - .allowUntrustedAttestation(true) - .validateSignatureCounter(true) .build(); ---- -- -**Figure 3** - -Note how the method `attestationConveyancePreference` is set to a property noting the use of “enterprise”. This will ensure that any registration request coming from this relying party will denote the use of enterprise attestation, as seen in Figure 2. -Next your relying party will need a mechanism to parse the attestation statement to utilize the identifiable information (like serial number) that was returned with the attestation statement. Your application will also benefit by having access to a metadata repository (like the FIDO MDS), to verify the signed attestation statement and associate the new credential with metadata related to the authenticator it was created on. You need to ensure that the EA has a corresponding entry in your chosen metadata repository to leverage this ability. +Note how the method `attestationConveyancePreference` is set to a property noting the use of `enterprise`. This will ensure that any registration request coming from this relying party will ask for enterprise attestation. -Below are two examples of attestation objects sent by a created credential. The first will demonstrate a “normal” attestation statement. The second will demonstrate an attestation object with EA related data (serial number). 
- -Figure 4 demonstrates an attestation object with “normal” attestation +Next we will develop a method to provide attestation options (PublicKeyCredentialCreationOptions) to the client application. The method below can be used to provide attestation options (assume that there is some sort of API controller invoking this method). [role="dark"] -- -[source,python] +[source,java] ---- -ATTESTATION OBJECT: AttestationObject(fmt='packed', auth_data=AuthenticatorData(rp_id_hash=b'I\x96\r\xe5\x88\x0e\x8cht4\x17\x0fdv`[\x8f\xe4\xae\xb9\xa2\x862\xc7\x99\\\xf3\xba\x83\x1d\x97c', flags=65, counter=3, credential_data=AttestedCredentialData(aaguid=AAGUID(1a4360eb-a2b1-447a-b3c4-f1f27eff1d32), credential_id=b'\x8f}\xc5\xb9\x8e7\xbf\x0ew@\xc3\x06\x91\x84\xd9\xec\xec\x10\x8f\xbf\xa4\xbd\xb9K\xfe\xd0\xc7\xe0i\xf5\x11\xcf5F\xbb\xee\xe9!}:\x8d#\x1d\xb19\x0e\xf8\xe5r=\xdf\x18\xb2\x8e\xb3\x8b\xda^1\xdd\x16t\x8e9', public_key={1: 2, 3: -7, -1: 1, -2: b'\xa1Y\xd3\xbc_\xb5\xd3\x1eb\x04\x1a]Z\xab\xd3\xe4\x9b\x86\x95\x9aBw\xec\x1c\xad\xc8\x9c\x9ehQA\xf1', -3: b'Q&#\xd9\xbbd\x84\xe9\xc5\xb0\xcd+W\x98\x08\x0eP\x8a\x96;~\xfe\x8bM\xefQ\xe3\x08', 'x5c': [b'0\x82\x02\xce0\x82\x01\xb6\xa0\x03\x02\x01\x02\x02\t\x00\xb0\xf9\xf1\xad\x01\xdd\xa4f0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x000&1$0"\x06\x03U\x04\x03\x0c\x1bYubico 2022 FIDO Preview CA0\x1e\x17\r220707233233Z\x17\r230707233233Z0n1\x0b0\t\x06\x03U\x04\x06\x13\x02SE1\x120\x10\x06\x03U\x04\n\x0c\tYubico AB1"0 \x06\x03U\x04\x0b\x0c\x19Authenticator Attestation1\'0%\x06\x03U\x04\x03\x0c\x1eYubico U2F EE Serial 
7708328160Y0\x13\x06\x07*\x86H\xce=\x02\x01\x06\x08*\x86H\xce=\x03\x01\x07\x03B\x00\x04\x9b\x7f\xac\x0b!\x9d\xb8\xc5\xd1\x1bj\xd5-\x80\xbe\xb3\xc8M\xa0\x19\x03\x8b\xc4\x0f\x87\x7f\xad\xf2\x13O\x0b\x9f\x06\x05\xa5\xec\xf0R\x19\xd3\x14\xad\xda\xb7\xf8@\x96\xa4K\x00\xe3\x12\xf2E\xe3H\xf5a\x19z\x9c\xf0\xc5\xd4\xa3\x81\x810\x7f0\x13\x06\n+\x06\x01\x04\x01\x82\xc4\n\r\x01\x04\x05\x04\x03\x05\x06\x000"\x06\t+\x06\x01\x04\x01\x82\xc4\n\x02\x04\x151.3.6.1.4.1.41482.1.70\x13\x06\x0b+\x06\x01\x04\x01\x82\xe5\x1c\x02\x01\x01\x04\x04\x03\x02\x0400!\x06\x0b+\x06\x01\x04\x01\x82\xe5\x1c\x01\x01\x04\x04\x12\x04\x10\x1aC`\xeb\xa2\xb1Dz\xb3\xc4\xf1\xf2~\xff\x1d20\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x0fz"X\xc8C\xf8\xe3\x00\xa3,K\xf4,T3\x13jEN\x8d\x978s%3\'$Av\x0b\x00\x08\xa8\xe0C\x165(\xa1Y\x90%\xf1\x86\x86\x01\xeb)%%\xdd\x88\x0b5-\xfc\xd2\x82\x97\xf1K\xf2\xce{-i2e\xa2\x87\xdb\xaf5\x80\xeac\xcdt\xcd"u\xa7I\xc4-#$\xc1\xca\xbc\x12#AF\n\x8cc\xc9\x8aD\x8a\xabr0\xb0\xca\x9d\x00\xa9\x1eB\xd6\x0e\x0f~\xc1\x9dY\x8f\x8a6\xddY\xebk.\xda\xbdd\x93\x93sD\xf5e\xd2\xd1l\xa8\x93\xd1\xa8\xdcst\xa3W \xd4\x80v\xf6\x9d\xb7\xc4}\x9fU\xda\xfe\x19kk0\xb3\xa2\xf7q\xd7\x9czH\xc7\xe2\xf9\x90\xd0\x1a\n@J\'\x1e\xaav\x8c\xf1G\x18\xc71\x0e\x1d\x13s\xb7R\xa0\xee\xb0\xb1\xa5As\x80&\xc8.\xf6,c\xf4\x9b\x9c\xb7\x89\x84x\xddt\xb0N\x7fu\x9d\xe8\xf5cM\xacH\x97\xd8\xc0\xd49P\xcb\xe5\x92\xb8v\xdf\x02m\xf6\xaf\x83z\xac\xbc\xf8\xd0\xe8.']}) +import com.yubico.webauthn.data.UserIdentity; +import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions; + +public String attestationOptions() throws Exception { + + /* + * Create a generic/random user for the example + */ + UserIdentity userIdentity = UserIdentity.builder() + .name("Default User") + .displayName("Default User") + .id(generateRandom(32)) + .build(); + + /* + * Create PublicKeyCredentialCreationOptions + * Note, the attestation preference was set in the RP configs in the previous code 
example + */ + PublicKeyCredentialCreationOptions assertionOptions = this.rp.startRegistration( + StartRegistrationOptions.builder() + .user(userIdentity) + .timeout(180000) + .build()); + + /* + * Return the JSON object to the client + */ + return assertionOptions.toCredentialsCreateJson(); + } ---- -- -**Figure 4** -Figure 5 demonstrates an attestation object with enterprise attestation - Note the section below the full code sample, noting enterprise attestation, along with the device serial number. +From here your client will invoke the Java app's API to receive the attestation options. Other than the Chrome settings mentioned above, your client will not need any special functionality in order to invoke a WebAuthn request that includes EA. + +The code below will act as a generic example of calling an RP's API, and invoking the WebAuthn ceremony. [role="dark"] -- -[source,python] +[source,javascript] ---- -ATTESTATION OBJECT: AttestationObject(fmt='packed', auth_data=AuthenticatorData(rp_id_hash=b'\xe4S)\xd0: h\xd1\xca\xf7\xf7\xbb\n\xe9T\xe6\xb0\xe6%\x97E\xf3/H)\xf7P\xf0P\x11\xf9\xc2', flags=65, counter=2, credential_data=AttestedCredentialData(aaguid=AAGUID(1a4360eb-a2b1-447a-b3c4-f1f27eff1d32), credential_id=b'\xaa\x0c\x9aF\x12\x904\xff\xeb}\xee\xf1p\xdb\xbc\xa3\xcf\xc32<`)\x01\x93\x16f\xac\xe8>\x91@v\x81\xf6\xeb\xf6\xd1Y\x1d\xa8\x9c\xe0\xfc\xd2Z\xc6Q\x7f$\x9b\x0f\xad;\xc5\xa5L\\\xac\xf8\xfa\xab\x81\xf1<', public_key={1: 2, 3: -7, -1: 1, -2: b'\r\xc8 \xc8\x8b\xb7\xffdc\xacS\xf1\xf4{\xe8\x8d\x97\x9ec,lv4\x9c\xfa(\xd7\x1a\xa8\x90\xb5/', -3: b'#\xf8\x12A\xe2V\xfe\x87\t\xcdQJg\xe3/|]\x9c8\xc6\xf1\xd6\x08\x10\xf9\x14\xa5\x8b\xa4\x91\x8a\xa7'}), extensions=None), att_stmt={'alg': -7, 'sig': b'0D\x02 \x16\x98\xc0ITS\xf4\xb3-\xa6m`W\xceCc,Q \xe7\x02\xb6(\xa5M\x03\xcf[\x13\x9f\xd1\x88\x02 \nkh~s\x15\xfd\xc7\xd4\xdc\x9et*9\xf1Bb\x0e\x80^XC8\xab\x80\xde\tI\xdc.\xf8\xb2', 'x5c': 
[b'0\x82\x02\xe50\x82\x01\xcd\xa0\x03\x02\x01\x02\x02\t\x00\xe6H\x19\xfa\xccFV\x1e0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x000&1$0"\x06\x03U\x04\x03\x0c\x1bYubico 2022 FIDO Preview CA0\x1e\x17\r220707233233Z\x17\r230707233233Z0m1\x0b0\t\x06\x03U\x04\x06\x13\x02SE1\x120\x10\x06\x03U\x04\n\x0c\tYubico AB1\x1f0\x1d\x06\x03U\x04\x0b\x0c\x16Enterprise Attestation1)0\'\x06\x03U\x04\x03\x0c Yubico Fido EE (Serial=19600953)0Y0\x13\x06\x07*\x86H\xce=\x02\x01\x06\x08*\x86H\xce=\x03\x01\x07\x03B\x00\x04\xd7\xbaL\xde|\x07\xc1s\xecd\x87\x88\xa76Y\xb9\xb4\xca6\xc8\xac\xd9\xd2\xa4\x1e\x00\x13\x0e!\xb6\xc1\x98\x9a\xc0C\xdd\x80\x10\xca\xa7\xb3G\xaa@p\x1aF\xd1B\x1c\xd2\xf6\x1bMe\xf7\xcd\xbc-\xa1\xed3\xdd\xd4\xa3\x81\x990\x81\x960\x13\x06\n+\x06\x01\x04\x01\x82\xc4\n\r\x01\x04\x05\x04\x03\x05\x06\x000\x15\x06\x0b+\x06\x01\x04\x01\x82\xe5\x1c\x01\x01\x02\x04\x06\x04\x04\x01+\x1690"\x06\t+\x06\x01\x04\x01\x82\xc4\n\x02\x04\x151.3.6.1.4.1.41482.1.70\x13\x06\x0b+\x06\x01\x04\x01\x82\xe5\x1c\x02\x01\x01\x04\x04\x03\x02\x0400!\x06\x0b+\x06\x01\x04\x01\x82\xe5\x1c\x01\x01\x04\x04\x12\x04\x10\x1aC`\xeb\xa2\xb1Dz\xb3\xc4\xf1\xf2~\xff\x1d20\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00>\xdb4\xcbM\xac$@\xd8\x94\xb2q\xc3$\x9d\xf2$\x9da\x89\xf7:\x16\'\xb5*\t\xbc+\x9b\x05\xc0\x9a0\xaf@\x10\xb5r\xde\x88V\x1c!\xbfyH\xeb\xe6-%U\x1f!\'\x8c\x97z)T\xad\x19 .\xc4?\xf0\xb2\xbd\x122W\xe7\x88\xa80\x83\nN\x9c\xee\x8f\x8c\xcev\x9a\xea` \xba-\x08\xa0\xe6\x1c\x91h\x92\x06\xce\x9c\x8c\xfd\xa0\xe9\xcd\x9f\xde\x0f=\x1f\xe0\x82\xa8\x11B\xf8\xc0\x01z\xa3\x93\xfe\xfb\xbb\x9dbQ\x8f\xec0\xefn\xfa$\x9e\xd6r5\x93\xc4\xb5\xfa\xa0p~hn\xf0\xa6\xaa9\x81Z\x1fZ\xde\x88).h\x10o\xcc\x02\x1a\xaa\n9\x13J,zX\x95\xfa\xd2\x17\xdf\xcf\xd8\x8f\xb8p@-\x19\x14\xda\xfd7\xb6 S\x86\x94A25\xc0\x08*T&X\x7f\x9dp\x01T \xe0>ss43R\x8f\x0eq0\xec\x81\xdb2[p\xe0-/\xc0\x8f\nU\xce\xbaX\xf6\xb8\xe6u\x8c\x9a\x9c\xd6\xf7kx\xea^\xd9m\xc5\xd7\xbd']}) +import { + create, + 
parseCreationOptionsFromJSON, +} from "@github/webauthn-json/browser-ponyfill"; + +const invokeWebAuthn = async() => { + // Call Java app for attestation options + const startOptions = { method: "GET" }; + const response = await fetch("https://api.my.ea.app/v1/attestation/options", startOptions); + const response_json = await response.json(); + + // Invoke WebAuthn request with attestation options + const attestationResult = await create( + parseCreationOptionsFromJSON(response_json) + ); + + // Call Java app to send credential response + // Note, the implementation for this method is the upcoming guidance + const resultOptions = { method: "POST", body: JSON.stringify(attestationResult) } + const response2 = await fetch( + "https://api.my.ea.app/v1/attestation/result", + resultOptions); + } ---- -[source,python] +-- + +Once the client has been used to create a credential on an EA enabled YubiKey, the credential response will be sent back the relying party in the form of an assertion result (the second API call in the code example above). + +To finalize things we will develop a method that will process the attestation result. For simplicity, we will not demonstrate the validating and storing of the credential; we will only be focused on the mechanism to read the serial number from the credential response, which is demonstrated in the Java code below. 
+ +[role="dark"] +-- +[source,java] ---- -Enterprise Attestation1)0\'\x06\x03U\x04\x03\x0c Yubico Fido EE (Serial=19600953) +/* + * Request structure + * { + * type: "public-key", + * id: "base64url credential ID", + * clientExtensionResults: {}, + * response: { + * clientDataJSON: "base64url string", + * attestationObject: "CBOR encoded object" + * } + * } + */ + public void attestationResult(String request) throws Exception { + // Parse the JSON request + PublicKeyCredential + parsedRequest = PublicKeyCredential.parseRegistrationResponseJson(request); + + // Read the attestationObject + AttestationObject attestationObject = + new AttestationObject(parsedRequest.getResponse().getAttestationObject()); + + // Parse the attestation statement for the x5c cert + ObjectNode attestationStatement = attestationObject.getAttestationStatement(); + JsonNode x5cNode = attestationStatement.get("x5c"); + // Encode the x5c value to a String array (this is how the entry is represented) + String[] x5cArray = mapper.readValue(x5cNode.toString(), String[].class); + + // Assume the first entry (it's the only entry) + String firstX5c = x5cArray[0]; + byte[] bytes = ByteArray.fromBase64(firstX5c).getBytes(); + X509Certificate cert = X509CertUtils.parse(bytes); + + System.out.println("\nPrinting entire cert"); + System.out.println(cert.toString()); + + // Serial number is encoded in the cert subject name + System.out.println("\n\n**********"); + System.out.println("Printing subject name"); + System.out.println(cert.getSubjectX500Principal().getName()); + System.out.println("**********"); + + /* Perform additional regex to pull out the serial number */ + /* Perform other registration steps */ + } ---- -- -**Figure 5** -== Next steps -EA is an evolving feature that Yubico is working to perfect for customer use. 
If you are a Yubico customer who is looking to enable EA in your WebAuthn deployment, then please begin to: +The system logs from the code above will output the full `x5c` cert expressed by the attestation statement in the credential response. -* Reach out to your Yubico representative for consideration into our early adopter program -* Work with partners who develop your relying party solution to enable EA in their environment +Below the cert, the cert subject name will be printed which will include the serial number. An example of this log can be found below -We will continue to expand on this guide as we uncover more best practices, and features within our libraries and SDKs. \ No newline at end of file +[role="dark"] +-- +[source,bash] +---- +CN=Yubico Fido EE (Serial\=19600953),OU=Enterprise Attestation,O=Yubico AB,C=SE +---- +-- \ No newline at end of file 
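Review bot: In the Considerations.adoc hunk (`@@ -19,7 +19,7 @@`), the replacement sentence under "Multi device credentials and enterprise attestation" mixes present tense with a future release: "The feature is supported by passkeys created on YubiKeys in the future firmware version". A reader cannot tell whether EA is available today, and Getting_Started.adoc in this same patch says "Yubico now offers Enterprise Attestation on YubiKeys". Suggest wording that matches, for example "The feature is supported by passkeys created on EA-enabled YubiKeys", and naming the minimum firmware version if one applies.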
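Review bot: In the first Getting_Started.adoc hunk (`@@ -4,60 +4,76 @@`), step 4 of the new Chrome steps says "For vendor managed EA (or to request EA from origins/sites not pre-configured on your YubiKey), add your domain to the text box", which contradicts the strategy section above it. That section calls the two modes "vendor facilitated" and "platform managed" and puts the vendor list on the authenticator, so the browser-side origin list is the platform managed case. Suggest "For platform managed EA (or to request EA from origins not pre-configured on your YubiKey)". The hunk also removes the `--webauthn-permit-enterprise-attestation=` launch example and the sentence about enterprise Chrome packages, leaving only the per-user `chrome://flags` route. If fleet rollout is still supported, keep a short pointer to it. Typos in the added lines: "you will need work with", "your platforms ability", "Use the following command the reenable EA", "in the form on an experimental feature", and "in the image below below".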
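Review bot: In the `@@ -78,18 +94,17 @@` hunk of Getting_Started.adoc, the added sentence "First we'll begin by setting the `attestation` property to `enterprise`" follows directly after "The first is the property `rp` and `id`", so the reader gets two "first" items in a row. The removed line opened with "Next", which kept the order clear. Suggest "Next, set the `attestation` property to `enterprise`". In the same hunk the bullet "Included in your vendor managed RP ID list" introduces another name for what the strategy section calls "vendor facilitated". Pick one term and use it throughout.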
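Review bot: In the `@@ -98,53 +113,154 @@` hunk of Getting_Started.adoc, the new `attestationResult` method reads `x5cArray[0]` and prints the certificate subject without any attestation verification, and the same hunk deletes the paragraph that told readers to verify the signed attestation statement against a metadata repository such as the FIDO MDS. A serial number taken from an unverified certificate is whatever the client submitted, so readers who copy this sample could bind credentials to a device identity they never verified. Suggest completing the library's registration verification against a trusted attestation root before the serial is read, or at least restoring the removed sentence and stating next to "Perform other registration steps" that the serial must not be used until verification succeeds. The builder change also drops `.allowUntrustedAttestation(true)` without showing where trust roots are configured, so say which behaviour the sample now relies on. Smaller points in this hunk: the variable `assertionOptions` and the phrase "assertion result" describe registration (attestation) data; `generateRandom`, `mapper`, `StartRegistrationOptions` and `X509CertUtils` are used without an import or definition; the JavaScript never checks `response2`; and the subject-name log sample is tagged `[source,bash]` although it is program output.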
diff --git a/content/WebAuthn/Concepts/Enterprise_Attestation/Images/chrome-ea-enable.png b/content/WebAuthn/Concepts/Enterprise_Attestation/Images/chrome-ea-enable.png new file mode 100644 index 0000000000000000000000000000000000000000..d9b5ac590ccc76712230f9a7851d0f3f694f6c1a GIT binary patch literal 54463
zg2Yuw9L{+b`*W_aRvIooT;|sd9P~M|OQfS)O99&WoA8q{MJi>Vox8gcQRlB(h?C14 z4@NY;@(U%>saf#k6tmS1Q}L5fIv>*Xze(+21FBq~)4fjp-$FuFO59l12`N z(G>MQdB3<~(&%#ZsoLb{kkwJI`$eVuZl(OODk2iS&ct{jdT$i5jkpDiL2{7rsSYWJmEl z^VlVK@7Q4Wx_NupL9jz|8A%k1>?O!az+w?C{epO00It;1MZNspu=W`;i8kBJPSn-E z^Q}}^cPi4-PbQME^;kA(Ujok|4$+`(OaQ8aWF3~#_gS9yriC;*N@QX;l8&k{GL~Bo zve{X&#}(3MyOVt?e+PLroY6O8=C3n}d%;a-=n)%rI+T(*6Ghm&>2bMsNGuV-72aR( z1f%fZ(k9>JJE-{OgxGBeScn@_sEaYhd0~2XQu{dvvtd2>I-6MhY*w=fje#@{R10o# zYd2RA6`A7G#HGkQGads%j4g66Dv=?>fBEXAGEg)kH5Oyvm}HBe!{O2+V9}b{izCA2 zv}fr`;@3L}Q_0}e*QLfW8Q5HM%b;VMEEYEBSJN2WcG{g&D(gDCi74RM z?>3~PwEv$oz%xag2j=;EdD)PACK2ggt` z#7E>ngcrx*NU-T+UvJ!D=j$9*?Um*4)rRm>PrlYe*y!y{VQY@_`11R4{Sdq?tq<|?P2M4#QM{*2EKe9 zlxfIjPmO%RP8$Tkqjt%Rb)d3Ii{td8Iin z7pj+fcUOAD9_)RVuW6)z@o|~ME0cXf-u~yV+UQzL#%R+*9LK@XmO`b|nM4bU98?{3 zy;*mcP*GiPF@d&22GbwWDgfRh0a%tw z112H--(nI#%-X!kW%LKG1c0~L08CYCN6v=&w^$GmTe*z54*WIu7O5Y>+cgOr!oS5q zfOzik)5-r+_-~!p|6f*kv;ZjMC(mfsiVc-=UWQc%gSA}2#I|d{R#tr{-K51;Gi;(| zwBgmK-0e-LDx(vLN8`{%pm_T$(ASY$u(Gd^K|YT?01e$ zC<_#+ataj-l*tN6xkNzpZ`&&#Fz7vz2niAAh+);wuH~;=>iDTyHxu$;=;bSGy}z83 z{P%AG#FvdJ3CyC5?5#7%YZtO?F$DS*vCqlWf~MfH)s+YCZOa# zG{V!uXVjWq##4{E`zyN#h0e~JjH*(dCUsI$Qp20cuali?Kw91> z6j)V=PguplEeP>QrgZ4!02K)$!-sfuh87)iC`q-6>K$!>H69KGv7Gm*$>8C8>E-M5 z!Q+2&C46QGLPB$~XXYxod5Dwb&~=aLES#hi%9I&c>TypYFkzy!yOR3Fy##d-&!>{- zHbrJ*8w4{AW_BPs49$ z5u~B5gEXvV(LtVy%@XBvt*%Oud)lNsxE_h037LO|mt=^*9|fTCyym3?c&ETCg)kHO z$=5aOB)AM|Nmusw(X(}Ar#8o{Uui67onvp|K&M99_Z&M9Ti8g@2LG&)3s%!f`GLf; zm#wX>c678-wN^7P-JSNtWP>;%!2YB;Si4272yAC!f*|dm>^Zu!*bN?TQEAFnO6bpw z%pJzLHMwdeD_z|ruYPD@ovMD6W~F;Az5gK7ZOKJ4kpK=2jf~Ic#FgxNKZvQ=T2bw? 
ztDpt%ZAc6{iXZIz=J3k8S7FpIMEquZ<=!JM%X<-hHB8ArY1g9;lJ*J@b+} zeZgMuSX#@~B_zDf;?~-#h(5G0W>?MAQ*X082GDAq<}DI>Jae6Pa1-#{L|ABVx#U#d zbF|ToI9v4>KkPu9t%8eIh(=u(Uz3+M_T{y;Ju=fmxBnraGsW@&Sh`dSn{;T*%lW-3 zhNp>@Yt(()56WWnMviQ5tK}b7iQ_xr(Kc5SiWIA)=IShGAQ*L4-EWs4LJ8jZ4OP*^ zRM_7D`Tny3Yxb%0r^*_APBlf15G!%!W)kBI<%|$(S3{JzN7GZVcyay1%uaWVxUm@n zDr(K+?gTDO<{Q@|7q&NN6V!ieQ|)z`5QoF)N8wy@twwjkDXZozfO!U0gjmeP`sJHM z$6{gPiV2zZ$5HvuE-02Lm4u7Guxvw+Z`{D!0d%rWB6^LUFr}rXsf5`vo$ZT~{Mt0# z(G2Ey^xP7>-rjdD)(7;KM!wi<$GPE{cEjqG2D3Px9^IpDXRO7q8tksjFJ2k~Z{cs< z=6JDvH*yq*&0C&pb@S3We?;yx8SjDl$c z_vmccV6z3$N`e6rFu-M3^YlvBxuolGRYus$gF~FF-4_a=aV~IDkB%>zP(x0J(OBO+ z4h&OCQs!=p-)*(^24lTmZja19E7Rdg`CRjPmNfwZNg`e+OO-qwJ|-X;ZzsM@3=Rp? z{N)_*f{z#$=v;ZGa^jNCXz3LtYzhG)*2$zLr%8Bd%)7f5K{bKJbL>yFln*7Uh4WQk z%5;*lg877f$`)z7pPQD!@$0DT`619EDhZf z>-ns;n<%@gp-d=7F?d3dB-J4%lt2#S%$oo1=-Z|Y+U zBRMjc%!hgSH%k!$@p4vM95$Lu&5f|0x5{7-Yk~-2*Z$SV1B_LqI+B0osujA&M>3=i z`KH3^MdoP9^J++hCW38P(yVz9=0 zuA#bYYY$Qsn&3v#cujUp;WnyOoZgM9(V(xqwzI@jgu@54<1!jZSOO${3A6M1VYRCL zV&3h3lZ365_=1nE(~L?gol5)4gWh+7VxyD+@;9lyfRz&YjvZ9fGJ(K!(kHGTIM6Ft69V#zr zh+tT)kjl&kl=7F6>i5tS_vTTaB31cswY!DNZLzh|Y?#q+-x#o~__#yj!<4_<0E3bS zHO)5cC>K60a>4#SBip-A^OZ?|AM+)DHD2zosbUnn4or9HE*<_ICvn-jsd@L8R~>`DTS!OU+^q4XhXUR&QQAw1->li5?<<5B6DHo_j8V#(ByE^XiS5@pwt`N! zRP>tycdZ;|5Ancnr&KwlVl^M<% zLBA+_9RE=iQU+?`IBCaES+dLxE&Z3N^rbYGPynjvf@IRemy`LgpMvjz*RS+V?f=kS z|9iZ^WT1?eXA+$MKb(vl9{?|C(pbR#qrQ}YWditzM0J;P*?({%wDF&S38h442=N~k zJ>cq50JxgM9o@Kp)X{R3b3mP{9utrL-)9IsE=UGWQen7;{2!+tFH!n(O~h0r|E%e; z<(PnzOinZx{okwk_r(G44scC;QvCl0o&NJXUL6+1RI$%~1r$*|Mk*sr0x(_8^`J5CW`f7srSq*diyobN<<95Wd-mQS##7kn+usEA1e zl8(fmGwcu561}XSGdXqMD^`gj3>R5)(y-GLl(#=Ez0C|v0LY{ z=*R_%Ri_RUZKHG<7hKd=sPqG+3Jp0Ddbq2ll9hC_cME^4*qrb%0|>5fH- zJm4YT;r?XpZp*ZHstrnof^wE3u#Q}RY0on0GBu2TXq#>5c6iSz3Q5@+=-vL$C?k*K zL?Q{x^0k4GE5D~^)CxNMJ2Ps0sn+BVESns7q0I3Ot>sAaoFy^;CyO_<)h6%OJJ}di zGUU|6+1y?Jj?fhEtK!7D$zMk7CT0IE!>8PufHm&33Paz|Gi2? 
zCn+s35Deg~|-5q{uTMJqr~{vT_5 zwQ9G$VI%WwgpZjcMd;TG?sT<{RyRe!gHlu`MQAaZWdx9GEQJcGvtB?oy;Wt{ia{=9 z&BWuj{83RBd{Y(qbUyS-vUC{B2dKRvFkl3ZD(1gM))fzdXGXZJ_}m?S8K` z*e=XlDij|EItL$!E2fStI&ZT{mHR+tKQA?Hc*z>$B;Nu)z~Ph-wb9HKji8`fhMS!H z-O(z=P}G&3d&ne9S+_frp=X^-kuVbgbZBW8BbOKlq>)eNNDdafj}rA37826dQ&N%p z#%@|{Q|j;pl00+2GsZvv1~ z-&;!*`@nBPe3h8EWkxZ+8d-7A*#W^Dm3R7&y4-C8>p&w13oD%%YF;(g>F3j+ z1>2kN7mm@Ixe<^}2U=fWb}Mt@@KEE|Z;AFh>)%^`JP2$&!$(rOaoruWVLI8~ z&L7;(UNHtT^zv2)dv-@ths*VN*mfy%%(Nunvq*i4SH=A9z^+OT4_^ym!Xro6Y}Z#? zMu@RWzID6s*e~?u1pPZ~|PW%znB%PzWF2qw=b+8`*b z$^p+Ey8TNJxr1;EBn3b|l3r9diGag?<7B3ASwH;pHBiU5;kBRE#DBO-bAJq4l(Y-%2#L4~cs6SCZFGpiffH~XV61G~EvuUNL{M01 zbTJxEk)<89_uc*5-D#i6+76B?ZgSHG#`H>GSZ2Jcm>^AGIMT?1aoTJR;p1I@i#XA- zr0;8TL(P^&Jk34gvU|_t1{`eS?}`h7-PRla*@hj&_JU6*ZAJA4gv-$p5oI{|_*U=1 zbBFPil@?cEtTl)aBvT#QonkR)9yJK*8l3aF{0%$Z6(C7gmafl;_XA4znnti~r2Dq%@oS>;|!as*O;SynZFV1TaQK-FZ)o zdQHbH9)@Y+qOsm5~Y8Mj(QOaKvwVZ3TrV+Y&MkE)_J#y{)oQzVp6 z?dgLxrr5#4ha|r`dam1O{Qm0>A`^8Dybjw8_xA&#M^xm16_c^ARoKpiAHY;hh z87aVZt^1mXOn}-xR(v1gU+9Iep{j=OiNwx{#5D0*UkM0y<$#1QmbuUHdo zY{q(bDSe|Bf8+&GjNH#Hr~_er@Y?YJ(Po?bwKfX>nGIk7(;{%_(|^?3^-+I`OCaVu z*O6iXE&AWvGuf;O#R2(>5@^u~XuUwbqwn-j z6vAFJF<0vnYGYq=St{sxZ3Z^CVv)%en=D^4BC279(cQ8^UxWN`=nbzZv)@Zz-aeCOLj2 zGyX9b6hCaIssbfpDClm3?g1kC(vyna6v1Y$wBcxt#7e&RDqO3!E7B*DcBZts8AGMdoWDDPG(LR5yw~4C=mtQzJ%b?qI`^2}Dc~KQ{ngQ!^)}zg z6+F|Fz1~0L3x5rKIgKIE;}xAJ0hfZ7VvUvb*Te@vE~qz7(&s)u=905MSXi#0ddFw6 z$79>t>HXILs;3h6Sq=r8rox~}Te*4xyw-TUJj^mO{#u*ZN&|pK-BON)8x2ay)g&LV zX!$w1tZIgyA@T&v&+ZUbnmE%=0u8 zp|7|8UQ9-n-SawRTn}h;c(?bX$K-XzkZhk2z?YIZ7>hr7u2V~3yE)MG>5joTc>RU9 zB`J>pD&=GuX7XS4CAAcdc*rHh5n#XNDI&%Q*?lGj9^ZnkTs!NHOad z6lZq9A;i4-ZEpt}ejBL6$F__B z{H>}(8XB4Mk$2ip9_fo6xqQC265?|K3iw9v5zIDp!rvBaGBVdFm zz8>%l_bqRWy80bEY(pG{@JGRqb`teFnyKOFB>Y2%Rp>mmZW3O7Vdz)feY$gHA>TLS z?k+X(cxpAXe69r*1?_;vwG;$OF=dQkBwHNuGyy+Y;Xz8)$Dqnd@G>3H}37`oHG^(SKcniCWHJ*nt74EWeVhq*M$*c$Y!CN1G zI;_1t{917?vmQgjRa$jCLdG12+Kj2Lo%dD|?H8POU(iZQ$Jx!@K$KYXj~EgU$>qlJ 
zGBd%ge$zDe+lF1s>!UKEzX;oXx0{b_F(mgaP(e)5k2ILt4KZLbhqa$E?aw_(LjI+; zO(&7cY_~hx&+;$C%=u=|h<>9=+YZ$PytBM1l+}5Dft;HQ_%_{%@iuP?i=N=Q-mm_r zOm>O|0&DtOyrGsh?N&Qo8yl$?gH5GSr`6vSb~Kao!g6B_EuLp)9X>llri%PoH+|kg z!}zPs@s(wS;cxoF58F-qKse<;-DLZ1f%IjPySF3M$6EeplVZ?}^HImj3J#7g5xKn| z0hiimgmOT_43E|5rH#gwnD#XBI>iF&xi`3^|s zYc8FDznj_J>gVmh6wnE@GqSI$fbjG~{4Hgd_>}q=>jRZ)Ty>;;@>q6FM>f)60oxP-je#$(b9CAqJVX=>kRp zX*PE!>5mhvMX+s2PaHQ}QSWD``-)O17t1Q%L=oty;}bY4LdogjVrya?#l=-SsPPBB zq;!1eU8>LqpwsFVg3Bpz1)9k7x0Hz_H>U;K)=uXE1i&unOR$J)a+70Qzomz5x!w>vP-@K zTU$TNw>BQ6H(K4k$egXYp2G6my99Iy4atek-V$Z`zbMx&%mZID#D7?*0<8AH zOVFWUcAcCGrUHPtkcZbhjA9=l;NORi?wqZ2lOpz7+r7qjgX%v_$NPUjn*+gEi6B2j zxy3mapn=ZX(AQjb$l&pKa+svpvsnQt!R75?2Hp(^rSAESo&u*SsYKjNpFuF6H7lQO zr~;7oRcLwGINb($b#N!AdIp#-bKJp^IdOJNTO2bqaiZ*6rE_vd`6cC<%Uty~_c^OT z)K})p%ttdsG4kihb)PT8&ZItBFc4rv2p`}Vr38|9Ox>N?Tr zUUrUe^`^I;ac+<~ojY{Wt+lIJ`vu#np}WWY&g$^r{*ntoIFAjJdV%#+?&AHWb3BX3 zk(Jc%y!VBlzj4=0s&0LKCcku*|4ZK2qJKfF5O5<;F)WH#^yqR|8f6{edBFg&0^1s;-h}+XCfxGYLmR-?4i$UKcmtZZ-)+_IF~t!*uk4m zenHPASkI#SyNP3>?m&0@cE+kp@qJ1X^Y({TjS@TY?(Q~t8ONswggiT!bFm9(f;ANk ziKN@vb;%bE@{!7;`P*Dg=3%8^UHWebNlD#2@{~FaU_OYbvJR+NEtj+_Bm3#WF&{Bv z)b|L9VmM-Z(Bdu`1%HIkdQq-N@p8W6N3H!Ry!PlBUm(|9 z^oo78-AnrE=D^X&EiW6LL?ESd%|~AknJt*A!MSgF-?`~Sv6?9nw^?#Bi_ZGFu=7Ll zSccephqZPa@^6yTvI=vb=GX*ZhZAWqpuDbo2hK75!tJz=yzLB(cY?nAIb+`h#|dAP zap?nul(|=?SPDH(=ktIT)16+MifBg|NWET{>m?=}Km=6yD~-(ugFQPh!9QGfreO41 zd`pa=)d~59zM+xYh!eJRKQomwdDoXmf8cvr0tx;pW!iYBa^kM~_#EjhMGc}RyjLdz zYT$WW6A^Y$GbPVYa|74wv+ z?f`=B^lI#Cx>**=-zx$cRb5vUr(I4|*yG zse#vF*-+^7QKJ0tFUF%VH``g72CjO0^Q#DawiVq)%Jfa*g-TH2ZN)Vx>}p$5I$SX{ zG9`xWtug>sRDwFbGm&++-%i}m|NJ3P(PVyl(_p{x0m!_=F@Htw;{n0F+y#p8At3w1 z;&%Fd>imj7@+2w$xffeqV#8G{9}8QyO%lWR8WL>`?y^Fv;I&q0qrdy^xussKXCUcf z*TM*}S4me|OWn`Wij^kbcBkTp-BEGWX^AO;H|rO31Oe5M6V-8jw}R&!s(FmXaCa$d z>RuFJF9m=MKT1Q4`93t*^+X^{SN>4lN%R?0h#jzwVn2(9J$-HUI=tUXUufX48hU7{ zvp7QP!Wv{PH`Hvksl%UExhKe~11zyguhDH;44dUP{i5Go>rN(Qb==GA?ZR~_>G>fB zzJvg>hVaab;vHsn^PFYYPz*hF_%uAvCS4GFhwY(W_n@u3gG971>rB}CSt)(9hJKjx 
z3*T$8?ec^Ml(*{kc|UF5l7BYFojKh|$TyA@LpysAb$;;N^uwQ5b%J~bua2*y?VCqk z-Zlh4vby&^bGv=xK0|W$L!F#ky&EGhpZqLx2<%qEMs#3haW@+Q8$5ruQ8<}<2bS-@ zAbWILKO(x$I^V1ww*VWGL#H5JC1Kb(BAX~+U!{Op0`W& z{+aa-D?Ol~?hpcjAX+Ek0O+rt?mTT>34;)kWTed3nrqfu!%97 zqyqI_X8hE!&&7(sH`OALndK&K5gI5hql1dfvW0Inpkkd0gL-dEk0&;)7Mw-KPj;XmKUX&F~hx^dbZ;sL+4VAx>-vIWkLqugSqB%m^_4pTiBMAVV8$_??BYqU-XxaE z5&$TYBgB1+E-<*2dQjUCA-9}wr?M5&m{{tplu{}T`1R$;|FY$BnVlYcf0I;rvVasMHOw2J|Ze9njY zKG2hSxe7zfRf?Jul-H${$;`()&gSk9iyzvW)-Hy*p${mBww{%_Vw z84B&rL%28+3>CYaP8V>JJCMCum}v>*+yb&vsQEt4*Ggh5Zr&!@Wtv8>&P&3yL$oV& znccwibsn}@;;Xi2>-`a(9(~JikGzAyyDh#B05%(fHALbP9e#q-9gIOU=`kz)D$RTC z4*htjvEqmQXM9jh$tOF*P8YrDtM?jJrZkFOMzZcyNSH?&{mzBfY-eA%(otu!hG4se!w@sf2%T`iy|wa{X!X(I zT~{;n-T0MnyY56W0c;SGfQ;@VEX}L@Q#EzU(+SNFs><6x$Mf2QJgM21Q4q(m{dyoD zq!EMqkvO-A6*&`;;_%@WINM>c7|-JK-bWH;clq9a^MgM3yfbO)h7l2qe^=R)jrm%x zo&vsnvtp@+ChrD7-c~AMM&yB<$DFq@_kSmU%MYE7De^1T{w|d3XB}vI%4nCo>GIigUkNz;%XWnkJ(5g6PvB|1 zY4grFkX8S!&U*P(Cvh=4_gdL0YA<6+6_i)z)bv%)m*x5=$*TM&);3I$0eY z^y9$hK)ZwBAEr=~DbcX|*ZF(O4aT{d-%AD14>oIhhMJ7cQlj|3Ai4dmA9hDw{+US3 z)G}v+mRQ{xc6oYk_KpH}lKb!OAM#&Uw~&%*pDm!vnTjN0*mlD4^rtt6|C4ab9y4Kg zI+Qqb{T^ddp1~9vplh_rb*@l;51S-9GbfDJBj_Lr^Xxa@YJZ>ph#Sm@MW_#`KAicZ z?)%v}Vu^M}hM=2r!$SR^KEVDzW%D3HMkmlz%4ljal6hBV*i(!L=8aE3dNi%R)!tmN z&en848owG62kUx=zdxa76qH@%vV&xPpt7sK6%^3XzAyX@m=%*K`7H=uxxRnY=Ja&WV(9e4b+4kLFjbu!?whkJtZ11nOXQv_iBs;D z5>)wgiQF%Fd!TZ;s5BZd;(MX2?i?pf-!y!O>rx@1J=(7fv8LQqI}a@s=wu;Q?@noj$BPUlY0AHT9uiLFT}q4%N4hbKXS_{T5{n`68Mv=jM| z!E=Cmw#jY9{UhggW-tVK{B>gaJc2z@%K|kV`_Rgo2M}|q*?0W~&qMM)2!{}p?!INLWM7p<{%hqnc<7fV)tpzd}zmVgGjR z&Cp;alw*vQ2Y35`Ng*qHWj84O0GH+*&--b5ww(mP!5V+7MxS?xUiak`{M7V=UZs8f zGHW|EW%%qjy9N=#K@N7#kC7z$RVppx-P+L(1iqP_^}lV>EaArg6eh^VZph52dK7#H zV>!X1CWfQuk7uf3%@Tq^DjdmWGmJ~WJ`miZ*%%vK0w^p9 zW_S#*E1L!NByG%(rQZ_DjJ$CVe&Z5Sp*{b>#!AF{()AdptjcSKzLv~g^{u0vn%F6G zFAlsjRDOpDXH~$6{9j|j>g@?n!aa34+4dEV=lU7Ny1n5K;xpdstW-de8nT@0wc81>wt90u#97e z!=>jgf~JreFHY;fXi(RxZZDs84;m6C#}GP2`?g?}dwQAV@yg^n+apizPn9UPYrw|! 
z@xYp6aDZkXw+hjSYY9G_J~B|QRu+U6_VB>c@wP2g2W&X};EkE8>LpfRsBzT+E-%1b zL?!F3gA4&Zd$6N&X7*0+fm#(0xFgskkLB)_+0zGxhp2_dnmhROVD%thtl;Bz>qQ9s z1?wheOA+FmX-Y$eR0+La5rle{-d5`MOcNSmZE`ijKab#Y*8;3knCqv)w7!w0Cabj2 z*6w?Rex$Gg9}0imE0deie#onaPc!Q$X~!rJv0rT&poS8{RP1Z=wYzN>t5%Dm`_rD{ zT(^Yz&_~4A+Ll+-a8W#-GXu-(rICM(I*>p<7YsrK2ZCPPnNZp|Vme9esw#xc?X|tG zqTUk}h}Y9Gpx!L4A~7C4x&^|7lv)eAmK*`s{SY<+jaSN-dOB?Lm(JG~n`X#qZxf`P1c zSPgJ!H@=fg#S!ny@FifF8K@LHnK9;Q%6@4|{DBYJp#QUXS{(k$EbvXZ$h*F5(C-a~ zK*|jBgFJ-Bm=F40BGs6}A_qr@a1qokl)mudsW;085LE4>bJS$|a>igzR^-3>5~osU zqo^@ZvVyXo?V{Ik!Xa;R0seRCy5MYEGnc}gt9LQbiCd}B16v#EG`*N*_4S8PB9`kM zyAZqglOAr)+3Yj-*`6iT_@p>Xxy4dv?_R%^Vx*KT@~Xmg?jU56e&9~VRO%hT^liCl zw^{4Fe{Z!_@73pBqE%K|!5h4dFI+`sFIlUn1Jf5LB9%J`7CWn?(jb3Q*q1Dy3Zrwc z86k*%#o7Jtg8(=}ej3gVwsAWO&ztiPZcscoVLCG1uYk+Casn3B^K*Ckl)>?0mR>AfK4XXT-hD;HXxR$CBgmoQ!b(tk(P@Rtfxs=Sy$5| z{UJ3b@}%dGHfs?*uGjb$;VdFUET6FX*-2{%m!sD`fLu#b&q9*zt$q+`xnAX}OM-MQu;co?n&a)&3NHXyEzPio3NO$_nk=Fz~w7DPv)Qx}uZ z!g8CUEtN^vTyIEFBMemVZ9Wjx8X7epZqa8kpuL0L4>tgVBHHMZLl?`{27`Z3^Da%W9;xS zo)Sd>0cDd1dsZOi>2j~Jmg=?pWkR^~GlM$8EYneE_XWa8IaKVc+nOX4?G8qp4b2RD zRyMIB$~;naYmFLhmK|6gh-{N7u0Fnd;MvgHI==dpCUyRQ{Zw>$(X zJ!{O9*_KH9b}_eQ*hry#motvhl+N0fJqB{|iGO0-64an;_Ytk|bAyE_wkxM%Zzg)j zZJl>R{KAY37QLR#E3+k?Q4&3Oe+jQ^bfBWU5m|fwNaT}I%dU2>-R62dkz;#yqPRo; z`QYpacDgDIhdebL-iZi=K}1jY(Q(Yy@kcHRm!aeE_mt6&Ve&tkea-`VnL zS}4;U=HZiSJ-aD1^vB_Dg$MUSj6YTxx#Y|6=m}^UoNmn@4H8RuM%vxkZbU;O;m=$r zL+o@kdA|1ZgVrUlB0VtTlDg}ZzK|zcwOnOS+YW-+=SmlrCJ=sSF&5 zriyO$w~a_r_e4t-1+BDT&_}u|*%QBPRD3bLFJLB0pYqqyO@oQn2n zS{dR2+OY?TfAsjAwo+0uw~?)S&B!<@an2k*7O?{Q?@K%3lrqp_qmNgP++s-d<^TWn zqemNG{t_)%i~POl{~*)A9!BViM?4l7|NVU6u^z2NFm2SPC-FZ!84}khQy}&F&gC^{hV*+xsO&=900{Tp_83sXMS>VG4|<}3+uMh z)*W-F%+ecTsftH_IQ|ll2DEZq3Sv3hAN1)h2^9iD%GS$W(HOmsV+itTWNRb zB#M*kj|E19>`&5y*JP8($sY`mI5T*yahV9<D3 z>_|`u&O<=53!vbX7`A+>N4)~`RogStsKEoVTMQ|eZyTYv35?BHksVsjSfs;*l|10A~ z34r`-Q7Sd4^2YoLu#SAY-rFI#i~w>0mtK+iGvcZjIr!a&Fj&k*S~eQhx!XU!hpxB) zQ8D+=#o27yOixrW*q-IU?Hw^Al5gxwM@)VWjMhvV41j1N1de-C+J1X}z=5BZ3g~kz 
zMJk0hx(mpU{YRflId@Z|FL}8A!0&qCNKcME2K*@jizseL&dx-pY@_2EYZ`}fsyms` z($|%UZCN%5u-U4Z8cnpEDK0axKaI;VSnHdpYw0Gz(4%^;86Alzd!EcI5aLRsUFxnP zfnM!azv57iDNW($18yK#PFb{(>F!)22;+|1cDX$imr+d(5YDMDK29c^%VPdm=?IQ( z_KJxX2srPw(`}MzbXaFJ2L%`aHdz+Hn26VWBK~;XHM)rDpUW{CQ7WQca~KSZ;%=)` zRcov&_9KDa)k?X^dsidOvEx3FRgc%$9kS|hAM_+4NP5*v$dtp{b$_UXPmc9jl+Sh{ z0Y)hDCXM5nQ74(Bz!nO^=RXBh^r7S{7JVq(Jyb@p{eC8Ul)a*_w*O7x_Hhlx$g$Kbh*Jb z{OU?%!bAFi+xL~=)~+a3JbWCNtv!JQZHS;e9)+HO<*l3it6 z^sqc|bLD8bg3vL6O{b_|yaU7y!ADL2nIk)PGQTv4qS{8=?Av0eOO=J&2B)W0hGrwS zk9|E>?<3-qxP@-2flRD}xuP!KsW*F>V7ySu2ikeRFFuISnx^dSr|@539zsisf?P&m z1B#~4gK=avV!`*~<&(c`g)RPeEC4M(^Db>MS%?6k4l*5a4mmyJ(tcDp26?>Torq0- z#=}Cj{C#9w+6VEF8uVE!(kv>^&P|=Ey|IjsVP?9S$FP0@F16X)dLkxMoMbnQR00l$ zY0^m7R?Oq0ea}aI7cARjL?wm|rObDsbdO^;dhI5a8QSl?k5mJwkQeNiN-KEhoqEOn z?+gy+^P4&_{clcenRJ0&KK?j8f|iz_R+s9yEw|qK`Gdwa{Z#@2O+gjj%6{`ZGgh~3 zqvW}voTW({;h3$@auM_IF(}WThpN0nBXUiL>QeU-xko z{x=JNp~MPp-NRE=CW{Tpi0e86Dp3x#%bUD-yvrbd>CMdm8JEA>Jb*9wb^Ev`Vb{N{ zH`0w;n_1#kKRXJ5eppV}poh!dEK?u}F^6P(`%l$xln150uV;`*w|ofL(t%xZm9!9Q zn%jB*qK}HE-Ibp?Rg}=k@%&Wbe^1U;Q?XpHRp_2rZrJ&2qQW)c-J(I^vfCkw*&)|C zyg4%J9}_@R2UM-SvGkk2W#Yr%wOHWUFVFFqmld}{xvJ#F{95ulf6P}U0Ups}m$lVe z$yWYjq2h%4{*mU-XL+wl1oiQj9zMOojekHuwP3C^=?QXwEzG4KPB8H|hUC)nAvl!p zk3JCaS{4cYsIh-Kg(S@AA*)qWVN{gW(e3OHhn^s*Pl#9p&yh=D?7xuxmX3_)2z#oJU_4sTK|Iplqzj?R@F!8tFZ+5k@N4)$ zsCh1=*QpcORBd*yRif0EBtyixx3RC;0QPaF-IC>-uum&%hJXRHW-+bwl~@d2GiFW! 
zWVuEea=~lkzhMw`X$qCZQq_?u7Yp`j{?zcP*5risKJH1tX$V=Et$Y$bW!GMqF@&S@ zycJiI1_kjV(o%73=GfJ(18< zt?w{(TiiW5DR$FDZ0P;iuz#$N{my<`xqq|3!a)v_R9Z&PdQBFdT(A%6z-%jDS$TH% z&GBkQQKpzp@7qI6&g34nAS?0L1aemBT&xC_LFicH-}sc#^R}iHktoO;O`KjSbP2oz z8bNs5Vm*{!ldA7R8v=#J=l420+T0|HzoHvdBaMa|*MMI&8+oWV>DN$E7j*<~t)X=@q(-x|}0X&z|49N57<@J(*{r;wp9N z$A;fQ{4c7mdqb(JRgGgkt&vc0ksc=Vp9Lz7ZJ!e`Fb$)(RJ7=zwVm}Q5_7hTL*x%D zZuR70!^1d(N|KV^cG62>NQ`d+saqVz6%MW7@AbESJlRX-9xUdbvjK+?xHmxUDV0#^-JkrPE13gOAhYKe*D3JAp zd5y$)3|KaJwlQfg=@e5NHLNDn&1f#(On%@gDX1A&1LZdNzFn)K;r`y~^khfG1%7X< zszd)8@3dQvN5oF;`+PC9pM@}CaHx*R-TT!paO)X%nCavVZ^B4^!&0gatwDldTm0^A zIsaGz)#~|Va(p%%@bKf9Bj*v(ucGp#syM%e^XcK(48<=%yOi5!-^8Mx=n-Zw-#GVa zzpiqeAzHYUyt?Zwlk7I~p0=EPJ&AJ}&AjJ{IzvHsW zN`zB3k8A7vRZig`vdew^&7Dll4?TU(P%3y1takd7rv@e1C-^JZG*<2G5>S4sS7+?u zJ}W%A1_AruiI_R7-enBe%BhWjn`>J%p7)^B`DRIkJ-U#EYhW4$_Z*ngJgn6F26V3b z5Z!KNIB)pkDeD-fcvSrkt2LV=8qCECcDw@{$HyS4jmMcMv5F%x<12kDE;+Y9Zm!tu+>7dK&7qUvahBNr?OJsQ8i*aKn< zy7OsXDxRZULSad{S2E$8>c{Zx0dlvIczhw7U+mkksC@&cUAG6~YC54O>wRB#;DR_& zqQT1rpC&&fhl{jx`wZ}sX4IUFDcy1a>VCB5)mfGfOhApr5mDb)R~ z;N1b|h2q{^xE}|lk&3)3(_vq5`WdTU-Z&ONEF{UeyEinv#oSsNIavuA*Np)gGi3UNjo>)4*@ICYnV|<+^tweY z)`Gs$Sgk4thq0;>(=7R>x5xD)emBMzHPPY_Mirx7b>ZqssteYN(1i2*xJJRkmJFz` zd83)UrAehkeGh(Jx%vwfyXFQ2D8L8^VL)qtoxAdFY#YT8aBxXDsLP88o zdI!!(dL&&ZHw@Qt9^4G)k=qhwQG-O0SHYgkhagQz2OJ5T#1o0c(upM{M5eGPPKrIk zs_K=%85*3BY&^lA?r##Gy=K&)KhKc-TDd@pQf916ax;1!FnA9GGV~l^DeVE8Upw7T zqC)X=V~8D28`Oq^slU7%ac8D9Jb!2A_!$BIa42i99@Saa9_K8gEpJc!pZs!2_vw!c zDuYT$YwayywvE>ZDq)u|0=S^|uL?GHS7+u4Z&ZKjNpnxn)M-gIWp%jy>MV{?GQ&mX zAPw1qM@eqs5WD{+G7fj_IN8U5&Qo%s_jQ^~V{|PznS=3aGT#{)?geEI9MtxH2MA za#YA%_H#cwywv}!jYk@`_|ge=2VZb)24Ts_wZAMjU3Y?SJ&-?CEac>h>fBvYSo|r{ z#(D-;nj+Y+Efn%4s(QI|NIDbpo7ImSeW`sMSb-e8>&s1@1Nl*zX;DQ>NhkC??PUcl zC8zUPQDjXM@t68~|)qbTU{zu57T zQN{VQ?%0jh=4fK#vA^1%Y#Q+G2GpivWH9w=ApAZ~5QVeeX`{alGw~0KwixQ^D9!@REK#iXM z+>$q04XKf74M>rDg1Xy+eYo_7fi+n?`6U6=uCG`$T8<$?gvD?GLbnpTl?v-SangHuiVC!x{`5dR7r<__-4jyG6n4k*%^r(lgANw_FHzACVm2dY= 
z9}n(T&sjOL)H_oPGfE`#H)B!1?%@)LeE1Xg1gVj$b}3F3E>h60}8BfA}lt=_j(}EBpV)_(qA5kkVj6B6b&^TwJn zo)c6(jb*ra6Bo`;Z?^sawfB}$QEm;`FeQz2NT;Nf0@9^~v`R^*G}0w8v`9D7jdV$u zpma!gmvjuB-^LT3bN+wpeb>7l*ZjEG;OyD6?|tvM_7%eYZ3k{AOzkqQuO_|Zf@k!~ z={y#&m<6aDiH=1{ZTqGiEOc5-2eo$jICNmUNhHdLZe96~T;Cn8g=|@7P~$x*oWPU8 z`WT{Q;7cNcWrkGJ_Z^KelRRB*oexn_x2%$5jdWr4!L+gV^r-h}Th#ZF@k#eZQlELSqql7y7$gW=iK++WcK7kOVizg~>_0Ba zz-=dkmQku_34hSvq^_x zt^tCVS9!D7koQ!`x8GX2%&i;E?ary)Xgn9GzL{C5(P7OjI=sW3YusR$g1lADW>U_u zD{ttCnhTvt;Z}r)hk?Q!XmTHDD&7rTFz32rS8H-xmQCuk%e|g7+CBWPVJW@#3xPr; z?5V4r>EeUe#h%X{pE0F=cB}woIl*V< zvuZy4IaBKXlp?4JH&}6T^*WAC*si|(=)smNdp^cNPx8^Gycb3{I2+AN6PGwa&T3&bh99b0e5D5@>GNqhq-a4cB*GVFcj$ zBu)6XTL^jN_JPNOMMLEXBz!rt*SDVC@97x)obpo@US|_GiWye-jMQCC-wF(pg9bmM zbI%Fp!G?wn@8aCt&^P+(Z-R+)hKNKPTPNJM$gKHQ_`mV7sni}szZ+*QJH(g@t7XgWx*HM~(^Ved8L{&#LY6Q!^W!UA`}2mlR`*Q&*(#3DTzk;bT}gk?7>X z=K8uy@q3poVA4P&3eKqsc@I*KF^j*}hd`nl>kWiE6nRj=a=VR61hcDcv0Kvst3`@? z?Tv2j_kiQpHft4KYTDLUI0p>h^O&3huv%WWa&gTOqp?!jBc=P6N#ux^F9Nv)q$3z+ z%}ftA@HOU|fEoI}zTPgXM@_64Sbw?0b-7BJgd3*v+WoBy{o|rWfl}Sax4@!o3(U~} zdT@SAu^Vr-CC8U-!Q?AAejdL|~_h9(Mky(EX2QgP3;vzdkZy!7!cyw6I6V zBu~n9LWDeTX5c>`_`K@~B`3HtJIchn>U_0Rcf2jRIV4Y7tux`!tf<`tsMS300^dX9 z*vL0r&-C605j-+(-q*-@&B$x7+stuXGOJUlX7l+~NmKL?9b?(Zw)XWssG+9@OmnLl zLeK^HfrI;_GwjYrs%F?F>3+FizYIbj+>&@(xrS1}QE*9%b#|CKC9E=Nrh)A{W4Uq&M0`8RxKs-QJYga?^;T;+%Ce{wAaVDdX`ST#R< zPt~FrtW0#+f_c6(S1Zn{(}c&YK6Cy2cs${NCQKdwh{Q6yW!P@L-)Kh}$OT%K=aP?) 
zd9>bCS;_c(L-U*d`&df>50;pA(xMpbS!4Q0%boZbe|#EjV5@ld$p(Bb(Qn-`#WEf z#>4h$?hMb}ZFOdch497A%1*k9xAIZr^RBA$*~!uB!?_b>aoR58fSJ!4MIVe-q?g&= z#}dZ)>3%!%9j?x4y(_yhQJc6jkSgrzv0glzEj>&Sds8~*a>rA&=-smJIk$V8Z5xyS zsmbeVm*>_@qEFH8V{kdIb${ClHQ?kq9N(4~A<)^=sdsp~&uZg=Ha4O~M zb7%rE-`srJ9Eq`-b(0y?{~p{0kOP)1bR>;xOE%SF%~%&ZW3@L|q9!xj4~7l*OCt!p z5n0(AX&FH6y zo(v8N)zUgeVKu7^(?u2w)C)pg&|ef}G@IOz#yweko828F$9sB9z4rC`awW0khSrK4 zg;Qi=_=pkLXgXHTo4v$8B=JpC4Ptb?%QE5}$^TXSq8^0fvBBmu^(MoJQ4FXeL33%{DxA1D1x7h!?eX=jEN$TxTtP|#uMcRzVg z-M8enJ(6j^cLl}_I^-DJNDxhamwE30E=F10EZ<_bd{BTL%*u5xQ5@cbT(9vRolCIz z0tBFIAxHO!XxNH%{e26pGbMfx?&8yQ9lB_tU|(?{G-gyxOSjPXj2BrHQuHi2qImKxTGoB%L z5I%FnzGmR$>zhD9KyV?ABZX9PJN_J;H`%SZHc2{=&Cd0w^mrW*%nl2S%mz&Zix~rlQPUJK) z?`|>sAsxA|Hv$*oa^hIEq5;1!pFSrwXES%*sB`7RyySX<^T4U~c+q@I^gALni9OHa0)j;>)_ z%hgeJbI@8F#_wqq`3`^!mL~|MVrd5fb`i?83#Nf@!xxgy?TowYg|GdxXUk1}dLAA@ zll$dNg}&` zEN1q;3wjt-wuqjEJ3pQ`g`GDv(Yr1!g{*b!_o#4qna<`r3wia){pKWc{oDeK#7aayav|By7 z`t@-WlKIyebxt)xbfSzMNK;g-qnNRI=a}-q^@3pB?^%p?0r>}|4K4ZM`YgXwkuNo| zSr+`@!+VE>y@q+Z{Yd)f90$aD(m?I;L4%ng;!ci$?N*q#ia@0fjFc;}n5x+Z2ZE36 zUqxaQ+_Q$u`V&6MjWp3V<-3LdgT)HT%}V8^;W8iNUT*7yh_)JUqCiOb9VgJ!=iD!Q zB$6w_J=Q8Y>lw`*Mk~N^mZ^!NkqqHUu9qtkdjOK&E2857%2e07Bs;C+k?q0#Om@f; z2Hji_{Gz%ZoKaI2tKK#~OCNeksOrKoq(#JMoT{8GrJC-=f&#$CzVtuu(``G>P?!D8^M0>1m}wIv&#-38vT9DJG7C z_Vr_?oi=?cFEcDcehOJ-`NOP-({?_fl0h!AxsB2~#78BO2%WCnGJztep}RrzUVjdH zGF%G}gmk6h^bGcD(x@-R@f~G5??>)v@Jwpr`}*tki@;*kepYQx_wx|_aKdyhx{kCX z!|yT^jOk3lKAvgzg_!&N3b1KKyTng-hUYuHsOP>&vN2}JtY(Dnxt}SG)O*!FcClyu z4rOaLwtM!j4;(fU`XcMWJ&iVy&6gxAHDnVDNqb@-Bn2c)v^$3160zFz)S)WvHzjF$`Yc<=aB6oP7B6$mWy-$uqzPy83ip3>Exebu* z9PUsSDBog@4#;Y>q|#Dtobd5B`;{e~Br1z0nqEYtVdC#iTpDW9- zmh;B}Mw3~$jBaCc5$=h`#uup`woX-SCSBidW%`ptd%2F^A{wlA7E4Lh-l{e16}-Jk z%u4O_xL%5BTgJpm3s@0-2yxr5Cp_CjSmXsgE@BaX@6-*4ckM(kMMN?g`D!y!n8OGI zl>;GYIUIXnG70|M^>P3#M|ZIDNA}H`^jCyk*{0qqI^NX_m)5t`G%0R_55wx~L>BE2 zZmd#op&b`SLf+v8ALczXSHr4CV--DpE&Ag57(e~c!gZ{9KO;(N*Rl8&G6=!X{Zt(o z90+KcGqvsobR7-%WbyWfJ=4%%trEe}k-d0y!k_SDkw5wAZAM?0&E>n@naSZDb0V7F 
zb&>09W}%&lrti`A)i?@{*)Txb%DmjcwZMN&;1--FDJni)1t4N)O%HD4jL1^!h~DcJ-m{tXtP_ zYm;ogzi!9S=zElRpW(DhJ}V$1GEmp(X>R}uP9^4M7)4dqAFD6J)Rw3-nVpW4;z-lf zkeKS*>GF8Qu5!lPlHw_KF?mw8+}rUN=lOEk9nf2??$`Mxdj%ThR&#qREwQ||Lf55u zj7p+>=vUbz)`GoW9*3BHS=v2cZI>2YYhA9(pP2EynA$pMI7jUa9uN+dgEt{1ICSo`raXTssj2 z)@MJlvEJ!>5gDHSm2rShdWf68lsAc@pf=w!Z`Ge@g^G}y|X(kJk)TNfI z)#XN$stGsZqW+pfPD8m4ReWc5(%yc`;TuRWw11vTY%$B?Uj0GoQkY23DGVbsr_c511v@OmjskOL?)j9rMwHthsVpf3aG($TI46~Pd>tU! zhSGo|#~%`LIQmJt?Id%A#J2Okp8mO=@Z}qfi2g_(PpYraoI69zBNUx1cy`Y+TsSu? zi5M`ZL!V?KTsD?FoaWXYTnKpxr+&eTeJs~BQP#97!mfDVV2v>N;!2SCL_?YricAhziOXK9Wh!(4()Ny z8}%7qH8nbVqBAYNgV*~jZd+<00+;Bly~M!ZBHi}6j7snrhbM%ZAm5LSU5tAJ0qQfo zHf`f;BiewCieFG&>V5|AW4v`(5PHuux+s>pXFR+klEQv zKkhlN&yrawmBWa+?ty1<$@c0}H{Q=J>X#RqV`2s8$}D}~8)fap4B>Bn&S+9@i*GN$w$})W zY_PrFbg6Yb?+TIlDv-Fi=Uyz)r2!|7px@qk>G{$iE6Lq6>6YDa%f^aqEabQQZi*sY zZm3nvE6FOu3r`gcZ)e-fF*(McO0>!ZjDn&Qm)_GotYA40uG zthq+W$_F%SZKr9SeJ!)erc4&KW$16_%S~p4Kh3_(c65WLS!f^nJ)j1?m~r@AVTsT= zN#f>6=5hZ%$s?K(B1rlnEwUi3f*5mI=s$M%zSu26sve^8cP$pa*E*oxf3Vx9|M zr5;WSSADU!y!4<1eRE{A^yEdC?H3E3uhev_J-36iRUCxb4ymUW)0aq4F@o#;`H}iV z{~d`*_x3Bc>+1@*HJ7hJZ+afy3YWW%m1J4ONGMoz#-4uC^J-z}is2u?1rPd-=E?YU z5J%MkjUNUvcPy|s=#ct4`;WR&!d@YcfpxiIS4QXiK%`f`doDO}*BH$i-@^259YwV= zc&eGkMQyi?4e`6+{HTR#$)XW2t>znY3Z&;E;rxPx!x8j!)%4JscW+p_maDee1Zizt zDT1*F!@nsA-^6GRufDp2IRAWwGr(Q}>ATQ1!o@R{kjQ5}u2Vzjp0C!S*3@y~0~$y;`GI^t)rVo2{a}_)!g1|Vr1Ap4w`!EI=*D7UUP7XvJ0d>> zdxv-#d$!ifpASAP{gFd(HwB19BBV*OZ}Ur=$ll1_L3grTJZ!PQ`^p`=h3yXgD>>1% z{M%FT?qVT;Amfjb>d!hXsMCXA6yPedZY7un2+zFH z)0qPgRaviHE{Jd(S=t$A{<7cwqirFeQV9Ce9&hXKCue*3NTky{ZVqVyOA?&Nat+HI z3cZW))?wF*bC>&ZklMALIE9;CiW?=w`wz&SllcGj&6E$|lEfp?i!5@AR2u!G8I+lf zSr0-x1UQf|Uyt&|K2nu`s6a#*ZyvYXh(I1mhqiu?d|m!uKUvBjaLNr$zDsKWE0bQS!p#cx}fF7dE0Y)q{EWy2Q}^iQq3iD>#>ZOqwQfG z`DBogVm=mm7pEPR{n4;5AAgV-gPi-N*?1A#U5vFxwN+Q-bEr|<)ac;yUC?xD!>wJd z(_YHe$^5N4Figf3T$}wl?O6(vRHXraw=ruuo#(k#wPUn?Qe=C)sk|{(5jIjVFLI~c zOBe!?t&&1ltDccS11+;Llx;xX3{oIT`CZkF2jV|%ToHdU>jCoqE()QWn3$-Iv~`(} 
zDwbIV<$bBb%{zi14tAta3m8K1QO2hjjJQ#SCag;N+k$doMX8?*-N?nkfaZz!Gi=Dt9ejz2iBsshUsMAK$QbxwWS zRDL&=rmJQ8vE~=~ivpW|953r+)wdpZR6Z)Q;<4&1jTn#_-5f1S)v0qPXZ2a9_}7$ywZx`T9wke?P^btw@bxLv1}?J`iIZd+V!-a+gW%@T$n09>yd^n zN>t5PE-^h8bX-yVc>rA>`1Ex_kZ}5VB+v`)ekMIwL9tTnK6V(w%z2`k_gdXpHkpCT zd^94cu2CF=p5X+8m@CwHINeT_*K^lGtQ~m`0fU%NOg=Ate^%#~rQXpZYPa#?1*0Vr za(wI0OXzxY+`;mV8R9y#bp!4r<~c<4kN51}cBS6zm-Q-T7Mgw8%-;^H8U|i2<~zzo z5^@Rr=5>I1-7W@4!ewRFu?+5s5h1gRW_!a;)k;sIg0WmGwT|bxBrhOa*B*bOWNSRk zDQ7k{YWpD~=s#CN62CSI&5fjc{4WN)!Kf8F_A8cCgG{Bm0cFj{&AlgQOZ@CTf zxk?xh07SsW=1*65yZ$NmUN*sPIx>>ddvpO*DvBhglu~LBoh1lj=RQ}y6?WaebHCf&pb;Wh4GQx_;!#9g39r0)5x(( z?Sf9L9wm-wl=mJMDyByg^R4#=dJV<~vb=1w8Ym`v*(COy@l8XGX1$|wcT7R}#_MR< z(ES{(T3dBu?hiz?tV#_+i$mwadMs@}eW?66bywuC7By-=&xKMy|M)2#Vymaywq>() z#_{+_Qz%yU~y*)+p9HW@|YLvR^BLDzfjbtvxS_xX(N0IKv{ zAaZ=xNJGAdBIcl*G&1Ch$N2J_0HR#tm&!qVBD{l8exDrUzNyXcCi>k1(a@LKJ$X1y zjHTo^$^A8Aox{n~5$sPGx?G^o>$uSoiQW*622erxYHhDw&YPD>SHcvZ(ksre6+lo- zr_-a3UMt`q`Z}eX4C+@2m-tsfoCI8MvQ-~_Lq}w8Z9H7A0TG?2A(H8CHDosoqjg|x~d`|gQT@kHkOL8xk;n)JFRDTe}bYe`Z$YPO5Fs~kID2s_QUv$o~^ z$vqF;qWf!}cTho7o6Hj6(%*Vx`<2o*x9|_i$5=bd7tfrA);y8qVnIunP;BR@hD(Wz z%zmM9Ml|G0=7fkQv6cRFceYW+bwl%k#ojB0a9n3&cAgbY3IE=4tX#FF=7(8r$inDf zcKPP-xfH%>dNRBbf6HO`jbXal;y_G#*o9ACmw}RHy9Auc?Q|bainmqYC!1jtet-F8 zhvH@iYJBGGj!?E48qQfc3UmO5%NJi9ZwBn=BW_)b0bZ6EOsUmgQj`K7WTiwzmyfX!|L{PA+)NTG$P-7`jEq*+$QzLXFHl~nkL9B z+4b0gRRaF86#D^LCe+1Nat*Gg0j&TDJ}U2kB6C9fbJn8NzAU9LgVch$h?dVW z;6i?|%ZdaPf|2MIP9^+dyQeco1DrVQIGh2-N4S;oa~=RoRq#=hiS1&+`3r;#Km2h? 
zr!reM0gHe}rK^qE+V(@j!!#pmb5JN=6Em!@IC=Up-G@>7aAZBh-Ki^g%bqoi*a3E~ z3|&$xi(;A6loJ%pX@_LB`355r$acjMsH)SlYt_{oV#&@);?D^u%H8l)0??Lmzl~n|&2>asGDBq{n zY42!`y8D{{^^`V|SxV{5L^{^Zrb#Jvv z`~s9#@l}uAma3>Fujd=rovS&J;7|os7QI#5nSuQP=Aps;=jzFo^Adtj9%)p68P;9U z&1UXwJ+H{VP18FZoWJ&Q4>(1gqqcrDTh&~=fZ>xHQ~U-I6C0h+*Bzhb^~9mACl>KB zP)1Lw7JB=gOKaaXRl82ksX*m$@8_tj+XcPDi)n)$tSRfA>zHYFg^lw#oha4$s}E#8 zr@dO$aS1#M|L9X9D#$BC_z_9{(J@epdb=5%LSE%EOyLW+^Yz>Fc{`?hmepYZglWv8 z9D5CvzeEsc5lrNIsH&tG~;3`tca8p;M&4qOP=iPa`4CELxdf2d!=)m z*eK%@X3K^mpoLHx|B_P-Q<}4q+^3T0IVKK6k0@@m&yefs*F>D0yuC3js@@&s!%%0a z3u$$kH=#!-whVP!Vl=)1!uUOLcyd3rNRKtyLUEhZ%-O5seUjM^IBLqJV=5`5cF7J$8v1ad~w~~|hyV+tc+1E2&L*9U( zJJD;)SkuoeeA7m=4Ig6aImyoiAH*HBZQ~ZBd;AfM`D-)61kiiwd#e_)ka=h1i`63w zhvGsCP1k%B1hgC|6_ag zYo7&sw-FFoWc};&e{9tuBUs>wnYf?jA5+}j6GiC-N`YaR`A;NDI5AjeylhLz{?`@< z1_c3>f&=4M|NCM5HCetC2Xlbg(+a%*d?^el1upF!;qMmx)e2^Jt$^|Nj;-3xyV_gX;GWUKew6;#w$%&4HWn0rdTxCsJiE_XJV{i(v%ai~5kK#r$yWfaGx z^(F|PEhTbmKMqj*T1gqJfxh%*n(kK))i^HGsOk$F+Xfil|4Fg z1yMFWH^ zY+oYJN?7WRitEV++ZVHOWdmk$Cgo!NW9@p^Yzxiiv3?My%oX_<$@Q05%RZEQplaDw9pDT>H??Bm4LmbDk#7GX8znKg6`rp%|_Sf zYketMI2FIvb7^%%rjoLf)lU$jZcajt3rD$>SOV;l$4 ztNn=@kC0?smA5ij`?>Os7r-D_r12zVC_`C8#^!1QJ3+`O<1PrZsl)8;zQ@~bq;k(a zZNM5!c~J9{XQKM;xcuk&(g@d(!_JeU#MSbXFrZIPAiUd$aXJh+_uOWy&PUS(+&5{S zq^FT=&XPTx@W=vOk^nDaNyqQ`xS{?w$eZ*;*%VLgvw)y~mb2q{AfB&lbMcIH%p-8; z4kY;eie5Y+-MzFTw0X$|5Y680RK(ny z6GXSa3uWDd6hKZx%soL$(fbnV3IgM3Z2|G( z2RXV5gap5MfDzywX?tP+Nj7D_F-hsUJ7AOLc&UqB``D#hEI!4%m~%&p&sYmZa&IN7 zb-#>Ft}y%l^7E_elqaTBGm!)gY9fd8B}k6Cw6mk;L%ufoEVD|h&SA-0hyJ2YtKCKr z>eymLiCos%Y~8P7j+Sh}E^>z(c~^kuV>o=_FjQw5V50sM6ZI#M3>xlkZ@^{dSM=jT z5Mq=Shuhvkba!7QI+DG{p4SiJiLTV6ku-OQ%2+m%_s&8V;j>A*M|8P@C_fVPMg#}j zi(UXlJN?_ooZk}JreK2yQsk=5XX@Q@wH0_wf0ULbQ~c^>^dQkUQUQP6Kjc$);e%I( z8yV+Q?OebsH9eNEFxgI;^>Mx~DU0?~9bkU>*^T zlrRN>!ZDUUCdp_fZiZQ@5r7OfAvB_Q(CPyFC1e}50QaS@4YC>ke#x7nPb~5LJvW&i z@S`RHPlb?g69oCJ=(p?m5MwtYw$)1UR5cY zo-8Y^Q}gx`)^qRnY!pqhNe!4q6ZaQ>D{;)Db1gkq_(t!#9$4r?uD{q-lV3FC=}Md= 
zsSkq;C?KoE&<<>7omgK54--i}5}2b6+ZlGJ)6HsP7?e1tN;XHWDeqMB9F|RA0^`bW01mtJ*Y?I91zftRyu#@wo9nueXD5I-8S=r5uQgFM#Ao`1 z0@ZM;Ynhv~_U(YY>F3N1qFJqsZkoTuf^vhJ)yCO7J{?9NvbqYR4bXFh%Ln_Q>;0$_ z7mc>B8cW}fDEYtM@iGd_JI>i4HiKO-9;{l$XAOyiCza&&;3mb zB1L)y(pQ-@oSPqa0I_T;@Eqdqw(8V;uKG9-)y!l}h$~IEL4?%=nQRKi_Tu#?ch}pN z{g&gF8gE_N<{;w0kVNh%keV~mq~_o+>gOUTzuP4U)vwu8Oj^8#M2{%BJ3CS4ITbq2 z0cuY+vUrh0E;5`8L=t*^XP2+;={E)$(af0VaS zzIgBZ64r?0-)5CNnOM&DpT3wFP45oe;ibo036hff9BsT(TNlYaZSJk+vCK}ajIV1- zIr&&pZ%$Nq!+l4yUuHAqFT@4rGy);(0s7V}(ebTybRT4gAP2UUzC_i1;jo(kr$HAY zC2UVm2MMwUPj>Dfq5H04-kbVJySJu={(J&{<|>b>1*6(2hJjVqXkdx8rFSxO+#{uu z4G;cM4@K2fnYoJz*gK1fyMr@`q%2rCB_X!t%OMkbA8kGsiMbA{nytRoovbw|00L+# zr2A@_`who9t4^wzhiz)732Xi6Kn|;Yze^UAr8cLvQ@#Cp;t7+_EyTVP`^`6 z`oB813)r?h2{z3!soa}*uDWh!PP6wE$z{n?<(`9+E$B$oy-_@2(QFTDcL(dbqj00) z#lLrbM~mR)KD+;&Y0y=d91Wd?o_#Y(&u37ZlII+*bO5>%HKD&A_H8 zHHTuQ%qsiMsXn?21tM{I;H0=W;V*_l_awqmqWt)=WI6;d(`MT*Kaz-SbtV@p&+un zINPOh3jQlzWuM{B0z~|FtVm-}x=nRNBU0G&+1IaCuc$G}C+Go?T=kCX+dG|RN3EEj z>$1{K((;0_s4!Q zrF51;?bdP1-pTiR!uwk@guTN|h2&(;^;lEL)<~@fS3}kdx{v4H%3cno&?Ad7=Td2E z+pM~t>X8gk^y)xSTbVhKg8$moDd51~9o@Y_4)EfHHNtF1jMkSO`F_I4#YyRAZv`ho zp8k$ppmbi$2e?jKrpw1y!%XI8W+@Wf*>px}VRwXvvz$&plzR07UnBU0fH}uzh3_k= z9sbGQrOj({(}qZm9xq)4fPU@p*;hrV#I2Px*~X7Uu(f<4A_;_Hu-;0}-(rAD!JD0l zVYW>oI5yI?2)WC3dFM34j(!QuX=8JO^_Jv_V%3U-y&b>o)-D#6y;~-{JK&?{8@+4J zBh5M&<4Ha{bpUf3OG`NToV+!(RV;M;7AU@A@r;2dwx0>92FS{S` z#AN2#bfeewb<11FtrbiD;JIb;pTKwI*!mqAusqyC!^GR3#{QVVHVLn@Xi9Xw#5_i! zyFi1Ec}-Q|@L@c+VfHq9#@*-n{nnHRbI{tq&IQBJfM_4b1SQyuCWitp6P8)QawHR^`B%GR7uIb8hA7;9CZ8h?HGL)BBMChT_!r-Bpri;L&%;}^n|r`Y3Q(3o33 zV$te>RYP1g|F{O?$@#R^(3y=HW$=faQo2oua+T~=!t;} zSL*Nd-TYb2;q^8CVjL^NNVZL?sDn+%41Fud@)sYO9)&-*fzA^Mk?!<^;yAg_g|2?? zEoUt(zWo5R#{5*&M@1i@4%5dPOF$XNgDDgT#0K4%|ya&z}CJuWWY1^#|~Au@0` zRJBJ_9?ZYr>HtHD0p^n3?_od_2a7gNd)k`r?;&YF-iy*@TlD??-yf5K^IjP;zbyJa zD3Rl0(S`{I4*VV;-${#vYr0xC$NW7kwHSbpl_4GQ{{9#%3UZ`O$xb!S-vg7g>;eUj Xh>Sk!{dGJT@K5@={Ig;)UGM)7k9?wl literal 0 HcmV?d00001 
diff --git a/content/WebAuthn/Concepts/Enterprise_Attestation/Images/yauth-ea.png b/content/WebAuthn/Concepts/Enterprise_Attestation/Images/yauth-ea.png new file mode 100644 index 0000000000000000000000000000000000000000..d215ec0122a2abbb29bb10e1d1d670aaa2663dba GIT binary patch literal 57899
znQ?n2RP#%WoXseYAv(9)NuNW$Ils^`TTxHUZMP#j8TJ?>xK;&B?J+bN&o{~(?lV&=kMTc+z4mFvcT&{HFyQAJQ^tALv0 zAXt)>cXx9{@P00lffQODq74)a&A6ee;#neaSBlb5wTACUyAX_hiDBr;?VWBtGqB)D z(;}R;ffHxhR@-U5`H8n9Sq9_7)*}`0aAIk!rH&h%+tbLXFI?I7i`LI1pkDETK02lH z+t!}Soka~uy$ILeD&=tBe!H`tfI~eoBfqk-$#I9Gi4~Xg)iPK;Q?iz%!tG9AYq+vl zTdB>bJp~0#ivXw)^+@B|spT;2YZsGTPD47II9en=-&s-t;ku$Qw7xw>=o;RvV!?`n zh6>~h&oR`B3+~WCEpSV6r_(X}jL0H@e^fVHe0+WI&R;NLbwf3Ybjmk;0JnEAh!lm4 z=qlEhFfL;4T#JVc1EL{aMbqmdtl_u5)gz`L3*pTS+4Y^jwOyx%ghguJEByL_^c z1P{Z7T~4CLqC4uuq+Wb`_1da%u~{BnSi_izaR=}yTniD^D&YyPw64fiFVjy0$Gs;E zAZ|+QdvGpfBfM9V#&WXNvr@g>wy>ZITB`sO4pcYx2-|whIhrAVh?mI?F_3GLL!{mp zVbp1{ww<U8>t?rWLfxcQp;S$DTKLEn+wwvm0J~V5YDR)0(`Bej3;y)ilt>F27#I-R zNd;iK$mZznpshchcp+76+{-4~?K>#0hLTvu947*iYzN7<8{&zALku+nyF) zF|o#Yd!6W_ByH6(tHi_$f@@w-h zH0yEN0i$+?;aI4$y19pSy{%6oxap}|)1DV^uIrsrt}Ez!_NUYdvW-|vJtXt+Mc;uL z;ZCfbJBZqo3JvGPJl~6HfF)LcvOCz{)lO;HuWhnY$xJbrt4t` zsLztRBegx(9;Buu4Muw`2*&9<6%#x3Z%Rh|Lm3?DCKG>T%SKivj{&yOe zYuDaB;C)>tMd=-BrMFv&q_%t!y=WyykL-8oou8- z<1JRtu>0nh#vQhA+i;CzhKnnCX2la z;3M)>in%Oq#C5rIDhK6ZkonjNHZEy8_dW~It;d*DAg$g$czoVw*po9?bH|?>R|O^P zv#ALOM_0%=GrDJiTQtCs1O%HLeau60yGx1Nku7Oy@H!eNzXp9A$}qMN z5WxN>vfLIm3;@3GP{<5e(Ff1@3o~?dKEnI#MqxvafASsLwoAQoT)cS`Jf$V9vwD483Kv|A1 zc8y-60MFGt=eP*5)>*h&t$W;yxgEWkuJfTU#M~8L-7jv9#tl*R?7tivbJOF`trii%vk*N%rJG26SXNednjqY)d6I!(o=UQralk$+#x-i;&!WZZCh|g z#0rZYD+8$v3jOKPPteu=4iP62I_kz~^rh9>K*&^#S)#*Fm}rPt<>C6cE@po0;s=vD z48T-Q^i@pl`#sbBaJSUnfTe$kP)ou#PxD+Frz5R>JRJi(Nn}pksBGuz11axBT^jz*j*8$iC%#-?tqSF$Bx?;oX#$^b@VfXVrWHBa_#Yf5eIJ* zBpxNMYk#6IVtJG~Yd-;N30UJr>p8$ITIWix&_i1o9oHugCOq(KNUuTZ)ke1alxy{d z&SHM(NwIsGtLYH_RO4yc=Zw^c*dMh%^cYi{xu=Q+$;yhGcJe+vfBAXv=i~F~itV7P zeG(gv8GkuKXvj_(MMODJDlWpVZ(wiONmJ2|?8I!K+33_IDdHB14P7?4amGoZd|4rG z3INCKIV!sAbRQ4TvfL{)5mH6y4`57Fx89ZDbD=zl@5q_C7XC#u{y1s@GgmF8J)Wf$X-{#0#>A7CW%U4S+r{~qk#oL zA$p{-HErthG_XrVujMjBY7~Qr`ZR35D!{$KuupZ10RA2f{vHt)sqj9?qf+zcjY2SM z`1R)5u*GXvmlNKa`D~PfUk*7*^n}&*#_)&cTxxO|FY$o`o{}!);mrQ>ir+MY3GWjS 
zF$BkN-HV0un4k!gTw6vvex(pI4pY0V*tXC<`2ui%r*KgOR+Y{?tSN#e(Eu~Z?pccg zz1)vYpoWMEi}0AIY3b4#Cs|CQlLju~&r%bUeDnOtM)l+!ZwKoF8Yn)Tj{fB+0S&>L zlXukzzr$H2yHvRcDPPzb-_DKCJNf~4lrn=vZm+sn`F$>kBI+Q?M)Dq5M7my&BOmEN z5&8hk_fY6ph>Z!!6QgPPjUzha^(V^%L`bxRDHw~EmX@nw8!5|v=4!r?bz@fuoOFM& zPd8NsPRA-s##TjVRN&7*xqcUkNGTgZ)5=w@BwvPAb#^w$%HPMF=A@_t4cQMk7L?|g zTrdmN7!38XZMMBKfv7bUIY67Tn!;)V7 zeIKnRLIsFNu(GE?^(Eh)*O|5;&+ze$76~~ab9YT*naaB;=qJaS_(JYfRsuWqt=&IprEY8t9@RW z_XYc#ag2mdPr&M$RPu7K&LiU+3RR)3Y-~KtY=N7E!>$4MtzBUDAI%cT=Q5X8d#>sW zA$;ARKOpq#rv0v+-wCmZELk-Y%)01;!}T0NtZu0-B!s(gbD@cU=p*N_E?Gu9MQ(_k zmu^tgouKfX$1m^`>Nz)R}g8(Ho6N;tXQLX1=%p}T5Nn7sEVv@tgyIpAXz z#`O5Fk}Tlmck222Rpp;wTOT0t^G%sb&AEl!rpBB6^8!>zgc7&iw4 zS#`~~@AM+i6m~P82}Co%tw7d&-o$a`J#FJ~zS`7df3}Z{?=GoG*$}7bYXCwMhXG7( z>o&8mw1^(zd7>TRGOybT0V`)C~&$UfWcvsm6jn1_ITazTz}pFrSBIv5CFPs1Tyb4xRqtHu$MOA?~|a z{gIP@ReHs<*4gFY_-2~m3TdPTY$AfXS(FSv$D(0*oTifMQ|)&q1Ht{ zB5Uy}CKhIy)$r4E2^sVo8APtte*hDKj$Eq{hR7Vr)%t)D>l1Oa0=u7NRLm>>AShb{ zDW{)-mrOG7LqBpFoPCaqoEH&reL(bxl(U{sca|bUsqEs}qLas&_buL(g|i(QcTFWt zcw=>)tgsm^;sEJa{ueY1QOIkGXrUoDVBXm036XiErA74h0)4;y?7uIy?q9Yo1vs&L z04~q*_|vO);=EWBmICzHzU!e!knYnC%j*^t8#O^qW3POK#&JdQUKFhDHyS91xs}a9 zVwxMI9j8lxgS)2rC7k`}=Q$L=)^qHL(2v!Jv|fVt*-D!IT$O=`{X7gpx|XX418z-L zL)~9a_6-gu$uA5hJn6xK(!cMk@M^aua~~1I#454p;B#L#w3#WWA9YG5jGp!RVYVSQ zKs$9f@q+Bdmr~7>etFqi|DRNPrGqAQ&aWCy9hsH&pO?W>lAWb$9HwCwn9oF(cYp`==(_^TNTs>RETy+#AZt(2{wIl!_ghT)2Xx@ms!sQzde<_c1 z)!w8bx7}+FYmYYf4c^ZE7N=WE|B=o1;fy!4^;kwn-#K&G5xa( zAK-iEhOlKP&F>p+bz0X_Au77t5) zT5~3bq7y)`mE#^!j7t`3!^{nG1`d2r=G4|%@Woyc1W7FQ>)d}|_#i#SIrGmHXdnf0 zZ2{%7P%m=8y4zc&OUrVvyd1cJ>RBS1y9C41ri+bn>)V{q-ylT~^^WIVC378<(<2Jh zR6vRO8B7i-Bs%DGo{DO+Usdy8u}SUw*_NG9j2rshHgT~~V)2RfOlt(B(FYD1aYTQd zNIcXZvs~wj1hp5fd34n{&eF3mtFqN%Q#a2w1k~PKtr#})%)Ho3Ok|$j&=z%jDsOzd zk$3!KM-<4|#w48bB6@emRjlRKvhYn9LPunUuEKBwNR;BD?R6`a@6MOKrt00(HDR9< zMF$`~kBIjqnzj-WoiK#L+=7sQMJNcucY4b=9&s;v!#vmf;r8=A#Rvx!g zJIM&xy$iiE)YosY(*7YTi)q1OU+H=xSFyX`uXa9lGPfX2siWlZaikFe1dfYGRr`~g 
zDh%lfstcF$Y#tQ-&@~IymM3r?>X>F{lo#xg@$~2#ZrgqSGlZb^^PSb~z#&ex?(mM& zH`V`q>kaWsALHuC`19GdObVUaOPn+B7ZTZJEn@p>?U(AERW)3YccjnB`wP zGulw-X?RFcC+JX7)5NyEkW~Td>?-Aosfm-g6@^9GLPdTWetB-EVd5B2SE~slcAHve zHbwOr`S=Mu<3FJw2m&D;9UUc|!aRF3mV}Ef3>(cO-S*=NA3q}XaGYY+1vyO=gjJ_a zP1W=2>zQ~dYOct+DmXPmesRL>snqp1(w3^m8qh7L&A5QV+n8Rw<8m&|=fY-@_I2MZaMuXKSWb4+rzVW#BAsY;>z0TW32dx3#n?ZoUHE_N=3DinX> z{2PcEsjK%pHzEl)Xz(h)*Ym3_j{DBoXirR_K3jhXg2pIScUC6-(W}i-)BODWEyp3E zs3Z@GZ~Z_MHMb1|`;^=tEoSc|3zeh`v>F>&6KMlEW^yLoh@7aeV|NQ6&(t}ZB2K7> zzikPBllN3oCbKsqu5dY3A-isSZ8MTtQ1yCF&N$$T-k};V6T(XLV*zvEu1&RLjiJo^ z|FHGeVNrHn`!EbccX!v&11KOJ(g;I$x1=DQLpMkxQqt0hgwjZ-NP~owN_WHW;=Z5z ziSPaX@!&YXnQQNB#ktP4_PO^}yJG)2L;e^IVYlebpR^<|nyR0zdJ?^Pp$)A%#Pc~G zy*mD*%h5YLEZ?gk#PI0@vLf?S{WxVImKT2_hkK8SPru#(5(NY%O)*;N6-?yhyHwXtIKCorc-}zo%}k-$)ju zVFaf6Z+u4eRkTnlxou(B*?;KB()h%uvdl9StyxY`%+eM+^L2ocXFT=pRe!PNc**f? zWYb_u%@4YO$fgXD2j1t-{>>T8bnC?4sMWe0w{R)M<28qs;YFT6<_cZMdeymCe$508 zdsBKGbdF#6&Fs83O-=Pn?w_ojH!Rb7e5Y&KS`cp;`y!$)Uv=6O4&ufvP2CwN`Sj)S zm_fChG@Afj-M6Emz5KVg$9JOo$Ndxm`|pNg)@YLmJ2~k(SN`a%?Z5qUlQS&J+NB-( zdL&FK4aw@~?8j+vKy*9p{X5+*{=A?KW1pLcc8xpqG=Si*5~@U=9upiYMlw2jd;3EL zP;bF-)Tiaj;hvTi4Uc%i$jow`zx%^OvIQQdl#%Piq{vo~|2*nPjfLBjgo(4Y`=e8! 
zbKlzl#g;h=A;U@o-7(wb)kpbkSymN6XGdqKH8oKTYlG)L8($({Dy7F$`Q946QKjb@{{Re)!1vexE8CN=VvpUjw;s{fR zYZ20+X2K~?n7ET4R*Rzd#VtEddmld`MDdWz3peA!;|s{_OwtGu@= z9ar6?3nR2=e`NJXcE(F`w2v@f4pn&>ULy*|j1C#Uuc`kase)1HFG&qn`&rO(TRD7&;lqip3XWeJZx+49oKBA;vs^;f=nbEo-&B}I!1s#Nnr zw-8MOj%T}_G2MC^t9LgY9YK&qEj-o!)$IMu1%c=b@?>Pv9OWTOE2eT7z1m&26MwNM z?F#bi0LUj79@PIm`+dc-`c1`tI>gwSlDm}U(3kTx>({ zz53ZRLNSJR#aRvEdz}um*ct7!ufGxQjKpGFE~#Om0^guLV9aasU0x&wWlW2dN*(*xhxh zlNR&x*fG=hQlk3Sj(>3!7JD@L&JcSvVH@|w!iOXR&+11PF78i%^Dpd~ zb{&nWnk?3(Y!V~mtIz19qT$7jV`8C7+hAlJDd;z>jOgEu&!Fwd4icB6c*=#2(bdolAno zv-~Fr@({Z?hEm00lm+DXaEcT~F7(a5>b-BC&g>;Qa{))kiyO!vR?m30q7rTk-twf z0soSLh^3{aO`f3cHy-g0PL`|5SbsQJu*+S_A(VKAi&roHN~0=GeIwpQgWM7eTC~B}hG!Jek3M@$?H9ODh`AyqAJ*j#IbMJ3-5G z&UbAF#c^0~zR?{POoqX+X91oy7J-u_f;lm+67V7*DpjFC21a1>Z_SdyByrMlEDY z@qIIn6p?9@Ti*dBXiMzgHB$_Vr=Mo#lUKR-OxK9{YOkD}?!=`Op15+a&RYfX&_*Hf zQUP3`xJvCB=lA=Y$a~H^%bbzycC8kFsyEsDpXHj&XRr7?lS(xDRWHq=t!#66EE%_5 z{~LV*_2v>jgp`=rd|BvTTG7rfv#dll zn)dR%FLkl~<&C$7JVF5%=<5C|;_8Xpnx`OWe?ucwu^v5kUMmT@qD$f_1}#uOtNu8gAAi-%6APRoOvMACjR~!zDxbe0n6&mx z`A-r3SWvHG;2%OtLYz#YEm6yF?fhbHfX^&WMYylhEPyGk7~#bJ&)>%cOSY$BG;bFr zW(=(%UE!+ef$yvzD`MR!g!}mQ72*FTFaE06jqnGWZbI!Lz)AgmfK;A}!{RM{JPrq8 z2Is>r_xB_=r=lA)_!w|P|MNx1YWYfO?8leuiOSzgUU+PB88!}V45l!%u&_MD`@jkT zDZ1l1%f$IKQTMI5M`5|Z>)))3YHCd;eurJC#o84*#}hKRzd7xrxXyo<<~?c~ZkRq? zX8_>cXTN2;2#}>aKK-titqC0DdV>e4)j;&ZE!*X25}h=pXvE-29;?L%cz_Bu1a90~ zn1b?X>vfL#e@P*%vg5<_kFCbuJrl0=)6q%KZN9m@{I&OST%048l;^zJmdl_a>EZsO zgD>#bJL{Qy$*?b@d_pRziMP~Po-!?e+5r8*IixY3P{ib?`xl72e? 
z+IaOZr`ZGcDr(x3c{*-24zeXMNx4&j{ZP!{PLH$Q5^Z9F>4A{lf}n!EMe94Wq-dZP zb>LMhi37($`a0~{iIndB2J!zLZ-^2)0cE&yVvLo5i=5nMuY+Y{L#|E+1dNbd1wcP+ z>Vvkj)|Ob}hZi}*+O86Y(23F|3sNz* zw$L^rQr!ov)c^qrh!6PCh4dkUJhg74&1?7HIx(G_^b56ED)X~u(Yu<)_0hZfZ72}sKpq8iOyX3j(bk&R$n=ILd zMwF$2*fb6t*Z#;-ozj$d8_$i8>?ffY3$7+ZY!+T!VZR^!xx)S5-a!|M0HR=kGFXss znzkFYU;e~w%hT+xzW{{D9ApuPdbA7F^2CMvy5a?w%eW}aiV+-;2ja;2H%hXd>$Oe~ zc|v60J4r}LI5EEhWcNfJ#E%CUh0l8m6UEu1u%!SNO|f&w?Md#t*9O_@Jei*r4LlO2 zcu?G1sfy-V&^HnhLZHsZ?vfp43Intv>HpS?fruhDV>dYeSorK_IzfWpfR{yvH*x5O zu5$}0402`WuekPLPgWa?+(~LXCs2!&xEKQhYtOv)-_a?{MB-4NwuGYMDgm-( zpQgL-?`}?h$S%16GLoNj>l{1vO#SwrCN2Ofg-N%EJ-BZD)Lv+*G)>FC74m0#QD6+| z)p`iAiagX_|7P3d?gQB>BR+P8;@)+EMxiP(dX>63WLJtCghl`7`^0Yy1uB6IqLioO5)Yhu=u+$-et$3Z(}^yw7J}1= z`3?l#pU~bN3j1Fkas&n~Cp`uq3}u8m#1W>JTBmq&e!2U*gCNpI@}{#jx5IDpw7*Fw z1sU3y8l$o&np{lFP1-(dOC8VK=54;joF~V4uO&$p9&mI1`#irgDj{K}oU`trTr$gb z^y#cZPXu-q28P;BJr(*!WT&+@`FXQs++TShU*Tv7cCE)kK%eG1@wOBtFGZ?UwxN9Nw669qHEgM$%v z*bxIKNVyD{E?;>OZP*CFlc{Qsns@Ofi<~RPrOf*N?DA`#m$`m@%uTLWXsJ9db*g=T z9=zCJSek=hVL*=rok&W!Y(31`ppW8`vo(1mS^V;R{QOnDal^urpo3YHx2p<2whx=}$||%p{ZY9onhsFp)sYYBwDeKQt-ML%73Hdhi>;2hQa( zB;`?!Sz}JU3&EX4|f+7L`$d-XEi~Cp}69Zk2Yh;fC(AZ9wNfikic-NH*XO2>8evZWB8ew zHN$nF2uG@bigOS^lI9)-`5|ej&-J)51{2GL_c0wX)R0Ruat%!KjZe(h z?Qe3^F)=XMk0Tl5I3#x8oqdAz8zqfDx3eo7CN95)B1Ljs9sZ7EejNBn>fB_&qoR5@ zywExAVyND0arm0kHRuwE5df#6jDkZ2@mlsNePTBuX<=z;y*pPoV*|ugpazElnR8O`bzKmWvLQtoZlvja!JwQgkFQuiDgLo&>8 zFgGdUX9*+jddCa^9elv+90Jh@oA@8eKFT?&B5x|nA0i;lq8G)7tOzqPGRo9wm`x+9 zmz*RcW0KevBj|wftjV{|pzdMi^ePMw=S>~xBWzB{7qV~5arS^}E4ZUQ>=<|}-w>}< zbA+u8jU-0sj`>yCN1qekeeJ>0dG1InZRU%PWBkSQ6FV(50m$X(AZs6s{f918S_MG3 z$b+`i{OD(|Z--nwg>YNiZ^8Z8IiTJx~9`omGxuRih1n;yVntl!b@6a zjl$;LU@2FQIMfP}rX{ynvSGxASOi_*2$IkVfm&Z2s!ZI;zQn! 
z`Nr+KL^6`<>SyVjyyzPl2wcR+%5j@OFo}5z&oB+tzranI5nS>AzTTcdD`BDrKI#lc zr!vW$W2iq_YH=5=n?K z@jJ|L?u3z$;Qq?~El6WAL93@q7kQCHFY{UxCYjHj%A7f{I247?2tL5CegI7QdJ@1w zJYGLMGIFF5_vB<{f8T5pKPPbV;j;mz3Wrb8D_}yl!y*!S=&d!)65-vSD1}D2to@yILyYe=3v<@ zxlP+Z@Ir+&jk?rS_|b~{&y`DerAGFGOo#{|FCJa_#Q{q{z-{L1MvN*w)A_~AHl|#A zywYH=X^fTf6Od=!nPtuMe?Q)(Ma{8zg|CNAcSl>VGLkE1sN2i5Ai(!ThjT&zTyfpZ zlS*cj9FP8C&*~QN$C(rr2wLs?L`7B*4>J?fF99HJTY8WOUlqTi?To>>{?-u`UbTWi%Acmw- z6^(Suy!WYj#FIBM;*_%JL|m|$W2O5jw1+_=Bs|{VlU|bE_kx=;9O=6=&A2 zZ*CkgpIKQ#H>*fnfV1PS+JJhKtM<{!77+3?LJ=6Gvj;hiFh@SrRrs0n;dE_W0nxfq zeAWNrhnH_S&1@~Z3(IdIPgWR%SsG=EbEZo-a#!X)V@w17=_|m&`K*VCa!?3y74^{J zpdL}^{9E?7X}+0()utULf=K)-5X!i6Yb&cFaojvL#$TBG9@nS#V!ZO#9H})1pFXfz zG=xwK!&Jqn6msJ#<1A1y+N#fG3kQNS%BfH3mp=lU?> zlD>G#ofA1YNEe^+5d{Xw=5?X$Q~au_`VzwC@P%t6(`m6Q5ZE>t3AuoG&2bOb1&yFH zm4NUI@{xeiZ8W3&cYo=XNZPXmub}CztO=5LM9bwn20x`BI+P{87-$%MJcP0KDAXks zSP77}Ff8;{`mdFE>s{+OIaIh?niu$C@#7uR4)}R-L}v)XD>_HyfG72ydj?K#F;28vCvXd~ zr0!j#$OSpERSs2}O;^b*7;IeT>w67IUy+;5oAo8EYWzAt!WGTmX};E+;1y}q%^U|4 z(aU|aSQzEuw`}8cT6pq3%mb5|;4h@B#DNG&Jm`1`>^g|O66?|1nJQ;oTU#@b!firh zCsx{F4PIw22e&G{?4Nge44tm>2uGMu-rld2HV;k<4X+HSNYL<9A_xfy-P7P9AVOIP z5+E2?qO0mge7p+2m5Vpqq+q$ngW%El?egxanpJ;UV1Q`>7_%K#<>}Mj!AdJJuuc-Tpoflwh;lLZL%}~e$wXT!4`U=4ssoR^;Q!#r7 zNML^fgOs}X%ttbLKSOA+*8DJd@9SN2f{T%so*#y2BOixaZmwj0{ez);PxN{u;RW%T zErY~}8MdW=c)?V`BVLlUXGP!;J~2ev5ryF8-}Yg0+t=!Z*3-SCqD-p& zc-2oW92@SGo%t@2M$ABdxDQMXtQQ^E+`CJ=^DCWX+jg#>YIbyYT!U;Z$!9Uh6IZpV z$h5G!sM@x~`3~ThR`d1NGonjExSI%I+~9pT6H05uAqv@$S8%)8YHHOTx-{SIN!rX$ z-Bm~xT2Ya3Kl(<5>u9vKxxW7XMV-Ma>k~z1w$e9 zGUO%4aK&L`$7HW1frb!8;}zwGbo#D77CqHdt5i#L?>5)_tZ1?*52f>XuOgB=t*C>4 zZcG%&*h$CkAyHW11S3~cQwTVg=>|~IPIh7;VwsO3g!gXe1#pL=;7$hK+2N)5>IF%n z^Vv<%4Zk?P#EeDJW9{5TJfavWqHgJ+M&7!U`vwxkg%BhiAsk@y`K=1^3?5`sFLL}D ze;$~%Cf4VN8B6qEtR9gUD6Sl~v_gNL2&@wZ4!pmz6|~dOc)W?0J-lgt1 zK7Z{coc>YFb8E-vWK?j6K`%fc29xmen?NoCMnQWttJy;Db1EGqDDu;Nq)h*A&MARd zc-Ak=C5S_|4&e}1T)!Uc-1T+#4PcKl+pBWtsA!W?3)KwtwM<~noR(BG6&s_^`PZSp 
zez1&%sqc0sBVu4NKHP3gcm%x)VuZSchYwai*dA~qY<#Fj@lSCiAfO9dO_B`xf|9}1 zjO@j+zn@Ct#U+bL1cBufalm4}__?w+N8m*z;azQiaor9Q$;!$(o8R>^^IUHAI`eZ8 z@Ea4`UTRuND4m?K`0cyqC$p_0qK^wN31s;*j1`I<;w4uw^5nZpc*Z#7p~LmvQ3aAsf;JI8jPg$IT@(;86v2mIIT$aU-VY^am$(2g#S-iNK$Ah8w+p{Bg#Ej!igRVnisecSl$tGZ?1 zoz29Q3=q)K%^K$$=1l1rtHvyMIwnp{j-(9~>LA|w8OuY{!wZRx1RJt21l{eJ7WT{B zCf&d%6V-#0QX0ORyKW%UX48_2yu?d>|F~wm3b0%v4Rz$$fw!md%aK?v);Ci& zx2w453i;Y-uLth%h03*k8#N#I=f!h`i%S_?u_uiYKV^@*rRi%VXLjhmXftx`FnOvt zUlq#7;}EjGh(kxRk0d?=WcRma5HJ>1^NuJ6wv6+s!=?knUe#$cqGRAoa0gnVPz zi%A+QxJ;?UFyDOp4pC9>+gOAxo*Y~XNvf;ke8J&ly-NgsoOXSJNoRnWY3QpE6+49?r#pp{d780jAbTUu0;tUz#+YQ z<<@@D&~Ob}8&RZ<0tI)qarg82_jkMeMss<2%yfw8S{#VSTZcEF*}}pa0YK}c`NWzM zuo_0ROw9uP!%BAGFHqqCvA2bqEH;)mLS5^JfFWimNP;1U)QSu%QOwPZL-0mf^&RI1 zQ|Ypgi{CivS-p`xR-!-Cs1C7$tu8&=en&`r6fdvBO;Hl0ts0#6nt-A{InN`p#%gX*6Vdu`Qke%^%=Z*+xABo6*?d@q%;5Ba z30U7l>d&m0F&KlG@GLqdavR3|o|&rxmrf*F?_4vM8i|C@P6`bKCH*)msHMu|O3SmGz7PFFpD5w{QPKJ}w1?2T3z;-- z{W!7c`GnV_>u|{+9CQ*zWbWZx-vSj{f{EYlO+N#ohF)$5Gf>{ULvLI#O?u8UbnYo~auLf5FPOY-2j}&uVz)@eM3tLV-k6kE(2E#d%0D9I7jN zHTV0&(!P4yxprk+ikkQ{ZcvWf5L=pnWeW>KeyKDeyn!5D!EA`GQ{uXk>`8d7+tHtj znwfc`3M%`4xG?5}2?8T%89hyD;nn-eWeqYA~V{JQ)f!s zBT8y5H&dzOV9Tmha_gfc`ZuKvf5px!nc$UqfIl{`8q;(xFklUONE-TB8@&BPLz#>C zu}o~9lf)NApF4hw9G>m`na%&Gm(+Y(TNiudd>+6FJsz{hx|Q?Z+@D4xf!h=!p3WNa zW067We0kGPwix}70HVFd9r3+Y{|i@mFGw0O5}Q(|blaTy2eAXLCz)GnI%~dq!DiNC zA()8{?kN*2k))$%9`1iDVW@p9|K{&UB(TE-LpeXjsuw2@X`&v;w4y_~IUDCJ;CNE4 zU^IzlKm`AI=;^W_{|HouGqes7$)8uz$vyrYV5NV!j_~$}ZDyE?ujthIK7IPsJd)ZI zE$mjC;dU{88@!ypq0Qj`b1U0rEYjUV=ql~7($Hr!ZT)Fu6bl>w!`8<; zk0HS@b6{IZqE<bBB=PQyK9rRmMJy>U-``oc9N+)Y*yH7n6I6s!Bo#)vrjXmdMe&B1$!*SVZ%@V(n?kH6!k2M2_wk3G z?%!>Y(lyBhg!!YR(Sv)L$dTIb&KGa3i9AfaIY3Jh?eg0F-aQp`qt`j`DbTGZc96pUbwsGza&9Y+(mM50DJ z*&n39CqDK0@&;9u<`8F9n>JMXWh@k7VPK0|VHRU0WgEP$7#xKc15-&ZeLh4fMNT04 zvrY0+o|oPqvCFPg=lkzoogApbAn&{wBf5x{W6NgxZ_D`$E0qB^7IT&m`S8gG@Tr!a zL2e_P?OD)oMNN*wK7y!<|=G#j$p-fcwIiS&FsTzeXFh`dj@Ta`=r{6I_ z@E}l5Q(!ZOkrfF8{JPO;QD^WgfLM(nHTCBOE@l#9(f!&9pG8t6PT7{OJFgEd6kj*7 
zjDPyme!(mQz3(lS$ow&lU;==L`;I;~{=IpBgJdQsGJ%M>oT-#44l`Y#N0BR*$nfGg2mp{<4XTp#ovMPFUVHwyId%r2(|bcCD$-{s;wq*cS;uGdbOE>dd!@J zSFa(PO-0~{n{^B&N=Ue}crp;-0*e$yCBujr1PTa3F_z>ydczVuzxf@i?*b8F7H62l z*DdCcZ=Fog0l+5zyz<8|Z3jgpI(x|vv10AH)X0=N_iwQjB^q+-S3r|1fVHPe!Rt4Z z`AHmVYVRDSN4gyXohd*pFC8fo8vm8W{%yyjgl3pSN~vc866&lIR$#0kJHAu_rvEXq zzrN4(@i|N{7U%!J>kbCLjRW2;i;TU@e?Q<~UjRRsl`NFL`Mffw^FL4j_)Fl+p0Gb5 zSE5Y*mrMO;fekz$3gU&?JI}`d`-v=!K#m@SEhPPqDg6~B0`MowCffI#KBoPjPkcg- z7?1HHVlv_{=l#z&0ZZG91)l!gqa&y4|9;{inw{3a_M?FW{+M${fI{o&>D}pf!7Hdu zuFuv4)t%h?|U+YoNgJrQ10C=YnR~HhE4+E^YafR0QSkC&1rgyte z0o$s~c&=E_8+jUX5K!r9(QjuMGWlmh6t0SN?A)F+n+^uPR7 znApwLv_ueid(^*Mj6zN8+KFfmv_jTWHC4+$-ai(5FxaE72oLMH!*QsE!+v-!a+$$? z%^eBe@Eg?tsbiqAxWByzN91cAmB*C2`DBq|0q;8>6LFwPdDzr($E8{b-0cPT^gI29 zU;X*dhr=i9WAbaJ#^lKEG@mqUO3XS!k* z-Rbo%j^SgHWU8Gpa0mzP@(~a{pR-&8N@uj1j(cA{n=EVT{R=|?3ZYt%6WsyOQqZyC zo1A%FFA3&jTmKU1lbnEcfggh>Tcs&q#9sF8@RUc4$E%B~us6KF1)=GP?g_9mzDxrp% zIDVSeG2i<%ivx^Y_+0|kWlx!U;ZJLw`3ytn79r2AaQR-Zm4J*7s^{$sFDqnGrleLo zhk^!3T)2<4?;O~m{+rNm*kk@`-Xz}pW!Xd6Hh^=@e<)UUY@ftkS{p1hn<0_ZQ+mg$PGw+vbuTdE&}++Sho{IT-h z`@t^{&^cO?`6VSR?6pL_0S~~WO}r9OKhW@xt@sXcN2{nJqq-E`YxpjQOk7M9j@LC! 
z6HX2E(3Bl9i*cAqtS^CnYvQa%CPKvuRq2IW08i^-xB73nBbjJ!A}kExLXFp24M9L| zu;VNci$h0~iyjqR5uK5Zme)7+oVUizj?VL1urDoJP0mA*#girJ{g^2VnAVkWs(h~h z@gP}Z;x`njtP=4NvrnS}i_aO6X16je6M`#5mH4SvZ~7(f-ze9K`tv3+!Cfpy?$)mR zC|#)f2iw93`%sFK_)*eZ08Kdd`EoHVXaii@NU3qjZ5Rr?cv;3Nv5Tb?9=V(1eexys zeNug^H+q4ef0x8YK)gvX#tBXE$eQg43%l{5X{B|9mQEqBpFaVa@ZeIh_L+s;U3&G?@d#p*Df5vdU zC&(aDAyOvVb{~7j`p)}j^s8dZ-kMA^DsP|?U8h3FET9>QLFc&erp_15bL~b~e^ye% z1Q~Jd`50_O7?(HgptFLHg);y&18Muufhi!yi6B0zudyDt&45o?uFS&-TG?Y>*%asa z<))g(VGV{B=?OyC$xQ7MYqKg-{Y+?rZjbbcaIu+wL|Tkv&Z-7vPAFrx!Nl1_BkK63x z?Q1qA4Sixp<_%1Yz0bf{LCsaeV${C^=El|oR;gA#0s~sYCfu`L#ZI<2M|%HCuI_a$EgI%N4)Zy&SDK_v^gTb`&WT1}S&$P!6K^B0y0qo`U~7@fB-9a$L^g^n#X(o*`_VS1)h zb`XJ~Gyr@Bvs8Z0KzClH$9kxoKefKUIb>+OKjL^+lID5T4?hI$yHI zoGG&A5E)7jD#hT*A%S~jd<$0Vq=!FnYK*-QC%L>s&DuXAlYC~mnJbDB##*~B!^<}7 zRd*b|4O7v7(U%05PH*MWXo=SsV z^|7C1mqEG2MDE>Oz<^yUkIt+ZBNkY|`{m&~=5UFX&I8n5vQE)(7ov2Y3vxzWM_%t$ z;}G*uDuyN2eZh!u+gu+O0XQpC@;+uCWA1@fYZNKJgoX(w76|YlkR?gp;3ixi2_-_Q z$Y>?r=}YoG7vsN>s^l=?gyz4vn~69u%u(OR7=S|SLr*z2AX*T;Fixgkj9wgBE^;K; z%sv1>gz6jW4IMLgIlGij0H%zDhfo@hDU4w=B$HGH7^Gv1MnBtgB*E82=BWZYZ}5|s z-#`gAv)&;z-_yE}@bbz(FOZHuj*b=Kn0jPwE5|VcH1gM@M{uQSU;>(DXdEk$DsScd zFv}z<*A%tt2S}qLT6kwD1NwTOOvo|WYdmR<=c_q2A)R)qrc zC6~V8fHm^2)i85pxR@MnZWhyTAGJPs(XBhR41Tv4@;Ff|{TzDe(Fu7ExsUwi{S@=& zwX@@*$Jw68KiJJ6GB_8bs^^CZ5MgbYf~CW{6&R$M*aB{LKdLkPI{rowA98~Ym2~d7+=BmNU|>mlcdF=jFrrt(^5101eE~T4 z^AA^yU^Gbmz3V9JE5;aLJf?%1*z*|06CGTFFpWNmgN9K+~8T~QzBiR zCUZ~V5#<`gh$m3b$S6&SDyw^lqkT9l=W$)5aXt8b19XWv{KoB4gyYaRb6ZFVrM1ya&2t;Dky4$> z7`(MRCCGW9c4oEjP54->7p=!O;#RX%J-l`7DY*yzfHlyhEQ zRW&=N4m<-dddes3tZsNVR7`iD!=(c^({ycO1umPX#Co7zn28x1#Tp+7bBPz&dh@l~ z`f^K6FDG4i+YcFUi>I2|+XTtv%<|4`$|??&7M(efc9j1?r?=n_45gq7`oR}h>4whH z9M482Jp2IMy1)pRmZe46eJS}i%G3iWocC*+K)J`wxv)AO zUJ2_yVxdb!DM0lgC;F9XTg-dn_-pmI;ARbE2IY1rzGCT2O!5!jolW8oMW%z`5gD;qQL$C zfB$t_Ccl^9X)?924=eO;BMXLwJUGDJyc$A=AteNUHTKww>;W1{)J>WkI;GFX>qe=f zm*xT;cIRHTI4$L3093QHc(#B!VLy$ZBUZKN|j~(HRA2?joC&vG?A9ggL0QbfHdRZ4<^ZvrdcStz6PK^nH$Ahd6 
zznOct7E-q-yawb?frgNP^+)Y#67ze<(UJ6Z59Tk`AK-!(P%ay-U(*%3SoU;_r@*AU z!LUfd)FrQIZPPhG^AYY$qR?P*vE4GX00kguv1LuROF+-irOjh$+Ygu`NR;^v^wpj) znd#BhQD)Tw>)Ow3f?J;7_T>k^+5j?Vf@x91tT6dD?~@7f2(&;SYTsW4N2Fwn^KAdN zk4FyzPy(INTkzPfl@^3Eb4GrGKHcDDIY2ScY89bQm+nQR%J!Sf7XtV8HtJctOm)H{ zM_ZJ50HAORcECiw6mO}?jM?|4UFd69iN{ws*rz!gZQ=3l0Bv)7{#zN0vhaSIIg1(wz5F<^W-k=uYQw36Qz8GQ!E~^q&$*`wO4dL;#~CsMX(a zmMO^0|8k^%FEif*O%$l6t(#V>th6}!j=k<1zN;E49@+4Of{Zma3Ek(P`q_4PL4jIw z`-?P>?<3ie_q_|izG7MUr7iPyeni(MGDUhn06tcP;zeHq^_k`d0SH96b*OZ6AHk=jvume(d4w zi;X*z>U~ZETGX7r!mFPS0jj0sefvL=?Qa@Y`+2bTX)md%s4v|JU>C3aEbps>fKlZW zVT9;aw#e1BxC;+YZK_1H)^|r#ox@iEy@LVFoez(@bp|6I@nZna)2o}=z>pvC##sm|E>yK@MZ-j3h9y#yR{66w zsR#b!!K_ax6UiLI+W|^)Z6$6b4+Y_OC(uV7-U5TwqI~Axnv9Hdk-C*l{PsQ>^g-s_ zu*FjETW}@rFD-XtX^rFs{ecAf6C|*yXSAK`ChvQGQi@VVLi#m`GUgm%j3|d8mdS`QvAmaw;Y$Yd+`l( zh7liyzyK?vh$xkgiO=R^w_a8T)fy_Go_I5^*J8@)TF4J{j@yXJ4eUJ%yUR;+4R#Pi zh!7IRuYc)8rgMggis~y?i~ROIHwZ{b=|vx=Un33=*@^paq8!eagMjJu^{Q}$rI)l9 zqd0EbBei>mfXJgSnV5jeraz1qkrCvJRk0tY^ieXZlurrbUPvvP{1HPa7fi-j7F$1f zt1h4~HSVjV86mD2CqBdyA`TB3@zCkA$K4bpC!Wka3WOLzUd(!z;tYvY>_D!UkXq}H zAPV&WXDZ*e2Y5tW4Af-Bp{C7KYtlZCHyN9j?pAzB=FK(1R@)=dKjn z9B&>unV3A**79(FvpxasPGX|%0bL;WIaIgUoLUSVZ!Pnh44I)xWpbD>H^kEDeQ@S{ zcLnDjw0MeA5=r9=X^dS%3`OmWkPb!cV~SH6P~xac6%@$l*QsdutWFPC#1J6Kd5K@C zvE*MVw{&^ROe5;;N@ZdBG2J3ylYZNL+kDi3@#-ft%XD|otAALvzxerbwEVB{8{U^$ z_av#0;1e0@%=sJ%o&a%%^1+0=v{hhwu6_@i&|r`|W~*ENEV7O+KKtu288HSai{_8h zgg_~gU*KOzt$0{umG`#D;e5Xt=1-bWSZT-zU>Zl@0gQEaTUb7)rJ3wISEM*#W%b!P zg1!_^0CX0Un$Vq`i)A(`!a6&2>zvMOIeIT4szJulmwK(lyi3NxgQXM8S+8Jq2oSaX zhsn~6>gEq&bcYtZWUgeaM&7FAUga$$jXkz;Vrb*CpLLg%Pe)RDLR_Pm=EJQ;WhZ2> z66~}T!jxLwKdOlyef2&A$Zd%F2M^W9b`-oQ_VJ8d4{*@xf^56Km&EXEWbhJ3d|J@$ zI<0x4*g2Zl(kuDD+QN7OUU>dr>AcKYM zp8!B>3Nop$7W0{c0hj6-F&QBZF{DG{_E4si1Ab+;p%9U3VYx|@rqM9il>|;i1K;6x zAyLV8v}>@5^d(-PU^ccw%~r*dMVXY&hT9mY7{h;d7FOTrf8ffsEOI54X?30CrqVBz zZp`^wUJzir_;PIh!;zNVn4-<1>P*3@$*#dUm5A6Ov@WFw2>&!Z=FGhlout@`PQ_kh z#i(>`?%ay!OTdH#O^|y1i%phnM}kZ*XLo(FMLZ|GkC@{x3l? 
zVc3`=T~^v=x*_-Hb3&yzIYH^_jsEBU%)3wSwNe)bO*}xB4#Hf$D z0_cy~c~NV8olZqO^e;utGy2aogL&6vC66UjU5QMvNXRfXgis?;8kLL!&ZaGC$-?#S z`t1%ok#LEga(3d-qgx(xEBu(GxdPeolM_Qi&BNS(nYh|PMB>oM4A4HAbCb!S!6gsl z6hlf8`UsOP-zS=bSC?HAin3CBAxUu<^RPq<56v&Xb9}lH)hOLeT*t{#FJ9VlzuHWt z<8s#O++^BRL!iSo7oeic8BS+Y(c)tc_QLtEB@-ldZh$99@k9wfNKJazTLPnT!(~ZN zW6V+|^<|@3Y7pd*H?nMVqnAgUw+j^*A(y+Su;>YHj@3cDPzGZ~At_JC(~}{Nn&&l0 zI=>Y820e&u##qhUA-~D~UwdEq7uDLf4I|ynNO!lObP5PaBOoQA0!kw#NXdX8-5nw& zAs`|kAky8^A&nr?9lqDv_uls{?0?|>@c6~~4Kr)jy5hXfIF92aisrw@h-60GB2LPt zl8#ow+$8*qZofW5>=LjtKd%H@~a2x=weZ`=>NR#?;B8SF?q>gMG=Ltj3ORKi+!luT3E zEU@`l=hl8-ReAG#ARxPiLyu$6H|PhbLIl^P0jBb??L(~3tas_A8$kW}pN!_;Ig$({ z&N{ZR@vWe@IszxL-4V7}Q9nPDT=@D=l35JgKUdI*{m@9Yjb|!UM}$grc%Bn)z`@bH zXpza&`fBlBr0wVWwhGiqr-kn{^TnFoi5jyPSX~yObj^t4hi(0E*8uCSH$CPsA19jc zS&&pWKGlKsS!{r`=9wOlM;<9A!-|)8Yk|;g!0!v<1fZEZ@>6uT8m3 zmuUI|ekzNV>@zvN^)ir9bJ3zKL-qkDVzF{&i!*4UYqN1Vmau_CZ zM?ePH5~LV@cNEZ~$LBsq))KM3*3bialXpSBBBbwDOoWO4{8|MzEW_u*BbC+gI4YHp zzKH%h$)>sQafmnI1>7%c-AoMCE2G#ksPYuX_{NA0+7lfuyzbrZeuIa4sacn5R z3PYO8qkQcrh7C3n5g-p450(3u^e1C31=d?)eo#FjJ6*yvaQtyfF%x--CYq9qGTDJY zNbSr+l_Fs$vDiyjw8!I)FPx%3gT#44XNsWNxroH#vm{rfv_G7#A(bk*`>3$6gg?s}y zGbN(0^OBK~w!rj)D$O3P7Rd6+8_e5k4VjVCgm22uhx5F(PO#TQsl{%J1G|XGTR%?{ zCuAplRMrXCqquPh2*UwCa#Kq5htgxDV~D_ny%n~Fpk)6WNh=Iw5*sJ3x8m5i*4YK? 
z-=nrbcs%-~lD(GXiO?!KW`!e!-8jO1cJ$}BBBgf;p^|dQ&3b^KXzoW9hvjB?p8$(4 z6#%G!yx%(_AA$Il25*=Z@fJmrpXw` zWTYemP>c@&M)kGuok)p{wG$q{Wrpv+@O$J(TrZ)u{Mh4>l+PewWEdJ8{SKE>`)#67 zJZ#=thgA?Hb$674;&+fd*?lJC@J%=)1nNkPj6MLIQ~mYl2Tjo`Jl7`~N3R{T9)(6B zXN7@U!A-lm4t+9!bhNn_!Q5X20b_J)Z}ME)Nfq~C5Wur;f22_845VMULTMyK((+DWvB%{a7;e&h z45c~Dvd6Js{H6t>W#~=zf=~=10jz{9z*g_lqH2g$M_QtN*$5b|v=U^A{4{8QPFpN= zT(knqBEC~L%^SUfY(fkXv$%rj=`m-Bht$MuPvD;xyM4B#VLf*NHtEK-N{>HH*_}*V zB56m10G)Hu{83fZ_ z0o>5_jtPrf=+TlyG&1LNO+jsaR8l9a+5Drj$|OqRsIGn*O#NDrZ6dKgg>ukPQ1qYk zZ~_OJ#77o4-sJfY1B+Huht0afR_6}khM-1^9R^c2)2=%uX2Nt8eoP?&a&!S)r7z_K z1Zz)!eUAAkCvxHiHjeD?i}NPn_xBZ?iG(X%2v0v7LYUM&2k2EWR8sr-)hxeO?E-M5;Q1HLj@!7>HY5eE&A`Hm9v; zx3iGP`iJ8;A)5DpC%h<>Gqr!=M-fvPj6a7K^*cYL@z`LG=KL*iN}*T!m?L~3p3ioW zbtnXQ(SHFiV8 zqU*FB3Hlwh;ueC< zcKrj0Ih!;D#1xE7i1kFCer+F~@5_L2$$CfjD|-N_9h=-V^LT+}7IFH?I|L z-EWkr>U)WX8?x(5>CC-ErhY%#Yuju0te^b6A>PBjYA%pp(BCrIv+h^Tdh5DZ+sXbq zdEd6UMxI91;gq3%uBAZS+_ACCw|m#?N-^4v9)2iF+tu<|gCp`rqzU(q)iP6xw zl^F6+kgxopPpZ4r+H(Wlr?r>LL;WxctyALE+NRbrLjv%!i*g8J%x5>X7B~*P-g8Vq{{$2a}?B6F=v5d4jVkFZp12{}E#7BUzkPQ=c-}?T>)*fJRG&OG@OGnKB z{L+ry0i0;$fzP>BfOJ;t$3&-=fSUEcaAZ~@IGle?^=x&l@#%Y)^R-=T=psAxl5fT#oMuT;HzjgDLe`D-zE{0fhkJ`%wK)(!;Lm3&zhu zPYQc+&3W|0!~;Gxo6j4S$2FzPNzxjn$K4;2mRpa1@@EiE%#XM5HPubHFN7^PHw)GC z!marNx4i^{m~zq)&m`(BLK`T9D_5}>kkJSNR-)^Vy&b#H)to!Sg*;OymeM@TjT#bL z4#^hKWskM`yty>y+st2cleKj&Y0Yl_)E{&#Sb6E1$U7@hk3S{W`tEOQ{tm)GKB*=S z2be=E5@g-Sz|;AWACQIf81))*=QxCWDFLU2LkDxh?G~ob(?o@nVEx)2ozDKIDJ-7| zE%)>9#YPqF0L~GW9hi0pz;Kaoxz>U#kH_mzXs7B2Eu=mdE_D{)y7Bg=au~lcZ|f=8mCTiR)1vHDK_(r0?N|H_*DS$V zV9#Q{wfQ!~zOW<9*CN`Yqjje;{UcmKvgIvHP*SruRMN?8?@K%qfTaIK-N#8ErLGI1rXa=W1+(!bxXz*34V|GQ$rrdyd~+-WZ#S$*DFuUS#( z{l5=$9c<)Ju|@G>bHd=9Qy?}iWY)#JZ>u1q8m;R*Bmx=?2OYnZs>aWAK%Xkm+~H?4 zeP;UY`d8+Y%1OJ|Z5`A!hZYl!NMC8s*wpvJ-Xz=`w2G+z5wV?B^|m-)qh8-*2Bg8> z3$fDhg16DK}hMmIrWb7<~oWJ|8_Ds$l3vkKM5ODa^B})EO2f(Bhs~lQVPw2Tw~?DV{QAhZw%-YNkH= zQqrl$UA|JfDV5HC^k`WOcQOD^0@D>1g@}7N(a@m7wv=d!WG2RkLoD7_uxUeC5$qU% 
z@|Nkm5os4xSs%UD@d~BKqOV2cg{Nnb2xvGmCi$}+Io$0-a{i9knr^re)StCi_x)H^ zE5njL4spu_6Qhq!*|jFV(MO{hfNH-Dt9H1pIr$KVK8H_7IzgN7YeY@`>^O_E1TEi! zoAQAP`E%Mwlm9@{`UfG;O3?8XIGxFHNQGGt_fn@wTajIX0>R7v)SY+u<3yXX#Cxqq z+S8)IHw16o-w4-%Q+t3C_7Y`#6$9Xe$Rn0@-8GMbr&$ce)6v+>^h`V+g)fmoiSPSusN}Ps`@>Ir)-rKd4_*@%oIwE%Ds`4*1H?N zBkNOy$J)YatQgEm%A#c#THyU+wu_&~2HTF@_?adSJG~&X+Ytyv_%al;OTCOU*4HSP zT)sE>MJbkfU8{Hyj@hSWFy2PI2x=C|Hh07o-T6$%zP8YA63G$+pD(?mQ};Q8N6Qut zYX?R6U^OW12jpyP$8Vz2Gr_Ge*1z9h6j?cSYo`wy{$^BHVnMfXiY5oovlP27yfy?! zyA`T(r`qz%;LY_DZ_7#ceJ_V}{yCwne{5Kk?;QR&cReZ)c=wya*c7YMEsdu&y)_$y z)6};&*(Bgd6bx{*d>}L-E2c!4&8ussc|y>eonJbrE)flnZoqv+K+lR?b~4ihO7 z)t8-4&H+Tmy>62Ao)94{1?A^Kg!Bj}KJ^LN`v8oPSUTU~ves~o@out;nTI%+#)yMG zs~Hm}jZ#U_cYn1riFAsJ7#C~aTdj?fg7e8cdZqLTU# zFGzOr%)FKo8!}GAHAC-No3COcET6ouI|xDJ66e>@9}4l&%G6vWOvl~17E7eNFy}{) z@{$CNS)5CF*`u*5#{q|}GBj!>OCwP#bTx**tOxX^`+cecS3wK|uX=VlO-ez@ak*-HgJm^EvBbHS~C2n z+xuw8`wIVwrTb%{2#HyB5^x{h`6FTJIc=(4V;G@AJO%ZDS6EUZcXrV3JmPqv_;nUk zKeKn_DXYF@w-Z12We7y3uV&4jB4qIO_Xi|y)L8Nz0lFfA?9eQ(H&Yf4?jY`eii?P| zpI-sSd^}%A9LS|Bi1UzZDCVv3{I)&dXPa;oRxqtg! 
z!+TY-qjbM1(VtS3=DOGl(NY!@bHUTl0;4%Go^!U0J%oQ^oKvW_h^|W%Ku}4sNCn`B z@SJ@p+(s-7t!Qn!?1#yQ3t+umyskZ_%g!RM&b9+@YF}y4=bw5@dMLCuqmyL+3hisL_EtlQNPWM8`ah?aS!z89zOL7*RW;YuhpzKEU^4<{6%IC=Ck%< zo$~{7eU(ESAILQ~@IwmWQ1IPT^m!5F01g@j1hegS!udjarB?aFvaWpFL+09VR4(0L%6K2o09}A<7fqag<~%)zNH0OMheh z!AYYdDPn^Etufm#f8x9fpaiz;7X2 z(@J}ub7KFhT>ioMg#&xrM(RB?-6!jS)BA)5;nEdW2gpV@vD);U!3!CYW#QBFg9{FYJl$kO+huGsk&>;X(5BjN>4w@60bFE_?#zH{(pftw@kxU zP<*BhNKRe~#=+su9_brQk=Ky27W+q#{`X668IU$m(Wv|{;P1a5X&|{Ho!v;{uALVB zXK?@5-!uP+EdMsK|9meIhFLN33m-7dUm0eUC5Y~T`d1*pDvO+fB#k!Rfu@ZMM zDnjyPArcYo@1r&d%n<~#ge>*K%T%KV%DNz6aTtG;fOr&tKR2hQg7%+0!#_V6*+3$f zc`p=8>}RRmDxl;-?qC(jUo1f2rsAB%(k8suXs9!JO!uD+$TvZVaWs4yac0%7>MQpi zDIG^>6}J_1-!e_eyde|f$G2F7Vu5nI+nv$m6ykG;r&^W*j#*xUaQ>VClWqV`akK+F z)!x~n;>FebvT8#yXwgQFKzX>gI_WEPJXo^hL4wbDYy!6uFL#Y14$f;SOTQ2NaQ zX!`|%EC_GO#U}8f5b})>ysL@r7f>Q_7*f53+Q@C*eRX;=KbnFarP#@Wyi1*s~$kYdBFidW9L8`mn`G zA-0m&G*HG0;;tNHFaj`+Iq+79ZAC00s}u(Qe@FN4hGHGJmazQ?TI~*VZ-r+39<+mVVUg(*a+%%HHrPAQklEC>#jC}^$a4jk8Ofw)eD z4^iciIuEmgXejCk^A!`(EE@a$cD$Pj6$2a>T2X6JZ;qM1JW`{CfKoPCEf;_Qhe^zG z7X!pbj#JyPJ~SK(h={GT_2GrC(_KS2ArvW(vA6)&zfPZ&7qym@K>T_o&`)s>bwqyI z3?$m#LdI09!ln^RlSf_P|B~&KdwRzA)+G?P-*&pQgwhC!0#pF;Hc96hh|I_#l`<C zeX9Z7G9g46(+@l(S#Agh=m0K`UyI=o*v33bGg|=xAV~r=3oRNCvWjD0&x4f^f`%nd z)`=O2FV5ah?H3hLo#rxfe?Zy^0J-7|*MzQasYq!}n2>y5WrI?zc_Ug#2go_IiW&c$ zdWhf<9;ov?ENy3aeY?*OB1t{C*3=56j_U9=>M;o$y1u8m&2}WrAzhOb5cqB#+1v7R z*5~0aoC|o?+dqfYrP8>GXuOZ+q%jno zlr~~+2K+>wko!x`$ty5u9xw80O6MR~qGe^@;=$$zlA+mC}-x>Z8 zQ;25TQ%ny5%T&k+e0&Zfxj731TB3y{nrn{6RRaUkuk`&43aFJgyX`(40gzAt;3?5V zwIBXIBrNe@6eW{anTZSZe6Byo;JMOlun<=ZTx@re@6>*|?@EC%ni zx`Jm@v=2n5b?2Mf&Jcs45$YZmoSq-fwv7T(B;3u)^tFNsluA3sq5;{4F~Nn_qta#~ zl>h)NVhN;xgf<|~t0NU)a_Vvgxiy1A0WBV=GYPwud|1CNhoX)j5D>X&WQwg4iZOKe zhUysD4ZAp?qh;&xdl=cfuJH$Y=dpnCkzH8j=KpDr;W<_?zljYW7&f*-gDq&3Y{TtnPAmJ znZt6IG1X^daX0N(Gk$ck?CJy;eP-3+8uAfrW~gAJZt<`kE0D;<-2zB@U3F*ziL6}J z5hSCtA1wPE0DGT|nsrhs9h5ui*}uwTpL<6iv^)1}*dv^56FvvhXQq}~+@4r2(-8^9 
zjf*WPe6O`Zp3W=C@^*bOx_vq3&dQ5FkT`$;)^L#Y2TIcNl2hwjL5;}eoe`zc4}wXs z!}8yzKl=B&C9)EQ_0U}OKa=~&{4a|IVxr)N#c_f{>u2GA%XIuM1l>8q*;7(>XkMeD?2o`oBl} zbEd&$WIn+huGniAb^8H-GFX^vv8q2r|Lo@&eZbUj5U};%fyKxs3Oi~g3VUn8rM%7I zQolZpzOQz>vTUTaiLD5;Wk-Ld$&T99I!#-PTdjFoc@iD@z^XU(+SEkkjDOu55?XmB zxWAd;)EZc3(Yj(n+&DHseDS4L@yaw&$YhR(V!6{kOQ~demQus=tessLx|a|Xrw3n4 zrk~C~)#_6+>(1Xc>+V~~)|2B5?<~1okiMyw*%5|C?bNAqNRzfu81}*Oh$xW(({xc~ zc3?p2oWfnT(?j6uE?!f~R0_ii5VQ`doZUW3qLKCHCr9i1oZh5ppIkO$=cwSwpsfp>K9smaKGpG(Q8~c z7b~M$*q*DwwE2)-5#K-mM=I%mR+f!Pqf9ePj%UIwIlV-m47T?HW#Srg{plIr)kFIs zrjCuy>P+?r50dgl@px%525E0pZ}h9PU5>&b!13&7zHAg?xeQ|WSm}44^IW|c6O8ma zX^pC3Oy?VtE_kfkZp{|_398S;@aqi4(tfJL*4V2}WaWlZbNo4TdfJ)wPmqhB z6Uv$(N92B;98bCd6e2fl!rc6~ME)Mnzvqp}Pt=&8#`Wn;@nUZBlXs>4jk|5zwdW(A zbASV>WC1Zo@?~LXYH+dVvZUeN^q0*dw`wLVTQ*IeLVUUS(==1jhZ&0M;x+Hx0Lb;P z0(wdapJ{i+myh{!7VXp zjF|UVtMG`vNn)Ty!!cqn`h1c6u@&Ly=lsBD-`4%-K;Bd1r|<9!-&a4;w?kZfOs3@b zy6t|taoCuRFLi(2OXbDbD``?RAL!X+FSFovAm0yxOKUf zF5PQ>+$g_An>j{HP3YdJ!z$q^!fraRGi-fl3&; z=dSwD1BbaoatFz~ZgNq-#F;O-CpzqYI|_*K9!s606_?+5a#APH1h`TcCl*Dm ze-eaC{3<=_U0IHle6fsi3Zx@#P5?Y1Y!jQeTzd89zRuh?y%`Mj4Yy}rb=wn$X35rh z02Wmv%{7#xvcjjhIo_BbWzksgNkfAt`8{H807NFO{@+Ha2)ekYeYR6&-muiB7kb|L zbt36WMN!}5L9^HHAp{5=tno@xqONNsYU2A5S)({ZK|m@>$jGzj%V19F=EY|;*S1Xj zR_7D;mA0p17iQ~67i(SbTfEV63`D#ihc1S=ucRGX)SZMf&K95(vB_jw+_u`Y1}-^s&@7Ey@s_D+?GKaum5DAbWcDf0CS-&h+b|6N6txEyuAGlc3@NZ6z`X0 zsZFo*MgYU0?Uh)c-&&^JY!(PRb{wX~e;1b@RoNPP!F;w-`Mc%u4~tJyREgRbdAMwg z5Jc(7r7^(Wc3^63=J~=j(5iV~?Wm41?c5r);X1`I<<=)RH&JMh^}A-S@@ynB!{1q@5iKy;wSGdTo}D-U3*$Y);F6%NvxIO*o<`% zDJ=r)v9#wJEgb#RbkO;6Flx-?_rqScyo$uZ9RGD7Wff5?gS?dV&0Cg8_)8y6(4*Hk zSC2qwfhQFKzrKDUY<~M_>t#e!6TT#27s58zCzEA&U$jQq4_~|FdO+T{^mW)$7}n}Q zPbq`aSc9)jVE`&w>aFhBE>vmQS2dB*-w#^Dao^XSC{*3Z3y3Kq0Aal&|HJQtoV{IX z>qLFp^%~pZi1qD-8Y3&2iSsOdp<3ehJU*|Zh`ISMCf6lTwqlMv4kg@*?w#$^+av1S zqy)KQyIe|J4X#0OKML0w+s~=wO;uanL%gl!pQfGMs&>PFFA)jxP>&crm0rDdXfy|U zo?geBI?M-BKdWAz?hJRO&YwAYb|sj2F^m76;@qCd*ZdN9e3Y%;Sp2)5^FjJcrRv|& 
diff --git a/content/WebAuthn/Concepts/Enterprise_Attestation/Use_cases.adoc b/content/WebAuthn/Concepts/Enterprise_Attestation/Use_cases.adoc index 79c3bbe3c..6df8a8672 100644 --- a/content/WebAuthn/Concepts/Enterprise_Attestation/Use_cases.adoc +++ b/content/WebAuthn/Concepts/Enterprise_Attestation/Use_cases.adoc
@@ -7,9 +7,7 @@ Learn about different use cases for enterprise attestation In this section we will discuss some possible use cases for enterprise attestation **(EA)**. We are primarily focused on **high assurance** use cases, where there is a regulatory or business requirement that requires the highest degree of certainty that the device being used is owned and controlled by the real user. == Registration of new device -When a user receives a new authenticator with FIDO2 Enterprise Attestation enabled, the EA feature needs to be activated by the user, or it can be activated by an enterprise managed platform such as an enterprise managed browser. Once the feature is activated, the user will register the device just as any other FIDO2 security key. - -During the registration process the Relying Party will register normal data from the authenticator such as the public key and the AAGUID as well as the extra information associated with the EA certificate, e.g. the serial number. The Relying Party can then use the serial number of the authenticator to track the use of that individual authenticator in their IdP, or make decisions based on the information in the EA certificate. +When using a FIDO2 authenticator with enterprise attestation the user will register the device just as they would for any FIDO2 credential (there are no additional steps for the end user). During the registration process the Relying Party will register standard attestation data from the authenticator such as the public key and the AAGUID as well as the extra information associated with the EA certificate, e.g. the serial number. The Relying Party can then use the serial number of the authenticator to track the use of that individual authenticator in their IdP, or make decisions based on the information in the EA certificate. == Subdomain separation There may be cases where an enterprise has an instance of an application that is only available to a specific subdomain. 
This could be due to data residency, regulatory, or business requirements that prevent users from one region accessing an instance of the application from another region. In this case it’s not enough to allow all of the YubiKeys that you have deployed in your ecosystem to access an application; you want to ensure that only the YubiKeys that you deployed in a specific region can access their corresponding resources. diff --git a/content/WebAuthn/Concepts/Enterprise_Attestation/index.adoc b/content/WebAuthn/Concepts/Enterprise_Attestation/index.adoc index 141205e68..60b508ff0 100644 --- a/content/WebAuthn/Concepts/Enterprise_Attestation/index.adoc +++ b/content/WebAuthn/Concepts/Enterprise_Attestation/index.adoc 
@@ -25,7 +25,7 @@ Now that we have some understanding of what attestation is, let’s dive into ho == Enterprise attestation Let’s envision a scenario where an enterprise, Acme Inc, has worked with a trusted authenticator manufacturer, Yubico, to purchase and deploy YubiKey 5 NFCs to their workforce. -With “regular” YubiKey attestation, Acme will be able to limit registrations in their application to ONLY accept YubiKey 5 NFCs. This means that any attempt to register any other form of authenticator will be rejected. What if the RP could identify the make/model of the device, **AND** also uniquely identify each device, and determine whether it is to be allowed for use in the environment. One problem is that this notion goes against the privacy features of WebAuthn that prevent a backend service from uniquely identifying devices. +With “regular” YubiKey attestation, Acme will be able to limit registrations in their application to ONLY accept YubiKey 5 NFCs. This means that any attempt to register any other form of authenticator will be rejected. What if the RP could identify the make/model of the device, **AND** also uniquely identify each device to determine whether it is to be allowed for use in the environment? One problem is that this notion goes against the privacy features of WebAuthn that prevent a backend service from uniquely identifying devices. Enterprise Attestation **(EA)** looks to close this gap by providing the ability to configure authenticators with an attestation statement that could offer uniquely identifiable information. This could mean that if a backend service specifically requests EA, the authenticator could provide an identifier like the device's serial number. 
@@ -58,7 +58,7 @@ Platform managed EA allows for more flexibility in the domains/origins that are This form of EA works well in scenarios when an enterprise has a device management process in place where a set of policies can be given directly to an end user. In the case of platform managed EA, a user has the ability to disable the feature on their authenticator through a hard reset. EA should be allowed to be re-enabled through enterprise managed tools. -Note, that platform managed EA is independent of vendor facilitated. In both cases, the security key will need to support EA - but with platform managed, the platform can still allow EA requests from a list of domains, even if they are not part of a vendor configured list. +Note, that platform managed EA is independent of vendor facilitated. In both cases, the security key will need to support EA - but with platform managed, the platform can still allow EA requests from a list of domains, even if they are not part of a vendor configured list. == Use cases Click the link below to continue to our next section where we will explore use cases for enterprise attestation.
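Review bot: In the Use_cases.adoc hunk (@@ -7,9 +7,7), the replacement paragraph drops the prerequisite that EA has to be activated, by the user or by an enterprise managed platform, before registration, and replaces it with "there are no additional steps for the end user". The index.adoc context later in this patch still describes platform managed EA as depending on policies delivered through a device management process, so a reader could take the new wording to mean EA works with no setup at all. Suggest keeping one clause that says who enables it, for example "once EA has been enabled by the vendor or by the managed platform, the user registers the device just as they would for any FIDO2 credential". The two removed paragraphs are also merged into one long paragraph; keeping the break before "During the registration process" and adding a comma after "enterprise attestation" would read better.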
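Review bot: In the index.adoc hunk at @@ -25,7 +25,7, the added sentence is now a proper question, but "to determine whether it is to be allowed for use in the environment" is still awkward and does not say who decides. Suggest "so that it can decide whether that device is allowed in the environment?". The sentence that follows, "One problem is that this notion goes against the privacy features of WebAuthn", now comes after a question rather than a statement, so "this notion" would be clearer if it named the thing, for example "uniquely identifying each device".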
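Review bot: In the index.adoc hunk at @@ -58,7 +58,7, the removed and added lines read the same, so this looks like a whitespace-only change; if the line is being touched anyway, fix its wording in the same commit. "Note, that" should be "Note that", "independent of vendor facilitated" is missing its noun ("vendor facilitated EA"), and the " - " before "but with platform managed" would be clearer as a comma or a new sentence.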