[10042] in pc-kerberos


To import a certificate, you call the Add method on the X509Store instance.

daemon@ATHENA.MIT.EDU (melting pot)
Fri Mar 23 09:07:14 2007

Message-ID: <000d01c76d54$8937bb80$e245a09c@outwa>
From: "melting pot" <cvnhd@mii.com>
To: <pc-kerberos@mit.edu>
Date: Fri, 23 Mar 2007 09:01:37 -0500
MIME-Version: 1.0
Content-Type: multipart/related;
	type="multipart/alternative";
	boundary="----=_NextPart_000_0009_01C76D2A.A05D6DC0"

------=_NextPart_000_0009_01C76D2A.A05D6DC0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_001_000A_01C76D2A.A05E7F30"

------=_NextPart_001_000A_01C76D2A.A05E7F30
Content-Type: text/plain;
	charset="windows-1252"
Content-Transfer-Encoding: quoted-printable


For instance, if you need a certificate quickly for testing purposes, =
you can use makecert. However, as I mentioned earlier, .
Let's discuss in more detail what I set out to accomplish with the =
sample credential provider.
You then check the signing certificate.
exe, in the IIS Resource Kit; it is specialized for creating SSL key =
pairs, and it can also configure IIS with such a key pair in a single =
step. NET and provides a great foundation for beginning your =
application. This is important for long running processes like the =
gateway, especially for sensitive handles like tokens. (A configuration =
known as "GINA chaining" is also possible, but such a complex =
configuration is difficult to test and support. I'll save the discussion =
of the initialization tool for the end.
The DisplayCertificate method shows the same dialog you see when =
double-clicking on a . Support for SSL in the . You then check the =
signing certificate.
In turn, LogonUI renders those controls on behalf of the credential =
provider.
NET and provides a great foundation for beginning your application.
You can then do your own check and return true or false.
You might end up with a caller being denied permission to use the token =
you've given him. ) I didn't write the code from scratch.
And Figure 14 shows the code used to check and remove a signature, while =
Figure 15 provides the code used for detached signature validation.
NET and IIS by Jeff ProsiseASP. You usually get these from your Other =
People store (or from a .
So what's the downside? First, the process that hosts this logon service =
must run with the TCB privilege, and the best way to do that is to run =
as SYSTEM.
Running the gateway under lower privilege provides defense-in-depth =
against these sorts of attacks. First, the console session LogonUI =
process is started by winlogon. You can then assign a permission set to =
all applications signed by that publisher (see Figure 9). This is =
because that property is not established yet for all users and has not =
been added to the web. The thumbprint is also unique, but keep in mind =
that this is a SHA-1 hash value of the certificate and will change if, =
for example, the certificate gets renewed. In addition, I provided some =
examples of higher level application services that require you to =
understand the Windows certificate store and the relationship between =
public and private keys.
The new Credential Provider model represents one of the most dramatic =
changes, making it much easier to implement new user authentication =
scenarios that are supported by the OS.
Windows adds the signed certificate to the certificate store and the =
corresponding private key to a key container.
NET and IIS by Jeff ProsiseASP.
------=_NextPart_001_000A_01C76D2A.A05E7F30--

------=_NextPart_000_0009_01C76D2A.A05D6DC0--

